• TechnologyInnovator
• NextInnovator
• EnterpriseInnovator
• SecurityInnovator
• DefenseInnovator
• WirelessInnovator 
• HPinnovator
• EnergyInnovator
• TransportationInnovator
• SMBinnovator (beta)

• NextInnovator(at)Live.com

• Ghost City
• Frontline Sentinel
• Innovation Insights
• WebInno
• Over the River
• Enderle Group
• Security Insights Blog 
• McAfee Audio Parasitics
• Rethinking Security
• Ovum
• iSuppli
• Canalys
• eMarketer 
• CRM Help Desk SW 
• Rethink Research
• The Gadgeteer
• Master the Moment

 

Regulatory and legislative pressures, which have increased markedly over recent years, have brought greater focus to bear on the management of risk. For each asset, the cost of applying security must be proportionate to the risk to the organization from the particular compromises that are possible. Consequently, risk assessment is an essential step to understanding the need for security protection, and will enable IT security to be seen as a beneficial business asset, rather than an expensive liability. Realizing the importance of properly understanding risk and how it affects them, many organizations are undergoing a relatively new experience in undertaking risk assessments of their operations.

Choosing a risk assessment methodology is an important step

A number of risk assessment methodologies are in widespread use, so one important decision to be taken is which one to adopt. Methodologies have different characteristics and focus areas that can make some better suited than others to an organization. Factors that might be considered in making the selection include whether the methodology is appropriate for the organization’s size and business type. However, perhaps surprisingly, one of the most important considerations is whether it fits with the corporate culture.

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (Octave) methodology has been used successfully in the financial, insurance, medical, airline, automotive, manufacturing, and federal government sectors. It is framework-neutral, so, for example, it may be used as the risk assessment component within governance frameworks, such as that from The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technologies (COBIT). It involves an information-led process of risk analysis that identifies risks to the confidentiality, integrity, and availability of critical information. It starts by building asset-based threat profiles, using knowledge from people throughout different levels of the organization, and is therefore appropriate only for organizations that have sufficient commitment to providing the necessary resources. The second stage involves identifying infrastructure vulnerabilities in core operational and selected areas that are of recognized importance. This allows the threat profiles to be more fully detailed before the final phase, which involves transforming the information into a risk analysis, and subsequently developing the security protection strategy.

CCTA Risk Analysis and Management Method (CRAMM) incorporates an information security and risk analysis framework originally developed in the 1980s by the UK’s Central Computer and Telecommunications Agency (CCTA), which is now the UK’s Office of Government Commerce (OGC). As a methodology, CRAMM focuses on information security risks and mitigation advice, and its analysis process assists with the identification of assets (information systems and networks), their values, threat and vulnerability assessment, and recommendations for countermeasures (security requirements and solutions). It is one of the most popular methods and is used in many countries, although it is often considered to need qualified and experienced resources to gain the objective benefits, and is believed to be somewhat difficult to use without assistance from a software tool.

A more efficiency-focused methodology is available in the Cost of Risk Analysis System (CORAS), a European-based standard for IT security risk assessments that takes a component-based approach to security risk assessment. It incorporates elements from other assessment standards, including CRAMM, and uses a model-based approach (again, a software tool is needed) to assess potential incidents and behavior, and the likelihood of their giving rise to risk.

Avoiding pitfalls and choosing efficient options helps to limit the cost

If organizations fail to understand the nature and extent of risks to information resources, and the potential impact on operational activities, it will be impossible to devise a relevant risk management program and therefore have any certainty about avoiding potential problems. While many organizations no longer have a choice about whether to do so, it will be clear from the selection of assessment methodologies that to assess risk meaningfully is an undertaking that requires a considerable commitment of resources.

Whichever methodology is used, some planning is essential in order to avoid the whole exercise running out of control. Defining the scope of assets and areas to be assessed avoids a sweep of the whole organization in circumstances where that would be too onerous.

One useful way to limit resource needs is to consider grouping assets while analyzing threats and vulnerabilities. There is no point in separately assessing separate data resources within the same system that are each subject to the same quantifiable threats. Instead, they can be treated as a single composite asset as long as the organizational impact of a security breach does not vary across the group of resources, because the level of risk would then be different.