Much information security planning advice includes doing an information security risk assessment. Among the smaller organizations we serve, however, few of them seem to get it done. We suspect this is because risk assessment is intimidating.
Don’t be intimidated! This is definitely a case where “perfect” is the enemy of “good,” particularly since “perfect” can’t be achieved. The three main ingredients of most risk assessments are identification of the possible assets at risk, the severity of the compromise of each asset, and the likelihood that each asset will be compromised. Identifying assets is fairly objective, if tedious. Assigning severity and likelihood are inevitably subjective. You are not going to get a perfect answer.
Parts of calculating the severity of an information breach are fairly objective. You can characterize severity as consisting of the four “C’s”: commitments, compliance, consequences and consensus. Compliance is the most straightforward. If you must comply with regulations, such as HIPPA, not protecting those assets can have consequences. Even in that case, however, there is the question of whether penalties will be enforced. Often, in the past, they have not been.
Commitments are similar to compliance. If you have contracts or agreements, such as nondisclosure agreements, with other organizations, losing their confidential information could be a special problem, although, again, in certain circumstances, your partners may be understanding.
What Are the Consequences?
Estimating the consequences of an information breach can be largely subjective, particularly for organizations that do not possess much payment card information, personal health information or personally identifiable information. If you lose that kind of data, you may incur costs to reimburse people and institutions, such as credit card companies, who are involved. Many, although certainly not all, foundations have little of this kind of information.
One consequence, of course, will be the costs of cleaning up your systems after the breach. This is probably part of your incident response plan. Do you have one, don’t you?
The big consequence usually is damage to the organization’s reputation, and estimating this can be very subjective. Foundations tend to be very protective of their reputations, and rightly so. But in this age when many are saying it’s not a question of if but of when you’ll have a breach, how much will that reflect on the organization in general? Beyond that, there’s the question of how widely the breach will be publicized. Ideally, organizations would report being breached, so that we could all get a better idea of how often it happens. Frequently, however, this is not the case. So this is definitely a risk, but how big? Hard to say.
Getting Agreement about Risks
This brings us to consensus. Ultimately, the opinions in your organization that matter are going to be the people who decide how much time and money will be devoted to information security. These are not necessarily the best informed opinions. We still know of organizations where top executives pride themselves on not being very good with computers. Certainly, they are less likely to be involved with questions of security than folks in IT or finance. Under these circumstances, they are likely either to express a fairly arbitrary estimate of severity or to mistrust their ability to give a good estimate and to look elsewhere for one.
Risk estimates often rely on surveys or interviews. It may not be a consensus, but at least it will be an average. Surveys, and particularly interviews, have the positive effects of getting people to think about risks, even to discuss them. But as some experts have noted, the results of surveys, and even of interviews, can result in a lot of estimates clustered in a middle range. A good description of this is an article by Bonnie Hancock, the Executive Director of North Carolina State’s Enterprise Risk Management Initiative. Hancock recommends considering forced ranking of risks as an alternative to conventional surveys. This and other methods are covered in another paper from the Initiative, “Survey of Risk Assessment Practices.”
As this paper points out, it’s good to follow a survey or interviews with a meeting to discuss the results. This provides a guided way to get to an agreement.
My, I do go on… Nevertheless, I’ll wrap up by saying that deciding on likelihood also has a lot of subjective elements. Spend some time with Google to try and get a good estimate on what percentage of organizations in the U.S. have experienced a serious information breach. Take into consideration who is providing the statistics. They mostly come from security vendors. Also, try to figure out what different sources mean by security events, attacks and incidents, let alone breaches. IBM recorded 81,342,747 security events in 2014, but only 12,017 attacks, and a mere 109 incidents. So it depends on what you’re talking about.
Then there’s the question of how whatever general probabilities you can come up with apply to your special case. Lots of room for subjectivity here.
So What Do You Do?
Once you realize that there is no perfect answer, forge ahead. Even a rough idea of priorities is better than no priorities at all. I’ll post my take on an adequate, not perfect, risk assessment methodology soon.