The Risk Analysis

Today, there are very interesting business opportunities in an incredibly diverse environment. This diversity brings huge opportunities for every business. However, we have to be aware of the rules. Where there is an opportunity, there is a risk; the greater the opportunity, the greater the risk we must assume.

Companies are aware of this fact and focus on the opportunity analysis using CRM and other specialized tools. The area of opportunity assessment is therefore mastered.

If a company focuses on risks, it is aware of the fact that risks exist. In addition to the awareness, there are a lot of questions. What risks can we expect? Where might the danger come from? Where are our vulnerabilities? Can we defend ourselves effectively?

Let us be aware that these are not general risks. The risks that the company is exploring at that moment are in an area that is certainly not static; it is about information. Information has interesting properties: it arises, it is modified, it moves, it disappears and, above all, it is of great interest.

The result of these questions is, at best, a few charts that make a good faith effort to describe the issue. Their relevance gradually disappears with the fluctuation of human resources. The attempt to manage the risks is supported by a chart with a promise that the responsible person will comply with the requirement and implement the measures.

In the worst case scenario, those in charge will become scared of the rather difficult task that management has imposed on them and will not even begin, with the excuse that it cannot be done.

We will therefore try to highlight the key milestones that lead to gaining control over risks in a company.

At the beginning of the risk analysis, we need to identify the key company services that the risk analysis will address. For appropriate selection, we can focus on the areas of internal company operations, services provided to customers, high creditworthiness services, high penalty services, services with sensitive information, etc.

The risk analysis uses the term Primary Asset for services defined in this way.

Every service provided requires premises, human resources, equipment and information. So let's use the common term – asset. It is therefore necessary to identify the key assets for each service in the risk analysis. The number of services increases with the number of assets, and some services use the same assets. This is the point at which the charts stop working properly and the system becomes unsustainable.

It is advisable to define the types of assets and categorize each item by type into people, hardware, software, network elements, information, etc.

It is much easier to gain control over a smaller group of elements.

Three aspects of information security should be used to evaluate the asset.

Confidentiality – the level of classified information with which the asset comes into contact.

Integrity – the value of the impact of an unauthorized change to the information.

Availability – impact value of unavailability of information.

Using an appropriate methodology, we determine the value of the asset and thus obtain an attribute by which we can determine the priority of each asset

This point in the development of the risk analysis will provide the company with the first answers to the above questions.

For beginners, it is advisable to use the standard threats and vulnerabilities codebook. More advanced and experienced ones can create threats according to the experience and knowledge of their company.

Just ask yourself a basic question: "What can put information at risk?" Let’s consider the printed form, the electronic form on media, the electronic form in information systems.

I think most of us can think of threats such as fire, flooding, theft, vandalism or user error. Of the modern threats, we think of cybercrime in its many forms, ransomware, phishing and malware. Of course, there are also special threats arising from the services provided to customers. It is advisable to consult such threats directly with the customer and agree on a risk assessment procedure.

Determining vulnerability is understanding how a threat affects and hurts our assets. Vulnerabilities include identity theft, malicious code injection, unauthorized modification, unauthorized access, etc.

Risk perception is very subjective, so it is advisable to establish a uniform methodology. For smaller companies with up to 250 employees, where we assume fewer services and assets, we make do with the attributes such as asset value, threat impact and expected threat occurrence. Multiplying these values gives a sufficient range of values.

For companies with multiple employees or a robust IT environment, there is a plethora of methodologies to choose from that will meet very stringent requirements.

In addition to the calculated value, a detailed description is very important for a proper understanding of the risk. This will guarantee continuity, but above all, a correct understanding of why we perceive risk at this level. When we subsequently review or when presenting it to the company management, we have prepared transparent documentation and the reason for the risk value.

With this step, we have achieved our goal. We have described our company in terms of risk analysis. We have an overview of key services, we have key assets under control, we know the threats, we know the risks, but...

At this point, the company has learned the fact that, in addition to the opportunities, there are real risks which are described and which have a calculated value. What happens next?

We are now entering a crucial phase where the company will begin to address the identified risks with an appropriate strategy.

At the beginning of the preparation of the plan, it is advisable to set a minimum risk value from which the risk will be treated.

Risks defined are treated by actions which are called measures in a risk analysis. There is a plethora of measures on offer. For the sake of clarity, it is advisable to refer to the recommended set of measures following from ISO 27002 or to use the CIS recommendations in the area of Internet security. This enables compliance with ISO 27001.

For the selected measure, the impact of the measure on the existing risk value should be evaluated before implementation. The people responsible will therefore determine the value of the expected residual risk. This will prevent ineffective implementation of measures with no effect on the risk itself.

For effective implementation of the measures, those responsible should ensure that sufficient information is available for decisions by the company management. Important information includes the estimated cost of the measure, human resource capacity and estimated time of implementation. This avoids a situation where the cost of implementation itself disproportionately exceeds the cost of the risk taken.

An integral part is to verify the functionality of the deployed measure and to check the actual impact on the asset.

By taking the preceding steps, the company has achieved a true risk analysis. To keep the tool operational, it is advisable to perform some periodic operations. Checking the timeliness of services and assets. Threat and vulnerability updates. Risk review and reassessment. Updating and reviewing the action implementation plan.

Thus we have reached an imaginary goal. However, risk analysis is a living organism, constantly evolving. It belongs to the area of continuous improvement tools and is applicable by the PDCA method.

Our company has been through situations similar to those mentioned at the beginning of this article. The beginnings were difficult; we were striving for ISO 27001 certification; our risk analysis was not updated, not clear, just charts and chaos.

A change occurred when we understood the issues and invested in the development of the Risk Analysis Application. Thanks to the increased clarity of assets, the creation of a threat codebook, and detailed risk descriptions, everything started to make more sense. The results of the risk analysis can be transparently presented to the company management.

The introduction of standardized ISO 27002 and CIS measures have set a clear standard for the implementation of appropriate measures.

Now we have introduced the ISMS Audit module into the Risk Analysis application, thanks to which we have information security issues in one place.

So we can focus more on the current situation, here and now, which is very important for security.

To all the readers who have read the article to this point, thank you for your demonstrated endurance and determination. Information security and risk analysis are very interesting areas for people and enthusiasts working in IT. It adds a unifying element to each sector, which is a sense of security.

Václav Voříšek
COM PLUS CZ a.s. Security Director