Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact

Question

I am undertaking a risk assessment and trying to work out the risk impact on confidentiality for if a company employee (specifically a System Administrator) steals Server Hardware.

On the one hand the System Admin already has a in depth knowledge of how the company works and will gain very little additional knowledge from theft.
On the other hand the System Admin could now more readily distribute the information to a third party and impact could be very high.

Is there any common agreement on how in depth you should go when assessing impact, and thus whether I should choose 1 or 2 above?

Thanks in advance

There is a mismatch between title and question. Are you concerned about stealing the hardware or the information? — Steffen Ullrich, Jul 12 '17 at 11:59
This is more towards trusts and law. If you live a region that stealing is not a felony act, you need a locked room, hot online backup facilities, etc the list can be endless Or perhaps you need to visit psychiatrists for some advice. — mootmoot, Jul 12 '17 at 12:59
you need to assess the impact *on the company* - you go as far as you need to — schroeder, Jul 12 '17 at 19:07

score 2 · Answer 1 · answered Jul 12 '17 at 12:05

This answer to this question is depending a lot on the environment. Some examples:

If you are in a market with fierce competition, underpaid or otherwise unsatisfied workers, where the employees have access to valuable information, then the chance that these information will leak is very high, i.e. the risk an employee takes when stealing the information is probably low compared to the possible gain.
But if you treat your employees well, have no fierce competition and the information are not that valuable the gain from stealing is very low compared to the taken risk and thus stealing is less likely.

This the risk assessment should include looking at the value of the information, the trust you can have in your employees (which depends a lot on how you treat them but also on what your competition offers) and applicable laws which an employee will take into account when comparing his own risk when stealing to the gain.

Hi Stephen, thanks for your response. In this scenario I am trying to gauge risk impact if a server gets stolen (At this point I am not considering likelihood). I am also (in this scenario) there are no controls in place. My question is whether I should look at the initial impact of an admin stealing a server and getting access to the information on it, or should I look at the consequences further down the line? — Kay, Jul 12 '17 at 15:05
@Kay: Again, it depends on the exact circumstances: if there are critical information on the server the stolen server hardware is probably less the problem but instead the lost access to and possible leak of critical information. But, if this is just a newly bought expensive server not used in production yet the missing server itself is the main problem. — Steffen Ullrich, Jul 12 '17 at 15:48

score 1 · Answer 2 · answered Jul 12 '17 at 14:49

Risk management is typically done by quantifying the chance of something happening and also the impact to the business if that happens. For data leakage risk, the impact can be extremely high for companies that have intellectual property (IP) which if disclosed to a competitor would cause loss of market share down the road (because the competitor got the blueprint to the companies next big thing and went to market with it first). Or, the impact can be devastating impact to reputation, or regulatory fines or even criminal charges. So usually you gauge the impact as being extremely high.

The probability of that happening depends on a lot of things, such as whether their are any controls around the IP in digital form. Is it encrypted? Is access controlled? Is there monitoring in place to detect suspicious access to that IP? That is just a few but the list of controls that should be in place to protect digital IP is long.

In addition to controls, you also gauge how feasible it is to get that stolen IP off the premises. Again, the list of controls is long but to name a few: Locking down desktops and disabling portable storage like USB, implementing email controls to detect and prevent emailing of that IP, network security that prevents accessing cloud storage services (dropbox, etc), network security that makes it impossible to get an endpoint onto the network that isn't under the control of the company, e.g. a personal laptop, raspberry pi, etc.

So the answer to your question on how high the risk of data theft is "it depends" on a lot of things, which is going to vary from company to company.

Yes, the title and the question are out of alignment. Stealing server hardware is just one way proprietary information can be stolen. I don't even consider that a possibility because the last time I saw a company with servers not in a well-controlled data center was back in the 90s. That doesn't mean it can't be done, but again how likely that is depends on the controls around access into the data center and equipment moving in and out.

Assessing this risk really has to be done on a case-by-case basis, and to be done right needs to follow an assessment of the controls that impact this risk rating.

Hi Thomas, thanks for your response. In this scenario I am trying to gauge risk impact (and impact alone) if a server gets stolen (At this point I am not considering likelihood). I am also (in this scenario) assuming there are no controls in place. My question is, say a server had already been stolen by a system admin, whether I should look at the initial impact of an admin stealing a server and getting access to the information on it, or should I look at the consequences further down the line? — Kay, Jul 12 '17 at 15:06
In the companies I have worked, business impact usually materializes as loss of money, damage to the companies reputation, or legal/regulatory. So the impact of the hypothetical stolen server would really depend on what was on it, and how much damage can come from it. Again, though, controls play a factor too. If the local admin password is strong and the entire disk is encrypted, you have a little less to worry about. — Thomas Carlisle, Jul 12 '17 at 15:16
Okay thanks, so I think that assuming there are no controls, and access can be gained freely once stolen, we will assume impact is high, rather than just looking at the confidentiality lost if the admin has it in their possession. — Kay, Jul 12 '17 at 15:54
Assuming no controls is the best bet. I have run across far more cases where the company thinks it has better controls in place than it really does, and makes decisions based on that. I was thinking about it earlier, and I should have mentioned that there is also the impact of that server missing from the environment. So aside from the data leakage aspect, you also have some type of business impediment due to a missing server. A good company has a CMDB that ties servers to applications, and applications to business functions and criticality tiers. — Thomas Carlisle, Jul 12 '17 at 19:23
If it's the system administrator who's stolen the computer, then any access controls may be rather irrelevant. The first thing they will do when the get home will be to log on using their admin account, and disable all the controls. — Simon B, Jul 13 '17 at 12:45

score 1 · Answer 3 · answered Jul 12 '17 at 14:50

Knowledge of how the company works is largely irrelavant. In most cases, it will be "badly".

What matters is the files on those servers. All your product designs. All your proprietary software. All your current bids and proposals. All your detailed contract cost calculations. And so on.

Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact

3 Answers3