Understanding Risk Management
Risk management is the discipline of identifying, assessing, and prioritizing potential risks so that individuals and organizations can proactively minimize the impact of adverse events and capitalize on opportunities.
Risk management involves carefully analyzing potential threats, evaluating their probability and potential impact, and devising strategies to mitigate or avoid them altogether. By doing so, individuals and organizations can make informed decisions, allocate resources effectively, and safeguard their interests. Whether the goal is ensuring data security or preparing for unexpected events, a robust risk management strategy is fundamental to resilience and sustainability.
Risk Identification Techniques
Identifying risks is one of the most challenging tasks.
Identifying risk is experience-based.
Information gathering (reconnaissance) is essential.
Brainstorming sessions with teams and senior engineers
Delphi Technique (questionnaires)
Interviewing
Root Cause Analysis
SWOT Analysis (Strengths, Weaknesses, Opportunities, and Threats)
Risk Assessment and Prioritization
Risk assessment is critical in identifying, evaluating, and prioritizing (quantitatively and qualitatively) potential risks or uncertainties in various scenarios. It involves a systematic approach to analyzing factors that could threaten the well-being of individuals, organizations, or the environment.
Quantitative Risk Assessments: Use cost and asset values to express risks in monetary terms.
Qualitative Risk Assessments: Use judgment to categorize risks by probability and impact.
Prioritization Dependencies
Risk Mitigation: A response that reduces a risk to fit within an organization's risk appetite.
Risk Avoidance: A response involving ceasing an activity that presents a risk to the organization.
Risk Transfer: Moving responsibility for the risk to, or sharing it with, a third party.
Risk Acceptance: Determining that a risk falls within an organization's appetite and applying no countermeasures.
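The scoring and response mapping described above, as an added example that is not part of the original notes. Each risk in a small register is scored qualitatively (probability x impact on a 1-5 scale) and quantitatively (expected annual loss in money), the register is ranked, and each risk is mapped to one of the four responses against a stated appetite. The scales, the band boundaries, the appetite figure, and every register entry are constructed sample values, not figures from the notes.

```python
"""Added example: a risk register scored both qualitatively and quantitatively,
prioritized, and mapped onto the four risk responses. All values are constructed."""
from dataclasses import dataclass

# Assumed qualitative bands for a 5x5 probability-by-impact matrix (score 1-25).
LEVELS = {"Low": range(1, 6), "Medium": range(6, 13), "High": range(13, 26)}


@dataclass
class Risk:
    name: str
    probability: int            # qualitative likelihood, 1 (rare) to 5 (almost certain)
    impact: int                 # qualitative impact, 1 (negligible) to 5 (severe)
    asset_value: float          # monetary value of the affected asset
    loss_fraction: float        # share of the asset value lost per event (0-1)
    annual_frequency: float     # expected number of events per year
    avoidable: bool = False     # could the risky activity simply be stopped?
    transferable: bool = False  # could it be insured or contracted out?

    def qualitative_score(self) -> int:
        return self.probability * self.impact

    def qualitative_level(self) -> str:
        score = self.qualitative_score()
        for level, band in LEVELS.items():
            if score in band:
                return level
        raise ValueError(f"score {score} lies outside the 1-25 matrix")

    def expected_annual_loss(self) -> float:
        # Quantitative view: money lost per event times events per year.
        return self.asset_value * self.loss_fraction * self.annual_frequency


def choose_response(risk: Risk, appetite: float) -> str:
    """Map one risk onto accept / avoid / transfer / mitigate, relative to a
    monetary appetite (the expected annual loss the organization tolerates)."""
    if risk.expected_annual_loss() <= appetite:
        return "Accept"     # within appetite: no countermeasure
    if risk.avoidable:
        return "Avoid"      # cease the activity altogether
    if risk.transferable:
        return "Transfer"   # move or share it with a third party
    return "Mitigate"       # implement controls to bring it within appetite


def prioritize(register: list[Risk]) -> list[Risk]:
    # Rank by monetary exposure first, qualitative score as the tie-breaker.
    return sorted(register,
                  key=lambda r: (r.expected_annual_loss(), r.qualitative_score()),
                  reverse=True)


# Constructed sample register (names and numbers are illustrative only).
REGISTER = [
    Risk("Ransomware on file server", 3, 5, 400_000, 0.5, 0.2),
    Risk("Laptop theft", 4, 2, 4_000, 1.0, 3.0, transferable=True),
    Risk("Legacy FTP service exposed", 4, 4, 50_000, 0.4, 0.5, avoidable=True),
    Risk("Printer firmware out of date", 2, 1, 1_500, 0.2, 0.1),
]
APPETITE = 7_500.0  # constructed: tolerated expected annual loss per risk


def build_report(register=REGISTER, appetite=APPETITE) -> list[tuple[str, str, float, str]]:
    """Return (name, qualitative level, expected annual loss, response) in priority order."""
    return [(r.name, r.qualitative_level(), r.expected_annual_loss(), choose_response(r, appetite))
            for r in prioritize(register)]


if __name__ == "__main__":
    for name, level, eal, response in build_report():
        print(f"{name:32} {level:6} EAL={eal:>10,.0f} -> {response}")
```

The two views deliberately disagree in places: the exposed FTP service and the ransomware scenario are both "High" qualitatively, but the monetary ranking separates them by a factor of four, which is the kind of information a qualitative matrix alone cannot give a decision-maker.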
Risk Management Phases
Phase 1 [Systems Inventory]: Begin with those assets that are most critical to the continued accomplishment of the organization's mission.
Necessary – the organization cannot operate without this asset, even temporarily.
Essential – the organization could work around the loss of the information asset for days or a week, but eventually the asset would have to be returned to use.
Typical – the organization can operate without this information asset for an extended (though finite) period, during which units or individuals may be inconvenienced and need to identify alternatives.
Phase 2 [Threat Analysis]: Identifying potential threats to critical systems. It must involve business process owners and business process users. They are the ones who can recognize and appreciate the threats to their livelihood that would adversely affect their ability to accomplish their critical functions.
Phase 3 [Infrastructure Vulnerability Assessment]: Identifying technology vulnerabilities that can be exploited. Once the target systems have been identified, internal and external experts should examine the IT systems for weaknesses that could be exploited and for the likelihood of someone attacking them. This should lead to a list of actions to correct. Many of these will be corrected on the spot but should still be documented. Some vulnerabilities may not be immediately correctable, but the process will document and recognize them for subsequent risk management decisions.
Phase 4 [Developing Security Recommendations]: The first three phases give you a measure of risk, threats, and vulnerabilities and an understanding of how these impact the organization's business. The risk-analysis process should lead the organization to control and define the residual risk. Controls are aimed at mitigating recognized risks to levels acceptable to the company. Implementation is a risk/value proposition because all controls have associated costs: the costs of operations and maintenance, and those related to usability, scalability, and performance. Evaluating controls based on business risk lets you establish a coherent plan for risk mitigation instead of isolated point solutions to technical challenges.
Phase 5 [Decision]: Acting on the risk management recommendations. The recommendations should provide a strategic and tactical action plan. The business owners must be responsible for the decision phase, with the advice of IT and security personnel. Informed decisions can then be made with a focus on ensuring the continuity of business-critical assets and processes. Possible choices are to accept the risk (do nothing), mitigate the risk (implement controls), or transfer the risk (buy insurance). The decision to implement controls should be based on the business value they add. Risk management is not a goal in itself; information should be protected only to support a business need or requirement. Such requirements should be spelled out in information security policies. Risk assessment builds a linkage between business needs and the security program. Onerous (burdensome) decisions that negatively impact business practices, real or perceived, are best made in an informed manner and then documented and communicated.
Phase 6 [Communication and Monitoring]: User and management buy-in are critical to successfully implementing controls. The final stage of the process is to ensure that risk-assessment results are communicated to business-process owners and end users, and that the positive and negative results are monitored and assessed for net effect.
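The risk/value proposition of Phase 4 and the accept/mitigate/transfer choice of Phase 5, worked through as an added example (not code from the original notes). Each candidate control is judged on the residual expected loss it leaves and the annualized cost it adds (amortized acquisition plus operations and maintenance); the decision for each asset is whichever option leaves the organization with the lowest total expected annual cost, and the action plan is ordered by the Phase 1 criticality tiers. The asset names, control names, effectiveness fractions, costs and premiums are all constructed sample values, and the tiers-first ordering and the "lowest total cost wins" rule are assumptions made for this example.

```python
"""Added example: control cost/benefit evaluation (Phase 4) feeding the
accept / mitigate / transfer decision (Phase 5), ordered by Phase 1 tiers.
All asset, control and cost figures are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Phase 1 criticality: more critical assets are decided on first.
TIER_ORDER = {"Necessary": 0, "Essential": 1, "Typical": 2}


@dataclass
class Control:
    name: str
    effectiveness: float      # fraction of the expected loss the control removes (0-1)
    acquisition_cost: float   # one-off purchase / build cost
    lifetime_years: int       # period over which the acquisition cost is amortized
    annual_om_cost: float     # operations, maintenance, usability and performance overhead

    def annual_cost(self) -> float:
        return self.acquisition_cost / self.lifetime_years + self.annual_om_cost


@dataclass
class AssessedRisk:
    asset: str
    tier: str                              # Necessary / Essential / Typical
    expected_annual_loss: float            # output of the earlier assessment phases
    candidate_controls: list[Control] = field(default_factory=list)
    transfer_premium: Optional[float] = None   # annual cost of insuring the risk, if offered


def residual_loss(risk: AssessedRisk, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return risk.expected_annual_loss * (1.0 - control.effectiveness)


def control_net_value(risk: AssessedRisk, control: Control) -> float:
    """Risk reduction bought minus what the control costs per year.
    A negative value means the control costs more than the risk it removes."""
    reduction = risk.expected_annual_loss - residual_loss(risk, control)
    return reduction - control.annual_cost()


def decide(risk: AssessedRisk) -> tuple[str, Optional[str], float]:
    """Return (decision, control name or None, total annual cost), choosing the
    cheapest of: accept (bear the full loss), mitigate (residual loss plus control
    cost, for each candidate control), transfer (pay the premium)."""
    options: list[tuple[str, Optional[str], float]] = [
        ("Accept", None, risk.expected_annual_loss),
    ]
    for c in risk.candidate_controls:
        options.append(("Mitigate", c.name, residual_loss(risk, c) + c.annual_cost()))
    if risk.transfer_premium is not None:
        options.append(("Transfer", None, risk.transfer_premium))
    return min(options, key=lambda o: o[2])


def decision_plan(risks: list[AssessedRisk]) -> list[tuple[str, str, Optional[str]]]:
    """Phase 5 action plan: most critical tier first, then largest exposure first."""
    ordered = sorted(risks, key=lambda r: (TIER_ORDER[r.tier], -r.expected_annual_loss))
    return [(r.asset, *decide(r)[:2]) for r in ordered]


# Constructed sample input.
RISKS = [
    AssessedRisk("Order database", "Necessary", 60_000.0, [
        Control("Offline backups + tested restore", 0.8, 20_000, 4, 5_000),
        Control("Full DB replication cluster", 0.95, 120_000, 4, 15_000),
    ]),
    AssessedRisk("Marketing website", "Typical", 3_000.0,
                 [Control("WAF subscription", 0.7, 0, 1, 6_000)],
                 transfer_premium=2_000.0),
    AssessedRisk("Payroll system", "Essential", 25_000.0,
                 [Control("MFA for finance staff", 0.6, 4_000, 4, 1_000)]),
]


if __name__ == "__main__":
    for asset, decision, control in decision_plan(RISKS):
        print(f"{asset:20} -> {decision}" + (f" via {control}" if control else ""))
```

Two points the numbers make: the stronger control for the order database (replication) is rejected because its annual cost exceeds the extra loss it prevents, and the website's control is rejected outright because it costs more per year than the whole risk, so transferring that risk is the cheaper business decision.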
Risk Management Cycle
Assessing risks and determining protection needs.
Selecting and implementing cost-effective policies and controls to meet these needs.
Promoting awareness, among those responsible for complying with them, of the policies and controls and of the risks that prompted their adoption.
Implementing a program of routine tests and examinations for evaluating the effectiveness of policies and related controls and reporting the resulting conclusions to those who can take appropriate corrective action.
Risk Management Failures
Poor security risk management leads to organizations that:
Are not fully aware of the information security risks to their operations.
Accept an unknown level of risk by default rather than consciously deciding what level is tolerable.
Have a false sense of security because they rely on ineffective controls.
Deal with security on an ad-hoc, reactive basis.
Cannot make informed judgments about whether they spend too little or too much of their resources on security.