10

In assigning budget rationally - i.e. proportionally to the risk in a particular area - how can you calculate the relative risks?

I can think of examples where clients of mine have secured their websites very well, but have no security on their front door and no vetting of contractors - this seems crazy but usually boils down to the fact they have had no way to compare risks.

Answers can be quantitative or qualitative, but I'm just interested in how this is done in organisations you know.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • @Lucas the 2 answers here already have credible AND official sources - NIST is pretty much as official as you get, and pretty credible in this area. FAIR is also well known and well regarded, and that is the official site for it. So what are you looking for? – AviD Dec 19 '13 at 20:23

2 Answers

12

I'm sure there are many processes - the general term to search for is 'risk analysis' or 'risk assessment'. The process I'm most familiar with is what's advocated by NIST.

Generally, the NIST process:

  • what is your system - what counts as part of your system and not part of your system

  • what are your threats? what groups or people, what are they after, what are their resources?

  • what are your vulnerabilities? what can be exploited by one of these threats?

  • what do you have protecting your vulnerabilities already? How effective is it?

  • how likely is it that your vulnerability will be exploited by a threat, despite your controls?

  • what is the impact if the vulnerability is exploited? how much will you lose? Both in assets, in the ability to make future money, or in damage to reputation

  • combine likelihood and impact - if both are high - this is your MUST DO list. If both are low, you have candidates for things to defer.

  • investigate new protections - balance the cost of the protection vs. the cost of vulnerability exploitation to see if it's worth it to pay the money.

Put together a plan for what protections you'll spend money on now. Keep in mind there are other options beyond stopping the exploit - for example, an insurance policy to prevent losses.

bethlakshmi
  • 11,606
  • 1
  • 27
  • 58
  • 2
    All the above come together in NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. IMHO if you only have time for one of the NIST Risk Framework documents that's the one you should be reading – George May 06 '11 at 09:14
  • Thanks for the reference. I was trying to dig it up, but NIST was painfully slow yesterday (or at least it was from my computer...) – bethlakshmi May 06 '11 at 19:12
10

If you're not familiar with it, FAIR (a quantitative risk framework) should give an organization the tools to do this.
From the website:

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

FAIR allows organizations to:

  • Speak in one language concerning their risk
  • Be able to consistently study and apply risk to any object or asset
  • View organizational risk in total
  • Defend or challenge risk determination using an advanced analysis framework
  • Understand how time and money will impact their security profile

In short, using FAIR you can produce a risk "number", which can be a dollar (or pound) value for the risk.
This can then be "compared" objectively to other risks, on an equal scale - as opposed to comparing apples and oranges (or more commonly, apples and purple).

Note also that this does not apply only to technical or computer risks....

AviD
  • 72,138
  • 22
  • 136
  • 218
  • 3
    We use the FAIR model at my work. We feel like it strikes the nice balance between simple enough to use, and detailed enough to be useful. – Scott Pack May 05 '11 at 23:17
  • 1
    @Scott, can you pop up some more information on that? E.g. how it would help with the above situation, in your work: balancing between securing the website and the front door... – AviD May 06 '11 at 09:33
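The two answers above describe the same comparison in two forms: NIST's qualitative likelihood/impact sort and FAIR's single monetary risk figure. The following is an added example, not code from either answer or from NIST or FAIR, that puts the question's own three areas (website, front door, contractor vetting) on one scale and then checks each candidate protection's cost against the loss it avoids. The figures, names and thresholds are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: float  # probability of a loss event per year, given existing controls
    impact: float      # expected loss per event; one currency unit for every risk

    def annual_loss(self) -> float:
        # FAIR-style: loss event frequency x loss magnitude gives one comparable figure
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    risk: str                    # name of the Risk it addresses
    annual_cost: float
    likelihood_reduction: float  # fraction of the likelihood the control removes (0..1)

def triage(risk: Risk, high_likelihood=0.15, high_impact=100_000) -> str:
    """NIST 800-30 style qualitative sort: both high -> must do, both low -> defer."""
    highs = (risk.likelihood >= high_likelihood) + (risk.impact >= high_impact)
    return {2: "must do", 0: "candidate to defer"}.get(highs, "evaluate")

def rank_risks(risks):
    """Highest expected annual loss first, so budget can follow the risk."""
    return sorted(risks, key=Risk.annual_loss, reverse=True)

def net_benefit(control: Control, risks) -> float:
    """Loss avoided per year minus the control's cost; negative means not worth paying."""
    risk = next(r for r in risks if r.name == control.risk)
    return risk.annual_loss() * control.likelihood_reduction - control.annual_cost

def worthwhile_controls(controls, risks):
    """Only controls that pay for themselves, best value first."""
    paying = [c for c in controls if net_benefit(c, risks) > 0]
    return sorted(paying, key=lambda c: net_benefit(c, risks), reverse=True)

# Constructed sample register (illustrative figures, not real data)
RISKS = [
    Risk("web application compromise", 0.10, 200_000),
    Risk("walk-in theft through unsecured front door", 0.50, 30_000),
    Risk("data theft by unvetted contractor", 0.20, 150_000),
    Risk("office printer outage", 0.05, 2_000),
]
CONTROLS = [
    Control("additional web penetration test", "web application compromise", 15_000, 0.5),
    Control("front-door access control", "walk-in theft through unsecured front door", 3_000, 0.8),
    Control("contractor background vetting", "data theft by unvetted contractor", 5_000, 0.6),
]
```

With these numbers the already well-secured website is the one area where spending more does not pay back, while door access control and contractor vetting both do, which is the kind of comparison the question says the clients had no way to make.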