What is Risk Management: Processes and Concepts – The whole goal of I.T. security is to protect our stuff from bad things, and we do that through what we call risk management. To paraphrase Wikipedia a little, risk management is the identification, assessment, and prioritization of risk. When we talk about risk we are talking about the potential for harm to organizations, people, I.T. equipment, whatever it might be, and that holds whether we are talking about risk or about risk management. So let's get some of these terms down. The first one I'd like to start with is assets.
Assets are any part of our infrastructure that we are worried about getting harmed. As a security person you need to think a little deeper. For example, people can be assets: what if you have one person who is the only one who knows how to do a particular job, and nobody else knows how to do it? What if that person were to disappear tomorrow? That could cause harm. Equally, we could run into things like our physical plant. What if you have a server room door that is unlocked and anybody can go into it? In that case we would want to do something to protect that door so that people can't just go walking in and out of our server room. In fact assets can even include intangibles, like the reputation of our company. So assets cover a lot of things. The next one I want to cover is vulnerabilities.
A vulnerability is a weakness in an asset that leaves it open to bad things happening to it. A couple of great examples of a vulnerability: what if you have a SOHO router but you never change the default username and password, so anybody can get into it? Or what if you have a server room that is unlocked and anybody can get in? Those are two examples of vulnerabilities, and they are something we have to watch out for.
Weakness that allows an asset to be exploited.
A threat is a negative event that exploits a vulnerability. Some great examples, keeping with what we were talking about before: if somebody actually goes in and accesses your SOHO router because they know the default username and password, that would be one. Somebody actually walking into the server room because there is no lock, and stealing a server: that is a threat. Or that one super-critical person suddenly quits at 5 o'clock on a Friday and we don't have anybody for Monday morning.
A threat is a discovered action that exploits a vulnerability’s potential to do harm to an asset.
A threat agent is whoever or whatever carries out a threat. Often that is a human being doing something, but a threat agent could also be, for example, a hurricane that blows down your offices. So always be sure to separate the idea of a threat from a threat agent. Now that we have a basic idea of all of these main pieces, I want to move on to the next two, which are important.
The first one is called likelihood. If we are going to talk about some particular threat, then we are going to ask: in the course of a year, what is the likelihood of that happening? We often express it as a percentage. Now there are two different ways to measure likelihood when we are talking about risk. The first is quantitative. Let's say I've got a Cisco router and this Cisco router has a power supply in it. There is a risk that that power supply might die in the course of a year. But luckily for us Cisco has decades of historical data that we can refer to and look at in terms of a percentage chance of it happening in any given year: what is the chance that I'm going to lose the power supply?
Impact is the actual harm caused by a threat. In order to have impact, a threat has to have actually hit you in some way. When we talk about impact we can look at it in a lot of different ways. First of all we can look at it quantitatively. For example, let's say some bad guy came in and knocked my router down, and now I don't have a router. Nobody in the office can get on the Internet and it's a problem. So we can measure that.
Impact is the harm caused by a threat.
For example, we can measure it by cost: how much is it going to cost to get somebody in here to get this router back up and running? That's one way. Another way would be labor: how much labor am I losing, how many man-hours am I losing as a result of this being down? Another would be time: how long is it going to take for somebody to get this router back up so we can get back to work? And as you can imagine these quantitative values are very much intertwined.
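To show how the pieces above fit together, here is a small risk register, added as an example and not part of the original lesson, that scores each of the scenarios from the text by annual likelihood times quantitative impact (cost, labor and time folded into one money figure) and then prioritizes them. Every number in it, including the hourly rate and revenue per hour, is a made-up assumption.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One line of a risk register: an asset, the weakness in it, and the threat that exploits it."""
    asset: str
    vulnerability: str
    threat: str
    likelihood: float       # chance the threat occurs in a given year, 0.0 - 1.0
    repair_cost: float      # money to get the asset back (cost)
    labor_hours: float      # staff hours spent recovering (labor)
    downtime_hours: float   # hours the asset is unavailable (time)

def impact(risk: Risk, hourly_rate: float, revenue_per_hour: float) -> float:
    """Quantitative impact: cost, labor and time combined into one money figure."""
    return (risk.repair_cost
            + risk.labor_hours * hourly_rate
            + risk.downtime_hours * revenue_per_hour)

def expected_annual_loss(risk: Risk, hourly_rate: float, revenue_per_hour: float) -> float:
    """Likelihood per year times impact gives the loss to expect in an average year."""
    return round(risk.likelihood * impact(risk, hourly_rate, revenue_per_hour), 2)

def prioritize(risks, hourly_rate, revenue_per_hour):
    """Highest expected annual loss first: the prioritization step of risk management."""
    return sorted(risks,
                  key=lambda r: expected_annual_loss(r, hourly_rate, revenue_per_hour),
                  reverse=True)

# Constructed sample register built from the scenarios in the text; all figures are invented.
SAMPLE_RISKS = [
    Risk("Cisco router", "power supply wears out", "power supply dies", 0.05, 400, 4, 8),
    Risk("SOHO router", "default username and password", "outsider logs in", 0.30, 0, 16, 24),
    Risk("Server room", "door is unlocked", "server is stolen", 0.02, 5000, 40, 48),
    Risk("Key employee", "only one person knows the job", "quits at 5pm Friday", 0.10, 0, 200, 0),
]
HOURLY_RATE = 50.0        # assumed cost of one staff hour
REVENUE_PER_HOUR = 500.0  # assumed revenue lost per hour of downtime

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS, HOURLY_RATE, REVENUE_PER_HOUR):
        loss = expected_annual_loss(r, HOURLY_RATE, REVENUE_PER_HOUR)
        print(f"{loss:>9.2f}  {r.asset}: {r.threat}")
```

Note how the ordering is driven by the product, not by either factor alone: the rarely-stolen server has the largest single impact, yet the default-credential router ranks first because its likelihood is so much higher.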