Information Security by Andy Taylor
Step 2 – Determine the risks
Having determined the information assets, the next stage is to consider what the risks to that information are. Some will be generic and well known, while others may be technical, very specialist in nature and known only to a few technicians.
A formal risk assessment can have a number of benefits to any organisation prepared to invest the time and effort required to carry it out effectively.
What is a risk to the security of information?
To determine the risks appropriately, it is necessary to understand what the key threats are. From this starting point, the vulnerabilities are then considered, and it is the combination of these two aspects that produces the real risks.
Risk analysis is covered in detail in another section of this resource and so is not discussed too deeply here. The generic process described there is quite appropriate for this purpose, although the sort of risks considered will naturally need to be those associated with information rather than, say, health and safety.
The risk assessment will provide information on the vulnerabilities in the information and its processing and storage facilities. When combined with the threats to exploit those vulnerabilities, an estimate of the likelihood of the risk occurring can be determined.
It might be worthwhile to consider what is meant by a risk. A risk comes in three parts:
- Firstly, there has to be a threat of some type
- Secondly, there has to be a vulnerability
- Thirdly, there has to be an effect – a consequence of the threat and the vulnerability combining to cause some unwanted result.
To take a classic example from the IT world to illustrate this point, we are all constantly warned of the threats posed by the internet – viruses, phishing attacks, other malware, hackers and so on. These are clearly threats to the security of our information. There are clearly vulnerabilities – software and hardware are continually being updated to address weaknesses in programming, configuration and so on. There is also the vulnerability arising from people doing the wrong thing – opening email attachments or clicking on unverified links and so on.
However, if the IT system is not connected to the internet, there is no risk from those internet-borne threats, and money would therefore be wasted trying to address such non-existent risks in anything but a cursory manner. While this may seem obvious, there have been many occasions when sophisticated and expensive safeguards have been put in place to address a non-existent risk.
That said, you will still need to check on other things that might be happening – if staff bring in CDs or USB memory sticks, for example, they could bring in some malware, and you certainly would not want that to happen.
The risks to information can be brought down to a number of categories, albeit with many sub-categories. They are:
- Theft (taking or unauthorised copying of information)
- Intentional damage (deletion or corruption of information)
- Unintentional damage (user error or system failures)
- Inappropriate accessing (perhaps a variation of theft)
- Lack of availability (as, where and when required).
The next stage, then, is to consider which of these risks might affect the various information categories identified earlier.
There is an alternative way to demonstrate this idea. Consider the diagram showing some different generic information types at the bottom and a few potential groups of people at the top. Lines can be drawn from the blocks at the top to those at the bottom to define where access needs to be blocked, a line meaning that access must be prevented or controlled in some way.
(This is a much simplified diagram from that which might result from a real assessment. For example, it is suggested here that management information should be available to everyone, but senior management might have information they do not want to share. Some HR information might only be available to specific individuals.)
Once the diagram is well formed (not complete, because there are almost always going to be amendments), the next stage is to put on paper what the risks really are. The best way to do this is to formalise the statements in a way that everyone can understand. There need to be clear statements of a cause and an effect: there is a risk that ... which would result in ...
- There is a risk that, if a computer hacker gains access to the HR system, they could corrupt the information stored there
- There is a risk that, if the HR staff are allowed read/write (editing) access to the marketing information, they could inadvertently change the prices of products
- There is a risk that, if a fire started in the marketing department, all customer paper records would be lost
- There is a risk that, if the level of the river at the back of the office was to rise, the cellar would be flooded.
It is best if the number of risks is kept to the minimum possible, simply to reduce effort and confusion. It is therefore often preferable to try to take risks back to their origin or basic cause, rather than having a lot of different consequences from one basic problem.
This is the first part of the risk analysis, helping to define why there need to be some controls. Note that if, at this stage, it is not possible to write statements that gain unequivocal buy-in from senior staff, it is unlikely that the resulting controls will prove a resounding success.
With computer systems playing such a critical role in most organisations in the modern world, risks from the internet to those systems are worthy of particular concern (see Internet attacks).
Once the risk is identified, it is vital that the likelihood or probability of that risk materialising is also assessed. One scale that could be used is very low (less than 20 per cent chance), low (20 to 40 per cent chance), medium (41 to 60 per cent chance), high (61 to 80 per cent chance) and very high (over 80 per cent).
The proximity or time within which the risk might materialise should also be assessed and this can also be done in a number of ways. A useful scale might be imminent (within one month), short term (one to three months), medium term (three to twelve months) or long term (more than twelve months).
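As an added example (not part of the original text), the following Python sketch encodes the three-part definition of a risk given above, the likelihood and proximity scales just described, and the "There is a risk that, if ..., ..." form of statement. The field names and the rule that a risk missing any of its three parts is rejected are this example's own assumptions.

```python
from dataclasses import dataclass


def likelihood_band(pct: int) -> str:
    # Five-point likelihood scale quoted in the text, on whole-number percentages.
    if not 0 <= pct <= 100:
        raise ValueError("likelihood must be a percentage from 0 to 100")
    if pct < 20:
        return "very low"     # less than 20 per cent
    if pct <= 40:
        return "low"          # 20 to 40
    if pct <= 60:
        return "medium"       # 41 to 60
    if pct <= 80:
        return "high"         # 61 to 80
    return "very high"        # over 80


def proximity_band(months: float) -> str:
    # Time within which the risk might materialise, on the text's four-point scale.
    if months < 0:
        raise ValueError("months must not be negative")
    if months <= 1:
        return "imminent"     # within one month
    if months <= 3:
        return "short term"   # one to three months
    if months <= 12:
        return "medium term"  # three to twelve months
    return "long term"        # more than twelve months


@dataclass(frozen=True)
class Risk:
    threat: str         # who or what could do harm
    vulnerability: str  # the weakness the threat would exploit
    cause: str          # the "if ..." clause of the formal statement
    effect: str         # the unwanted consequence
    likelihood_pct: int
    months_away: float

    def __post_init__(self):
        # Threat, vulnerability and effect are all required (assumed rule): the offline
        # system in the text has no internet threat path, so no such risk is recorded.
        if not all(p.strip() for p in (self.threat, self.vulnerability, self.effect)):
            raise ValueError("a risk needs a threat, a vulnerability and an effect")

    def statement(self) -> str:
        return (f"There is a risk that, if {self.cause}, {self.effect} "
                f"[likelihood: {likelihood_band(self.likelihood_pct)}; "
                f"proximity: {proximity_band(self.months_away)}]")
```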
Differences between organisations
Are there differences in the information security needs of public, commercial, charitable or fourth sector organisations? After all, the same legislation applies to all organisations in one way or another. However, the risks faced by each type of organisation can be subtly different, so the solutions may differ quite widely. One size does not fit all in this respect.
As is discussed in some detail later, the risk assessment, followed up by the business impact assessment, is where the differences will first show up. The risks that are the main causes of concern for banks, large industrial companies and other commercial sector organisations are frequently and largely to do with money. A competitor gaining access to some new invention or product line could, in extreme circumstances, cause a company to cease trading. In government departments, on the other hand, it is more often the risks to their reputation as a reliable delivery agent and source of accurate information that are perhaps their biggest concern.
In the charity and fourth sector worlds, it may be their reputation for doing things efficiently, rather than wasting money on unnecessary bureaucracy, that is the biggest concern. If an investigative journalist accessed confidential records showing that the chief executive claimed huge expenses for their efforts on behalf of the charity, it could be disastrous for its fund-raising activities.
Whenever information security is considered, it must be the business impact of a risk occurring that is the bottom line and that justifies the expenditure or security measure put in place. Without that justification, there is highly likely to be a major mismatch between the measures taken and the potential impact on the organisation, which will usually result in excessive or even unnecessary expenditure.