Module 2 - Information Risk Management
This course provides a strong risk management foundation by initially investigating what risk is and how it affects an organization. It then looks at managing risk through a detailed review of the four stages of the risk management lifecycle, before identifying risk analysis approaches and providing some helpful risk register examples.
The objectives of this course are to provide you with an understanding of:
- What risk means, how it arises and the likelihood of it impacting an organization
- The effect big data, the Internet of Things and social media have on the risk landscape
- Management techniques used by organizations to understand the risks they face
- Risk treatment and risk reduction methods
- The risk management lifecycle, illustrating how risks are identified, analysed, treated and monitored
- Qualitative and quantitative methods of risk analysis
- How assets can be classified to help manage risk
This course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific prerequisites for this course; however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at email@example.com if you are unsure about where to start or if you would like help getting started.
Welcome to this video on risk management, which builds on the principles of risk by introducing the risk management lifecycle, illustrating how risks are identified, analysed, treated and monitored.
Within this, we’ll investigate further the qualitative and quantitative methods of risk analysis before reviewing some examples of how risks are classified, recorded and managed through a risk register.
We’ll end by taking a brief look at how assets can be classified to help manage risk.
Let’s start by looking at the risk management lifecycle.
This is an iterative process which has four stages:
· Identification – the collation of vulnerabilities and threats identified for assets;
· Analysis – establishing the impacts and likelihood that these will occur;
· Treatment – deciding on options to address the risk and how they can be implemented, including looking at methods to reduce the likelihood of risks arising; and
· Monitoring – which is observing existing risks to ensure they’re not worsening.
We’ll look at each of these in more detail later in this video.
These four stages can be seen in the more detailed approach to risk management that forms the basis of the ISO 27005 standard.
It starts with context, where information about the organization is gathered. Then the risk assessment phase which includes risk identification, analysis and evaluation. Then, after the risks have been analysed and understood, the risk treatment phase can begin.
You can also see that continuous monitoring and communication with stakeholders is built into the process.
Risk management doesn’t occur in a vacuum; it’s there to help the business achieve its objectives. So, the risk manager must understand the business and its objectives, together with the resources it uses and the constraints it works within.
Different organizations have different criteria for deciding how much risk they’re prepared to accept. This is known as their risk appetite. It’s not uncommon for different business units or departments within the same organization to have different risk appetites.
As we’ve seen, before risk can be analysed and assessed, it must be identified. And this means defining which asset is at risk.
An organization will generally have a register of its assets. However, many have been poor at keeping a register of their data assets.
Now that GDPR has been introduced – with its increased fines for failures to protect personal data – organizations are taking control of their data assets much more seriously.
As well as defining the asset at risk, vulnerabilities and threats must be considered before risk can be identified and analysed. The data asset register should contain information about the location of the data, in addition to identifying the data owner and the value of the data.
Ownership of the data is important as ultimately the data owner is responsible for deciding whether to accept the risks identified through the risk assessment.
The risk will generally relate to the value of the data. However, this isn’t always easy to calculate. In addition to the cost of replacing the data, value includes other losses which would result from it being damaged, lost or temporarily unavailable. It would also reflect any potential legal penalties for failing to secure the data properly.
Vulnerabilities are weaknesses within the organization, so they’re often easier to find than threats, which can be internal or external. There are many vulnerability assessment tools, like Nessus, which automatically scan networks to find vulnerabilities.
Automated scans are highly efficient, but their results shouldn’t be blindly accepted. They’ll often highlight a vulnerability but clearly can’t ‘understand’ what other controls are in place to mitigate it.
There’s no excuse for an organization to be unaware of the internal threats it faces. However, external threats can be difficult to identify.
Some suppliers of security products provide information about threats communicated by their customer base. There’s also open source intelligence (or OSINT) about threats, like the Cyber Security Information Sharing Partnership (CISP) which is a joint UK Government and industry initiative.
After the risk is identified it needs to be analysed. There are three main types of risk analysis.
· Qualitative analysis which uses subjective ways of describing the risk, impact and likelihood. These are often categorized as low, medium and high, although many organizations link these to numeric ranges, for example high impact might mean a loss in excess of £1,000,000;
· Semi-quantitative which is similar to qualitative, but uses numbers, like 1, 2 and 3, instead of low, medium and high; and
· Quantitative analysis which uses calculated values for impact and likelihood. If these values can be calculated accurately then the annual cost of the risk can be calculated.
Let’s move on to look at examples of how these different types of analysis can be portrayed.
This is an example of qualitative analysis of risk through a simple 3 x 3 risk matrix comprising impact ratings and likelihood ratings from low to high.
Risk matrices are also shown as a 5 x 5 grid to incorporate more granular definitions of impact and likelihood.
There will usually be separate matrices for risks to confidentiality, integrity and availability, and each risk will be colour-coded for visual impact, often using a RAG (red, amber, green) rating system.
The matrix approach provides the basis for risks to be prioritized and is commonly used.
The semi-quantitative method shown here assigns numeric values for impact and likelihood. It then enables a value to be assigned to the risk by multiplying the associated numbers.
The semi-quantitative approach also allows risks to be prioritized, for example a risk scoring 9 ranks above a risk scoring 3. However, a risk of 9 is not necessarily three times greater than a risk of 3 – the number represents a priority, not an absolute value, so the scores should not be added up or treated as money.
Quantitative risk analysis begins by calculating the Single Loss Expectancy which is the actual monetary cost of a single incident. This is the Asset Value multiplied by the Exposure Factor.
The Exposure Factor is the fraction or percentage which specifies how much of the asset value is lost. Organizations will often simply set this to a value of 1 or 100% to assume that all the value is lost.
The Annualized Loss Expectancy is the estimated cost of the risk for the year. This is calculated by multiplying the Single Loss Expectancy by the estimated Annual Rate of Occurrence (the number of times the incident is expected per year, which can be a fraction such as 0.25 for once every four years). This allows the cost of mitigating the risk to be compared with the cost of accepting it: a control is worth its price when the reduction in ALE it delivers exceeds its annual cost. However, for the calculations to have any value, the data used in them must be accurate.
Many organizations have insufficient or inaccurate information about asset values and incident rates, so this method is not widely used.
Risks can be collected in a risk register which is often collated in a spreadsheet or through a software package like Active Risk Manager from Sword Active Risk.
Let’s look at a few examples of risk register entries, together with the appropriate impact, likelihood and risk levels identified.
This example represents a vulnerability found through penetration testing – web pages are revealing too much information about the site’s development environment which potentially helps attackers plan and launch attacks. The impact on the asset – the website – is low and the likelihood of the threat occurring is medium. So, the resulting risk is rated as medium.
This next example shows a common risk where business continuity plans aren’t tested and updated regularly, so they’re potentially ineffective. As you can see, the impact of a disaster is rated as high although, depending on the location of a data centre or the office building in question, it could be rated as medium. The risk rating is also high.
This can now be justifiably escalated to make senior management aware of the risk.
This final example reflects another common organizational risk of a failure to segregate duties. Segregation of duties is important to reduce the opportunity for fraudulent misuse of an organization’s assets.
Here, the impact is rated as high and the likelihood is rated as medium. The resulting risk is therefore high.
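A worked example of the three analysis methods applied to register entries like the three described above, together with the cost-benefit comparison that quantitative analysis enables. This is added illustration code, not material from the course: the 3 x 3 matrix, the 1 to 3 scoring bands, the register contents, the owners, and every asset value, exposure factor and rate of occurrence are assumptions. Note that the assumed matrix rates a high-impact, low-likelihood risk as medium, so the segregation-of-duties entry lands at medium after treatment rather than the low the video quotes; which is the point that a matrix must be agreed before ratings are compared.

```python
"""Risk analysis and risk register helpers (added example, not course code).

Constructed sample data only; the matrix, scoring and figures are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("low", "medium", "high")   # qualitative scale; index + 1 gives the 1..3 score

# Assumed qualitative 3 x 3 matrix keyed by (impact, likelihood). It reproduces the
# two inherent ratings the video states: low/medium -> medium, high/medium -> high.
QUAL_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "medium",    ("low", "high"): "medium",
    ("medium", "low"): "medium", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_rating(impact: str, likelihood: str) -> str:
    """Qualitative analysis: look the pair up in the RAG-style matrix."""
    return QUAL_MATRIX[(impact, likelihood)]


def semi_quantitative_score(impact: str, likelihood: str) -> int:
    """Semi-quantitative analysis: 1..3 per axis, multiplied. The product is a
    priority for ordering only, not an absolute value (9 is not 'three times' 3)."""
    return (LEVELS.index(impact) + 1) * (LEVELS.index(likelihood) + 1)


@dataclass
class RiskEntry:
    ref: str
    asset: str
    description: str
    impact: str
    likelihood: str
    owner: str
    treatment: str = "none (tolerate)"
    treated_impact: Optional[str] = None        # None -> unchanged by the treatment
    treated_likelihood: Optional[str] = None

    def inherent(self) -> str:
        return qualitative_rating(self.impact, self.likelihood)

    def residual(self) -> str:
        return qualitative_rating(self.treated_impact or self.impact,
                                  self.treated_likelihood or self.likelihood)

    def priority(self) -> int:
        return semi_quantitative_score(self.impact, self.likelihood)


def prioritise(register: list) -> list:
    """Order the register highest semi-quantitative score first (stable for ties)."""
    return sorted(register, key=lambda r: r.priority(), reverse=True)


def needs_escalation(entry: RiskEntry, appetite: str) -> bool:
    """True when the residual risk still sits above the stated risk appetite, so the
    owner must consciously accept it and an exception must be recorded."""
    return LEVELS.index(entry.residual()) > LEVELS.index(appetite)


# --- Quantitative analysis: SLE = AV x EF, ALE = SLE x ARO -----------------------

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def control_net_benefit(asset_value: float, ef: float, aro_before: float,
                        aro_after: float, annual_control_cost: float) -> dict:
    """Cost of mitigating versus cost of accepting: a control is worthwhile when the
    ALE reduction it buys exceeds what it costs per year."""
    sle = single_loss_expectancy(asset_value, ef)
    before = annualized_loss_expectancy(sle, aro_before)
    after = annualized_loss_expectancy(sle, aro_after)
    net = before - after - annual_control_cost
    return {"sle": sle, "ale_before": before, "ale_after": after,
            "net_benefit": net, "worthwhile": net > 0}


# Constructed register mirroring the video's three entries (owners and the BCP
# likelihood are assumptions; the BCP owner tolerates the risk as in the final slide).
REGISTER = [
    RiskEntry("R1", "Website", "Pages reveal development environment details",
              "low", "medium", "Web service owner",
              "Ask developers to remove the metatags", treated_likelihood="low"),
    RiskEntry("R2", "Business continuity plan", "BCP not tested or updated regularly",
              "high", "medium", "Head of operations",
              "Tolerate: owner judges annual testing too costly"),
    RiskEntry("R3", "Production systems", "No segregation of administrator duties",
              "high", "medium", "IT director",
              "Vetting, split OS/database admin teams, independent audit log",
              treated_likelihood="low"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.ref} {r.inherent():>6} -> {r.residual():>6} (score {r.priority()}) "
              f"escalate={needs_escalation(r, 'medium')}  owner={r.owner}")
    print(control_net_benefit(500_000, 0.4, 0.5, 0.25, 30_000))
```

Running the script lists the register in priority order, shows that only the tolerated BCP risk still needs a recorded exception against a medium appetite, and prints a control comparison in which a £30,000-a-year control that cuts the ARO from 0.5 to 0.25 on a £500,000 asset (EF 0.4) pays for itself with £20,000 to spare; the same control at £60,000 a year would not.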
After the risk is analysed the appropriate action needs to be taken. This is known as risk treatment and there are four potential options:
· The risk can be accepted if it falls within the risk appetite of the organization;
· The risk can be modified or mitigated. This involves applying controls to reduce the risk to an acceptable level within the risk appetite of the organization;
· The risk can be transferred or shared – this is commonly achieved through insurance; and
· The risk can be avoided by stopping the activity causing the risk.
These four treatment options are also collectively known as the 4-Ts - Tolerate (to Accept), Treat (to Modify), Transfer (to Share) and Terminate (to Avoid).
Let’s go back to the three examples we looked at earlier and see how the risk treatment can be added to the risk rating.
Notice the two additional columns:
· Risk treatment, which has a brief description of the treatment or mitigation; and
· Treated risk, which shows the level of residual risk after the risk has been treated.
In the first example where the web pages are revealing too much information about the website’s development environment, the treatment is to contact the developers to remove the metatags. After this is done, the risk level is reduced to low.
The risk can’t be removed completely because the attackers might be able to work out what the development environment is without this information. However, the treatment of this risk has reduced it to an acceptable level.
Remember, if the residual risk is low then the treated risk can be accepted.
In the second example, the risk treatment involves annual testing of the business continuity plan. The organization has elected to avoid this risk entirely, which means the rating has dropped from high to non-existent, because it has put in place processes to monitor and ensure that annual testing happens.
We need to be careful here. The risk of the business continuity plans not working because they were never tested is now zero. However, there may be other reasons why they might fail to protect the business in the event of a disaster, and those remain separate risks to be identified and assessed.
In the third case, there are three methods that can be employed to treat the risk of administrators performing unauthorized activities.
The first method is procedural, where a level of security vetting is imposed on the administrators working on the systems. This is an appropriate option for Government agencies as most have access to a vetting department. Adding vetting into the HR process means that the administrators are less likely to be compromised by the threat sources. This reduces the risk rating to low.
The second treatment for this example is to have different administrators for different components of the system, for example, one team of administrators run the operating systems, and a different team runs the databases and applications. Many large organizations use this approach for dividing the risk across different groups in the IT department.
The third treatment is to have an independent auditing infrastructure controlled by a different set of individuals to those that administer the systems. All security-related audit information from operating systems, databases and applications can be forwarded to this auditing system.
If the administrators are aware of this and know their actions are audited, it should affect their behaviour. In the same way as vetting, the likelihood of this risk occurring is reduced to low.
There are many controls we haven’t covered here that could be implemented; some incurring more cost than others. The important point is to re-assess the risk after considering the mitigation actions to ensure the level of reduction has taken the risk to an acceptable level.
Finally, here are the two examples we’ve looked at as they might appear in a typical risk register.
You’ll see that columns for Comments and Risk Owner have been added.
In the first example the risk owner has stated that the cost of running annual testing is excessive, even though they understand that the risk remains at a rating of high and has therefore accepted the risk. This is a brave decision but valid if they have the authority to make this decision.
However, this illustrates the need to balance the cost of implementing security controls against the cost of potential losses. It requires the organization taking a conscious decision to accept the risk, which should be documented.
As we’ve seen, the appropriate level of authorisation is required if a risk is being accepted.
Unless the risk falls within the organization’s, or business unit’s, risk appetite, the owner of the data (who also owns the risk) should make the decision whether to accept the risk, as well as taking the responsibility for meeting the costs of mitigating it.
Sometimes, even after mitigation, a risk will be greater than the organization’s risk appetite but there may be compelling reasons to continue the related activity. In these cases, an exception needs to be entered in the risk register to indicate the risk owner’s acceptance.
Here, we can see the relationships between the different facets of risk assessment and management:
· Assets are subject to a loss of confidentiality, integrity and availability, as a result of threats and vulnerabilities;
· These result in business impacts which can be limited by security controls;
· Business impacts increase risks, while security controls reduce risks. Controls protect against threats that increase risk;
· Threats increase risk and so do vulnerabilities.
It’s worth going back to the ISO 27005 approach to risk management and assessment. This process involves continuous monitoring – new vulnerabilities will be discovered, new threats will emerge, and new assets will be acquired by the organization.
Throughout the process it’s important to keep stakeholders informed about the risk management decisions which affect them. This is especially relevant for the information asset owners, who are ultimately responsible for accepting the risk to their assets.
Risk can also be reduced through classification, which specifies how data and physical assets should be treated. Most organizations have a corporate information classification scheme and associated policy that explains its use.
In Governments throughout the world, classification schemes are used to label documents with protective markings, such as ‘official’, ‘secret’ and ‘top secret’. Commercial organizations often use markings like ‘company confidential’, ‘company sensitive’, ‘commercial in confidence’ and ‘personal’.
Markings aren’t only relevant for printed documents. They can also be applied to electronic documents, for example through document headers and footers.
Physical assets can also be protectively marked with a classification of ‘secret laptop’, or a removable hard disc marked as ‘confidential’. The policy might also state that all confidential removable media should be kept on the premises and secured in a locked cabinet when not in use.
Access to classified material is often restricted to individuals who have been vetted and have achieved the appropriate security clearance.
Here you can see the classification scheme and associated levels of clearance used by the UK Government:
· Developed vetting – or DV clearance – is for people needing regular access to ‘top secret’ material;
· Security check – or SC clearance – is for those needing regular access to ‘secret’ material and occasional access to ‘top secret’ material; and
· Baseline personnel security standard – or BPSS – is the basic pre-employment check required for all UK Government staff; it is the foundation for the clearances above rather than a clearance in its own right.
It’s worth noting that the ‘need to know’ principle also applies. If someone has ‘top secret’ clearance it doesn’t automatically mean that they have access to all material marked as ‘top secret’.
That’s the end of this video on risk management.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.