Information Risk Assessment is central to practical cyber-security. All cyber-security involves a trade-off between benefits and costs. Information Risk Assessment is the first step to identifying the sweet spot in benefit-cost terms of appropriate cyber-protection.
Information risks can be reduced by changes to business process. This indicates it is important to see information risk as 'whole-of-business' cyber-security in which cyber-risks can be reduced or managed by business changes in addition to IT protection.
Information Risk Assessment
Information Risk Assessment draws on ideas from Information Security Assessment (ISA):
- Threats to assets: events that can cause the loss, damage or misuse of information assets
- Vulnerabilities: How easy it is to attack or compromise information assets
- Impacts: The scale of potential losses and the seriousness for the continuity or progress of the business.
Information risk assessment builds on these ideas to identify:
- Which information and data are important to the business and why?
- Which of that information and data are held directly by the business?
- Which of the information and data are held by others?
- What are the main threats to the business information and data?
- What are the main vulnerabilities to how the business’s information and data are held?
- Which of the information and data are important to be secured because they are essential to the operation of the business?
- Which of the information and data are important to be secured because they are confidential and would have adverse effects, liabilities etc. if they were obtained by others?
- Which of the information and data can be held by others if they can take full financial and legal responsibility for securing them, including all losses to the business if they fail?
- Which of the information and data must never be held by others because if they fail to secure them or make them available (for example due to collapse of their business), then the responsibility, liabilities and losses will all automatically transfer back to this business? (This is an example of a limitation of risk transfer, and there will be a future article about it.)
- Which information and data can or should the business NOT be holding or acquiring.
In the answers to the above questions, the information has different levels of business importance, e.g.:
- Critically important
- Less important
- Why are we holding this data?
A business can achieve its intended outcomes in many different ways with different business processes, technologies, people, etc. Depending on how a business arranges itself, it requires different kinds of business information and exposes itself to different information-related risks.
By assessing the information risks of a particular business configuration, we can identify how they can be reduced by a combinations of cyber-security and changes to business processes. For example, sometimes the easiest cyber-security solution is to not hold information.
A financial planning business was subject to an information risk from holding personal confidential information for a group of clients to complete a set of paper forms for them. By Information Risk Assessment and a change of business process in which the clients filled the forms themselves (supported by financial planner staff), there was no need to hold that information. The associated cyber-risks and cyber-security were almost completely removed.
Benefits of Information Risk Assessment include:
- It aligns with the reality of cyber-security that businesses will be hacked and the real challenge is to minimise the risk to business while helping the business take advantage of the information
- It firmly locates cyber-security as an aspect of management, business processes and decision-making
- It guides decisions about which information to hold and how
- It provides a sound easy to use basis for sorting information assets into different risk groups with different levels of cyber security.
Information Risk Assessment Methods
There are several different information risk assessment methods, including:
- Oxford University Information Risk Assessment process
- Factorial Information Risk Assessment (FAIR) method
- Information Risk Assessment Method (2) (IRAM2)
- ENISA’s SARP risk profile tool
- Verinice ISMS tool
Oxford University Information Risk Assessment process
The Oxford University Information Risk process is actually a collection of five information risk assessment methods:
- Standard (CIA) Information Risk Assessment
- Third Party Security Assessment (TPSA)
- Cloud Security Checklist
- Privacy Impact Assessment (PIA)
- Business Impact Assessment (BIA)
For small businesses we have collated these together into a single set of questions for management that can be addressed in a 1 hour session.
FAIR Information Risk Assessment Table
The FAIR method was originally intended as a supplement to IT-only information risk assessment and operates across business processes and IT. The FAIR information risk assessment structure has 4 phases:
- Phase 1: Identify components (assets and threats)
- Phase 2: Evaluate Loss Event Frequency
- Phase 3: Evaluate Probable Loss Magnitude
- Phase Four: Derive and articulate risk
Information Risk Assessment Method (2) (IRAM2)
IRAM2 is a proprietary information risk assessment methodology created and Managed by ISF. It has three phases:
- Phase 1: Business Impact Assessment
- Phase 2: Threat and Vulnerability Assessment
- Phase 3: Control Selection (selection of cyber-security controls/tools to reduce likelihood of events occurring
ENISA Information Risk Assessment Method
ENISA provides organizations with a high-level means to sketch their risk profile defined as the combination of their exposure to threat and vulnerabilities with the potential impact on their critical information assets. It does this via the SARP EBIOS questionnaire. The analysis results in a risk profile that provides advice about appropriate information risk management methods that an organization needs to consider.
Verinice is an open source information security management system that also includes information risk assessment support. It is more appropriate to long term information risk assessment support for larger companies due to its IT requirements.
Form small businesses we offer information risk assessment support using whichever of the above methods is most suitable and economical.
If you are interested in an Information risk assessment contact me on