How should a small organization quantify risk when it comes to IT security?  

In my last post, I discussed how people with little or no IT security experience are often put in charge of IT security at small companies. I explained how they might approach telling their boss how things are going on the security front on a day-to-day basis.

The ability to quantify risk guides the path forward for an IT security program, and is best expressed as the answer to three questions: What is the threat likelihood?  How vulnerable are we? What would be the impact or consequence?

Threats are events or activities, generally external to the system, which may, at some point, affect the inherent weak points, causing impact. The Threat level is based on the threat source, threat likelihood and the characteristics of the threat (i.e., forewarning, speed of onset, impact duration).

Vulnerabilities are weaknesses within the system or process under consideration, which may at some point be exploited by the threats.  The Vulnerability level is based on the level of controls in place and the ease at which the lack of controls can be exploited. For example, does it take a hacker with expertise and money, or can any unschooled “script kiddie” do it?

Impacts are the short and long-term organizational [adverse] consequences, should threats happen to exploit vulnerabilities.  The important factors in determining Impact are:

  1. The sensitivity of the data or application
  2. The criticality of the application or process and
  3. The recovery capabilities that are in place

Now, onto the questions you should ask yourself:

What is the threat likelihood? Let’s say that your data center in a remote location is hot and as a result the backdoor is left open to a dusty lot outside.  Potential threats include dust getting into the equipment or a terrorist gaining entrance and wreaking havoc. The chance of dust causing a problem is quite likely. The chance of a terrorist entering the open the door and causing problems is much less likely.

How vulnerable are we? Vulnerability pertains to the level of protection you have. In the case of viruses, if you have adequate anti-virus software and update it regularly, you are not very vulnerable to viruses.  On the other hand, if you leave the door of your data center open to a sandy desert, you are very vulnerable.

What would be the impact or consequence? If a virus infects a single machine in your system and you have anti-virus software, the impact is relatively minimal. In contrast, if a terrorist gains access to your data center, the impact could be very high.  

Once you answer these three questions, you can establish a prioritization for addressing Risks, Vulnerabilities and Incidents, based on risk ranking level, such as:

  • Address Critical Immediately
  • Address High within 30 days
  • Address Medium within 90 days
  • Address Low within 180 days

Finally, define the approvals necessary to accept, mitigate or remediate each risk level. That way, if you do need to call up your CEO at 2 in the morning because of a threat, you’ll be able to justify your decision to escalate based on your risk assessment plan – instead of a spur-of-the-moment hunch.