Tuesday, November 19, 2024

How to manage risks?

We know that risks in IT infrastructures and cyberspace are becoming more frequent and more sophisticated. They are a consequence of technological progress accelerated by digital transformation, which brings, along with benefits and possibilities, threats and vulnerabilities that attackers are eager to exploit. But what can be done to manage these risks? Which strategies avoid, or at least mitigate, the impacts they can cause? And, after all, how does one perform a Risk Analysis and a Risk Assessment?

To start this conversation, let’s first understand what is actually considered “risk”.

Do you know what a RISK is?

RISK = Probability of an event occurring + consequence of that event.

A risk exists when a threat agent (for example, an attacker) is able to take advantage of a vulnerability and cause a corresponding business impact. For example: a firewall with several open ports presents a higher probability of an unauthorized network intrusion and the damage that follows from it.

Another example: a team of employees who are poorly informed about the company’s procedures and processes raises the probability of an unintentional error that could destroy data.

Another example: a network without an intrusion detection system offers a higher probability of an attack going unnoticed, and by the time it is noticed, it may already be too late.

In short, we can say that risk links a vulnerability, a threat, and the probability of exploitation to the related business impact.

It is also worth noting that a risk in Information Security may be associated with threats to a single information asset or to a group of information assets that could cause harm to an organization.

When a threat materializes, a risk arises for the organization. In the Information Security process, threats are mapped so that both the analysis of the risk’s extent and the management of its evaluation determine the measures that must be taken to minimize the risk and what it could become.

Understand what a Risk Analysis is:

According to ISO 27005, we can understand the term ‘risk analysis’ as a process that defines and analyzes risks represented by potential adverse human and natural events, both for individuals and for companies and government agencies.

That is, Risk Analysis allows for risk estimates and provides the basis for proper evaluation and definition of the protection measures that need to be taken.

In practice, Risk Analysis is a tool to clarify which threats are relevant to operational processes and to identify associated risks.

It is through Risk Analysis that the appropriate level of security and associated security measures can be determined.

We can define the objectives of a Risk Analysis as:

  • Identify assets and their values;
  • Map vulnerabilities and threats;
  • Analyze the risk of threats becoming a reality and interrupting the operational process;
  • Specify the balance between the costs of an incident and the costs of a security measure, that is, a cost-benefit analysis.

Types of Risk Analysis

Risk Analysis can be quantitative and qualitative. Let’s better understand each one!

Quantitative Risk Analysis aims to calculate a risk value based on the level of financial loss and the probability that a threat may become an Information Security incident. It determines the value of each element in all operational processes. These values can be composed of the costs of Information Security measures as well as the value of the property itself, including items such as hardware, software, information, and business impact.

The time frame considered in a Quantitative Risk Analysis should extend from the emergence of a threat until the Information Security measures take effect.

However, a purely quantitative risk analysis is practically impossible! It is the qualitative risk analysis that maps out the scenarios and situations and the chances of a threat becoming a reality (based on experience and intuition).

Qualitative analysis also examines the operational process related to the threat and the Information Security measures already taken. This all leads to a subjective view of possible threats, so that measures can be subsequently taken to minimize the Information Security risk. 

In any case, the best result of an analysis is achieved when it is carried out in a group, because the resulting debate prevents a single person or department from imposing its view.

How to assess risks?

After the Risk Analysis is performed, the next step in management is Risk Assessment. 

According to ISO/IEC 27000:2012, Risk Assessment is the overall process of risk identification, risk analysis, and risk estimation. Risk Assessment, therefore, should include a systematic approach to estimating the magnitude of risks (Risk Analysis) and the process of comparing the estimated risks against risk criteria to determine the significance of the risks (Risk Estimation).

Risk assessment is the total sum of: 

  • Asset evaluation and appreciation; 
  • Threat evaluation and appreciation; 
  • Vulnerability evaluation. 

It is this total sum that provides the diagnosis of the scenario on which the appropriate strategies are defined. And what are these strategies? There are different types, so that the most appropriate one can be chosen based on the result of the risk assessment. Let’s see what they are:

Learn about 3 types of Strategies that can be applied in Risk Management

The first type of strategy is Risk Acceptability, in which:

  • Certain risks are acceptable because the security measures would be too expensive;
  • Management may decide not to do anything, even if the costs of security measures do not exceed the costs of potential damages;
  • Information security measures are generally repressive in nature.

Another type of strategy is Risk Neutral, in which security measures are taken so that:

  • The threat ceases to exist;
  • The resulting damage is minimized;
  • The security measures taken are a combination of preventive, investigative, and repressive measures.

In the Risk Prevention strategy:

  • The security measures taken are such that the threat is neutralized to a degree that prevents an incident from occurring. For example, the addition of new software that ensures that errors in the old software are no longer a threat;
  • The security measures taken are preventive in nature.

According to the result of the risk assessment, the most appropriate strategy for the scenario is chosen for the appropriate treatment.

Treating security risks

Before considering the treatment of a risk, the organization needs to define the criteria for determining whether risks can be accepted or not. 

Risks can be accepted if, for example, it is assessed that the risk is low or that the cost of treatment is not economically viable for the organization. 

For each of the identified risks, following risk analysis/assessment, a decision about the treatment of the risk needs to be made. 

Possible options for treating the risk include:

  • Applying appropriate controls to reduce the risks;
  • Knowingly and objectively accepting the risks, provided that they clearly meet the organization’s policy and risk acceptance criteria;
  • Avoiding risks, by not allowing actions that could cause risks to occur;
  • Transferring associated risks to other parties, such as insurers or suppliers.

It is recommended that for those risks where the treatment decision is to apply appropriate controls, those controls be selected and implemented to meet the requirements identified by the risk analysis/assessment. 

The controls should ensure that risks are reduced to an acceptable level, taking into account:

  • National and international legislation and regulation requirements and constraints;
  • Organizational objectives;
  • Requirements and operational constraints;
  • Cost of implementation and operation in relation to the risks being reduced, which must remain proportional to the organization’s constraints and requirements;
  • The need to balance investment in implementing and operating controls against the probability of damage resulting from information security failures.
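As an added illustration that is not part of the original article, the following Python risk register carries the quantitative analysis and the cost-benefit reasoning described above through to a treatment decision: the risk value is probability times financial loss, a risk below the acceptance threshold is accepted, a control is applied when it costs less than the loss it avoids, and otherwise the risk is transferred. The assets, figures, and threshold are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a risk register: an asset, a threat to it and the figures
    a quantitative analysis needs (all numbers used below are constructed)."""
    asset: str
    threat: str
    probability: float           # chance per year that the threat becomes an incident
    impact: float                # financial loss if the incident occurs
    control_cost: float          # yearly cost of the candidate security measure
    residual_probability: float  # chance per year that remains once the measure is in place

    def expected_loss(self) -> float:
        # Quantitative risk value: probability of the incident times its financial consequence.
        return self.probability * self.impact

    def residual_loss(self) -> float:
        # What the organisation still expects to lose after applying the control.
        return self.residual_probability * self.impact


def treatment_decision(risk: Risk, acceptance_threshold: float) -> str:
    """Pick a treatment option from the acceptance criteria and a cost-benefit
    comparison of the control against the loss it prevents."""
    if not (0.0 <= risk.residual_probability <= risk.probability <= 1.0):
        raise ValueError(f"{risk.asset}: probabilities must lie in [0, 1] and a control must not raise them")
    exposure = risk.expected_loss()
    if exposure <= acceptance_threshold:
        return "accept"    # low risk: within the organisation's acceptance criteria
    loss_avoided = exposure - risk.residual_loss()
    if loss_avoided > risk.control_cost:
        return "reduce"    # the control costs less than the loss it prevents
    return "transfer"      # treatment not economically viable: insure or pass to a supplier


def prioritise(risks: list[Risk]) -> list[str]:
    """Order the register by expected loss, largest first, for the treatment discussion."""
    return [r.asset for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


# Constructed register built from the three scenarios the article uses as examples.
REGISTER = [
    Risk("perimeter firewall", "unauthorized intrusion via open ports", 0.25, 200_000, 15_000, 0.0625),
    Risk("file server", "unintentional deletion by untrained staff", 0.5, 20_000, 12_000, 0.125),
    Risk("test lab network", "attack undetected for lack of an IDS", 0.125, 32_000, 6_000, 0.03125),
]
ACCEPTANCE_THRESHOLD = 5_000  # constructed: an expected loss at or below this is accepted


def assess(register: list[Risk] = REGISTER, threshold: float = ACCEPTANCE_THRESHOLD) -> dict[str, str]:
    """Return the treatment decision for every asset in the register."""
    return {r.asset: treatment_decision(r, threshold) for r in register}
```

Running `assess()` on the constructed register recommends reducing the firewall risk, transferring the staff-error risk (the training control costs more than the loss it would avoid), and accepting the lab network risk.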

So, is this Risk Management?

When a threat manifests itself, it becomes an incident. For example, a hacker gaining access to a company’s network or a serious power failure threatening business continuity. It is when the threat materializes that a risk to the company arises. 

The extent of the risk and its management determine which measures should be taken.

Therefore, Risk Management is the entire process of transforming a threat into a risk with the appropriate security measures in place. 

It is important to note that risk management is a continuous process in which risks are identified, examined, and reduced to an acceptable level. 

This process applies to all aspects of operational processes. In large organizations, the task of monitoring this process is carried out by an information security specialist.

Most of the measures taken by an organization’s information security department to neutralize the risk are a combination of preventive and repressive actions. 

When measures are taken to avoid the risk, the threat is neutralized in such a way that it does not lead to an incident. To picture in practice how an existing threat is eliminated, imagine upgrading old software to a newer version in which its known errors have been fixed.

Think carefully about this process!

Regardless of the strategy adopted, the key is to make a conscious decision based on risk analysis and evaluation. It is also important that management be aligned with the company’s security objectives and policies, as well as with the requirements and constraints of national and international legislation and regulation.

Risk Management is undoubtedly a very extensive and detailed subject. Each scenario requires its own strategic adaptation, so an information security professional should always be consulted. But I hope that I have helped to clarify how to deal with the risks that threaten the protection of your data, information, and assets in general.

If this content was useful to you, share it with others! Good things are meant to be shared!
