Last Updated on February 15, 2017
The “Goldilocks and the Three Bears” Approach
I’m sure most people are familiar with the children’s tale of “Goldilocks and the Three Bears.” What does that have to do with security risk assessments? I’ve found that when it comes to assessing information security risk (e.g., as a preliminary step toward ISO 27001 certification), many organizations elevate comparatively minor security risks too high, and/or rank a significant security risk too low. Rarely do I encounter an organization that gets it “just right” after the first security risk assessment.
This isn’t surprising, as risk assessment is highly subjective, and one of the few ways to inject objectivity into the process is through direct experience. Frameworks, models and matrices also help support objectivity, but even these supports often just serve to “structure the subjectivity” so it’s less arbitrary. This is especially the case when security risk assessment falls mostly on the shoulders of one person, often the CSO or CISO.
Many times, security risk assessment is happening in the first place because a company may be filling a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) role for the first time, or there’s a new person in the position who wants to shake things up. In these situations, it seems that with this new responsibility comes a drive to uncover every possible risk and give it heightened importance—it’s a little like a three-alarm fire.
Risk assessment by committee also creates subjectivity challenges. “Group-think” can develop in some organizations, making it hard for them to see significant security risks lurking right under their noses.
For example, because I’m not only an InfoSec professional but also a lawyer, I frequently work with clients in the legal vertical. Recently I performed an internal audit for a large law practice with multiple offices. At one of their smaller workplaces, where only about 7-10 people were working, the suite was completely open. On the receptionist’s desk out front was a bell and a sign saying, basically, “Ring bell for service.”
The risk committee had rationalized this, saying, “This is a small office and everyone knows everyone. A stranger would be questioned by someone.” I flagged this as a nonconformity because it was an obvious and significant physical security issue that the client just wasn’t seeing. What if the “someone” you were depending on to enforce security was out at lunch, or in the bathroom? To cite just one of many attack scenarios, an interloper could opportunistically assess that situation, bolt in quickly, grab a laptop containing sensitive data off a desk—and there’s your breach.
Another challenge in any security risk assessment process is that the InfoSec media as well as the popular media tend to hyperbolize certain high-profile IT risks that many organizations aren’t likely to face. Most businesses won’t be targeted by nation state actors or hacktivists, for instance. But while they’re looking in that direction, plenty of them will fall victim to opportunists poised to steal and sell confidential data, exploit the processing power of their servers or extort money through ransomware.
A final challenge with risk assessment is that some significant security risks just aren’t on the radar. Take the well-publicized Ashley Madison data breach. The intent of the hackers wasn’t financial gain—they wanted to expose the website owner’s unethical business practices. The perceived risk related to unauthorized use of personal data, plus fear on the part of exposed users of being publically shamed. But government agencies and major corporations quickly saw a far greater risk: blackmail or extortion turning highly-placed individuals with access to confidential information into insider threats.
How do you predict and defend against a security risk like that? This is one of those areas where unbiased professional experience is helpful in identifying and assessing risk.
Learn more about security risk assessment:
- Balancing Objectivity and Subjectivity in Risk Assessment
- Has Your Business Correctly Assessed Its Information Security Risks?
- Rationalizing Risk Assessments—Objectivity Be Damned?
- The OWASP Risk Rating Methodology, which is designed to help estimate the actual risk associated with vulnerabilities
- Guidance from ISACA on performing a security risk assessment
- Intel’s threat agent risk assessment methodology, which “distills the immense number of possible information security attacks into a digest of only those exposures most likely to occur.”
Contact a Security Risk Assessment Expert
To get expert, objective guidance to support an informed risk assessment process so you can get it “just right” in a time- and cost-effective manner, contact Pivot Point Security.