Risk Management

How to manage risk?

Understanding and managing the risk involved with IT operations is a crucial factor in your business. When you feel uncertain, get professional help. A risk analysis identifies the level of protection your data requires and helps you find the best way to handle your risks. Potential threats to your data and communications involve loss, theft, disclosure, unauthorized manipulation and the disruption of availability. Each threat poses a financial or reputational risk should the event arise. Almost every threat can be counteracted by technical, organizational or legal means, but some of them may be too expensive to implement in your particular situation. As technology develops and your business grows, the way you view certain risks changes too. Hence it is important to regularly review and adjust your risk management strategy.

How to manage risk?

Risk management includes four steps: analysis, classification, assessment and controlling.

  • Risk analysis lets you identify protectable assets in your workflows and the threats and vulnerabilities your IT infrastructure is exposed to.
  • Risk classification assigns subjective labels to threats and vulnerabilities to describe their damage potential and the probability of occurrence.
  • In risk assessment you objectively map your classifications to actionable risk classes, or in other words, you decide on a plan.
  • Risk control encompasses proactive monitoring and review of your strategy in order to learn how effectively it actually prevents risks and to adjust it to technological progress and evolving threats.

Step 1: Analyze Vulnerabilities

A good starting point for identifying vulnerabilities and protectable assets is visualizing your workflows. Draw data flow charts for each individual workflow, include the devices used, draw lines for data exchange, mention the formats and software used to exchange data, and note down the roles and responsibilities of the people who get in touch with your IT infrastructure. Based on the visualization, compile lists of protectable assets, which may be physical things (e.g. shuttle drives, laptops, recorders, cameras) and digital things (media files, personal data, messages, software licenses, passwords, etc.).

Step 2: Classify Threats

Based on the lists from step 1 you assign a damage potential and a probability of occurrence for each threat to every asset type. To make it easier and give you room for expressing your subjective situation, you pick the damage potential from three severity classes (low, medium, high) and the occurrence probability also from three classes (low, medium, high). Here's a brief guideline that helps you make a decision:

The damage potential (severity) for my business, should a given threat become real, is

  • low because the impact is limited and costs are predictable
  • medium because the impact is considerable, but I could find sufficient protection
  • high because the asset is mission-critical and the impact would be catastrophic

Likewise, you assign a probability class

  • low: when the occurrence is very unlikely (< 10^-6, less than one in a million)
  • high: when the occurrence is highly likely (> 10^-3, one in a thousand or larger)
  • medium: when the occurrence is likely or unknown to you

Sometimes it is useful to also classify the cost of the different methods you could employ to counteract a threat, simply because different methods have a different price and this may change your assessment of damage and occurrence above.

The costs of preventing or protecting against a threat are

  • low: because they are lower than 1% of my project budget
  • medium: because they are between 1 and 20% of my project budget
  • high: because they are greater than 20% of my project budget

Step 3: Assess Risk

Deciding on a plan is straightforward after you've assigned classes in step 2. You simply map your threat classifications for each asset into an actionable risk class. The best tool for this purpose is a 2-dimensional diagram with impact on the x-axis and occurrence probability on the y-axis. This diagram is also called a risk matrix.

It is useful to have only three classes, but you may have more when you see more independent options to deal with each risk class. With 3 classes, everything in the lower left corner becomes class 1, everything in the upper right corner falls under class 3 and everything in between is assigned class 2. Where exactly you put the borders between the classes is up to your subjective decision. The lines do not have to be straight. If you need an objective way, use the costs from step 2 multiplied by the probability of occurrence as the metric for the y-axis.

Now, the actions for the risk classes are as follows:

  • Class 1 ignore: You can choose to bear the risk of these threats and deal with problems ad hoc when they occur. Costs are justifiable, the impact is low and the probability is small.
  • Class 2 mitigate: You must definitely take action and implement some active countermeasures (e.g. add redundancy, run backups, encrypt data and protect keys) or limit the impact (e.g. get insurance, limit or outsource liability). Clearly document all the everyday procedures people have to follow in order to prevent threats, and also clearly document and test your disaster recovery procedures.
  • Class 3 avoid: Don't use a technology, product, service or workflow that falls under this class because its cost-benefit relation is unreasonable. It's too risky.
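The classification of step 2 and the matrix of step 3 as a small risk register, added here as an illustration (not code from the original page). The probability and cost thresholds are the ones given above; the placement of the class borders in the matrix and the sample register entries are assumptions for the example.

```python
from typing import Literal, Optional

Level = Literal["low", "medium", "high"]
LEVELS = ("low", "medium", "high")          # index 0..2, used as the matrix axes
ACTIONS = {1: "ignore", 2: "mitigate", 3: "avoid"}


def probability_class(p: Optional[float]) -> Level:
    """Step 2: thresholds from the text; an unknown probability (None) is medium."""
    if p is None:
        return "medium"
    return "low" if p < 1e-6 else "high" if p > 1e-3 else "medium"


def cost_class(cost: float, budget: float) -> Level:
    """Step 2: countermeasure cost as a share of the project budget (1% / 20%)."""
    share = cost / budget
    return "low" if share < 0.01 else "medium" if share <= 0.20 else "high"


def risk_class(severity: Level, probability: Level,
               class1_max: int = 1, class3_min: int = 3) -> int:
    """Step 3: the 3x3 matrix as a score = severity index + probability index
    (0 = lower-left corner, 4 = upper-right corner). Borders are subjective;
    the defaults are an assumed placement, not taken from the text."""
    score = LEVELS.index(severity) + LEVELS.index(probability)
    if score <= class1_max:
        return 1
    if score >= class3_min:
        return 3
    return 2


def assess(register):
    """Rows (asset, threat, severity, p) -> plan rows (asset, threat, class, action)."""
    plan = []
    for asset, threat, severity, p in register:
        c = risk_class(severity, probability_class(p))
        plan.append((asset, threat, c, ACTIONS[c]))
    return plan


# Constructed sample register; the yearly probabilities are illustrative only.
SAMPLE = [
    ("shuttle drive", "loss in transit", "high", 0.05),
    ("laptop", "theft", "medium", 5e-4),
    ("media files", "disclosure", "medium", None),   # probability unknown
    ("software license", "license key misplaced", "low", 1e-7),
]
```

Run `assess(SAMPLE)` to get one plan row per threat; moving `class1_max` or `class3_min` shows how a different border placement changes which threats you merely bear and which you avoid.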

Step 4: Control Risk

Up to this point you don't know if your risk strategy is effective, but at least you have one. In order to improve your strategy and adjust it to emerging risks and technological progress you need to follow up. Some things you can do proactively and on your own; for other issues you need professional help from security auditors.

Things you can do on your own are:

  • keep logs from IT systems for later incident analysis
  • increase awareness, educate people on best security practices
  • document key procedures such as:
      • employee onboarding
      • credential revocation
      • password policies
      • key rotation
  • keep policies and procedures as simple as possible
      • remember, it's your non-expert employees who must execute them

Things you should get professional help for are:

  • perform periodic security reviews for improving your strategy
  • analyze security breaches and other security-related incidents
  • perform penetration tests to check if your security level is what you expect it to be