This article can also be found in the Premium Editorial Download "IT in Europe: Handle with care: Calculating and managing risk is tricky business."
Download it now to read this article plus other related content.
The banking crisis of 2008 did much to dent the reputation of risk management as a discipline.
With their teams of Ph.D. geniuses, the banks had created what looked like unbreakable predictive models to help them manage the risks implicit in allowing more and more people to take out mortgages, which a staggering number of customers were never able to repay.
When the whole banking system collapsed like a house of cards, the pseudo-scientific mathematical formulae that underpinned the businesses (and which, it emerged later, few people understood) were revealed to be more pseudo than scientific. Their complexity had provided a veneer of reassurance, but their failure came as a stark reminder that risk calculation is by no means synonymous with risk mitigation.
It is a lesson that information security professionals should heed: system controls, policies and procedures designed to cope with last year’s problems can be easily rendered ineffective by this year’s new and emerging threats.
For example, no sooner have organisations decided how to handle USB sticks than they have other questions to answer, such as how to deal with smartphones, iPads and social networking sites; users’ requirements for technology often outstrip the security team's ability to protect their devices.
And 2011 will no doubt introduce even more must-have gadgets, plus new forms of malware presented by an ever more resourceful criminal underworld. Add to that the rise of Internet-based campaigns by special interest groups such as those that sprang to the defence of WikiLeaks founder Julian Assange, and the possibility of state-sponsored cyber aggression, and it would be a brave or foolish person who would claim to have it all under control.
Nevertheless, risk management is an essential part of information security, and organisations must do their best to protect their most valuable assets against whatever new business risks fate may throw at them. Assessing any kind of risk will always involve some level of guesswork; the skill is in reducing the margin of error to an acceptable level.
Back to basics
Risk is generally calculated by combining the likelihood of a threat and its potential effects. To take a simple example: It is a sure bet that there will be viruses on the Internet, and the effect of viruses on an organisation's systems, if left unchecked, would undoubtedly be disruptive, to say the least. Therefore, the risk is high, and the company must apply a mitigating control (such as antivirus software and firewalls) to manage the risk.
So far, so easy: In this example, the negative effects and ubiquity of viruses are well established, and antivirus software is not too expensive.
The picture becomes more complex when any of the factors are less certain, or if the cost of a mitigating control is too high. For instance, how important is proper function of an enterprise’s payroll system? Obviously, it is vital to pay workers, but, in reality, the loss of the system for a few days (as long as none of them are pay day) would have little impact.
How likely is it that the payroll server would go down (via a virus, or even a simple hardware or software failure)? This is a key question when determining how much to invest in its security and redundancy. Probably, with good maintenance, the payroll server is unlikely to break down, and with standard security practices, the payroll system is typically secured with relative ease, so the risk is probably not high enough to justify having a standby server. The payroll manager may not agree, but the business may decide it’s a risk it can live with.
Which leads to the next question: Who decides when it comes to the impact and likelihood of risk? The security pros can probably estimate the reliability of a server, but they alone cannot determine the business effects, nor the cost of the mitigating control (the standby server). Those things are down to the business, and its appetite for risk.
Planning a risk assessment
Nick Frost, global account manager for the Information Security Forum, a membership organisation comprised of more than 300 major corporations, has spent the last 10 years researching risk management. He says the best companies have shifted their focus from individual IT systems to business processes. The effect has been dramatic.
“The planning and scoping of risk assessments has improved beyond recognition from what I saw 10 years ago,” he said. “It used to be done at a system level and in an ad hoc manner, and organisations targeted what the IT manager thought was the most important system, such as email or the public website. There was a disconnect between what the business thought was important for them, and what the IT function considered to be important.”
The best companies, he said, now plan their risk assessments according to their most critical business processes. “Before they even start thinking about systems that need to go through a risk assessment, they identify the critical processes,” he said.
If, as is usual these days, the organisation has mapped its business processes, the information risk manager has a perfect starting point for planning and scoping an assessment of the most critical processes. “The best CISOs look at processes, not just systems,” he said. “They can then determine which are the systems that are fundamental in keeping that business process working.”
The benefit of focusing first on the process level is that the assessment can incorporate a broader and more practical list of the types of security threats. These can include accidental threats, such as people entering the wrong data by mistake, for example, and the resultant assessment tends to be more complete, rather than focusing just on technical faults.
Having identified critical processes, risk managers can then start classifying the information assets of the organisation, which can include applications and data as well as servers and networks.
The aim is to build an inventory of the assets and to understand their relative importance to the organisation, which needs to be done in a structured and objective way.
Every business owner thinks his or her system is the most important, so if you have a structured way of assessing criticality, you force the owners to use a company-wide yardstick to measure
what could go wrong if a system were down for a day, or if they had a breach of confidentiality.
cofounder and managing director, Citicus Ltd.
“Most organisations have a gut feeling about what is important, but when they take a structured and objective approach, organisations can be surprised by what is revealed,” said Simon Oxley, one of the founders and the managing director of Citicus Ltd., which sells consultancy and software to support risk assessments. “Every business owner thinks his or her system is the most important, so if you have a structured way of assessing criticality, you force the owners to use a company-wide yardstick to measure what could go wrong if a system were down for a day, or if they had a breach of confidentiality.”
Oxley favours a standard approach, which forces each business owner to rank the criticality of his or her assets by assessing the damage that could occur if the asset was compromised for an hour, a day or a week. How serious would the damage be in terms of profits, performance and reputation? That then allows the organisation to identify which are the most sensitive systems.
“It’s not rocket science, but if you have a structured approach, it just helps you to channel your efforts and cash more effectively,” Oxley said.
“Some organisations start by thinking they have a lot of critical information systems, but they find they only have a handful that are really critical to the organisation; the others are important to the people responsible for them, but they are not critical.”
The exercise can also uncover some uncomfortable truths, he said, such as a critical business process running on an Excel spreadsheet that the user has developed alone, without an external code review. “When you begin the process, you may think the critical assets are the big business applications (such as finance or payroll), but it is often a surprise how big a role these spreadsheets play. Organisations discover they don’t have a lot of control over them, and that they run the risk of data integrity problems,” Oxley said.
The risk assessment process
Having identified the critical business processes, and the critical information assets that underpin them, then a more detailed assessment of risks can begin. This is probably the most demanding and arduous part of the process, because it requires all parts of the business to come together to assess the risks, with the meetings facilitated by an information security professional.
“We encourage people to do workshop-based risk assessments,” Oxley said, “where you pull together the business person responsible for the assets, plus those with information about the risk: IT operations, IT development and internal auditors. You use a risk scorecard in the discussion, and the interplay of their different perspectives helps to get a realistic picture of the risk.”
The workshops generally last for no longer than two hours to avoid attention fatigue, and they can bring to light some incongruent views, Oxley said. For instance, a business owner may report that the applications are running fine, whereas users may be aware of problems that have occurred.
In another instance, a business owner reported that his system had experienced recurring problems. In the workshop, IT operations explained that the system shared a server with another application that was causing all the trouble. Operations assumed there was no budget for a dedicated server, but once the business owner learned the truth, he provided the money to make it happen. “No one had asked him if he’d pay for a separate server before,” Oxley said. “There is a lack of communication within organisations, and this leads to people taking decisions based on their own perceptions without using a structured approach.”
Preparing for the worst
Like it or not, some threats cannot be managed. A sustained attack by a foreign power -- such as Operation Aurora of a year ago, determined DDOS attacks and new malware such as Stuxnet -- could all be impossible to prevent, either because they exploit unpatched vulnerabilities, or because of the sheer force they apply.
By doing the cyberresponse exercise, business managers can see what could go wrong with their side of the business.”
—NICK FROST, global account manager,
Information Security Forum
According to ISF’s Frost, many organisations now conduct what are essentially tabletop exercises in order to plan how they would react to the kind of eventuality where, for example, an unstoppable infection was spreading on the network, or a system had been put out of action by a DDoS attack, and the attackers were asking for a ransom.
The response exercise takes the form of a meeting, attended by senior managers representing affected units, where a threat scenario is proposed. Their task is to decide what would be the best course of action.
A well-prepared exercise will keep introducing new uncertainties. For instance, after a server goes down and a standby machine begins running its application, this secondary server is then brought down as well. “By doing the cyber-response exercise, business managers can see what could go wrong with their side of the business,” Frost said. “So when a list of controls is presented after the exercise, he or she is in a much better position to decide if the controls are applicable, and to understand and acknowledge their security functions.”
New skills needed
All of those involved in risk management acknowledge that it is not easy, and that it is not a purely technical discipline. The information security professional (or more precisely, the information risk professional) needs strong personal qualities, including the ability to explain, persuade and negotiate with people at all levels of the organisation.
The language of risk provides IT and business with a common vocabulary that both can understand and employ. It also helps to inject interest and excitement into a subject that can often seem remote and boring to non-technical people.
“Risk management is not easy. It takes a lot of time and negotiation to be successful,” said Marcus Alldrick, senior information risk and protection manager at Lloyd’s of London. “That is why information security people need to be able to communicate. There are plenty of tools and methodologies around to help with risk management, but the real challenge is getting buy-in from the business and putting it into practice.”
This was first published in April 2011