Module 2 - Information Risk Management
This Course provides a strong risk management foundation by initially investigating what risk is and how it affects an organisation. It then looks at managing risk through a detailed review of the four stages of the risk management lifecycle, before identifying risk analysis approaches and providing some helpful risk register examples.
The objectives of this Course are to provide you with and understanding of:
- What risk means, how it arises and the likelihood of it impacting an organisation
- The effect big data, the Internet of Things and social media have on the risk landscape
- Management techniques used by organisations to understand the risks they face
- Risk treatment and risk reduction methods
- The risk management lifecycle, illustrating how risks are identified, analysed, treated and monitored
- Qualitative and quantitative methods of risk analysis
- How assets can be classified to help manage risk
This Course is ideal for members of information security management teams, IT managers, security and systems managers, information asset owners and employees with legal compliance responsibilities. It acts as a foundation for more advanced managerial or technical qualifications.
There are no specific pre-requisites to study this Course, however, a basic knowledge of IT, an understanding of the general principles of information technology security, and awareness of the issues involved with security control activity would be advantageous.
We welcome all feedback and suggestions - please contact us at email@example.com if you are unsure about where to start or if would like help getting started.
Welcome to this video on understanding risk.
Risk is a fundamental aspect of information management and it’s important you know the basic concepts to be able to manage it.
This video will provide a foundation by defining what risk means, how it arises and the likelihood of it impacting an organization. We’ll also look at the effect big data, the Internet of Things and social media have on the risk landscape. Finally, we’ll look at some of the management techniques used by organizations to understand the risks they face, including Business Impact Analysis and threat intelligence, before briefly looking at risk treatment and risk reduction methods. The first thing we need to do is understand what risk means in relation to information security.
The ISO27000 standard defines risk as simply:
‘The effect of uncertainty on objectives.’
However, it goes on to explain that risk is usually expressed as ‘a combination of the consequence and likelihood of a security incident’ – which means something bad happening.
So, let’s go into that a little bit further and investigate how risk arises.
A vulnerability – or weakness – in a system is used to create an incident, which is an event with negative security consequences. The way the vulnerability is used is referred to as the exploit. The exploit is often a piece of software – known as exploit code – which is designed to compromise the system. However, it could also be an action, or sequence of actions carried out by a person.
The potential for a vulnerability to be exploited is known as a threat. The threat is realized by a threat agent. If the threat agent is a person (or group of people) then they’re referred to as threat actors. If the threat agent is not human, for example a hurricane or earthquake, the term hazard is generally used.
There are two other important aspects of an incident – the damage it causes, which is known as the consequence or impact and how often it occurs, which is referred to as the likelihood or probability. Risk is generally expressed as a combination of consequence and likelihood.
Sometimes, particularly in the public sector, the term threat source is used. A threat source is the origin of the threat, such as a country, an organization – for example a foreign intelligence group or terrorist cell – or an individual. This is the entity that wants to breach security and benefit from the outcome.
As we’ve seen, a threat actor is a specific person, or group of people, who carry out an attack. For example, a hacker is a threat actor and the crime organization they represent is the threat source. In some situations, the threat actor and the threat source are the same.
To recap, a threat is anything that could cause harm by tampering, destroying, compromising or interrupting any service or item of value, such as data.
Threats can originate from human actors, for example:
- Organised criminal gangs
- Nation states
- Disgruntled staff
- Industrial spies
Non-human threats are often referred to as hazards and could include:
- Electrical supply issues
A threat must be realistic and should have occurred somewhere before. So, an alien invasion isn’t really a threat. However, if a building is located next to a flood plain, then it could easily be impacted by a flood. Threats need to be understood and credible to be worth considering.
As well as being categorised as external or internal, threats can be grouped as accidental or deliberate. An example of an external-accidental threat might be a telecoms engineer digging to locate some cables, accidentally cutting through the power supply. If there’s no backup power generator for the data centre, the business will go offline. An example of an internal-deliberate threat could be a disgruntled staff member threatening to steal confidential organizational information. Threats can be classified in different ways. Whatever method you use, it should be consistently applied.
Information risk is the likelihood that a threat will exploit a vulnerability which then leads to a business impact. The level of risk depends on the likelihood of the weakness being exploited.
Vulnerabilities can be categorised as general or information-specific.
Examples of general vulnerabilities include:
- Lack of physical controls, such as adequate locks or building security guards
- Lack of pre-employment checks to validate how trustworthy new employees are
Information specific vulnerabilities include:
- Running software on a computer system without the latest security patches
- Using a website without firewall protection
- Running a PC without up-to-date anti-virus software, risking exposure to viruses
So, a vulnerability is a weakness that could either be related to technology, people or processes.
If a vulnerability is successfully exploited, the impact – or consequence – can affect individuals, the whole organization, or both. For example, when Lehman Brothers collapsed, the impact caused the organization to close which resulted in many employees losing their jobs.
We’ve seen that information risk is the likelihood that a threat will exploit a vulnerability, which then leads to a business impact. So, likelihood relates to the probability of a threat exploiting a vulnerability. There are two approaches to calculating likelihood – quantitative and qualitative.
- Quantitative calculations are based on recorded metrics which is often statistical data based on historical information. For example, the probability of a group of drivers having an accident or a power outage occurring in a specific area
- Qualitative calculations are required when there are no firm evidence or metrics and the assessment is subjective. For example, an expert making an educated guess based on their experience and understanding
The assessment of risk for a threat is a function of the impact and the likelihood that the threat occurs. This is known as the risk equation.
Risks should not be considered in isolation of everything else going on around them. Sometimes there will be side effects that result in the risks increasing.
Consider this…a system has a vulnerability because it doesn’t enforce a password policy; users can select any password length and complexity, so passwords are typically weak and easily cracked.
Alice, who works in HR, is responsible for creating new computer accounts. She has a weak password. Bob, a hacker, knows about the vulnerability and decides to break into Alice’s account. The impact of this is that Bob could look at the HR records of other employees in the organization while the audit trail registers the activity as being from Alice’s account. This would be high impact and has a high likelihood of occurring. As a result, the risk is high. Also, by breaking into Alice’s account, Bob can now create any number of bogus accounts on the system, which is also high risk to the organization. As you can see from this example, a single vulnerability can result in multiple risks.
A Business Impact Analysis – or BIA – is the process of analysing a business function and assessing the effect that a business disruption might have on it. It’s used to estimate the impact that the loss of confidentiality, integrity or availability presents to an organization should a risk be realised.
Risks are associated with assets and, as we’ve seen, are a function of threat, vulnerability, impact and likelihood.
Threat management is a term used to categorise a variety of security technologies. These work together to counter the range of threats that might attack the endpoints, gateways, and information in the cloud or on user devices.
Some vendors call this unified threat management, or UTM. However, this term can mean different things to different vendors.
For an information security manager, threat management is the strategy for managing the threats an organization faces. As we know, threats come from a variety of external threat actors, such as criminals and foreign nation state groups, all of which will use a wide range of attacks and exploits to break into a network. These threats might also target different aspects of the business, including the endpoints, servers, networks or even employees interacting with social media systems.
A threat management strategy needs to consider external actors and internal actors, like existing employees who unintentionally or maliciously harm the organization. Threat management is different to risk management because motivation isn’t important to the threat manager, providing sophisticated or unlikely threats are not ignored simply because the risk is low.
Threat intelligence is part of threat management.
Cyber threat intelligence is where feeds of information from sensors, researchers and systems are used to better understand the actors, threats and the threat landscape that might affect an organization. Bear in mind though, that information is not intelligence – raw information must be understood in the context of the situation to contribute to the intelligence process.
Cyber threat intelligence requires the analyst to understand how the threat actors operate and use knowledge of their tradecraft to understand their means, motivations and intent. This helps them make sense of the information from the network and information security-related sensors.
Ultimately, cyber threat intelligence helps to identify where to focus cyber defense efforts, while providing evidence to justify why efforts are being focused on a specific part of the organization’s infrastructure.
Now, let’s look at some other areas that create security risks for an organization – big data, the Internet and social media.
Big data is a term used to describe extremely large volumes of rapidly changing structured and unstructured data.
In the context of information security, the amount of data coming from sensors, event logs, systems, threat intelligence sources, cloud systems and user devices, is vast. Much of this can be used in threat management, but with the data sets being so massive, special tools and approaches are used to help make sound decisions and create strategic security plans.
In cyber security terms, the volume of data isn’t as important as how it’s used. Security technologies used in threat management can contribute to better risk management and a reduction in remediation time.
When cyber security threat intelligence and high-powered analytics are combined, a variety of cybersecurity tasks can be accomplished, including:
- Determining root causes of security failures, issues and defects in as close to real time as possible
- Recalculating risk mitigation strategies
- Detecting fraudulent behaviour before it affects the organization
The Internet of Things (IoT) relates to the connection to the internet of a vast range of physical devices, vehicles, buildings and other items. These devices all contain embedded electronics, software, sensors, actuators, and network connectivity that allow them to collect and exchange data.
As you know, cars, medical devices, televisions, fridges and even microwave ovens have internet connectivity, allowing manufacturers to provide value added services based on interactions with online systems. From a cyber security perspective this means that the attack surface – the extent of the exposure to attackers – is growing all the time.
However, manufacturers may have little experience of delivering Internet connected systems and can overlook some basic security precautions.
The Internet of Things Security Foundation was established in 2015 to promote knowledge and best practice for manufacturers to help address some of these security concerns.
Social media has also created major security risks.
These stem from the lack of control the organization can have over their own social media presence – one bad post or hack of a poorly configured management platform can have a negative impact on their reputation.
Attackers have been known to monitor what’s being said about their targets, then use the information from platforms like Twitter, Facebook and LinkedIn to help them develop a profile from which to carry out targeted campaigns. Hackers can identify very specific details about decision makers and executives and use this in sophisticated social engineering attacks.
A social media policy is essential to help control the information flow from an organization and provide the foundation for monitoring the activities of employees.
Having looked at the identification, likelihood and impact of risks, let’s move on to look at how a risk can be treated to either eliminate it or to reduce it to an acceptable level.
Before a risk is treated, it’s known as an inherent risk. After treatment, the risk is referred to as a residual risk.
The main treatment options are as follows:
- Modify, mitigate or reduce
- Transfer or share
- Avoid or terminate the activity causing the risk
- Accept or tolerate the risk
We’ll look at each of these in more detail in the next video.
The measures put in place to reduce risk are known as controls. There are three primary types of control:
- Administrative or procedural controls which include policies and procedures
- Technical controls which usually involve IT, firewalls and password authentication
- Physical controls like gates and walls
There are some overlaps here, for example a door-entry mechanism (a physical control) can be controlled by an IT system (a technical control) which records who entered and left.
Controls can also be distinguished by what they do:
- Directive controls tell people what to do, for example an Acceptable Use Policy
- Detective controls detect activity, for example an audit
- Preventive controls stop certain activities, for example a firewall
- Corrective controls correct for some failures, for example a backup generator
- Restorative controls restore systems to normal functionality, for example a backup and restore system
- Deterrent controls try to stop an activity happening, for example a prominent CCTV camera
- Compensating controls are put in place to compensate for one of the other controls which may not be available
There can be an overlap here, for example a CCTV camera may deter as well as detect.
The course syllabus only explicitly mentions the first four of these controls. However, the others are widely referred to in information security and are worth knowing.
That’s the end of this video on understanding risks.
Fred is a trainer and consultant specializing in cyber security. His educational background is in physics, having a BSc and a couple of master’s degrees, one in astrophysics and the other in nuclear and particle physics. However, most of his professional life has been spent in IT, covering a broad range of activities including system management, programming (originally in C but more recently Python, Ruby et al), database design and management as well as networking. From networking it was a natural progression to IT security and cyber security more generally. As well as having many professional credentials reflecting the breadth of his experience (including CASP, CISM and CCISO), he is a Certified Ethical Hacker and a GCHQ Certified Trainer for a number of cybersecurity courses, including CISMP, CISSP and GDPR Practitioner.