This blog post is, at least in my opinion, part of the most important piece of your cyber security strategy puzzle; your risk management. If you look at information security in general, and ISO27001 in particular, you always need to find that sweet spot that gives you the most protection for your money. Blindly following checklists that have been handed down for generations will help you in some way, but it will certainly not provide you with the best solution (protection and moneywise).
So how do you find that sweet spot? By carefully planning and executing your risk management on a regular basis. Your risk management will provide you with the actual threat, vulnerabilities, impacts and mitigations that suit your situation and context. Executing your risk management will enable you to focus on actual security issues and risks that need to be addressed, instead of using fear mongering to try to do it all.
Oh, and why do I say “your” risk management? Because each organisation is unique, and therefore needs to find and adapt their own methodology, criteria and mitigations. This is where ISO27001 really helps you – it requires you to have a risk management process in place and active, but it does not force you to perform it in a predefined way. Just make sure you apply it consistently throughout your organisation and make sure you document the process and the results.
To make sure we’re all on the same page, I would like to share with you the definitions I use for threat, impact, vulnerability and risk. There is some confusion about these terms, and threats and risks in particular are (wrongly) used interchangeably. I stick to the definitions PECB uses in its training material.
And bear in mind that you can use the same process to identify opportunities as well. These are just ‘risks’ with a positive outcome and connotation.
So here it goes…
Threat: an event that can happen and has an impact on your business goals and drivers. In cyber security a threat almost always has a negative impact, e.g. a threat damages your reputation, or encrypts your data, etc. Examples of threats are data theft, ransomware, data breaches etc. Threats will always exist, and can have an internal or external source.
The opposite of a threat would be an advantage, an event that provides a benefit to the organisation, and has a positive impact.
Vulnerability: a weakness in a control, asset, process or organisation that enables a threat to actually have the impact and cause damage. Examples of vulnerabilities are lack of an up to
date virus scanner, lack of awareness training for personnel, etc. And please note that increasing your tolerance to vulnerabilities may help you to seize business opportunities because it can improve your time-to-market or other driving factors. As long as you apply proper risk management, you can make a balanced decision.
Impact: this is obviously the direct and indirect damage you suffer once a threat has materialized. And again, the impact may also be a positive one, let’s call that a reward.
Likelihood: the chance that a threat (or benefit) will actually materialize. This is based on statistics but often also involves gut instinct.. This is the hardest part of the risk equation to get right. Rare cases (i.e. the black swans), that have a very small (but not 0) chance of occurring but have a huge impact, are often the hardest. Management often don’t want to spend a lot of money on these, but on the other hand, they don’t want to sign off on them either. I might do a special post on this in the near future, we have had enough events recently (Twitter, Garmin) that warrant a new look at these black swans.
Risk: in its simplest form, the risk (or opportunity) is a result of multiplying the likelihood and impact and can often be expressed as a number. This can result in a quantitative value (often money related) or a quantitative value, (critical, high, medium, low).
So the next time you hear someone say that ‘the risk is theft of personal data’, what they actually mean is the ‘threat’.
And on a final note, if you use a quanlitative risk model, please use a scale with an even number of steps (1, 2, 3, 4 or critical, high, medium, low). Most people like to make safe choices and if you use a scale with an uneven number, they tend to go for the middle one. Using a scale with an even number forces them to make a choice.
This brings us to the conclusion of this post. In the next one I will look with you at how to apply the risk model and look at a simple, but very effective, model for identifying threats.
Until next time, as always, stay safe!