In Security Risk Management Body of Knowledge ( John Wiley & Sons, 2009), Julian Talbot and Miles Jakeman define security risk as “any event that could result in the compromise of organizational assets.” They go on to note that “The unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities, constitutes a compromise of the asset.” This includes the risk of harm to people. And they add that compromise of organizational assets may adversely affect the enterprise, its business units and its clients.

HOW TO DETERMINE RISK

You can calculate risk with this deceptively simple formula: Risk = (the amount of loss) X (the probability of loss). The amount of loss is equal to your recovery cost. The probability of loss is the likelihood that loss occurs. You’ll want to calculate risk value in currency, like dollars. You can use that amount to justify the cost of securing your assets. While the formula is simple, determining which numbers to plug into it can be a challenge. The amount you spend protecting your assets should be proportional to the calculated risk. This forms a basis for how much you should budget for IT security.

ASSETS, IMPACTS AND THE AMOUNT OF LOSS

Assets are the valuable things your company owns that need protection. The types of assets we’re most interested in are those that can be directly or indirectly impacted by an attack on information technology resources. These include:

• Business viability, including a loss or reduction in your revenue generating ability.
• Financial resources, including money, capital, business value and creditworthiness.
• Information resources, like data and applications used by your company, plus your customers and partners.
• IT infrastructure resources including operation and control of network equipment such as routers, switches and firewalls or shared devices on the network like cameras, printers and servers.
• Reputation or goodwill – this goes beyond assets to describe a company’s standing in the community or industry it serves.

Other concerns that are less likely to result from information technology attacks include loss or damage to:

• Facilities
• The physical property of others
• Employees,’ guests’ or visitors’ health and safety.
  

CALCULATING THE IMPACTS OF LOSS

The impacts or consequences represent the cost or amount of a loss resulting from a specific event. The loss from an attack or business failure is the sum of the costs for all the consequences. Let’s look at the potential consequences linked to the loss or compromise of specific assets.

BUSINESS IMPACTS

We define these consequences as the loss or reduction of the businesses’ ability to generate operational revenue. They can include: the inability to conduct business, damage to business, deduction of business including loss of sales without a corresponding loss of capabilities, loss of revenue or income resulting from breakage, theft, cyber-theft or ransomware situations, or increase of costs without a corresponding ability to adjust prices.

• Financial Impacts: These non-revenue costs can result from fines, remunerations and the price of raising capital.
• Reputation and Competitiveness Impacts: These refer to adverse effects on a company’s value that aren’t tied to its assets.
• Human Resources Impacts: Impacts on the labor force can increase the company’s costs without boosting productivity. This includes higher employee turnover and lower morale.
• Health and Safety Consequences: You must address these to protect the health and safety of guests, customers, partners, associates and employees. These costs are typically related to reimbursement for sickness and injury and fines or penalties reflecting failure to address the potential causes.

PROBABILITY: ATTACKS, THREATS AND VULNERABILITIES

We defined probability as the likelihood of an event that will cause compromise or loss of an asset. It’s usually measured as a percentage: 100% means the event will definitely occur; 0% indicates it will never happen. Probability is also constrained by a measure of time.

One way to determine probability is to examine how often businesses in any given industry experience a similar harmful event. For example, based on data from previous years, we might say that any hotel company has a 5% chance of being hit by a ransomware attack sometime in the next two years.

ACTORS AND ATTACK VECTORS

Another way to determine an event’s probability is to develop an understanding of the actors, threats and vulnerabilities. An actor (or threat actor) is the party initiating the event. Normally they have some form of motivation that causes them to want to attack.

The threat attack vector, or threat path, is the means they use to carry out their attack. Each threat represents another way a system can be attacked or compromised. Think of a burglar trying to enter your home. Threat vectors might include picking the lock on a door, kicking a door down or breaking through a window.

THREAT VULNERABILITIES

Vulnerabilities are weaknesses that actors can exploit. A burglar may look at several houses in the neighborhood and decide to use lock picking as their attack vector. They select houses with locks that are easiest to pick. The burglar is the threat agent. The vulnerability is the locks that are easy to pick.

Once you’re aware of a vulnerability – like, say, unpatched security updates —and you know how often this vulnerability is being used as an attack vector, you can make a reasonable guess at the probability of being attacked.

LOSS PREVENTION

A best practice — and a Payment Card Industry (PCI) Security Standards Council requirement —is to perform an annual risk assessment. You should also complete one any time you add a new system. Risk assessment should be a core piece of any security architecture work.

Once you’ve done the assessment, figure out how much – in dollars and other terms — you stand to lose in an attack. Remember: How much you spend on security should be proportional to the risk. After all, the Hope diamond isn’t stored in a cardboard box.