What is Risk Management?
- Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization's capital and earnings.
- Risks can come from various sources including uncertainty in international markets, threats from project failures (at any phase in design, development, production, or sustaining of life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
What is Expressing And Measuring Risk?
Assets:
- Assets in an organization are usually diverse. Because of this diversity, it is likely that some assets that have a known monetary value (hardware) can be valued in the local currency, whereas others of a more qualitative nature (data or information) may be assigned a numerical value based on the organization’s perception of their value.
- This value is assessed in terms of the assets’ importance to the organization or their potential value in different business opportunities.
- The legal and business requirements are also taken into account, as are the impacts to the asset itself and to the
Vulnerabilities:
- Vulnerabilities can be related to the physical environment of the system, to the personnel, management, and administration procedures and security measures within the organization, to the business operations and service delivery, or to the hardware, software, or communications equipment and facilities.
- Vulnerabilities are reduced by installed security measures.
Harm:
- The consequences of the occurrence of a security incident are a function of the likely impact the incident will have on the organization as a result of the harm that the organization assets will sustain.
- Harm, in turn, is a function of the value of the assets to the organization.
Impact:
- Impact is related to the degree of success of the incident. Impact is considered to have either an immediate (operational) effect or a future (business) effect that includes financial and market consequences. An immediate (operational) impact is either direct or indirect
- A direct impact may result because of the financial replacement value of a lost (part of) asset or the cost of acquisition, configuration, and installation of the new asset or backup, or the cost of suspended operations resulting from the incident until the service provided by the asset(s) is restored.
- An indirect impact may result because financial resources needed to replace or repair an asset would have been used elsewhere (opportunity cost), or owing to the cost of interrupted operations or to potential misuse of information obtained through a security breach, or because of the violation of statutory or regulatory obligations or of ethical codes of conduct.
Threats:
- Threats can be classified as deliberate or accidental.
- The likelihood of deliberate threats depends on the motivation, knowledge, capacity, and resources available to possible attackers and the attractiveness of assets to sophisticated attacks.
- On the other hand, the likelihood of accidental threats can be estimated using statistics and experience.
Risk:
- Information security risk “is measured in terms of a comibination of the likelihood of an event and its consequence.”
- Because we are interested in events related to information security, we define an information security event as “an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant
- Risk R is defined as the product of likelihood L of a security incident occurring times impact I that will be incurred to the organization owing to the incident: that is, R= L x I
