Information Security Risk Analysis
Following our popular article on Threat vs Vulnerability vs Risk, this article digs a little deeper into Risk Analysis, by considering Hybrid – qualitative and quantitative – Risk Analysis.
In our last article, we defined a Threat as the coincidence of an Actor, Motivation and an exploitable Vulnerability. We went on to define Risk as the product of a Threat, Probability and Business Impact.
Let us start this article with a flow chart illustrating the relationship between some of the concepts in Risk Analysis. We show the corporation in the centre, the threats on the right and the countermeasures on the left. The residual risk exposure, shown at the bottom, is the risk introduced by the threats, but that isn’t successfully avoided or mitigated. This residual risk must be accepted by the organisation.
NIST SP800-30 sets out a series of steps that should be carried out during Risk Analysis (also known as Risk Assessment). The steps, shown below, are a hybrid of quantitative and qualitative analysis. Where quantities are known, they should be included; where threats, risks or assets are subjective, scenarios should be developed. ‘High / Med / Low’ ratings can be substituted for figures in both likelihood and impact assessments.
The output of a Risk Analysis is the current exposure of the organisation and a proposal for the introduction of controls to mitigate some or all of that risk.
When conducting Quantitative Risk Analysis, a loss expectancy is calculated for each asset vulnerability. Each asset must be valued (AV), and the exposure (as a %) of that asset, given the particular vulnerability in question, must also be calculated. For example, confidential business plans worth £1m may cost only £200k to redevelop if they were lost in a fire. The exposure of this asset is therefore 20%. A single loss would cost the business £200,000.
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
The business must then estimate the number of occurrences, annually, of this particular loss. This can be a whole number or a fraction if the event occurs less than once per year. The Annual Rate of Occurrence (ARO) can be predicted based on historical figures. It is essentially the balance of the adversary capability against the countermeasures (controls) put in place by the Security Manager.
Looking back at our flow chart, then, the Asset and Vulnerability are used to calculate the Single Loss Expectancy (SLE) and the Threat, Threat Actor, Controls and Security Manager can be used to estimate the Annual Rate of Occurrence (ARO).
The final calculation – Annual Loss Expectancy (ALE) – is a numeric approximation of risk. It can be used to help the business decide whether the risk should be:
- avoided – through changing business process
- mitigated – through introduction of countermeasures
- accepted – because the cost of avoidance or mitigation outweighs the ALE
Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
Countermeasures or Risk Avoidance measures should only be considered if the cost of adoption is less than the Annual Loss Expectancy for the particular threat. Risk transference (e.g. insurance) could also be considered though, again, if the cost is greater than the ALE, the organisation should probably consider ‘self-insuring’, assuming it is legal to do so.
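The SLE, ARO and ALE calculations above, together with the cost-versus-ALE rule for choosing between mitigation, transference and acceptance, can be put into a few lines of code. The following is an added worked example, not code from the original article: the £1m asset value and 20% exposure factor are the article's figures, while the ARO of 0.1 (one fire every ten years), the two candidate countermeasures, the insurance premium and the High/Med/Low bands are constructed for illustration. It also generalises slightly beyond the text by letting a control reduce the exposure factor as well as the rate of occurrence, since a backup control changes what a single loss costs rather than how often the fire happens.

```python
"""Hybrid quantitative / qualitative risk analysis worked example.

Added example, not from the original article. Apart from the GBP 1m asset
value and 20% exposure factor, every figure below is constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class RiskScenario:
    """One asset / vulnerability pairing to be costed."""
    name: str
    asset_value: float      # AV: value of the asset (GBP)
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float      # ARO: expected occurrences per year (may be < 1)

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    """A control that reduces the ARO (and optionally the EF) at an annual cost."""
    name: str
    annual_cost: float
    residual_aro: float                  # ARO once the control is in place
    residual_ef: Optional[float] = None  # EF once in place; None = unchanged


def residual_ale(scenario: RiskScenario, control: Countermeasure) -> float:
    """ALE that remains after the control is applied (the residual risk)."""
    ef = scenario.exposure_factor if control.residual_ef is None else control.residual_ef
    return scenario.asset_value * ef * control.residual_aro


def net_annual_saving(scenario: RiskScenario, control: Countermeasure) -> float:
    """ALE reduction bought by the control, minus what the control costs per year."""
    return scenario.ale() - residual_ale(scenario, control) - control.annual_cost


def recommend(scenario: RiskScenario, controls: Sequence[Countermeasure],
              insurance_premium: Optional[float] = None) -> tuple:
    """Apply the article's rule: a countermeasure or insurance premium is only
    worth considering if it costs less than the ALE; otherwise accept (self-insure).
    Returns (treatment, option name, expected annual saving)."""
    ale = scenario.ale()
    affordable = [c for c in controls if c.annual_cost < ale]
    best = max(affordable, key=lambda c: net_annual_saving(scenario, c), default=None)
    if best is not None and net_annual_saving(scenario, best) > 0:
        return ("mitigate", best.name, net_annual_saving(scenario, best))
    if insurance_premium is not None and insurance_premium < ale:
        return ("transfer", "insurance", ale - insurance_premium)
    return ("accept", "self-insure", 0.0)


def qualitative_band(ale: float, low_max: float = 10_000, med_max: float = 100_000) -> str:
    """Map a monetary ALE onto the High / Med / Low scale the hybrid method allows.
    Band boundaries are assumed values an organisation would set for itself."""
    if ale <= low_max:
        return "Low"
    if ale <= med_max:
        return "Med"
    return "High"


# Constructed scenario: the article's business plans, lost in a fire.
BUSINESS_PLANS = RiskScenario("business plans lost to fire",
                              asset_value=1_000_000, exposure_factor=0.20,
                              annual_rate=0.1)

# Constructed controls. Off-site backups cut the redevelopment cost (EF),
# fire suppression cuts how often the loss happens (ARO) but costs more than the ALE.
CONTROLS = [
    Countermeasure("off-site backup", annual_cost=5_000, residual_aro=0.1, residual_ef=0.02),
    Countermeasure("fire suppression", annual_cost=25_000, residual_aro=0.02),
]
INSURANCE_PREMIUM = 15_000  # constructed


if __name__ == "__main__":
    s = BUSINESS_PLANS
    print(f"SLE = {s.sle():,.0f}  ALE = {s.ale():,.0f}  band = {qualitative_band(s.ale())}")
    for c in CONTROLS:
        print(f"  {c.name}: residual ALE {residual_ale(s, c):,.0f}, "
              f"net saving {net_annual_saving(s, c):,.0f}")
    print("recommendation:", recommend(s, CONTROLS, INSURANCE_PREMIUM))
```

With these figures the SLE is £200,000 and the ALE £20,000, so fire suppression at £25,000 a year is ruled out by the article's cost-less-than-ALE test, off-site backup saves a net £13,000 a year and is recommended, and insurance would only be chosen if no affordable control paid for itself. Raising the premium above the ALE makes the function fall through to acceptance, which is the "self-insuring" outcome the text describes.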