IT security risk assessment in the real world

Without an accurate estimation of risk you may be putting your company's resources into protecting the wrong things.


Stuart King 



A business hosts a web site which it uses for selling the ubiquitous widget. Customers browse to the web site, select a widget, enter their credit card details to pay, and the business then ships the widget to the customer. Your role is to define the risk. Where do you begin?


Risk assessment is a fundamental of IT security. Without an accurate estimation of risk you are likely to be either overspending or underspending on protecting your business assets, and perhaps putting resources into protecting the wrong things altogether.


Given the online widget shop, we must first consider the bad outcome scenarios that could realistically affect the product. For example, one scenario that may come to mind is that a malicious web user discovers a way to bypass the online payment functions and places an order for the product without paying. For this scenario, and for any bad outcome, we want to consider three factors: threat, vulnerability and cost.


The threat is a measure of the probability of the scenario occurring. Vulnerability is the current state of susceptibility to the threat, and cost is the estimated cost of a single occurrence of the bad outcome. Each of the three factors should be rated on the same numeric scale so that a final calculation can be performed and a value assigned to the risk; rating threat on a 1 to 5 scale while expressing cost in pounds, for instance, would make the combined figure meaningless.


Back to our widget store: we now want to assign a value to each of the three factors. This requires a good deal of further questioning. In this particular case, how well known is the online store? If it has been the subject of a TV advertising campaign then there is a higher likelihood of somebody attempting malicious activity than if it is a store serving a small niche market. If the widget being sold is highly desirable then, again, the value assigned to the threat may be considered greater than that for a common, cheaply priced consumer item.


For vulnerability, we might consider whether or not back-office services would despatch a product without confirmation that a cleared payment has been received. Perhaps an external vulnerability or penetration test has found the web application to be very secure, in which case the value assigned to the vulnerability might be quite low. Bear in mind, though, that a clean test result only covers what was in scope: a business-logic flaw such as despatching before payment clears often lies outside a technical test of the web front end, so the vulnerability rating should reflect the end-to-end order process, not just the web site.


Lastly, what would be the cost to the business of the bad outcome occurring? Be realistic, but also consider some non-tangible costs such as business reputation and customer confidence. The product being sold may be cheap, but if it became public knowledge that it was being sold across an insecure web site then the cost of the event may far exceed the price of a widget.


Each of the three values is open to much debate and it’s generally agreed best practice for them to be decided within a group of people from across the business rather than being the remit of a single individual to decide.


There are also likely to be a number of different bad outcome scenarios to consider. For the widget shop, another risk to consider might be the likelihood of customer credit card data being compromised, and perhaps a denial of service scenario too.


With a rating assigned to the risk of each scenario, you are then in a strong position to compare them and determine the most cost-effective mitigating controls to implement.
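The following is an added worked example, not code from the article or its author, that carries the threat, vulnerability and cost ratings described above through to a risk value for each of the three widget-shop scenarios (payment bypass, card data compromise and denial of service), combines a group's ratings rather than a single person's, and ranks candidate controls by how much risk they remove per unit of cost. Everything beyond the three-factor model is an assumption: the 1 to 5 scale, the formula risk = threat x vulnerability x cost, the use of the high median to combine the group's ratings, the control costs and residual vulnerability ratings, and all of the sample numbers, which are constructed for illustration.

```python
"""Added worked example for the widget-shop risk assessment.

Illustrative code written for this article, not the author's own method.
Assumptions not stated in the article: every factor is rated on a 1-5 scale,
risk = threat * vulnerability * cost, the group's ratings are combined with
the high median, and a control's cost-effectiveness is its risk reduction
divided by its implementation cost. All ratings, controls and costs below
are constructed sample data.
"""
from dataclasses import dataclass
from statistics import median_high
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5  # assumed common scale for threat, vulnerability and cost


@dataclass
class Scenario:
    name: str
    threat: List[int]          # one rating per member of the assessment group
    vulnerability: List[int]
    cost: List[int]


@dataclass
class Control:
    name: str
    scenario: str                # name of the scenario it mitigates
    implementation_cost: float   # arbitrary currency units (assumed)
    residual_vulnerability: int  # vulnerability rating once the control is in place


def group_rating(ratings: List[int]) -> int:
    """Combine the group's ratings into one value on the agreed scale.

    Every rating is checked against the scale first: a factor rated in pounds
    or percentages would make the final product meaningless. The high median
    stays on the integer scale and is not dragged by a single outlier.
    """
    if not ratings:
        raise ValueError("no ratings supplied")
    for r in ratings:
        if not SCALE_MIN <= r <= SCALE_MAX:
            raise ValueError(f"rating {r} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return median_high(ratings)


def risk_score(s: Scenario, vulnerability: Optional[int] = None) -> int:
    """Assumed formula: risk = threat x vulnerability x cost.

    `vulnerability` overrides the group rating so the score can be recomputed
    with the residual vulnerability left after a control is applied.
    """
    v = group_rating(s.vulnerability) if vulnerability is None else vulnerability
    return group_rating(s.threat) * v * group_rating(s.cost)


def rank_scenarios(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest risk first; this is the order in which to look for controls."""
    return sorted(scenarios, key=risk_score, reverse=True)


def control_value(control: Control, scenarios: List[Scenario]) -> float:
    """Risk points removed per unit of implementation cost (assumed measure)."""
    scenario = next(s for s in scenarios if s.name == control.scenario)
    before = risk_score(scenario)
    after = risk_score(scenario, control.residual_vulnerability)
    return (before - after) / control.implementation_cost


# Constructed sample data for the three scenarios the article mentions.
SCENARIOS = [
    Scenario("Payment bypass", threat=[3, 4, 3], vulnerability=[2, 2, 3], cost=[4, 3, 4]),
    Scenario("Card data compromise", threat=[4, 4, 5], vulnerability=[3, 2, 3], cost=[5, 5, 5]),
    Scenario("Denial of service", threat=[3, 3, 2], vulnerability=[4, 3, 4], cost=[2, 3, 2]),
]

# Constructed candidate controls, one per scenario.
CONTROLS = [
    Control("Despatch only on cleared payment", "Payment bypass", 10.0, 1),
    Control("Tokenise card data with payment provider", "Card data compromise", 40.0, 1),
    Control("DDoS scrubbing service", "Denial of service", 30.0, 2),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:<24} risk={risk_score(s)}")
    for c in sorted(CONTROLS, key=lambda c: control_value(c, SCENARIOS), reverse=True):
        print(f"{c.name:<42} value={control_value(c, SCENARIOS):.2f} per unit cost")
```

With these sample ratings the card data scenario scores 60 against 24 for each of the other two, yet the cheap despatch-on-cleared-payment control comes out as the best value per unit spent (1.2 risk points per unit, against 1.0 for tokenisation and 0.4 for DDoS scrubbing), which is the point of rating every scenario on one scale before choosing where to spend.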


With little historical data to go on, risk assessment can be a “finger in the wind” exercise. However, looking critically at the threat, vulnerability and event costs related to particular scenarios enables us to prepare a firmer business case for managing and mitigating risk.



Stuart King CISSP is an information security professional employed by the Reed Elsevier Group, responsible for assessing and managing risk across the enterprise with a particular emphasis on online products
