Quantitative vs. qualitative information risk assessment
Qualitative information risk assessment is the most commonly used approach to information security risk assessment and uses subjective estimates (e.g. high, medium, low) for likelihood and loss/consequence. When performing information risk assessments, it is recommended that information risks are assessed by more than one person to reduce the subjective element of this approach. A workshop format is often a useful way of bringing together those individuals who are most familiar with the information asset and the associated threats and vulnerabilities to discuss and agree the likelihood and impact of each risk.

Quantitative information risk assessment, unlike qualitative information risk assessment, uses numerical values (normally monetary) rather than subjective values (high, medium, low) for risk assessment. Figures are derived for the Single Loss Expectancy (how much one occurrence of a given information risk costs) and the Annual Rate of Occurrence (how often the risk is expected to occur per year). From these it is possible to calculate the Annual Loss Expectancy (how much the organisation can expect to lose each year for a given risk).
By defining a monetary value for risks and having the historic data to determine the expected frequency, it is not only possible to prioritize information risks in order of their financial impact on the organisation, but, in combination with an understanding of the costs of your controls and their effectiveness at mitigating risk, it is possible to make some statements about the Return On Security Investment.

Unfortunately, quantitative information risk assessment requires a significant amount of data about information risk impacts and probabilities, which may not be readily available and which is resource intensive to collect. Calculations can be complex and resource intensive and, as a result, professional risk management software is often required for effective analysis. In addition, technology changes so fast that historical data may not be a good source of information about current and future impacts and probabilities.

It is often the case, particularly with information security risk, that the impact of a risk cannot be defined solely as a numerical value or monetary sum. For example, the reputational impacts of a data breach cannot easily be measured by quantitative methods. Quantitative information risk assessment is a process which requires experience and competence to use and is not as straightforward to involve colleagues in as qualitative information risk assessment.
One possible approach is to use qualitative information risk assessment by default, and quantitative information risk assessment where it is felt that the benefits provided by the technique outweigh the costs.
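As an added worked example (not code from the original article), the following Python derives the Annual Loss Expectancy from the Single Loss Expectancy and the Annual Rate of Occurrence for a constructed set of risks, ranks them by financial exposure, and estimates the Return On Security Investment for a control. The ROSI formula, the sample figures and the control are assumptions; the article names ROSI but does not define it.

```python
# Quantitative information risk assessment: SLE, ARO, ALE and ROSI.
from dataclasses import dataclass

@dataclass(frozen=True)
class QuantRisk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year from this risk."""
        return self.sle * self.aro

def rank_by_ale(risks):
    """Order risks by financial exposure, highest ALE first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)

def rosi(risk, control_cost, effectiveness):
    """Return on Security Investment for one control against one risk.

    effectiveness is the fraction of the ALE the control removes (0..1).
    Formula assumed here (the common textbook form; the article names ROSI
    but does not define it): (ALE_before - ALE_after - cost) / cost.
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    if control_cost <= 0:
        raise ValueError("control_cost must be positive")
    ale_before = risk.ale
    ale_after = ale_before * (1.0 - effectiveness)
    return (ale_before - ale_after - control_cost) / control_cost

# Constructed sample figures, not data from the article.
SAMPLE_RISKS = [
    QuantRisk("ransomware on file server", sle=250_000.0, aro=0.2),
    QuantRisk("laptop loss with customer data", sle=20_000.0, aro=1.5),
    QuantRisk("web server outage", sle=5_000.0, aro=4.0),
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:32s} ALE = {r.ale:>10,.0f}")
    # Assumed control: offline backups and endpoint detection at 25,000
    # per year, estimated to remove 80% of the ransomware ALE.
    print(f"ROSI = {rosi(SAMPLE_RISKS[0], 25_000.0, 0.8):.2f}")
```

A ROSI above zero means the control removes more expected annual loss than it costs; a negative value means the control is more expensive than the loss it prevents, which is the proportionality check the treatment section below asks for.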
Process
The information risk assessment case study provides a practical example of how information risk measurement criteria can be used to help achieve consensus when using qualitative information risk assessment.
Since qualitative information risk assessment is largely subjective, agreement may not be reached if a simple high, medium, low rating is used to rate impact and likelihood. Using information risk measurement criteria provides a consistent basis on which to assess the impact and likelihood of a risk, and provides a descriptor for each impact level and likelihood rating so that individual perceptions of what is high or low are excluded and consensus is reached on which impact statement best describes the perceived risk.
The steps involved are:

1. Considering the threats and vulnerabilities, generate information risk scenarios (e.g. through brainstorming). These scenarios should, in real world terms, outline something which could go wrong and the mechanism by which it could occur. You can also use a standard list of risk scenarios.
2. Assess and score each information risk for impact.
3. Assess and score each information risk for likelihood.
4. Plot the impact and likelihood of each information risk on a risk acceptance matrix.
It is important to retain some sense of proportion when attempting to estimate impacts and effects; the organisation should bear in mind that some of the most devastating impacts actually rely on a chain of specific circumstances, which reduces the likelihood of an event with that very high impact occurring.
Information risk treatment
Having plotted the identified information risks on the information risk acceptance matrix, decisions (based on the organisation's information risk appetite) can be made as to the responses to be taken for each information risk.
Typical risk treatment options include:

- terminate (cease the activity giving rise to the risk)
- transfer (typically by passing some aspect of the risk onto another body such as an insurance company)
- reduce or increase (through applying, modifying or removing controls)
- accept (accept the risk).
When treating an information risk by implementing a control, an estimate should be made of the effect of that control on the overall risk score. In doing this, the residual risk score (the amount of risk remaining) can be calculated and a decision made as to whether the residual score is still too high and further mitigation is required.
The organisation should ensure that the effort and expense involved in treating an information risk does not significantly exceed the loss (whether measured in financial, reputational, legal, ethical, etc. terms) which would be suffered should the risk materialize.
It is essential that, as part of the process, information risk owners and action owners are assigned. The information risk owner is the person or body which has the authority and accountability for managing an information risk. The action owner is the individual responsible for carrying out the activities to control the information risk. It is possible that the information risk owner and action owner may be the same person.

At a higher level, whether part of the organisation's pre-existing risk management framework or a specific information security governance body, there should be a review body which on a regular basis scrutinizes the management of information security risk.
Information risk register
Identified information risks should be added to an information risk register outlining all the information risks faced by the organisation, what controls are being applied, and the initial, current and residual information risk scores. In this way, it is possible to see at a glance how exposure to an information risk has changed over time. Information risk management is a cyclical process, and risks should be reassessed on a regular basis (the degree of regularity depending on the significance of the risk) but also as part of managing changes to the operating environment. Changes in the threat landscape may allow the relaxation of certain controls or, equally, require extra controls.

A further reason for maintaining an information risk register is to provide an auditable account of decisions made. This will allow the organisation to manage identified information risks as well as to determine the overall information risk exposure. The register will also act as an historical record of the assessed value of each information risk over time.
It should be noted that information security risk assessment cannot be carried out and managed in isolation. Risks identified as part of the information security process should be integrated into the appropriate organizational risk registers. For example, information security risks which have the potential to impact on organisation strategies should be referenced from the organisation's overall strategic risk register.
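As an added worked example (not code from the original article) tying together the qualitative process steps, the residual-risk calculation in the treatment section and the register described above: the Python below scores a risk against descriptor-based measurement criteria, places it on a risk acceptance matrix relative to an appetite threshold, applies a control and records the initial and residual scores in a register entry. The criteria descriptors, the 4x4 matrix, the appetite threshold and the sample risk are assumptions, not the article's own.

```python
# Qualitative scoring against measurement criteria, the risk acceptance
# matrix, residual scores after controls, and a risk register entry.
from dataclasses import dataclass, field

# Measurement criteria: a descriptor per level so assessors pick the
# statement that fits instead of debating "high" vs "low".
# Constructed descriptors, not the article's own criteria.
IMPACT = {1: "negligible: no service or data loss",
          2: "minor: short outage, no personal data exposed",
          3: "moderate: regulatory notification required",
          4: "major: prolonged outage or large data breach"}
LIKELIHOOD = {1: "rare: not expected within 5 years",
              2: "unlikely: may occur once in 2-5 years",
              3: "likely: expected within a year",
              4: "almost certain: several times a year"}

def score(impact: int, likelihood: int) -> int:
    """Score is the impact x likelihood cell of the acceptance matrix."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError("impact and likelihood must be criteria levels 1-4")
    return impact * likelihood

def treatment(risk_score: int, appetite: int) -> str:
    """Cells at or below the appetite threshold are accepted; others are treated."""
    return "accept" if risk_score <= appetite else "treat"

@dataclass
class RegisterEntry:
    name: str
    owner: str                 # information risk owner (accountable)
    impact: int
    likelihood: int
    history: list = field(default_factory=list)  # (control, score) over time

    def __post_init__(self):
        self.initial = score(self.impact, self.likelihood)
        self.history.append(("initial", self.initial))

    @property
    def current(self) -> int:  # residual score after the latest control
        return self.history[-1][1]

    def apply_control(self, control: str, impact_delta=0, likelihood_delta=0) -> int:
        """Estimate the control's effect on the score and record the residual."""
        self.impact = max(1, self.impact + impact_delta)
        self.likelihood = max(1, self.likelihood + likelihood_delta)
        self.history.append((control, score(self.impact, self.likelihood)))
        return self.current
```

The `history` list is what gives the register its audit trail: each control and the score it left behind is kept, so the change in exposure over time can be read back later.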