Information Security

by Andy Taylor

Step 3 – Analyse the potential business impact

So, you’ve identified the risks, but this is only part of the problem. The next question is – does each risk matter? If an identified risk does not lead to some clear and significant consequence, then there is probably no need to spend money on controls for that risk.

The next stage is therefore a Business Impact Assessment (BIA). Having said that, in complex situations steps 2 and 3 are iterative.

MTPD versus RTO

The assessment as to how long the organisation can survive without a particular system or piece of information is often known as the Maximum Tolerable Period of Disruption (MTPD). It is usually a further requirement to determine not only how long the organisation can survive without a system (MTPD), but also how quickly it would be possible to get back to some semblance of normal operations (sometimes called the Recovery Time Objective or RTO). These two times are often very different. If the MTPD is greater than the RTO, things are fairly straightforward. On the other hand, if the system takes longer to recover than the organisation can reasonably do without it, there is a major issue to be managed.

So our standard phrase from the risk assessment needs to be enhanced with a clear potential consequence so that it reads something like: there is a risk that... which would result in... having the effect of...

Taking the sample risks identified in Step 2 as a start, the following additions might be required:

  • There is a risk that, if a computer hacker gains access to the HR system, they could corrupt the information stored, having the effect of allowing false accounts to be established and unauthorised payments to be made
  • There is a risk that, if the HR staff possess read/write (editing) access to the marketing information, they could inadvertently change the prices of products, causing the customers dissatisfaction and prompting them to question the reliability of the company
  • There is a risk that, if a fire started in the marketing department and all customer paper records were lost, it would cost 300 man-years to recover and recreate them
  • There is a risk that, if the level of the river at the back of the office was to rise, the cellar would be flooded, having the effect that all records stored there would be written off.

The effects identified in this BIA are, then, the most important or significant events that might result from the risks materialising. They are usually also consequences that can be valued in a sensible way. Clearly the valuation is much easier to quantify and deal with if it is financial, but naturally this is not always the case.

The financial impact

Most of the outcomes given above can be quantified in financial terms or at least in terms that can be given a financial valuation. Where there is a threat to customer satisfaction, life is a little trickier, since customers’ perceptions are difficult to measure and even more difficult to quantify. Nevertheless, customer feedback, customer retention surveys and the like can be used to assess the level of customer satisfaction. Combined with a value for the cost of gaining new customers, for example, it is possible to give a rough estimation of the financial impact of a risk occurring.

Reality checking

Naturally, a good dose of reality has to be applied in any business impact analysis. It is easy to imagine all sorts of incidents and potential disasters, ranging from the bizarre to the outrageous. So in any BIA, the likelihood of the event happening has to be taken into account. It would be an unusual organisation that could afford to take protection against all eventualities, even assuming they could all be identified.

In some cases, a specific, if unusual, risk should be considered. Businesses near the Buncefield oil distribution centre in the UK, which exploded in 2005, causing a major fire, should have considered the possibility of an incident reducing their normal operations. In many cases, however, the specific causes – fire, terrorism and so on – are less predictable than the consequences, so it is wise to consider general lack of access as a risk in itself.

Do I need both a risk assessment and a BIA?

It should be clear from the examples and discussion above that both the identification of risks and the analysis of the business impact of them occurring must be done. This allows your always-limited resources to be targeted at those risks with the most serious business impacts. It also gives confidence to senior management, shareholders, customers and others likely to be affected by a major incident that the organisation is doing all that it can to identify and address the potential problems. Without either step, there is a real likelihood that key risks will be missed or that effort and money could be wasted on dealing with those risks which are perhaps easier to manage, while other risks, with greater business impact, are ignored.

One key point here is to recognise that the business impact analysis is very much a business requirement. It is not a technical assessment of security or even a risk specialist’s assessment. It must be undertaken by the business for the benefit of the business. It is critical that the business buys in to the principle and that people understand exactly why they are doing the work. It may not be cheap and it is essential that people at all levels within the business know how the money that is spent is protecting the organisation.

It is at this point that the business representatives must be realistic about how they operate. If they really need a system to be available 24 hours a day seven days a week, then they have to accept there is a significant cost associated with this. Just being available during normal working hours, perhaps with extra coverage available at a price, would cost much less, but may not meet the needs of the business.

It is not always the most dramatic risks that need the most attention. The chances of an aeroplane crashing on the roof are not high, though it would clearly be catastrophic to most organisations. However, the chance of a poorly-trained member of staff accidentally corrupting or deleting a database of clients, meaning that lucrative customers are lost, could appear a relatively unexciting risk, but have a huge business impact.