“Risk and Risk Tolerance are Business Decisions”
I have posted a couple of blog posts about the concept of Risk and the common wrong ideas about it, and we agreed that Risk is a business term, not an IT security term by any means. Risk is the likelihood of a business loss, and that loss can be financial, legal or even reputational.
We also agreed that IT security people need to understand both business and technology to deal with Risk: a lot of technology, plus enough business, finance and return on investment to hold the conversation. IT security people should provide business people with a business justification for applying security controls, and spell out the business impact (loss) of not applying them.
“You need to understand the business to deal with Risk”
I recommend that you read the previous blog post to get a quick overview of what this blog series is trying to cover. You cannot walk up to a business and say you want to implement an antivirus solution only because you think they should. The people who write the checks are business people, and they need business justifications. They will agree with you once you show them how the business will lose money by not having antivirus. This is how you should deal with Risk.
Moving forward, Risk and Risk Tolerance are pure business decisions. In other words, the business decides the risk tolerance and which risks it accepts. So in order to deal with risk, you need to know how the business makes money. The more you know about the business and its profit, the easier it is to sell security to the boss or owner. Security is the biggest selling game you have to master, and Risk Management is your tool.
Think about this. If you buy a new computer, your boss or owner will understand spending 1,000 dollars because they can picture an employee sitting there doing their job. If you build a web site for 5,000 dollars, business people will understand that because they can see it. Computer security, on the other hand, has an outcome but nothing you can see or touch, which is why you need to understand the business and provide business justifications through a risk assessment. After all, Security Management is simply paying money for nothing to happen.
Keep in mind also that Risk Management and Computer Security are not one-time practices. You cannot bring someone in from outside to “secure” your network and then wave goodbye because the environment is now secured. The same goes for Risk Management: as the business changes, every change brings new risks along the way. Below are the fundamental steps for handling Risk.
1. Know the assets that matter most to the business
To start handling Risk, the first thing to do in the assessment is to figure out which assets matter the most to the business (trade secrets, contact information, and so on). It is very common that what you, as a security expert, think is valuable to the business is not what is actually valuable to the business. You may visit a company, see impressive servers and SQL databases, and think “those databases are the most important asset; that is where I have to invest time and money”, while all that matters to the business is its contact information sitting on a separate file share. For that business, losing the contact information means they are out of business.
2. What are the threats to those assets?
After identifying what matters to the business, you can move on and ask yourself: “Now that I know the important assets, what are the possible threats to them?” Threats are simply the forces that can be considered sources of danger: natural disasters (floods, earthquakes), human mistakes and carelessness (accidentally deleting a file), or simply an attacker who breaks into your systems.
Remember that each business faces a different set of threats. A certain threat can be a big deal for one business and completely ignored by another. For example, online attacks are a big threat for a business with an online presence, while the same threat can be ignored by a business without one.
Threats can be ranked (High, Medium, Low). If you live in a safe neighborhood and someone comes to sell you a 5,000 dollar home security system, you probably will not buy it, because the danger (threat) of being robbed in that neighborhood is low.
If you live in a neighborhood with a lot of crime, you know the possibility of being robbed is high (the threat is high), so you may consider buying that expensive home security system after all. Since Risk is calculated as Threat times Vulnerability, the likelihood of a threat directly changes the value of the associated Risk.
3. How well are they protected?
After that, look at how vulnerable (how lacking in protection) the systems are against those threats. Remember that Risk is measured as Threat x Vulnerability, so if both the threat and the vulnerability are high, you have a big risk.
If, for example, the building where all the servers are located is in a flood area and the server room is on the first floor, then the threat is high (there is a real possibility of floods in the area) and the vulnerability is high (the server room is on the first floor). This indicates a high risk.
If the server room is on the first floor (high vulnerability) but the building is not in a flood area (zero threat), then the risk can be considered zero even though the vulnerability is high, because anything times zero is zero.
4. Does the business care?
Finally, put all of this together by adding the business impact and the justification. It is not rocket science after all. You can say something like: “We think we should invest 10,000 dollars moving the server room to the third floor, because there is a big risk of a flood taking down the servers. The downtime would cost the business 15,000 dollars, so it is worth it.” There you go; you can sell it that way. Remember, this is a business exercise, and you should provide the business justification and the possible loss to the business. It is like selling any item: you list the benefits of the item and how bad things will be without it.
If the Threat is high (you live in a neighborhood with a lot of crime, so the threat of being robbed is big) and the Vulnerability is high (your house is not well secured), you may think that since Risk = Threat times Vulnerability, the Risk must be high. Well, there is a missing piece: “does the business care?” Is there a business impact or loss from this danger? In our example, your house may be empty or contain nothing important, and you do not actually care if it gets robbed. The same goes for business: you may be evaluating the danger of someone stealing money from the corporate cafeteria, which happens to be vulnerable to theft, but the business really does not care about it. Although both Threat and Vulnerability are high, the Risk is low, because the full equation is Risk = Threat x Vulnerability x Business Impact, and a zero impact drives the risk down just as a zero threat does.
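The four steps above fit in a small risk register, which is how I usually hand the result to the business. The script below is an added example written for this post, not code from anywhere else; the 0-3 scale for each factor and every asset, dollar figure and control cost in it are constructed from the scenarios in the text, not real numbers. It scores each asset as Threat x Vulnerability x Business Impact, ranks the register, and turns the score into the dollar comparison that actually sells the control.

```python
from dataclasses import dataclass
from typing import List

# Qualitative levels for the three factors. The 0-3 scale is an assumption
# made for this example; the property that matters is that a "none" in any
# factor multiplies the risk down to zero.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
MAX_LIKELIHOOD = LEVELS["high"] * LEVELS["high"]  # threat x vulnerability at their maximum


@dataclass
class RiskItem:
    asset: str
    threat: str             # step 2: how likely is the dangerous event?
    vulnerability: str      # step 3: how exposed is the asset to it?
    impact: str             # step 4: does the business care if it happens?
    loss_if_realised: float  # dollars the business says it would lose (constructed)
    control_cost: float      # dollars the proposed control costs (constructed)
    control: str

    def score(self) -> int:
        """Risk = Threat x Vulnerability x Business Impact, on a 0-27 scale."""
        return LEVELS[self.threat] * LEVELS[self.vulnerability] * LEVELS[self.impact]

    def likelihood(self) -> float:
        """Threat x Vulnerability squeezed into 0..1 so it can scale dollars."""
        return LEVELS[self.threat] * LEVELS[self.vulnerability] / MAX_LIKELIHOOD

    def expected_loss(self) -> float:
        """The dollar figure you put in front of the boss."""
        return self.likelihood() * self.loss_if_realised

    def control_justified(self) -> bool:
        """Spend the money only if the expected loss exceeds the control's price."""
        return self.expected_loss() > self.control_cost


# Constructed register built from the scenarios in the post.
REGISTER: List[RiskItem] = [
    RiskItem("server room, first floor, building in a flood area",
             "high", "high", "high", 15_000, 10_000, "move server room to third floor"),
    RiskItem("server room, first floor, no flood history in the area",
             "none", "high", "high", 15_000, 10_000, "move server room to third floor"),
    RiskItem("cash box in the corporate cafeteria",
             "high", "high", "none", 0, 500, "lockable cash drawer"),
    RiskItem("customer contact list on the file share",
             "medium", "high", "high", 200_000, 2_000, "nightly off-site backup"),
    RiskItem("SQL databases that security assumed were the crown jewels",
             "low", "low", "medium", 20_000, 30_000, "database activity monitoring"),
]


def rank(register: List[RiskItem]) -> List[RiskItem]:
    """Highest risk first; the business reads this list top-down."""
    return sorted(register, key=lambda r: (r.score(), r.expected_loss()), reverse=True)


def justified_controls(register: List[RiskItem]) -> List[str]:
    """Controls whose expected loss avoided is larger than their price tag."""
    return [r.control for r in rank(register) if r.control_justified()]


def business_case(item: RiskItem) -> str:
    """Phrase the result the way the post suggests selling it."""
    verdict = "fund" if item.control_justified() else "accept"
    return (f"{item.asset}: risk {item.score()}/27, expected loss "
            f"${item.expected_loss():,.0f} vs control cost ${item.control_cost:,.0f} "
            f"-> {verdict} ({item.control})")


if __name__ == "__main__":
    for item in rank(REGISTER):
        print(business_case(item))
```

Two rows are the point of the exercise: the server room with no flood history scores zero despite its high vulnerability, and the cafeteria cash box scores zero despite a high threat and high vulnerability, because the business put no loss figure on it. The contact list on the file share, which security ignored in favour of the SQL databases, comes out second only to the flood scenario, and its backup pays for itself many times over.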
In summary, do not assume which assets the business considers valuable; instead, ask the business which assets or services matter most to it. This is the turning point when dealing with Risk. From there, start investigating what the possible threats to those assets are and what the vulnerabilities are. Remember that Risk = Threat x Vulnerability x Business Impact, and a zero in any factor brings the risk to zero. Finally, come up with a business justification for the security outcome and the business cost (possible loss) of not doing it. The more dollar signs you put into the final equation, the easier everyone can digest your analysis.