C-note: What is Your Risk Assessment Worth?
By John Rostern, Managing Director, Coalfire
A risk assessment provides your organization with a tool to determine how, where and how much to invest in controls and security over technology. It also serves to document the risk acceptance policy of your organization as the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI, among others. The risk assessment plays a key role in internal processes such as business continuity planning, internal audit planning and overall enterprise risk management. This has led, in many cases, to the risk assessment becoming a ‘check the box’ item. Risk assessment you ask? Yep, I have one of those. However, an inadequate risk assessment may be preventing your organization from developing and executing an effective information security and technology risk management strategy.
There are many historical examples of the impact a bad risk assessment can have. For example, after World War I, the French invested in a line of fortifications on the border with Germany and Italy. Fearing a repeat of the last war, French Minister of War Andre’ Maginot designed and built a series of fixed artillery emplacements and tank barriers all facing the enemy. However, history tells us that while Maginot correctly identified the source of the risk, (Germany), he assumed the next war would be fought the same way as the last. Maginot failed to properly assess the current threats and vulnerabilities he faced, which led to the defeat of France when the German army performed an end-run and attacked France from the north instead of the east (the guns were literally pointed the wrong way!). His perceived ‘risk’ was improperly supported, which led to a massive investment in a defensive line that was ultimately ineffective.
Had Maginot studied risk assessment, he would have realized that risk (R) is the product of threat (T) and vulnerability (V), sometimes expressed as T x V = R. Properly described, Risk is the combination of the impact and likelihood of an event that impacts the mission, functions, image or reputation of an organization. Overall Risk to the organization/entity is the sum of all of the risks described in their Risk Catalog that represents the portfolio of relevant risks. Following this process can help your organization to build appropriate controls and avoid an outcome similar to Maginot. The overall process for a comprehensive risk assessment may be summarized in the following steps:
- Develop a Threat Catalog describing the universe of applicable risks.
- Determine the Relevance and Impact of each Threat to produce the Threat Value;
- Examine the Vulnerabilities and Pre-Disposing Conditions to determine the value for Vulnerability;
- Determine the Inherent Risk as the product of Threat and Vulnerability;
- Apply the Risk Treatment process applicable to the organization to the Risk Catalog and determine which risks will be Mitigated in the Controls Environment;
- Based on independent testing, determine the Design and Operating Effectiveness of the Controls Environment;
- Subtract the Controls Value from the Inherent Risk to determine the Residual Risk; and
- Compare the Residual Risk, both in aggregate and for each individual risk, to the Risk Tolerance of the organization.
This disciplined approach will provide insight into allocation of resources and the alignment of controls with the risks to the core business of the organization.