Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology.[1] While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Assessing the probability or likelihood of various types of event/incident with their predicted impacts or consequences, should they occur, is a common way to assess and measure IT risks.[2] Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the threats, vulnerabilities, exposures, and asset values.[3][4]

Definitions

ISO

IT risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.[5]

Committee on National Security Systems

The Committee on National Security Systems of United States of America defined risk in different documents:

National Information Assurance Training and Education Center defines risk in the IT field as:[8]

  1. The loss potential that exists as the result of threat-vulnerability pairs. Reducing either the threat or the vulnerability reduces the risk.
  2. The uncertainty of loss expressed in terms of probability of such loss.
  3. The probability that a hostile entity will successfully exploit a particular telecommunications or COMSEC system for intelligence purposes; its factors are threat and vulnerability.
  4. A combination of the likelihood that a threat shall occur, the likelihood that a threat occurrence shall result in an adverse impact, and the severity of the resulting adverse impact.
  5. the probability that a particular threat will exploit a particular vulnerability of the system.

NIST

Many NIST publications define risk in IT context in different publications: FISMApedia[9] term[10] provide a list. Between them:

NIST SP 800-30[11] defines:

IT-related risk
The net mission impact considering:
  1. the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and
  2. the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
    2. Unintentional errors and omissions
    3. IT disruptions due to natural or man-made disasters
    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Risk management insight

IT risk is the probable frequency and probable magnitude of future loss.[13]

ISACA

ISACA published the Risk IT Framework in order to provide an end-to-end, comprehensive view of all risks related to the use of IT. There,[14] IT risk is defined as:

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

According to Risk IT,[14] IT risk has a broader meaning: it encompasses not just only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit\value enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact

Measuring IT risk

You can't effectively and consistently manage what you can't measure, and you can't measure what you haven't defined.[13][15]

Measuring IT risk (or cyber risk) can occur at many levels. At a business level, the risks are managed categorically. Front line IT departments and NOC's tend to measure more discrete, individual risks. Managing the nexus between them is a key role for modern CISO's.

When measuring risk of any kind, selecting the correct equation for a given threat, asset, and available data is an important step. Doing so is subject unto itself, but there are common components of risk equations that are helpful to understand.

There are four fundamental forces involved in risk management, which also apply to cybersecurity. They are assets, impact, threats, and likelihood. You have internal knowledge of and a fair amount of control over assets, which are tangible and intangible things that have value. You also have some control over impact, which refers to loss of, or damage to, an asset. However, threats that represent adversaries and their methods of attack are external to your control. Likelihood is the wild card in the bunch. Likelihoods determine if and when a threat will materialize, succeed, and do damage. While never fully under your control, likelihoods can be shaped and influenced to manage the risk. [16]

Mathematically, the forces can be represented in a formula such as: where p() is the likelihood that a Threat will materialize/succeed against an Asset, and d() is the likelihood of various levels of damage that may occur.[17]

The field of IT risk management has spawned a number of terms and techniques which are unique to the industry. Some industry terms have yet to be reconciled. For example, the term vulnerability is often used interchangeably with likelihood of occurrence, which can be problematic. Often encountered IT risk management terms and techniques include:

Information security event
An identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant.[5]
Occurrence of a particular set of circumstances[18]
  • The event can be certain or uncertain.
  • The event can be a single occurrence or a series of occurrences. :(ISO/IEC Guide 73)
Information security incident
is indicated by a single or a series of unwanted information security events that have a significant probability of compromising business operations and threatening information security[5]
An event [G.11] that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.[19]
Impact[20]
The result of an unwanted incident [G.17].(ISO/IEC PDTR 13335-1)
Consequence[21]
Outcome of an event [G.11]
  • There can be more than one consequence from one event.
  • Consequences can range from positive to negative.
  • Consequences can be expressed qualitatively or quantitatively (ISO/IEC Guide 73)

The risk R is the product of the likelihood L of a security incident occurring times the impact I that will be incurred to the organization due to the incident, that is:[22]

R = L × I

The likelihood of a security incident occurrence is a function of the likelihood that a threat appears and the likelihood that the threat can successfully exploit the relevant system vulnerabilities.

The consequence of the occurrence of a security incident are a function of likely impact that the incident will have on the organization as a result of the harm the organization assets will sustain. Harm is related to the value of the assets to the organization; the same asset can have different values to different organizations.

So R can be function of four factors:

If numerical values (money for impact and probabilities for the other factors), the risk can be expressed in monetary terms and compared to the cost of countermeasures and the residual risk after applying the security control. It is not always practical to express this values, so in the first step of risk evaluation, risk are graded dimensionless in three or five steps scales.

OWASP proposes a practical risk measurement guideline[22] based on:

Overall Risk Severity
Impact HIGH Medium High Critical
MEDIUM Low Medium High
LOW None Low Medium
  LOW MEDIUM HIGH
  Likelihood

IT risk management

Risk Management Elements

Main article: IT risk management

IT risk management can be considered a component of a wider enterprise risk management system.[23]

The establishment, maintenance and continuous update of an information security management system (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.[24]

Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.[25]

The Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT Governance, provides the following definition of risk management: "Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization."[26]

The NIST Cybersecurity Framework encourages organizations to manage IT risk as part the Identify (ID) function:[27][28]

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

IT risk laws and regulations

In the following a brief description of applicable rules organized by source.[29]

OECD

OECD issued the following:

European Union

The European Union issued the following, divided by topic:

Council of Europe

United States

United States issued the following, divided by topic:


As legislation evolves, there has been increased focus to require 'reasonable security' for information management. CCPA states that "manufacturers of connected devices to equip the device with reasonable security."[32] New York's SHIELD Act requires that organizations that manage NY residents' information “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” This concept will influence how businesses manage their risk management plan as compliance requirements develop.

Standards organizations and standards

Short description of standards

The list is chiefly based on:[29]

ISO

BSI

Information Security Forum

See also

References

  1. ^ "What is IT risk? | nibusinessinfo.co.uk". www.nibusinessinfo.co.uk. Retrieved 2021-09-04.
  2. ^ "Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)" (OHSAS 18001:2007)
  3. ^ "3 Types Of Cybersecurity Assessments – Threat Sketch". Threat Sketch. 2016-05-16. Archived from the original on 2018-11-07. Retrieved 2017-10-07.
  4. ^ "Information Security Assessment Types". danielmiessler.com. Retrieved 2017-10-07.
  5. ^ a b c ISO/IEC, "Information technology – Security techniques-Information security risk management" ISO/IEC FIDIS 27005:2008
  6. ^ CNSS Instruction No. 4009 Archived 2012-02-27 at the Wayback Machine dated 26 April 2010
  7. ^ National Information Assurance Certification and Accreditation Process (NIACAP) by National Security Telecommunications and Information Systems Security Committee
  8. ^ "Glossary of Terms". Retrieved 23 May 2016.
  9. ^ a wiki project devoted to FISMA
  10. ^ FISMApedia Risk term
  11. ^ a b NIST SP 800-30 Risk Management Guide for Information Technology Systems
  12. ^ FIPS Publication 200 Minimum Security Requirements for Federal Information and Information Systems
  13. ^ a b FAIR: Factor Analysis for Information Risks Archived 2014-11-18 at the Wayback Machine
  14. ^ a b ISACA THE RISK IT FRAMEWORK Archived 2010-07-05 at the Wayback Machine ISBN 978-1-60420-111-6 (registration required)
  15. ^ Technical Standard Risk Taxonomy ISBN 1-931624-77-1 Document Number: C081 Published by The Open Group, January 2009.
  16. ^ Arnold, Rob (2017). Cybersecurity: A Business Solution: An executive perspective on managing cyber risk. Threat Sketch, LLC. ISBN 9780692944158.
  17. ^ Arnold, Rob (2017). Cybersecurity: A Business Solution. Threat Sketch, LLC. p. 22. ISBN 978-0692944158.
  18. ^ "Glossary". Archived from the original on 29 February 2012. Retrieved 23 May 2016.
  19. ^ "Glossary". Archived from the original on 29 February 2012. Retrieved 23 May 2016.
  20. ^ "Glossary". Archived from the original on 29 February 2012. Retrieved 23 May 2016.
  21. ^ "Glossary". Archived from the original on 29 February 2012. Retrieved 23 May 2016.
  22. ^ a b "OWASP Risk Rating Methodology". Retrieved 23 May 2016.
  23. ^ "ISACA THE RISK IT FRAMEWORK (registration required)" (PDF). Archived from the original (PDF) on 2010-07-05. Retrieved 2010-12-14.
  24. ^ Enisa Risk management, Risk assessment inventory, page 46
  25. ^ Katsicas, Sokratis K. (2009). "35". In Vacca, John (ed.). Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 605. ISBN 978-0-12-374354-1.
  26. ^ ISACA (2006). CISA Review Manual 2006. Information Systems Audit and Control Association. p. 85. ISBN 978-1-933284-15-6.
  27. ^ Keller, Nicole (2013-11-12). "Cybersecurity Framework". NIST. Retrieved 2017-10-07.
  28. ^ Arnold, Rob. "A 10 Minute Guide to the NIST Cybersecurity Framework". Threat Sketch. Archived from the original on 2021-04-14. Retrieved 2018-02-14.
  29. ^ a b Risk Management / Risk Assessment in European regulation, international guidelines and codes of practice Archived 2011-07-23 at the Wayback Machine Conducted by the Technical Department of ENISA Section Risk Management in cooperation with: Prof. J. Dumortier and Hans Graux www.lawfort.be June 2007
  30. ^ "Privacy Impact Assessments". Department of Homeland Security. 2009-07-06. Retrieved 2020-12-12.
  31. ^ "Securities and Exchange Commission (SEC)" (PDF). Securities and Exchange Commission (SEC).
  32. ^ IAPP. "The evolution of the 'reasonable security' standard in the US context".

External links

Categories