Upplýsingaöryggi - InfoSec

Risk management

Risk management, resilience, risk assessment

Many people are surely wondering how well their operations (or homes) are prepared for the various disasters that could occur.  The author has been involved in risk assessment for close to 30 years for organisations around Europe though mostly in Iceland. He wants to share his experience here, although in this case only a rough overview is given.

(Apology that this article is published on the website betriakvordun.is, but the page secprico.is is still under design but will be available in the next few months.)

A few basic questions are relevant:

•           What to protect?

•           What to protect against?

•           What are the likely impact of an event?

•           What is the worst impact of an event?

•           What is the probability of an event?

•           What can be done to prevent an event?

•           How can you respond to an event?

Each will be examined in more detail below.

What to protect?

The foundation of all risk management is understanding what it is that needs protection. This is generally referred to as assets, and in the security management standards that word is used. It doesn't matter what form the asset takes or whether or not a financial value can be placed on it. Assets can be something tangible or intangible. Tangible assets include infrastructure, people, equipment, housing, etc. Intangible assets are all kinds of electronic information assets, reputation, goodwill, services, etc. A list of assets is therefore generally the first document that is compiled when preparing a risk assessment.

What to protect against?

The word threat is usually used for what needs to be protected against, also danger or woe. Threat is used here. Threats can be diverse, and the person who carries out a risk assessment must either have a fertile imagination or have access to experts with good knowledge, each in their own field. Each threat can appear in diverse forms, with different effects and consequences. However, most threats from the physical world have in common that they materialize very rarely and even never in the lifetime of the person performing the risk assessment, while those related to the electronic world can hit information assets every second. Threats therefore have different effects, probability of occurrence and different recurrence times. But for a threat to have an effect, it must have the potential to do so. There must be vulnerabilities that allow the threat to have the harmful effects that are being assessed. Two things are important to understand in this context. Another thing is that if there are no threats, there is nothing to defend against. The other is that if there are no vulnerabilities that the threats can take advantage of, there will be no harm, even if a threat actually occurs. The author believes that when threats are examined, priority should be given to examining on the one hand those that are most likely and on the other hand those that can cause the most damage, regardless of how likely they are to occur. Here again, a distinction must be made between the physical world and the logical world.

What are the likely impact of an event?

It is very different what the effect will be if a threat actually occurs. It can depend on the location, the time of day, week, month or year, the importance of the underlying assets and the protections already in place. However, the author believes that when making a risk assessment, risks without defenses should be assessed first, because the risk assessment should be able to support the measures implemented. Properly implemented risk management addresses all risks and leaves no unacceptable risk without first attempting to mitigate it with measures. Such measures can be the strengthening of protection, transfer of risk (e.g. outsourcing of operations or purchase of insurance) or avoidance of it. If it has not been found possible to reduce the risk to an acceptable level, then the owner/custodian of the relevant asset (or risk if that approach is used) must accept the redundant risk.

What is the worst impact of an event?

The impact of events can vary, but it is important to define the worst-case outcome. Not because it's necessarily the most likely outcome, but because it could happen. However, it must be limited to what can realistically happen within the time frame of the risk assessment. E.g. if the time frame is limited to 10 years, then the probable worst events are generally quite different and milder, than if you are looking at 50 years, 100 or 200. Then it is unlikely that a organisation’s risk assessment made on any given day will exceed 100 years, if only because technological progress is unknown. Local authorities may want risk assessments for residential areas to extend further into the future. There is no need to go further ahead in time than the worst possible event. If the worst possible event associated with a threat is likely to occur in the next 10 years, there is no reason to consider less severe events that could occur 100 years later.

However, the future is unpredictable and the worst possible event, predicted within 300 years, could happen in the next day, month or year. If there are indications that such an event could be shorter than previously thought, the risk assessment, the responses and the defenses must of course be reviewed.

What is the probability of an event?

Events have very different probabilities and in fact it is not wise to use the same severity scale for the frequency of all events. A banking system is attacked every day, most of which are brought down by the protections that have been installed. There is therefore a high probability every hour of such attacks and a considerable probability of their success. Privacy breaches will most likely happen every week in the banking systems too (if I'll continue to use banks as an example). Thus, there is a high probability of privacy breaches every week. However, this probability is on a different probability scale than the cyber-attacks. Therefore, we cannot use the same scale for both events, but we want to weigh them equally, as we do not want to reduce the severity of the privacy breaches because some other event happens more often. The difference between different probability scales becomes even more apparent when we start talking about natural hazards. Unusual weather is most likely, but it still only happens a few times a year. Floods occur several times a century. Major earthquakes every 50 years. Volcanic eruptions occur every 800-1000 years.  (Well depending on where you live.)

How then should we handle the risk of these possible events? In what order should we do it? In this case, it is assumed that each event can have a big impact, each in its own way. Risk management must be able to handle this, but the method of prioritization is up to each organisation.

What can be done to prevent an event?

Risk treatment can be done in three ways: Prevention, transfer or avoidance. Prevention can consist of implementing technical or organizational measures. It can also include spreading the risk by having multiple locations. The transfer is moving the risk elsewhere, e.g. with the outsourcing of activities with risk, or buying insurance, so that if there is a loss, the organisation concerned will be compensated for the loss. The risk can be avoided e.g. with changed methods or moving the activity to an area not under the influence of the danger.

It is possible that none of this will bring the risk down to an acceptable level according to the organisation's definition of what is considered acceptable. It is therefore necessary to have plans for business continuity, incident response plans, emergency plans and disaster recovery plans. Although such plans do not exist for all versions of all possible events, knowledge is built up about the responses that can be transferred to other events.

How can you respond to an event?

If incident response plans and emergency plans are documented, they are the first thing to look at. Emergency plans are generally used when people's lives and health are at risk. They include the evacuation of housing and land. Often, during the preparation of emergency plans, it has been discovered that evacuation routes are not available, they are unsafe, closed, used as storage areas or are most likely not usable in the most common cases of evacuation. Therefore, an important part of making an emergency plan is to ensure that evacuation routes are available and usable. It has been repeatedly reported that people were killed in fires at entertainment venues because the emergency exits were closed with chains.

Incident response plans are for emergency management and incident response teams to follow. There is documented information on response by severity of incident, call lists, response and emergency levels, field management, and more. It makes all response work easier that incident response plans have been prepared, although they were not specifically prepared for the situations that arose. If the structure of an incident response plan is good, it is usually easy to transfer it to different situations.

About the author

The author of the document is Marinó G. Njálsson, a consultant in the field of risk management, information security and privacy. Marinó was the security manager at deCODE Genetic from 1997-2000 and has since worked as a consultant. He has been an information security and privacy consultant for many large companies both in Iceland and around Europe. In Iceland, at VÍS, Landsbanki Íslands, covering all the country's pension funds, for the Ministry of Justice and the National Police Commissioner due to the Schengen information system, Valitor (now Rapyd), covering all elementary schools in the country, covering all kindergartens in the country and with the Commissioner of Police in the capital area. Outside Iceland at APMM (Denmark), Nokia (Finland), BMW for ISO/IEC 27001, TISAX and personal protection (Germany) and Økonomistyrelsen for privacy (Denmark), to name a few. In a recent auditor’s review it was stated about the authors risk management approach:  „The risk assessment framework is very well documented and the approach is among the most mature the auditor has seen.“ 

For more information please send email to security@internet.is or Marino G. Njalsson á LinkedIn

Back to English front page