When it comes to risk analysis, one of the most important tools an IT executive can deploy is compelling language.
Getting buy-in from senior management is one of the most important prerequisites, if not the most important, for effective IT risk management. Senior management will not be interested in the gritty technical details; they will want to ensure that risk analysis:
- Contains thoughtful consideration of all possible risk events
- Uses domain expertise and whatever useful security metrics exist to determine event probabilities
- Leverages business owners' knowledge of their operations to consider the impact of various risk events to the business in a meaningful way
- Introduces as much objectivity and precision as possible into the risk analysis process
- Produces prioritized output to guide executive decision-making on risk management
- Is communicated, including its findings and recommendations, in clear and understandable language
It's also vital to rethink and rephrase the old equation "Risk = (Threat * Vulnerability) / Controls". This formula doesn't factor in the impact of a potential risk occurring, and this is of utmost importance to senior management. The equation also doesn't clarify what "threat" means. The threat must be qualified - for example, is "threat" the level of force being applied by the attacker, the frequency of event occurrence, or both? It's essential to remove ambiguity wherever possible.
The Open Group Security Forum has developed a risk taxonomy that aims to clarify the terminology used in risk management and define the relationships between terms. The objectives of the Open Group Taxonomy Standard are to:
- Educate information security, risk, and audit professionals
- Enable a common language for the information security and risk management profession
- Introduce rigor and consistency into analysis, which sets the stage for more effective risk modelling
- Explain the basis for risk analysis conclusions
- Strengthen existing risk assessment and analysis methods
- Create new risk assessment and analysis methods
- Evaluate the efficacy of risk assessment and analysis methods
- Establish metric standards and data sources
The faster IT architecture evolves, the greater the need for clarity when it comes to risk analysis - clarity not just in terms of language, but also in terms of technique. Effective measurement will bring clarity to your risk analysis. You need to measure the risk and components that contribute to an organisation's risk posture in order to make decisions about which risks to mitigate. Even though collecting information critical to risk analysis can be manual and laborious, making the effort to measure risk factors is essential in order to understand risk and to decide which risks to avoid, accept, transfer, or mitigate.
The Open Group has published a Guide to the Requirements for Risk Assessment Methodologies, which describes the elements that make up an effective risk assessment. The guide seeks to identify and articulate the characteristics that make up effective risk assessment methodologies, providing a standard set of guidelines for risk assessment methodologies.
The IT risk landscape is evolving rapidly. Architectures such as virtualisation and cloud computing all change the way in which information is produced and consumed in an enterprise. Each technology brings its own selection of new vulnerabilities and new risks. While we don't have much control over the speed at which new technology evolves, we do have control over how we define risk.
The Open Group is a supplier-neutral and technology-neutral consortium spanning all sectors of the IT community - IT customers, systems and solutions suppliers, tool vendors, integrators and consultants, as well as academia and researchers.
This was first published in November 2010