Risk analysis is an intimidating topic for security risk management organizations. Analysis takes precious time and can be complicated. Often the identified risks are vague and there are few facts to put around them. Organizations want results quickly, which can drive them to skip the analysis step and take action on risks that are not well defined. This is a pitfall: vague risks can evaporate and/or be assigned an incorrect priority. Taking the time to analyze your risks is the due diligence that ensures you are spending your resources in the right place.
If you are just starting an analysis program, I recommend you keep it very simple. As the program matures you can develop the analysis along with it. Installing a comprehensive model immediately will kill your program: people will find it heavy and its output not credible, and they will try to skip the step. Below are my thoughts on risk analysis.
First, scope the risk. What is the risk, the threat, the vulnerabilities, the controls, etc.? Who are the actors? What is at risk? Which geographical regions are affected? Once the risk is scoped, add facts. Understand the potential impact and frequency of risk events. Understand how the current controls stop a risk event from occurring and/or reduce its impact. Document the facts. When you don’t have facts, document the assumptions you make. Assumptions are a reality and should never be hidden. Especially as you start a program, you will have more assumptions than facts. As you gain more experience and data, the number of assumptions will decrease.
Next you need a risk analysis methodology. Do you need to qualify the risk (describe it in words) or quantify it (describe it as an Annualized Loss Expectancy, ALE)? Risk qualification is simple, quick, and easy. It is a great tool for understanding the magnitude of a risk and describing it. It does have limitations: it cannot easily support cost benefit analysis or risk aggregation. Risk quantification takes more time and requires some math/modeling, but its output supports risk aggregation and cost benefit analysis. Risk quantification also usually describes the magnitude of a risk as a range rather than a single point, and understanding how the magnitude of risk events varies can be helpful.
Risk aggregation is something you will want to consider. It is difficult to implement because you may need to correlate related risks, but it is important for understanding the overall level of risk in your organization. Risks viewed in silos may be prioritized differently than risks viewed holistically. For example, a single building fire may not be worrisome. But if all your buildings are located together and separated by a foot, then a single building fire is very worrisome because all your buildings are likely to burn down. A holistic view of risk can change your decisions.
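The building fire example above can be worked through numerically. The following is an added example (not from the original post): it models n identical assets with a common-shock mixture in which a correlation parameter rho slides between fully independent fires (the silo view) and a fire that spreads to every building (the "a foot apart" case). The number of buildings, fire probability, loss per building and catastrophe threshold are constructed assumptions.

```python
"""Risk aggregation: the same risks look different when viewed together,
and the answer depends on how correlated they are.

Added example with constructed figures. Model: n identical assets (the
buildings in the text), each with annual fire probability p and loss L. A
correlation parameter rho mixes two extremes: rho=0, fires are independent
(the silo view); rho=1, a fire in one spreads to all (buildings a foot apart).
"""
from math import comb


def loss_distribution(n: int, p: float, loss: float, rho: float) -> dict:
    """Return {total_annual_loss: probability} for n assets.

    Independent part: number of burning assets is Binomial(n, p).
    Shared part: either nothing burns (1-p) or everything burns (p).
    The two are mixed with weight rho (a common-shock model, assumed here)."""
    dist = {}
    for k in range(n + 1):
        independent = comb(n, k) * p ** k * (1 - p) ** (n - k)
        if k == 0:
            shared = 1 - p
        elif k == n:
            shared = p
        else:
            shared = 0.0
        prob = rho * shared + (1 - rho) * independent
        if prob > 0:
            dist[k * loss] = dist.get(k * loss, 0.0) + prob
    return dist


def expected_loss(dist: dict) -> float:
    """ALE of the aggregate: sum of loss x probability."""
    return sum(l * pr for l, pr in dist.items())


def tail_probability(dist: dict, threshold: float) -> float:
    """Probability that the year's total loss reaches the threshold."""
    return sum(pr for l, pr in dist.items() if l >= threshold)


def compare_views(n: int, p: float, loss: float, threshold: float) -> dict:
    """Silo vs holistic: expected loss is identical at every rho, but the
    chance of a catastrophic year is not."""
    out = {}
    for rho in (0.0, 0.5, 1.0):
        dist = loss_distribution(n, p, loss, rho)
        out[rho] = {"expected_loss": expected_loss(dist),
                    "p_catastrophic": tail_probability(dist, threshold)}
    return out


# Constructed scenario: four buildings, 2% annual fire chance each,
# $1M loss each, and "catastrophic" means losing three or more of them.
SCENARIO = dict(n=4, p=0.02, loss=1_000_000, threshold=3_000_000)

if __name__ == "__main__":
    for rho, row in compare_views(**SCENARIO).items():
        print(f"rho={rho}: expected loss {row['expected_loss']:,.0f}, "
              f"P(loss >= 3M) = {row['p_catastrophic']:.6f}")
```

The point the numbers make is the one in the text: the expected annual loss is the same whether the buildings are viewed in silos or together, so a simple ALE sum would rank them identically, but the probability of a catastrophic year jumps by orders of magnitude once the correlation is taken into account. That tail, not the average, is what changes the decision.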
Cost benefit analysis is also something you want to consider. As always, you want to make sure you are spending your resources as wisely as possible. Cost benefit analysis compares the cost of a risk treatment to the risk reduction it provides. In general you don’t want to mitigate a risk when the treatment is more expensive than the risk. You also want to find the low hanging fruit (inexpensive treatments that reduce risk). The goal is to reduce the most risk with limited resources.
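The following added example (not code from the original post) ties the quantification and cost benefit sections together: it computes a single-point ALE with the Impact x Frequency formula, turns it into a range by sampling frequency from a normal curve and impact from an exponential curve, records the assumptions next to the facts, and then ranks candidate treatments by the ALE reduction they buy against their annual cost. The risk scenario, the treatments and every figure are constructed assumptions.

```python
"""Quantitative risk analysis: ALE as a point estimate and as a range, then a
cost benefit comparison of candidate treatments.

Added, hypothetical example. All figures (frequencies, impacts, treatment
costs and effects) are constructed assumptions, not real data.
"""
import random
import statistics
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    freq_mean: float          # expected risk events per year (assumption)
    freq_sd: float            # uncertainty on that frequency, modeled as normal
    impact_mean: float        # expected loss per event, modeled as exponential
    assumptions: list = field(default_factory=list)  # kept beside the facts

    def ale_point(self) -> float:
        """Single-point ALE: the 'Impact x Frequency' formula."""
        return self.freq_mean * self.impact_mean


def simulate_annual_loss(risk: Risk, trials: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: sample frequency and impact from simple distributions and
    multiply, giving a spread of annual losses instead of one number.
    Frequency is clipped at zero because a normal curve can go negative."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        freq = max(0.0, rng.gauss(risk.freq_mean, risk.freq_sd))
        impact = rng.expovariate(1.0 / risk.impact_mean)
        losses.append(freq * impact)
    return losses


def loss_range(losses: list) -> dict:
    """Summarize simulated losses as percentiles plus the mean."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(ordered)}


@dataclass
class Treatment:
    name: str
    annual_cost: float
    freq_factor: float = 1.0    # multiplier on event frequency after treatment
    impact_factor: float = 1.0  # multiplier on per-event impact after treatment


def cost_benefit(risk: Risk, treatments: list) -> list:
    """Compare each treatment's annual cost with the ALE reduction it buys,
    ranked by net benefit (reduction minus cost). A negative net benefit
    means the treatment costs more than the risk it removes."""
    before = risk.ale_point()
    rows = []
    for t in treatments:
        after = (risk.freq_mean * t.freq_factor) * (risk.impact_mean * t.impact_factor)
        reduction = before - after
        rows.append({"treatment": t.name, "annual_cost": t.annual_cost,
                     "ale_reduction": reduction,
                     "net_benefit": reduction - t.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario: credential phishing leading to account compromise.
PHISHING = Risk(
    name="credential phishing",
    freq_mean=0.5, freq_sd=0.2, impact_mean=80_000,
    assumptions=["frequency estimated from two incidents in four years",
                 "impact is response cost only; no regulatory fines assumed"],
)

# Constructed treatments; the effect factors are assumptions, not measurements.
TREATMENTS = [
    Treatment("MFA on all remote access", annual_cost=15_000, freq_factor=0.2),
    Treatment("phishing awareness training", annual_cost=5_000, freq_factor=0.7),
    Treatment("incident response retainer", annual_cost=30_000, impact_factor=0.6),
]

if __name__ == "__main__":
    print(f"{PHISHING.name}: point ALE = {PHISHING.ale_point():,.0f}")
    for k, v in loss_range(simulate_annual_loss(PHISHING)).items():
        print(f"  {k}: {v:,.0f}")
    for row in cost_benefit(PHISHING, TREATMENTS):
        print(f"  {row['treatment']}: net benefit {row['net_benefit']:,.0f}")
```

Two things worth noticing when running it. The p10/p50/p90 spread is much wider than the single-point ALE suggests, which is the "range rather than a single point" benefit of quantification. And the incident response retainer comes out with a negative net benefit: it does reduce the risk, but it costs more than the ALE it removes, which is exactly the treatment the text says not to buy, while the cheap awareness training is the low hanging fruit.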
Once your analysis is complete, your organization can compare the level of risk against its risk tolerance/appetite, correctly prioritize the risks, and plan the appropriate treatment for its risk portfolio. Your due diligence helps ensure you are spending resources in the right place.
In closing… if you are just starting a program, keep the analysis simple to begin with. Don’t be afraid of assumptions; document them as you would facts. Keep the modeling simple and use simple distribution curves (normal, exponential, etc.). This is no time to “geek out.” Keep the math formulas simple: Impact x Frequency. Leave risk aggregation for the second phase, since correlation is always the hardest part. As your analysis matures, replace assumptions with facts, build out your probability distributions, start trying cost benefit analysis, and start working on risk aggregation. Apply these principles to your world where they make sense. Risk analysis is a tool and should be customized to fit your needs. Don’t add new risk functionality if it does not add significant value. Keep it simple.