Most risk equations include the standard approach of probability and impact. Nowadays, with the changing threat landscape, a new approach to the risk equation should be looked at. In this article Adesh Rampat explains why adding resilience and incident response to the risk equation provides a more useful and measurable metric.
Standard risk equations use probability and impact to calculate the extent of a particular risk, often displaying the result in a risk matrix. However, such an approach neglects two important aspects from an organizational perspective: resilience and incident response. To rectify this I propose a new approach, as follows:
Risk = Impact x Resilience/Incident Response
This equation allows for risk to be easily understood especially when it comes to the level of incident response required to address an event. It also assists in the assessment process as to the critical areas to focus on in today’s constantly changing threat landscape.
When an organization is hit by a cyber attack, for example, the probable questions that are asked include:
- What is the impact?
- What systems within the network has the attack penetrated?
- Is our current incident response plan effective?
Resilience and incident response have been specifically brought into this equation primarily because organizations must have resiliency and incident response built into the security framework: these are not nice-to-haves, they are must-haves.
Let’s analyze what this equation is about:
Impact: this is the effect on the organization due to the occurrence of a risk.
Resilience: organizational resilience against threats. This must take into consideration the following:
- Ability to deal with the effects of a natural disaster – this will include the relocation of systems and staff required to have the organization functioning within a reasonable period of time.
- Ability to withstand the effect of technology related threats such as distributed denial of service attacks (DDOS). Resiliency in this area would range from employing sufficient bandwidth to ‘cushion’ such an attack to recognizing a threat through the use of monitoring systems.
- Conducting periodic penetration tests (both on the external perimeter and internal network) to understand where vulnerability exists and implementing the necessary fixes.
- Employing user awareness programs to combat, for example, ransomware and other social engineering threats.
Measuring resilience can be broad ranging; however, the organization needs to determine what is important to ensure a risk-based approach that is focused on protecting all its ‘crown jewels’. Through its security operations center (SOC), an organization can determine how to assess and respond to threats as they emerge because of its continuous monitoring processes, thereby building its resiliency and, more so, a strong security posture.
Incident response: the time it takes for an organization to respond to an attack in the event that its systems have been penetrated or have been hit by a natural disaster. An organization must have a sound incident management plan which it can use to be able to recover within the shortest possible time.
For measuring each of the variables in the equation (impact, resilience and incident response) a scale of 1 to 10 can be used:
Let’s look at two hypothetical examples as to how this equation can be applied:
The organization is reviewing its ability to withstand a DDOS attack. The questions that can be asked are: What is the impact of this attack on the organization if systems deemed critical are affected? Can the organization’s IT infrastructure withstand such an attack (resiliency)? In the event that the organization’s systems have been penetrated, how sound is the incident response?
Applying the risk equation:
Impact: High (6-8)
Resilience: Medium (3-5) the organization has determined that its perimeter defense is adequate; however, it may need to make some improvements.
Incident response: Medium (3-5) the organization already has an incident response plan; however, it has determined that this plan requires some modification to ensure that its business continuity mechanisms are adequate.
Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 3 / 3 = 6
Therefore, the organization’s overall risk to a DDOS attack considering the three variables is rated as HIGH.
In the following example an organization is looking at its internal controls to determine effectiveness against fraud. The questions that can be asked are: What is the impact to the organization of an employee committing fraud? Are the organization’s IT internal controls and procedures sound enough to prevent fraud? In the event that the organization’s systems and procedures have been compromised, how sound is the organization’s incident response?
Applying the risk equation:
Impact: High (6-8)
Resilience: High (6-8) the organization has completed a risk assessment on its systems and procedures and determined that it has a number of recommendations to implement.
Incident response: High (6-8) the organization’s incident response plan does not cover incidents relating to fraud and requires major modification to ensure that its business continuity mechanisms are adequate enough to deal with this incident.
Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 6 / 6 = 6
The organization’s overall risk in dealing with a fraud related incident considering the three variables is rated as HIGH.
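The two calculations above, reproduced as an added example that is not part of the original article. It also evaluates the formula at the other ends of each band, to show how far the result moves with the score chosen inside a band. The band boundaries are the ones printed in the examples; the function names are illustrative.

```python
# Bands exactly as printed in the article's two examples. The full 1-10
# scale table is not reproduced on the page, so any score outside these
# two bands is reported as "unlabelled" rather than guessed.
BANDS = {"Medium": (3, 5), "High": (6, 8)}


def risk(impact, resilience, incident_response):
    """Risk = Impact x Resilience / Incident Response, as written in the article."""
    if incident_response <= 0:
        raise ValueError("incident response score must be positive")
    return impact * resilience / incident_response


def label(score):
    """Map a score back to a band name from the article, if it falls in one."""
    for name, (low, high) in BANDS.items():
        if low <= score <= high:
            return name
    return "unlabelled"


def risk_range(impact_band, resilience_band, response_band):
    """Return (low_end, minimum, maximum) for three band ratings.

    low_end  -- the article's method: lowest score of every band
    minimum  -- smallest result any scores inside the bands can give
    maximum  -- largest result any scores inside the bands can give
    """
    (i_lo, i_hi), (r_lo, r_hi), (p_lo, p_hi) = (
        BANDS[band] for band in (impact_band, resilience_band, response_band)
    )
    low_end = risk(i_lo, r_lo, p_lo)
    minimum = risk(i_lo, r_lo, p_hi)  # largest divisor, smallest product
    maximum = risk(i_hi, r_hi, p_lo)  # smallest divisor, largest product
    return low_end, minimum, maximum


if __name__ == "__main__":
    scenarios = {
        "DDOS": ("High", "Medium", "Medium"),
        "Fraud": ("High", "High", "High"),
    }
    for name, bands in scenarios.items():
        low_end, minimum, maximum = risk_range(*bands)
        print(f"{name}: low-end {low_end:.1f} ({label(low_end)}), "
              f"range {minimum:.1f} to {maximum:.1f}")
```

For the same band ratings the result can land above the 1 to 10 scale, so recording the exact scores used alongside the band names keeps assessments comparable.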
With this new approach to calculating risk, organizations can have a much clearer view as to the risks faced when their resilience and incident response are being tested.
Adesh Rampat currently works for a financial institution and has 28 years of experience in the IT industry including 10 years in operational risk management. He can be reached at email@example.com
Continuity Central comment
The first question that readers may raise is why remove probability from the risk equation: but from a business continuity perspective this does not seem to raise too many issues. Business continuity deals with business impacts (loss of facilities, people, processes, suppliers etc) rather than specific risks. For example: a bomb attack, chemical spillage, gate failure, police incident or a plane falling from the sky are all individual risks that can engender the business impact of denial of access to a key building. The probability of any individual risk is not important for business impact analysis.
Adding resilience and incident response to the equation provides a useful metric which can help business continuity managers to measure the effects that business continuity strategies have had and to highlight where additional action is needed. The metrics will be more accurate if they are verified through the use of exercises and tests.