What levels must risk be managed to? What is the measure used to determine when it has been achieved?
Management of risk presents a number of challenges for the information security manager. For one thing, there is typically not enough information to determine “acceptable levels” with any degree of precision, and, for another, determining the degree of risk is, despite years of study and development, more art than science.
Certainly, at a statistical level we can determine the probable degree of risk, provided there is a large enough sample. Given a large population of individuals, we know how long the average individual will live and how many traffic accidents they will have.
Unfortunately, statistical averages are of little use in determining individual situations.
The responsibilities and objectives of risk management are well described in the ISACA 2008 Certified Information Security Manager Review Manual [2]:
The objective of this job practice area (risk management) is to ensure that the information security manager understands the importance of risk management as a tool for meeting business needs and developing a security management program to support these needs. While information security governance defines the links between business goals and objectives and the security program, security risk management defines the extent of protection that is prudent based on business requirements, objectives, and priorities.
The objective of risk management is to identify, quantify and manage information security-related risks to achieve business objectives through a number of tasks utilizing the information security manager’s knowledge of key risk management techniques. Since information security is one component of enterprise risk management, the techniques, methods and metrics used to define information security risks may need to be viewed within the larger context of organizational risk.
Managing risk effectively is complex, and this complexity is compounded by the fact that risk management responsibilities are usually split between a number of organizational entities, with the consequence that the biggest risk may well be a lack of continuity and integration between these efforts. The fact that all parts of any organization are required to operate in some fashion related to managing risk further complicates the problem. Though many of these risk management concerns may be the responsibility of an organizational risk manager, most will also have a direct impact on information security. This includes most elements of physical security, including how every user of information systems behaves, how physical information is handled, how laptops and other portable devices storing information are managed, and how access to facilities is controlled, to mention a few.
Good metrics directly informative of risk are nonexistent, at least in the area of information security. Although we can get more-or-less direct metrics on technical vulnerabilities, those on most other components of risk, including procedural vulnerabilities, threats, frequency, probability, and magnitude, will not be as simple to obtain. Risk assessments are the primary approach to ascertaining risks but are highly speculative; they are only a snapshot in time and just a form of monitoring. They are also subjective and imprecise, which results in the likelihood that some risks will be overestimated and excessive precautions taken, or that the underestimation of risks will ultimately result in unfortunate consequences.
Although the increasingly sophisticated approaches such as value-at-risk (VAR) computations and other complex analysis methods offer the promise of providing better risk management metrics, most are not ready for general implementation and their utility remains to be demonstrated. In most situations, technical vulnerability scans, security reviews, audits, and monitoring are typically the only viable options.
Against this backdrop of high hurdles, it is nevertheless imperative that risks be managed, and they are often managed quite successfully. It is probably helpful to be lucky as well.
The decisions that must be made by an information security manager about managing risk are numerous, complex, and generally lacking information of sufficient clarity and precision for any degree of certainty. These decisions are often guided by intuition and experience. They are, of course, also sometimes wrong.
The decisions that are typically most important concern the type and level of protection that should be afforded various information-related assets and whether the protection provided is in fact adequate. The whole point of the layered security shown in Table 6.1 is to compensate for the inherent uncertainty in the entire risk assessment and management process.
Though well known to practitioners, it may be useful to dissect the kind of information needed to make rational decisions about managing risks, including:
• Criticality of assets
• Sensitivity of assets
• The nature and magnitude of impact if assets are compromised
• The extent and types of vulnerabilities and conditions that may change them
• The extent and nature of viable and emerging threats
• The probability or likelihood of compromise
• Strategic initiatives and plans
• Acceptable levels of risk and impact
• The possibility of risk aggregation or cascading
Key goal indicators from a governance perspective can be used to indicate whether we are heading in the right direction to appropriately manage risk. Some possibilities to consider can include:
• Complete Periodic Risk Assessment. Despite decades of promoting the necessity for risk assessments, the astonishing fact is that roughly half of all organizations have not done so, including some major financial institutions known to the author. Risks are not likely to be well managed unless they are known. A KGI would be the performance of periodic risk assessments.
• Business Impact Assessment. An even greater percentage of organizations do not engage in business impact assessments and analysis. It is unlikely that risk management efforts will be effectively prioritized or appropriate resources allocated without understanding the potential impacts of compromise. A KGI would be periodic impact assessments of all critical systems.
• Business Continuity Planning/Disaster Recovery (BCP/DR). It is safe to say that organizations that do not do risk assessments and BIAs have not developed BCP/DRP of any consequence. Where plans do exist, one KGI would be tested BCP/DR and another would be maintenance of consistent updates to the plans.
• Defined Risk Appetite. To manage risk appropriately, the level of acceptable risk must be decided in order to know what to manage risk to. A KGI would be defining risk tolerance in terms of maximum acceptable impacts or losses and, perhaps, an acceptable ratio of probable losses to costs of mitigation.
• Asset Classification. Risk management cannot be apportioned appropriately without determining the level of sensitivity and criticality of information assets. A KGI would be documented assignment of asset ownership and classification as to sensitivity and criticality.
Other possible KGIs can include such things as:
• An overall security strategy and program for achieving acceptable levels of risk
• Defined mitigation objectives for identified significant risks
• Processes for management or reduction of adverse impacts
• Systematic, continuous risk management processes
• Trends of periodic risk assessment, indicating progress toward defined goals
• Trends in impacts
• Analysis of collective impact of aggregated risk
• Recognition of the potential for cascading impacts

Table 6.1. Layered security (only fragments of the table survived extraction)
Defenses against system compromise
Policies, standards, procedures, and technology
Prevention: Authentication
Source: Brotby, Krag; “Xerox BASIA Architecture,” 1996.
6.1.3 Business Process Assurance/Convergence—Integrating All Relevant