The risk assessment methodology is a foundational pillar of effective information security and there are numerous risk methodologies available to allow organizations to identify, quantify, and mitigate information security risks to its information assets. But, as we all know, risk is subjective.
Personal experience, subject knowledge, and anecdotal sources can all result in mixed results. How we make sense of the risks to information and present this information in a meaningful way is where risk assessment comes in, enabling the business to identify risks, determine potential impacts, and to analyze those risks to determine the risk level, appropriate controls, and to calculate a risk rating.
Determining the right risk assessment methodologies for your business will depend upon several factors. These can include the industry the business operates in, its size and scope, and the compliance regulations to which it's subject.
The Right Fit
Unless specified contractually, the risk methodology should fit the business, not the other way around. A clear understanding of the risks faced in the collection, processing, storing, sharing, and disposal of information is key to ensuring that those risks are managed appropriately to the impact of a breach, whether to its own or customer data.
You'll also need to decide whether you are looking for a qualitative or quantitative approach or a combination of both methods, and what you're trying to achieve, i.e., the risks you wish to mitigate and where. Are you looking to address threats and vulnerabilities; protect personal information, data sets, or business-critical information; or reduce the risk posed to the services of the business, its physical hardware, or staff?
Component-driven risk focuses on technical components and the threats and vulnerabilities they face, so looks at individual elements. System-driven risk, on the other hand, analyzes systems or processes as a whole, so takes more of an overview. Although different, they are deemed complementary. Most organizations adopt the component methodology, which requires the organization to identify specific information assets and its associated risks to its confidentiality, integrity, and availability (aka, CIA).
The CIA triad enables the security team to keep data secure while ensuring legitimate access to data. It is essential to use alongside your risk framework, as it can help control the risk to data associated with the introduction of new systems or devices, for instance.
Given all these variables, there are, of course, numerous frameworks to choose from. Some of the most well-known are ISO 27005:2011, ISF IRAM2, NIST (SP800-30), Octave Allegro, and ISACA COBIT 5 for risk, for example. There's no one-size-fits-all approach, and all have their strengths and weaknesses, leading many teams to adopt more than one approach.
Pitfalls to Avoid
Risk methodologies will only ever be as good as the data we put into them. This means it's relatively common for teams to be too restrictive in their scope and to overlook assets. All too often, we've seen examples of asset lists that only contain IT assets, without including information assets, for instance. An information asset has its own value, which doesn't change whether it is in physical, electronic, or tacit form, but excluding this from the organization's asset list would skew results.
Another common failing is to restrict the way risk assessment is used. It's often regarded as a negative exercise because it sees the enforcement of controls, so it's important to counter this by ensuring the assessment benefits the aims of the organization and doesn't hinder or stifle its success.
Understanding what lies behind the risk is also key, i.e., the threats/vulnerabilities and their likelihood of realization — and this needs to be translated in a meaningful way.
Risk assessment can lead to risk registers producing risk matrices and red-amber-green (RAG) status indicators without conveying the relative impact in a business language. Being able to effectively communicate risk to those responsible for managing the purse strings is vital to securing funds for risk protection. For example, describing a risk as red, or 43, will mean very little to most laypeople, whereas a description of the impact to operations, reputation, finances, or punitive measures will see the issues described using business language that will be readily understood by senior management. Indeed, the importance of being able to translate risk into meaningful business impacts is an often underappreciated skill.
The output of risk assessments should guide the business to invest in the controls that best meet its objectives. They should also, just as importantly, highlight when spending on new technology or controls does not contribute to those goals.
Finally, it's important that the applied risk methodology creates an environment where consistent, repeatable results are produced. This will help the business evaluate whether risks have increased, whether existing controls are adequate, and where exposure has increased, leading to a more accurate risk profile and clearer understanding of the overall security risk posture.