Information Security by Andy Taylor
Step 4 – Consider your options
Having undertaken a full assessment of the potential risks and the impact, should these occur, the senior staff must make some hard decisions. It would be unrealistic to expect to be able to afford, manage and address all the risks and to cover all bases. The expense of such a course of action would be unbearable for most organisations, so the senior management must choose their priorities and decide where the money should be spent to best effect. This is where the real business interest has to be the dominant factor.
There are four main ways of responding to risks, sometimes known as mitigations or treatments. These responses are referred to in different ways by various risk management methods, but they are all of a similar nature.
- Remove, avoid – actually do things differently so as to avoid the risk altogether. If there is a risk of hackers getting into an office network from the internet and thereby doing some damage, remove the link to the internet. This stops that risk altogether (although it clearly has an impact elsewhere!).
- Reduce, mitigate – do something to reduce either the impact of the risk, should it occur, or the likelihood of the risk occurring. In the case of a fire risk, it might be putting in a sprinkler system so that if a fire starts its damage is limited to a small area. Or perhaps you could build with non-flammable materials so that a fire would be less likely in the first place. Your response could also be a ‘plan B’ – some course of action to take if the risk materialises, such as having copies of important documents held at another site unlikely to be affected by the same fire.
- Transfer, share – take some action to move the impact of the risk, or possibly its management, to another party. A typical example might be taking out fire insurance. Then, if there is a fire, the financial impact of the risk is passed to the insurance company. It must be noted, though, that there will still be other impacts – the lack of availability of the premises, damage to stock and so on. It is rare to find that transferring a risk covers all aspects of its management; hence this is sometimes known as ‘share’. This means the impact of a risk occurring is shared between the two parties in an agreed manner.
- Accept – there are cases where the cost of mitigation (the cost of an insurance premium, for example) is so high or the likelihood is so small that the business leaders decide to simply accept the risk – to take no further action. This must not be seen, though, as doing nothing. Monitoring the risk and ensuring that it doesn’t change in any way is always a significant part of accepting the risk. This is also the case when some other action is taken to reduce the risk to a reasonable level so it can then be accepted by the senior management.
The point at which managers decide not to take any further action is sometimes called their risk appetite. This may vary within different parts of the organisation: there may be a much lower appetite in the production area (where the money is made) than in the HR department, where the consequences of risks materialising may be less urgent. It may also vary according to other factors, such as the time of year. The Passport Office may be more willing to accept risks occurring at their quieter times than at their peak business times. The impact on reputation (which is so often a critical factor) may drive the risk appetite down significantly to the point at which, for example, a freeze on technology updates is established during the busy periods.
Could mitigation create new risks?
It must also be borne in mind that additional or different risks will often be created by taking a particular course of mitigation. The example above relating to accessing the internet might remove one risk but increase another: the chance of losing business, perhaps, or of staff finding other ways of surfing the internet in their work time. The latter might include illicit connections to the internet through modems and telephone lines – probably an unacceptable risk.
The possible controls can now be added to the original risk diagram.
The specific controls preventing access to information can be written on the appropriate lines – there could be several from the different types available. Perhaps a locked door gives access to a particular room where there is then a computer, with a password or other technical control giving controlled and perhaps limited access to certain management systems. As a further deterrent (control), there may then be a written rule stating that misuse of the information will be punished.
There are three types of controls that can be used in any situation and in any combination in order to achieve the desired result.
- Physical – this covers the physical security put in place, often around buildings: walls, doors, locks, fences and so on.
- Technical – this is anything that uses technology to achieve the necessary security. It will include IT measures, such as passwords, logons, firewalls, encryption and the like. It could also include technological devices, such as CCTV, electronic locks and other such items, although here the borderline with physical security sometimes gets blurred. It is also likely to include the detection and monitoring systems used in many organisations, where there’s a security watch over the activities of users on the corporate network to ensure they are not doing inappropriate things.
- Procedural – procedural security is sometimes also called people security. This is about how people are persuaded to act in a secure manner and so might include training and awareness programmes. It would also include information security policies and disciplinary procedures for those who transgress the prescribed way of working. It might also cover rules, such as the ‘two-person’ rule for entering secure areas to reduce the risk of unauthorised activities by one person working on their own.
Naturally, the bottom line in this area is very much the trust placed in the staff or other users. Where trust is high, it may be the main form of security relied upon; where trust is low, or the risk higher, the security resting purely on trust should be significantly reduced.
In addition, controls can be categorised as described below.
- Detective measures may show a risk has materialised and so allow reactive measures to be taken to reduce the likelihood of a reoccurrence. These might also identify where, how and by whom the attack took place, allowing punitive action to be taken. CCTV is often considered to fit this type – it doesn’t really stop crime (except perhaps through having a small deterrent effect), but it can help the detective work that takes place after the attack.
- Corrective measures deal with the consequences of a risk arising and so, again, allow reactive actions to deal with the consequences. There might, for example, be a clause in the contract of a misguided employee, who is then charged for the additional work that has to be done to rectify the situation they have caused.
- Preventative measures take proactive action to stop a risk occurring or reduce its likelihood to an acceptably low level. A firewall protects a network from hackers; it doesn’t remove the risk altogether, but does reduce the risk significantly.
- Directive measures take proactive actions to ensure a particular event doesn’t happen. Examples might be using data-entry checking routines to ensure users don’t make errors. The directive nature of these controls means that in certain circumstances, if employees choose not to follow the directive, action could be taken to penalise them if the risk materialises.
There are therefore a number of different types of measure that can be taken to try to reduce the consequences of risks occurring. Each has its own application, costs, merits and demerits and ease of application. A combination of measures is often the best option.
It is often possible to identify one countermeasure that will deal with several risks. This is where root cause analysis can help. If the root cause for a group of risks can be found, then there is a fair chance several consequential outcomes can be covered by one countermeasure.
Before you choose which options to go for, you will obviously need a fairly accurate idea of the financial cost of each measure. Establishing a new rule or protocol may cost relatively little; installing new software and retraining staff throughout all branches, or putting in sprinklers, humidity controls, fire doors and so on, could be extremely costly. You may need to use specialists within and outside the company here: a new security software system may appear to tick all the boxes, for example, but is it compatible with your existing set-up? If not, then the cost of installing it could obviously rise sky high.
Once you have established the cost of the different measures under discussion, this is where the balance must be struck between the probability, impact and cost of countermeasures or mitigation. A small impact risk that happens every day could be significantly more important than a high impact risk that might realistically occur once in a hundred years. If the business has £X to spend on countermeasures, is the former better value for money or the latter? Only those within the business can decide and make the sort of value judgements that are necessary.
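The comparison in the paragraph above (a small loss every day against a large loss once in a hundred years, weighed against the cost of each countermeasure) can be made explicit by putting the risk register into numbers. The following Python script is an added illustration and is not part of the course material; the register entries, frequencies, loss figures, treatment costs and the £100,000 budget are all constructed for the example. It expresses likelihood as an expected number of occurrences per year, multiplies by the impact to get an annualised loss, and then ranks each proposed treatment (avoid, reduce, transfer) by the annual loss it removes net of its own cost, falling back to ‘accept’ where the treatment costs more than it saves.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed register entries: a risk is a likelihood (expected events per
# year) paired with a loss per occurrence. Neither figure comes from the course.
@dataclass
class Risk:
    name: str
    events_per_year: float
    impact_gbp: float

    def annual_loss(self) -> float:
        # Annualised loss expectancy: likelihood x impact.
        return self.events_per_year * self.impact_gbp


@dataclass
class Treatment:
    risk: Risk
    kind: str                      # "avoid", "reduce" or "transfer"
    annual_cost_gbp: float         # what the countermeasure costs per year
    residual_events_per_year: float
    residual_impact_gbp: float     # loss per occurrence after the treatment

    def residual_annual_loss(self) -> float:
        return self.residual_events_per_year * self.residual_impact_gbp

    def annual_benefit(self) -> float:
        # Loss removed by the treatment, before paying for it.
        return self.risk.annual_loss() - self.residual_annual_loss()

    def net_benefit(self) -> float:
        return self.annual_benefit() - self.annual_cost_gbp


def decide(treatments: List[Treatment], budget_gbp: float) -> Dict[str, str]:
    """Rank treatments by net benefit and adopt them while the budget lasts.

    A treatment whose cost exceeds the loss it removes is not worth buying,
    so its risk is recorded as accepted (to be monitored, not ignored).
    """
    decisions: Dict[str, str] = {}
    remaining = budget_gbp
    for t in sorted(treatments, key=lambda t: t.net_benefit(), reverse=True):
        if t.net_benefit() > 0 and t.annual_cost_gbp <= remaining:
            decisions[t.risk.name] = t.kind
            remaining -= t.annual_cost_gbp
        else:
            decisions[t.risk.name] = "accept"
    return decisions


# Constructed register mirroring the text's two extremes plus the internet
# example: frequent small losses, a rare catastrophe, and a risk whose
# avoidance (cutting the internet link) costs more than the risk itself.
PHISHING = Risk("phishing-led mailbox compromise", events_per_year=250, impact_gbp=500)
FIRE = Risk("data centre fire", events_per_year=0.01, impact_gbp=5_000_000)
INTERNET = Risk("office network breached via internet link", events_per_year=2, impact_gbp=10_000)

TREATMENTS = [
    # Reduce: awareness training plus mail filtering cuts the frequency tenfold.
    Treatment(PHISHING, "reduce", annual_cost_gbp=20_000,
              residual_events_per_year=25, residual_impact_gbp=500),
    # Transfer: insurance leaves an uninsured residual loss per fire.
    Treatment(FIRE, "transfer", annual_cost_gbp=30_000,
              residual_events_per_year=0.01, residual_impact_gbp=500_000),
    # Avoid: removing the link removes the risk, but lost business costs more.
    Treatment(INTERNET, "avoid", annual_cost_gbp=60_000,
              residual_events_per_year=0, residual_impact_gbp=0),
]


def example_decisions() -> Dict[str, str]:
    return decide(TREATMENTS, budget_gbp=100_000)


if __name__ == "__main__":
    for t in TREATMENTS:
        print(f"{t.risk.name}: loss/yr £{t.risk.annual_loss():,.0f}, "
              f"{t.kind} nets £{t.net_benefit():,.0f}/yr")
    print(example_decisions())
```

The frequent small risk (£125,000 a year) outweighs the rare large one (£50,000 a year) on expected loss alone, which is the point the paragraph makes; the script also shows the ‘avoid’ option failing the value test and being recorded as accepted rather than simply dropped. The figures are only a way of ordering the discussion: the value judgement about reputation, timing and appetite still rests with the business.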
So now the organisation has a risk register showing all the potential risks the survey has come up with and some form of analysis and assessment, both in terms of the likelihood and of the business impact. The senior managers have made their priorities known and some value judgements have now been made to decide which risks are to be dealt with and which just accepted.