Risky business: 6 steps to assessing cyber risk for the enterprise

With the explosive growth of digital information, the continued success of modern enterprises has become inextricably bound to the effective use and management of data. However, the same efficiency-driving technologies, global interconnectivity, and remote work have also introduced significant, high-profile information risks.

This leaves organizations with no choice but to improve how they manage cyber risk. What follows is a step-by-step process, based on the Information Security Forum's IRAM2 methodology, that cybersecurity and risk practitioners can use to assess and manage information risk.

Step 1: Scoping exercise

The objective of the scoping exercise is to provide a business-centric view of the risk to be assessed. This involves reaching agreement among stakeholders on the business scope of the assessment (for example, intellectual property, brand or reputation, organizational performance) and on its technological scope (information architecture, user profiles, the particular technology or service being assessed).

The exercise also establishes which party is responsible for assessing each risk domain and the mandate behind the assessment, for example the introduction of a new business service or technology, or management concern about a particular area of the business. An assessment without a clear mandate and owner tends to drift, so both should be recorded before any analysis begins.

Step 2: Business impact assessment (BIA)

A BIA determines the potential business impact should the confidentiality, integrity, or availability of an information asset or system be compromised. The first step is to identify all relevant information assets, such as customer and financial data and the information used to operate services and systems, across all environments and across the entire information lifecycle (input, processing, transmission, storage).

Once assets are identified, each can be assigned a value (a rank or priority). The extent of a potential security incident is then estimated for each asset under two scenarios: a realistic scenario reflecting the most reasonably expected impact, and a worst-case scenario.

Step 3: Threat profiling

This phase identifies and prioritizes threats and establishes how they can manifest. Threat profiling starts with identifying potentially relevant threats through discussion with key stakeholders and analysis of the available sources of threat intelligence (for example, an internal threat intelligence team or external commercial feeds).

Once the threat landscape is built, each threat in it should be profiled on two key risk factors: likelihood of initiation, meaning how likely the threat is to initiate one or more threat events, and threat strength, meaning how effectively the threat can initiate and carry out those events.

Threats can also be grouped into one of three overarching categories: adversarial, accidental, or environmental. The category matters when rating the two factors, because motivation and intent apply only to adversarial threats; for accidental and environmental threats, likelihood of initiation is driven by how often the triggering event occurs.

Step 4: Vulnerability assessment

Once threat profiling is complete, the next phase identifies the degree to which information assets are vulnerable to each identified threat. A vulnerability assessment examines how relevant each key control is to the threat, and the performance and quality of the control's implementation.

Each vulnerability is assessed and expressed in terms of the relative strength of the controls that counter it. Control strength is derived from the stakeholder rating for that control, together with supporting evidence such as the control's characteristics, measured performance, known deficiencies, and documentation. A control that exists on paper but is not operating as designed should be rated on its actual performance, not on its intended design.

At the end of the assessment, the practitioner has a solid understanding of which information assets are vulnerable to which threat events.

Step 5: Risk evaluation

Risk evaluation maps how likely each threat is to succeed, what the business impact would be, and how the resulting risks fit into the organization's overall risk management plan.

The first step is to choose the most relevant impact scenario for each risk: a realistic outcome, taking the threat's strength into account, or the worst case.

Secondly, it is crucial to identify existing or planned controls that might lessen the threat's impact. As with other control assessments, judging how much these controls reduce the inherent impact is subjective, and here the experience of the risk practitioner and key stakeholders plays a vital role.

Step 6: Risk treatment

This step explores the available approaches to managing an information risk:

Mitigation: Improve existing controls and implement new ones to reduce the likelihood or the impact of a threat event.

Avoidance: Stop or eliminate the activity that gives rise to the risk.

Transfer: Let another party shoulder some of the risk, for example by obtaining cyber insurance. Transfer shifts financial exposure rather than accountability, and a policy's conditions and exclusions should be checked against the risks it is meant to cover.

Acceptance: Acknowledge the possibility of the risk occurring and its potential fallout, but take no further action because the risk falls within the organization's risk tolerance.

Risk treatment should be guided by the organization's risk appetite. Evaluate each risk individually to determine whether it exceeds the organization's risk tolerance. Once the treatment options are clear, create a risk treatment plan, execute it, and monitor the results to confirm that the treatment has actually brought the risk within tolerance.
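The following is an added example, not part of the original article and not the ISF's own IRAM2 tooling, that carries Steps 2 to 6 through in code as a small risk register: assets with realistic and worst-case impact ratings, threats profiled by likelihood of initiation and strength, vulnerability derived from the strongest relevant control, a likelihood-times-impact rating, and a treatment recommendation against a risk appetite. The five-point scales, the combination rules, and the assets, threats and controls are all assumptions constructed for illustration; IRAM2 defines its own scales.

```python
"""Worked risk-register example covering Steps 2 to 6 of the process above.

All five-point scales and the rules for combining them are simplifying
assumptions made for this example; they are not the ISF IRAM2 scales, and the
assets, threats and controls are constructed sample data.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Asset:
    name: str
    realistic: dict   # impact per attribute ("C", "I", "A"), 1 (negligible) .. 5 (severe)
    worst_case: dict  # same, for the worst-case scenario (Step 2)


@dataclass(frozen=True)
class Threat:
    name: str
    category: str                  # "adversarial", "accidental" or "environmental" (Step 3)
    likelihood_of_initiation: int  # 1..5: how likely the threat starts a threat event
    strength: int                  # 1..5: how capable it is of carrying the event through
    affects: tuple                 # attributes compromised on success, e.g. ("C",)


@dataclass(frozen=True)
class Control:
    name: str
    counters: str              # name of the threat this control is relevant to
    strength: int              # 1..5: stakeholder rating of the implementation (Step 4)
    impact_reduction: int = 0  # impact levels removed if the event still succeeds (Step 5)


def clamp(x, lo=1, hi=5):
    return max(lo, min(hi, x))


def vulnerability(threat, controls):
    """Step 4: exposure to this threat given the strongest relevant control (1..5).
    Equal threat and control strength gives medium (3); no control lets threat strength dominate."""
    best = max((c.strength for c in controls if c.counters == threat.name), default=0)
    return clamp(3 + threat.strength - best)


def likelihood(threat, controls):
    """Rating that the threat event is both initiated and succeeds (1..5)."""
    return ceil(threat.likelihood_of_initiation * vulnerability(threat, controls) / 5)


def impact(asset, threat, controls, scenario="realistic"):
    """Step 5: impact of the chosen scenario, net of controls that blunt the outcome (1..5)."""
    levels = asset.realistic if scenario == "realistic" else asset.worst_case
    inherent = max(levels[a] for a in threat.affects)
    reduction = sum(c.impact_reduction for c in controls if c.counters == threat.name)
    return clamp(inherent - reduction)


def rating(asset, threat, controls, scenario="realistic"):
    """Risk rating = likelihood x impact, 1..25."""
    return likelihood(threat, controls) * impact(asset, threat, controls, scenario)


def recommend(asset, threat, existing, planned, appetite, scenario="realistic"):
    """Step 6: compare the current and post-mitigation ratings with the risk appetite
    (the highest rating the organization tolerates); return (option, residual rating)."""
    current = rating(asset, threat, existing, scenario)
    if current <= appetite:
        return "accept", current
    residual = rating(asset, threat, existing + planned, scenario)
    if residual <= appetite:
        return "mitigate", residual
    return "transfer or avoid", residual  # planned mitigation cannot reach appetite


# Constructed sample register (not real data).
CUSTOMER_DB = Asset("customer database",
                    realistic={"C": 4, "I": 3, "A": 3},
                    worst_case={"C": 5, "I": 4, "A": 4})
CRED_STUFFING = Threat("credential stuffing", "adversarial", 5, 3, ("C",))
RANSOMWARE = Threat("ransomware", "adversarial", 4, 4, ("I", "A"))
FLOOD = Threat("data centre flood", "environmental", 1, 5, ("A",))

EXISTING = [Control("password policy", "credential stuffing", 2),
            Control("offline backups", "ransomware", 2, impact_reduction=1)]
PLANNED = [Control("MFA on customer portal", "credential stuffing", 5),
           Control("endpoint detection and response", "ransomware", 3)]
APPETITE = 6  # ratings above this exceed risk tolerance and must be treated


if __name__ == "__main__":
    for threat in (CRED_STUFFING, RANSOMWARE, FLOOD):
        for scenario in ("realistic", "worst-case"):
            option, residual = recommend(CUSTOMER_DB, threat, EXISTING, PLANNED, APPETITE, scenario)
            print(f"{threat.name:22} {scenario:10} "
                  f"current={rating(CUSTOMER_DB, threat, EXISTING, scenario):2} "
                  f"residual={residual:2} -> {option}")
```

Running the register shows the three outcomes the treatment step distinguishes: the credential-stuffing risk exceeds appetite today but the planned MFA control brings it within tolerance (mitigate); the ransomware risk stays above appetite even after the planned control, so transfer or avoidance has to be considered; the flood risk is within appetite and can be accepted. Re-running after a control is implemented is the monitoring step, and it should use the control's rated actual strength rather than the planned one.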

Using the six steps of risk assessment

At the end of the sixth step, the risk assessment process is effectively complete. The practitioner has a better understanding of the assessed environment, including a clear picture of the relevant threats, the associated vulnerabilities, and the prioritized risks, and a risk treatment plan has been developed and implemented to reduce risks to an acceptable level.

It is important to remember that information security is dynamic: threat events, vulnerabilities, and their impacts on the business are fluid and evolving. Practitioners and stakeholders should reassess risks regularly, and in particular whenever the organization or its environment undergoes major change and after mitigation efforts are implemented, since a treated risk needs to be re-rated to confirm that the residual risk is what was expected.
