In today’s organizations, risk management is a cornerstone when defining an optimal information security strategy.
In less mature organizations, security focuses on technical aspects and tactical actions such as detection and remediation. To obtain the overview needed to define efficient plans, however, it is necessary to consider both vulnerabilities and threats, together with the factors of likelihood and impact.
Risk management gives organizations a sound basis for identification and prevention: it provides the information needed to decide where and how to allocate resources to improve security, mitigating risks where they exist and are highest, through both technical and organizational measures.
In the technical field, the difference between conventional security management and risk management can be seen in the following example:
- A company has tens of thousands of computers and wants to ensure that they are properly patched and updated.
- As a technical solution, a vulnerability management system is used to identify all computers that are not patched or not correctly configured.
- With this information, we can see which devices have different levels of deficiency and which are in optimal condition.
- Without further information, the obvious course of action is to plan the update of all devices, starting with those in the worst situation (more critical vulnerabilities, greater number of vulnerabilities), but without taking any other factor into account.
With all this we know that many computers have vulnerabilities, but do these vulnerabilities pose a risk to the organization? Do all devices generate the same risk? When the number of devices is very high, it is not always feasible to carry out these actions across the board. How do we prioritize?
- With risk management, the technical information (vulnerabilities and threats) is combined with the information associated with the assets, in particular their value and the impact that a security incident on them would cause.
- From the vulnerability and threat information, taking into account exposure and complexity factors, the likelihood of occurrence can be estimated: a computer accessible from the Internet is more likely to suffer an incident than an offline device.
- Risk can then be calculated as the product of likelihood and impact. In practice both factors are usually scored on a small scale (for example 1 to 5), so the product is a ranking tool rather than an exact measure. A high level of risk indicates a high likelihood associated with an element of significant value/impact, and a low risk indicates that the combination of likelihood and impact is small.
- In an organization where risk management is used properly, risk maps are available that identify the most valuable assets (information, devices, networks, areas, etc.) together with the likelihood of incidents affecting them. With them, actions and the deployment of security measures can be planned according to objective priorities.
- In our example, risk management lets us prioritize: of the entire computer estate, those with the highest level of risk will be patched first, which may be those that give easy access to confidential information or important systems (and not necessarily those with the greatest number of vulnerabilities or the most critical deficiencies), leaving those with the lowest risk for the final phases, which may group the computers that do not handle sensitive data or sit in isolated networks.
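The prioritization described above can be made concrete. The following script is an added illustration written for this article, not a tool from Kymatio or any vulnerability management product; the host inventory is constructed inline, and the weights used for exposure, severity and asset value are hypothetical scoring choices, not an established standard. It ranks the same hosts twice, once by vulnerability data alone and once by risk (likelihood times impact), to show how the two orderings differ.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Host:
    """One computer as seen by the vulnerability scanner plus its asset data."""
    name: str
    max_cvss: float          # most severe vulnerability found, CVSS 0.0-10.0
    vuln_count: int          # number of open findings
    internet_exposed: bool   # reachable from the Internet
    isolated_network: bool   # sits in a segregated/offline network
    asset_value: int         # business value of the asset, 1 (low) to 5 (critical)


def likelihood(h: Host) -> float:
    """Estimate likelihood of an incident in [0, 1] from exposure and findings.

    The exposure weights and the 70/30 split between severity and breadth are
    hypothetical assumptions chosen for this example.
    """
    if h.isolated_network:
        exposure = 0.2
    elif h.internet_exposed:
        exposure = 1.0
    else:
        exposure = 0.5
    severity = h.max_cvss / 10.0                 # worst finding, normalized
    breadth = min(1.0, h.vuln_count / 20.0)      # many findings, capped at 20
    return exposure * (0.7 * severity + 0.3 * breadth)


def impact(h: Host) -> float:
    """Impact in [0, 1], taken directly from the asset's business value."""
    return h.asset_value / 5.0


def risk(h: Host) -> float:
    """Risk as the product of likelihood and impact."""
    return likelihood(h) * impact(h)


def prioritize_by_vulnerability(hosts: List[Host]) -> List[Host]:
    """The 'conventional' order: worst CVSS first, then most findings."""
    return sorted(hosts, key=lambda h: (h.max_cvss, h.vuln_count), reverse=True)


def prioritize_by_risk(hosts: List[Host]) -> List[Host]:
    """The risk-managed order: highest likelihood x impact first."""
    return sorted(hosts, key=risk, reverse=True)


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_HOSTS = [
    Host("lab-build-17", max_cvss=9.8, vuln_count=42,
         internet_exposed=False, isolated_network=True, asset_value=1),
    Host("web-portal-01", max_cvss=7.5, vuln_count=3,
         internet_exposed=True, isolated_network=False, asset_value=5),
    Host("hr-fileserver", max_cvss=8.1, vuln_count=6,
         internet_exposed=False, isolated_network=False, asset_value=4),
    Host("kiosk-lobby", max_cvss=5.3, vuln_count=2,
         internet_exposed=False, isolated_network=False, asset_value=1),
]


if __name__ == "__main__":
    print("By vulnerability data only:")
    for h in prioritize_by_vulnerability(SAMPLE_HOSTS):
        print(f"  {h.name:14s} cvss={h.max_cvss:4.1f} findings={h.vuln_count}")
    print("By risk (likelihood x impact):")
    for h in prioritize_by_risk(SAMPLE_HOSTS):
        print(f"  {h.name:14s} risk={risk(h):.3f}")
```

With this inventory the isolated build machine, which has the worst CVSS score and by far the most findings, comes first in the vulnerability-only order but last in the risk order, while the Internet-facing portal that holds the most valuable data moves to the top. The scales are deliberately simple; what matters is that likelihood is derived from exposure, not only from the scanner output, and that impact comes from the asset inventory, which the scanner does not know.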
Furthermore, risk management is not limited to technical areas: we can also evaluate risks associated with laws and regulations, procedures and organizational aspects.
And if we want to include people in risk management, how do we do it?
We will see it in upcoming Kymatio articles.