Lessons for conducting an IT security risk assessment

29 September 2021 Consultancy-me.com

As part of their security strategy, organizations need to continuously assess the risks within their IT function and technology infrastructure. Vincenzo Casillo, a Principal at Cedar Management Consulting, explains how an IT risk assessment framework can help curb and mitigate risks. 

Information security risk assessment (ISRA) is the process undertaken to identify, prioritize and analyze the risk of availability, integrity and confidentiality of data and their information systems. The adoption of a systematic approach to information security risk management that is aligned to the overall enterprise risk management is generally important for all organizations, particularly for those which are heavily reliant on IT and clients’ data to deliver their services. 

As the technology risk permeates the operations of all business functions, the ISRA should be based on a holistic approach. In practice, there is no one model that suits for all, due to the diversity in the way IT risks are captured, assessed, and treated at each enterprise. However, there are few general guidelines that organizations will have to observe when performing a successful IT risk assessment exercise.

Lessons for conducting an IT security risk assessment

To begin with, the execution of ISRA should not be limited to cybersecurity, but it should cover all IT threats, including physical damages, unauthorized actions, natural disasters, technical failures and loss of essential services. To better clarify the meaning of all these threats, essentially:

  • cybersecurity threats refer to electronic threats which aim at compromising business information (e.g. hackers performing activities that are criminal in nature – such as fraudulent attacks);
  • physical threats arise from physical access or damage to IT resources, and can include theft, damage for fire or flood or unauthorized access to confidential data by an employee or outsider;
  • technical failure threats refer to software bugs, computer crashes or failure of computer components;
  • infrastructure failure threats refer to loss of connectivity that can interrupt the business;
  • human error threat is any accidental incident caused by a human during business operations.

Keeping in mind the multitude of threats, the challenge for IT risk managers across sectors is to establish a sustainable and effective risk mitigation strategy: in other words, achieving the optimal security at a reasonable cost.

To begin with, the assessment stems from the definition and maintenance of an IT asset inventory which constitutes the scope of work for the assessment. While the term “IT asset” may lead to think of hardware and software in the first place, it actually encompasses anything that has value in the organization and that requires protection including IT processes, people and know-how.

From this perspective, determining how critical each asset is across the business value chain, is the very first step that allows organizations to address their resources on what requires attention.

IT security assessment methodologies can either be quantitative, qualitative or a mix of both and there are several guidelines available in literature to drive them, mainly ISO 27005, COBIT 5, OCTAVE, NIST 800-39. The choice of which model to adopt and how to do so hinges essentially on data availability, the timeline to complete the exercise and information expected in the final risk assessment report.

Quantitative

A quantitative assessment measures risks using monetary amounts and numeric data, including the frequency of risk occurrence, the asset value and the probability of associated loss. For example, in case of a server crash, it would consider the cost of a server and its connected revenues, historical observation of its crashes and the estimated loss incurred in each crash.

Key calculations that are usually performed by processing measured data are typically the single loss expectancy (costs to incur if the incident occurs once); the annual rate of occurrence (how many times the risk can be expected to occur over the year) and the annual loss expectancy (which is the total risk value expected to occur over a year).

In quantitative assessments, monetary results are key indicators to drive risk mitigation investments on material threats (the “very likely” to happen cases, which can be either expensive to fix or affecting the business adversely). Focusing on the materiality of the threat is a key principle to follow for effective risk strategies, which deters from using resources to treat risks with negligible impacts. Cost/benefit analysis is generally used to determine the level of investment to make risk treatment worthwhile.

While quantitative measurement may sound very appealing in the first place, the IT risk manager should consider present and historical data availability very carefully (probability and cost estimates) before embarking in this approach.

Qualitative

The second way of performing the risk analysis is through a qualitative measurement model. This risk assessment approach relies on subjective judgement to classify risks based on a scale of probability of occurrence, and impact, typically on a low-medium-high scale.

The same can be done with respect to cost and impact. Once ratings are determined, the risk assessment matrix is created to help in the categorization of risk levels for each risk event. Such classification can support the IT risk manager to make the right decision – deciding which risks to mitigate using controls, which to accept, and which to transfer.

Hybrid

The third way to perform an IT risk assessment is through a hybrid approach, which combines elements of both quantitative and qualitative analysis. The quantitative data can be used to assess the value of assets and loss expectancy, but also involve business stakeholders to gain their expert insights. While on the downside this approach may take more effort and time, it can result in a better understanding of the risks and better information that each method would provide alone.

Once risks are identified, assessed, and prioritized, they need to be treated. If risks cannot be removed or reduced to an acceptable level, the impact of potential incidents can be offset (for example, by setting procedures for detecting problems or to purchase an insurance against the cost of security breaches). 

Establishing an effective IT risk assessment is surely not a short journey in terms of time and effort needed to build the approach and keep the model consistently applied, however, innovative solutions such as automated and configurable tools can aid IT risk managers who seek to drive this exercise effectively. 

There are several IT risk managements suites on the market. A few of them include: “Archer IT Security and Risk Management” by RSA, “Highbond” by Galvanize, “ServiceNow Governance Risk and Compliance” by ServiceNow, “Lockpath” by NAVEX Global, “Metricstream IT Risk Management” by Metricstream, “OpenPages” by IBM, “Insight Risk Management” by Allgress, and “OneTrust IT & Security Risk Management” by OneTrust.

IT risk tools typically offer a basic suite of applications encompassing centralized control library that maps controls to processes, risks and regulations; a self-assessment and testing module which allows to plan and design self-assessments and control tests with pre-defined questionnaires and surveys; an issue remediation and closure module where deficiencies are identified, documented and tracked to closure; graphic dashboards and reports with charts and test results; the possibility to configure the risk scoring methodology, which is the capability to adjust the values and range for a custom measure of risk.

The most advanced solutions also leverage intelligent process automation capabilities to connect enterprise data and maintain a live data ecosystem by integrating data sources across business applications and processes, thus reducing the effort related to data gathering in the assessment phase.

In conclusion

To conclude, IT risk assessment is a complex exercise that permeates across the organization, which requires to be carefully planned and thought through. Its effectiveness is function of how the risk model fits the enterprise, and of its capability to identify, report and treat key risks promptly. Leveraging IT risk assessment tools is an opportunity to standardize assessments and ensure a thorough and systemic application of the IT risk management model.