As threats to cyber systems grow more and more complex, risk assessments help companies determine appropriate responses to mitigate risks to their organizations, guide investment strategies and maintain ongoing situational awareness of the state of their systems.

Overall guidance for risk assessment for information security can be found in *Managing Information Security Risk: Organization, Mission, and Information System View* (NIST SP 800-39).

The NIST guidelines for risk management are based on the ISO 31000 risk management standards, which borrowed heavily from the AS/NZS 4360 risk management standards that preceded them by a decade. All of these standards follow a common approach for assessing inherent (uncontrolled) risk. The most common risk assessment model is to use a 5 x 5 risk matrix, with one axis for the different levels of Likelihood and the other axis for different levels of Consequences (called Impact by the NIST guidelines). Where the columns and rows intersect in the risk matrix (see Table G-5) determines the inherent risk score, which falls into one of several severity bands (very high, high, moderate, low, very low in the example). Therefore, an Impact of Very High and a Likelihood of Moderate in this model would result in an inherent risk score falling into the High severity band. These are subjective descriptions, but if you also assign numeric scores to the columns and rows of the risk matrix and calculate the result using multiplication, then an inherent risk score of 15 would be the result of C5 x L3, and a score of 15 would fall within the numeric score range defined for the high severity band. This is great for calculating the inherent risk score, and where we have a single control the residual risk score could be similarly calculated by identifying how the control impacts either the Likelihood or the Impact. Say the control moves the likelihood from Moderate down to Low; the residual risk score would now be 10 (C5 x L2), which falls within the Moderate score band.

Unfortunately, while all of the standards discuss the concept of residual risk, none of them clearly explain how you actually arrive at a residual risk score when more than one control is implemented.

An advantage of calculating the inherent and residual risk scores numerically is that you can easily calculate a numeric value for each control by subtracting the inherent risk score from the residual risk score for each control in isolation, and then subtract the sum of multiple controls from the numeric score of the inherent risk. This approach also means that the residual risk score (where multiple controls are applied) can actually exceed the lowest numeric value possible within the risk matrix; in other words, you can have a negative value for the residual risk. This could mean that you have raised more controls than are absolutely necessary, but that is OK provided it is deliberate and you can justify the cost and effort of some over-controlling. Another advantage of numerically scoring each control is to highlight any controls that don't have any effect on either the likelihood or the impact. This simply means that they are not really controls at all.
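The numeric model described in the two comments above, as an added example (not code from the original post or its commenters): an inherent score C x L, a severity band lookup, and a residual score under several controls where each control's value is the reduction it achieves on its own. The band thresholds are an assumption, chosen only so that 15 falls in High and 10 in Moderate as the comment states.

```python
# Added example: numeric 5 x 5 risk-matrix model with multi-control residual risk.
# Band thresholds below are an assumption; the comments fix only two points
# (15 -> High, 10 -> Moderate) and these bands honour both.

LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

# (inclusive upper bound, band). Anything at or below 3, including a negative
# residual produced by over-controlling, lands in "very low".
BANDS = [(3, "very low"), (8, "low"), (14, "moderate"), (19, "high")]


def score(impact, likelihood):
    """Inherent risk score C x L from the qualitative levels."""
    return LEVELS[impact.lower()] * LEVELS[likelihood.lower()]


def band(value):
    """Severity band for a numeric inherent or residual score."""
    for upper, name in BANDS:
        if value <= upper:
            return name
    return "very high"


def residual_risk(impact, likelihood, controls):
    """Residual score when several controls are applied together.

    controls: list of (name, impact_after, likelihood_after), each giving the
    position the control would reach if it were the only control. A control's
    value is the reduction it achieves in isolation; the reductions are summed
    and taken off the inherent score, so the result can drop below 1.
    Returns (residual_score, {control_name: reduction}).
    """
    inherent = score(impact, likelihood)
    reductions = {name: inherent - score(c, l) for name, c, l in controls}
    return inherent - sum(reductions.values()), reductions


def ineffective_controls(reductions):
    """Controls that move neither likelihood nor impact: not really controls."""
    return [name for name, r in reductions.items() if r == 0]


if __name__ == "__main__":
    # Constructed scenario: inherent C5 x L3 = 15 (High) and three candidate controls.
    controls = [
        ("A", "very high", "low"),       # likelihood Moderate -> Low: score 10
        ("B", "high", "moderate"),       # impact Very High -> High: score 12
        ("C", "very high", "moderate"),  # changes nothing: score stays 15
    ]
    residual, reductions = residual_risk("very high", "moderate", controls)
    print(f"inherent 15 ({band(15)}), residual {residual} ({band(residual)})")
    print("reductions:", reductions, "ineffective:", ineffective_controls(reductions))
```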

Ian:

I can't quite follow your logic. What are the scales for the various ranges? Also, using what you have said and creating the matrix, I found some inconsistencies (if I am understanding what you are saying correctly). See below. Can you help me understand? Thanks.

| Threat Likelihood \ Impact | Very Low (1) | Low (2) | Moderate (3) | High (4) | Very High (5) |
|---|---|---|---|---|---|
| Very High (5) | Low (5) | Moderate (10) | High (15) | Very High (20) | Very High (25) |
| High (4) | Low (4) | Moderate (8) | High (12) | High (16) | Very High (20) |
| Moderate (3) | Very Low (3) | Low (6) | Moderate (9) | Moderate (12) | High (15) |
| Low (2) | Very Low (2) | Low (4) | Low (6) | Low (8) | Moderate (10) |
| Very Low (1) | Very Low (1) | Very Low (2) | Very Low (3) | Low (4) | Low (5) |