Friday 10 April 2015

The Very Basics of Information Security Risk Management


We all use the word “RISK” every day in many discussions, both personal and professional: with family and friends, with doctors and lawyers, with builders and stock brokers, and with everyone else.

Have we understood the word “RISK”?
Reply: I…. Think…. Yesss.

RISK is an integral part of EVERY ACTION we take in our LIFE. An action could be anything: walking on the street, driving to the office, having dinner at a five-star restaurant, buying an object, switching to a new job, and so on. Everything we do during a day is an ACTION.

There is a “RISK OF ACCIDENT” while walking on the street or driving a car. There is a “RISK OF THEFT/LOSS” while buying any object. There is a “RISK OF DISEASE/FOOD POISONING” while having dinner at a restaurant.

From an INFORMATION SECURITY context, there is a “RISK OF LOSS OF CUSTOMERS” if security requirements are violated by the organization. In fact, in today’s age this is not only about LOSS OF CUSTOMERS; it may also come with bigger consequences such as the “RISK OF LOSS OF REPUTATION” due to non-compliance with contractual, legal or regulatory requirements. This could become even worse in the case of large legal liability under legal and regulatory requirements, which could result in heavy financial penalties and may lead to going “OUT OF BUSINESS”.

So tell me, what is RISK?
“RISK” is a function of IMPACT and LIKELIHOOD OF OCCURRENCE.

Every ACTION has a POSITIVE or NEGATIVE IMPACT. Since we are talking about “RISK”, let’s think of the negative outcome of an ACTION. Think of the worst that could happen to the BUSINESS. Think what the magnitude of the IMPACT could be in terms of MONETARY LOSS or REPUTATION LOSS.

Unless we consider the likelihood factor, the magnitude of IMPACT will always stay on the HIGHER side, so it may not reflect the accurate RISK POSTURE. Further, without factoring in the likelihood of occurrence, a “COST-EFFECTIVE” risk treatment plan is difficult to arrive at.

But I have already implemented controls to reduce both IMPACT and LIKELIHOOD OF OCCURRENCE.
Reply: Great. These controls are implemented against VULNERABILITIES.

A VULNERABILITY is a weakness associated with an information system. Examples are “Improper Firewall Configuration”, “Unsecured Ports are OPEN”, “No Periodic Review of Access Rules”, etc.

IN MOST CASES, the primary reason for a successful attack is the existence of such VULNERABILITIES or WEAKNESSES.

Now, how would you prevent such an attack?
Response: Work on the weaknesses.

In an ideal Information Security Risk Management process, RISK is measured after considering existing VULNERABILITIES and the existing IMPLEMENTED CONTROLS.
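As an added example, not code from the post: a small Python risk register that scores each of the weaknesses named above as IMPACT multiplied by LIKELIHOOD, then applies the implemented controls to obtain the residual risk and orders the register so treatment effort goes to the highest residual risk first. The 1-5 scales, the band thresholds, the control reductions and the sample register are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
# Qualitative 1-5 scales, constructed for this example; an organization defines its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps down the likelihood scale
    impact_reduction: int = 0      # steps down the impact scale

@dataclass
class Vulnerability:
    name: str
    likelihood: str                # before controls, key into LIKELIHOOD
    impact: str                    # before controls, key into IMPACT
    controls: list = field(default_factory=list)

def risk_score(likelihood: int, impact: int) -> int:
    """RISK as a function of IMPACT and LIKELIHOOD: the product on a 5x5 matrix."""
    return likelihood * impact

def risk_level(score: int) -> str:
    """Band the score; the thresholds 8 and 15 are an assumption of this example."""
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"

def assess(vulns: list) -> list:
    """Risk register ordered by residual risk, so treatment effort goes where it counts."""
    rows = []
    for v in vulns:
        lik, imp = LIKELIHOOD[v.likelihood], IMPACT[v.impact]
        inherent = risk_score(lik, imp)
        for c in v.controls:  # existing controls; a factor never drops below its scale floor
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        residual = risk_score(lik, imp)
        rows.append({"vulnerability": v.name, "inherent": inherent,
                     "residual": residual, "level": risk_level(residual)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

SAMPLE = [  # constructed register built from the weaknesses the post names
    Vulnerability("Improper firewall configuration", "likely", "major",
                  [Control("Periodic firewall rule review", likelihood_reduction=2)]),
    Vulnerability("Unsecured ports are open", "almost certain", "major"),
    Vulnerability("No periodic review of access rules", "possible", "moderate",
                  [Control("Access recertification", 1, 1)]),
]
```

Calling `assess(SAMPLE)` ranks the open ports first (residual 20, no control in place) even though the firewall weakness has a comparable inherent score, because its existing review control has already brought the likelihood down.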

There are many Information Security Risk Management methodologies available. An organization can choose the one best suited to it based on its requirements, level of complexity, capability to perform risk management and organizational structure.


6 comments:

  1. It's useful and interesting knowledge for a basic level... :)

    1. Thank you Chavan,
      Visit my other blogs on "Making effective IS Policy", "Effectiveness Measurement" and "Information Security in Project Management"
