Risk assessment is everywhere in our daily actions: deciding which road to take to get to work, choosing the right moment to cross the street, deciding whether to accept a job offer, or proposing to delay a milestone within a project.
Risk assessment helps us make decisions:
- Should I give my phone number to the supermarket teller?
- Should I make a story with this photo on Instagram?
- Should I leave my kids alone in this mall?
- Should I allow my neighbor to use my Wi-Fi?
- Should I use this eBanking app on my mobile?
- Which door should I choose for my home?
Such decisions are based on balancing potential benefits against potential threats. If I give my phone number to the stranger, I may get a discount; if I use this eBanking app, I won't have to wait in a queue to pay my bills, and so on.
Corporate services follow the same pattern: we keep weighing what we might gain against what we might lose.
And this is exactly what security is all about: balancing these two things, benefits vs. risks.
As one can imagine, there are many (really many) ways of doing that.
We at INTRASOFT International have long practiced, formalized and gained experience with several of them (ITSRM2 and ISO 27005 are good examples), yet the main steps are largely common to most of them:
First, we must identify what's important to us (our "assets" or "crown jewels"): it might be the provision of a service, the integrity of a contract document, the confidentiality of a due diligence email, etc. There are plenty of sources to help with that, including IT inventories, HR lists, the service catalog, or even bringing a few department heads together for a casual session on a Tuesday morning.
Secondly, we should ask which threats apply to each of these assets. Some come from our own painful experience (e.g. a stolen laptop), some from our customers' input (e.g. a corrupted backup file, espionage), others from the literature or from standardized external catalogues (e.g. a pandemic, earthquakes). For each selected threat we can then ask how probable it is, what the potential impact would be, and (depending on the chosen methodology) what our most probable detection/response time would be.
The third set of actions is to combine the above information in order to identify the most important (and most urgent) items based on their "risk level". This risk level is typically a combination of probability, impact and detection/response speed for each threat scenario of each asset. In its simplest form it is a spreadsheet listing the assets and their corresponding threats, ordered by a risk level calculated as the product of probability and impact.
In the fourth phase, and since we never have an infinite budget(!), we prioritize and carefully select the actions that manage risk (called "treatment" in InfoSec jargon). One has to deal with the risk of breaking one's smartphone before considering the risk of a meteor falling on one's house!
Selecting treatment actions can, however, turn into a long and cumbersome process. Going back to those personal decisions: choosing a very expensive door for our home is one way of dealing with the risk of someone stealing our TV, but another option is a cheaper door plus home insurance, or installing an alarm system.
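As an added example (not code from the original article, nor an INTRASOFT or ITSRM2 tool), the following Python walks the four steps above on a constructed risk register: scoring each asset/threat scenario, ordering the register by risk level, and then picking treatments within a budget. The 1..5 scales, the optional detection/response multiplier, the sample assets, treatments, costs and residual scores are all assumptions made for illustration, and the greedy "risk reduction per unit of cost" selection goes beyond the text, which only says that prioritization is needed.

```python
# Added example (not from the original article): a toy risk register that walks
# the four risk assessment steps. Scales are an assumption: probability and
# impact run 1 (low) .. 5 (high); the optional detection/response factor runs
# 1 (fast) .. 3 (slow) and multiplies the score. All sample data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    probability: int      # 1 rare .. 5 almost certain
    impact: int           # 1 negligible .. 5 critical
    detection: int = 1    # 1 quickly detected/handled .. 3 slow (optional weight)

    def risk_level(self) -> int:
        # Simplest form from the text: probability x impact, here weighted by
        # how slowly the threat would be detected and responded to.
        return self.probability * self.impact * self.detection


@dataclass(frozen=True)
class Treatment:
    name: str
    asset: str
    threat: str
    cost: int                   # arbitrary budget units (assumed)
    residual_probability: int   # probability if this treatment is applied
    residual_impact: int        # impact if this treatment is applied


# Steps 1 and 2: assets, their threats and the scores (constructed sample data)
SCENARIOS = [
    Scenario("Core banking DB", "Data theft via shared admin credentials", 3, 5, 2),
    Scenario("Laptop fleet", "Stolen laptop", 4, 3, 1),
    Scenario("Backups", "Corrupted backup file", 2, 4, 3),
    Scenario("Headquarters", "Meteor strike", 1, 5, 1),
    Scenario("Office seat booking app", "Booking DB disclosure", 2, 1, 2),
]

# Step 4 candidates: several treatments may address the same scenario, like the
# "expensive door vs. cheaper door plus insurance" choice in the text.
TREATMENTS = [
    Treatment("Per-user accounts + MFA on core banking DB", "Core banking DB",
              "Data theft via shared admin credentials", 5, 1, 5),
    Treatment("Full-disk encryption on laptops", "Laptop fleet", "Stolen laptop", 2, 4, 1),
    Treatment("Laptop theft insurance", "Laptop fleet", "Stolen laptop", 4, 4, 2),
    Treatment("Restore tests + integrity checks", "Backups", "Corrupted backup file", 3, 1, 2),
    Treatment("Meteor shield", "Headquarters", "Meteor strike", 100, 1, 1),
    Treatment("Encrypt booking DB", "Office seat booking app", "Booking DB disclosure", 2, 1, 1),
]


def build_register(scenarios):
    """Step 3: the spreadsheet view, ordered by descending risk level."""
    return sorted(scenarios, key=lambda s: (-s.risk_level(), s.asset, s.threat))


def risk_reduction(scenario, treatment):
    """Risk level removed by applying the treatment to the scenario."""
    residual = treatment.residual_probability * treatment.residual_impact * scenario.detection
    return scenario.risk_level() - residual


def select_treatments(scenarios, treatments, budget):
    """Step 4: greedy selection by risk reduction per unit of cost, at most one
    treatment per scenario, until the budget is exhausted.
    Returns (chosen treatments in selection order, residual register)."""
    by_key = {(s.asset, s.threat): s for s in scenarios}
    ranked = sorted(
        treatments,
        key=lambda t: risk_reduction(by_key[(t.asset, t.threat)], t) / t.cost,
        reverse=True,  # stable, so ties keep their listed order
    )
    chosen, spent, treated = [], 0, {}
    for t in ranked:
        key = (t.asset, t.threat)
        if key in treated or spent + t.cost > budget:
            continue
        if risk_reduction(by_key[key], t) <= 0:
            continue
        chosen.append(t)
        spent += t.cost
        treated[key] = t
    residual = []
    for s in scenarios:
        t = treated.get((s.asset, s.threat))
        if t is None:
            residual.append(s)
        else:
            residual.append(Scenario(s.asset, s.threat, t.residual_probability,
                                     t.residual_impact, s.detection))
    return chosen, build_register(residual)


def total_risk(scenarios):
    return sum(s.risk_level() for s in scenarios)


if __name__ == "__main__":
    print("Initial register:")
    for s in build_register(SCENARIOS):
        print(f"  {s.risk_level():3d}  {s.asset}: {s.threat}")
    chosen, residual = select_treatments(SCENARIOS, TREATMENTS, budget=10)
    print("\nTreatments within budget 10:")
    for t in chosen:
        print(f"  cost {t.cost}: {t.name}")
    print(f"\nTotal risk {total_risk(SCENARIOS)} -> {total_risk(residual)}")
```

Running it shows the points made above: the meteor scenario is scored but never treated because its shield is far too expensive for what it buys, and of the two alternative treatments for the laptop scenario only the cheaper one with the better reduction per unit of cost is kept. One caveat a practitioner should keep in mind: multiplying ordinal 1..5 scores gives a ranking, not an expected loss, so two scenarios with the same product are not necessarily equally risky and the numbers should be used to prioritize discussion rather than to replace it.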
Imagine now bringing that into a corporate environment, where assets and treatment measures are numerous, and decisions must balance benefits against impact and treatment cost, case by case. Sharing a Netflix account at home might not matter much, but in an IT production environment, where several people may choose to share a common username and password, it destroys accountability: nobody can tell afterwards who did what. Likewise, an internal application for reserving office space (under COVID social distancing measures) might not need an encryption mechanism for its DB, while core banking software would certainly need a really strong one!
As a final consideration, we have to appreciate the volatility of all these decisions: assets change, get digitalized, move from place to place, become more or less important. At the same time, threats and measures evolve: Viber hacking, antivirus for smartphones, ransomware and identity theft are on today's agenda more than ever!
This is why formal methods and experience in these risk management processes can keep the related costs, effort and time spent low, while ensuring that services and information can be trusted, used and paid for.
In the era of digitalization and transformation offerings, corporate environments must proactively integrate risk management at all levels. At the heart of the process, Enterprise Risk Management sets the rules of engagement. More specifically, Information Security Risk Management can also be implemented in a centralized, corporate-level manner (typically coordinated by the corporate InfoSec Officers). At a third level, information security risks can be managed per project or corporate activity (typically facilitated by specialized InfoSec consultants or assigned security officers). Further integration should also be made with related processes, such as Business Continuity and Supplier Management.
Still, the maximum benefit of risk assessment is achieved by adopting risk management at the individual level within a company. Indeed, risk assessments and risk-based decisions are made by all employees in any company: in the finance department when an invoice is to be paid, in procurement when a new supplier is to be chosen, in IT when a new firewall rule is to be deployed, in development teams when a new software component is to be designed, at reception when a guest asks to enter the building. Everywhere!
Maturing companies, however, evolve themselves and their people to make these decisions faster, cheaper and with less risk, while remaining compliant with regulations and serving contractual requirements.
Still, for all this to work, individuals within a company should acknowledge that the benefits of any decision are not risk free. Risks should be assessed and managed: often in a structured way, frequently in a documented way, and sometimes as a detailed, structured process.
In any case, risk assessment should not be seen as yet another compliance requirement, but rather as a core driving force of a company that wants its customers to trust and believe in its capabilities and offerings.
Author: Emmanouil Serrelis.