Philosophy of Security, part 6 – Risk Management – Risks: Threats and Vulnerabilities
In Part 5 of this series we discussed the general approaches to Risk Management. In this part I wish to take a closer look at the heart, and technically the most difficult part, of the process: Risk Analysis, and specifically dealing with risks expressed as a set of threats and vulnerabilities, and the interaction of the two, which provides an insight into the likelihood of a risk event coming to pass.
A vulnerability is a flaw in the business systems, processes and assets that are the subjects of the risk analysis process, or in the environment where these systems operate. While there are many types of vulnerabilities, in general they can be grouped into the following categories:
- Technical vulnerabilities – these are generally flaws in the production process and/or design flaws in a business system or in a set of security or risk controls around an asset (such as a door lock, an operating system, a web server, a telephone exchange unit or a mechanical mail handling device) that can be used to subvert the system or control in order to cause it to behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the system or the asset.
- Process vulnerabilities – these are the flaws found in processes (such as gaps in validation, gaps in document handling, unsafe assumptions, and the like) which can be used to subvert the process in order to cause it to behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the process.
- People and Social vulnerabilities – these “flaws” are unwanted and often unintended behaviours that arise from social, psychological and cultural conditioning (such as the politeness and helpfulness of the people who carry out the processes or operate the systems), which can be used to subvert the system or the process in order to cause it to behave in a fraudulent fashion or to deliver an outcome other than was intended by the business owners of the process.
- Environmental vulnerabilities – the features of the environment in which the business systems, processes and assets have to operate, which can in some way be used to the detriment of these systems, processes and assets. For example, when choosing a site for a major data centre, a location within the 50-year flood line on a major floodplain might well be seen as an environmental vulnerability to a flood.
The potential for exploitation of a vulnerability, generally expressed as a simple phrase such as “unlikely” or “highly possible” or as a numerical value, is the main outcome of vulnerability analysis. This potential is based on how easy it is to exploit the vulnerability given the current set of security and risk controls in place, and on the actual nature of the vulnerability.
Threats are events which present a danger to, or have a detrimental effect on, the business systems, processes and assets that are the subjects of the risk analysis process.
- Exploitation of a vulnerability – This is the threat that arises from a person or an organisation attempting to make use of the existence of a vulnerability in business systems, processes and assets. An example of this would be a theft from a room with a poorly constructed lock, or a website defacement where the web server had a well-known flaw.
- Direct Threats – These threats are direct action taken by a person or an organisation against business systems, processes and assets. An example of this would be deliberate and targeted action such as arson, a robbery or a burglary aimed at obtaining a particular item, or even a so-called “spear-phishing” cyber-attack campaign.
- Indirect Threats – These are threats that arise from the effects of the actions of a person or an organisation, where these effects have a detrimental effect on the business systems, processes and assets. This can take the form of new legislation, political instability and similar.
- Environmental Threats – These are environmental disasters such as floods, earthquakes, fires and the like. These threats do not involve a human actor.
Probability of occurrence is the most critical part of the risk analysis. In this part the methodology must be rigorous and must rely on quantitative methods as much as possible, in order to avoid the natural human bias in estimating the probability of a threat occurring. This calculation must take into account the current set of security and risk controls in place.
Putting it all together: the likelihood of a risk.
The most appropriate measure of how likely it is that a risk event will be realised is derived from a combination of the potential for exploitation of a vulnerability and the probability of occurrence of a threat, combined with the effect of the current set of security and risk controls in place.
Most risk management frameworks provide a set of guidelines on how to calculate and consistently describe the resulting likelihood of a risk, and how to make use of the resulting information.
Notes on Risk Analysis:
All the threat and vulnerability analysis and evaluation must be done in the context that has been set at the outset of the risk management process. Otherwise the results will be inconsistent.
Pick a well-documented Risk Management standard which is relevant to the type of risk management you are undertaking (there are separate standards that relate to ICT systems risk management, medical systems risk management, etc.). Use of a well-documented standard provides a well-understood and documented risk analysis methodology. Adoption of a well-documented standard also makes it easier to find reference materials, and to get skilled peer review and overall acceptance of the results.
The aim is to use the same methodology for all risk analyses unless there are very good reasons to change to another standard. If we wish to compare the results from different methodologies, we need to bear in mind that a change of methodology will naturally lead to inconsistent results in risk analysis.
This needs to be kept in mind when comparing the results produced under two different methodologies, such as AS/NZS 4360 and the ISO 31000 series.
Conversely, the results of analyses undertaken within two different organisations, but using similar contexts and the same risk management framework, can be compared with a reasonably high degree of confidence.