The National Institute of Standards and Technology (NIST) produced Special Publication (SP) 800-30, Guide for Conducting Risk Assessments, to help organisations conduct risk assessments.
A risk exists where a threat intersects with a vulnerability, i.e. where a vulnerability exists and a threat source is able to exploit it. SP 800-30 groups threat sources into four types:
- Adversarial e.g., individuals, groups, organisations and nation states.
- Accidental e.g., a user making a mistake
- Structural e.g., failure of equipment or environmental controls
- Environmental e.g., natural or man-made disasters that are outside of the control of the organisation
Vulnerabilities also come in many forms such as:
- Unpatched software
- Faulty door lock
- Data centre built in the flood plain of a river
The risk is scored where a vulnerability (e.g., unpatched software with a known CVE) overlaps with a threat source that can exploit it (e.g., a hacking group that is actively targeting the organisation). If the threat and the vulnerability do not overlap the risk from that pairing is very low: an adversarial threat source, for example, cannot exploit the data centre's location on a flood plain, so that pairing scores very low even though the flood itself remains a separate environmental risk to be scored against the same vulnerability.
SP 800-30 maps the qualitative values (very low to very high) used for likelihood, impact and risk onto semi-quantitative scales so that scores can be compared and combined; the same bands are used throughout the publication's assessment scales:
|Qualitative Values|Semi-Quantitative Values (0 – 100 scale)|Semi-Quantitative Values (0 – 10 scale)|
|---|---|---|
|Very High|96 – 100|10|
|High|80 – 95|8|
|Moderate|21 – 79|5|
|Low|5 – 20|2|
|Very Low|0 – 4|0|
Quantitative Risk Calculation
- Annualised Rate of Occurrence (ARO) – the likelihood of the event occurring, expressed as the expected number of occurrences per year (an event expected once every ten years has an ARO of 0.1)
- Single Loss Expectancy (SLE) – the monetary loss if a single event occurs (commonly derived as asset value x exposure factor, where the exposure factor is the fraction of the asset's value lost in one event)
- Annual Loss Expectancy (ALE) – ARO x SLE, the expected monetary loss per year from that risk
Identify and document the risk at each step of a project. Identify and document the possible solutions before choosing the most appropriate one, then monitor the results to confirm the risk has actually been reduced.
Business Impact Analysis
What are the business's objectives and what are the critical functions that help to achieve those objectives? If these functions were unavailable, what would be impacted (legal or regulatory requirements, customer service, monetary loss)?
Once a risk has been scored there are four ways to respond to it:
- Avoidance – e.g., stop participating in the activity that carries the risk
- Transference – e.g., buy insurance or outsource the activity so that a third party bears the loss
- Acceptance – e.g., accept and document the risk (typically when the cost of treating it exceeds the expected loss)
- Mitigation – decrease the risk (e.g., apply additional security controls to reduce the likelihood or the impact)
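As an added worked example (not from SP 800-30 or the original page), the following Python carries the quantitative calculation above (ARO, SLE, ALE) through for a constructed scenario and then compares the expected annual cost of the four risk responses. The Scenario class, the cost model used for each response (a control with an annual cost and a residual ARO for mitigation; a premium plus an expected deductible for transference; lost revenue as the opportunity cost of avoidance) and every figure in it are assumptions made for illustration; SLE = asset value x exposure factor is the common textbook derivation rather than something the page states.

```python
"""Added example, not from NIST SP 800-30 or the page this accompanies.

Quantitative risk calculation (SLE, ARO, ALE) and a comparison of the four
risk responses for one constructed scenario. All asset values, rates and
costs are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # cost to replace/recover the asset, in currency units
    exposure_factor: float  # fraction of asset_value lost in one event (0.0 - 1.0)
    aro: float              # Annualised Rate of Occurrence; may be < 1 (e.g. 0.1 = once per 10 years)

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (SLE = AV x EF)."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year (ALE = ARO x SLE)."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.aro * self.sle()


def expected_annual_cost(s: Scenario, response: str, **kw) -> float:
    """Expected yearly cost of one risk response (assumed cost models).

    accept   : bear the full ALE
    mitigate : ALE after the control is applied + annual cost of the control
    transfer : insurance premium + the deductible the organisation still pays
               on each event (the insurer covers the remainder)
    avoid    : stop the activity; the loss goes away, but so does the revenue
               the activity generated (the opportunity cost)
    """
    if response == "accept":
        return s.ale()
    if response == "mitigate":
        residual = Scenario(s.name, s.asset_value, kw["residual_ef"], kw["residual_aro"])
        return residual.ale() + kw["annual_control_cost"]
    if response == "transfer":
        # The deductible cannot exceed the loss from a single event.
        expected_deductible = s.aro * min(kw["deductible"], s.sle())
        return kw["annual_premium"] + expected_deductible
    if response == "avoid":
        return kw["lost_annual_revenue"]
    raise ValueError(f"unknown response: {response}")


def cheapest_response(s: Scenario, options: dict) -> tuple[str, dict]:
    """Cost every candidate response and return the cheapest plus all costs."""
    costs = {name: expected_annual_cost(s, name, **kw) for name, kw in options.items()}
    return min(costs, key=costs.get), costs


# Constructed scenario: a breach of a customer database worth 2,000,000 that
# exposes 25% of that value per event and is expected once every two years.
DB_BREACH = Scenario("customer database breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.5)

# Constructed scenario with ARO < 1: a 1-in-50-year flood at the data centre.
FLOOD = Scenario("data centre flood", asset_value=5_000_000, exposure_factor=0.6, aro=0.02)

# Candidate responses for DB_BREACH; all figures are assumed.
RESPONSES = {
    "accept": {},
    "mitigate": {"residual_aro": 0.1, "residual_ef": 0.25, "annual_control_cost": 60_000},
    "transfer": {"annual_premium": 90_000, "deductible": 100_000},
    "avoid": {"lost_annual_revenue": 400_000},
}


if __name__ == "__main__":
    for s in (DB_BREACH, FLOOD):
        print(f"{s.name}: SLE={s.sle():,.0f} ARO={s.aro} ALE={s.ale():,.0f}")
    best, costs = cheapest_response(DB_BREACH, RESPONSES)
    for name, cost in sorted(costs.items(), key=lambda kv: kv[1]):
        print(f"  {name:<9} expected annual cost {cost:,.0f}")
    print(f"cheapest response for {DB_BREACH.name}: {best}")
```

For the database scenario SLE is 500,000 and ALE 250,000 per year; mitigation (110,000) beats transference (140,000), acceptance (250,000) and avoidance (400,000), which is the usual shape of the argument for investing in controls: a control is worth buying while its annual cost is below the ALE it removes. The flood scenario shows why ARO is kept fractional rather than rounded to zero: a once-in-fifty-years event with a 3,000,000 SLE still carries an ALE of 60,000.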