Back to Basics: Understanding Risk Concepts - WST

People often make judgements and decisions about risk. Modern technology environments are complex and pervasive – nearly everything we do at work relies on at least some piece of technology. Making sense of it all can seem daunting, especially from a risk management perspective. It can be beneficial to review some of the core concepts and terminology of risk management to maintain clarity.

So, let’s review some terminology:

Asset: An asset is anything used in an environment that should be protected. This can really be anything of enough value that warrants at least some level of protection. Hardware, software, networking equipment, customer data, internal data, facilities, personnel, business processes, vendor relationships – the list can be endless, and each organization is unique in at least some aspects. Which assets in your organization have the most value to the organization? Identifying the highest-value assets need to be focused on first. This can lead to a broader asset management conversation – for now, asset management is basically knowing and understanding what assets you have, and documentation supporting that knowledge and understanding.

Vulnerability: No asset is 100% perfect. Those imperfections are vulnerabilities. All assets can have vulnerabilities. Again, the range of vulnerabilities is extensive and broad. Vulnerabilities range from software issues that need to be patched, to broken business processes that need to be amended, to team members using unsafe security practices.

Threat: A threat exploits a vulnerability in an asset. Threats can be intentional or accidental, and they can be man-made or natural. A malicious actor writing malware to exploit a software vulnerability is an example of an intentional threat. Hard drive failure in a PC is an example of an accidental threat. A hurricane that would knock out power to an organization is an example of a natural threat.

Risk: The concept of risk ties the above factors together. Risk is the likelihood of harm to an organization due to a threat exploiting a vulnerability of an asset. Risk to an asset can be expressed like this: Risk = Threat x Vulnerability
OK – so, how does this overall risk concept work in practice? How is this used to reduce risk? The answer is controls.

Controls: Controls are anything used to reduce vulnerabilities and/or protect against threats. Controls can include technical actions, policies and procedures, additional training – you name it. Applying firmware updates to a firewall is an example of reducing vulnerabilities of that firewall. Restricting admin access to that firewall provides protection against the threat of unauthorized people accessing the firewall and making changes to it. Providing security training to staff members reduces the vulnerability of untrained users being susceptible to phishing attacks. Using strong email filtering services prevents (at least some) phishing emails from reaching user mailboxes.

There are many models of risk assessments, ranging from simple qualitative analysis processes to highly detailed quantitative risk analysis tools. We are not going to delve deep into the various models here. Regardless of your current method of risk assessment, keep the following takeaways in mind:

1. Know (and document) your assets. Whether you are using simple spreadsheets or automated systems management platforms, you need to know what assets you have first. You can’t assess vulnerabilities on an asset you don’t know about.
2. Work to stay abreast of applicable vulnerabilities and threats. Regular internal and external vulnerability scans of your environment help clarify vulnerabilities specific to your environment. Many organizations, such as US-CERT and InfraGard (and potentially others specific to your industry), can provide alerts to ongoing vulnerabilities and threats. Vendors that support critical assets for you may also have similar services. Again, knowledge is power.
3. Understand the controls you have in place, and also try to understand the “gaps” in your controls. In a perfect world, all risks are known and effectively controlled down to zero impact. Since that’s never the case, it is important that you understand the controls you have in place, and just as importantly, the controls that you don’t (or “can’t”) have in place. Regular monitoring and analysis of the effectiveness of the various controls helps you understand and reduce your risks.

Risk management is an ongoing process. To date, there’s no panacea that will take care of everything when it comes to risk – only continuous vigilance and dedication to your processes will be effective in reducing risk. The work is worth it. It’s like the adage says: an ounce of prevention is worth a pound of cure.