I’ve been doing a lot of security awareness training internally over the last few weeks. I thought I’d share one particular way of looking at risks that we found useful.
One problem in risk analysis comes early in the process: identifying the risks you want to assess. People – even security professionals – tend to focus on big-ticket risks, like natural disasters or directed hacks. Why? Because we’re human, and we react to the media around us and to our instinctive fears – fire, flood, enemy attack. Some of these risks are real, and some may also be disastrous if not mitigated, but they’re rarely the most relevant to our day-to-day business operations.
So how do you make sure you’ve covered a wider range of risks, without getting bogged down in detail, or distracted by wild speculation? The latter is usually the wag in the room who pipes up with “What if there’s an asteroid strike on the data centre?”. Not so funny after last week’s Russian experience, but still pretty unlikely, and I don’t think the board will be signing off on the space shuttle and roughnecks budget any time soon.
Our approach is to break risk down into two dimensions and two categories, with two inflections for one of the categories, as follows:
- Endogenous risk relates to risks inside your organisation.
- Exogenous risk means risk from the outside.
- Intentional risk implies active malicious intent; this can be inflected as:
  - Directed risk is targeted at you, specifically.
  - Undirected risk affects you by chance, or as part of a wider spread of impact.
- Unintentional risk results from accident or carelessness.
Endogenous intentional directed – bad stuff done by your people to you on purpose. People on the inside are best placed to cause real damage, so worry about this. As you’ll see, though, there are other things to worry about more.
Endogenous intentional undirected – means nothing: an internal risk can’t be both intentional and undirected, because an insider who acts with intent is, by definition, attacking you on purpose.
Exogenous intentional directed – for example, actual hackers actually hacking you rather than someone else. Your Hugh Jackman in Swordfish moment. This is on the rise; it could happen to you. But unless there’s a good reason for you to be a target, it’s not high on the likelihood scale. See below, too:
Exogenous intentional undirected – viruses and malware are the obvious examples. You are under attack from these agents right now – and so is everyone else. You’ve almost certainly been compromised. In some cases, this may open you up to a directed attack, once the malware phones home and the hackers find out what you’ve got. But don’t just think about technology: burglary is an exogenous intentional threat, too, and most burglars are opportunists – although, once more, you might also be a visible juicy target for an intentional intrusion, depending on what you do for a living.
Endogenous unintentional – the big kahuna. If you worry about one thing, worry about this. The greater part of all your infosec risk arises from staff negligence and, frankly, stupid behaviour. Not only is this your biggest risk, it’s also the one you benefit most from fixing, as the mitigation is usually process improvements and training, which will filter through to productivity and customer satisfaction as well as information security.
Exogenous unintentional – flood, fire, famine, pandemic, earthquake, asteroid impact. But not just the big, rare, scary stuff. Also the transport strike, the local power outage, the network congestion, the currency crisis – anything that the outside world can throw at you that might threaten the confidentiality, integrity or availability of your data and by extension your business.
So we end up with five groups of risk:
Work through each group, brainstorming the list and plotting each one on a typical likelihood/impact Boston square. Then go away to work out all the usual cost/benefit mitigation analysis, starting with the stuff in the top right corner – high likelihood, high impact. You’ll end up with a manageable risk analysis exercise that has only just enough Hollywood seasoning to keep it interesting.
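To show how the taxonomy and the Boston square fit together in a risk register, here is an added Python example (my own illustration, not code from the post). It encodes the five meaningful groups, rejects the “endogenous intentional undirected” combination the post rules out, places each risk in a likelihood/impact quadrant and orders the register so the top-right corner comes first; the risk names and 1–5 scores are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
# The post's five meaningful groups; (endogenous, intentional, undirected) is deliberately absent.
GROUPS = {
    ("endogenous", "intentional", "directed"),
    ("exogenous", "intentional", "directed"),
    ("exogenous", "intentional", "undirected"),
    ("endogenous", "unintentional", None),  # unintentional risk has no direction inflection
    ("exogenous", "unintentional", None),
}

@dataclass(frozen=True)
class Risk:
    name: str
    origin: str               # "endogenous" or "exogenous"
    intent: str               # "intentional" or "unintentional"
    direction: Optional[str]  # "directed", "undirected", or None for unintentional risk
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self):
        if self.group not in GROUPS:
            raise ValueError(f"{self.name}: {self.group} is not one of the five groups")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be scored 1..5")

    @property
    def group(self):
        return (self.origin, self.intent, self.direction)

def quadrant(risk: Risk, threshold: int = 3) -> str:
    """Place a risk on a 2x2 likelihood/impact Boston square."""
    high_l, high_i = risk.likelihood >= threshold, risk.impact >= threshold
    return {(True, True): "top right", (False, True): "top left",
            (True, False): "bottom right", (False, False): "bottom left"}[(high_l, high_i)]

def prioritise(register: List[Risk]) -> List[Risk]:
    """Order for cost/benefit work: top-right quadrant first, then by likelihood x impact."""
    return sorted(register, key=lambda r: (quadrant(r) != "top right", -r.likelihood * r.impact))

# Constructed sample register (illustrative names and scores, not from the post).
REGISTER = [
    Risk("admin deliberately leaks customer database", "endogenous", "intentional", "directed", 2, 5),
    Risk("targeted intrusion against our payment system", "exogenous", "intentional", "directed", 2, 4),
    Risk("commodity malware via phishing email", "exogenous", "intentional", "undirected", 4, 3),
    Risk("staff email spreadsheet to the wrong client", "endogenous", "unintentional", None, 5, 3),
    Risk("local power outage", "exogenous", "unintentional", None, 3, 3),
    Risk("asteroid strike on the data centre", "exogenous", "unintentional", None, 1, 5),
]
```

Running `prioritise(REGISTER)` puts the everyday endogenous unintentional item first and the asteroid last, which is the post’s point about where the real risk sits.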