Risk Appetite has had many attempts at explanation, the reason for the problem is that things get real murky when details are reviewed. It is all in the details and they are mushy like jello.
Why is Risk Analysis difficult?
It depends on your industry - if in health industry, the obvious data to protect is patient data. But if one swipes credit cards then accounting information is also important. What about your discussions between various doctors? Is that important? When discussing Industry trends and insurance industry details is that important? Is data only important when patient data is included? Do new internet capable patient monitoring devices have risks builtin?
So in this one industry we thought 1 piece of data was the most important (patient data) and now I have listed several other pieces in a couple of minutes:
- Credit Card information
- Intra-agency doctor conversations
- Insurance details without patient data
- Internet capable patient monitoring devices fitbit like, heart devices, etc.
other potential problems: Risk is not always looked at in aggregate - in total.
Maybe the 1, 2, and 3 are not as risky, but if they are connected in some way now the risk is higher, and thus the impact is higher.
Should we just throw in the towel and proclaim everything is important and protect everything already?
Managing risk means to rate risk and then we have to rate our risk appetite.
Here is a risk appetite matrix from ISACA¹
Of course the remote code execution vulnerabilities in technologies "hosting customer data" must be fixed immediately.
And now already we have a different risk appetite in vulnerabilities with no authentication to exploits on websites. I.e. different problems with lesser vulnerabilities already can be taken on as risks with fixing the vulnerability when time permits.
What about escalation privilege? This type of vulnerability is only useful to the attacker when it is combined with other attacks. So by itself it is not as risky, but added to another vulnerability makes it more potent.
The problem is, we have to learn to be comfortable with a little bit of discomfort - the real question is: How much discomfort can we really live with?
If you never review your true risk profile and catalog your data then you don't even know what you have?
Think about this for a minute (or 2) ... if you have a high level of risk appetite for a specific vulnerability how good is your decision in not fixing this vulnerability? Have you put down the gory details? We choose not to fix this vulnerability for the next 2 months because X, Y, and Z? If you say "we choose not to fix a vulnerability" then you better have a good reason for not fixing - besides we can't do it, or we do not have time etc.
Can you answer these questions quickly without doing further research?
What is your technique for handling new uncertainty? Is it clear?
What is the decision tree for New items coming?
Is there a policy for when a new incident comes in? and changes the equation? giving examples is sometimes not enough, as we don't know the things we don't know... how comfortable are you really?
Also once the lines are drawn - medium low and high impact, would a smidge in one direction make it go to high impact? So what was your decision that made the medium impact?
There are many questions to answer - many questions to review the details of the answers. And don't forget to bring up the supporting proof.
Is "high risk" fixing a vulnerability in 1 month? or 2 weeks?
Can you fix all high risk vulnerabilities in 2 weeks? Because if not, then you ARE taking on more risk unless a change of IT procedures reduces vulnerability fixes in time.
The most likely circumstances are that risk analysis is not being done to the degree you know your risks, especially as your environment changes.
We have worked with companies to develop a good risk matrix with impacts and risk probabilities assigned to the IT assets in companies (Databases of employee and customer data among others).
Sometimes it is the proposal and project files that are important. (can you afford to be down for a few days within a project execution?).
what has to be done to finalize the analysis of risk is to find the impact of data resources and the likelihood of vulnerabilities.
High likelihood = 3
Med likelihood = 2
Low likelihood = 1
High Impact = 3
Med impact = 2
Low impact = 1
risk = likelihood * impact
Another way to view this Risk analysis table is a 3D graph with risk being the height of the column while the axis are likelihood and impact.
Contact Tony Zafiropoulos Now to Discuss Risk Analysis - 314-504-3974 or tonyz"@"fixvirus.com