Question

In: Operations Management

What types of evidence are you looking for when you conduct a risk analysis and how do you find them?

Solutions

Expert Solution

Understand the business context

Taking risks is a necessary part of doing business in order to create opportunities and help deliver business objectives. Organisations should always be aware of the risks they are taking to achieve their aims.

To ensure meaningful outcomes, organisations need to provide a context in which risk management and risk assessment is conducted. This context can be set by answering the following questions:

  • What is the organisation trying to achieve, and what does it really care about?
  • What business assets are involved (for example systems, services, information and other business assets such as reputation), and what are they worth to the organisation?
  • What risks is the organisation prepared/not prepared to take with those assets to achieve its objectives?
  • Are there any external legal and regulatory requirements that need to be considered?
  • Are there any third party risk management or contractual considerations to take into account?
  • What rewards may be realised by taking risks?
  • What governance structure will the organisation have in place to support risk management decision making?

Those responsible for making risk management decisions should contribute to, and agree with, the formulation of this context.

Decide on the risk management approach

Before taking any action, the organisation must understand and communicate what risk management approach the business is going to take to provide confidence that the technology and information used is secure enough. This is an important business decision because the security of the organisation and its assets depend on it.

Risk assessment and other risk management activities require technical, security and business skills and knowledge and resources. Choosing the wrong approach could be costly in terms of resource use and security compromise.

Organisations have a number of choices available to them to manage risks that have been identified. They can choose to avoid, accept, transfer or treat risks to their business. If an organisation has decided to manage the risks they face, through treatment using security controls, then three potential approaches are briefly outlined below:

1. Rely on the security provided by commercial products and services

In this approach, the organisation relies on the security provided by a commercial product or service, without conducting further security analysis. If the organisation adopts this approach, then there is no need to conduct customised technology and information risk assessments to help specify additional security controls. However, the organisation must accept that:

  • it is completely reliant on the security claimed to be provided by commercial products and services, which can vary from ‘very robust’ to ‘almost none at all’
  • security won’t be tailored to any specific needs the organisation might have

From a security perspective, this approach does not mean ‘do nothing’. Organisations that choose to take this approach still need to:

  • have in place organisational controls (for example personnel security, physical security and security training for users)
  • seek confidence and assurance that the commercial products and services they use are appropriate in the context of what they are doing and the threats they face
  • make appropriate use of the security provided as standard by commercial products and services

Adopting this approach is dependent on having effective and appropriate commercial contracts and agreements in place. It should not be assumed that suppliers’ own standard commercial terms of business will provide an adequate basis for relying on the security provided by any product or service.

Organisations should also note that without risk assessment, the business will have no understanding of the technical and information risks it faces. This could result in a lack of security where it is needed, or the application of security where it is not needed, resulting in security compromise or unnecessary costs.

2. Apply common solutions to solve common problems

In this approach, the organisation applies the security provided by common security solutions to solve common technology problems. It only carries out tailored risk assessments (or specifies additional security controls) for those business objectives that are not entirely covered by the common solution.

This is illustrated in the diagram below:

Some examples of common solutions to common problems include:

  • BYOD guidance
  • Cloud security principles

If the organisation decides that its business objectives are not entirely covered by the risk assessment for a common solution, the next step is to understand where the differences lie. For example, is there a unique threat or unique asset to be considered? Once these differences have been understood, then this can be used to form the basis of a more tailored risk assessment activity to specify additional security controls.

3. Carry out risk assessments to specify security controls

In this approach, the organisation chooses an appropriate risk assessment method and makes informed risk management decisions about what security controls it will implement. When making these decisions, the business may choose to:

  • manage risks using controls that are independent of any predefined control set
  • use security controls and control sets intended to implement local, national or international policies and standards (eg ISO/IEC 27001); these control sets are general in nature and need to be tailored to meet the needs of the organisation

Decisions will be informed by what the organisation is, and what it is trying to achieve. Some organisations in certain sectors may need to demonstrate that they have applied security controls to comply with standards or a sector-specific regulatory requirement. For example:

  • external factors (eg sector specific legislation or regulations)
  • organisations may need to apply security controls based on the type of information they need to protect; for example those that store and process personal data will need to apply controls to demonstrate compliance with the Data Protection Act (DPA)
  • organisations seeking compliance with ISO/IEC 27001 may choose to apply the ISO/IEC 27001/2 control set in the context of what the organisation is doing
  • organisations conducting payment card transactions must apply the security controls and requirements set out in the Payment Card Industry (PCI) Data Security Standard
  • certain business communities sharing services and infrastructure may choose to develop their own minimum set of security controls against which compliance can be demonstrated to protect the wider community
  • organisations may choose to implement the advice provided by the 10 Steps to Cyber Security and/or the control set provided by the Cyber Essentials Scheme

The examples above should not be viewed as an exhaustive list of recommended control sets, as there are many to choose from. Some organisations may need to use a combination of control sets. Irrespective of the method, standard or framework used to make security control choices, decisions must be informed by and traceable to realistic risks affecting something that the organisation is actually doing.

Choose a risk assessment method that is right for the business

There are many methods for conducting risk assessments, and numerous tools to support them. Most risk assessment methods can be aligned to the approaches described in the ISO 31000 and ISO 27000 series of International Standards which seek to identify, analyse and evaluate risks. The method to be adopted should be appropriate for the organisation, so this is ultimately a business decision. It should be scaled to support whatever delivery model is being used and tailored as necessary to suit the needs of the business and the target audience.

When choosing a risk assessment method, the organisation is likely to need to answer the following questions:

  • can I define the inputs I need (threats, vulnerabilities and impacts) using a particular method?
  • will the output from the method reflect meaningful risks in a way the organisation will understand?
  • will the output allow me to understand and prioritise risks in a meaningful way?
  • can the output be communicated to third parties?
  • is the method of assessment proportionate to what it is I am trying to achieve?
  • will I need to employ specialist resources to use it, or to interpret the output for the organisation?
  • are there any costs associated with using the method?
  • can I repeat the method consistently?
  • are there any contractual or commercial restrictions on how I can use the method?
  • will the method support the commercial model operated by my organisation?
  • do I understand the limitations of the assessment method I am considering or have chosen?

We have provided a summary of common risk methods and frameworks. Further information on the limitations of risk management methods and frameworks can be found in our critical appraisal of risk methods and frameworks.

Understand the components that cause a risk to exist

Risk assessments have inputs and outputs. The most common inputs considered in a risk assessment are threat, vulnerability and impact. Risk is normally realised as a consequence of these inputs, although some risk assessment approaches will include other inputs (such as likelihood and asset value).

Regardless of the risk assessment method used, any inputs and outputs should be understandable and meaningful in the context of the business and what it is trying to achieve.

Threat

Threat describes the source of a risk being realised. Threats to systems and services include people who would seek to do the business harm through technology, and undesirable events such as environmental disasters and accidents. Some of the threats that an organisation may face are beyond the organisation’s control; they can only use threat-related knowledge to aid risk prioritisation.

Modelling threats can be a useful way of helping to understand what threats should be considered and how they may affect individual assets, the organisation, and what it is doing. Where threats are people, organisations should consider the motives that drive individuals to launch an attack, as well as their opportunities and capabilities to do so.

To achieve consistency between different risk assessments within the same organisation, the business should establish organisation-wide (or business area specific) 'threat assessment baselines', and use them as input to all risk assessments. These baselines will need to be amended if the threat landscape changes, or if something significant changes within the organisation.

Vulnerability

Vulnerability is a weakness which can be exploited by a threat to deliver an impact. A system or service could be compromised through the exploitation of vulnerabilities in people, places, processes or technology.

When assessing their risks, organisations should ensure that they have a clear and realistic understanding of where and how their systems and services are vulnerable. Whilst organisations can’t control the threats they face, they can reduce their vulnerabilities.

Impact

Impact describes the consequences of a risk being realised. To allow risk evaluation and prioritisation, impact should specify the negative effect that a risk’s realisation would entail.

This should include expected losses (eg financial and reputation losses) as well as business objectives which would not be achievable as a result of the impact. Organisations can exercise control over the negative impact that realisation of a risk would have, and should plan for this to happen.

Other inputs

Some risk assessment methods also consider likelihood and asset values as components of risk and inputs to assessments.

Likelihood estimates how likely it is for a threat to occur. It can be captured by examining historical records of compromises to estimate how history will be repeated. Some methods draw on likelihood to help determine vulnerability. Note that metrics of past occurrences are not necessarily a useful indicator of what will happen in the future.

Asset values are used to provide an understanding of what systems, services, information or other assets the organisation really cares about. This insight will provide organisations with a view of what it is they really want to protect.

Risk assessment output

Irrespective of the risk assessment method used, the output should be meaningful, understandable, realistic, and in context so that it informs risk management decisions and cannot be interpreted in different ways by different people.

The level and type of detail provided by the output (ie technical or not) will be dependent on who the risk assessment is for, and what risk management decision it is meant to inform.

Understand what risks exist

To understand what risks exist, the chosen risk assessment method should be applied in the context of what the organisation is trying to achieve. To do this, you should know:

  • Which risk management decisions will the assessment inform?
  • Who is responsible for making them?
  • What level of detail is needed?

Before conducting a risk assessment, the organisation needs to decide and agree how risk assessment output will be presented. There is little value in a risk analyst producing a large and detailed risk assessment document, when the decision maker will only read the first page. Ensure that the scale and rigour of analysis performed (and the amount of documentation produced) matches the business context and is justified and proportionate.

The output of any risk assessment should be recorded for traceability purposes. Traceability is important so that risk management decisions and investment choices can be traced to an identified risk.

Prioritise the output from a risk assessment to allow the organisation to make informed risk management decisions. Any prioritisation of risk should be based on a meaningful understanding of what the organisation really cares about, not meaningless risk level boundaries.

Communicate risk consistently

Irrespective of the approach taken to assessing risks, the outcome should be captured in a way that can be used to inform business decision making. Output from risk assessment and other risk management activities may also need to be communicated to interested third parties.

The results of risk assessments depend largely on the experience and biases of the individual conducting them. As a result, it is difficult to obtain consistent risk assessments from different risk practitioners even when applying the same method. Consistency in risk assessment and risk management is important to enable effective decision making and communication. Consistency does not come from the repeated application of a specific risk assessment method. Consistency is achieved by ensuring that:

  • the inputs to and outputs from assessments are meaningful in the context of what the business is trying to achieve
  • risk professionals do not go about their work in isolation, but collaborate with the wider organisation to achieve a consistent view of the business context

Different organisations do not have to use the same risk assessment methods in order to communicate risk consistently, provided they use a common language that describes the inputs to and results of their risk assessment and risk management activities. The common language to be used is a matter for organisations to agree amongst themselves.

Agreeing how to communicate will create trust amongst a community who need to have confidence in the decisions made by others. Organisations should, as a minimum, be able to communicate:

  • the threat context under which risk assessments have been conducted
  • the willingness of their organisation to accept risk
  • the status of managed risks, and what any risk valuations actually mean
  • what control measures have been taken and how much rigour has been applied to managing risks within the organisation

You should also:

  • Avoid situations where (for example) both organisations articulate risk in terms of levels, but the actual meaning of these levels in each organisation differ.
  • Communicate risk to third party delivery partners by reflecting real and meaningful risk management requirements in contracts and service level agreements; it is not sufficient to say in a contract or agreement that a system or service must be 'accreditable' or compliant with the requirements of a particular standard.
  • Ensure that security requirements in contracts and agreements are informed by and traceable to real risks or external requirements whilst being communicated in a meaningful and testable way. This will ensure that there is a shared understanding between consumer and provider of what outcome is required.

Make informed risk management decisions

Throughout the lifecycle of a system or service, the organisation will need to make objective decisions about what needs to be done to manage identified risks. This should be based on a clear and meaningful understanding of risk.

These decisions should be informed and supported by information, subject matter expertise and evidence. It is for the organisation to decide how much and what form of information is required, together with the level of expert advice and evidence needed to demonstrate that risks are being managed.

Examples of information and evidence that could be used to support risk management decisions include:

  • statements from the organisation on what risks it will and will not take to achieve its objectives
  • the output of a risk assessment in the context of what the organisation is trying to achieve
  • a description of the security controls that are already in place (or those that are needed to manage the identified risks)
  • the cost of controls needed to manage a risk
  • evidence and information on how third parties are managing risk and any contractual considerations that could affect the decision
  • evidence that provides confidence that security controls have been implemented to manage identified risks
  • evidence that provides confidence that security controls will continue to manage risks throughout the whole lifecycle of the system or service
  • a view of the status of risks after they have been managed

It is important that the organisation understands what effect its risk management actions have on the risks it has identified. The organisation must be capable of communicating this to partners or authorities as necessary.

Residual risks

It is not possible to say that a system or service is ‘risk free’, or 100% secure. After risk management action has taken place, some risks will remain. These are often referred to as residual risks.

Some risk management approaches estimate how much a specific risk management action reduces an identified risk from its original state. For example, a risk management action may reduce a risk from 'high' to 'medium'. It is not possible to quantify the level of risk reduction as a result of a single or suite of security controls, and basing risk management decisions on estimates of risk reduction can encourage a false sense of security.

Understanding the effect a security control is having on a risk can be useful in determining the value of risk management related investment decisions, and as a minimum, organisations should understand and be able to communicate:

  • which risks are being actively managed
  • how they are being managed
  • the confidence the organisation has that measures are effective
  • any risks that are not being managed at all
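The traceability and communication points above (every control decision traceable to an identified risk; being able to state which risks are managed, how, with what confidence, and which are not) can be kept honest with a small risk register. The following is an added example, not part of the original answer; the field names, the four decision values and the sample risks are assumptions constructed for illustration.

```python
# Added example: a minimal risk register with traceability checks.
# Field names, decision vocabulary and sample data are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

DECISIONS = {"avoid", "accept", "transfer", "treat"}   # avoid/accept/transfer/treat


@dataclass
class Risk:
    rid: str
    threat: str              # source of the risk being realised
    vulnerability: str       # weakness the threat could exploit
    impact: str              # consequence if the risk is realised
    decision: Optional[str] = None            # None = no decision recorded yet
    controls: List[str] = field(default_factory=list)
    evidence: List[str] = field(default_factory=list)   # what supports the decision
    confidence: Optional[str] = None          # organisation's own wording


def validate(risks: List[Risk]) -> List[str]:
    """Return traceability problems; an empty list means each recorded
    decision is backed by controls and evidence as the guidance expects."""
    problems = []
    for r in risks:
        if r.decision is not None and r.decision not in DECISIONS:
            problems.append(f"{r.rid}: unknown decision '{r.decision}'")
        if r.decision == "treat" and not r.controls:
            problems.append(f"{r.rid}: treated but no controls recorded")
        if r.decision in ("treat", "transfer") and not r.evidence:
            problems.append(f"{r.rid}: decision has no supporting evidence")
        if r.controls and r.decision != "treat":
            problems.append(f"{r.rid}: controls recorded but decision is '{r.decision}'")
    return problems


def untraceable_controls(catalogue: List[str], risks: List[Risk]) -> List[str]:
    """Controls in a catalogue that no identified risk justifies
    (security applied where it may not be needed)."""
    used = {c for r in risks for c in r.controls}
    return [c for c in catalogue if c not in used]


def communicate(risks: List[Risk]) -> dict:
    """The minimum an organisation should be able to state about residual risk:
    which risks are managed, how, with what confidence, and which are not."""
    managed, unmanaged = [], []
    for r in risks:
        if r.decision is None:
            unmanaged.append(r.rid)
        else:
            managed.append({"risk": r.rid, "decision": r.decision,
                            "how": r.controls or [r.decision],
                            "confidence": r.confidence or "not stated"})
    return {"managed": managed, "not_managed": unmanaged}


# Constructed sample register (hypothetical organisation).
SAMPLE = [
    Risk("R1", "opportunistic external attacker", "unpatched internet-facing service",
         "loss of service and customer data", decision="treat",
         controls=["monthly patching", "external exposure review"],
         evidence=["patch compliance report"], confidence="tested quarterly"),
    Risk("R2", "contractor with privileged access", "no leaver process",
         "access persists after contract end", decision="transfer",
         evidence=["supplier contract clause 7"], confidence="contractual only"),
    Risk("R3", "flooding at data centre", "single site", "multi-day outage"),
]
```

Running `communicate(SAMPLE)` lists R1 and R2 as managed and flags R3 as a risk with no decision recorded, which is exactly the gap the guidance says must be communicated rather than hidden.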
