March 28, 2017 By Koen Van Impe 5 min read


Most modern IT security departments use risk management to find a balance between realizing opportunities and minimizing potential losses. Risk management is more than just a technology; it is the process of identifying, quantifying and prioritizing the risks organizations face.

A risk doesn’t need to be a nightmare or a showstopper for innovation — it is something that can be managed.

A Common Formula for Risk

A common formula used to describe risk is: Risk = Threat x Vulnerability x Consequence. This should not be taken literally as a mathematical formula, but rather a model to demonstrate a concept.

For a complete mathematical formula, there should be some common, neutral units of measurement for defining a threat, vulnerability or consequence. Unfortunately, that doesn’t exist today. There are some common units, such as CVSS to describe a vulnerability, for parts of the formula, but these are dependent upon the environment or subjective to those that use the formula.

On the other hand, if you are able to remove one part of the formula, such as the threat or vulnerability part, and then replace it with near zero, the resulting value of risk also gets reduced to virtually nothing.

Measuring Risk Likelihood

The first part of the formula for risk, Threat x Vulnerability, can also be looked at as probability. This likelihood is a rough measure that describes the chances a given vulnerability will be discovered and used by a threat actor.

While you can limit some factors, the threat actor is, in most cases, out of your control. The rating of the threat actor depends on a number of values, including:

  • The skill level of the attacker;
  • The motive of the actor;
  • The opportunity — whether the attacker possesses the required knowledge and access; and
  • The capabilities of the opponent you’re facing, including his or her financial resources.

There are different methods through which an attacker can discover a vulnerability, such as reconnaissance, scanning and information disclosure. The likelihood of a vulnerability being discovered and exploited is described by the following:

  • The ease of discovery — is there a service or application banner that indicates that the application is vulnerable?
  • The ease of exploitation — can it be done with automated, easy-to-use scripting tools or does it require a series of events that are difficult to achieve?
  • Awareness — is it a known vulnerability?
  • Detection — is it easy to identify the attempts to exploit the vulnerability, and is it likely that the organization takes countermeasures to block these attempts?

When evaluating vulnerabilities, you should not limit yourself to system vulnerabilities. Be sure to consider the human factor — running an environment with no system vulnerabilities but with a user base that can run email attachments without restriction should also count as a vulnerability.

Assessing the Impact of a Vulnerability

The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor. It is defined by two main factors:

  • The technical impact, described by the confidentiality, integrity, availability and accountability of data; and
  • The business impact, described by the business impact analysis, which accounts for financial damage, noncompliance as a result of a breach and legal or privacy implications.

The combination of the likelihood and the impact describes the severity of the risk.

You can limit the consequences and thus the severity of an intrusion by imposing security policies, processes and procedures. This will not prevent a breach, but it can greatly limit the impact of any intrusion that takes place.

Prepare, Log, Monitor, Detect and Respond

Now that you can quantify what you’re up against, how do you integrate countermeasures into your security environment so you can better deal with these risks? You can follow these four steps as a basic road map:

  • Be prepared.
    • Make sure your staff is well-trained.
    • Conduct regular exercises.
    • Raise awareness to increase the knowledge level of your staff and constituency.
    • Create boundaries between important business segments.
  • Log and monitor the important events from all your resources.
    • Know what assets are on your network.
    • Define the different log sources.
    • Centralize the logs, making sure they are in a uniform format and reliable.
    • Correlate events.
  • Detect the anomalies and the potential security incidents.
    • Differentiate between normal and abnormal behavior.
    • Apply threat information.
    • Work together with your operations team to understand what is going on.
  • Respond to these incidents.
    • Mitigate, eradicate and recover from incidents.
    • Apply the lessons learned to improve your security posture.

Threat Management

One part of the formula is the threat actor. We already described that this part is out of your control, but you should still be aware of what types of threats you face. By making use of different threat intelligence sources, you can acquire knowledge about the tools, techniques and methods used by threat actors. You can also learn about threats against players in your industry and tune your defense mechanisms accordingly.

There are many good sources of threat intelligence available, but don’t just rely on a single vendor. Threat intelligence data is more valuable when it’s enriched by the shared experience, sightings and research of a large community.

Sharing is important, so make sure your security staff gets involved with different sharing groups and knows how to interact with their national computer security incident response team (CSIRT) and security researchers.

Patch and Vulnerability Management

If you remove the vulnerability from the equation, it becomes more difficult for an attacker to get a foothold in your organization. Lowering the chances of a vulnerability going unnoticed minimizes the risk.

How do you achieve this? There are different approaches, but it basically consists of having up-to-date asset information, conducting patch and vulnerability management, and establishing policies and processes to deal with them. Understand that this is not a one-shot operation but something that must be integrated as a continuous process in your IT management.

Incident Response Plans

If, despite all the necessary protection measures, attackers are still able to gain access to your environment, you should start your incident response plan. Make sure you have set up capabilities to detect the intrusion and log sources to conduct the investigation. Detection is more that just looking at abnormal events. Combine the different events together and hunt for anomalies with human and threat intelligence.

Your incident response plan will help you to contain the incident, eradicate the actions of the attacker and recover. It is important to take stock of lessons learned after every incident to limit the chances of a repeat offense.

Striking a Balance With Risk Management

The terms threat, vulnerability and risk are often misunderstood. While they all represent very different aspects of risk, they relate to each other in nuanced ways and help security analysts strike the right balance between seizing opportunities and keeping critical systems and data safe.

More from Risk Management

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

The evolution of ransomware: Lessons for the future

5 min read - Ransomware has been part of the cyber crime ecosystem since the late 1980s and remains a major threat in the cyber landscape today. Evolving ransomware attacks are becoming increasingly more sophisticated as threat actors leverage vulnerabilities, social engineering and insider threats. While the future of ransomware is full of unknown threats, we can look to the past and recent trends to predict the future. 2005 to 2020: A rapidly changing landscape While the first ransomware incident was observed in 1989,…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today