Managing information security risks is a key process underpinning the security of every organization. Unfortunately, in many cases, information security risk management is still an area for improvement, with many organizations focusing primarily on the implementation of best-practice security controls rather than on the systematic assessment and appropriate treatment of risks. When it comes to information security risks, very few organizations are in a position to clearly say “these are the risks we are currently facing, these are the controls we have put in place, and these are the risks we have accepted”. To begin with, a shared understanding of what a risk is remains uncommon among organizations. In this article we use the definitions given in the ISO27005 standard, which provides guidelines for the management of information security risks. According to ISO27005:
“An information security risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”
In other words, for a risk to exist we must have an asset (something of value to the organization, such as information or a business process) and there must be the possibility of an incident, related to that asset, that would have a negative impact on the organization. The following definitions are very important.
Risk Analysis – This is the process of identifying and quantifying risks. The output of the risk analysis process is a list of risk statements, each with an associated value (e.g. High, Medium, Low or 1, 2, 3). Risk analysis gives us an idea of the risks we are facing and their impact on the organization.
Risk Assessment – This is the process of prioritizing risks based on what is important for the organization. Risk assessment takes the output of the risk analysis and sorts the risks according to criteria that reflect the priorities and values of the organization.
Risk Treatment – Once risks have been sorted, this is the process of “dealing” with risks and deciding what to do about them. The traditional four risk treatment options are:
- Accept – The risk is accepted as other options are not viable
- Mitigate – Security controls are put in place to reduce the value of the risk (e.g. by reducing the impact or the likelihood of the event).
- Avoid – Removing the source of the risk, for instance by changing the way we operate.
- Transfer – This option transfers the impact of the risk to a third party. However, ownership of the risk still lies with the company.
Risk Management – This is the overall process of assessing and treating the risks.
Based on the above definitions, the two most serious shortcomings we see in practice are the following:
1) Lack of Senior Management Commitment
Senior Management expects their staff to manage risks. However, as we have seen, risk management includes two activities, each requiring input from the Senior Management:
- Risk Assessment: Risks cannot be prioritized unless Senior Management clearly communicates what is important for the organization. For instance, is it reputation or finance?
- Risk Treatment: Once risks have been sorted in order of importance, a decision has to be made on how to deal with them. Which risks are to be accepted, and what are the criteria for acceptance? This decision lies with Senior Management. The process can be streamlined once the criteria have been defined, but lack of involvement means that risks will not be treated according to the priorities of the business. In many cases Senior Management refuses to take ownership of the risk while at the same time denying the resources required for its mitigation!
2) Lack of documented methodology
For risk management to work, the organization must clearly document how each of the risk management activities is to be carried out, so that the process produces comparable and reproducible results. Risk is a subjective concept. What is considered a risk by one organization may not be considered a risk by another. Two organizations may agree that something is a risk but value it differently. Subjectivity is accepted and to be expected. However, subjectivity must be applied consistently. For instance, a risk management methodology whose risk acceptance process simply states “Risk Acceptance is the responsibility of Senior Management” is completely insufficient, since the same risk may be deemed acceptable or unacceptable depending on the mood of the Management on the day!
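To make the three activities defined above (analysis, assessment, treatment) and the documented-methodology point concrete, here is an added example that is not part of the article: a small risk register in Python where the priority weights (reputation versus finance) and the acceptance threshold are fixed values written into the methodology, so two people running it get the same ordering and the same acceptance decisions. The risk statements, the weights and the threshold are constructed sample values, not taken from ISO27005.

```python
from dataclasses import dataclass, field

# Constructed sample data and assumed methodology values. The 1-3 scales follow the
# article; the weights and threshold are assumptions a real methodology would document.
@dataclass
class Risk:
    statement: str                               # the risk statement produced by risk analysis
    asset: str                                   # the asset the threat acts on
    likelihood: int                              # 1 = Low, 2 = Medium, 3 = High
    impact: dict = field(default_factory=dict)   # impact level per business area, same 1-3 scale

# Documented priorities: which business area Senior Management says matters most (assumed values).
REPUTATION_FIRST = {"reputation": 7, "finance": 3}
FINANCE_FIRST = {"reputation": 3, "finance": 7}
# Documented acceptance criterion: scores at or below this may be accepted (assumed value).
ACCEPTANCE_THRESHOLD = 30

def analyse(risk, weights):
    """Risk analysis: likelihood x priority-weighted impact, kept as an integer so results are reproducible."""
    weighted_impact = sum(weights[area] * level for area, level in risk.impact.items())
    return risk.likelihood * weighted_impact

def assess(risks, weights):
    """Risk assessment: order the analysed risks by the organization's documented priorities, highest first."""
    return sorted(risks, key=lambda r: analyse(r, weights), reverse=True)

def treat(risk, weights, threshold=ACCEPTANCE_THRESHOLD):
    """Risk treatment: the written criterion decides acceptance; anything above it needs a
    treatment plan (mitigate, avoid or transfer) chosen by the risk owner, not a mood on the day."""
    return "accept" if analyse(risk, weights) <= threshold else "treat"

def risk_register(risks, weights, threshold=ACCEPTANCE_THRESHOLD):
    """Run the three steps and return (statement, score, decision) rows in priority order."""
    return [(r.statement, analyse(r, weights), treat(r, weights, threshold)) for r in assess(risks, weights)]

# Constructed sample risks.
SAMPLE_RISKS = [
    Risk("Customer records disclosed via unpatched web server", "customer database", 2, {"reputation": 3, "finance": 2}),
    Risk("Payroll batch job fails at month end", "payroll system", 3, {"reputation": 1, "finance": 3}),
    Risk("Internal wiki unavailable for a day", "intranet wiki", 3, {"reputation": 1, "finance": 1}),
]

if __name__ == "__main__":
    # Same risks, two different management priorities: the ordering changes, the acceptance rule does not.
    for weights in (REPUTATION_FIRST, FINANCE_FIRST):
        print(weights)
        for statement, score, decision in risk_register(SAMPLE_RISKS, weights):
            print(f"  {score:3d}  {decision:7s}  {statement}")
```

Running it shows the top-ranked risk flipping between the customer-data disclosure and the payroll failure depending on which priority set Management has communicated, while the wiki outage is accepted under both because the threshold is written down.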
To conclude, risk management is the process of rationalizing the use of company resources for the treatment of information security risks. If ineffective, it results in resources being wasted and risks not being addressed appropriately. Senior Management is responsible for establishing the risk management process, and when risks are not being managed, the finger should always be pointing upstairs.