Let’s start with a little exercise. Rate the risk for the following events.
Going 15 mph over the speed limit.
Using a public wireless internet connection at the airport.
Using a third party for payment services.
If you were to ask your neighbor how they would rate them, would it be the same? Go ahead and ask them, I’ll wait. For those not asking, do you think they would be the same? Probably not. Assigning a risk label to an event is too subjective. It’s based upon the person’s experience, profession, and situational awareness. How one person labels risk most likely will not match how someone else does. This is mostly due to the lack of comparable impacts. Assigning impact consistently is manageable with guidance, which may include factors such as:
Fiscal costs to replace/fix.
Employee hours needed (will you have to outsource?)
Damage to reputation (usually more for service providers)
Harm to individuals (employees and / or patients).
Each of these factors and the threshold from one to the next is organization specific. $10,000 in replacement systems for one company may be fairly significant while for another it may be the budget for the annual holiday party. Establishing the different thresholds for each of your risk layers will make this a repeatable process. It’s an easier process than most think; just go through the possibilities for each. If this would cost our organization $__________ it would be bad, $____________ is really bad, and $_______________ is “I’m packing up my office right now.” Just keep doing that on all your impact decision factors. Creating a matrix will help quickly assign such risk impacts and also ensure that the right people are involved in the process. That’s correct: assigning risks, the impact, and the likelihood, shouldn’t be a one person job; there are too many factors for one person to know. Healthcare is a great example. IT can determine how much it would cost to replace/fix a server, but IT most likely will not be able to properly gauge organizational reputation damage and the potential harm to patients. Having more people with different roles also brings more situational awareness (i.e., threat likelihood) to the risk assignment process. They may be aware of additional controls which could lessen the chance of the risk being realized. Raising situational awareness allows your company to assess risks with greater understanding and accuracy. For example, would the risks you assigned to the examples above change with the following?
Going 15 mph over the speed limit in a school zone.
Using a public wireless internet connection at the airport after Defcon.
Using a third party for payment services that continues to suffer data breaches.
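As an added example (not code from the original post), here is the threshold matrix from above worked through in Python: each organization supplies its own lower bounds per impact factor, the same event is rated by the same repeatable rule, and the likelihood the group agrees on from its situational awareness is folded in at the end. The two organizations, their thresholds, the 0-3 reputation and harm scales, and the server event are all constructed for illustration.

```python
LEVELS = ["low", "bad", "really bad", "packing up my office"]

# Each organization's own lower bounds for levels 1, 2 and 3 of LEVELS, per
# impact factor; a value below the first bound is level 0. Both organizations
# and their numbers are constructed for illustration.
SMALL_CLINIC = {
    "fiscal_usd":  (5_000, 25_000, 100_000),
    "staff_hours": (40, 160, 500),
    "reputation":  (1, 2, 3),   # 0-3 scale agreed with leadership
    "harm":        (1, 2, 3),   # 0-3 scale agreed with clinical staff
}
HOSPITAL_SYSTEM = {
    "fiscal_usd":  (100_000, 1_000_000, 10_000_000),
    "staff_hours": (500, 2_000, 10_000),
    "reputation":  (1, 2, 3),
    "harm":        (1, 2, 3),
}

def level_for(value, bounds):
    """Index into LEVELS: the highest bound that value reaches, else 0."""
    level = 0
    for i, bound in enumerate(bounds, start=1):
        if value >= bound:
            level = i
    return level

def impact_level(event, matrix):
    """Overall impact is the worst level across every factor in the matrix.
    Every factor must be rated, which is what pulls IT, leadership and
    clinical staff into one assignment instead of leaving it to one person."""
    missing = set(matrix) - set(event)
    if missing:
        raise ValueError(f"unrated impact factors: {sorted(missing)}")
    return max(level_for(event[f], matrix[f]) for f in matrix)

def risk_rating(event, matrix, likelihood):
    """Combine impact level (0-3) with likelihood (1-3, from the group's
    situational awareness) into a 0-9 score plus the impact label."""
    impact = impact_level(event, matrix)
    return impact * likelihood, LEVELS[impact]

# Constructed event: rebuilding one internal server after a compromise.
SERVER_LOSS = {"fiscal_usd": 10_000, "staff_hours": 60, "reputation": 0, "harm": 0}

if __name__ == "__main__":
    for name, matrix in (("small clinic", SMALL_CLINIC), ("hospital system", HOSPITAL_SYSTEM)):
        print(name, risk_rating(SERVER_LOSS, matrix, likelihood=2))
```

The same $10,000 server lands on "bad" for the clinic and "low" for the hospital system, and raising the agreed likelihood (say, after a spate of public breaches) moves the score without anyone re-guessing the impact.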
All of the aspects above increase the maturity level of risk assignments used in Risk Management programs, audits, and everyday operations. It helps everyone within the organization speak the same language and ensures that we compare apples to apples. When everyone is on the same plane and knows how the risks are being assigned, there tends to also be less resistance to risk reducing initiatives. This level of organizational “buy-in” is crucial for those projects that have a large impact radius and cross many departmental boundaries. So how does this all start? The easiest way is to integrate this process as part of your Risk Management program and during each Risk Assessment. Use the same processes for your internal audits, and have external companies either use your process or provide enough information to allow your group to rate findings again internally. Document the process and the various factors and make sure all involved know what they are. This will lead to some interesting conversations, but stick to it! Having an established and consistent process turns the arbitrary into the meaningful.