Most modern IT security departments use risk management to find a balance between realizing opportunities and minimizing potential losses. Risk management is more than just a technology; it is the process of identifying, quantifying and prioritizing the risks organizations face.

A risk doesn’t need to be a nightmare or a showstopper for innovation — it is something that can be managed.

A Common Formula for Risk

A common formula used to describe risk is: Risk = Threat x Vulnerability x Consequence. This should not be taken literally as a mathematical formula, but rather a model to demonstrate a concept.

For a complete mathematical formula, there should be some common, neutral units of measurement for defining a threat, vulnerability or consequence. Unfortunately, that doesn’t exist today. There are some common units, such as CVSS to describe a vulnerability, for parts of the formula, but these are dependent upon the environment or subjective to those that use the formula.

On the other hand, if you are able to remove one part of the formula, such as the threat or vulnerability part, and then replace it with near zero, the resulting value of risk also gets reduced to virtually nothing.

Measuring Risk Likelihood

The first part of the formula for risk, Threat x Vulnerability, can also be looked at as probability. This likelihood is a rough measure that describes the chances a given vulnerability will be discovered and used by a threat actor.

While you can limit some factors, the threat actor is, in most cases, out of your control. The rating of the threat actor depends on a number of values, including:

  • The skill level of the attacker;
  • The motive of the actor;
  • The opportunity — whether the attacker possesses the required knowledge and access; and
  • The capabilities of the opponent you’re facing, including his or her financial resources.

There are different methods through which an attacker can discover a vulnerability, such as reconnaissance, scanning and information disclosure. The likelihood of a vulnerability being discovered and exploited is described by the following:

  • The ease of discovery — is there a service or application banner that indicates that the application is vulnerable?
  • The ease of exploitation — can it be done with automated, easy-to-use scripting tools or does it require a series of events that are difficult to achieve?
  • Awareness — is it a known vulnerability?
  • Detection — is it easy to identify the attempts to exploit the vulnerability, and is it likely that the organization takes countermeasures to block these attempts?

When evaluating vulnerabilities, you should not limit yourself to system vulnerabilities. Be sure to consider the human factor — running an environment with no system vulnerabilities but with a user base that can run email attachments without restriction should also count as a vulnerability.

Assessing the Impact of a Vulnerability

The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor. It is defined by two main factors:

  • The technical impact, described by the confidentiality, integrity, availability and accountability of data; and
  • The business impact, described by the business impact analysis, which accounts for financial damage, noncompliance as a result of a breach and legal or privacy implications.

The combination of the likelihood and the impact describes the severity of the risk.
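A worked rating of the formula, as an added example that is not from the article: the factor names are taken from the lists above, while the 0-9 scale, the grouping rules, the severity thresholds and the scenario values are assumptions.

```python
"""Added worked example (not the article's own tool): rate a risk with the
article's factors. Every factor is rated 0-9, 9 being worst for the defender
(assumed scale; e.g. detection=9 means exploit attempts go unnoticed)."""
from math import sqrt
from statistics import mean

# Factor names follow the article's lists; grouping and scale are assumptions.
THREAT_FACTORS = ("skill_level", "motive", "opportunity", "capabilities")
VULN_FACTORS = ("ease_of_discovery", "ease_of_exploitation", "awareness", "detection")
TECH_FACTORS = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_FACTORS = ("financial_damage", "noncompliance", "legal_privacy")


def group_score(factors, ratings):
    """Average one group's ratings; reject missing or out-of-range values."""
    for name in factors:
        if not 0 <= ratings.get(name, -1) <= 9:
            raise ValueError(f"{name} must be rated 0-9")
    return mean(ratings[name] for name in factors)


def band(score):
    """Bucket a 0-9 score (thresholds assumed): LOW < 3 <= MEDIUM < 6 <= HIGH."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def rate_risk(threat, vuln, technical, business):
    """Risk = Threat x Vulnerability x Consequence, kept on the 0-9 scale.

    Likelihood is the geometric mean of the threat and vulnerability scores, so
    driving either group to zero (e.g. by patching) drives likelihood to zero,
    as the article describes. Impact takes the worse of the technical and
    business views. Risk = likelihood x impact, rescaled back to 0-9.
    """
    likelihood = sqrt(group_score(THREAT_FACTORS, threat) * group_score(VULN_FACTORS, vuln))
    impact = max(group_score(TECH_FACTORS, technical), group_score(BUSINESS_FACTORS, business))
    risk = likelihood * impact / 9
    return {"likelihood": round(likelihood, 2), "impact": round(impact, 2),
            "risk": round(risk, 2), "severity": band(risk)}


# Constructed scenario: a well-known, banner-advertised flaw exploitable with
# off-the-shelf tooling, moderately capable actors and weak monitoring.
THREAT = {"skill_level": 5, "motive": 6, "opportunity": 7, "capabilities": 4}
VULN = {"ease_of_discovery": 8, "ease_of_exploitation": 9, "awareness": 9, "detection": 6}
TECHNICAL = {"confidentiality": 7, "integrity": 5, "availability": 3, "accountability": 6}
BUSINESS = {"financial_damage": 6, "noncompliance": 7, "legal_privacy": 8}
PATCHED = {name: 0 for name in VULN_FACTORS}  # vulnerability removed from the equation

if __name__ == "__main__":
    print("before patch:", rate_risk(THREAT, VULN, TECHNICAL, BUSINESS))
    print("after patch: ", rate_risk(THREAT, PATCHED, TECHNICAL, BUSINESS))
```

Running the two scenarios side by side shows the point made earlier: zeroing the vulnerability group takes the risk to zero regardless of how capable the threat actor is or how severe the consequence would be.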

You can limit the consequences and thus the severity of an intrusion by imposing security policies, processes and procedures. This will not prevent a breach, but it can greatly limit the impact of any intrusion that takes place.

Prepare, Log, Monitor, Detect and Respond

Now that you can quantify what you’re up against, how do you integrate countermeasures into your security environment so you can better deal with these risks? You can follow these four steps as a basic road map:

  • Be prepared.
    • Make sure your staff is well-trained.
    • Conduct regular exercises.
    • Raise awareness to increase the knowledge level of your staff and constituency.
    • Create boundaries between important business segments.
  • Log and monitor the important events from all your resources.
    • Know what assets are on your network.
    • Define the different log sources.
    • Centralize the logs, making sure they are in a uniform format and reliable.
    • Correlate events.
  • Detect the anomalies and the potential security incidents.
    • Differentiate between normal and abnormal behavior.
    • Apply threat information.
    • Work together with your operations team to understand what is going on.
  • Respond to these incidents.
    • Mitigate, eradicate and recover from incidents.
    • Apply the lessons learned to improve your security posture.

Threat Management

One part of the formula is the threat actor. We already described that this part is out of your control, but you should still be aware of what types of threats you face. By making use of different threat intelligence sources, you can acquire knowledge about the tools, techniques and methods used by threat actors. You can also learn about threats against players in your industry and tune your defense mechanisms accordingly.

There are many good sources of threat intelligence available, but don’t just rely on a single vendor. Threat intelligence data is more valuable when it’s enriched by the shared experience, sightings and research of a large community.

Sharing is important, so make sure your security staff gets involved with different sharing groups and knows how to interact with their national computer security incident response team (CSIRT) and security researchers.

Patch and Vulnerability Management

If you remove the vulnerability from the equation, it becomes more difficult for an attacker to get a foothold in your organization. Lowering the chances of a vulnerability going unnoticed minimizes the risk.

How do you achieve this? There are different approaches, but it basically consists of having up-to-date asset information, conducting patch and vulnerability management, and establishing policies and processes to deal with them. Understand that this is not a one-shot operation but something that must be integrated as a continuous process in your IT management.

Incident Response Plans

If, despite all the necessary protection measures, attackers are still able to gain access to your environment, you should start your incident response plan. Make sure you have set up capabilities to detect the intrusion and log sources to conduct the investigation. Detection is more than just looking at abnormal events. Combine the different events together and hunt for anomalies with human and threat intelligence.

Your incident response plan will help you to contain the incident, eradicate the actions of the attacker and recover. It is important to take stock of lessons learned after every incident to limit the chances of a repeat offense.

Striking a Balance With Risk Management

The terms threat, vulnerability and risk are often misunderstood. While they all represent very different aspects of risk, they relate to each other in nuanced ways and help security analysts strike the right balance between seizing opportunities and keeping critical systems and data safe.
