Why Manage Risks?
Impact: negative consequence arising from a threat exploiting a vulnerability of an asset.
Asset: any element representing value for an organisation/company.
Generally speaking, security aims to reduce both the number and the scope of these impacts:
- financial
- legal
- on reputation
- on time (lost)
- on expertise
- on health.
Most impacts, except for financial ones, cannot be covered by any form of insurance. They therefore need to be prevented from arising in the first place, or their consequences mitigated, by reducing the vulnerabilities of the various assets. This reduction of vulnerabilities is often difficult to achieve and may incur substantial costs, especially if redundancies have to be created. Threats themselves, however, cannot be acted upon, as they are beyond the control of the organisation.
As it is not possible, or at least not immediately possible, to address all vulnerabilities, it is preferable to address first those vulnerabilities whose exploitation could lead to significant or even critical impacts. This requires introducing the concept of priorities and a ‘road map’.
Standard ISO/IEC 27005 (risk management) puts forward a methodological strategy aimed at identifying existing risks, quantifying them, assessing them, and ultimately proposing a way to deal with them. The standard proposes four types of treatment:
- reduction, by implementing the measures identified in ISO/IEC 27002,
- transfer of the risk to a specialist (sub-contracting),
- acceptance of the risk,
- rejection of the risk, which obviously involves stopping the activity in question.
Using this method, it is possible to identify the various risks faced by an organisation. For each business and information process, the supporting assets required to carry it out are analysed from a threat, vulnerability, and impact standpoint. For each asset, the existing threats and vulnerabilities are listed. Realistic threat-vulnerability pairings, also known as ‘attack scenarios’, are retained, and the risk is then calculated based on the importance of the asset (its importance for the primary process concerned, i.e. the value of the asset).
The risk assessment is a calculation based on:
- the probability of the threat,
- the ease of exploiting the vulnerability (considering existing security measures)
- the scope of the impact (risk estimation).
In the risk evaluation step, the various risks are ranked according to their significance.
Finally, a treatment is proposed for each risk that the assessment shows to present an unacceptable level.
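The procedure above, carried through as an added example that is not part of the original text: a small risk register in which each attack scenario is scored from asset value, threat probability, ease of exploitation and impact, ranked, and mapped to one of the four treatment options. The 1-3 scales, the multiplicative formula, the acceptance threshold and the treatment decision rule are assumptions made for illustration; ISO/IEC 27005 does not prescribe any of them.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    """One realistic threat-vulnerability pairing ('attack scenario') for an asset."""
    asset: str
    asset_value: int         # importance of the asset for the primary process, 1 (low) to 3 (high)
    threat: str
    vulnerability: str
    likelihood: int          # probability of the threat, 1-3
    ease: int                # ease of exploiting the vulnerability given existing measures, 1-3
    impact: int              # scope of the impact, 1-3
    insurable: bool = False  # only purely financial impacts can be insured (see text above)

def risk_level(s: Scenario) -> int:
    """Risk estimation (assumed formula): asset value x threat probability x ease x impact."""
    return s.asset_value * s.likelihood * s.ease * s.impact

def propose_treatment(s: Scenario, acceptance_threshold: int) -> str:
    """Assumed decision rule mapping a scenario to one of the four ISO/IEC 27005 options."""
    if risk_level(s) <= acceptance_threshold:
        return "accept"
    if s.ease > 1:           # room left for ISO/IEC 27002 measures to lower the ease of exploitation
        return "reduce"
    if s.insurable:          # nothing more to reduce, but the financial impact can be transferred
        return "transfer"
    return "reject"          # unacceptable, not reducible, not insurable: stop the activity

def evaluate(register, acceptance_threshold=10):
    """Risk evaluation: rank scenarios by level (highest first) and attach a proposed treatment."""
    ranked = sorted(register, key=risk_level, reverse=True)
    return [(risk_level(s), s.asset, s.threat, propose_treatment(s, acceptance_threshold))
            for s in ranked]

# Constructed sample register illustrating the closing remark of the text: fire versus water.
REGISTER = [
    Scenario("server room", 3, "fire", "combustible storage nearby (sprinklers installed)", 1, 1, 3),
    Scenario("server room", 3, "water leak", "pipes above racks, no leak sensor", 3, 3, 3),
    Scenario("laptops", 2, "theft", "disks not encrypted", 2, 2, 2),
    Scenario("vehicle fleet", 2, "accident", "daily road use", 3, 1, 2, insurable=True),
]

if __name__ == "__main__":
    for level, asset, threat, treatment in evaluate(REGISTER):
        print(f"{level:3d}  {asset:<14} {threat:<12} -> {treatment}")
```

With these constructed values the water leak (81) far outranks fire (9), so the register directs investment to leak detection rather than additional fire protection.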
This strategy may seem arduous, but it is the only way to prioritise investments safely. The effectiveness of these strategies lies in the fact that they are tailored to the most “promising” attack scenarios.
Why invest millions in fire protection when the main threat comes from water?