From the course: CISA Cert Prep: 1 Auditing Information Systems for IS Auditors

Risk analysis

- [Instructor] Alright, let's talk a little bit about risk analysis and risk management. So, when we talk about risk it's important to understand a few definitions.

So a vulnerability. A vulnerability is some weakness in the mechanism that can threaten the confidentiality, integrity, or availability of that asset. Now that confidentiality, integrity, availability, that's important. We refer to that oftentimes as the CIA triad, or the IAC triad, and anytime you're talking about the security of something you're talking about something threatening its confidentiality, integrity, or its availability. We'll be hearing that throughout this course and many other courses that we have to talk about security in. Another interesting thing about a vulnerability is it's also when you have the lack of a countermeasure or some control. If you don't have a sufficient control in place, that itself is considered a vulnerability. So just keep that in mind when we talk about this more in this course, and in other courses related to security.

A threat is something that exploits a vulnerability. It's the bad guy, it's the burglar or the hacker or the fire or the hurricane. It's the thing that does the damage to the asset. So threats exploit vulnerabilities.

A countermeasure, or control, and we often refer to them as controls when we're talking about auditing, is something that you put into place to mitigate either the probability of something bad happening or the pain or business impact that you would endure if it did happen. For example, the probability that a hurricane will strike, that's one thing, and then the pain that you would endure if that hurricane did strike, that's the business impact. Those two things together we call risk, and we'll see that in another slide, but a control is something that you put in place to reduce either one or both of those factors, either the likelihood of something bad happening or the pain that you would endure if it did happen.
That's a control or a countermeasure.

So, what is risk? Well, risk is, as I said, the probability of something bad happening and the resulting pain that you would endure, or the resulting business impact if that bad thing does happen. So, if we take a look at this little image here we can see here that the probability of occurrence is going down on the horizontal axis on the bottom of the screen in the caption. That's how likely it is to occur, how likely it is that a fire will happen or we will get hacked or a hurricane will hit us. The vertical axis tells us how bad it's going to hurt if something were to occur. So if the hurricane does hit us, we expect to lose 50% of the value of our facility, for example, or some asset. And then you break it down into these little quadrants we have here. So, things that happen down here in the bottom left quadrant, they are things that don't happen very often and when they do they don't hurt very bad. Conversely, things that happen in that top right quadrant happen all the time and they hurt a lot. So that's where you're going to end up spending most of your money to protect yourself, or that's where you're going to shift most of your resources and your defense and countermeasures. This is just how we look at calculating or understanding risk.

So let's talk about the risk management process. So, risk management is made up of three different phases. We plan, collect information, and then define some recommendations on how to handle that risk.

So let's talk about the planning phase first. In planning, we identify the team, who is going to be on this team, and typically that is just about everybody in the organization is going to have some voice: the management team is going to have a representative, legal, HR, the business units themselves, the business leaders, et cetera, they're all going to have a voice at the table. Then we're going to identify the scope.
How much of this organization are we going to be performing risk management on? What processes, what departments? Do we need to do the whole thing or are we going to do just this region, say US versus Europe?

We're going to identify the method, whether it's qualitative or quantitative. When I say quantitative I'm typically talking about how much money something's going to cost me. When I talk about qualitative I'm usually talking about something like a scale of one to 10. On a scale of one to 10, which is the riskier thing? On a qualitative analysis I'm saying, which of two of these options is going to cost me more money? Or, if I don't put this control in place how much money do I expect to lose if this bad thing happens? That's a quantitative analysis. Qualitative I can say, well, on a scale of one to 10 it's more likely that I'm going to get hacked than catch fire, for example, on my server or my data set.

We're also going to identify the tools that we're going to use, if there are any tools that are going to be used to help you with your risk analysis process, and there are many tools now that will help you in the processing of the information and representing it in graphs and charts and doing some predictive analysis, et cetera, so you identify which of those you're going to use.

The last and perhaps the most important thing that we're going to do in this planning phase is understand the acceptable risk level, and that's something dictated to you by management. Management's going to say, this is the level beyond which we can go no further. This is the most risk we can tolerate within this organization. So, once you know what that is, now you have some way to understand where we need to manage our risk down to, and we're going to take a look at the options and how we do that in a second. So that's the planning phase.

Then we go into the collection phase, and this is where most of the work gets done.
We identify all the assets that we care about within this particular analysis. Now if that's determined by the scope, how much you're going to be looking at, maybe you're only looking at one business process, but you're going to identify all those assets, all the data sets of information, the intellectual property, looking at all the physical assets like hardware, software, we're going to look at human resource assets potentially, all the things that we care about.

Then we're going to assign values to those assets. Well, this piece of information over here in this database, that's worth, you know, $50,000 to me based on how much we've invested in it by now and how much it's useful to us and how much a competitor may be willing to pay for it, or an adversary might be willing to pay for it. This server over here is worth X amount, it costs this much to acquire and we've put this much amount of time into it. So you assign a value to each of those assets.

Then you come down and you identify the vulnerabilities and the threats to those assets. So this server, for example, is vulnerable to being hacked, it's vulnerable to losing power, it's vulnerable to getting stolen. So we list out all the threats and vulnerabilities to each asset and then we calculate the risks. How likely is this bad thing to occur and if it does, how much do we expect to lose of the asset's value? So we've already picked what the asset's value is in step number two, now we're going to calculate how likely that is, and that's where we look at that two-factor risk thing, the probability of occurrence and the resulting business impact, right.

And then we do a cost-benefit analysis. We try and figure out if we were to put a control in place, if we were to put a countermeasure in place, how much would that countermeasure cost versus the benefit it provides? Well, this firewall for example costs $100 to implement, but we're only putting it in place to protect $10,000 worth of asset. That doesn't make sense.
So you have to do a cost-benefit analysis to figure out whether what you're doing as a control makes sense and is cost-effective.

Then we come back and do an uncertainty analysis. This is where we take a look at how much guesswork we've been putting into our analysis. You know, sometimes it comes down to a range and you can say, well, we expect to lose between 20 and $30,000 if this bad thing were to happen to that asset. Well, that's a reasonable range; the tighter the range you can get it, the less guesswork is in your math. So if you can say, well, we expect to lose between 25 and 26,000, that's a nice little tight range. If on the other hand you said, we expect to lose somewhere between 10,000 and 50,000, well, that's a pretty wide range, it's hard to really know what you're going to lose there. So we call that fairly uncertain. There's a lot of guessing in that if your range is that broad. So that's what an uncertainty analysis is there to do, is to figure out how much guessing have you been doing, do we need to go back and re-look at these numbers.

Finally, we come back in this phased approach to actually doing something about it. This is where we deal with handling the risk or managing the risk, and there are four things you can do to handle risk. There's one, risk mitigation, two, risk transference, three, you can accept it, and then four, you can avoid it. Now, you present these options to management and then management makes the call of what we're going to do of those four options.

So, they're either going to mitigate it by putting some kind of control or countermeasure in place. We put a firewall in place to reduce the likelihood of getting hacked, for example, we put fire suppression and fire detection controls in place to reduce the likelihood and impact of fire. That's mitigation, or risk reduction you might hear it referred to as.
We can transfer risk, which means we are contractually obligating somebody else to be responsible for this bad thing happening. Now that most of the time takes the form of buying insurance. You buy insurance and now, when the hurricane strikes, the damage that's caused is paid for by the insurance company and not you. You've transferred the risk to them.

Risk acceptance means, as its name implies, you just accept it and do nothing, you just take the risk. Now you can only do this of course if the risk is within the acceptable risk level as dictated to you by management. You can't just accept things willy-nilly. You can only accept it if it's tolerable.

And then finally we have risk avoidance. Whatever it is that's risky, you stop doing it altogether. There's no other way to handle it. Now that is the least desirable option but sometimes you have to do it. Now, that typically means you have to alter some kind of business process because you've got to stop doing this risky thing altogether.

So, mitigate or reduce, transfer, accept and avoid. Those are your four options for handling, or managing risk. And management makes that decision and that's the risk management process.
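
The collection and handling phases described in the transcript, worked through as an added example that is not part of the course material. The asset names, dollar figures, probabilities, the `ACCEPTABLE_RISK` and `MAX_SPREAD` thresholds, and the decision order in `recommend` are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assumptions for illustration; the course gives no such thresholds.
ACCEPTABLE_RISK = 5_000   # management's tolerance, expected loss in USD per year
MAX_SPREAD = 0.5          # loss range wider than 50% of its midpoint = too much guessing

@dataclass
class Risk:
    name: str                           # asset and the threat against it
    asset_value: float                  # value assigned to the asset (USD)
    probability: float                  # likelihood of occurrence per year
    loss_low: float                     # fraction of asset value lost, low estimate
    loss_high: float                    # fraction of asset value lost, high estimate
    control_cost: float = 0.0           # yearly cost of the proposed control
    prob_with_control: Optional[float] = None

    def expected_loss(self, probability=None):
        """Risk as probability x business impact, returned as a (low, high) range."""
        p = self.probability if probability is None else probability
        return p * self.asset_value * self.loss_low, p * self.asset_value * self.loss_high

def midpoint(rng):
    return (rng[0] + rng[1]) / 2

def recommend(risk):
    """Option to put in front of management; the decision itself stays with them."""
    before = risk.expected_loss()
    # Uncertainty analysis: a wide range means the numbers need another look.
    if (before[1] - before[0]) / midpoint(before) > MAX_SPREAD:
        return "re-estimate"
    # Acceptance is only allowed inside the acceptable risk level.
    if before[1] <= ACCEPTABLE_RISK:
        return "accept"
    # Cost-benefit: the control must save more than it costs and leave tolerable risk.
    if risk.prob_with_control is not None:
        after = risk.expected_loss(risk.prob_with_control)
        saved = midpoint(before) - midpoint(after)
        if saved > risk.control_cost and after[1] <= ACCEPTABLE_RISK:
            return "mitigate"
    return "transfer or avoid"

REGISTER = [  # constructed sample data
    Risk("customer database / hacked", 50_000, 0.4, 0.5, 0.6, 3_000, 0.05),
    Risk("server / power loss", 8_000, 0.1, 0.2, 0.25),
    Risk("facility / hurricane", 400_000, 0.05, 0.1, 0.5),
    Risk("design data set / theft", 100_000, 0.2, 0.5, 0.6, 15_000, 0.1),
]
for r in REGISTER:
    print(f"{r.name:28} {recommend(r)}")
```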
