Module 1

MODULE 1 - RISK ASSESSMENT

What is Risk?

• Risk involves uncertainty.

RISK = PROBABILITY x IMPACT

• Probability: it is the likeliness of a security event occurring.
o One can use statistical and analytical methods to calculate approximate likelihood
if it is unknown.
o Probability ranges from 0 per cent to 100 per cent.

• Impact: it is the result or consequence of a security event occurring.
o If the impact is unknown, then it can be approximated through analyzing indirect
and direct consequences, context, performing threat modelling, evaluating assets,
etc.

RISK = (THREAT x VULNERABILITY) x IMPACT

• Factors involved in the likelihood of an incident happening:
o Threat
o Vulnerability

• Risk: uncertainty’s effect on the objectives or the product of the likelihood of a security
event occurring and the impact of the event.

• Threat: an entity that can cause damage to an organisation’s assets or the organisation
itself. A threat is the cause of a security event occurring.

• Threat agent: entity accountable for a security threat.
o Threat agents can be classified into the following categories:
➢ Natural
▪ Disasters such as earthquakes, tornadoes, floods, hurricanes, etc.
➢ Man-made
▪ Unintentional
❖ Insiders
❖ Outsiders
▪ Intentional
❖ Insiders

o Former employees

o Suppliers

o Current employees
❖ Outsiders

o Hacktivists

o Industrial espionage

o Amateur hackers

o Nation state

o Terrorist group

o Professional hackers

o Organized crime

• Vulnerability: it is an exploitable flaw in an asset or a group of assets. It can be hacked

by one or several threats.

• Asset: it can be anything that needs to be protected because it holds some value to an

organisation.
o Indirect asset: this type of asset gets damaged indirectly due to the damage
caused to another asset. E.g. an indirect asset could be an organisation’s

reputation that could get harmed due to the damage caused by hackers to the
customer data stored in the organisation’s databases.

• Impact: impact of a security event is the result of the security event occurring. Only a

part of an asset or several assets can be impacted by a security event. The extent to which

a security event is successful decides the impact related to that security event. The value

of the impact that results from the security event and that of the asset have an vital

difference.

PDCA cycle
• The plan-do-check-act (PDCA) cycle was made famous by E. Deming.
• Quality management is based on PDCA.
• Risk management is essential for ensuring good quality.

(Continuous improvement)



• PDCA cycle explained:
o Plan:
➢ The risk management plan is designed in this phase
▪ Any risk assessment, controls and risk treatment plans should be
created.
o Do:
➢ The risk management plan should be implemented and deployed.
▪ Any controls should also be implemented.
o Check:
➢ The risk management plan in place should be monitored and reviewed.
▪ The risks should be monitored and reassessed.
o Act:
➢ The risk management plan should be maintained and enhanced.
▪ The risk controls should be enhanced.

The process of Risk Management

Risk Assessment

One should identify risks, quantify them or qualitatively describe them, and also prioritize the risks
against risk evaluation.

The apparent criticality and some other recognised criteria can be used by managers to prioritise
risks.

Activities of the Process:

1. Risk Identification
2. Risk Analysis
3. Risk Evaluation

Important Note:

General guidance on what to do is provided by the ISO 27005 standard. It does not, however, give
information on how things have to be done.

1. Risk identification (What could happen?)
• Identification of existing controls
• Identification of consequences
• Identification of assets
• Identification of vulnerabilities
• Identification of threats

2. Risk Analysis (How bad would it be?)
• Assessment of consequences
• Risk level determination
• Risk analysis methodologies

3. Risk Evaluation (Is a risk we can accept?)
• Risk levels are compared against risk acceptance criteria

Risk Identification

1. Identification of existing controls
• It is unlikely that the security management will start form zero.
• Identifying controls already in place avoids unnecessary expenses.

2. Identification of consequences
• Which are the potential impacts to confidentiality, availability and integrity?
(Financial costs, time loss, opportunity loss, reputation loss, etc.)

3. Identification of Assets
• Assets inventory

4. Identification of vulnerabilities
• Knowing the threats and existing controls, what are the remaining gaps?

5. Identification of Threats
• Information on threats obtained from incident reviewing, asset owners, users
and other sources, including external threat catalogues.

• Threat modelling (e.g. STRIDE)

Risk Register
Risk analysis results and risk response planning are logged in this document. The type and level
of information contained in the risk register are increased with time as more information regarding
the outcomes of various risk management processes that are conducted is added to the risk register.

• Identified risks list:
o Details about the risk that are identified are provided.
o Risk statements may be used to describe risks.
o Events and conditions that may cause risks should be considered and logged to
support any future risk identification.

• Likely responses list:
o Identify any likely responses to a risk while identifying risks and record them.
These responses should be used as reference for planning risk responses.

Risk analysis
Quantitative risk analysis: the impact of an identified risk is analysed by using numerical
methods.
Qualitative risk analysis: it is the procedure, by assessing and combining the probability of
occurrence and the impact of a risk, prioritisation of risk is done for any further action or analysis.

Pros and cons of the qualitative methods
Pros and cons of the quantitative methods

Examples of qualitative techniques and tools:
• Probability and Impact matrix
• Risk Register
• Validation of assumptions
• Risk categorisation
• Experts judgement

Examples of quantitative techniques and tools:
• Probabilistic methods
• Estimation of threat capability
• Estimation of vulnerability/ risk exposure

• Estimation of likelihood of an event
• Estimation of monetary costs (impacts)
• Quantify risks
• Cost-benefit analysis

Quantitative as well as qualitative forms can be used to convey the business impact value.
However, an efficient decision-making process can be created using methods with which monetary
value can be assigned.