Risk Management for Security Professionals 1: What is Risk?
Security is an important topic for many companies, but if you treat security as the only thing that matters, you may go too far or in the wrong direction. Through this blog series, I will explain risk management in general, looking from a somewhat higher viewpoint than the security scope alone.
Risk includes probability
In ISO 31000:2018 Risk management – Guidelines, one of the most widely used risk management frameworks, risk is defined as “effect of uncertainty on objectives”. For those who are not familiar with risk management, the Cambridge Dictionary (online) definition, “the possibility of something bad happening”, may be easier to understand. The point here is that risk includes probability.
The table below is an example of a common risk assessment approach, the risk heat map (or risk matrix). In this approach, risks are assessed on two or more dimensions, including likelihood (or probability); each cell is the likelihood rating multiplied by the impact rating.
Risk Heat Map (rows: Likelihood, columns: Impact)
Likelihood \ Impact | Low - 1 | Medium - 2 | High - 3 |
---|---|---|---|
Very Likely - 3 | 3 | 6 | 9 |
Likely - 2 | 2 | 4 | 6 |
Unlikely - 1 | 1 | 2 | 3 |
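The following is an added example, not code from the original post: it reproduces the heat map above as a scoring function, ranks a small constructed risk register by score, and refuses to score an entry that has no likelihood, which is the point that a bare threat or problem is not yet a risk. The scale labels and values are the page's; the register entries are hypothetical sample data.

```python
# Added example (not from the original post): scoring risks with the
# likelihood x impact heat map. Scale labels/values follow the table on
# the page; the risk register below is constructed sample data.

LIKELIHOOD = {"Unlikely": 1, "Likely": 2, "Very Likely": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Return the heat-map cell value: likelihood rating times impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def heat_map() -> dict[tuple[str, str], int]:
    """Build the full 3x3 matrix so it can be compared with the table above."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


def rank_risks(register: list[dict]) -> list[tuple[str, int]]:
    """Score every register entry and sort with the highest score first.

    Each entry needs 'name', 'likelihood' and 'impact'. An entry without a
    likelihood is a threat or problem label, not a risk, and cannot be scored.
    """
    scored = []
    for entry in register:
        if "likelihood" not in entry:
            raise ValueError(f"{entry['name']!r} has no likelihood, so it is not a risk yet")
        scored.append((entry["name"], risk_score(entry["likelihood"], entry["impact"])))
    # sorted() is stable, so entries with equal scores keep register order
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register (hypothetical values, not from the page)
SAMPLE_REGISTER = [
    {"name": "Office fire", "likelihood": "Unlikely", "impact": "High"},
    {"name": "Information disclosure via poor access management",
     "likelihood": "Likely", "impact": "High"},
    {"name": "Phishing email received", "likelihood": "Very Likely", "impact": "Low"},
]

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_REGISTER):
        print(f"{score}: {name}")
```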
Problem is not Risk
There are several terms that often get confused with risk. Let’s check these concepts in the table below.
Term | Definition | Example (physical safety) | Example (information security) |
---|---|---|---|
Threat | “potential cause of an unwanted incident, which can result in harm to a system or organization” (ISO/IEC 27000:2018) | Fire | Information disclosure |
Vulnerability | “weakness of an asset or control that can be exploited by one or more threats” (ISO/IEC 27000:2018) | Lack of fire extinguisher | Poor access management |
Hazard | “something that is dangerous and likely to cause damage” (Cambridge Dictionary (online)) | Large amount of gasoline | A compromised user credential |
Problem | “a situation, person, or thing that needs attention and needs to be dealt with or solved” (Cambridge Dictionary (online)); “a cause, or potential cause, of one or more incidents” (ITIL® 4) | Lack of employees’ safety mindset | Lack of security personnel |
In practice, the threat is often used as the label for a risk (e.g. “fire risk”), but you need to consider the probability when you discuss the risk. In the security field, it is also common to describe risk in terms of threat and vulnerability, as in “risk = threat * vulnerability” (Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition).
Risk is not Limited to Negative Risk
By the way, the ISO 31000 risk definition “effect of uncertainty on objectives” comes with several notes, including “An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.” We normally look at risks negatively, but this note highlights that risk is not limited to negative risks. Investment is one area that manages positive risks. Imagine you are about to invest in a stock. You may select a newly launched business even though the probability of business failure is higher than for a large infrastructure company. Why? Because the probability that the stock price will jump up is high as well.
Reducing risks may also ruin the opportunities for a positive effect. That is why risk appetite (which ISO 31000:2018 describes as the “amount and type of risk that may or may not be taken”) must be established based on the company’s context, and management commitment is essential for it. Risk management is, so to speak, inseparable from business strategy.
If you need any assistance or have any questions regarding risk management or cybersecurity in general, feel free to contact us.
Reference
ISO 31000:2018 Risk management — Guidelines, https://www.iso.org/iso-31000-risk-management.html