Basic Rules for Creating a Risk Assessment Process

Side Note: The information security community has attracted a significant number of highly intelligent individuals who have a propensity for finding defects wherever they can. On one level that is a good thing: we need smart people looking for control weaknesses in obvious and hard-to-find places. On the other hand, it often leads to arcane and obtuse arguments within the community about control weaknesses, which only serve to confuse the rest of us. Couple this with the large number of information security officers who are driven to control risk and to make their organizations follow the rules, and the result is the issuance of voluminous and daunting policies and procedures.

All of this has spilled over into the area of risk assessment. There is an abundance of highly sophisticated and complex risk methodologies, all of which are based on sound principles, and none of which could be described as simple or intuitive. For example, the COSO relationship model shown in the figure below attempts to meld business entity objectives with the enterprise risk management components. If you look at the individual elements in the model, it appears to make sense. Who can argue that "Objective Setting" in risk assessments does not support corporate objectives? But what are the right objectives, how do I set them, and how do they integrate with the other objectives? The elements are correct, but when you combine them no simple, intuitive process emerges.

[Figure: COSO Risk Framework]

How then do we create a simple, objective and intuitive risk assessment methodology? We need to address three requirements within the Simple Risk Model:

  1. KISS - We need to avoid the tendency to address every issue, every risk and every control. We need to keep it simple. Our goal is not perfection, but the reduction of risk to an acceptable level. As long as we have addressed the material risks, then we can declare success. We don't have to address all of them.
  2. Show Me the Money - It is very easy to get lost in the minutiae of information security and lose sight of what is really important. Even stating that focusing on "risk" is most important may not prove helpful when everyone around you has their own ideas about what is the highest risk to the business. That is when you need to step back and ask the simple question, "How much money will it cost us?" How much money could we lose from fraud, from loss of reputation and our customers' decision to go elsewhere, from legal actions by disgruntled investors, from regulatory fines and penalties, from repairing systems and processes to prevent further losses, and so on? If no one can put a price on the risk, then the risk is a good candidate for the "low" heap.
  3. The Devil is in the Details - While monetary exposure is a good standard to use in assessing risk, it is often difficult to set an exact dollar amount on the potential loss, especially when there is not an extensive history of losses within the business or the industry from that risk. This is when it is helpful to break the risk down into successively smaller components until you have reached a level where the potential losses become more objective. What is the potential loss from employees sharing passwords? That question cannot be answered objectively. On the other hand, what is the potential loss if a manager shares his or her password with an administrator such that the administrator can now unilaterally cut a check or send a wire without the manager's approval? Now we're getting somewhere.
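To make the three rules concrete, here is an added example that is not part of the original article and does not come from ISRMC: a small Python model of a risk register that applies them in order. A vague risk is broken down into sub-risks until one of them can be priced (rule 3), every risk is ranked by its priced exposure and anything nobody can price goes to the "low" heap (rule 2), and only the risks above a materiality threshold are addressed (rule 1). The risk names, dollar figures and the threshold are constructed for illustration; the article sets no such numbers.

```python
# Added example (not from the article): a toy model of the three Simple Risk
# Model rules. Risk names, dollar figures and the materiality threshold are all
# constructed for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Risk:
    """A risk and, optionally, the more concrete sub-risks it breaks down into."""
    name: str
    # Estimated monetary loss in dollars, or None when nobody can put a price on it.
    loss_estimate: Optional[float] = None
    children: List["Risk"] = field(default_factory=list)

    def priced_exposure(self) -> Optional[float]:
        """Rule 3 (The Devil is in the Details): a vague risk has no dollar
        figure of its own, so its exposure is the sum of whatever its more
        specific components can be priced at. Returns None when nothing
        below it can be priced either."""
        if not self.children:
            return self.loss_estimate
        priced = [c.priced_exposure() for c in self.children]
        priced = [p for p in priced if p is not None]
        return sum(priced) if priced else None


def triage(risks: List[Risk], materiality_threshold: float) -> Tuple[List[Risk], List[Risk]]:
    """Rule 2 (Show Me the Money) and rule 1 (KISS): rank risks by priced
    exposure; anything unpriced or below the threshold goes to the "low"
    heap and is not worked further. Returns (material, low) with the
    material list sorted highest exposure first."""
    material: List[Risk] = []
    low: List[Risk] = []
    for risk in risks:
        exposure = risk.priced_exposure()
        if exposure is None or exposure < materiality_threshold:
            low.append(risk)
        else:
            material.append(risk)
    material.sort(key=lambda r: r.priced_exposure() or 0.0, reverse=True)
    return material, low


# Constructed sample register. The password-sharing risk cannot be priced as
# stated, so it is decomposed until a component can be.
PASSWORD_SHARING = Risk(
    "Employees share passwords",
    children=[
        Risk("Manager shares password with an administrator, who can then cut a "
             "check or send a wire without the manager's approval",
             loss_estimate=250_000.0),
        Risk("Developers share a test-environment password"),  # still unpriced
    ],
)

SAMPLE_REGISTER = [
    PASSWORD_SHARING,
    Risk("Regulatory fine for a late breach notification", loss_estimate=40_000.0),
    Risk("Visitor badges use an outdated logo"),  # nobody can price this one
    Risk("Fraudulent vendor invoice paid because of a weak approval workflow",
         loss_estimate=120_000.0),
]

MATERIALITY_THRESHOLD = 100_000.0  # assumed "acceptable level" for the sample


def run_sample() -> Tuple[List[str], List[str]]:
    """Triage the sample register and return the two heaps as lists of names."""
    material, low = triage(SAMPLE_REGISTER, MATERIALITY_THRESHOLD)
    return [r.name for r in material], [r.name for r in low]


if __name__ == "__main__":
    material_names, low_names = run_sample()
    print("Address now:", *material_names, sep="\n  ")
    print("Low heap:", *low_names, sep="\n  ")
```

The interesting behaviour is in `priced_exposure`: the top-level "Employees share passwords" entry carries no figure, yet it ends up at the top of the material list because one of its decomposed components (the unsupervised check or wire) could be priced. A risk that stays unpriced all the way down, like the badge logo, lands in the low heap without further argument, which is exactly the outcome rule 2 asks for.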

©2009 ISRMC, LLC