The importance of Risk Assessments

Life is a risk. Risk is something we encounter, assess and manage in our lives on a daily basis, whether it's crossing a road, driving a car or just going shopping. When we encounter something that has an associated risk, like crossing a road, we have to assess whether it is safe or not. Once we have made our assessment we can, if the risk is low, cross the road or, if the risk is too high, mitigate it by walking to a safe crossing.

Information Governance and Security often calls for a formal risk assessment to be carried out.

A risk assessment is the process of ascertaining the risks that exist for a given element. The element can be anything that can have something bad happen to it: a person (they can fall over and injure themselves), an organisation, or a computer system. Many other things can have risks associated with them, but for our purposes we will stick with computers, people (staff and customers) and the organisation itself. The same process applies to all of these but, of course, the risks will differ.

Before we start the Risk Assessment process, we should decide what level of risk the organisation is prepared to accept, and define what each level of risk means.

What is a risk?

A risk exists where a threat can exploit a vulnerability in something we care about. We look at a risk as having, firstly, a threat or a number of threats, and then, for each threat, one or more vulnerabilities that it can exploit.

An example of a threat is Fire; the vulnerability is what lets the fire happen, e.g. paper is stored on top of a heater, or somebody with malicious intent can start a fire.

In the example above, we have identified 2 risks:

  • Fire => Paper is stored on top of a heater
  • Fire => Malicious Intent (Criminal Action)

So, to perform a risk assessment we must identify all the Threat <=> Vulnerability pairs associated with each element we are assessing. Once the risks have been identified, we need to decide on the severity of each risk. We will discuss this later.

We should also record which attribute of information security could be affected. These are Confidentiality, Integrity and Availability, CIA for short.

Confidentiality – Prevent information from reaching the wrong people, while making sure that the right people can in fact access the information.

Integrity - Maintaining the consistency, accuracy, and trustworthiness of the information. The information must not be changed in transit, and cannot be altered by unauthorised people.

Availability - Ensuring that the asset or the information is available for use when it is required.

Why perform a risk assessment?

There are a number of reasons a risk assessment should be performed; it is often something the organisation must do to be compliant with regulations or standards. This is often treated as a tick-box exercise, but the advantages of the risk assessment pay off in other ways.

The Risk Assessment shows you where your risks are and helps indicate and prioritise where your risk reduction efforts should be targeted. This helps ensure that you spend your budget wisely, directing it to the areas where security is actually required, rather than simply guessing that a particular security software tool or appliance is necessary.

For example, we were discussing the 'risk of fire' above; the risk assessment identified two vulnerabilities, namely 'paper stored inappropriately' and 'malicious action'. Rather than investing in a full fire sprinkler system, it is much cheaper to 1) move the paper and 2) buy a lock for the door.

What are Levels of risk?

So far, we have discussed what a risk is. As in life, not all risks are equal: some are riskier, while others carry a very low level of risk. We need a method of determining the level of risk (HIGH to LOW) of each of the identified risks. But what makes one risk higher or lower than another? We have already looked at 'threats' and 'vulnerabilities'; we now need to look at 'Impact' and 'Likelihood'.

`Impact` is the effect or outcome the risk would have on the organisation if it were to happen or 'be exploited'. `Likelihood` is the chance of the risk being exploited; in other words, how likely it is to happen.

The risk assessment process will identify many (probably thousands of) risks to the organisation's assets and this gets complicated. To simplify things, we need a method to quantify the risk, so we choose a scale, perhaps 1 to 5, for both Impact and Likelihood, 1 being the lowest and 5 the highest.

A risk assessment should be 'justifiable, repeatable and comparable'. This means that others would reach a similar conclusion if they were performing the risk assessment to determine the risk score. To achieve 'repeatable and comparable' we cannot just say that something has a level 2 Impact; we need to define what each level (1-5) of `Impact` and `Likelihood` actually means.

Impact

There are a number of scoring 'schemes' that are used to assign values to the different levels (High to Low) for Impact assessment. We have documented three options below.

To help ensure that risk assessments across an organisation are consistent, it is important that you decide on the definitions you will use and stick with them.

This definition is concerned with the impact to the operation of a business system:

IMPACT
  5 Catastrophic  - May cause an extended system outage, or the system to be permanently closed, causing operations to resume in a Hot Site environment.
  4 Major         - May cause considerable system outage and/or loss of connected customers or business confidence.
  3 Moderate      - May cause damage to the reputation of system management and/or notable loss of confidence in the system's resources or services.
  2 Minor         - Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals.
  1 Insignificant - Will have some minor effect on the system.

This definition is concerned with services which are delivered to customers:

IMPACT
  5 Catastrophic  - Permanent loss of key service or facility.
  4 Major         - Sustained loss of key service which has a serious impact on delivery of services to customers.
  3 Moderate      - Some disruption in key service with an unacceptable impact on delivery of services to customers.
  2 Minor         - Short-term disruption of key service with a minor impact on delivery of service to customers.
  1 Insignificant - Interruption of key service which does not impact on the delivery of service to customers.

This definition is concerned with the impact to the organisation's reputation:

IMPACT
  5 Catastrophic  - May result in unrecoverable damage to the organisation's reputation and may cause failure of the business.
  4 Major         - Will require significant expenditure and significant resources to repair the reputation.
  3 Moderate      - Will require expenditure and resources to repair the reputation.
  2 Minor         - May cause embarrassment; will require some expenditure or resources to repair.
  1 Insignificant - Will not cause any harm to the organisation's reputation.

Likelihood

These definitions may be used for the likelihood of a risk occurring. Each level is described in three ways (qualitatively, as a frequency, and as a chance of occurrence); choose the one basis your assessors will use and state the time period the chance refers to, otherwise two assessors can score the same risk differently.

LIKELIHOOD
  5 Probable   - More likely to occur than not. Will occur numerous times per month. More than 50% (more than 1 in 2 chance).
  4 Possible   - Reasonable chance of occurring. Will occur once per month or less. More than 5% (more than 1 in 20 chance).
  3 Unlikely   - Unlikely to occur. Will occur once every six months or less. More than 0.5% (more than 1 in 200 chance).
  2 Rare       - Will only occur in rare circumstances. Will occur once every year or less. More than 0.05% (more than 1 in 2,000 chance).
  1 Negligible - Will only occur in exceptional circumstances. Will occur once or twice every five years. More than 0.005% (more than 1 in 20,000 chance).

We now have our definitions for `Impact` and `Likelihood`. Let's apply these to our 'risk of fire'.

What is the impact and likelihood of fire occurring?

Looking at Fire => Paper is stored on top of a heater

So far, we have only looked at the Threat <=> Vulnerability pairs for Fire. The risk level will differ, probably quite significantly, between the different assets we have, so we must now define the asset that we are assessing for risk. Let us consider the risk of fire to the ecommerce server, which is a critical asset to the organisation.

So, if fire should break out and destroy the ecommerce system, how would this impact us?

IMPACT
  5 Catastrophic  - May cause an extended system outage, or the system to be permanently closed, causing operations to resume in a Hot Site environment.
  4 Major         - May cause considerable system outage and/or loss of connected customers or business confidence.
  3 Moderate      - May cause damage to the reputation of system management and/or notable loss of confidence in the system's resources or services.
  2 Minor         - Will result in some tangible harm, albeit negligible and perhaps only noted by a few individuals.
  1 Insignificant - Will have some minor effect on the system.

We would probably agree that it would cause a 'considerable system outage', so the Impact is 'Major', i.e. assigned a value of 4.

Now the Likelihood of Fire.

LIKELIHOOD
  5 Probable   - More likely to occur than not.
  4 Possible   - Reasonable chance of occurring.
  3 Unlikely   - Unlikely to occur.
  2 Rare       - Will only occur in rare circumstances.
  1 Negligible - Will only occur in exceptional circumstances.

We think that if there is a pile of paper on top of a heater then there is a 'Reasonable chance' of this occurring, so the Likelihood is 'Possible', assigned a value of 4.

The Impact is 4 and the Likelihood is 4, what is the risk level?

For the risk Fire => Malicious Intent (Criminal Action) we think the Impact would be the same, i.e. 'Major', Level 4, but the Likelihood is 'Negligible', Level 1.

How do I calculate the value of a risk?

To calculate the risk, we could simply add the Impact value to the Likelihood value. If the Impact was 1 and the Likelihood was 1 we would have a value of 2. Adding the values together gives a risk range of 2-10, which is not easy to use. It would be simpler if the scale was 1-9; this is easily achieved by subtracting 1 from the result.

Our formula for Risk Assessment is:

(Impact + likelihood) – 1

As an example, our risk of Fire (Paper Storage) is 4 + 4 - 1 = 7 and our Fire (Malicious Action) is 4 + 1 - 1 = 4. We now have our risk values. One caveat with an additive formula: a Catastrophic but Negligible risk (5 + 1 - 1 = 5) scores the same as a Moderate and Unlikely one (3 + 3 - 1 = 5). Many schemes multiply Impact by Likelihood instead (giving a 1-25 scale) so that high-impact risks weigh more heavily; whichever formula you choose, document it in the risk assessment policy so that every assessment uses the same one.

Acceptable level of risk

Senior management and the board should determine the acceptable level of risk for the organisation (its 'risk appetite'). This should be documented and published in a risk assessment policy.

Accepting a risk occurs when the cost of managing it is judged not to be worthwhile: the risk is not significant enough to warrant the additional cost it would take to avoid or mitigate it.

As we are using a scale of 1-9 for our 'Risk levels', we must use the same scale (1-9) for the level of risk that the organisation will accept.

An example of Risk Appetite levels definitions is shown below:

  1 Very Low
  2 Very Low / Low
  3 Low
  4 Low / Moderate
  5 Moderate
  6 Moderate / High
  7 Significant
  8 Significant / High
  9 High

Let's assume the organisation's board have agreed that they will accept risks up to a level of Moderate (5). Our risk score for 'Fire (Paper Storage)' was calculated as 7, which is above the accepted level. The risk 'Fire (Malicious Action)' is level 4, which is acceptable.

As the level of risk for 'Fire (Paper Storage)' is above the accepted level, we will need to find a method of lowering the risk so that it becomes acceptable, e.g. put the paper in a cupboard.

The risk 'Fire (Malicious Action)' is at level 4. This means that at present we do not need to take any further action, but it should stay in the register and be reviewed, as our risk appetite may change in the future.

A common way to visualise risk is an Impact v Likelihood grid, with one axis for each factor and the risk score in each cell. The grid is set up so that any cell whose score is above the accepted level (5 in our example) is shown as red. In our previous example, the 'Risk of Fire' (paper storage) had an Impact score of 4 and a Likelihood score of 4. When it is plotted on the grid we can see that it sits ABOVE the 'Accepted level of risk'.

Risk Mitigation Strategies

There are a number of strategies we can take with risks which are above the accepted risk threshold for the organisation.

We can:

Accept – a justifiable decision by the risk owner to accept the risk and not implement a risk treatment plan to mitigate it. The Board can, after reviewing all options, choose to accept the risk. This is chosen only in exceptional circumstances.

Avoid – typically involves either removing the asset, or changing or terminating the associated asset processes to avoid the risk.

Reduce – implementation of a risk treatment plan to lower the residual risk to an acceptable level.

Transfer – the risk is shared with another party that can manage it more effectively. This may mean that the organisation purchases insurance against the event.

Normally, an organisation will choose to `Reduce` risk. In our examples, our risk mitigation plan (to reduce the risk) involved moving the paper storage and putting locks on doors.

We can recalculate the risk after we have implemented the 'controls':

  • Fire => Paper is stored on top of a heater
    Our risk level would now be an Impact of 'Major', level 4, but the Likelihood would reduce to 'Negligible', level 1, i.e. a risk of 4 + 1 - 1 = 4.

  • Fire => Malicious Intent (Criminal Action)
    Our risk level would still be an Impact of 'Major', level 4, and the Likelihood remains 'Negligible', level 1, i.e. a risk of 4 + 1 - 1 = 4.

Both of our risks are now below the level accepted by the organisation's board, so no further action is required.
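The scoring, appetite check and residual-risk recalculation above, carried through in code. This is an added example and is not part of the original article: the 1-5 scales, the (Impact + Likelihood) - 1 formula, the appetite of Moderate (5), the two fire risks and their controls are taken from the text, while the function names, the `Risk` record, the treatment of the likelihood percentages as an annual chance and the text grid are this example's own assumptions.

```python
"""Worked example of the article's risk-scoring method, applied to the
two 'risk of fire' entries. Scales, formula and appetite follow the
article; the function and field names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional

IMPACT = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}
LIKELIHOOD = {5: "Probable", 4: "Possible", 3: "Unlikely", 2: "Rare", 1: "Negligible"}
RISK_LEVEL = {1: "Very Low", 2: "Very Low / Low", 3: "Low", 4: "Low / Moderate",
              5: "Moderate", 6: "Moderate / High", 7: "Significant",
              8: "Significant / High", 9: "High"}
# 'More than ...' thresholds from the likelihood table, as fractions. Treating
# them as an annual chance is an assumption of this example, not the article's.
LIKELIHOOD_BANDS = [(0.5, 5), (0.05, 4), (0.005, 3), (0.0005, 2), (0.00005, 1)]


def risk_score(impact: int, likelihood: int) -> int:
    """The article's formula: (Impact + Likelihood) - 1, on a 1-9 scale."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on the 1-5 scale")
    return impact + likelihood - 1


def likelihood_from_probability(annual_probability: float) -> int:
    """Map an estimated chance of occurrence per year onto the 1-5 scale."""
    for lower_bound, level in LIKELIHOOD_BANDS:
        if annual_probability > lower_bound:
            return level
    return 1  # below even the Negligible band; the scale has no lower level


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str                         # attribute affected: C, I or A
    impact: int
    likelihood: int
    controls: List[str] = field(default_factory=list)
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    @property
    def name(self) -> str:
        return f"{self.threat} => {self.vulnerability}"

    @property
    def inherent(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def residual(self) -> int:
        """Score after controls; equals the inherent score until treated."""
        i = self.impact if self.residual_impact is None else self.residual_impact
        l = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        return risk_score(i, l)


def treat(risk: Risk, control: str, impact: Optional[int] = None,
          likelihood: Optional[int] = None) -> None:
    """Record a control and the impact/likelihood it leaves behind."""
    risk.controls.append(control)
    if impact is not None:
        risk.residual_impact = impact
    if likelihood is not None:
        risk.residual_likelihood = likelihood


def needs_treatment(register: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score is still above the board's appetite."""
    return [r for r in register if r.residual > appetite]


def build_register() -> List[Risk]:
    """The two fire risks to the ecommerce server, scored as in the article."""
    return [
        Risk("ecommerce server", "Fire", "Paper is stored on top of a heater", "A",
             impact=4, likelihood=4),
        Risk("ecommerce server", "Fire", "Malicious Intent (Criminal Action)", "A",
             impact=4, likelihood=1),
    ]


def render_grid(appetite: int) -> str:
    """Impact v Likelihood grid; cells above the appetite are bracketed
    (the 'red' cells on the article's grid)."""
    rows = ["Impact \\ Likelihood".ljust(20) + " ".join(f"L{l} " for l in range(1, 6))]
    for i in range(5, 0, -1):
        cells = []
        for l in range(1, 6):
            score = risk_score(i, l)
            cells.append(f"[{score}]" if score > appetite else f" {score} ")
        rows.append(f"I{i} {IMPACT[i]}".ljust(20) + " ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    APPETITE = 5  # the board accepts up to Moderate
    register = build_register()
    for r in register:
        print(f"{r.name}: inherent {r.inherent} ({RISK_LEVEL[r.inherent]})")
    for r in needs_treatment(register, APPETITE):
        print(f"  above appetite, needs treatment: {r.name}")
    treat(register[0], "Move paper into a cupboard", likelihood=1)
    treat(register[1], "Fit a lock to the server room door", likelihood=1)
    for r in register:
        print(f"{r.name}: residual {r.residual} ({RISK_LEVEL[r.residual]})")
    print(render_grid(APPETITE))
```

Running the script reports the paper-storage risk at 7 (Significant) and the malicious-action risk at 4 before treatment, flags only the first as above appetite, and shows both at 4 afterwards. Keeping the inherent and residual scores on the same record is what lets the register later show why a control was chosen and what it bought; `risk_score` rejecting out-of-range values is the cheap check that stops a typo in a workshop spreadsheet from silently producing a score off the 1-9 scale.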

What should I perform a risk assessment on?

According to the ISO 27001 standard, you should compile an information asset register to identify your assets; it should include all assets that have a value to the organisation, and these should all be risk assessed.

If we were to risk assess every asset individually it would take an eternity. I would recommend first creating your asset register to find and understand the assets you have. Once you have identified your assets, you can group together assets which have a similar function or configuration, such as desktop computers, laptop computers, network printers, web servers, etc.

Once you have your groups, it will be much simpler to risk assess each group of assets, provided they have a similar function, a similar configuration and a similar risk profile. If you have a number of web servers but some are Windows based and others are Linux based, then they have a similar function but not a similar configuration, and should be assessed as separate groups.

How do I perform a risk assessment?

We now know how to do the Risk Assessment and what to perform it on, but how do we actually carry out the assessment? We could just sit down in a darkened room and work out the risks. A far more practical approach is to workshop the assessment.

Start by building a programme for the workshops. We have already created the groups of assets which need assessing and the other assets which require individual assessment. Set up a number of workshops to assess similar categories of devices and invite the relevant stakeholders: Asset Owners, Risk Owners, technical specialists, etc.

For each workshop, set a time limit of, say, 1 hour per asset group. This will focus attention. In the first 15 minutes, try to find the top 5 threats. Once you have the list of threats, work out the top 3 vulnerabilities for each threat and agree on the Impact and Likelihood for each of these.

Once the workshop is complete, you will need to formally record the findings in your risk register. At a later date you will need to determine the correct controls needed to reduce and mitigate each risk. Risks that are above the accepted level can be lowered by implementing mitigating controls, such as those described in Annex A of ISO 27001. Again, the controls implemented should be documented in the risk register and the 'residual risk' assessed. If the residual risk is still above the organisation's accepted risk level, further risk mitigation must be employed.

Alternatively, an external company such as DLP Assured could help you with your ISO 27001 risk assessment.

Contact Us!


For any enquiries you may have, or to book, please contact us using the information below.

+44 (0)203 397 0142

DLP Assured Services Limited
Kemp House
152 - 160 City Road
London
England
EC1V 2NX
