Stuart King
A business hosts a web site which it uses for selling the ubiquitous widget. Customers browse to the web site, select a widget, enter their credit card details to pay, and the business then ships the widget to the customer. Your role is to define the risk. Where do you begin?
Risk assessment is a fundamental of IT security. Without an accurate estimate of risk you are likely to be either overspending or underspending on protecting your business assets, and perhaps putting resources into protecting the wrong things altogether.
Given the online widget shop, we must first consider the bad outcome scenarios that could realistically affect the product. One scenario that may come to mind is that a malicious web user discovers a way to bypass the online payment functions and places an order for the product without paying. For this scenario, as for any bad outcome, we want to consider three factors: threat, vulnerability, and cost.
The threat is a measure of the probability of the scenario occurring. Vulnerability is the current state of susceptibility to the threat, and cost is the estimated cost of a single occurrence of the bad outcome. Each of these three factors should be rated on the same numeric scale so that a final calculation can be performed and a value assigned to the risk.
Back to our widget store: we now want to assign a value to each of the three factors. This requires a good deal of further questioning. In this particular case, how well known is the online store? If it’s been the subject of a TV advertising campaign then there’s a higher likelihood of somebody attempting malicious activity than if it’s a store serving a small niche market. If the widget being sold is highly desirable then, again, the value assigned to the threat may be considered greater than that for a common, cheaply priced consumer item.
For vulnerability, we might consider whether or not back-office services would despatch a product without confirmation that a cleared payment has been received. Perhaps an external vulnerability – penetration – test has determined that the web product is very secure, in which case the value assigned to the vulnerability might be quite low.
Lastly, what would be the cost to the business of the bad outcome occurring? Be realistic, but also consider intangible costs such as business reputation and customer confidence. The product being sold may be cheap, but if it became public knowledge that it was being sold across an insecure web site then the actual event costs may far exceed the cost of a widget.
Each of the three values is open to much debate, and it’s generally agreed best practice for them to be decided by a group of people from across the business rather than left to a single individual.
There are also likely to be a number of different bad outcome scenarios to consider. For the widget shop, another risk to consider might be the likelihood of customer credit card data being compromised, and perhaps a denial of service scenario too.
With a rating assigned to the overall risk of each scenario, you are then in a strong position to determine the most cost-effective mitigating controls to implement.
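As an added worked example (not from the original post), here is the three-factor rating carried through for the widget shop's three scenarios in Python. It assumes a shared 1-to-5 scale, a multiplicative combination of the factors, and the median as the way to settle differing ratings from a group of assessors; the ratings themselves are constructed.

```python
from statistics import median

# Assumption: every factor is rated 1 (low) .. 5 (high); the post fixes no particular scale.
SCALE = range(1, 6)


def consensus(ratings):
    """Collapse one rating per assessor into a single value (median resists a lone outlier)."""
    for r in ratings:
        if r not in SCALE:
            raise ValueError(f"rating {r} is off the 1-5 scale; all factors must share one scale")
    return median(ratings)


def risk_score(threat, vulnerability, cost):
    """Assumed formula: threat x vulnerability x cost, each already on the shared scale."""
    return consensus(threat) * consensus(vulnerability) * consensus(cost)


def rank_scenarios(scenarios):
    """Return (scenario, score) pairs, highest risk first, to guide where controls go."""
    scored = [(name, risk_score(**factors)) for name, factors in scenarios.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed ratings from three assessors for the post's three widget-shop scenarios.
WIDGET_SHOP = {
    "payment bypass": {"threat": [3, 4, 3], "vulnerability": [2, 2, 1], "cost": [4, 5, 4]},
    "card data compromise": {"threat": [4, 4, 5], "vulnerability": [3, 2, 3], "cost": [5, 5, 5]},
    "denial of service": {"threat": [2, 3, 2], "vulnerability": [4, 4, 3], "cost": [2, 2, 3]},
}

if __name__ == "__main__":
    for name, score in rank_scenarios(WIDGET_SHOP):
        print(f"{score:3}  {name}")
```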
With little historical data to go on, risk assessment can be a “finger in the wind” exercise. However, looking critically at the threat, vulnerability and event costs related to particular scenarios enables us to prepare a firmer business case for managing and mitigating risk.
Stuart King CISSP is an information security professional employed by the Reed Elsevier Group, responsible for assessing and managing risk across the enterprise with a particular emphasis on online products.