Risk Management Lectures (4)

The following series is lecture material that I’ve used from time to time when discussing the problem of IT Risk Management. I’ll be providing this material on my blog as a series of posts on the topic.

***

Risk Assessment Process

We recognize that technology isn’t just cool; it is critical to ongoing business operations. Securing the information system therefore requires a multifaceted approach, because the electronic information system poses several significant risks to the organization:

1. Risk of loss or damage
2. Risk of exposure or compromise
3. Risk of regulatory non-compliance
4. Risk of obsolescence and incompatibility

Lack of attention to managing information systems security exposes a company to increased risk and liability because of the perception that management did not respond to its obligations. So, on the one hand, when management implements ATP (Administrative, Technical, and Physical) controls and safeguards, it is responding to the need to mitigate the loss of an asset; on the other hand, it is demonstrating a reasonable response to potential exposure. Management may also implement these controls and safeguards in response to regulatory compliance and business continuity requirements placed upon it by government agencies. In some situations, the lack of “due care” can result not just in civil penalties like fines and citations, but also in criminal prosecution.

Quantitative vs. Qualitative Risk Assessment

There are various Risk Assessment approaches and methodologies but, generally, they can be broken down into two camps: methods that are more qualitative in nature versus quantitative in nature.

Qualitative approaches tend to address the emotional response we have to a disaster incident and build a prioritization of response based on _perceived_ importance. A good example of this is the FRAP (Facilitated Risk Analysis Process) method espoused by Peltier and others, which encourages dialog, surveys, and solicited opinion to determine perceived areas of risk within an organization.

Quantitative approaches attempt to quantify, usually in financial terms, the loss to an organization if a disaster were to occur. Quantifying the risk of disaster in this way is referred to as PARA (Practical Application of Risk Analysis). Typically there is a mechanism for determining the potential loss of an asset from a single incident (the single loss expectancy, or SLE: the asset’s value multiplied by the fraction of that value the incident would destroy) and for estimating how often that incident is likely to occur (the annualized rate of occurrence, or ARO). Multiplying the SLE by the ARO yields the annualized loss expectancy (ALE), an estimated annual loss. As a manager, this financial number can be compared to the cost of insurance, for example, or weighed against the cost of a countermeasure: a safeguard that costs more per year than the loss it prevents is not worth buying.

Qualitative approaches attempt to gain a sense of urgency, priority, and the significance of risk by employing discussions, focus groups, and surveys. These assessments typically rely on the perceptions and opinions of employees to arrive at criticality and risk. FRAAP (Facilitated Risk Analysis and Assessment Process) was developed by our author, Peltier, as a qualitative method for analyzing and prioritizing risk. Although Peltier’s presentation is highly organized and thorough, FRAAP’s outcomes lack the convincing nature of monetary values.

In the coming weeks, we will be exploring both quantitative and qualitative ways to conduct risk assessment (RA). I think it’s safe to say that we will conclude that a purely quantitative RA method is not 100-percent accurate, and that we need a qualitative RA method to counterbalance what numerical assessments miss or cannot foretell. Using one RA method exclusively is probably too narrow an assessment and risks being myopic.

In quantitative risk analysis, RA is an assessment practice to:

1. Identify a company’s assets
2. Assign values to assets
3. Identify the assets’ vulnerabilities and threats
4. Calculate their associated risks
5. Estimate potential loss and damages
6. Provide solutions and remedies whose cost does not exceed the value of the asset
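As an added worked example (my own illustration, not part of the lecture material above), here is the SLE/ARO/ALE arithmetic from the quantitative approach carried through steps 1 to 6 in Python. The asset, threat, safeguard and insurance figures are constructed for illustration and are not real data; the function and class names are mine.

```python
"""Quantitative risk assessment, steps 1-6, as an added worked example.

All dollar figures, exposure factors and occurrence rates below are constructed
for illustration; they are not real data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # dollar value of the asset to the business (step 2)


@dataclass(frozen=True)
class Threat:
    """A threat/vulnerability pair against an asset (step 3), as currently exposed."""
    name: str
    exposure_factor: float  # fraction of the asset's value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate remedy and the residual exposure it leaves behind."""
    name: str
    annual_cost: float      # purchase cost amortized per year plus operating cost
    exposure_factor: float  # exposure factor with the safeguard in place
    aro: float              # ARO with the safeguard in place


def single_loss_expectancy(asset: Asset, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: the loss from one occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset.value * exposure_factor


def annualized_loss_expectancy(asset: Asset, exposure_factor: float, aro: float) -> float:
    """ALE = SLE x ARO: the estimated annual loss (steps 4 and 5)."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return single_loss_expectancy(asset, exposure_factor) * aro


def safeguard_net_value(asset: Asset, threat: Threat, safeguard: Safeguard) -> float:
    """Annual cost/benefit of a safeguard: (ALE before - ALE after) - annual cost.
    Positive means the control saves more than it costs; negative means it does not."""
    before = annualized_loss_expectancy(asset, threat.exposure_factor, threat.aro)
    after = annualized_loss_expectancy(asset, safeguard.exposure_factor, safeguard.aro)
    return (before - after) - safeguard.annual_cost


def recommend(asset: Asset, threat: Threat, safeguards: list[Safeguard],
              insurance_premium: float) -> dict[str, float]:
    """Step 6: rank every option by annual net value, best first.
    Accepting the risk is worth 0; insuring (transferring the risk) is worth
    ALE minus the premium; each safeguard is worth its net value, except that a
    safeguard costing more per year than the asset itself is rejected outright."""
    ale = annualized_loss_expectancy(asset, threat.exposure_factor, threat.aro)
    options = {"accept": 0.0, "insure": ale - insurance_premium}
    for s in safeguards:
        if s.annual_cost > asset.value:
            continue
        options[s.name] = safeguard_net_value(asset, threat, s)
    return dict(sorted(options.items(), key=lambda kv: kv[1], reverse=True))


def best_option(asset: Asset, threat: Threat, safeguards: list[Safeguard],
                insurance_premium: float) -> str:
    """Name of the top-ranked option from recommend()."""
    return next(iter(recommend(asset, threat, safeguards, insurance_premium)))


# Constructed figures for illustration only (hypothetical asset and controls).
FILE_SERVER = Asset("departmental file server", 200_000.0)
RANSOMWARE = Threat("ransomware encrypts the share", exposure_factor=0.5, aro=0.25)
SAFEGUARDS = [
    Safeguard("offline backups", annual_cost=6_000.0, exposure_factor=0.125, aro=0.25),
    Safeguard("managed endpoint detection", annual_cost=25_000.0, exposure_factor=0.5, aro=0.05),
    Safeguard("air-gapped replacement site", annual_cost=300_000.0, exposure_factor=0.0, aro=0.0),
]
INSURANCE_PREMIUM = 18_000.0


if __name__ == "__main__":
    sle = single_loss_expectancy(FILE_SERVER, RANSOMWARE.exposure_factor)
    ale = annualized_loss_expectancy(FILE_SERVER, RANSOMWARE.exposure_factor, RANSOMWARE.aro)
    print(f"SLE ${sle:,.0f}  ARO {RANSOMWARE.aro}  ALE ${ale:,.0f}")
    for name, net in recommend(FILE_SERVER, RANSOMWARE, SAFEGUARDS, INSURANCE_PREMIUM).items():
        print(f"{name:30s} net ${net:>10,.0f}/yr")
```

With the constructed figures, one incident costs $100,000 (SLE) and is expected once every four years, so the ALE is $25,000 a year. Offline backups cut the expected loss to $6,250 for $6,000 a year, a net gain of $12,750; insurance nets $7,000; the expensive detection service costs more than the loss it prevents; and the replacement site is rejected before any arithmetic because its annual cost exceeds the asset’s value (step 6). The ranking is the point: the number lets management compare a safeguard against accepting or transferring the risk on the same scale.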

In qualitative risk analysis, RA is an assessment practice to:

1. Identify a company’s assets
2. Ascertain risk through the collection of opinions and observations.
3. Determine a scope of effect if the asset were rendered unavailable.
4. Prioritize risk based on the impact of the scope of effect.
5. Provide solutions and remedies that either constrain the scope, or, mitigate the risk.

Notice that the traditional steps of RA are similar regardless of method. We identify assets, we attempt to value them, we attempt to identify how they are vulnerable to damage or loss, and we attempt to calculate the financial (or qualitative) risk associated with that loss. Finally, an outcome of RA is to “provide solutions”, that is, to recommend safeguards that address the exposure and mitigate or eliminate the risk of financial loss to an asset.

Given our understanding of this process, we can see a distinction between RA and the financial analysis and auditing functions. RA deals with evaluating the _risk_ to assets; financial auditing attempts to evaluate the current _value_ of assets. Financial audits attempt to confirm that accounting records conform to GAAP principles and provide transparency of accounting practices to stakeholders; RA is a method to expose vulnerabilities and set up a framework for responding to them. This is worth remembering because many third parties to our companies (our financial auditor, our insurance auditor) are getting into the RA business and attempting to market their services alongside RA. That may be a dangerous situation: RA investigates holes in information systems, while the financial auditor relies upon the integrity of those same information systems to arrive at their conclusions. Hence you have a fox-guarding-the-hen-house kind of problem.

RA exposes vulnerabilities and the risk they carry, and attempts to communicate to management some quantification or qualification of that risk so that management can respond: take action and implement Administrative, Technical, or Physical controls that reinforce the CIA Triad (confidentiality, integrity, and availability).


Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, an MCSE, and a Master’s Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.