Most modern IT security departments use risk management to find a balance between realizing opportunities and minimizing potential losses. Risk management is more than just a technology; it is the process of identifying, quantifying and prioritizing the risks organizations face.

A risk doesn’t need to be a nightmare or a showstopper for innovation — it is something that can be managed.

A Common Formula for Risk

A common formula used to describe risk is: Risk = Threat x Vulnerability x Consequence. This should not be taken literally as a mathematical formula, but rather a model to demonstrate a concept.

For a complete mathematical formula there would have to be common, neutral units for measuring a threat, a vulnerability and a consequence, and those do not exist today. There are common scales for parts of the formula, such as CVSS for scoring the severity of a vulnerability, but a CVSS base score says nothing about your particular environment (that is what its environmental metrics are for), and the remaining factors are assigned by people, so the numbers are not comparable across organizations.

On the other hand, because the factors multiply, driving any one of them to near zero, for example by removing the vulnerability or the threat, drives the resulting risk down to virtually nothing as well.

Measuring Risk Likelihood

The first part of the formula for risk, Threat x Vulnerability, can also be looked at as probability. This likelihood is a rough measure that describes the chances a given vulnerability will be discovered and used by a threat actor.

While you can limit some factors, the threat actor is, in most cases, out of your control. The rating of the threat actor depends on a number of values, including:

  • The skill level of the attacker;
  • The motive of the actor;
  • The opportunity — whether the attacker possesses the required knowledge and access; and
  • The capabilities of the opponent you’re facing, including his or her financial resources.

There are different methods through which an attacker can discover a vulnerability, such as reconnaissance, scanning and information disclosure. The likelihood of a vulnerability being discovered and exploited is described by the following:

  • The ease of discovery — is there a service or application banner that indicates that the application is vulnerable?
  • The ease of exploitation — can it be done with automated, easy-to-use scripting tools or does it require a series of events that are difficult to achieve?
  • Awareness — is it a known vulnerability?
  • Detection — is it easy to identify the attempts to exploit the vulnerability, and is it likely that the organization takes countermeasures to block these attempts?

When evaluating vulnerabilities, you should not limit yourself to system vulnerabilities. Be sure to consider the human factor — running an environment with no system vulnerabilities but with a user base that can run email attachments without restriction should also count as a vulnerability.

Assessing the Impact of a Vulnerability

The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor. It is defined by two main factors:

  • The technical impact, described by the loss of confidentiality, integrity, availability and accountability of the affected data and systems; and
  • The business impact, described by the business impact analysis, which accounts for financial damage, noncompliance as a result of a breach and legal or privacy implications.

The combination of the likelihood and the impact describes the severity of the risk.
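The factors above (threat actor, ease of discovery and exploitation, technical and business impact) can be put into a small rating model that behaves the way the formula section describes. The following is an added example and not tooling from the article: it assumes an ordinal 0..9 scale for every factor (borrowed from the OWASP Risk Rating Methodology), takes each of the three terms as the normalized mean of its factors, multiplies them, and uses illustrative severity cut-offs. The scenario values are constructed.

```python
"""Worked risk rating for the model Risk = Threat x Vulnerability x Consequence.

Added example, not from the article.  Assumptions: each factor is rated on an
ordinal 0..9 scale (as in the OWASP Risk Rating Methodology), each of the
three terms is the mean of its factors normalised to 0..1, and the severity
bands are illustrative cut-offs rather than a standard.
"""
from dataclasses import dataclass, astuple
from statistics import mean

SCALE_MAX = 9  # assumed ordinal ceiling for every factor


@dataclass(frozen=True)
class Threat:
    """Threat-actor factors from the article (mostly outside your control)."""
    skill_level: int   # 1 = no technical skill .. 9 = security-skilled attacker
    motive: int        # 1 = little or no reward .. 9 = high reward
    opportunity: int   # 1 = needs privileged knowledge/access .. 9 = needs none
    capability: int    # 1 = lone opportunist .. 9 = well-funded group


@dataclass(frozen=True)
class Vulnerability:
    """Discovery-and-exploitation factors from the article."""
    ease_of_discovery: int  # 1 = practically impossible .. 9 = banner gives it away
    ease_of_exploit: int    # 1 = theoretical .. 9 = automated tool available
    awareness: int          # 1 = unknown .. 9 = public knowledge
    detection: int          # 1 = attempts detected and blocked .. 9 = not even logged


@dataclass(frozen=True)
class Consequence:
    """Technical impact (C, I, A, accountability) and business impact."""
    confidentiality: int
    integrity: int
    availability: int
    accountability: int
    financial: int
    noncompliance: int
    legal_privacy: int


def _normalised_mean(values):
    if any(not 0 <= v <= SCALE_MAX for v in values):
        raise ValueError(f"factors must lie in 0..{SCALE_MAX}: {values}")
    return mean(values) / SCALE_MAX


def consequence_score(c: Consequence) -> float:
    # Assumption: the worse of the technical and the business view drives impact.
    technical = (c.confidentiality, c.integrity, c.availability, c.accountability)
    business = (c.financial, c.noncompliance, c.legal_privacy)
    return max(_normalised_mean(technical), _normalised_mean(business))


def band(risk: float) -> str:
    """Illustrative severity cut-offs (assumption; tune to your risk appetite)."""
    if risk < 0.05:
        return "Low"
    if risk < 0.20:
        return "Medium"
    if risk < 0.50:
        return "High"
    return "Critical"


def rate(t: Threat, v: Vulnerability, c: Consequence) -> dict:
    """Multiply the three terms; likelihood is threat x vulnerability."""
    threat = _normalised_mean(astuple(t))
    vuln = _normalised_mean(astuple(v))
    cons = consequence_score(c)
    risk = threat * vuln * cons
    return {"threat": threat, "vulnerability": vuln, "likelihood": threat * vuln,
            "consequence": cons, "risk": risk, "band": band(risk)}


# Constructed scenario: internet-facing service, public exploit, weak logging.
ACTOR = Threat(skill_level=6, motive=9, opportunity=9, capability=7)
EXPOSED = Vulnerability(ease_of_discovery=9, ease_of_exploit=9, awareness=9, detection=8)
IMPACT = Consequence(confidentiality=7, integrity=7, availability=9, accountability=7,
                     financial=9, noncompliance=7, legal_privacy=5)

# Same service with compensating controls only: exploitation is harder and
# attempts are detected and blocked, but the flaw is still there.
MITIGATED = Vulnerability(ease_of_discovery=9, ease_of_exploit=3, awareness=9, detection=2)
# Same service after the patch: the vulnerability term is gone entirely.
PATCHED = Vulnerability(0, 0, 0, 0)

if __name__ == "__main__":
    for label, v in (("exposed", EXPOSED), ("mitigated", MITIGATED), ("patched", PATCHED)):
        r = rate(ACTOR, v, IMPACT)
        print(f"{label:10s} likelihood={r['likelihood']:.2f} "
              f"consequence={r['consequence']:.2f} risk={r['risk']:.3f} {r['band']}")
```

Run as a script, the exposed case lands in the Critical band, the mitigated case drops to High because the likelihood term shrinks while the consequence is unchanged, and the patched case scores exactly zero: with a multiplicative model, removing one term removes the risk, which is the point the formula section makes. The threat-actor factors are deliberately left untouched across the three cases, since they are the part you do not control.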

You can limit the consequences and thus the severity of an intrusion by imposing security policies, processes and procedures. This will not prevent a breach, but it can greatly limit the impact of any intrusion that takes place.

Prepare, Log, Monitor, Detect and Respond

Now that you can quantify what you’re up against, how do you integrate countermeasures into your security environment so you can better deal with these risks? You can follow these four steps as a basic road map:

  • Be prepared.
    • Make sure your staff is well-trained.
    • Conduct regular exercises.
    • Raise awareness to increase the knowledge level of your staff and constituency.
    • Segment the network so that important business systems are separated from each other and from general user networks.
  • Log and monitor the important events from all your resources.
    • Know what assets are on your network.
    • Define the different log sources.
    • Centralize the logs, making sure they are in a uniform format, carry synchronized timestamps and are protected from tampering by the attacker you want to detect.
    • Correlate events.
  • Detect the anomalies and the potential security incidents.
    • Differentiate between normal and abnormal behavior.
    • Apply threat information.
    • Work together with your operations team to understand what is going on.
  • Respond to these incidents.
    • Mitigate, eradicate and recover from incidents.
    • Apply the lessons learned to improve your security posture.

Threat Management

One part of the formula is the threat actor. We already noted that this part is largely out of your control, but you should still know what types of threats you face. By making use of different threat intelligence sources, you can acquire knowledge about the tools, techniques and methods used by threat actors. You can also learn about threats against other players in your industry and tune your defense mechanisms accordingly.

There are many good sources of threat intelligence available, but don’t just rely on a single vendor. Threat intelligence data is more valuable when it’s enriched by the shared experience, sightings and research of a large community.

Sharing is important, so make sure your security staff gets involved with different sharing groups and knows how to interact with their national computer security incident response team (CSIRT) and security researchers.

Patch and Vulnerability Management

If you remove the vulnerability from the equation, it becomes much harder for an attacker to get a foothold in your organization. Lowering the chance that a vulnerability goes unnoticed and unpatched reduces the risk.

How do you achieve this? There are different approaches, but it basically consists of having up-to-date asset information, conducting patch and vulnerability management, and establishing policies and processes for handling the findings. Understand that this is not a one-shot operation but something that must be integrated as a continuous process in your IT management.
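The two halves of that process, knowing what assets you have and knowing which of them carry unpatched vulnerabilities, only pay off when they are joined. The following added example (not code from the article) does that join: it compares installed package versions against the fixed version reported by a scan, ranks the vulnerable findings by CVSS weighted for exposure and business criticality, and separately reports hosts that show up in the scan but not in the inventory. The inventory, scan rows, CVSS scores and weights are all constructed.

```python
"""Join an asset inventory with vulnerability-scan output to drive patching.

Added example, not from the article.  All data below is constructed; the
exposure and criticality weights are assumptions to be tuned locally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    owner: str
    internet_facing: bool
    criticality: str  # assumed three-level scale: "low" | "medium" | "high"


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    fixed_in: str
    cvss: float  # CVSS base score as reported by the scanner (constructed here)


INVENTORY = [
    Asset("web01", "platform", True, "high"),
    Asset("db01", "data", False, "high"),
    Asset("jump01", "it-ops", True, "medium"),
    Asset("kiosk07", "facilities", False, "low"),
]

SCAN = [
    Finding("web01", "openssl", "3.0.1", "3.0.2", 9.8),
    Finding("db01", "postgresql", "15.2", "15.3", 7.5),
    Finding("kiosk07", "libfoo", "1.2.0", "1.2.1", 9.1),
    Finding("jump01", "sudo", "1.9.15", "1.9.15", 7.8),   # already at fixed version
    Finding("lab-vm3", "openssl", "3.0.1", "3.0.2", 9.8),  # host unknown to inventory
    Finding("web01", "bash", "5.1.0", "5.1.1", 4.0),
]

CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}  # assumption
EXPOSURE_WEIGHT = {True: 2.0, False: 1.0}                      # assumption


def version_tuple(version: str) -> tuple:
    """Plain dotted-numeric comparison; distro strings need the package
    manager's own comparison (see note below)."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(f: Finding) -> bool:
    return version_tuple(f.installed) < version_tuple(f.fixed_in)


def prioritise(inventory, scan):
    """Return (ranked vulnerable findings, hosts missing from the inventory)."""
    by_host = {a.host: a for a in inventory}
    ranked, unknown = [], set()
    for f in scan:
        if not is_vulnerable(f):
            continue
        asset = by_host.get(f.host)
        if asset is None:
            unknown.add(f.host)  # "know what assets are on your network"
            continue
        score = (f.cvss * EXPOSURE_WEIGHT[asset.internet_facing]
                 * CRITICALITY_WEIGHT[asset.criticality])
        ranked.append({"score": score, "host": f.host, "package": f.package,
                       "fixed_in": f.fixed_in, "owner": asset.owner})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, sorted(unknown)


if __name__ == "__main__":
    ranked, unknown = prioritise(INVENTORY, SCAN)
    for r in ranked:
        print(f"{r['score']:5.1f} {r['host']:8s} {r['package']:11s} -> {r['fixed_in']} ({r['owner']})")
    print("not in inventory:", unknown)
```

The version comparison is the weak spot of any home-grown script: strings such as `1.2.0-r3` or `2:1.9.15-1ubuntu1` do not split into integers, so for real package data hand the comparison to the package manager (for example `dpkg --compare-versions` on Debian-based systems) rather than parsing it yourself. The unknown-host list is as important as the ranking: a scan finding on a machine nobody owns has no one to patch it.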

Incident Response Plans

If, despite all the necessary protection measures, attackers are still able to gain access to your environment, you should start your incident response plan. Make sure you have set up capabilities to detect the intrusion and the log sources needed to conduct the investigation. Detection is more than just looking at abnormal events: combine the different events together and hunt for anomalies with human analysis and threat intelligence.

Your incident response plan will help you to contain the incident, eradicate the attacker's access and actions, and recover. It is important to take stock of lessons learned after every incident to limit the chances of a repeat.
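Both the "log, monitor and detect" steps of the road map above and the detection paragraph in this section come down to the same thing: correlating events from a centralized, uniformly formatted log and enriching them with threat information. The following added example (not detection content from the article) does that over a handful of constructed OpenSSH-style syslog lines: a burst of failed logins from one source followed by a success is flagged as a likely brute force, while a single mistyped password from an internal host stays below the threshold, and any successful login from a source on a (constructed) indicator list is flagged regardless. The thresholds and the indicator list are assumptions.

```python
"""Correlating centralised authentication events to surface an intrusion.

Added example, not from the article.  The log lines mimic OpenSSH syslog
output and are constructed; the indicator set and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a centralised, uniformly formatted auth log.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
2024-03-04T09:00:03Z web01 sshd[1203]: Failed password for root from 203.0.113.9 port 51002 ssh2
2024-03-04T09:00:04Z web01 sshd[1204]: Failed password for root from 203.0.113.9 port 51003 ssh2
2024-03-04T09:00:06Z web01 sshd[1206]: Failed password for deploy from 203.0.113.9 port 51005 ssh2
2024-03-04T09:00:09Z web01 sshd[1208]: Accepted password for deploy from 203.0.113.9 port 51007 ssh2
2024-03-04T09:05:00Z db01 sshd[7001]: Accepted publickey for ops from 10.0.0.5 port 40000 ssh2
2024-03-04T09:06:11Z web02 sshd[3301]: Failed password for ops from 10.0.0.5 port 40100 ssh2
2024-03-04T09:06:15Z web02 sshd[3302]: Accepted password for ops from 10.0.0.5 port 40101 ssh2
2024-03-04T09:07:00Z web01 sshd[1300]: Accepted publickey for backup from 198.51.100.77 port 60000 ssh2
"""

# Constructed threat-intelligence feed: sources reported as malicious (assumption).
INDICATORS = {"198.51.100.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(text: str) -> list:
    """Turn raw lines into uniform event dicts; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count these: a silent parser is a blind spot
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, failures=3, window=timedelta(minutes=5)) -> list:
    """Correlate per source address.

    Rule 1: >= `failures` failed logins within `window` before a success from
            the same source (brute force that eventually worked).
    Rule 2: any successful login from a source on the indicator list.
    """
    findings = []
    failed_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] == "Failed":
            failed_by_src[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failed_by_src[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= failures:
            findings.append({"rule": "brute-force-then-success", "src": ev["src"],
                             "host": ev["host"], "user": ev["user"],
                             "failures": len(recent), "ts": ev["ts"]})
        if ev["src"] in INDICATORS:
            findings.append({"rule": "login-from-indicator", "src": ev["src"],
                             "host": ev["host"], "user": ev["user"],
                             "method": ev["method"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['ts'].isoformat()} {f['rule']:26s} {f['src']:14s} "
              f"{f['host']} user={f['user']}")
```

Neither rule fires on the internal host 10.0.0.5, which failed once and then logged in: that is the "differentiate between normal and abnormal behavior" step, and the threshold is where your knowledge of your own environment goes. The second rule is only as good as the feed behind it, which is the argument the threat management section makes for not relying on a single source.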

Striking a Balance With Risk Management

The terms threat, vulnerability and risk are often misunderstood. While they all represent very different aspects of risk, they relate to each other in nuanced ways and help security analysts strike the right balance between seizing opportunities and keeping critical systems and data safe.
