With few exceptions, whether related to financial, physical, or technological resources, different types of risk can be calculated using the same universal formula. Risk can be defined by the following calculation:
Risk = asset value × threat × vulnerability
As you can see with the preceding equation, there are three elements of risk: asset value, threat, and vulnerability. Estimating these elements correctly is critical to assessing risk accurately.
Normally represented as a monetary value, assets can be defined as anything of worth to an organization that can be damaged, compromised, or destroyed by an accidental or deliberate action. In reality, an asset's worth is rarely the simple cost of replacement; therefore, to get an accurate measure of risk, an asset should be valued taking into account the bottom-line cost of its compromise. For example, a breach of personal information may not cause a monetary loss at first glance, but if it actually were realized, it likely would result in legal action, damage to the company's reputation, and regulatory penalties. These consequences potentially would cause a significant financial loss. In this case, the asset-value portion of the equation would represent the personal information. The calculated value of the personal information would include an estimate of the cumulative dollar cost of the legal action, reputation damage, and regulatory penalties.
A threat can be defined as a potential event that, if realized, would cause an undesirable impact. The undesirable impact can come in many forms, but often results in a financial loss. A threat is expressed as a single number, but two factors play into it: degree of loss and likelihood of occurrence. The exposure factor (EF) represents the degree of loss. It is simply an estimate of the percentage of asset value lost if the threat is realized. For example, if we estimate that a fire will cause a 70 percent loss of asset value if it occurs, the exposure factor is 70 percent, or 0.7. The annual rate of occurrence (ARO), on the other hand, represents the expected number of times a given threat would be realized in a single year in the complete absence of controls. For example, if we estimate that a fire will occur once every 3 years, the annual rate of occurrence would be one-third, or 0.33. Note that the ARO is a rate, not a probability: a threat expected more than once a year has an ARO greater than 1, as in the examples later in this chapter. A threat value, therefore, is calculated by multiplying the exposure factor by the annual rate of occurrence. Given the preceding example, the threat of fire would result in a value of 0.7 × 0.33 = 0.231, or 23.1 percent.
Vulnerabilities can be defined as the absence or weakness of the cumulative controls protecting a particular asset. Vulnerabilities are estimated as percentages based on the level of control weakness. We can calculate control deficiency (CD) by subtracting the effectiveness of the controls from 1, or 100 percent. For example, we may determine that our industrial espionage controls are 70 percent effective, so 100 percent - 70 percent = 30 percent (CD). This vulnerability would be represented as 30 percent, or 0.3.
Most of the time, more than one control is employed to protect an asset, and the control deficiency should reflect the combined effectiveness of all of them rather than the strength of any one control in isolation. For example, we may have identified the threat of an employee stealing trade secrets and selling them to the competition. To counter this threat, we implement an information classification policy, monitor outgoing e-mail, and prohibit the use of portable storage devices; the CD used in the risk calculation is the residual weakness left after all three controls are taken into account.
Now that we've defined how to analyze risk, we can begin to put it into practice. Below are a couple of examples of how this equation is relevant in IT as well as other areas.
The U.S. government regards a command and control center at a military installation in the Middle East to be critical to its ability to operate in the region. If this facility is destroyed, it likely will cause loss of life (both in the facility and in the field), damage to the facility itself, and a setback to military objectives.
In this example, the asset is the command and control center. The actual value of the command and control center includes the lives of the soldiers that would be affected, the command and control facility itself, and the military objectives that would go unmet in the event of its loss. The experts estimate that the cumulative cost of a loss of the command and control center would be $500 million (not that you can put a dollar figure on a soldier's life). We have identified the threat of a bomb attack on the facility and estimate that a successful attack would cause an 85 percent loss. The experts say that this type of attack would be attempted once per week, or 52 times annually, if no controls were in place to prevent it. The command and control center has several safeguards, such as physical barriers, perimeter alarm systems, military police patrols, and 3,500 additional soldiers on base protecting it. As a result, we estimate that the controls are 99.9 percent effective, or 0.1 percent deficient. With this information, we can calculate the monetary value of the risk of a bomb attack on the command and control center to be $500 million [asset value] × 0.85 loss (EF) × 52 attempts per year (ARO) [threat] × 0.001 control deficiency (CD) [vulnerability] = $22,100,000 per year [risk].
To take this exercise a step further, we can justify a total investment of up to $22.1 million per year to protect the command and control center, since the risk figure is an annual expected loss. The exact amount that we can justify will depend entirely on the dollars already spent to mitigate this risk and the projected level of risk reduction for the selected control. We are aiming for maximum risk mitigation by reducing the vulnerability part of the risk equation. We will get into more detail on choosing controls later in this chapter.
The IT audit director at a national retailer has determined that the legal climate is changing in relation to the credit-card information with which the company is entrusted. Until now, the company had not considered the risk of a disclosure of its customers' personal or credit-card-specific information.
After interviewing public relations, legal, and finance stakeholders, the IT audit director estimates the cost of a single breach to be approximately $30 million in lost revenues, legal costs, and regulatory consequences. So we now know that the asset is personal credit-card and associated financial information and that its value to the company is $30 million. Since there have been several breaches in the news recently that involved hacking, the audit director decides to explore this threat. In a conversation with the information security director, the audit director learns that the company is under constant attack, although most of the attacks are nothing more than probes for vulnerabilities. The information security director estimates that there is about one actual attack per week and that a compromise of the credit-card processing system would result in a complete asset loss. He also estimates that current controls are 99.99 percent effective but that if the company does not invest in additional controls, a successful breach is imminent. Given this information, we can calculate the risk of an external security breach to be $30 million [asset value] × 1.0 loss (EF) × 52 hacking attempts per year (ARO) [threat] × 0.01 percent, or 0.0001, control deficiency (CD) [vulnerability] = $156,000 per year [risk].
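The following Python module, added here as an illustration and not part of the original text, encodes the risk formula exactly as this chapter defines it (threat = EF × ARO, vulnerability = 1 − control effectiveness, risk = asset value × threat × vulnerability) and runs the three worked scenarios above: the fire threat, the command and control center, and the retailer's credit-card data. The figures are the chapter's own; the 0.001 control deficiency for the command center is the value that produces the $22,100,000 result. The `risk_sensitivity` helper is an addition that shows how a one-decimal slip in the control-deficiency estimate (0.001 versus 0.0001) moves the bottom-line figure by a factor of ten, which is the kind of error the "inaccuracies" discussion later in this chapter warns about.

```python
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, using the chapter's two threat factors.

    exposure_factor: fraction of asset value lost if the threat is realized (EF, 0..1).
    annual_rate:     expected realizations per year with no controls in place (ARO).
                     This is a rate, not a probability, so it may exceed 1.0
                     (52 attempts per year in the chapter's examples).
    """
    name: str
    exposure_factor: float
    annual_rate: float

    def value(self) -> float:
        """Threat value = EF x ARO."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.annual_rate < 0.0:
            raise ValueError("annual rate of occurrence cannot be negative")
        return self.exposure_factor * self.annual_rate


def control_deficiency(effectiveness: float) -> float:
    """Vulnerability (CD) = 1 - effectiveness of the cumulative controls.

    `effectiveness` is the combined effectiveness of every control protecting
    the asset, expressed as a fraction (0.70 for 70 percent effective).
    """
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    return 1.0 - effectiveness


def annual_risk(asset_value: float, threat: Threat, effectiveness: float) -> float:
    """Risk = asset value x threat x vulnerability, in dollars per year.

    Because ARO is an annual rate, the result is an annual expected loss and is
    also the ceiling the chapter uses for a justified yearly control investment.
    """
    if asset_value < 0.0:
        raise ValueError("asset value cannot be negative")
    return asset_value * threat.value() * control_deficiency(effectiveness)


def risk_sensitivity(asset_value: float, threat: Threat,
                     effectiveness_values: Iterable[float]) -> Dict[float, float]:
    """Recompute risk for several control-effectiveness estimates.

    Added helper: the risk figure scales linearly with CD, so an estimate of
    99.9 percent versus 99.99 percent effective changes the answer tenfold.
    """
    return {e: annual_risk(asset_value, threat, e) for e in effectiveness_values}


# The chapter's scenarios (values taken from the text, not measured data).
FIRE = Threat("fire", exposure_factor=0.70, annual_rate=1 / 3)
COMMAND_CENTER_VALUE = 500_000_000
COMMAND_CENTER_BOMB = Threat("bomb attack", exposure_factor=0.85, annual_rate=52)
COMMAND_CENTER_EFFECTIVENESS = 0.999      # CD of 0.001, as in the $22.1M calculation
RETAILER_VALUE = 30_000_000
RETAILER_HACK = Threat("external compromise", exposure_factor=1.0, annual_rate=52)
RETAILER_EFFECTIVENESS = 0.9999           # CD of 0.0001, as in the $156,000 calculation


def command_center_risk() -> float:
    return annual_risk(COMMAND_CENTER_VALUE, COMMAND_CENTER_BOMB, COMMAND_CENTER_EFFECTIVENESS)


def retailer_risk() -> float:
    return annual_risk(RETAILER_VALUE, RETAILER_HACK, RETAILER_EFFECTIVENESS)


if __name__ == "__main__":
    print(f"fire threat value: {FIRE.value():.3f}")
    print(f"command center risk: ${command_center_risk():,.0f} per year")
    print(f"retailer breach risk: ${retailer_risk():,.0f} per year")
    for eff, risk in risk_sensitivity(COMMAND_CENTER_VALUE, COMMAND_CENTER_BOMB,
                                      [0.99, 0.999, 0.9999]).items():
        print(f"  controls {eff:.2%} effective -> ${risk:,.0f} per year")
```

Run it as a script to print the three figures; the sensitivity loop at the end shows why the effectiveness estimate in the vulnerability term deserves the most scrutiny of any input in the equation.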
Okay, we know what you're thinking: "This is all pie in the sky. In the real world, there is barely enough time to perform essential job duties, let alone spend a lot of time calculating risk. Though these calculations are great theory, I don't have the time to apply them to every threat. In fact, who has time to identify every threat?" Well, the truth is that it is impractical to perform these calculations for every threat, although you should do your best to identify all the threats that your organization faces.
If you haven't tried to identify your organization's current threats, it may be worthwhile to do so. From there, identifying new threats can be a daily mental exercise. As business or technology changes, you should be asking, "What new threats does this change introduce?" If realized, how would these threats affect your business? When you identify significant threats and want to make a business justification for purchasing additional controls, then you can use the preceding calculations to support your case.
Most risk analyses attempted today result in bottom-line estimates that are way off the mark. Unfortunately, when organizational management loses faith in the risk information that is presented to it, it tends to dismiss a disproportionate number of requests for risk-mitigation investments. Management is interested in investing limited resources in areas that either will make the organization money or will save the organization money. This is why it is so important to present a solid analysis of risk whenever approaching management for additional resources. Below are the most common causes of risk-analysis inaccuracies.
The most common cause of inaccuracies in the risk-analysis process is the failure to identify assets, threats, and vulnerabilities. This is mostly due to the fact that most organizations do not use a formal risk-management process and practitioners have not been trained to analyze risk. As we pointed out earlier, it can be especially difficult to identify threats and vulnerabilities because they are dynamic in nature. For example, we know that new variants of viruses, worms, and other forms of malware are introduced daily. Additionally, new computer-related vulnerabilities are discovered almost daily. Although identifying threats and vulnerabilities can be difficult, there are resources that can help, such as information security alerts from CERT, Bugtraq, and other free and subscription-based security vulnerability notification services. IT auditors also can examine security incidents when they are publicized to learn how such violations occur. One Internet web resource that consolidates and chronicles information about security incidents is http://www.privacyrights.org/ar/ChronDataBreaches.htm. We will discuss proven methods for identifying assets, threats, and vulnerabilities later in this chapter.
In February 2005, Bank of America made national headlines by losing the personal information of 1.2 million customers while shipping backup tapes through a common carrier. Two months later, in April, the incident was virtually repeated when Ameritrade lost the personal information of 200,000 customers during the shipment of backup tapes through a common carrier. Yet again, in June 2005, CitiFinancial lost the personal information of 3.9 million customers while shipping backup tapes through UPS. Although the Bank of America incident made national headlines, Ameritrade and CitiFinancial apparently failed to identify the threat of tapes being lost by a common carrier and implement the necessary controls to prevent unauthorized disclosure of customers' private information. As you can see, it is important to monitor the headlines to identify emerging threats, not to mention keep your organization's name off the privacyrights.org list.
Unfortunately, there is a fair amount of estimation involved in analyzing risk, which makes it an inexact science. Many errors can be attributed to this fact.
Assets The traditional approach to risk analysis does not take into account the costs resulting from a compromise outside of the loss to the asset itself. As we saw in the preceding examples, the cost of a compromise rarely stops at the asset book value. Therefore, it is important to include the consequential losses as well as the actual loss in asset value. Including these costs will increase the accuracy of your risk assessment.
Threats Unlike assets or vulnerabilities, which are cumulative, the threat element of the risk equation must always represent a single threat. In the IT risk scenario discussed earlier, the threat was external hacking attempts. Lumping that threat together with a different one, such as employees abusing their access privileges to steal and sell credit-card information, would produce an inaccurate calculation of risk; each threat has its own exposure factor and annual rate of occurrence and should be calculated separately.
Another common error is failing to estimate and incorporate the exposure factor into the threat value. Omitting it implicitly assumes a complete loss of the asset every time the threat is realized, which inflates the risk value. In order to calculate an accurate threat value, both the exposure factor and the annual rate of occurrence must be included.
Vulnerabilities As we discussed earlier, vulnerability is the absence of or weaknesses in cumulative controls. Therefore, in order to identify a vulnerability, we must understand the strength of the controls. Risk-analysis errors are made often because the strength of a control is not evaluated properly or compensating controls are not taken into account.