In Security Risk Management Body of Knowledge (John Wiley & Sons, 2009), Julian Talbot and Miles Jakeman define security risk as “any event that could result in the compromise of organizational assets.” They go on to note that “The unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities, constitutes a compromise of the asset.” This includes the risk of harm to people. And they add that compromise of organizational assets may adversely affect the enterprise, its business units and its clients.
You can calculate risk with this deceptively simple formula: Risk = (the amount of loss) X (the probability of loss). The amount of loss is equal to your recovery cost. The probability of loss is the likelihood that loss occurs. You’ll want to calculate risk value in currency, like dollars. You can use that amount to justify the cost of securing your assets. While the formula is simple, determining which numbers to plug into it can be a challenge. The amount you spend protecting your assets should be proportional to the calculated risk. This forms a basis for how much you should budget for IT security.
Assets are the valuable things your company owns that need protection. The types of assets we’re most interested in are those that can be directly or indirectly impacted by an attack on information technology resources. These include:
Other concerns that are less likely to result from information technology attacks include loss or damage to:
The impacts or consequences represent the cost or amount of a loss resulting from a specific event. The loss from an attack or business failure is the sum of the costs for all the consequences. Let’s look at the potential consequences linked to the loss or compromise of specific assets.
We define these consequences as the loss or reduction of the business’s ability to generate operational revenue. They can include: the inability to conduct business, damage to business, reduction of business including loss of sales without a corresponding loss of capabilities, loss of revenue or income resulting from breakage, theft, cyber-theft or ransomware situations, or increase of costs without a corresponding ability to adjust prices.
We define probability as the likelihood of an event that will cause compromise or loss of an asset. It’s usually measured as a percentage: 100% means the event will definitely occur; 0% indicates it will never happen. Probability is also constrained by a measure of time.
One way to determine probability is to examine how often businesses in any given industry experience a similar harmful event. For example, based on data from previous years, we might say that any hotel company has a 5% chance of being hit by a ransomware attack sometime in the next two years.
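The arithmetic above is easy to get wrong once a register holds several events with probabilities stated over different time windows, so here is a small risk-register calculator as an added example (not code from the article or its author). It applies the article's formula, Risk = (amount of loss) × (probability of loss), sums each event's consequence costs to get the recovery cost, and converts a probability stated over N years (such as the 5%-in-two-years figure above) to a per-year figure so events can be compared. The per-year conversion assumes each year is an independent trial; the `justified_spend` function, which caps what a control is worth at the risk it removes, is this example's reading of "spend proportional to the risk" rather than a formula from the article. All asset names, dollar figures and probabilities are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    """One loss event in the risk register."""
    name: str
    consequences: Dict[str, float]  # consequence -> recovery cost in dollars
    probability: float              # chance the event occurs within horizon_years
    horizon_years: float = 1.0      # time window the probability was stated for

    def loss(self) -> float:
        """Amount of loss = recovery cost = sum of every consequence's cost."""
        return sum(self.consequences.values())

    def annual_probability(self) -> float:
        """Convert 'p within N years' to a per-year probability.

        Assumes each year is an independent trial with the same chance, so
        P(at least one event in N years) = 1 - (1 - p_year)^N; solve for p_year.
        """
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        return 1.0 - (1.0 - self.probability) ** (1.0 / self.horizon_years)

    def annual_risk(self) -> float:
        """Risk = amount of loss x probability of loss, in dollars per year."""
        return self.loss() * self.annual_probability()


def rank_risks(register: List[Scenario]) -> List[Scenario]:
    """Highest annual risk first: the order in which to fund mitigations."""
    return sorted(register, key=lambda s: s.annual_risk(), reverse=True)


def total_annual_risk(register: List[Scenario]) -> float:
    """Sum of annual risk across the register: a ceiling for the security budget."""
    return sum(s.annual_risk() for s in register)


def justified_spend(scenario: Scenario, residual_probability: float) -> float:
    """Upper bound on the yearly cost of a control that lowers the event's
    probability (over the same horizon) to residual_probability.

    Spending more than the risk the control removes is spending out of
    proportion to the risk.
    """
    mitigated = Scenario(scenario.name, scenario.consequences,
                         residual_probability, scenario.horizon_years)
    return scenario.annual_risk() - mitigated.annual_risk()


# Constructed register for a hypothetical hotel company (illustrative figures only).
REGISTER = [
    Scenario("Ransomware on property management system",
             {"forensics and rebuild": 250_000,
              "lost room revenue during outage": 150_000},
             probability=0.05, horizon_years=2),      # 5% chance in the next two years
    Scenario("Card data breach at point of sale",
             {"PCI fines and assessments": 100_000,
              "forensic investigation": 50_000,
              "guest notification": 25_000},
             probability=0.01),                        # 1% per year
    Scenario("Guest Wi-Fi outage (equipment failure)",
             {"credits and comps": 20_000},
             probability=0.30),                        # 30% per year
]

if __name__ == "__main__":
    for s in rank_risks(REGISTER):
        print(f"{s.name:45s} loss ${s.loss():>10,.0f}  "
              f"p/yr {s.annual_probability():6.2%}  risk ${s.annual_risk():>9,.0f}/yr")
    print(f"total annual risk: ${total_annual_risk(REGISTER):,.0f}")
    # A patching program assumed to cut the two-year ransomware chance from 5% to 1%.
    print(f"justified yearly spend on patching: ${justified_spend(REGISTER[0], 0.01):,.0f}")
```

Running it ranks the ransomware scenario first even though its stated probability looks small, because its recovery cost dominates; the Wi-Fi outage, far more likely, carries less annual risk. The per-year normalization matters: treating "5% in two years" as 5% per year would overstate that risk by nearly double.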
Another way to determine an event’s probability is to develop an understanding of the actors, threats and vulnerabilities. An actor (or threat actor) is the party initiating the event. Normally they have some form of motivation that causes them to want to attack.
The threat attack vector, or threat path, is the means they use to carry out their attack. Each threat represents another way a system can be attacked or compromised. Think of a burglar trying to enter your home. Threat vectors might include picking the lock on a door, kicking a door down or breaking through a window.
Vulnerabilities are weaknesses that actors can exploit. A burglar may look at several houses in the neighborhood and decide to use lock picking as their attack vector. They select houses with locks that are easiest to pick. The burglar is the threat agent. The vulnerability is the locks that are easy to pick.
Once you’re aware of a vulnerability (like, say, missing security patches) and you know how often this vulnerability is being used as an attack vector, you can make a reasonable guess at the probability of being attacked.
A best practice, and a Payment Card Industry (PCI) Security Standards Council requirement, is to perform an annual risk assessment. You should also complete one any time you add a new system. Risk assessment should be a core piece of any security architecture work.
Once you’ve done the assessment, figure out how much, in dollars and other terms, you stand to lose in an attack. Remember: How much you spend on security should be proportional to the risk. After all, the Hope diamond isn’t stored in a cardboard box.
JOHN BELL IS THE PRINCIPAL CONSULTANT FOR AJONTECH LLC, A COMPANY OFFERING IT ARCHITECTURE SERVICES FOR THE HOSPITALITY INDUSTRY. HE CAN BE REACHED AT JTBELL@AJONTECH.COM