CISSP Module 1.3 Risk Management Concepts

What the heck is risk?  Most people don’t understand it, so let’s simplify.  In the approximate words of Shon Harris, risk is the possibility of something bad happening.  This is the simplest explanation I’ve ever seen.

Risk is usually stated in terms of high, medium, or low.  Your job as the CISSP is to determine the level of risk and explain it to senior management.

Acceptable risk is the amount of risk that senior management is willing to accept. For example, every business faces the risk of a break-in. If your business manufactures valuable goods like TVs or electronics, and it’s located in a high-crime area, there is a high risk of break-ins. If management decides not to put any locks on the doors and not to hire any security guards, they are basically willing to accept the risk of a break-in.

A Vulnerability is a weakness, such as a broken fence. Shon Harris also called a vulnerability a lack of a safeguard. The words safeguard and control mean the same thing: some type of protective mechanism.

A Threat is something that can take advantage of the vulnerability, such as a thief in our case of the broken fence.  It can also be a circumstance, such as the weather.

Mitigation refers to the action taken to reduce the risk, such as fixing the fence. Mitigation can be partial or whole; it basically reduces the risk to an acceptable level. A related term is Residual Risk, which is the risk that remains after mitigation is performed. For example, even with the fence fixed, people can still use a ladder to climb it, or use a tank to plow through it.

Management can only make four decisions about risk.  Be sure to memorize these.  The decisions are:

Mitigate, accept, transfer, or avoid. We have examples there if you need them, and I believe we have a separate video on how to deal with risk, or at least I remember creating a slideshow for that at one point. If you need something to help you remember, think MATA, which is Portuguese for “kill”: in order to “kill” the risk, you need to do one of those four things.

Risk is sometimes rated using three factors: impact, likelihood, and exposure.

Impact is the monetary effect that will occur, or it can be expressed as the impact to human health. In our case of the broken fence, the impact would be the cost of making the TV that was stolen.

Likelihood is the measurement of possibility, usually calculated from historical data on past occurrences. For example, the likelihood of one person running through our broken fence to steal a TV could be a 0.001% chance, based on how many similar thefts have occurred in the past.

Exposure is when an organization becomes vulnerable to a threat, for example, the broken fence creates an exposure to the threat of burglary.

Risk analysis can be done in two ways, qualitative and quantitative:

Qualitative – opinion-based and more of a narrative discussion.

Quantitative – numeric and value-based; this is the preferred method because it is more objective.

The Business Impact Analysis (BIA) is a tool used to help understand the criticality of assets within an organization. Remember that in the CBK, assets typically refer to data, but not always. The BIA aims to answer two questions: which assets or data are critical to the business, and at what level of criticality.

Now we move on to the traditional risk measurement model. It is a bit outdated, and ISC2 admits this, but it still has value in understanding how risk is quantified.

Asset Value is of course the asset’s value

Exposure factor is the percent of the asset that can be lost from a certain event

Single loss expectancy (SLE) is AV × EF, measured in money.

The annual rate of occurrence (ARO) is how many times in a year the event is expected to occur. It is typically a decimal fraction (an event that happens once every four years has an ARO of 0.25), but it can be greater than one.

The Annual loss expectancy (ALE) is SLE × ARO, which shows how much the business can expect to lose per year without implementing safeguards. If the safeguards cost less than the ALE, it’s best to implement the safeguards.
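The AV, EF, SLE, ARO and ALE chain above, worked through in code for the module's TV warehouse with its broken fence. This is an added example, not part of the original notes; the dollar figures, the two safeguard options and their costs are constructed for illustration. It also goes one step beyond the text by applying the standard CISSP cost/benefit formula, value of a safeguard = ALE before − ALE after − annual cost of the safeguard, so that a safeguard that costs more than the loss it prevents is rejected.

```python
"""Traditional quantitative risk model: AV, EF, SLE, ARO, ALE and safeguard cost/benefit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed in the module's terms."""
    asset_value: float      # AV: what the asset is worth, in money
    exposure_factor: float  # EF: fraction of the asset lost per event, 0.0 to 1.0
    annual_rate: float      # ARO: expected events per year; 0.25 = once every four years

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a percentage of the asset, so it must be between 0 and 1")
        if self.annual_rate < 0.0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy = AV x EF (money lost in one event)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO (money expected to be lost per year)."""
        return self.sle() * self.annual_rate


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE(before) - ALE(after) - annual cost of the safeguard.
    ALE(after) is the residual risk. Positive means the safeguard saves more than it costs."""
    return before.ale() - after.ale() - annual_cost


def worth_implementing(before: RiskScenario, after: RiskScenario, annual_cost: float) -> bool:
    return safeguard_value(before, after, annual_cost) > 0


# Constructed numbers (not from the notes): a TV warehouse behind a broken fence.
BREAK_IN = RiskScenario(asset_value=400_000.0, exposure_factor=0.25, annual_rate=2.0)
# Option A: repair the fence and add guards; same loss per event, far fewer events.
FENCE_AND_GUARDS = RiskScenario(400_000.0, 0.25, annual_rate=0.25)
FENCE_AND_GUARDS_COST = 40_000.0
# Option B: an armoured vault that nearly eliminates theft but is very expensive.
VAULT = RiskScenario(400_000.0, 0.25, annual_rate=0.125)
VAULT_COST = 250_000.0

if __name__ == "__main__":
    print(f"SLE = {BREAK_IN.sle():,.0f}  ALE = {BREAK_IN.ale():,.0f}")
    for name, after, cost in [("fence+guards", FENCE_AND_GUARDS, FENCE_AND_GUARDS_COST),
                              ("vault", VAULT, VAULT_COST)]:
        print(f"{name}: value = {safeguard_value(BREAK_IN, after, cost):,.0f}, "
              f"implement = {worth_implementing(BREAK_IN, after, cost)}")
```

With these numbers the fence repair plus guards is worth 135,000 per year and should be implemented, while the vault has a negative value and should not, even though it leaves less residual risk.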

Some other random terms thrown out in Module 1.3 are:

Layered defense or defense in depth – this refers to relying on multiple controls, and multiple types of controls, to protect the organization’s assets. For example, if you have firewalls in place but no ACLs, no secure configurations, and no locks on the data closet doors, you are not using a layered defense.

Risk Framework refers to the model that your organization adopts to manage its risk.  I have a separate video that covers the various frameworks and how to memorize them. 

Supply chain – this refers to the flow of assets or data.  Audits, surveys, reviews, and testing can be done in the supply chain, but the CBK says that it’s also acceptable to simply view the resulting reports of those reviews for entities within the supply chain, and recommend enhanced or reduced security to those entities.

For example, if your business contracts with IBM for custom computer parts, and there is an intermediary company that delivers those parts especially for you, they may be subject to certain types of audits or reviews.  By reviewing their findings, you can discuss additional or more effective approaches to security.

The last concept in this module is threat modeling, specifically STRIDE. STRIDE is a classification system developed by Microsoft in which threats are categorized into one of the following components:

Spoofing – faking an identity

Tampering – modifying the data

Repudiation – maintaining the ability to deny that they’ve done anything (remaining undetected)

Information disclosure – the release or theft of protected data

Denial of service – the impact to availability

Elevation of privilege – typically escalation to administrative rights on a system

I highly recommend getting more familiar with these concepts, along with reading the book and other sources.