Stating the value of having a risk model

Why should we go to the trouble, time, and effort of producing an information security risk model? What value does it bring to the organisation and who is going to use it?

These are questions I’ve been asked in the past few days and if they are being asked of me then it’s likely they are being asked of you too, or you are asking them yourselves.

I have an opinion on the matter that can be summed up in a few short words: Risk assessment is central to improving information security effectiveness and efficiency. Gartner say “A formalized risk management process will enable you to determine specific threats, impacts and vulnerabilities and to identify the appropriate corrective action.”

The value of having a risk model and a risk management program comes at the business unit level. The model provides a framework for identifying controls (which should be measurable, testable, auditable and enforceable), monitoring for exposure to risk and control effectiveness, and incident management.

The fact that a risk model is constructed around negative themes – the bad things that can happen – does little to further our cause when trying to explain the value of the exercise to executives who are likely to perceive the messages as being counter-productive.

What is true is that if we can begin by identifying a valid set of risks that clearly relate to business objectives, we can assign cost and reputation impacts to various scenarios that apply to each. We now have something that management can directly relate to – the bottom line impact on the business. We also have a basis for asking questions around what controls are in place to mitigate the risks that we’ve identified and how effective we believe those controls to be.

The book “Information Security Risk Analysis” by Thomas Peltier (ISBN: 0-8493-0880-1) makes the point “with an effective risk analysis process in place, only those controls and safeguards that are actually needed will be implemented.” The benefits come because it forces us to focus on the issues that are really important, spending money where we most need to spend it.

The real value will come in how we can present the risk model and associated risk assessments to management. For example, it would undoubtedly be shocking for them to see that denial of service is the biggest risk but that the controls to mitigate this risk have not been implemented, or to show that the business is not fully in compliance with relevant legislation.
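To make the two preceding paragraphs concrete, here is a small risk register that ties each risk to a business objective, assigns cost and reputation impacts per scenario, and then ranks risks by residual exposure after the controls that are actually implemented are taken into account. This is an added illustration, not code from the post or from any of the sources it quotes; the annualised expected-loss model, the likelihood figures, the control effectiveness percentages and the three sample risks are all constructed assumptions chosen to reproduce the "biggest risk with no controls in place" situation described above.

```python
from dataclasses import dataclass, field
from typing import List, Dict


@dataclass
class Control:
    """A safeguard that may or may not have been implemented.

    effectiveness is an assumed fraction (0..1) of the scenario's expected
    loss that the control removes when it is in place.
    """
    name: str
    implemented: bool
    effectiveness: float


@dataclass
class Risk:
    """One risk scenario, related to a business objective, with monetised impacts."""
    name: str
    objective: str            # the business objective the risk threatens
    annual_likelihood: float  # assumed expected number of events per year
    cost_impact: float        # direct cost per event (assumed currency units)
    reputation_impact: float  # assumed monetised reputation impact per event
    controls: List[Control] = field(default_factory=list)

    def inherent_exposure(self) -> float:
        """Annualised expected loss with no controls in place."""
        return self.annual_likelihood * (self.cost_impact + self.reputation_impact)

    def residual_exposure(self) -> float:
        """Expected loss that remains after implemented controls are applied.

        Controls are assumed to act independently, so the remaining fraction
        is the product of (1 - effectiveness) over the implemented controls.
        Unimplemented controls contribute nothing, which is the point the
        post makes about denial of service.
        """
        remaining = 1.0
        for control in self.controls:
            if control.implemented:
                remaining *= 1.0 - control.effectiveness
        return self.inherent_exposure() * remaining

    def missing_controls(self) -> List[str]:
        """Names of controls identified for this risk but not yet implemented."""
        return [c.name for c in self.controls if not c.implemented]


def build_sample_register() -> List[Risk]:
    """Constructed sample data: three risks with illustrative figures."""
    return [
        Risk("Denial of service", "Keep the online sales channel available",
             annual_likelihood=2.0, cost_impact=50_000, reputation_impact=25_000,
             controls=[Control("DDoS scrubbing service", False, 0.7),
                       Control("Edge rate limiting", False, 0.3)]),
        Risk("Customer data breach", "Protect customer records",
             annual_likelihood=0.2, cost_impact=400_000, reputation_impact=200_000,
             controls=[Control("Encryption at rest", True, 0.5),
                       Control("Quarterly access reviews", True, 0.4)]),
        Risk("Backup restore failure", "Recover from a data loss event",
             annual_likelihood=0.5, cost_impact=60_000, reputation_impact=0,
             controls=[Control("Offsite backups", True, 0.6),
                       Control("Quarterly restore test", False, 0.5)]),
    ]


def rank_by_residual(register: List[Risk]) -> List[Dict[str, object]]:
    """Rows for a management report, highest residual exposure first."""
    rows = []
    for risk in register:
        rows.append({
            "risk": risk.name,
            "objective": risk.objective,
            "inherent": round(risk.inherent_exposure(), 2),
            "residual": round(risk.residual_exposure(), 2),
            "missing_controls": risk.missing_controls(),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def unmitigated_top_risks(register: List[Risk], top_n: int = 1) -> List[str]:
    """Names of the top-N risks whose identified controls are still not in place.

    This is the finding the post describes as 'shocking' to management.
    """
    ranked = rank_by_residual(register)[:top_n]
    return [r["risk"] for r in ranked if r["missing_controls"]]


if __name__ == "__main__":
    for row in rank_by_residual(build_sample_register()):
        print(f"{row['risk']:<24} inherent={row['inherent']:>10,.0f} "
              f"residual={row['residual']:>10,.0f} missing={row['missing_controls']}")
    print("Top risks with controls not implemented:",
          unmitigated_top_risks(build_sample_register()))
```

The report sorts by residual rather than inherent exposure on purpose: a risk with a large headline impact but well-implemented controls should rank below a moderate one that has nothing in place, which is exactly the message that gives the exercise bottom-line meaning for executives.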

Some might argue that compliance (with the likes of PCI and SOX) simply requires the business to follow a check list and work through a series of action items until all the right boxes have been ticked, and so going to the trouble of creating a risk model is simply going to be stating the obvious. There’s a blog entitled “Practical Risk Management” which makes the following statement: “If you want to check boxes, surface audits are fine. But if you want to understand your true security exposure, you have to dig deeper. It’s not enough to ask whether regular backups are taken and stored offsite. You have to ask how often….You have to dig deeper than the surface and get to where the substance lives if you want to get a real sense of things. After all, if you have to endure a security audit, it’d be nice to actually get some value out of it.”

So, with that all said, I hope I’ve explained why we should be looking at risk models and why they are important.

Anyway, it’s the weekend. If I write any more today the bad outcome that will apply is: “disgruntled wife” and the potential event costs are too much to contemplate!