Risk Management
By Robert Shimonski and Martin M. Weiss
Date: Aug 5, 2024
This chapter covers the following official Security+ exam objective: 5.2 Explain elements of the risk management process. You will learn the steps of the process, from risk identification and assessment, to risk management strategies and risk reporting.
Risk Identification
Risk identification is the initial step in the risk management process, aimed at identifying potential threats and vulnerabilities that could adversely affect an organization. This ensures that the organization can proactively address risks through planning and implementation of security measures.
A threat can be thought of as the potential that a vulnerability will be identified and exploited. Analyzing threats can help an organization develop security policies and prioritize securing resources. Threat assessments are performed to determine the best approaches to securing the environment against a threat or class of threats. Threats might exist, but if an environment has no vulnerabilities, it faces little or no risk. Likewise, little or no risk affects environments that have vulnerability without threat. Consider the simple analogy of a hurricane. Few would argue that a hurricane represents a threat. However, consider a home on the coast in Florida and a home inland in the Midwest. The former is certainly vulnerable to a hurricane, whereas the latter is not.
Probability is the likelihood that an event will occur. In assessing risk, it is important to estimate the probability or likelihood that a threat will occur. Assessing the likelihood of occurrence of some types of threats is easier than assessing other types. For example, you can use frequency data to estimate the probability of natural disasters. You might also be able to use the mean time to failure (MTTF) and mean time to repair (MTTR), both covered later in this chapter, to estimate the probability of component problems. Determining the probability of attacks by human threat sources is difficult. Threat source likelihood is assessed using skill level, motive, opportunity, and size. Vulnerability likelihood is assessed using ease of discovery, ease of exploit, awareness, and intrusion detection.
Risk Assessment
Risk assessment is the process of analyzing identified risks to evaluate the likelihood of their occurrence and their potential impact. This evaluation is required for prioritizing risks and formulating strategies to mitigate them effectively.
Risk is the possibility of, or exposure to, loss or danger from a threat. Risk management is the process of identifying and reducing risk to a level that is acceptable and then implementing controls to maintain that level. Risk comes in various types. Risk can be internal, external, or multiparty. Banks provide a great example of multiparty risk: Because of the ripple effects, issues at banks have effects on other banks and financial systems.
To determine the relative danger of an individual threat or to measure the relative value across multiple threats to better allocate resources designated for risk mitigation, it is necessary to map the resources, identify threats to each, and establish a metric for comparison. A business impact analysis (BIA) helps identify services and technology assets as well as provides a process by which the relative value of each identified asset can be determined if it fails one or more of the CIA (confidentiality, integrity, and availability) requirements. The failure to meet one or more of the CIA requirements is often a sliding scale, with increased severity as time passes. Recovery point objectives (RPOs) and recovery time objectives (RTOs) in incident handling, business continuity, and disaster recovery must be considered when calculating risk. BIA, RPOs, and RTOs are covered further later in this chapter.
Risk assessments should rarely if ever be a one-time event for an organization. The frequency with which these are conducted, however, can vary depending on various factors regarding the organization’s risk landscape, regulatory requirements, and level of change across their environments. For example, a small, stable private organization may find an annual risk assessment sufficient. On the other hand, a large, dynamic organization operating across high-risk environments, where emerging risks may pose challenges, should opt for more frequent assessments. Generally, risk assessments are conducted adopting the following frequencies:
Ad hoc
One-time
Recurring
Continuous
Ad hoc risk assessments are conducted in response to specific incidents or triggers. For example, if a company encounters a significant security breach, it would conduct an ad hoc risk assessment to understand the scope and severity of the risk posed by the breach. Ad hoc assessments can also be made if a new business opportunity arises, and the company needs to carry out an immediate assessment of the associated risks.
One-time risk assessments are often conducted for specific events or changes. For instance, when introducing a new system, launching a new product, or during a business merger or acquisition, a company would conduct a one-time assessment to understand the potential risks associated with these activities. A one-time assessment helps organizations anticipate and mitigate risks associated with the change.
Recurring assessments are conducted at regular intervals, such as annually, semi-annually, or quarterly, depending on the organization’s requirements and nature of the industry. Recurring risk assessments allow organizations to stay on top of any changes to their risk profile. The frequency depends on the level of risk an organization faces and the rate of change in its external environment, as well as internal factors such as a change in business strategy.
In a continuous risk assessment approach, the risk environment is monitored in real time, and risks are assessed on an ongoing basis. This approach relies on established key risk indicators (KRIs) to evaluate the company’s risk profile. When thresholds are breached, risk assessments are triggered. As with other approaches, a continuous risk assessment approach requires balancing risk visibility against resource commitment, but it may provide the most complete and timely understanding of risk in more volatile environments.
Risk Analysis
Risk analysis helps align security objectives with business objectives. It is a process that deals with the calculation of risk and the return on investment for security measures. By identifying risks, estimating the effects of potential threats, and identifying ways to mitigate these risks in a cost effective manner, organizations can ensure that the cost of prevention does not outweigh the benefits.
The risk analysis process involves several key steps to assess and manage risk effectively:
Identify threats: Recognize potential threats that could exploit vulnerabilities.
Identify vulnerabilities: Determine weaknesses within the system that could be exploited by threats.
Determine the likelihood of occurrence: Evaluate how probable it is for a threat to occur and exploit a vulnerability.
Determine the magnitude of impact: Assess the potential severity of the damage or loss if a threat materializes.
Determine the risk: Calculate the level of risk using the simple equation Risk = Threat × Vulnerability × Impact.
This process helps in understanding the complex relationship between threats, vulnerabilities, and their potential impacts, emphasizing the importance of assessing the likelihood that a threat will actually occur.
After identifying and assessing risks, it’s important that you categorize and prioritize them based on their likelihood of occurrence and potential impact. This prioritization helps in formulating appropriate response strategies:
High-level threats may necessitate immediate corrective measures.
Medium-level threats might require developing an action plan for reasonable implementation.
Low-level threats could be dealt with as feasible or might be accepted as part of the organization’s risk threshold.
The assessment of impact alongside risk likelihood is needed to understand the potential consequences of risk events.
Qualitative Risk Analysis
Qualitative risk analysis is a subjective approach that assesses risks based on non-numeric criteria. It involves using techniques such as brainstorming, focus groups, and surveys to gauge the significance of different risks and their impact. This method allows for a relative projection of risk for each threat, using a risk matrix or heat map to visualize the probability (from very low to very high) and impact (from very low to very high) of potential risks.
To facilitate this assessment, Table 24.1 provides a risk matrix that can help you understand the level of risk as either low, medium, or high for both likelihood and impact. The table organizes risk levels based on a combination of likelihood scores, ranging from very low to very high, and levels of impact, ranging from very low to very high, resulting in the assignment of an overall risk level.
TABLE 24.1 Level of Risk Based on Likelihood and Impact
Likelihood |
Level of Impact |
||||
|---|---|---|---|---|---|
|
Very Low |
Low |
Moderate |
High |
Very High |
Very High |
Medium |
High |
High |
High |
High |
High |
Low |
Medium |
High |
High |
High |
Moderate |
Low |
Medium |
Medium |
High |
High |
Low |
Low |
Low |
Medium |
Medium |
High |
Very Low |
Low |
Low |
Low |
Low |
Medium |
The preceding matrix underscores the principle that risk is not just about the potential for a threat to occur but also about the significance of its impact. By categorizing risks into these levels, organizations can prioritize their risk management efforts more effectively, focusing on mitigating the most important risks first.
Despite its subjective nature, and the need for expert judgment, qualitative analysis provides essential insights into risk prioritization, especially when quantitative data is unavailable.
Quantitative Risk Analysis
Quantitative risk analysis offers an objective means to evaluate risk, assigning numerical values to the potential loss and the likelihood of risk occurrence. This method calculates the degree of risk based on the estimation of potential losses and the quantification of unwanted events, utilizing concepts such as single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
Quantitative analysis provides clear measures of relative risk and expected return on investment, making it easier for senior management to comprehend and make informed decisions. However, it requires significant effort and time to collect and analyze all related data, making it more labor-intensive than qualitative analysis. Furthermore, qualitative measures tend to be less precise, more subjective, and more difficult in assigning direct costs for measuring return on investment (ROI) and rate of return on investment (RROI).
Because a quantitative assessment is less subjective than a qualitative one, the process requires that a value be assigned to each of the various components. To perform a quantitative risk assessment, an estimation of potential losses is calculated. Next, the likelihood of some unwanted event is quantified, based on the threat analysis. Finally, depending on the potential loss and likelihood, the quantitative process arrives at the degree of risk. Each step relies on the concepts of single loss expectancy, annual rate of occurrence, and annual loss expectancy.
Single Loss Expectancy
Single loss expectancy (SLE) is the expected monetary loss every time a risk occurs. SLE equals asset value multiplied by the threat exposure factor, which is the percentage of the asset lost in a successful attack. The formula looks like this:
Asset Value × Exposure Factor = SLE
Consider an example of SLE using denial-of-service (DoS) attacks. Firewall logs indicate that the organization was hit hard one time per month by DoS attacks in each of the past 6 months. You can use this historical data to estimate that you likely will be hit 12 times per year. This information helps you calculate the SLE and the ALE. (The ALE is explained in greater detail shortly.)
An asset is any resource that has value and must be protected. Determining an asset’s value can most mean determining the cost to replace the asset if it is lost. Simple property examples fit well here, but figuring asset value is not always so straightforward. Other considerations could be necessary, including the value of the asset to adversaries, the value of the asset to the organization’s mission, and the liability issues that would arise if the asset were compromised.
The exposure factor is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, imagine that 25% of business would be lost if a DoS attack succeeded. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × 0.25). The possibility of certain threats is greater than that of others. Historical data presents the best method of estimating these possibilities.
Annual Rate of Occurrence
The annual rate of occurrence (ARO) is the estimated possibility of a specific threat taking place in a 1-year time frame. The possible range of frequency values is from 0.0 (the threat is not expected to occur) to some number whose magnitude depends on the type and population of threat sources. When the probability that a DoS attack will occur is 50%, the ARO is 0.5. After you calculate the SLE, you can calculate the ALE, which gives you the probability of an event happening over a single year.
Annual Loss Expectancy
The annual loss expectancy (ALE) is the monetary loss that can be expected for an asset from risk over a 1-year period. ALE equals SLE times ARO:
ALE = SLE × ARO
ALE can be used directly in a cost/benefit analysis. Going back to our earlier example, if the SLE is estimated at $25,000 and the ARO is 0.5, the ALE is $12,500 ($25,000 × 0.5 = $12,500). In this case, spending more than $12,500 to mitigate risk might not be prudent because the cost would outweigh the risk.
Risk Register
As mentioned earlier, risk assessments should not be a one-time event. As an organization evolves, change is inevitable. Risk management needs to be part of a framework from which risk can easily be communicated and adapted on an ongoing basis.
A risk register gives an organization a way to record information about identified risks, and it’s usually implemented as a specialized software program, cloud service, or master document. Risk registers often include enterprise- and IT-related risks. With threats and vulnerabilities identified, the organizations can then implement controls to manage the risk appropriately. (The next section discusses these techniques.) The risk register should contain specific details about the risks, especially any residual risks the organization faces as a result of controls or mitigation techniques employed. Common contents of a risk register include the following:
Risk categorization groupings
Name and description of the risk
A measure of the risk through a risk score
The impact to the organization if the risk is realized
The likelihood of the risk being realized
Mitigating controls
Residual risk
Contingency plans that cover what happens if the risk is realized
The items listed here are fundamental components of a risk register, providing a comprehensive overview of the organization’s potential and actual risk landscape. However, to address the dynamic nature of risks, and to ensure an effective and proactive approach to risk management, some other elements are crucial and warrant further exploration.
These elements, namely key risk indicators (KRIs), risk owners, and risk thresholds, enhance the risk register’s depth and effectiveness, ultimately providing a more nuanced understanding of the organization’s risks.
KRIs function as early warning signs for potential increases in risk. By monitoring KRIs, organizations can catch and handle risk escalations before they worsen and have an impact. KPIs measure and showcase trend lines of risk exposure, offering a quantitative means to keep track of risk movements over time. These KRIs, along with other features of a risk register, are an important tool in the risk reporting process across key stakeholders.
Risk owners are individuals or teams designated with the responsibility of managing specific risks. Assigning risk owners is valuable because it not only encourages accountability but also ensures there’s a specific point of contact and decision maker for each risk. It guarantees that the management of each identified risk is streamlined and focused.
Finally, risk thresholds help an organization determine the maximum amount of risk it can tolerate. This is a measure of the acceptable level of risk exposure for the company. Once a risk crosses its respective threshold, it calls for immediate attention. It triggers a response that could include escalated reporting, contingency plans, or mitigation strategies. Understanding risk thresholds helps in laying out a clear roadmap for when and what action needs to be taken against the identified risks.
These items play a significant part in shaping the risk strategy of an organization and provide more context and depth to the typical components of a risk register.
The risk register serves as a strategic component for an organization and helps ensure that an organization’s risk appetite and risk tolerance are correctly aligned with the goals of the business.
Risk Appetite and Tolerance
Risk appetite is the total amount of risk that an organization is prepared to accept or be exposed to at any point in time. It drives the organization’s strategic decision-making process and is linked with the organization’s objectives and strategies. Risk appetite may be categorized into three types:
Expansionary or aggressive: Organizations with an expansionary risk appetite are willing to take on more risk for the potential of higher returns. These companies are often in high-growth industries where the benefits of taking a riskier approach can result in significant returns, such as tech startups and investment banking.
Neutral: A company with a neutral risk appetite strikes a balance between being too risky and overly cautious. While they don’t shy away from taking risks, they ensure this is done in a controlled and managed way. These organizations may be mature businesses in stable markets where business growth is consistent and returns are steady.
Conservative: A conservative risk appetite involves low tolerance for risk and a preference for safer investments with predictable outcomes. These companies typically operate in highly regulated industries such as utilities and healthcare, where the emphasis is on stability, safety, and reliability rather than rapid growth.
These concepts are not unlike one’s own personal behavior and risk appetite, even if subconscious. Consider, for example, your own personal values, goals, and objectives. Consider what activities you may or may not participate in, or how you personally choose to invest your savings and so forth.
Risk tolerance is the specific maximum risk that an organization is ready to handle. While risk appetite is about the overall amount of risk an organization is willing to accept, risk tolerance drills down to more specific scenarios or risk categories. Risk tolerance is the degree of variability in outcomes that an organization is willing to withstand.
For example, an organization might have a high risk tolerance for financial risks if it has strong cash reserves, but a low risk tolerance for reputational risks that could harm its brand in the marketplace.
Understanding these two concepts enables organizations to effectively manage risk in line with their strategic goals. They can select projects or make decisions that align with their appetite and tolerance for risk. The risk appetite and tolerance also guide the organization’s risk management activities, determining how they identify, assess, analyze, and mitigate risk.
Together with the risk register, an organization’s appetite and tolerance for risk plays an important role in helping align risk with the goals of the business. The risk register can then provide valuable information and help drive the strategic decision-making process to achieve those goals. It is important that the reporting from a risk register be clear and understandable. The outputs should be available and visible across the business, including to management and senior executives responsible for strategy, budget, and operations.
Risk Management Strategies
Risk management involves creating a risk register document that details all known risks and their related mitigation strategies. Creating the risk register involves mapping the enterprise’s expected services and data sets, as well as identifying vulnerabilities in both implementation and procedures for each. Risk cannot be eliminated outright in many cases, but mitigation strategies can be integrated with policies for risk awareness training ahead of an incident. Formal risk management deals with the alignment of four potential strategies to respond to each identified risk:
Avoid: Risk avoidance seeks to eliminate the vulnerability that gives rise to a particular risk. This is the most effective solution, but it often is not possible due to organizational requirements. For example, eliminating email to avoid the risk of email-borne viruses is an effective solution but is not likely a realistic approach.
Transfer: With risk transference, a risk or the effect of its exposure is transferred by moving to hosted providers that assume the responsibility for recovery and restoration. Alternatively, organizations can acquire insurance to cover the costs of equipment theft or data exposure. Insurance related to the consequences of online attacks is known as cybersecurity insurance.
Accept: With risk acceptance, an organization recognizes a risk, identifies it, and accepts that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. In such cases, this is known as risk exemption. On the other hand, a risk exception is a formal acknowledgment that a system or process is not compliant with an applied standard or policy but has been permitted to operate because the risk is acknowledged and accepted. In essence, an organization agrees to tolerate a higher level of risk than usual due to unique circumstances. In most cases, these are temporary, require mitigating controls be put in place, and are given a timeline for the exception to be re-evaluated. Risk acceptance must be a conscious choice that is documented, approved by senior administration, and regularly reviewed.
Mitigate: Risk mitigation involves reducing the likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.
Bruce Schneier, a well-known cryptographer and security expert, was asked after the tragic events of 9/11 if it would be possible to prevent such events from happening again. “Sure,” he replied. “Simply ground all the aircraft.” Schneier gave an example of risk avoidance, albeit one he acknowledged as impractical in today’s society. Consider the simple example of an automobile and its associated risks. If you drive a car, you have likely considered those risks. The option to not drive deprives you of the many benefits the car provides that are strategic to your individual goals in life. As a result, you have come to appreciate mitigating controls such as seat belts and other safety features. You accept the residual risks and might even transfer some of the risk through a life insurance policy. Certainly, when it comes to the risks of the vehicle itself, insurance plays a vital role. Not carrying insurance even carries risk itself because insurance is often required by law. Examples abound of people who have even accepted that risk, making a conscious choice to drive without insurance.
Finally, the choices you make related to risk often result in residual risk. Living in a high-crime neighborhood might spur someone to put bars on their home’s windows. That’s one problem seemingly mitigated. However, in case of a fire, the bars would render common egress points in the home no longer accessible.
Risk Reporting
Risk reporting is needed for communicating risk information to stakeholders across the organization. Risk reporting involves the regular and ad hoc dissemination of risk-related information, from the operational level to senior management and the board of directors, ensuring that all parties are informed about current risks, their potential impact, and the actions taken to mitigate them. This process provides an up-to-date picture of the organization’s risk profile to support strategic decision-making and help foster a proactive risk management culture.
This process benefits from the use of the risk register, which acts as a central repository of all identified risks, their assessment, and management plans. The risk register, as detailed previously, contains critical information that forms the backbone of risk reporting, which includes the following:
Risk categorization helps in understanding the types of risks (strategic, operational, financial, compliance) the organization faces.
Risk description and scoring provide a snapshot of each risk’s nature and its relative priority.
Impact, likelihood, and mitigation plans offer insights into the potential consequences of risks and the steps taken to manage them.
Residual risk levels highlight the remaining risk after mitigation efforts, guiding ongoing management and monitoring.
Key risk indicators (KRIs) and heat maps serve as visual tools for tracking and communicating risk status and trends over time.
Effective risk reporting ensures that this information is available and presented in a manner that is accessible and actionable for all stakeholders, allowing for informed discussions about risk tolerance, appetite, and strategic risk management priorities. Risk reports should not only highlight where risks align or deviate from the organization’s risk appetite but also signal when risk levels approach or exceed predefined tolerance thresholds. This alignment ensures that risk management efforts are strategic, targeted, and effective in supporting the organization’s objectives.
Business Impact Analysis
Business impact analysis (BIA) is the process of determining the potential impacts resulting from the interruption of time-sensitive or critical business processes. IT risk assessment, as well as planning for both disaster recovery and operational continuity, relies on conducting a BIA as part of the overall plan to ensure continued operations and the capability to recover from disaster. The BIA focuses on the relative impact of the loss of operational capability on critical business functions. Conducting a business impact analysis involves identifying critical business functions and the services and technologies required for them, along with determining the associated costs and the maximum acceptable outage period.
For hardware-related outages, the assessment should also include the current age of existing solutions, along with standards for the expected average time between failures, based on vendor data or accepted industry standards. Planning strategies are intended to minimize this cost by arranging recovery actions to restore critical functions in the most effective manner based on cost, legal or statutory mandates, and calculations of the mean time to restore.
A business impact analysis is a key component in ensuring continued operations. For that reason, it is a major part of a business continuity plan (BCP) or continuity of operations plan (COOP) as well. The focus is on ensuring the continued operation of key mission and business processes. U.S. government organizations commonly use the term mission-essential functions to refer to functions that need to be immediately functional at an alternate site until normal operations can be restored. Essential functions for any organization require resiliency. Organizations also must identify the dependent systems for both the functions and the processes that are critical to the mission or business.
A BCP must identify critical systems and components. If a disaster is widespread or targets an Internet service provider (ISP) or key routing hardware point, an organization’s continuity plan should detail options for alternate network access. This should include dedicated administrative connections that might be required for recovery. Continuity planning should include considerations for recovery in case existing hardware and facilities are rendered inaccessible or unrecoverable. It should also consider the hardware configuration details, network requirements, and utilities agreements for alternate sites.
RTO and RPO
Recovery point objective (RPO) and recovery time objective (RTO) are important concepts of the BCP and form part of the broader risk management strategy. RPO, which specifically refers to data backup capabilities, is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds the BCP’s maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery can happen before business is disrupted. For example, if an organization does a backup at 10:00 p.m. every day and an incident happens at 7:00 p.m. the following day, everything that changed since the last backup would be lost. The RPO in this context is the backup from the previous day. If the organization set the threshold at 24 hours, the RPO would be within the threshold because it is less than 24 hours.
The RTO is the amount of time within which a process must be restored after a disaster to meet business continuity requirements. The RTO is how long the organization can go without a specific application; it defines how much time is needed to recover after a notification of process disruption.
MTTF, MTBF, and MTTR
When systems fail, one of the first questions asked is, “How long will it take to get things back up?” It is better to know the answer to such a question before disaster strikes than to try to find the answer afterward. Fortunately, established mechanisms can help you determine this answer. Understanding these mechanisms is a big part of the overall analysis of business impact.
Mean time to failure (MTTF) is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. MTTF metrics supplied by vendors about their products or components might not have been collected by running one unit continuously until failure. Instead, MTTF data is often collected by running many units for a specific number of hours and then is calculated as an average based on when the components fail.
MTTF is one of many ways to evaluate the reliability of hardware or other technology and is extremely important when evaluating mission-critical systems hardware. Knowing the general reliability of hardware is vital, especially when it is part of a larger system. MTTF is used for nonrepairable products. When MTTF is used as a measure, repair is not an option.
Mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. MTBF is intended to measure only the time a component is available and operating. MTBF is similar to MTTF, but it is important to understand the difference. MTBF is used for products that can be repaired and returned to use. MTTF is used for nonrepairable products. MTBF is calculated as a ratio of the cumulative operating time to the number of failures for that item.
MTBF ratings can be predicted based on product experience or data supplied by the manufacturer. MTBF ratings are measured in hours and are often used to determine the durability of hard drives and printers. For example, typical hard drives for personal computers have MTBF ratings of about 500,000 hours.
These risk calculations help determine the life spans and failure rates of components. These calculations help an organization measure the reliability of a product.
One final calculation assists with understanding approximately how long a repair will take on a component that can be repaired. The mean time to repair (MTTR; also called mean time to recovery) is the average time required to fix a failed component or device and return it to production status. MTTR is corrective maintenance. The calculation includes preparation time, active maintenance time, and delay time. Because of the uncertainty of these factors, MTTR is often difficult to calculate. In order to reduce the MTTR, some systems have redundancy built in so that when one subsystem fails, another takes its place and keeps the whole system running.
What Next?
If you want more practice on this chapter’s exam objective before you move on, remember that you can access all of the Cram Quiz questions on the Pearson Test Prep software online. You can also create a custom exam by objective with the Online Practice Test. Note any objective you struggle with and go to that objective’s material in this chapter.