How Can Businesses Determine and Assess Risk?
20 June 2022
Tim Pinell, NQA’s Information Security Assurance Manager recently wrote an article for The Cyber Resilience Centre for West Midlands on the importance of the importance of risk analysis and the benefits that come with it:
One of the most important elements in an information security audit is the review of an organisation’s information security risks. An organisation that understands it risks can make informed decisions on what actions it might take: whether to treat the risk, or to put up with it, or perhaps to transfer the risk to the insurance policy. An organisation that knows the risks it faces is in a strong position to weather business storms.
Almost all SMEs take information security risk assessment very seriously, despite perhaps not having the expertise. And yet I frequently see organisations that have not been able to articulate their information security risks. But people in business are experts in business risk, making risk decisions every day. So why is there is a difference in understanding between business risk and information security risk?
On closer examination the principles are the same, and it becomes apparent that the problem lies in articulating information security risk.
A risk is made up to two components: something that could happen and the consequences if it does happen. It’s easy to think of business risk examples, such as failed business plans having an impact on the bottom line.
Here’s an example of a poorly described information security risk, and is typical of many of the risk descriptions I see whilst auditing:
Access control failure causes loss of information
How can that help support decision making? There’s so much missing from it: what kind of access control failure (physical or IT), why did the control fail, what asset was it protecting? And then consider the consequences – loss of information might not be an adverse consequence if the information had no value. So we need to know what information was lost and the impact of that loss, bearing in mind that impacts can comprise a number of factors – cost of remediation, fines, loss of customer business, drop in share price, customer rebates etc.
This is a better risk description:
A lack of strong passwords on the file server could allow insiders to delete personnel files, resulting in an ICO fine of up to £10000
Note that there’s no mention of how likely the incident is to occur, so this is an improvement:
There is a 10% likelihood that a lack of strong passwords on the file server will result in insiders deleting personnel files, leading to an ICO fine of up to £10000 and unspecified employee compensation
Likelihood is attempting to predict the future so it’s not an exact science. But the most important thing is to make a prediction and try to avoid the middle ground – it might happen/it might not happen, because that won’t help decision making. And note the change in terms: could has become will. This is necessary because of the addition of likelihood – the risk is a statement of the likelihood of a specific event occurring and the impact of that occurrence.
The important thing to note is that the risk is self-explanatory. Anybody reading it will easily understand it, which is important during the Great Resignation and the constant loss of corporate knowledge. If all the information security risks are similarly articulated then the consistency and repeatability of the process is ensured, regardless of who in the future is following it.
Some organisations break this out into a table which aids comparability with other risks:
And there’s no tech speak involved; bear in mind the people who need persuading to take action are the business managers, such as the CEO and CFO. This then helps top management articulate their information security risk appetite. And their job can be made easier by including the risk treatment cost:
By doing the maths the business is carrying a £1000 (10% * £10000) risk that will cost £500 to treat. It’s arguably not worth doing, unless by implementing strong passwords other risks will be treated as well, the lesson being that risks and their treatments should never be considered in isolation.
Many organisations use a High/Medium/Low – RAG method of scoring risks. But these methods need criteria to explain what High to Low is in likelihood and impact, and the finer decision-making detail can be lost, particularly for impact: consider a high profile data breach from the news and all the cost factors that went into remediating it.
Another factor that organisations sometimes get wrong is that implementing a risk treatment doesn’t always mean that the impact is reduced. Risk treatments usually reduce the likelihood – you can make it harder for a ransomware attack to occur, but when it does that hard drive is still going to become encrypted.
There are a variety of risk management techniques, such as ISO 27005 and ISO 31000. Time spent on risk analysis and articulating them in business terms is time well spent.
Originally published by The Cyber Resilience Centre for West Midlands, Jun 1 2022
Almost all SMEs take information security risk assessment very seriously, despite perhaps not having the expertise. And yet I frequently see organisations that have not been able to articulate their information security risks. But people in business are experts in business risk, making risk decisions every day. So why is there is a difference in understanding between business risk and information security risk?
On closer examination the principles are the same, and it becomes apparent that the problem lies in articulating information security risk.
A risk is made up to two components: something that could happen and the consequences if it does happen. It’s easy to think of business risk examples, such as failed business plans having an impact on the bottom line.
Here’s an example of a poorly described information security risk, and is typical of many of the risk descriptions I see whilst auditing:
Access control failure causes loss of information
How can that help support decision making? There’s so much missing from it: what kind of access control failure (physical or IT), why did the control fail, what asset was it protecting? And then consider the consequences – loss of information might not be an adverse consequence if the information had no value. So we need to know what information was lost and the impact of that loss, bearing in mind that impacts can comprise a number of factors – cost of remediation, fines, loss of customer business, drop in share price, customer rebates etc.
This is a better risk description:
A lack of strong passwords on the file server could allow insiders to delete personnel files, resulting in an ICO fine of up to £10000
Note that there’s no mention of how likely the incident is to occur, so this is an improvement:
There is a 10% likelihood that a lack of strong passwords on the file server will result in insiders deleting personnel files, leading to an ICO fine of up to £10000 and unspecified employee compensation
Likelihood is attempting to predict the future so it’s not an exact science. But the most important thing is to make a prediction and try to avoid the middle ground – it might happen/it might not happen, because that won’t help decision making. And note the change in terms: could has become will. This is necessary because of the addition of likelihood – the risk is a statement of the likelihood of a specific event occurring and the impact of that occurrence.
The important thing to note is that the risk is self-explanatory. Anybody reading it will easily understand it, which is important during the Great Resignation and the constant loss of corporate knowledge. If all the information security risks are similarly articulated then the consistency and repeatability of the process is ensured, regardless of who in the future is following it.
Some organisations break this out into a table which aids comparability with other risks:
| Description | Likelihood | Impact |
| A lack of strong passwords on the file server will result in insiders deleting personnel files | 10% | Fine: ICO - £10000 Compensation: £TBD |
And there’s no tech speak involved; bear in mind the people who need persuading to take action are the business managers, such as the CEO and CFO. This then helps top management articulate their information security risk appetite. And their job can be made easier by including the risk treatment cost:
| Description | Likelihood | Impact | Treatment |
| A lack of strong passwords on the file server will result in insiders deleting personnel files | 10% | Fine: ICO - £10000 Compensation: £TBD |
Implement strong passwords: £500 |
By doing the maths the business is carrying a £1000 (10% * £10000) risk that will cost £500 to treat. It’s arguably not worth doing, unless by implementing strong passwords other risks will be treated as well, the lesson being that risks and their treatments should never be considered in isolation.
Many organisations use a High/Medium/Low – RAG method of scoring risks. But these methods need criteria to explain what High to Low is in likelihood and impact, and the finer decision-making detail can be lost, particularly for impact: consider a high profile data breach from the news and all the cost factors that went into remediating it.
Another factor that organisations sometimes get wrong is that implementing a risk treatment doesn’t always mean that the impact is reduced. Risk treatments usually reduce the likelihood – you can make it harder for a ransomware attack to occur, but when it does that hard drive is still going to become encrypted.
There are a variety of risk management techniques, such as ISO 27005 and ISO 31000. Time spent on risk analysis and articulating them in business terms is time well spent.
Originally published by The Cyber Resilience Centre for West Midlands, Jun 1 2022