Risk is always an interesting topic of discussion within the infosec world. We have our own industry definitions for risk, and dozens of models to draw from when measuring or managing risk. One of the most intriguing aspects of risk-oriented work within this field is indeed how we measure risk – and how we use the results to help us make better decisions.
There are several different risk assessment frameworks and methodologies that we see being employed in companies of all types and sizes. However, we tend to isolate our thinking to the application of one or two approaches that we’ve become familiar with – making the problem fit the solution instead of the other way around.
Based on my experiences over the past 23 years, I see a particular need for four different ‘types’ of risk assessment within most organizations:
Rapid Risk Assessment: We need at least one risk assessment tool that we can always keep in our pocket and use in meetings to illustrate a point. It’s also a way of analyzing risks quickly and easily, to give a general idea of what the level of risk MIGHT be. Remember – risk measurement is really all about decision making. You’re supporting the decision-making process with the output of your risk assessment – “do we or don’t we?” When you’re talking about quick and easy, a rapid risk assessment is like putting your finger up in the air to see if you can feel which way the wind is blowing. It’s not going to give you the kind of answers you’ll need to make real decisions.
Detailed Risk Assessment: We need a whole new layer of abstraction when it comes to taking real risk measurements – ones that can inform the decision-making process in a meaningful way. Whereas the rapid risk approach will help you figure out which direction the wind is blowing in, a detailed risk assessment will also help you figure out just how hard that wind is blowing, how warm or cool it may be, whether or not it carries a scent, etc. Either way, we generally use rapid and detailed risk assessment methods when we’re talking about a well-defined process or technology boundary – a specific issue or specific system, application, etc.
Contextual Risk Assessment: Looking beyond a single process or technology boundary, we start to take a bigger picture look at security. We need an assessment approach ‘type’ that’s focused on a specific ‘context’. We might be applying it to a cloud security context, or a PCI compliance context, or a program or project context. However you look at it, there are a TON of specialized security ‘contexts’ that might apply in terms of risk. The focus here? We’re looking beyond a singular point of focus and finding a mechanism by which we can consider risk from a bird’s eye view, or within a broader but more specialized scope. That said, there may also be a need to connect one or more rapid or detailed risk assessments to a larger contextual one, perhaps using them as building blocks to draw a broader range of conclusions.
Organizational Risk Assessment: We also need a way to look at risk across the organization. We always say that it’s industry best practice to conduct an organization-wide risk assessment at least once a year. Some of us can push this envelope out to 18 month intervals, which is still fine. After 18 months, though, things have likely changed SO MUCH that you really have no excuse whatsoever for blowing past that time frame. When you’re talking about information security risk across an entire organization, the process can be quite daunting. Organizational risk assessments are a special case unto themselves, with very carefully laid out processes to help streamline activities while gathering the information you need; all while avoiding the common pitfalls that cause most large-scale risk assessments to fail in meeting their true intended purpose.
By presenting these ‘types’ of risk assessment approaches, I am not by any means suggesting that this is the ‘end of the rainbow’, so to speak. We still need quantitative and qualitative risk measurement variants, assessments that focus on networks, systems, applications, processes, etc., assessments that help us stay compliant or meet specific governance requirements, and assessments that help us make good (or at least better, more informed) decisions in general.
For me, it’s all about having the right tool to perform the job at hand as efficiently and effectively as possible!