Million Dollar Question: What is RISK? The reason why I refer it as a million dollar question lies in definition(s) of term ‘RISK’. The term ‘RISK’ has been defined in multiple ways and it can be accommodated anywhere anytime and in any situation as per requirement. Inspite of having vivid definition(s) of RISK, in practise every human being is a RISK-PRO. When I say everyone, I mean EVERYONE irrespective of literacy level or profession.
Let us take a simple illustration. During rainy season, street vendors generally keep a plastic cover to protect their articles. Why So? Because they know that PROBABILITY of having rain is high and it could IMPACT their valuable articles. In corporate environment, we will complicate the same example by saying “Articles are VULNERABLE to THREAT of rain and hence RISK RESPONCE is required in form of some CONTROL (i.e. plastic cover) to MITIGATE RISK ELEMENT.” Wow. Now our dear vendor also knows that it is not worth spending Rs. 100/- to purchase a plastic cover to protect his articles costing Rs. 50/-. In our terms: “COST of CONTROL should not exceed COST of RISK”. Now I doubt whether street vendors have ever heard about these terminologies in their life, but pretty much sure that they actually understand RISK and RISK TREATMENT in their daily activities.
Again. What is RISK? Let us look into some of the widely accepted definition of RISK.
that a given threat will potentialISO 27005: The exploit
vulnerabilities of an asset of group of assets and thereby cause harm to the organisation.
ISO/IEC 73: RISK is the combination of the probability of an event and its consequences.
Dictionary Meaning: a situation involving exposure to danger.
ISO 31000: RISK is the “effect of uncertainty on objectives”
Business Dictionary: A probability or threat of damage,injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preventive action.
Oxford Dictionary: The probability of something happening multiplied by the resulting cost or benefit if it does.
If you observe, almost every definition speaks directly or indirectly about two terms: PROBABILITY & IMPACT. In simplest form, RISK is a product of PROBABILITY and IMPACT.
|
RISK= PROBABILITY*IMPACT
Both the terms are equally important while determining RISK. Let us continue with same plastic cover example. PROBABILITY of raining is very high, let say 1, however articles are water-proof and hence IMPACT is Nil i.e. zero even if it rains heavily.
So RISK of rain on articles will be:
|
Please note in real life scenario, quantifying RISK is not an easy task. Probability of arriving at ACCURATE PROBABILITY is itself questionable in certain scenario. Okay, I know that ACCURATE and PROBABILITY are incompatible with each other.
Another approach to understand the RISK is to understand the concept of VULNERABILITY and THREAT. Again there should be presence of both the elements (i.e. V*T) to constitute a RISK. A fort without guards is vulnerable to outside attack. However luckily now a days no one is interested to capture a ruined fort and hence THREAT is Nil. Hence RISK of attack is Nil inspite of high VULNERABILITY as there is absence THREAT.
RISK ASSESSMENT can be termed as systematic process of evaluating potential RISK. In other words Assessment of PROBABILITY/VULNERABILITY/IMPACT/THREAT. Prime objective of any RISK ASSESSMENT exercise is to identify the RISK, understand the RISK, quantity the RISK (though not possible always) and to TREAT the RISK.
Okay. We do all this exercise. Why? YES. To protect our precious ASSET. So very first step of RISK ASSESSMENT exercise is to identify the ASSET which we want to protect. This is essence of whole exercise. Why waste time and money on something that is not critical. It must be noted that criticality of ASSET is not always defined by its financial value but other attributes also to be accounted for. For example, Data Leakage Prevention Policy (DLPP) aims to protect DATA whose value can be negligible in absence of PRIVACY LAWS. DATA is considered valuable because of relevant regulations. Assets can be tangible or intangible. Many organisations consider their ‘REPUTATION’ as supreme asset.
Following is structured process to carry out RISK ASSESSMENT exercise:
- Identify the ASSETS.
- Identify VULNEREBILITIES/THREATS.
- Perform Impact Analysis. Define RISK INDICATOR. Remember, R = P*I. It can be quantified or qualified (High/Medium/Low).
- Apply Controls through appropriate RISK Treatment.
- Still some vulnerabilities present? Yes. If this acceptable? No. Then apply some more controls. But always ensure COST of CONTROL not to exceed COST of RISK. I would never pay one hundred and fifty crore rupees for insurance premium to protect my bungalow worth Rs. One hundred crore. (No. I don’t have 100 crore bungalow. But hope you got the point)
- Okay, now RISKS are acceptable? Yes. Then live happily with it. Let them reside with us. They are known as RESIDUAL RISKs.
RISK ASSESSMENT is iterative exercise. Above cycle to be repeated at regular interval to address new vulnerabilities. Continual RISK Assessment (CRA) is also critical to ensure that existing control are effective.
There are different standardised methodology specifically designed for RISK Assessment of Information Technology Systems like SP-800-30 document developed by NIST, FRAP (Facilitated RISK Analysis Process) and OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation). Though each methodology is developed for specific purpose they have same basic core components that we already discussed above i.e. identify vulnerabilities and threats and calculate RISK values.
- Prepared by CA. Hemang Doshi
FIII, CISA