Introduction – the wrong and right
The wrong thing
Why do IT people and security specialists need to know and study the art of Risk, Risk Assessment and Risk Analysis?
Why does every security exam like CISSP dedicate a whole section to “Risk”? Who really cares? Why not just do your homework, implement some security best practices and hope nothing bad happens?
Have you ever asked business people to spend a couple of thousand dollars on security products? When they asked why, did you answer “Well, to prevent hackers and secure the systems!”?
I can imagine the look on the faces of the business people who write the checks; the last thing they care about is spending money on something they cannot see or understand. If you asked them to write a check for laptops, they might agree, because they can picture a person using that laptop to do his work; laptops are physical assets after all. When you start talking about securing the systems, do not expect business people to ever understand this. Usually business people could not care less about security until they get attacked heavily.
Think about this: if you are in a small organization with a couple of sales people and 2000 dollars of profit daily, and you have a couple of servers sitting in the kitchen because you do not have a server room, then you cannot go to your boss asking for an IDS that costs 50,000 dollars in order to implement detection countermeasures. If you understand your business and its profit, and study the risks, an IDS could be the last thing to consider at this point.
The right thing
Now, if you go to your boss telling him that you need to build a server room to put all the servers in because it is more secure that way, he may or may not agree with you. Instead, tell him “We need to spend 5000 dollars building a server room; not doing that may allow anyone to steal the servers from the kitchen and stop the business for a couple of days”. Since the business makes 2000 dollars of profit per day, it makes sense to invest in a 5000 dollar server room because the business impact of not doing so is bigger.
“Security people need to understand the business and how to speak to business people, and to justify their security countermeasures by speaking about the likelihood of business losses (Risk) if they do not purchase or implement security systems”.
Security specialists cannot just go and implement random security solutions (think about the IDS in the previous example). Instead, they need to understand the business and what can cause it to lose (Risk), and use that as the driver for implementing security measures (Risk Mitigation). So let us talk more about “Risk” from that perspective.
Risk is a business thing?!!
First of all, remember that “Risk” is simply a business concept. It was invented for businesses to talk about their potential loss, whether financial loss or another type of loss. Risk is not an IT concept at all. Keep this in mind always.
A business can be at risk when merging with another company (financial loss), or it can be at risk if it loses its secrets (legal loss). A business can also be at risk if its servers go down (financial loss; think about the Facebook site going offline for a couple of hours).
Risk is defined as the likelihood of the business losing something. For example, you can say that the business is at great risk of losing all its assets if an earthquake hits the building, or that the business is at great risk if its medical information gets published.
Since Risk is a business concept, why should I learn about it? Well, IT and Risk intersect when IT security people start talking about the security solutions that should be in place to protect the business from loss. So you can say “what will happen if a server goes down because of a virus, for example, and how much money will this cost the business?” This simply justifies your need for an antivirus solution.
For you as an IT guy, risk relates to you when the business loses something because your systems went down or were attacked. Loss can come from different sources:
- Downtime: when your system goes down because of viruses, DoS attacks or any other reason. This downtime can cause the business some kind of loss, thus putting it at risk.
- Legal issues: for example, if someone hacks into your medical database and pulls medical information about people, the hacker may not get money and you may not lose money, but you will have many legal issues to deal with because your database is compromised. This is another type of loss that puts the business at risk.
- Trade secrets: information disclosure will cause the business financial loss or lost customers, thus putting the business at risk.
What is Risk for IT Security then?!
People have different ways of understanding how risk is measured and evaluated. I am comfortable with a particular way, which I will try to explain here:
Risk = Threat x Vulnerability
So the likelihood of loss equals how high the threat is times how vulnerable my business is to that threat.
Do not think of this numerically, by saying for example that the threat is 40 and the vulnerability is 10 so I will have Risk = 400 or so. It does not work this way.
Instead, think about it in terms of High, Medium and Low. So if both threat and vulnerability are high, then I will have high risk. If both are low, then I will have low risk.
If I am worried about online attacks and my business has an online presence, then there is a threat, and because hackers always target online websites, the possibility of being attacked by a hacker is high, and thus the threat from hackers is high. Now if I do not have firewalls and antivirus, then I will be vulnerable to that threat, so my vulnerability is high, and thus the risk is high. If I happen to have a good firewall and antivirus solution, then my vulnerability is low, so the risk from hackers could be medium because the threat is still high.
What you can notice easily from this equation is that anything times zero equals zero. So if either the threat or the vulnerability is zero, then the risk is simply zero. Let me explain more: if we are to evaluate the risk of earthquakes to a business located in a place that does not have earthquakes, then it is not logical to implement any countermeasures against earthquakes, because the threat (the danger) is zero, and therefore the risk is zero too. No matter how vulnerable your business is to earthquakes, it does not matter.
Also, if you have many countermeasures and security controls in place against online hacking, then your vulnerability to online hackers is zero, and the risk is zero no matter how high the threat is.
Finally, IT security specialists should study the concept of business risk and how to mitigate those risks by implementing security solutions. Knowing what causes the business to lose money or reputation should be your driver when deciding what to protect, or what to protect most.
Studying the types of threat that the business can face is very important. Each business has different types of threats. A certain threat can be a big issue for one business but can be ignored by a different business. A company without an online presence will care nothing about online attacks, for example. Knowing the business will give you a clear picture of the types of threats, and thus of the risks, the business can encounter. Keep this in mind.
Also, it is not practical to implement security solutions just because you think so. Why implement a complex IDS on workstations when the business may not be affected if those workstations are down? Maybe the business is using web servers with static content, and bringing all those servers down will not affect the core business, so the impact of that risk can be ignored and you should not focus on securing those servers.
Risk assessment also controls the IT security budget, by making sure the money is spent on protecting the business’s most valuable assets and on the things that would cause big damage to the business.
Risk assessment, from my point of view, is like a compass: it calculates danger times protection, asks the business whether it cares, and finally directs security efforts accordingly.
RISK ASSESSMENT = COMPASS
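As an added example (not from the original post), here is the qualitative Threat x Vulnerability rating and the compass idea written out as code: the zero rule, the High/Medium/Low combination, and a final filter on whether the business cares. The post only fixes the corner cases (both high, both low, high threat with low vulnerability gives medium), so the rounding rule for the other mixed levels and the scenario list are my assumptions.

```python
"""Qualitative risk rating in the post's Threat x Vulnerability style."""
from enum import IntEnum
import math


class Level(IntEnum):
    NONE = 0    # the "anything times zero is zero" case
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def risk_level(threat: Level, vulnerability: Level) -> Level:
    """Combine qualitatively, not numerically.
    Either side NONE -> NONE; equal levels -> that level; mixed levels ->
    round the average up (conservative choice; an assumption, not from the post).
    HIGH threat + LOW vulnerability -> MEDIUM, matching the firewall example."""
    if threat == Level.NONE or vulnerability == Level.NONE:
        return Level.NONE
    return Level(math.ceil((threat + vulnerability) / 2))


def prioritize(scenarios):
    """scenarios: (name, threat, vulnerability, business_impact) tuples.
    Drop zero-risk scenarios and anything the business does not care about,
    then order the rest highest risk first so budget goes to the top entries."""
    rated = []
    for name, threat, vuln, impact in scenarios:
        level = risk_level(threat, vuln)
        if level == Level.NONE or impact == Level.NONE:
            continue  # earthquake-free region, or servers nobody depends on
        rated.append((name, level, impact))
    return sorted(rated, key=lambda r: (r[1], r[2]), reverse=True)


# Constructed scenarios echoing the post's own examples.
SCENARIOS = [
    ("web shop without firewall/antivirus", Level.HIGH, Level.HIGH, Level.HIGH),
    ("web shop with good firewall/antivirus", Level.HIGH, Level.LOW, Level.HIGH),
    ("earthquake, region with no earthquakes", Level.NONE, Level.HIGH, Level.HIGH),
    ("static web servers nobody depends on", Level.MEDIUM, Level.MEDIUM, Level.NONE),
    ("servers kept in the kitchen", Level.MEDIUM, Level.HIGH, Level.HIGH),
]

if __name__ == "__main__":
    for name, level, impact in prioritize(SCENARIOS):
        print(f"{level.name:6} risk, {impact.name:6} impact: {name}")
```

Only three of the five constructed scenarios survive the filter, which is the point: the earthquake and the static servers cost nothing to "protect" because either the threat or the business impact is zero.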