Risk management

Risk management is the process of identifying, assessing, and prioritizing risks. If the potential loss is significant enough 💰 and greater than the cost of handling the risk 🔥, the organization will most likely not ignore the risk and will instead try to:

  • 🛟 reduce the risk below an acceptable level
  • 👌 eliminate the risk completely

There are two categories of risks:

  • Speculative risks πŸ’΅ : a risk taken by the company in the pursuit of opportunities for gain or growth (investments...)
  • Non-speculative risks πŸ”₯ : a risk due to an organization's operations (natural disasters, operational issues...)

There are many kinds of risk (financial losses, natural disasters, security breaches, operational issues, legal liabilities...), for instance:

  • 🔥 Malfunction or outage of the Domain Controller (Active Directory)
  • 🙅‍♀️ Accidental deletion of data or accounts
  • 🔐 Unauthorized access/... to sensitive/critical data
  • 💰 Improper or illegal use of data (ex: using a client's credit card)
  • 🔫 Malware infections, DDoS, intrusions, data leaks...
  • 🧑‍💻 Communications or passwords being intercepted or compromised
  • 🗃️ See also data governance risks

Risk assessment

There are many ways to assess the impact of a risk on the organization; the result helps to prioritize the risks or to justify a budget request.

Quantitative risk assessment: we assign a financial value to each risk. The main problem is that the numerical values are hard to obtain: asset values, loss fractions and event rates are usually estimates.

  1. Find the Asset Value (AV)
  2. Find the Exposure Factor (EF): the fraction of the asset value lost in a single occurrence of the risk (between 0 and 1)
  3. Compute the loss per event: the Single Loss Expectancy, SLE = AV * EF
  4. Find the Annualized Rate of Occurrence (ARO): how many times per year the risk is expected to occur
  5. Compute the Annualized Loss Expectancy: ALE = SLE * ARO
Example

The AV is 45 million. Each occurrence is expected to destroy one third of the asset's value, so EF = 1/3 (EF measures how much of the asset is lost per event, not how often the event happens). The loss per event is SLE = 45M * (1/3) = 15M. The risk occurs twice a year, so ARO = 2 and ALE = 15M * 2 = 30M. The ALE is the ceiling on what is worth spending: we should not pay more than 30 million per year for insurance or for controls that mitigate this risk.
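The SLE/ALE procedure above carried through for a small risk register, as an added example that is not part of the original notes. It goes one step beyond the single calculation in the example: the closing rule (never spend more than the ALE) is applied to candidate controls, where the annual value of a control is the ALE before the control, minus the ALE after it, minus the control's own annual cost, and a control is only worth buying when that value is positive. The risks, figures and control names are constructed for illustration and are not real data.

```python
"""Quantitative risk assessment: SLE, ALE and control cost-benefit.

Added example, not taken from the original notes. Asset values, exposure
factors, occurrence rates and control costs are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual risk it leaves behind."""
    name: str
    annual_cost: float    # licences, hardware, staff time... per year
    residual_ef: float    # Exposure Factor once the control is in place
    residual_aro: float   # Annualized Rate of Occurrence once in place


@dataclass(frozen=True)
class Risk:
    name: str
    av: float             # Asset Value
    ef: float             # Exposure Factor: fraction of AV lost per event, 0..1
    aro: float            # Annualized Rate of Occurrence: events per year
    controls: tuple = ()  # candidate Controls for this risk


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF is a fraction of the asset value, so it must be in [0, 1]")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO is an event rate, so it cannot be negative")
    return sle(av, ef) * aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual net benefit of a control: ALE before - ALE after - annual cost.

    A negative value means the control costs more than it saves, which is
    the notes' rule of never spending more than the ALE on a risk."""
    before = ale(risk.av, risk.ef, risk.aro)
    after = ale(risk.av, control.residual_ef, control.residual_aro)
    return before - after - control.annual_cost


def best_control(risk: Risk):
    """The control with the highest positive net benefit, or None when no
    candidate is worth its cost (then accept, transfer or monitor instead)."""
    worthwhile = [(control_value(risk, c), c) for c in risk.controls]
    worthwhile = [(v, c) for v, c in worthwhile if v > 0]
    if not worthwhile:
        return None
    return max(worthwhile, key=lambda vc: vc[0])[1]


def prioritise(risks) -> list:
    """Risks ordered by ALE, highest first: the order in which to ask for budget."""
    return sorted(risks, key=lambda r: ale(r.av, r.ef, r.aro), reverse=True)


# Constructed sample register (all figures are made up for the example).
M = 1_000_000
DC_OUTAGE = Risk(
    name="Domain Controller outage",
    av=45 * M, ef=1 / 3, aro=2,   # the notes' figures: SLE 15M, ALE 30M
    controls=(
        Control("second DC + tested restore", annual_cost=2 * M,
                residual_ef=0.10, residual_aro=2),
        Control("active-active multi-site AD", annual_cost=35 * M,
                residual_ef=0.0, residual_aro=2),   # costs more than the ALE
    ),
)
CARD_DATA_LEAK = Risk(
    name="Customer credit card data leak",
    av=10 * M, ef=0.5, aro=0.2,   # SLE 5M, ALE 1M
    controls=(
        Control("tokenise card numbers", annual_cost=0.3 * M,
                residual_ef=0.05, residual_aro=0.2),
    ),
)
REGISTER = (CARD_DATA_LEAK, DC_OUTAGE)

if __name__ == "__main__":
    for risk in prioritise(REGISTER):
        chosen = best_control(risk)
        print(f"{risk.name}: ALE {ale(risk.av, risk.ef, risk.aro) / M:.1f}M, "
              f"control: {chosen.name if chosen else 'none worth its cost'}")
```

Run it directly to print the register ordered by ALE with the chosen control for each risk. The 35M multi-site control is rejected because it costs more than the 30M it could save, which is exactly the ceiling the example above sets; the cheaper second DC is kept because 30M - 9M - 2M leaves a 19M annual benefit.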

Qualitative risk assessment: we gather a group of experts for each asset and ask them to make a judgment based on the likelihood of occurrence, the impact, and the cost of mitigating the risk. A risk matrix is often used to visualize the ranking of the assessed risks.

Risk matrix: a grid in which each risk is placed in a cell according to its likelihood and its severity. Cells are usually colored (for example grey, yellow, orange, and red) to show how urgently each risk must be handled.

Vulnerability assessments: [...]

Threat modeling: identify and assess the potential threats to a system and the vulnerabilities they could exploit, in order to develop an effective strategy against them.

Business impact analysis: [...]

Role-based risk assessment: a qualitative risk assessment in which we identify the risks associated with each role of the company (ex: CEO, CTO...), meaning their job, duties, and responsibilities. We could use a table with

  • rows 💰: assets broken down into smaller parts (ex: customer data)
  • columns 🧑: business units broken down into roles (marketing in ...)

Each cell holds the operation the role performs on the asset (ex: create) and its level of criticality (how much is this asset required to perform the task?). You could use levels like 1 to 5.


Risk mitigation

Common strategies are:

  • ➡️ Avoidance: change the way things are done so that the risk no longer applies
  • ➡️ Mitigation: put a control in place to reduce the likelihood or the impact of the risk
  • ➡️ Monitor and react: make sure you can detect the risk when it materializes and react quickly and appropriately
  • ➡️ Transfer: shift the risk to an external entity (insurance, outsourcing...)
  • ➡️ Acceptance: accept the risk and do nothing, typically when the cost of treating it exceeds the expected loss