Risk Analysis – SY0-601 CompTIA Security+ : 5.4

There are many different ways to evaluate risk. In this video, you’ll learn about risk heat maps, audit risk models, risk awareness, and more.


If you’re working on a large project, then you probably have a project plan and you should consider creating a risk register to go alongside that project plan. This would allow you to identify any significant risks associated with the project at every single step, and you may have some possible solutions that could get you through any of those risky situations. This also allows you to monitor the results so that you can tell what impact that risk had on the overall project.

You might even want to quantify this with a risk matrix or what we call a risk heat map. This allows you to visually determine the risk assessment and you can see how risky something might be based on the color of the risk matrix. This allows you to combine the likelihood of an event with the consequences of that event and you can use these same scales to compare different events to each other.

There’s not only a color component associated with this heat map, but there are also quantitative values. If you’re evaluating an event that is likely and the consequences of that event are major, it meets the extreme qualification, which is not only red but also has 16 points associated with it. If the event is almost certain and has catastrophic consequences, it is also extreme and marked red, but you can see it has a higher point value of 25.
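The heat map described above can be reproduced as a small scoring model. This is an added example, not code from the original video: the five-step likelihood and consequence scales and the colour bands are assumptions, chosen so that the two cases the text gives come out as stated (likely/major scores 16 and is extreme/red, almost certain/catastrophic scores 25 and is extreme/red). The example also ranks several constructed events on the same scales, which is how the matrix is used to compare events to each other.

```python
"""Risk heat map (risk matrix): likelihood x consequence.

Added example, not code from the original video. Scales and colour bands
are assumptions; only "16 and above is extreme/red" is fixed by the text.
"""

# Ordinal scales, 1 (lowest) to 5 (highest). Labels are assumed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Assumed score bands: (lowest score in the band, rating, heat-map colour).
BANDS = [
    (16, "extreme", "red"),
    (10, "high", "orange"),
    (5, "medium", "yellow"),
    (1, "low", "green"),
]


def risk_score(likelihood: str, consequence: str) -> int:
    """Combine likelihood and consequence into one score (their product)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rate(score: int) -> tuple[str, str]:
    """Map a score to its (rating, colour) band."""
    for lowest, rating, colour in BANDS:
        if score >= lowest:
            return rating, colour
    raise ValueError(f"score out of range: {score}")


def rank_events(events: dict[str, tuple[str, str]]) -> list[tuple[str, int, str]]:
    """Score named events on the same scales and return (name, score, rating),
    highest score first, so they can be compared to each other."""
    rows = []
    for name, (likelihood, consequence) in events.items():
        score = risk_score(likelihood, consequence)
        rows.append((name, score, rate(score)[0]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def render_heat_map() -> str:
    """Plain-text 5x5 matrix: rows are likelihood (highest first), columns are
    consequence, each cell shows the score and the colour's initial letter."""
    cols = list(CONSEQUENCE)
    lines = [" " * 16 + "".join(f"{c[:6]:>8}" for c in cols)]
    for name, _ in sorted(LIKELIHOOD.items(), key=lambda kv: -kv[1]):
        cells = []
        for c in cols:
            score = risk_score(name, c)
            cells.append(f"{score:>5}{rate(score)[1][0].upper():>3}")
        lines.append(f"{name:<16}" + "".join(cells))
    return "\n".join(lines)


# Constructed events for the comparison; not from the text.
EXAMPLE_EVENTS = {
    "laptop theft": ("likely", "minor"),
    "ransomware outbreak": ("possible", "major"),
    "data center flood": ("unlikely", "catastrophic"),
}

if __name__ == "__main__":
    print(render_heat_map())
    for name, score, rating in rank_events(EXAMPLE_EVENTS):
        print(f"{name:<22} {score:>3}  {rating}")
```

Because the score is a product, the bands are not evenly spaced on the grid; if your organization's matrix uses different cut-offs, change `BANDS` rather than the scoring function.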

Inherent risk is risk that exists in the absence of security controls. This means that without putting anything else in place there would be a certain amount of risk that we would undertake. In some models that describe inherent risk, you would also include your existing security controls to then determine what your inherent risk might be.

Residual risk is when you take the inherent risk that exists and combine it with the effectiveness of your security controls. You can think of inherent risk as the risk you would take by connecting your organization to the internet without having any type of firewall in place. So once we connect to the internet, we add a firewall to provide additional security controls, and that would then allow us to calculate a residual risk. Some models of residual risk also include additional security controls that you would add on top of what may already exist.

And the risk appetite describes how much risk an organization may be willing to take. So an organization that would like to connect to the internet does not have the appetite to do that if a firewall is not in place. Once the firewall is in place the risk is decreased to a level that meets the risk appetite for that company.

So now you’ve done the work of identifying where the risks might be, and you’ve created a heat map, so you understand exactly how those risks might affect the organization. Now it’s time to create the cybersecurity requirements around these identified risks. We need to determine where the gaps might be in our security posture, and this may require a formal audit to have someone evaluate every aspect of our organization and understand where those gaps might be.

In smaller organizations, you may be able to do a self-assessment to be able to find those gaps. Once you understand where those gaps might be, you can then build security controls that would fill in all of those risky areas. In areas that are very risky, we would apply additional security controls, and in areas of less risk, we get to decide what business case meets the particular goals we have for minimizing that risk.

And we’ll also want to look at all of the existing security controls that we’re already using. If we have a firewall that’s 10 years old, we may determine that to be non-compliant and not providing us with any type of risk control. Instead, we would purchase new firewalls with new capabilities and new security systems, bringing them into compliance.

To me, one thing that makes IT security so interesting is that it is a constantly moving battlefield. There’s constant change with the type of risk that we have to prepare for and there’s new risks that are emerging all the time. The amount of information on existing threats and the newer threats that we’re dealing with is almost overwhelming and it takes constant study to stay up-to-date so that you can manage a proper defense.

Understanding how to recognize these security events and protect against them is everyone’s responsibility, and of course, we need to make sure that every employee understands how that fits into their daily job role. It’s not unusual in many organizations that when you’re brought on board you go through a formal training process, and part of that training is understanding the security risks for the organization. But of course, the conversation doesn’t stop there. We have to have ongoing training so that we understand what these emerging risks might be. Group discussions are incredibly important, whether in person or on the internet; you could get presentations from law enforcement that can help you understand what other organizations are dealing with; and of course, attending security conferences and programs can keep you up to date with the latest security information.

Not only is there a constant set of threats we have to keep track of, there’s also a constant set of regulations. From an IT perspective, there are an extensive number of regulations affecting cybersecurity. Many of these regulations are associated with protecting someone’s personal information or financial information and there are extensive regulations describing the disclosure of information breaches.

If you’re in health care, a significant regulation is HIPAA, the Health Insurance Portability and Accountability Act. HIPAA is a broad regulation that covers many different areas, but from an IT perspective, we are dealing with the privacy of patient health records. This includes not only how you provide that information to others but how that information is stored, how the network is secured when that information is sent across the network, and how you can protect against threats to that data. And in the European Union, we have GDPR, the General Data Protection Regulation. If you are in the EU and you want to control who has your data and what they’re doing with the data, there are extensive regulations that give you control over where your data may be stored.

Sometimes it’s difficult to put a number or a value on how risky something might be. Instead, you could use a qualitative risk assessment to get a better understanding of where you sit with this particular risk. You may want to get opinions from others on how they feel this particular risk is in your environment and then you can use things like colors to determine how risky something might be.

Let’s say that we would like to get a qualitative analysis of the risk in our environment of having legacy Windows clients. It may be that we’re not able to upgrade these systems because they’re running proprietary hardware or software that will only run on older Windows machines. It may be that we believe this has a minimal impact, so we’ll associate a yellow color with it. But this is something that may happen constantly throughout the year, so we’ll make that a red color. If we want to address this concern, then we’ll need security controls that we’ll rate at about a yellow color, which means the overall risk for these legacy Windows clients in our environment we’ll mark with red.

Let’s also consider the risk of having untrained staff. We may believe that the risk is very minimal in our case, so the impact we’ll mark with green. This is something that shouldn’t occur very often during the year, so we’ll mark it as yellow, and the cost of not training people obviously is not significant, so we’ll mark that as green, meaning the overall risk for untrained staff in our environment we’ll mark as yellow. And if we have systems with no antivirus software, this could have an impact. It might be a significant problem throughout the year. We need to purchase that, so there is a cost associated with it, meaning the overall risk for that particular risk factor is one that we’ll mark with red. This qualitative assessment allows us to see where the highest risk might be in our organization without having specific values that we can associate with these risk factors.
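The colour-based walkthrough above becomes repeatable once the factors and the combination rule are written down. This is an added example, not code from the original video: the three factors (impact, frequency during the year, cost of controls) and the green/yellow/red scale follow the text, while the combination rule, taking the most severe colour across the factors as the overall rating, is an assumption chosen because it reproduces the three outcomes the text gives. The colours for the impact and control cost of the no-antivirus case are constructed, since the text names those factors without assigning them a colour.

```python
"""Qualitative risk assessment with colour ratings.

Added example, not code from the original video. The "most severe colour wins"
rule for the overall rating is an assumption.
"""
from dataclasses import dataclass

# Ordinal colour scale, least to most severe.
COLOUR_ORDER = {"green": 0, "yellow": 1, "red": 2}


def _check(colour: str) -> str:
    """Reject ratings outside the agreed scale so the register stays consistent."""
    if colour not in COLOUR_ORDER:
        raise ValueError(f"unknown rating {colour!r}; expected one of {list(COLOUR_ORDER)}")
    return colour


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    impact: str        # how bad it is when it happens
    frequency: str     # how often it is expected during the year
    control_cost: str  # cost of the controls needed to address it

    def __post_init__(self) -> None:
        for colour in (self.impact, self.frequency, self.control_cost):
            _check(colour)

    def overall(self) -> str:
        """Overall rating: the most severe of the three factor colours (assumed rule)."""
        return max((self.impact, self.frequency, self.control_cost),
                   key=COLOUR_ORDER.__getitem__)


# Register from the text's walkthrough. The no-antivirus impact and control-cost
# colours are constructed here; the text does not give them.
REGISTER = [
    QualitativeRisk("legacy Windows clients", impact="yellow", frequency="red", control_cost="yellow"),
    QualitativeRisk("untrained staff", impact="green", frequency="yellow", control_cost="green"),
    QualitativeRisk("no antivirus software", impact="yellow", frequency="red", control_cost="yellow"),
]


def rank(register: list[QualitativeRisk]) -> list[tuple[str, str]]:
    """(name, overall colour) pairs, most severe first, so the highest risks stand out."""
    return sorted(((r.name, r.overall()) for r in register),
                  key=lambda item: COLOUR_ORDER[item[1]], reverse=True)


if __name__ == "__main__":
    for name, colour in rank(REGISTER):
        print(f"{colour:<7} {name}")
```

Writing the rule down is the point: two assessors who disagree about an overall colour can now see which factor they actually disagree about.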

Of course, we might want to associate specific quantitative values with these risks, and often that value is a dollar figure. This calculation might start with the likelihood of this particular issue occurring. An annualized rate of occurrence or ARO describes that likelihood. For example, how likely is it that a hurricane will hit this year? If you’re in Montana probably very low, but if you’re in Florida, it might be a higher risk.

Another important metric is the SLE or single loss expectancy. That describes how much money we’re going to lose if that single event occurs. For example, if a laptop is stolen and we have a value on that laptop, we can associate a $1,000 loss with every stolen laptop. To determine the annualized loss expectancy or the ALE, we multiply the annualized rate of occurrence by the single loss expectancy. Let’s say that seven laptops are stolen in a single year. That would be our annualized rate of occurrence; we’ll multiply that by the single loss expectancy for one of those laptops, which is $1,000, which means that our total annualized loss expectancy would be $7,000.

We now can make some business decisions on whether we want to add additional security controls around the protection of these laptops, or it may be that we realize we’re going to lose $7,000 this year in stolen laptops and we’ll decide to accept that particular risk. Of course, there may be other concerns that are outside the scope of something like a dollar figure. It may be that losing access to this laptop could potentially prevent additional sales, which might have more impact than simply identifying the cost of the laptop.
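The ALE calculation above, carried through to the "add controls or accept the risk" decision. This is an added example, not code from the original video: the laptop figures (SLE of $1,000, ARO of 7 thefts per year, ALE of $7,000) come from the text, but the candidate controls, their annual costs and the ARO they would leave behind are constructed sample values. The decision rule, that a control is worth buying when ALE before minus ALE after minus the control's annual cost is positive, is a standard cost-benefit formula assumed here rather than something the text states. Like the text, the model only sees dollar figures; impacts such as lost sales have to be handled outside it.

```python
"""Quantitative risk: ALE = ARO x SLE, plus a control cost-benefit check.

Added example, not code from the original video. Control options and the
net-value decision rule are assumptions; the laptop figures are from the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per occurrence
    aro: float  # annualized rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """ARO for events rarer than yearly, e.g. one expected every 20 years -> 0.05."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year
    residual_aro: float  # occurrences per year expected once the control is in place


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit: ALE before - ALE after - annual cost of the control."""
    after = Risk(risk.name, risk.sle, control.residual_aro)
    return risk.ale - after.ale - control.annual_cost


def decide(risk: Risk, controls: list[Control]) -> tuple[str, float]:
    """Return the control with the best positive net value and that value,
    or ("accept the risk", ALE) when no control pays for itself."""
    best = max(controls, key=lambda c: control_value(risk, c), default=None)
    if best is None or control_value(risk, best) <= 0:
        return ("accept the risk", risk.ale)
    return (best.name, control_value(risk, best))


# Figures from the text: $1,000 per stolen laptop, seven thefts per year.
LAPTOP_THEFT = Risk("laptop theft", sle=1_000, aro=7)

# Constructed control options for the comparison; not from the text.
CONTROLS = [
    Control("cable locks and asset tracking", annual_cost=2_000, residual_aro=2),
    Control("managed device program", annual_cost=6_500, residual_aro=1),
]

if __name__ == "__main__":
    print(f"ALE for {LAPTOP_THEFT.name}: ${LAPTOP_THEFT.ale:,.0f}")
    for control in CONTROLS:
        print(f"  {control.name:<32} net value ${control_value(LAPTOP_THEFT, control):,.0f}")
    choice, value = decide(LAPTOP_THEFT, CONTROLS)
    print(f"decision: {choice} (${value:,.0f})")
```

`aro_from_interval` covers the hurricane-style cases the text mentions, where the event is expected less than once a year and the ARO is a fraction rather than a count.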

When we talk about risk to an organization, we also have to talk about disasters, and there are certainly environmental threats wherever you may be. This could be tornadoes, hurricanes, earthquakes, or even just severe weather. There might also be threats created by a person. This might be intentional, where someone is trying to bring down your systems, or perhaps somebody simply clicked the wrong button and through negligence or error caused all the power systems to turn off. These person-made threats could also be more severe, such as arson, crime, fires, and other concerns.

And we also have to categorize whether these disasters are created internally or whether they come from an external source. Internal threats tend to be from the employees we have in our organization that are creating these disasters. External threats come from outside of the organization and we may have different security controls depending on whether those threats are internal or external.