Risk Terminology for Beginners
7th September 2014
Amongst the key requirements of the ISO27001 Information Security Management System standard are activities related to the establishment, implementation, operation and management of an effective risk assessment framework. The standard expects that all relevant “threats” and “vulnerabilities” are assessed, but do we fully understand the difference between these two terms and “risk”?
A vulnerability is a weakness in an asset that, by its ongoing existence, could be used to cause it some damage or disruption, for example the existence of weak passwords, or not applying the latest security patches. A threat, on the other hand, is an activity (human-based or an Act of God) which has the potential to exploit an asset’s vulnerabilities to cause harm: examples include computer viruses, the activities of hackers, or extremes of weather. Generally speaking, organisations will spend more time and effort on identifying and addressing vulnerabilities (the majority of which will be within their power to manage) than on external threats (the nature of which is often not fully known by the organisation).
Risk is the combination of the probability (or likelihood) of something bad happening, and the impact on the asset (and therefore the organisation) if it were to do so. These two variables of probability and impact allow risk assessments to prioritise where action is needed most: a risk that is definitely going to take place and has the potential to threaten the organisation’s very existence will receive more urgent attention than very occasional risks that have such a negligible effect that nobody is likely to even notice them.
That is the reason why a formal, structured and effective risk assessment regime is so important to the protection of an organisation’s data, or the data of customers which has been entrusted to it during the provision of a service. There is no value in cutting corners to file incomplete or poorly completed assessments, as there is rarely the opportunity of a second chance to have another look once a serious information security breach or system failure has already taken place. By then the damage has been done.
Risk assessment is commonly perceived as a “dark art”, but there is no reason for this view. All that is needed is a framework which acknowledges a wide variety of vulnerabilities and threats, as applicable to the operations of the organisation, and diligent, trained employees who understand what they are being asked to do and the importance of doing it well. Effective risk assessments allow organisations to identify, implement or change the controls (or “good” activities) that are in place to manage, control, reduce or remove vulnerabilities and the likelihood of their exploitation by threats.
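To make the likelihood-and-impact prioritisation and the effect of controls concrete, here is a small risk register in Python. It is an added example written for this page, not part of the original article and not an ISO27001 artefact: the 1-to-5 scales, the banding thresholds, the `apply_control` helper and the sample register entries are all assumptions constructed for illustration. Each entry pairs a vulnerability with the threat that could exploit it, scores risk as likelihood multiplied by impact, ranks the register so the near-certain, existential entry comes first, and shows how recording a control lowers the residual score.

```python
from dataclasses import dataclass, field

# Scoring model (an assumption for this example, not from the article):
# likelihood and impact are each scored 1 (lowest) to 5 (highest), and
# risk = likelihood x impact, giving a 1-25 range that is then banded.


@dataclass
class Risk:
    asset: str
    vulnerability: str          # weakness in the asset, e.g. weak passwords
    threat: str                 # activity that could exploit it
    likelihood: int             # 1-5
    impact: int                 # 1-5
    controls: list = field(default_factory=list)  # controls recorded against it

    def score(self) -> int:
        """Risk score as probability combined with impact; rejects out-of-range input."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be scored 1-5")
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a 1-25 score to a treatment band (thresholds are assumed)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: list) -> list:
    """Highest score first; ties broken by impact so severe-but-rare risks rank above trivial ones."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def apply_control(risk: Risk, name: str, likelihood_reduction: int = 0,
                  impact_reduction: int = 0) -> Risk:
    """Return the residual risk after a control; a control can lower likelihood
    and/or impact but never below the minimum score of 1."""
    return Risk(
        asset=risk.asset,
        vulnerability=risk.vulnerability,
        threat=risk.threat,
        likelihood=max(1, risk.likelihood - likelihood_reduction),
        impact=max(1, risk.impact - impact_reduction),
        controls=risk.controls + [name],
    )


# Constructed sample register: vulnerability/threat pairs with assumed scores.
REGISTER = [
    Risk("customer database", "unpatched database server",
         "exploitation of a known software flaw", likelihood=5, impact=5),
    Risk("staff laptops", "weak passwords", "password guessing", likelihood=4, impact=3),
    Risk("data centre", "single power feed", "extreme weather / power loss",
         likelihood=1, impact=4),
    Risk("office printer", "default management password", "configuration disclosure",
         likelihood=2, impact=1),
]


def report(register: list) -> list:
    """Ranked (asset, score, band) tuples, the view a risk owner would review."""
    return [(r.asset, r.score(), band(r.score())) for r in prioritise(register)]


if __name__ == "__main__":
    for asset, score, level in report(REGISTER):
        print(f"{level:8} {score:2}  {asset}")
    # Record a patching control against the top risk and show the residual score.
    residual = apply_control(REGISTER[0], "monthly patch cycle", likelihood_reduction=3)
    print("residual after control:", residual.score(), band(residual.score()), residual.controls)
```

The ranking makes the article's point visible: the unpatched database (certain and existential, score 25) sits at the top, while the printer (unlikely and negligible, score 2) sits at the bottom even though it, too, is a genuine vulnerability. The residual-risk step is where the assessment feeds back into control selection: a patching control that drops likelihood from 5 to 2 moves the top entry from "critical" to "high", and the register records which control was credited for that reduction.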