A commonly accepted definition of risk is: “The likelihood that a threat (or a threat agent) will exploit a given vulnerability, multiplied by the business impact of that exploit.” In information security, threats are typically broken down into the three categories of natural, facility or human, and the impacts are assessed against the confidentiality, integrity and availability of information assets. Organizations have been successfully implementing this formula to assess risk for years. What organizations struggle with is when to conduct this type of assessment, and how to use the results to make decisions to apply time, money and resources to reduce risk. From the perspective of information assets, the risk assessment approach I find to be the most effective is to assess risk in two ways:
The first step is to assess the inherent risk. The inherent risk of a system is the risk that the system poses “out of the box,” without any people, process or technology controls in place. When assessing inherent risk, the following questions should be answered:
The answers to the above questions should be used to generate a score for inherent risk. This can be either qualitative (high, medium, low, etc.) or quantitative (100, 50, 0, etc.), and the score calculation should be incorporated into an algorithm so that the scoring is repeatable for all systems assessed.
After the inherent risk score for a given system has been obtained, the next step is to determine the residual risk score. The residual risk of a system is the risk that remains after the people, process and technology security measures have been implemented. When assessing residual risk, the following questions should be answered:
The answers to the above questions should be used to generate a score for residual risk. The percentage of required controls that have actually been implemented is a quantitative score that can be converted to a qualitative “effectiveness” rating. For example, a control implementation of 90% or higher may be considered “highly effective,” while a control implementation of 70% or lower may be considered “ineffective.” The residual risk score is then the combination of a system's inherent risk score and its percentage of compliance with the required controls, as reflected in the chart below:
The residual risk score is a qualitative score that is more granular than inherent risk. Inherent risk is commonly assigned one of the three scores of high, medium or low, while residual risk is commonly broken out into five or more scores of high, medium-high, medium, medium-low and low. This granularity will highlight control implementation progress over time and better reflect the change in overall risk.
The residual risk score is what should be driving decisions regarding the allocation of time, money and resources to reduce risk. Representatives from the business and executive board in an organization should establish what the acceptable residual risk score is for each system, and they will be able to make informed decisions regarding risk remediation if they are able to understand both the inherent risk of a system and the residual risk of that same system as it is currently implemented in their environment.
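As an added, runnable illustration of the two-step scoring described above (this is example code written for this page, not the author's own tool, questionnaire or chart): the 90% and 70% effectiveness thresholds and the three-tier/five-tier scales are taken from the post; the CIA-impact rule for the inherent tier, the “partially effective” label for the 70–90% band, and the step-down mapping from inherent tier plus control effectiveness to the five residual tiers are assumptions standing in for the missing questions and chart. The assumed mapping never lets controls raise risk above the inherent tier and gives no credit for ineffective controls.

```python
"""Two-step risk scoring (inherent, then residual) as a repeatable algorithm.

Example code for this page; the 90% / 70% effectiveness thresholds come from
the post, everything else is an assumption (see comments).
"""
from dataclasses import dataclass

# Qualitative scales used in the post: three inherent tiers, five residual tiers,
# ordered from least to most risk.
INHERENT_TIERS = ("low", "medium", "high")
RESIDUAL_TIERS = ("low", "medium-low", "medium", "medium-high", "high")

# The post's quantitative equivalents of the inherent tiers (100 / 50 / 0).
INHERENT_POINTS = {"high": 100, "medium": 50, "low": 0}

# Effectiveness thresholds quoted in the post; the label for the 70-90% band is assumed.
HIGHLY_EFFECTIVE_PCT = 90
INEFFECTIVE_PCT = 70

# Assumption standing in for the post's chart: how many steps down the five-tier
# residual scale each effectiveness band buys. Controls never lower risk below
# "low", and "ineffective" controls earn no credit at all.
STEPS_DOWN = {"highly effective": 2, "partially effective": 1, "ineffective": 0}


@dataclass(frozen=True)
class Control:
    name: str
    required: bool      # is this control required for the system's inherent tier?
    implemented: bool


def inherent_risk(impacts):
    """Inherent tier and points from CIA impact ratings (0 low, 1 medium, 2 high).

    Assumption: the system is rated "out of the box", so no controls are
    considered, and the tier follows the worst of the three impact ratings.
    """
    worst = max(impacts[k] for k in ("confidentiality", "integrity", "availability"))
    tier = INHERENT_TIERS[worst]
    return tier, INHERENT_POINTS[tier]


def compliance_pct(controls):
    """Percentage of the *required* controls that are actually implemented."""
    required = [c for c in controls if c.required]
    if not required:          # nothing required: treat as fully compliant
        return 100.0
    return 100.0 * sum(c.implemented for c in required) / len(required)


def effectiveness(pct):
    """Convert a compliance percentage to the post's effectiveness rating."""
    if pct >= HIGHLY_EFFECTIVE_PCT:
        return "highly effective"
    if pct <= INEFFECTIVE_PCT:
        return "ineffective"
    return "partially effective"


def residual_risk(inherent_tier, pct):
    """Combine the inherent tier with control compliance into a residual tier."""
    start = RESIDUAL_TIERS.index(inherent_tier)   # high=4, medium=2, low=0
    idx = max(0, start - STEPS_DOWN[effectiveness(pct)])
    return RESIDUAL_TIERS[idx]


def within_appetite(residual_tier, acceptable_tier):
    """True when residual risk is at or below the tier the business accepts."""
    return RESIDUAL_TIERS.index(residual_tier) <= RESIDUAL_TIERS.index(acceptable_tier)


def assess(impacts, controls):
    """Full assessment record for one system."""
    tier, points = inherent_risk(impacts)
    pct = compliance_pct(controls)
    return {
        "inherent": tier,
        "inherent_points": points,
        "compliance_pct": pct,
        "effectiveness": effectiveness(pct),
        "residual": residual_risk(tier, pct),
    }


def track_progress(inherent_tier, compliance_history):
    """Residual tier after each assessment cycle, to show remediation progress over time."""
    return [residual_risk(inherent_tier, pct) for pct in compliance_history]


if __name__ == "__main__":
    # Constructed sample: a customer database with high confidentiality impact,
    # ten required controls of which six are in place, plus one optional control.
    impacts = {"confidentiality": 2, "integrity": 1, "availability": 1}
    controls = [Control(f"control-{i}", required=True, implemented=i < 6) for i in range(10)]
    controls.append(Control("nice-to-have hardening", required=False, implemented=False))
    print(assess(impacts, controls))
    # The same system across three assessment cycles: 60% -> 80% -> 90% compliance.
    print(track_progress("high", [60, 80, 90]))
    print("within appetite:", within_appetite(assess(impacts, controls)["residual"], "medium"))
```

Because the inherent tier is computed only from impact ratings and the residual tier only from that tier plus a measured compliance percentage, two assessors scoring the same system get the same answer, and re-running the assessment each cycle shows the residual tier stepping down as controls land while the inherent tier stays put.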