Understanding the Risk Management Process - Part 2

This is in continuation of https://www.googlinux.com/understanding-the-risk-management-process/

Considering Vulnerabilities, Threats, and Risks

  • Confidentiality, Integrity, and Availability (CIA) factors span the risk management assessments of vulnerabilities, threats, and risks.
  • Assets can be categorized as data, systems, facilities, and people.

For information assets, the enterprise should assess vulnerabilities, threats, and risks against each of the CIA factors together, rather than treating the three factors in isolation: a vulnerability that threatens availability may pose no confidentiality risk at all, and the treatment chosen should reflect that.

Risk Analysis and Mitigation

Once confidentiality, integrity, and availability risks have been identified (and the level of risk will likely differ for each factor), risk mitigation can be considered. Mitigation is only one of the possible treatments, alongside accepting, transferring, or avoiding the risk, but it is the one that gets the most attention in the cybersecurity process.

Risk analysis is needed before risk mitigation can be implemented. Risk analysis characterizes risk in terms of its magnitude: high, medium, or low. The table below shows the first step, which is to rate each risk in terms of its probability and its impact.

With this framework as context, risk mitigation can be seen as reducing either the probability that an incident occurs or the impact if it does. A mitigation that reduces both probability and impact is the most effective.

Cybersecurity Controls

The next component of the risk management process is the identification of cybersecurity controls to help mitigate enterprise risks. There are four ways these controls address confidentiality, integrity, or availability risks:

  1. Reduce the probability of the risk
  2. Reduce the impact of the risk
  3. Detect occurrences of incidents involving the risk
  4. Collect evidence to support evaluations of security and investigations of incidents related to the risk

Cybersecurity control types to mitigate enterprise risks include the following:

  • Preventive Controls, which block the threat and prevent incidents from occurring altogether
  • Detective Controls, which detect when the risk has materialized as an incident and generate alerts that can then be acted upon
  • Forensic Controls, which collect records of activities related to the risk; these records supply the artifacts that detective controls correlate against, that incident investigations rely on, and that audits use to verify a control's operation and effectiveness
  • Audit Controls, which check for the presence of the risk, for incidents associated with the risk, and for the correct operation of the controls that mitigate the risk

It is important to consider both how the four control types interact with each other and what purpose each serves on its own. Audit controls are frequently neglected, even though a simple audit, such as checking that a deny rule is actually dropping the traffic it is supposed to drop, can often find malicious activity or a failed control that is otherwise missed.

Historically, disproportionate consideration has been given to preventive controls (for example, firewalls that block unwanted protocols) at the expense of the other control types. However, modern threats such as Advanced Persistent Threats (APTs) are designed to get around preventive controls and then operate from inside the enterprise, using its own accounts and infrastructure against it. Responding to the threat of APT attack by enacting more and more preventive controls brings its own set of problems. This figure highlights some interesting results regarding each control type's strengths and weaknesses.

Ideally, all four control types are designed and operated in parallel, supporting each other. For example, a single firewall platform may block unwanted ports (preventive), detect a port scan (detective), record legitimate traffic for correlation with other alerts (forensic), and perform packet captures for certain types of traffic that an auditor can later examine (audit).
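To make the four roles concrete, here is an added example (not code from the original article, and not from any firewall product) that runs the four control checks over a constructed, iptables-style firewall log. The log format, the 10-second/5-port scan threshold, and the policy set of ports that must never be accepted are all assumptions chosen for illustration. The preventive view reports what was blocked, the detective check raises a port-scan alert, the forensic step keeps the accepted traffic from the alerting source for correlation, and the audit step verifies that the deny policy is actually operating by flagging any accepted connection to a port the policy says is blocked.

```python
"""Firewall log triage illustrating preventive, detective, forensic and audit controls.

Added example. The log lines are constructed in an iptables-like format; the
scan threshold/window and POLICY_BLOCKED_PORTS are assumptions, not real config.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=23
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=25
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=80
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=445
2024-03-01T10:00:05 ACCEPT SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=443
2024-03-01T10:00:09 ACCEPT SRC=10.0.0.8 DST=192.168.1.10 PROTO=TCP DPT=23
2024-03-01T10:05:00 ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80
"""

# Assumed policy: these destination ports must never be ACCEPTed at this firewall.
POLICY_BLOCKED_PORTS = {23, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count these as a data-quality signal
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def preventive_summary(records):
    """Preventive control view: how many connections the firewall dropped, per source."""
    blocked = defaultdict(int)
    for r in records:
        if r["action"] == "DROP":
            blocked[r["src"]] += 1
    return dict(blocked)


def detect_port_scans(records, threshold=5, window=timedelta(seconds=10)):
    """Detective control: one source touching >= threshold distinct ports within the window."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    alerts = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            while rs[end]["ts"] - rs[start]["ts"] > window:  # slide the window forward
                start += 1
            ports = {r["dport"] for r in rs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append({"src": src, "first_seen": rs[start]["ts"], "ports": sorted(ports)})
                break  # one alert per source is enough for triage
    return alerts


def forensic_context(records, alerts):
    """Forensic control: retained *accepted* traffic from alerting sources, kept for correlation."""
    suspects = {a["src"] for a in alerts}
    return [r for r in records if r["src"] in suspects and r["action"] == "ACCEPT"]


def audit_policy(records, blocked_ports=POLICY_BLOCKED_PORTS):
    """Audit control: an ACCEPT to a policy-blocked port means the deny rule is not operating."""
    return [r for r in records if r["action"] == "ACCEPT" and r["dport"] in blocked_ports]


def triage(text):
    """Run all four control views over one log and return them keyed by control type."""
    recs = parse_log(text)
    alerts = detect_port_scans(recs)
    return {
        "preventive": preventive_summary(recs),
        "detective": alerts,
        "forensic": forensic_context(recs, alerts),
        "audit": audit_policy(recs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

On the sample log the scanning host 203.0.113.7 is blocked five times (preventive), trips the scan detector on five distinct ports within two seconds (detective), and its one accepted connection on 443 is retained for correlation (forensic). The audit step finds an accepted connection on port 23 from 10.0.0.8: the firewall logged nothing suspicious about it, which is exactly why an audit that compares observed behaviour against stated policy catches what the other three controls miss.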

When evaluating security technologies, it is useful to classify each one by the type of control functionality it primarily provides, and then to ask how the remaining control objectives will be achieved, whether by the same product or by something else in the architecture.