Businesses today have to manage a lot of risk. When it comes to technology, the risks are vast and can be difficult to calculate. The effectiveness of a security or disaster recovery solution can be especially hard to calculate. How do you know if you have enough redundancy and tight enough security controls to keep your business safe? Until something happens, you really don’t know. And then when it does, of course, it’s too late.
There are several ways to manage risk when it comes to technology. A security professional can perform a risk analysis to help you to determine your risk threshold, or the balance between mitigation and acceptance. This is also referred to as risk ‘appetite’ or ‘tolerance’.
Risk Avoidance – Often the risk is too great and it’s best to hold off on the solution until the risk can be mitigated. The risk analysis will tell you whether you should avoid the solution or mitigate the risk.
Risk Acceptance – Sometimes a risk is accepted and the organization decides to roll the dice and hope nothing happens. Again, this is not always a bad decision; the risk analysis will help you determine that. You’ll need to review your risk threshold and the mitigation costs so you don’t accept more exposure than you’re comfortable with.
Risk Mitigation – Anytime a risk assessment is performed, mitigation costs should accompany it. The cost of mitigation should be considered anytime a vulnerability is discovered.
Risk Transference – One of the bigger benefits of Cloud Computing and Managed Services is that they often allow you to transfer risk to another party. How much is actually transferred boils down to the contract. There should be a Service Level Agreement (SLA) in place that states where the provider’s responsibility begins and ends, and where their liability ends. This will help you uncover how much risk has been transferred to the other party and how much you should still be worried about.
Qualitative vs Quantitative Risk Assessment
Information security professionals will generally perform risk assessments as one of these two kinds. A Qualitative Risk Assessment is the more general version, where risks and vulnerabilities are rated as high, medium or low. There aren’t a lot of numbers involved in a Qualitative Risk Assessment; it’s more of a lower cost way to help you define your current posture.
For a detailed risk assessment where dollar amounts are assigned to each component, consider a Quantitative Risk Assessment. In this type of assessment, risks are calculated down to a specific number. There is a lot of math that goes into this so it can be a rather expensive task. Security professionals will calculate the following factors:
Single Loss Expectancy (SLE) – the cost of a single incident if it occurs
Annual Rate of Occurrence (ARO) – how many times per year an asset is expected to be lost due to the risk
Annualized Loss Expectancy (ALE) – the anticipated annual loss due to the risk; this is calculated by multiplying the SLE by the ARO
Exposure Factor (EF) – the fraction of an asset’s value that could be lost in a single incident. For example, if it’s determined that a building would on average burn halfway through if it catches fire, the exposure factor would be 0.5 or 50%
Safeguard Value – this equates to how much you’re willing to spend to mitigate a specific risk
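To make the factors above concrete, here is an added worked example (not from the original post) that carries one risk through the calculations. It assumes the standard formulas SLE = asset value × exposure factor and ALE = SLE × ARO, and scores a safeguard by the annual loss it avoids minus what it costs to run; the building, dollar amounts and rates are constructed sample figures, not real data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk to one asset, expressed with the quantitative factors above."""
    name: str
    asset_value: float      # replacement cost of the asset, in dollars
    exposure_factor: float  # fraction of the asset lost per incident (0.0 to 1.0)
    aro: float              # Annual Rate of Occurrence (incidents per year)

    def __post_init__(self):
        # An exposure factor outside 0..1 or a negative ARO is a data-entry error,
        # and silently computing with it would hide the mistake in the final ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be within 0.0 and 1.0")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: assumed formula asset value * exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE * ARO, as the text states."""
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_safeguard_cost: float) -> float:
    """Net annual benefit of a safeguard (assumed cost-benefit formula):
    ALE without the safeguard, minus ALE with it, minus its yearly cost.
    Positive means the safeguard pays for itself; negative means it costs more
    than the loss it prevents."""
    return before.ale() - after.ale() - annual_safeguard_cost


def recommend(before: Risk, after: Risk, annual_safeguard_cost: float,
              acceptance_threshold: float) -> str:
    """Turn the numbers into one of the treatments discussed earlier.
    'acceptance_threshold' is the yearly loss the organization will tolerate
    (its risk appetite); the labels are this example's own."""
    if before.ale() <= acceptance_threshold:
        return "accept"  # expected loss already sits inside the risk appetite
    if safeguard_value(before, after, annual_safeguard_cost) > 0:
        return "mitigate"  # the safeguard is cheaper than the loss it avoids
    return "transfer-or-avoid"  # too costly to fix in-house; insure, outsource or hold off


def fire_example() -> dict:
    """Constructed scenario: a $2M building, a fire expected once per decade that
    destroys half of it, and a suppression system costing $20k/year that cuts
    the damage per fire to 10%."""
    fire = Risk("building fire", asset_value=2_000_000, exposure_factor=0.5, aro=0.1)
    fire_with_sprinklers = Risk("building fire (sprinklers)", asset_value=2_000_000,
                                exposure_factor=0.1, aro=0.1)
    sprinkler_cost = 20_000
    return {
        "sle": fire.sle(),                   # 1,000,000
        "ale": fire.ale(),                   # 100,000 per year
        "ale_after": fire_with_sprinklers.ale(),  # 20,000 per year
        "safeguard_value": safeguard_value(fire, fire_with_sprinklers, sprinkler_cost),  # 60,000
        "recommendation": recommend(fire, fire_with_sprinklers, sprinkler_cost,
                                    acceptance_threshold=25_000),
    }


if __name__ == "__main__":
    for key, value in fire_example().items():
        print(f"{key:>16}: {value:,.2f}" if isinstance(value, float) else f"{key:>16}: {value}")
```

The interesting output is the safeguard value rather than the ALE alone: a $20k/year sprinkler system against a $100k/year expected loss is clearly worth buying, but the same system against an ALE of $30k would net only $2k a year and would be a borderline call, which is exactly the kind of threshold decision the risk analysis is meant to surface.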
There are several formulas used to calculate the values above and define a risk tolerance. I won’t go into all of them since that’s a book all on its own. If you’re dying of curiosity, you can read all 495 pages of The Security Risk Assessment Handbook. For now, just know that there are two different kinds of risk assessments, and best of all, there are trusted companies to help you perform one. Ideally, every company should at least have a Qualitative Risk Assessment performed.