CASES.LU

Why manage risks?

Impact: negative consequence arising from a threat exploiting a vulnerability of an asset.

Asset: any element representing value for an organisation/company.

Generally speaking, security aims to reduce both the number and the scope of these impacts:

  • financial
  • legal
  • on reputation
  • on time (lost)
  • on expertise
  • on health

Most impacts, except for financial impacts, cannot be covered by any form of insurance. They therefore need to be prevented from arising in the first place or, failing that, their consequences mitigated by reducing the vulnerabilities of the various assets. This reduction of vulnerabilities is often difficult to achieve and may incur substantial costs, especially if you have to create redundancies. Acting on the threats themselves, however, is not possible, as they are beyond the control of the organisation.

As it is not possible, or at least not immediately possible, to address all vulnerabilities, it is preferable to address vulnerabilities whose exploitation could lead to significant or even critical impacts. We need to introduce the concept of priorities and a “road map”.

Standard ISO/IEC 27005 (risk management) puts forward a methodological strategy aimed at identifying existing risks, quantifying them, assessing them and ultimately proposing a way to deal with them. The standard proposes four types of treatment:

  • reduction, by implementing the measures identified in ISO/IEC 27002,
  • transfer of the risk to a specialist (sub-contracting),
  • acceptance of the risk,
  • rejection, which obviously involves stopping the activity in question.

Using this method, it is possible to identify the various risks faced by an organisation. For each business and information process, the supporting assets necessary for its operation are analysed from a threat, vulnerability and impact standpoint. For each asset, the various existing threats and vulnerabilities are listed. Realistic threat-vulnerability pairings, also known as “attack scenarios”, are retained, and the risk is then calculated based on the importance of the asset (its importance for the primary process with respect to the value of the asset).

The risk assessment is a calculation based on:

  • the probability of the threat,
  • the ease of exploiting the vulnerability (taking into account existing security measures),
  • the scope of the impact (risk estimate).

When evaluating risk, the various risks are then ranked by their significance.

Finally, a treatment is proposed for each risk that the evaluation finds to be at an unacceptable level.
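As an added worked example (not code from the CASES.LU article), the estimate and treatment selection described above in Python; the 1-to-4 scales, the product formula, the acceptability thresholds, the set of transferable assets and the sample scenarios are all assumptions made here for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One realistic threat-vulnerability pairing (an "attack scenario") for an asset."""
    asset: str
    threat: str
    vulnerability: str
    threat_probability: int    # assumed scale: 1 (rare) .. 4 (frequent)
    ease_of_exploitation: int  # 1 (hard, existing controls help) .. 4 (trivial)
    impact: int                # 1 (minor) .. 4 (critical), weighted by asset value

    def risk(self) -> int:
        # Assumed estimate: the product of the three factors listed in the article.
        return self.threat_probability * self.ease_of_exploitation * self.impact


def rank(scenarios):
    """Risk evaluation: sort the scenarios by significance, highest risk first."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def propose_treatment(s, acceptable=8, reject_above=48, transferable=()):
    """Map a scenario to one of the four ISO/IEC 27005 treatment types.

    The thresholds and the 'transferable' set are assumed policy inputs;
    the real choice is a business decision, this only proposes a default."""
    r = s.risk()
    if r <= acceptable:
        return "accept"
    if r > reject_above and s.impact == 4:
        return "reject"          # stop the activity: impact too severe to carry
    if s.asset in transferable:
        return "transfer"        # sub-contract to a specialist
    return "reduce"              # apply ISO/IEC 27002 measures


def treatment_plan(scenarios, **policy):
    """The road map: ranked scenarios with their risk score and proposed treatment."""
    return [(s.asset, s.threat, s.risk(), propose_treatment(s, **policy))
            for s in rank(scenarios)]


# Constructed sample scenarios (not from the article).
SCENARIOS = [
    Scenario("server room", "water leak from floor above", "no water detection, servers on floor", 3, 4, 4),
    Scenario("server room", "fire", "extinguishers and smoke detection in place", 1, 1, 4),
    Scenario("payroll system", "ransomware via email", "no offline backups", 3, 3, 4),
    Scenario("public website", "defacement", "unpatched CMS plugin", 3, 3, 1),
    Scenario("office printer", "paper jam", "old hardware", 4, 4, 1),
    Scenario("legacy FTP upload", "credential theft", "plaintext credentials", 4, 4, 4),
]
```

Running `treatment_plan(SCENARIOS, transferable=("payroll system",))` puts the water scenario far above fire, illustrating the closing question of the article.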

This strategy may seem arduous, but it is the only way to prioritise investments safely. The effectiveness of these strategies lies in the fact that they are tailored to the most “promising” attack scenarios.

Why invest millions in fire protection when the main threat comes from water?