This note shows some methods to manage, display and evaluate security risks in a structured way.


PDCA

First, the PDCA cycle. It is a method for continuously improving processes, or for planning and implementing new projects.


P: Plan. Each process must be planned, using the regular steps of project planning. Make sure there is a target/actual performance analysis, so you can estimate the potential for improvement.

D: Do. At this point you execute the idea. It is important to understand that you only build a POC or an MVP here, to assess whether the new implementation works in day-to-day usage.

C: Check. Here we check whether the first tests were successful or not.

A: Act. This is the most important step. We act on the results and implement the newly assessed process, not only for internal tests but in production.


Risk management and Risk analysis

If you are doing risk analysis there are 4 types of management strategy you need to consider. The order of the following list can also be seen as a control flow: if one strategy is not applicable, the next one needs to be considered.

Risk elimination: Probably the most expensive strategy. It aims to remove a classified risk entirely, so it cannot occur in the future.
Risk mitigation: Take precautions to lower the probability of the risk occurring, or to reduce its impact when it does.
Risk transfer: The easiest one. Transfer the whole risk and its responsibilities to another organization or organizational unit, for example through insurance or outsourcing.
Risk acceptance: If the cost of the mitigation is far higher than the benefit, many choose to accept the risk and hope it will never occur.
Risk denial: Bonus points! It won't happen to us.

However, before we can plan our risk management strategy, we need to identify the risks. This can be achieved through collection methods (checklists, interviews), analytical search methods (fault trees, failure mode analysis) and creativity methods (brainstorming). Most of these are just common sense and I won't cover them here.

At this point you have found your risks and need to rate them. You can evaluate them either qualitatively or quantitatively.

Qualitative evaluation

During a qualitative evaluation you use comparative values such as low, medium and high to assess the risk. The most used models are the scoring model and the scenario model.


The scoring model uses impact and probability as variables to evaluate the priority of a risk. Each variable is rated on a small scale (here 1 to 3) and the two ratings are multiplied to get the score. Note that the impact labels on the scoring chart that accompanies this post are not strictly increasing; read "Significant" as 2 and "Fundamental to continuing of operations" as 3. With that reading, a score of 1-2 is a low priority risk, 3-5 is a medium priority risk and 6-9 is a high priority risk. The score is simply the product of the values you assign to the two variables.

Quantitative evaluation

During a quantitative evaluation you use measurable values such as prices. The risk value is the expected loss: probability multiplied by the cost of the event.
Example:
Risk: Bob buys an apple, there could be metal in it
Probability: 5%
Effective cost: 1000.- for tooth repair
Risk value: 50.- (1000.- x 5%)
Measure: Buying a metal detector to scan every apple costs 1500.-

This risk will most probably be accepted (or denied), since the cost of the measure is far higher than the risk value, and even higher than the effective cost of a single occurrence.
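To make the two evaluation methods and the strategy control flow concrete, here is a small risk register in Python. This is an added example, not code from the original post: the risk entries are constructed sample data (the apple case from the post plus two invented IT risks), the scales and thresholds are the 1-3 scoring grid and 1-2/3-5/6-9 buckets described above, and the "worth it" rule for a countermeasure (its yearly cost must be lower than the expected loss it removes) is my assumption.

```python
"""Risk register helper: qualitative scoring and quantitative expected loss.

Added example, not code from the original post. The risk entries below are
constructed sample data; the thresholds (1-2 low, 3-5 medium, 6-9 high) and
the strategy order (eliminate > mitigate > transfer > accept) follow the post.
"""
from dataclasses import dataclass

# Qualitative scoring model: impact and probability each rated 1..3,
# priority = impact * probability, bucketed with the post's thresholds.
IMPACT = {"minor": 1, "significant": 2, "fundamental": 3}
PROBABILITY = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(impact: str, probability: str) -> tuple:
    """Return (score, priority) for a qualitative impact/probability pair."""
    score = IMPACT[impact] * PROBABILITY[probability]
    if score <= 2:
        return score, "low"
    if score <= 5:
        return score, "medium"
    return score, "high"


@dataclass
class Risk:
    name: str
    probability: float        # chance of occurrence per year, 0..1
    cost: float               # loss if it occurs (single loss expectancy)
    control_cost: float       # yearly cost of the cheapest countermeasure
    control_p: float          # probability left after the control (0 = eliminated)
    transferable: bool = False  # can it be insured or outsourced?

    def risk_value(self) -> float:
        # Expected yearly loss: probability * cost (ALE = ARO * SLE)
        return self.probability * self.cost

    def residual_value(self) -> float:
        # Expected yearly loss that remains once the control is in place
        return self.control_p * self.cost


def choose_strategy(r: Risk) -> str:
    """Walk the post's strategy order, falling through when a step is not worth it.

    Assumption: a control is worth buying only when its yearly cost is lower
    than the expected loss it removes.
    """
    saved = r.risk_value() - r.residual_value()
    if r.control_p == 0 and r.control_cost < saved:
        return "eliminate"
    if r.control_p > 0 and r.control_cost < saved:
        return "mitigate"
    if r.transferable:
        return "transfer"
    return "accept"


# Constructed sample register (amounts in the post's ".-" currency units).
REGISTER = [
    # The apple from the post: 5% chance, 1000.- repair, 1500.- metal detector
    Risk("metal in Bob's apple", 0.05, 1000.0, 1500.0, 0.0),
    # Invented: ransomware, backups + EDR cost 15000/yr and cut the chance to 5%
    Risk("ransomware outbreak", 0.20, 200_000.0, 15_000.0, 0.05),
    # Invented: data centre fire, second site too dear, but insurable
    Risk("data centre fire", 0.01, 1_000_000.0, 200_000.0, 0.0, transferable=True),
]


def prioritised_register(register=REGISTER) -> list:
    """Sort risks by expected yearly loss and attach the chosen strategy."""
    rows = [(r.name, round(r.risk_value(), 2), choose_strategy(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, value, strategy in prioritised_register():
        print(f"{name:25} expected loss {value:>10.2f}  -> {strategy}")
```

Running the script prints the register sorted by expected loss; the apple ends up as "accept", exactly the outcome argued in the text, because 1500.- spent to remove an expected loss of 50.- per year never pays back.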


Business impact analysis

Conducting a business impact analysis reveals the possible negative effects if unexpected system failures occur. The essential steps of a BIA are:
- Evaluate priorities: Gain knowledge about the company
- Define criticality: Decide how long a certain service is allowed to be down
- Define recovery time: Define when an unexpected issue has to be fixed
- Evaluate resources: Evaluate what resources are required to recover faulty services
- Evaluate dependencies: Find internal and external dependencies

At this point I am going to throw 2 terms at you without much context.
Recovery time objective (RTO): Indicates how much time you have to get a system back up for its users before the outage has a critical impact on your business.
Recovery point objective (RPO): How much data, expressed as time, you are willing to lose; in practice it is the maximum allowed gap between two good backups.
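A quick way to check whether your backup schedule and restore procedure actually honour these two objectives, as an added example that is not part of the original post. The backup log, the restore drill durations and the 8 hour RPO / 2 hour RTO targets are all constructed values; the check computes the worst observed gap between backups (the data you would lose if the failure struck just before the next run) and the slowest observed restore.

```python
"""RPO/RTO check against a constructed backup log and restore drill.

Added example, not code from the original post. Timestamps, durations and
the objectives are constructed sample values for illustration.
"""
from datetime import datetime, timedelta

# Constructed backup completion times (ISO 8601). The 18:00 run on
# 2020-09-10 failed, which is exactly the case an RPO check must catch.
BACKUP_LOG = [
    "2020-09-10T00:05:00",
    "2020-09-10T06:04:00",
    "2020-09-10T12:06:00",
    "2020-09-11T00:05:00",
    "2020-09-11T06:03:00",
]

# Constructed restore drill results: minutes from "failure declared"
# to "service usable again", one entry per drill.
RESTORE_DRILL_MINUTES = [95, 140, 110]

RPO = timedelta(hours=8)   # assumed objective: lose at most 8 hours of data
RTO = timedelta(hours=2)   # assumed objective: service back within 2 hours


def worst_case_data_loss(log) -> timedelta:
    """Largest gap between consecutive good backups = worst-case data loss."""
    times = sorted(datetime.fromisoformat(t) for t in log)
    if len(times) < 2:
        raise ValueError("need at least two backups to measure a gap")
    return max(b - a for a, b in zip(times, times[1:]))


def rpo_met(log, rpo: timedelta = RPO) -> bool:
    return worst_case_data_loss(log) <= rpo


def slowest_restore(drill_minutes) -> timedelta:
    # Plan against the slowest restore you have seen, not the average.
    return timedelta(minutes=max(drill_minutes))


def rto_met(drill_minutes, rto: timedelta = RTO) -> bool:
    return slowest_restore(drill_minutes) <= rto


def report(log=BACKUP_LOG, drills=RESTORE_DRILL_MINUTES) -> dict:
    """Summarise both objectives in one dict for a BIA review."""
    return {
        "worst_gap": worst_case_data_loss(log),
        "rpo_met": rpo_met(log),
        "slowest_restore": slowest_restore(drills),
        "rto_met": rto_met(drills),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:16} {value}")
```

With the constructed data both objectives fail: the missed backup run stretches the worst gap to nearly 12 hours against an 8 hour RPO, and the slowest drill took 2 hours 20 minutes against a 2 hour RTO. Silently failed backup jobs are the usual reason an RPO looks fine on paper and is not met in practice, so feed this kind of check with the real job log, not the schedule.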

Thanks for coming to my TED talk

Last modified: September 11, 2020
