Information systems and their security are a major headache for most business owners, managers, and administrators due to their complexity and abundance of technical jargon. This article aims to present Information Risk Analysis in a clear and accessible way.
1. Giving an existential twist to information risk analysis
A crew of astronauts is heading into space to save humanity. One of them pilots the ship, along with a second, the copilot, and together they monitor the handheld display—a complex system of buttons and sounds that shows the most relevant information for decision-making—to see what is happening in real time. The buttons turn red and the sounds activate, creating a sense of imminent danger: the ship is about to pass through a meteor shower in a matter of seconds. The difference between the mission's success and failure is life and death, or in other words: the future of an entire species.
This is a typical scenario in science fiction films. They all share a pattern: the protagonist is a leader who makes decisions in times of crisis based on one thing only: information. Information from multiple sources and supported by a TEAM of specialists. In most cases, the final result depends on the screenwriter's imagination, but in real life the result depends on two factors: creativity and preparation.
The formula seems clear, although getting the right ingredients and mix is probably the biggest challenge for any organization:
Success = people + information + preparation
What will happen this time if you're the protagonist? What will happen if you don't have the information or the team to support you in making a decision? Okay, maybe you're not piloting a spaceship or humanity doesn't depend on you, but you do have a team and other kinds of responsibilities on your shoulders: perhaps as a manager, entrepreneur, employee, or team leader. Who supports you? Who advises you?
Creativity, vision, and experience are three qualities that rarely occur simultaneously in one person, which is why they are among the most sought after. A creative, skilled, and experienced individual is the golden goose of any organization. It's the difference between success and failure in business: a sustainable future or a liquidation sign.
2. What is risk analysis and why is it important?
Information risk analysis is the process of understanding and assessing information assets, their vulnerabilities, and the threats to them, with the ultimate goal of protecting them. This involves considering the company's various systems as well as their relationships with external systems.
The article How to be prepared in a world with 12 cyberattacks per second has already shown us that, as a matter of fact, we are not aware of the value of our assets, their vulnerabilities, or all the threats that loom over their security every day.
It is common knowledge that "better to prevent than to cure". International organizations and governments are increasingly investing in prevention to address humanity's greatest challenges because they are fully aware that there is no better solution: why solve problems when we can prevent them? Preparedness is key.
Being prepared in terms of cybersecurity or information security involves conducting risk analysis and risk management. To do this, we must answer many questions:
- What are our information assets, what is their value and what are their vulnerabilities?
- What are the threats that each of them faces and what is their impact on the organization?
- How can we mitigate vulnerabilities and maximize security against threats?
For our organization, conducting a proper risk analysis does not require a great effort if we are convinced of its usefulness and, above all, if we compare it with the benefits it can bring us by helping us to reduce, and even avoid, the impact that threats would have on the business and its continuity if they materialize.
As Steve Jobs said…
3. Risk analysis in 7 easy steps
Several methodologies exist for conducting a comprehensive risk analysis: Magerit, NIST's "Guide for Conducting Risk Assessments," ISO/IEC 27005:2011, and its equivalent Spanish standard UNE 71504:2008, among others. They all share the common benefit of following these fundamental steps:
3.1. Determine the scope of the risk analysis
Every organization is a large system divided into smaller systems that are distinct yet interconnected. For example, when conducting a risk analysis of the entire organization, we might begin with the Management System, the Sales System, or the Financial System.
This aspect is fundamental in terms of its consequences and to coherently evaluate the investment that will be necessary to obtain satisfactory results: safer systems, a safer organization.
3.2. List the assets and assess their criticality
Information assets are any data or system related to the processing of data, defined and managed as a single unit that can be understood, shared, protected and exploited efficiently.
Information assets have value, risk, content, and life cycles that can be valued and managed; therefore, their protection is essential. There are different categorization systems, but for the sake of simplicity, one fundamentally useful distinction is worth considering:
- Tangible: a person, a computer, a smartphone, or a server.
- Intangible: a database, an email address, or data from colleagues and clients.
Identifying the assets that underpin our company's processes and services is a fundamental step in obtaining the big picture and taking appropriate actions to protect them. Therefore, in the asset identification stage, the fundamental output is the asset map.
| ID | Asset | Responsible | Criticality (1-3) |
|---|---|---|---|
| ID_BD01 | Customer bank account database | Commercial Director | 3 |
| ID_S01 | Main server | Systems Director | 3 |
| ID_PM01 | New flagship launch prototypes for 2018 | Product Manager | 3 |
3.3. Identify and categorize the threats to each of the assets
The next step is to identify and review the threats to each asset. We examine their vulnerabilities, the threats to which they are exposed, and the potential impact should these threats materialize. This allows us to assess the assets and, consequently, determine the impact on the processes and services they support. At this stage, we also determine which risks the organization can accept and which cannot, requiring further action.
3.4. Identify vulnerabilities and safeguards
The benefit of listing and evaluating each information asset is the opportunity to get to know it better: to learn its vulnerabilities and to remedy its security by safeguarding it.
Vulnerability = exposure x susceptibility / resilience
Similarly, we will analyze our current security measures to determine if these vulnerabilities are currently being protected or if, on the contrary, it is necessary to incorporate new systems and processes to protect them.
For example, a lack of backups, outdated software, or a poorly located data center are situations that can be easily improved once there is awareness of them.
3.5. Assess the risk
Risk is calculated by estimating the probability, given our vulnerabilities, of a threat occurring, together with its impact. The numerical calculation is more complex, but these tables aim to give you a qualitative understanding of how we assess the true risk to your information systems:
Threat probability calculation table:
| Qualitative | Quantitative | Description |
|---|---|---|
| Low | 1 | The threat occurs once a year. |
| Medium | 2 | The threat occurs once a month. |
| High | 3 | The threat occurs once a week. |
Impact calculation table:
| Qualitative | Quantitative | Description |
|---|---|---|
| Low | 1 | The damage resulting from the threat has no relevant consequences for the organization. |
| Medium | 2 | The damage resulting from the threat has significant consequences for the organization. |
| High | 3 | The damage resulting from the threat has serious consequences for the organization. |
Once we have assessed and classified the vulnerabilities, the threats and their impact, we can solve the risk equation:
Risk = threat x vulnerability x impact
With the help of the risk matrix, we can qualitatively assess what type of risk we face:

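The following is an added example (not code from the original article or from EPUNTO) that carries steps 3.2, 3.4 and 3.5 through in code: it builds the asset map from the table above, scores each threat scenario with Vulnerability = exposure x susceptibility / resilience and Risk = threat x vulnerability x impact using the article's 1-3 probability and impact scales, and then flags which risks exceed the level the organization accepts (step 3.3) and what the residual risk is after a safeguard is added (step 3.6). The 1-3 scales for exposure, susceptibility and resilience, the numeric cut-offs of the risk matrix, and the threat scenarios themselves are assumptions constructed for the example; the article gives the matrix only as a figure.

```python
from dataclasses import dataclass, replace

# Qualitative -> quantitative scales, as in the article's probability and impact tables.
PROBABILITY = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Assumed cut-offs for the qualitative risk matrix (the article shows the matrix
# as an image; these numbers are an assumption, not the article's own values).
RISK_LEVELS = ((9, "low"), (27, "medium"))  # score < 9 -> low, < 27 -> medium, else high


@dataclass(frozen=True)
class Asset:
    """One row of the asset map (step 3.2)."""
    asset_id: str
    name: str
    owner: str
    criticality: int  # 1-3, as in the asset map


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, with the inputs of the vulnerability formula."""
    asset_id: str
    threat: str
    probability: str     # key of PROBABILITY
    impact: str          # key of IMPACT
    exposure: int        # 1-3 (assumed scale): how reachable the asset is
    susceptibility: int  # 1-3 (assumed scale): how easily the threat succeeds
    resilience: int      # 1-3 (assumed scale): strength of existing safeguards


def vulnerability(exposure: int, susceptibility: int, resilience: int) -> float:
    """Vulnerability = exposure x susceptibility / resilience (step 3.4)."""
    if resilience <= 0:
        raise ValueError("resilience must be positive; zero would make vulnerability infinite")
    return exposure * susceptibility / resilience


def risk_score(scn: Scenario) -> float:
    """Risk = threat x vulnerability x impact; the threat term is its probability (step 3.5)."""
    v = vulnerability(scn.exposure, scn.susceptibility, scn.resilience)
    return PROBABILITY[scn.probability] * v * IMPACT[scn.impact]


def risk_level(score: float) -> str:
    """Map a numeric score onto the qualitative risk matrix (assumed cut-offs)."""
    for upper, label in RISK_LEVELS:
        if score < upper:
            return label
    return "high"


def assess(assets, scenarios, acceptable="low"):
    """Score every scenario, sort worst-first and flag those above the acceptable level."""
    order = ["low", "medium", "high"]
    by_id = {a.asset_id: a for a in assets}
    rows = []
    for scn in scenarios:
        score = risk_score(scn)
        level = risk_level(score)
        rows.append({
            "asset": by_id[scn.asset_id].name,
            "owner": by_id[scn.asset_id].owner,
            "threat": scn.threat,
            "score": score,
            "level": level,
            "needs_treatment": order.index(level) > order.index(acceptable),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def residual_risk(scn: Scenario, new_resilience: int) -> float:
    """Re-run the equation after a safeguard raises resilience (step 3.6)."""
    return risk_score(replace(scn, resilience=new_resilience))


# Constructed sample data, following the article's asset map.
ASSETS = [
    Asset("ID_BD01", "Customer bank account database", "Commercial Director", 3),
    Asset("ID_S01", "Main server", "Systems Director", 3),
    Asset("ID_PM01", "New flagship launch prototypes for 2018", "Product Manager", 3),
]

# Constructed threat scenarios (assumed values, not from the article).
SCENARIOS = [
    Scenario("ID_BD01", "unauthorised access to customer data", "medium", "high", 3, 3, 1),
    Scenario("ID_S01", "ransomware on a server with no backups", "medium", "high", 2, 3, 1),
    Scenario("ID_PM01", "leak of prototype documents", "low", "high", 1, 2, 2),
]

if __name__ == "__main__":
    for row in assess(ASSETS, SCENARIOS):
        flag = "TREAT" if row["needs_treatment"] else "accept"
        print(f"{row['score']:5.1f} {row['level']:6} {flag:6} {row['asset']} <- {row['threat']}")
    # Effect of adding backups to the main server: resilience 1 -> 3
    print("residual risk after backups:", residual_risk(SCENARIOS[1], 3))
```

Running it lists the database scenario first (score 54, high), the server ransomware scenario second (36, high) and the prototype leak last (3, low, accepted); raising the server's resilience from 1 to 3 by adding backups brings that scenario down to 12 (medium), which is the kind of before/after comparison step 3.6 asks for when choosing measures.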
3.6. Addressing the risk: Selection and implementation of security measures.
Once we are aware of the risks we face, half the battle is won. The penultimate step is then to select the most appropriate measures to eliminate or reduce the risk to a level acceptable to the organization.
Once identified, these measures are grouped into programs and activities, and those responsible for implementing them are designated.
3.7. Record the experience so that the learning remains in the organization: safeguarding the know-how.
Technical know-how is one of the greatest competitive advantages and, along with creativity, what allows our organizations and societies to move forward. For this reason, we always recommend creating and updating records of the circumstances experienced within the organization and of which alternatives have worked and which haven't, in order to improve them.
In this way, we will not only retain our organization's knowledge, but we will also make it easier to understand for collaborators who may join in the future.
4. Cost and benefit of a risk analysis
In June, in How to be prepared in a world with 12 cyberattacks per second, we already addressed the average costs of neglecting your cybersecurity:
According to the "Global Survey on the State of Cybersecurity", a study by the consulting firm PwC, losses in Spanish companies resulting solely from cyberattacks could average around 1.4 million euros in 2016. If we focus on the case of SMEs, the insurer Mapfre, based on various studies, estimates that amount to be between €20,000 and €50,000 on average.
All these losses of information can represent a high cost for companies, not only in terms of the interruption of activity, but also in the loss of image, trust, and even customers, and in the recovery of the information assets themselves. Although this amount depends on the company's activity and the sensitivity of the lost data, the same study estimates that the average recovery cost of a data record lost due to a cyberattack is €152. This amount is significantly higher than that resulting from system errors or human factors, estimated at €119 and €123 respectively. These figures give us an idea of the significant impact that losing several thousand records of sensitive business information can have on a company.
As a company contracting Information Security and Management services, your cost will depend on the scope of the project and the type of professional hired. At EPUNTO Interim Management, we have senior managers with over 15 years of experience in information systems and security who work on a project basis for the duration you require. In this way, we place a temporary manager within your company who will help you understand and address your challenges, resulting in a process of solutions, learning, and management independence.
The benefits of handling the management and security of information systems are clear:
- Avoid problems
- React more quickly and accurately
- Be more efficient: better results with less investment
- Expand and improve our understanding of our organization and our people
- Be smarter
Conclusions
We began by talking about scenes, or in other words, a succession of frames. And that's because everything changes over time: the processes, the assets, the services, the people, the vulnerabilities, the threats and their impacts.
Information and technology are sectors that, by their very nature, grow exponentially and at breakneck speed. Therefore, our constant attention and care are essential to be prepared in a world with 12 cyberattacks per second. It's a process of continuous improvement, and its technical nature requires a team with experience and both general and detailed knowledge.