
How can businesses determine and assess risk?

published on 2022-06-01 12:31:47 UTC by

Risk... it’s a word that creates tension for many and excitement for others! Risk is a part of everyday life. It’s certainly a part of business, and burying our heads in the sand is not an option. If we try to eliminate every single risk, we end up managing risk rather than “doing the do” or living life. Business relies on effective risk management.

Below, the excellent Tim Pinnell from NQA discusses how to acknowledge and assess risk. He explains that doing so enables you to make informed decisions about the “what next” questions. It’s a great read and will help you review your own risks and your own way forward.

One of the most important elements in an information security audit is the review of an organisation’s information security risks. An organisation that understands its risks can make informed decisions on what actions it might take: whether to treat the risk, to put up with it, or perhaps to transfer it to an insurance policy. An organisation that knows the risks it faces is in a strong position to weather business storms.

Almost all SMEs take information security risk assessment very seriously, despite perhaps not having the expertise. And yet I frequently see organisations that have not been able to articulate their information security risks. But people in business are experts in business risk, making risk decisions every day. So why is there a difference in understanding between business risk and information security risk?

On closer examination the principles are the same, and it becomes apparent that the problem lies in articulating information security risk.

A risk is made up of two components: something that could happen, and the consequences if it does happen. It’s easy to think of business risk examples, such as failed business plans having an impact on the bottom line.

Here’s an example of a poorly described information security risk; it is typical of many of the risk descriptions I see whilst auditing:

Access control failure causes loss of information

How can that help support decision making? There’s so much missing from it: what kind of access control failure (physical or IT), why did the control fail, what asset was it protecting? And then consider the consequences – loss of information might not be an adverse consequence if the information had no value. So we need to know what information was lost and the impact of that loss, bearing in mind that impacts can comprise a number of factors – cost of remediation, fines, loss of customer business, drop in share price, customer rebates etc.

This is a better risk description:

A lack of strong passwords on the file server could allow insiders to delete personnel files, resulting in an ICO fine of up to £10000

Note that there’s no mention of how likely the incident is to occur, so this is an improvement:

There is a 10% likelihood that a lack of strong passwords on the file server will result in insiders deleting personnel files, leading to an ICO fine of up to £10000 and unspecified employee compensation

Likelihood is an attempt to predict the future, so it’s not an exact science. But the most important thing is to make a prediction and to avoid the middle ground (it might happen, it might not), because that won’t help decision making. Note also the change in terms: could has become will. This is necessary because of the addition of likelihood: the risk is a statement of the likelihood of a specific event occurring and the impact of that occurrence.

The important thing to note is that the risk is self-explanatory. Anybody reading it will easily understand it, which is important during the Great Resignation and the constant loss of corporate knowledge. If all the information security risks are similarly articulated then the consistency and repeatability of the process is ensured, regardless of who in the future is following it.

Some organisations break this out into a table which aids comparability with other risks:

And there’s no tech speak involved; bear in mind that the people who need persuading to take action are the business managers, such as the CEO and CFO. This helps top management articulate their information security risk appetite, and their job can be made easier still by including the risk treatment cost:

Doing the maths, the business is carrying a £1000 (10% × £10000) risk that will cost £500 to treat. Treating it is arguably not worth doing unless implementing strong passwords treats other risks as well; the lesson is that risks and their treatments should never be considered in isolation.

Many organisations use a High/Medium/Low (RAG) method of scoring risks. But such methods need criteria that explain what High, Medium and Low mean for likelihood and for impact, and the finer decision-making detail can be lost, particularly for impact: consider a high-profile data breach from the news and all the cost factors that went into remediating it.

Another thing organisations sometimes get wrong is assuming that implementing a risk treatment always reduces the impact. Risk treatments usually reduce the likelihood: you can make it harder for a ransomware attack to occur, but when one does, that hard drive is still going to be encrypted.
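As an added example (not part of Tim Pinnell’s article or the WMCRC page), here is a small risk-register model in Python that encodes the two points above: a treatment is modelled as reducing likelihood only, never impact, and its benefit is summed over every risk that shares the treated cause, so the strong-password treatment that is "arguably not worth doing" for the personnel-file risk alone becomes worthwhile once a second risk with the same cause is counted. The second risk, the halving factor and the £20000 figure are constructed assumptions; the 10%, £10000 and £500 come from the article.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    """One risk-register row holding the parts the article says a risk needs."""
    vulnerability: str     # the control weakness
    event: str             # what could happen if it is exploited
    consequence: str       # the business impact, in business language
    impact_gbp: float      # that impact in money terms
    likelihood_pct: float  # chance over the review period, in percent

    def expected_loss(self) -> float:
        """Likelihood x impact: the article's '£1000 (10% * £10000)' sum."""
        return self.likelihood_pct * self.impact_gbp / 100

    def describe(self) -> str:
        """Render the row in the article's 'There is a X% likelihood...' form."""
        return (f"There is a {self.likelihood_pct:g}% likelihood that "
                f"{self.vulnerability} will result in {self.event}, "
                f"leading to {self.consequence}")

@dataclass(frozen=True)
class Treatment:
    """A treatment scales likelihood down; impact is deliberately left alone."""
    name: str
    cost_gbp: float
    residual_factor: float  # multiplier on likelihood, e.g. 0.5 halves it (assumed)
    treats: frozenset       # vulnerabilities this treatment addresses

def apply(risk: Risk, treatment: Treatment) -> Risk:
    """Residual risk after treatment; unchanged if the treatment is irrelevant."""
    if risk.vulnerability not in treatment.treats:
        return risk
    return replace(risk, likelihood_pct=risk.likelihood_pct * treatment.residual_factor)

def benefit(register, treatment: Treatment) -> float:
    """Expected-loss reduction summed over every risk the treatment touches."""
    return sum(r.expected_loss() - apply(r, treatment).expected_loss() for r in register)

def worth_treating(register, treatment: Treatment) -> bool:
    """Treat when the summed reduction exceeds the one-off treatment cost."""
    return benefit(register, treatment) > treatment.cost_gbp

# Constructed register: the article's risk plus a second one sharing its cause.
WEAK_PW = "a lack of strong passwords on the file server"
PERSONNEL = Risk(WEAK_PW, "insiders deleting personnel files",
                 "an ICO fine of up to £10000", 10000, 10)
CUSTOMER = Risk(WEAK_PW, "insiders copying the customer list",
                "loss of customer business worth £20000", 20000, 5)
STRONG_PW = Treatment("strong passwords", 500, 0.5, frozenset({WEAK_PW}))
```

Calling `worth_treating([PERSONNEL], STRONG_PW)` returns False (a £500 reduction for a £500 cost), while `worth_treating([PERSONNEL, CUSTOMER], STRONG_PW)` returns True, and `apply` never changes `impact_gbp`.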

There are a variety of risk management techniques, such as ISO 27005 and ISO 31000. Time spent on risk analysis and on articulating risks in business terms is time well spent.

Article: How can businesses determine and assess risk?

https://www.wmcrc.co.uk/post/how-can-businesses-determine-and-assess-risk
Published: 2022 06 01 12:31:47
Received: 2022 06 02 08:09:30
Feed: The Cyber Resilience Centre for the West Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security