Risk analysis in the IT security space is often misunderstood. Many, if not most, security professionals do not really understand the concept and have no real idea how to apply it in their jobs. This is not necessarily a bad thing, as much of what is done in the name of 'risk analysis' is simply wasted effort. However, for those organizations that must conduct risk assessments to pacify regulators or show appropriate due diligence, a little clarity is required.
There are three basic methods that can be used to evaluate the security of an organization:
- Compliance Assessments
  - Are the controls that are prescribed to prevent unauthorized disclosure, modification, and interruption in place?
- Vulnerability Assessments
  - Are the controls that are in place working properly to prevent unauthorized disclosure, modification, and interruption?
- Risk Assessments
  - What controls are required to appropriately prevent unauthorized disclosure, modification, and interruption?
Many organizations understand method 2, but often confuse methods 1 and 3.
What is a risk?
The best definition I have ever heard is "A risk is the potential for something bad to happen."
However, many organizations conduct a "risk assessment" simply by comparing the controls in place to a list of prescribed controls and labeling every gap a risk. An analogy helps explain why that is a disconnect.
Car Insurance Analogy
Is the lack of car insurance a risk? According to the definition above, clearly not. Getting your car wrecked is an example of a bad thing that can happen (an Event), and there is clearly some potential for this with every car in the world. Not having car insurance simply increases the impact of the Event. Many other Conditions contribute to the impact of the Event, e.g. the price of the car, availability of repair parts, who is responsible for the damage, extent of the damage, etc. Other Conditions contribute to the likelihood of the Event, e.g. number of miles driven, frequency of driving, road congestion, road conditions, etc.
Evaluating the potential of a car wreck must involve analysis of (at least some of) these Conditions.
Most US States prescribe minimum coverages for car insurance. Here are the minimums for vehicle liability in Illinois:
- $20,000 - injury or death of one person in an accident
- $40,000 - injury or death of more than one person in an accident
- $15,000 - damage to property of another person
A compliance assessment can easily determine whether or not the insurance in place meets these requirements. It will not, however, tell us whether the insurance in place is appropriate given the Conditions identified. Obviously, these minimums do not cover damage to the insured vehicle itself, and the appropriateness of that coverage amount is directly tied to the value of the vehicle.
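To make the distinction between method 1 and method 3 concrete, here is an added example (not from the original post) that runs both assessments over the car-insurance analogy. The compliance check compares a policy's limits against the Illinois minimums quoted above. The risk estimate is one simple form of risk assessment that the post does not itself spell out: it is assumed here that risk can be expressed as expected annual uncovered loss, i.e. the likelihood of a wreck (derived from likelihood Conditions such as miles driven and an assumed wreck rate) multiplied by the impact (the part of each loss component the policy does not pay). All dollar figures, wreck rates and vehicle scenarios are constructed for illustration.

```python
from dataclasses import dataclass

# Illinois minimum vehicle liability coverages quoted above (dollars).
ILLINOIS_MINIMUMS = {
    "bodily_injury_per_person": 20_000,
    "bodily_injury_per_accident": 40_000,
    "property_damage": 15_000,
}

# Which policy coverage pays for each loss component of a wreck.
# "own_vehicle" is collision coverage, which the minimums do not prescribe.
COVERAGE_FOR_LOSS = {
    "bodily_injury": "bodily_injury_per_accident",
    "property_damage": "property_damage",
    "own_vehicle": "own_vehicle",
}


@dataclass
class Policy:
    """Controls in place: coverage name -> dollar limit (missing = no coverage)."""
    coverages: dict


@dataclass
class Scenario:
    """Conditions for one vehicle. All values are constructed for illustration."""
    miles_per_year: float            # likelihood Condition
    wrecks_per_million_miles: float  # likelihood Condition (assumed base rate)
    vehicle_value: float             # impact Condition
    bodily_injury_per_wreck: float   # impact Condition: expected injury cost to others
    property_damage_per_wreck: float # impact Condition: expected damage to others' property
    own_damage_fraction: float = 0.5 # impact Condition: share of vehicle value lost per wreck


def compliance_assessment(policy: Policy, prescribed: dict = ILLINOIS_MINIMUMS) -> list:
    """Method 1: are the prescribed controls in place? Returns the list of gaps."""
    gaps = []
    for name, minimum in prescribed.items():
        limit = policy.coverages.get(name, 0)
        if limit < minimum:
            gaps.append(f"{name}: have ${limit:,}, need ${minimum:,}")
    return gaps


def expected_wrecks_per_year(s: Scenario) -> float:
    """Likelihood of the Event, derived from the likelihood Conditions."""
    return s.miles_per_year * s.wrecks_per_million_miles / 1_000_000


def uncovered_loss_per_wreck(policy: Policy, s: Scenario) -> float:
    """Impact of the Event: the part of each loss component the policy does not pay."""
    losses = {
        "bodily_injury": s.bodily_injury_per_wreck,
        "property_damage": s.property_damage_per_wreck,
        "own_vehicle": s.vehicle_value * s.own_damage_fraction,
    }
    total = 0.0
    for component, amount in losses.items():
        limit = policy.coverages.get(COVERAGE_FOR_LOSS[component], 0)
        total += max(0.0, amount - limit)
    return total


def risk_assessment(policy: Policy, s: Scenario) -> float:
    """Method 3, in one simple form (an assumption of this example, not the post's):
    expected annual uncovered loss = likelihood x impact."""
    return expected_wrecks_per_year(s) * uncovered_loss_per_wreck(policy, s)


# A policy carrying exactly the Illinois minimums and no collision coverage.
MINIMUM_POLICY = Policy(dict(ILLINOIS_MINIMUMS))
# No insurance at all.
NO_POLICY = Policy({})

# Constructed: a $60,000 car commuting 30,000 miles a year on congested roads.
COMMUTER = Scenario(miles_per_year=30_000, wrecks_per_million_miles=4.0,
                    vehicle_value=60_000, bodily_injury_per_wreck=30_000,
                    property_damage_per_wreck=10_000)
# Constructed: a $3,000 second car driven 1,000 miles a year on quiet roads.
WEEKEND_CAR = Scenario(miles_per_year=1_000, wrecks_per_million_miles=2.0,
                       vehicle_value=3_000, bodily_injury_per_wreck=30_000,
                       property_damage_per_wreck=10_000)

if __name__ == "__main__":
    for label, policy, scenario in [("commuter, minimum policy", MINIMUM_POLICY, COMMUTER),
                                    ("weekend car, no policy", NO_POLICY, WEEKEND_CAR)]:
        gaps = compliance_assessment(policy)
        print(f"{label}: compliance gaps={len(gaps)}, "
              f"expected annual uncovered loss=${risk_assessment(policy, scenario):,.0f}")
```

The two methods disagree on which driver is in worse shape. The commuter's policy passes the compliance check with no gaps, yet the expected annual uncovered loss is $3,600 because an uninsured $60,000 car is the dominant impact Condition. The weekend car fails compliance on all three prescribed coverages (three "risks" by the gap-counting approach), yet its expected annual uncovered loss is about $83 because the likelihood Conditions are so favourable. A risk assessment has to take both sets of Conditions into account; a compliance assessment looks at neither.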