Most modern IT security departments use risk management to find a balance between realizing opportunities and minimizing potential losses. Risk management is more than just a technology; it is the process of identifying, quantifying and prioritizing the risks organizations face.

A risk doesn’t need to be a nightmare or a showstopper for innovation — it is something that can be managed.

A Common Formula for Risk

A common formula used to describe risk is: Risk = Threat x Vulnerability x Consequence. This should not be taken literally as a mathematical formula, but rather a model to demonstrate a concept.

For a complete mathematical formula, there should be some common, neutral units of measurement for defining a threat, vulnerability or consequence. Unfortunately, that doesn’t exist today. There are some common units for parts of the formula, such as CVSS to describe a vulnerability, but these depend on the environment or are subjective to those who use them.

On the other hand, if you are able to remove one part of the formula, such as the threat or vulnerability part, and then replace it with near zero, the resulting value of risk also gets reduced to virtually nothing.

Measuring Risk Likelihood

The first part of the formula for risk, Threat x Vulnerability, can also be looked at as probability. This likelihood is a rough measure that describes the chances a given vulnerability will be discovered and used by a threat actor.

While you can limit some factors, the threat actor is, in most cases, out of your control. The rating of the threat actor depends on a number of values, including:

  • The skill level of the attacker;
  • The motive of the actor;
  • The opportunity — whether the attacker possesses the required knowledge and access; and
  • The capabilities of the opponent you’re facing, including his or her financial resources.

There are different methods through which an attacker can discover a vulnerability, such as reconnaissance, scanning and information disclosure. The likelihood of a vulnerability being discovered and exploited is described by the following:

  • The ease of discovery — is there a service or application banner that indicates that the application is vulnerable?
  • The ease of exploitation — can it be done with automated, easy-to-use scripting tools or does it require a series of events that are difficult to achieve?
  • Awareness — is it a known vulnerability?
  • Detection — is it easy to identify the attempts to exploit the vulnerability, and is it likely that the organization takes countermeasures to block these attempts?

When evaluating vulnerabilities, you should not limit yourself to system vulnerabilities. Be sure to consider the human factor — running an environment with no system vulnerabilities but with a user base that can run email attachments without restriction should also count as a vulnerability.

Assessing the Impact of a Vulnerability

The last part of the formula describes the consequences, or impact, of a successful attack by a threat actor. It is defined by two main factors:

  • The technical impact, described by the confidentiality, integrity, availability and accountability of data; and
  • The business impact, described by the business impact analysis, which accounts for financial damage, noncompliance as a result of a breach and legal or privacy implications.

The combination of the likelihood and the impact describes the severity of the risk.

You can limit the consequences and thus the severity of an intrusion by imposing security policies, processes and procedures. This will not prevent a breach, but it can greatly limit the impact of any intrusion that takes place.
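To make the model concrete, the following Python is an added example written for this page (it is not the author's own scoring method and the article fixes no units). It rates each factor named above on an assumed 0 to 9 scale, reads Threat x Vulnerability as a likelihood, combines it with the technical and business impact, and buckets the result into a severity. It also demonstrates the point made earlier: because the terms multiply, driving the vulnerability factors to zero (patching, or restricting the behaviour that made the weakness reachable) drives the risk score to zero even when the threat actor and the potential consequences are unchanged. The scenario values are constructed.

```python
from dataclasses import dataclass, astuple
from statistics import mean

# Every factor is rated 0 (negligible) to 9 (worst case). The scale and the
# averaging rules are assumptions for this example; the article fixes no units.


@dataclass(frozen=True)
class ThreatActor:
    skill: int
    motive: int
    opportunity: int   # knowledge and access the actor already has
    capability: int    # resources available, including financial ones


@dataclass(frozen=True)
class VulnerabilityFactors:
    ease_of_discovery: int
    ease_of_exploitation: int
    awareness: int     # how widely known the weakness is
    evasion: int       # how unlikely exploitation attempts are to be detected and blocked
    # A human weakness (e.g. users who can run any email attachment) is rated
    # with the same four factors; it counts as a vulnerability too.


@dataclass(frozen=True)
class Impact:
    confidentiality: int
    integrity: int
    availability: int
    accountability: int
    financial: int
    noncompliance: int
    legal_privacy: int


def _validated(factors):
    """Return the factor ratings as a tuple, rejecting anything outside 0..9."""
    values = astuple(factors)
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError(f"factor ratings must be 0..9, got {values}")
    return values


def likelihood(actor, vuln):
    """Threat x Vulnerability, read as a probability and kept on the 0..9 scale."""
    threat = mean(_validated(actor))
    exposure = mean(_validated(vuln))
    return threat * exposure / 9


def impact(imp):
    """Consequence: technical impact on the data, business impact on the organisation."""
    c, i, a, acc, fin, comp, legal = _validated(imp)
    technical = mean([c, i, a, acc])
    business = mean([fin, comp, legal])
    return mean([technical, business])


def risk_score(actor, vuln, imp):
    """Risk = Threat x Vulnerability x Consequence, kept on the 0..9 scale."""
    return likelihood(actor, vuln) * impact(imp) / 9


def bucket(score):
    """Map a 0..9 score to a coarse rating (thresholds are an assumption)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def severity(actor, vuln, imp):
    """Severity is the combination of likelihood and impact."""
    return bucket(risk_score(actor, vuln, imp))


# Constructed scenario: an internet-facing service with a well-known, easily
# scriptable weakness, faced by a capable and motivated actor.
ACTOR = ThreatActor(skill=8, motive=9, opportunity=8, capability=9)
EXPOSED = VulnerabilityFactors(ease_of_discovery=8, ease_of_exploitation=8,
                               awareness=9, evasion=7)
PATCHED = VulnerabilityFactors(0, 0, 0, 0)  # weakness removed from the equation
CONSEQUENCE = Impact(confidentiality=9, integrity=9, availability=7, accountability=7,
                     financial=8, noncompliance=9, legal_privacy=8)

if __name__ == "__main__":
    for label, vuln in (("exposed", EXPOSED), ("patched", PATCHED)):
        print(f"{label}: likelihood={likelihood(ACTOR, vuln):.2f} "
              f"impact={impact(CONSEQUENCE):.2f} "
              f"risk={risk_score(ACTOR, vuln, CONSEQUENCE):.2f} "
              f"severity={severity(ACTOR, vuln, CONSEQUENCE)}")
```

The impact term stays high in the patched case, which is exactly why the next sections treat consequence reduction (policies, segmentation, response) separately from vulnerability reduction: each shrinks a different factor of the product.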

Prepare, Log, Monitor, Detect and Respond

Now that you can quantify what you’re up against, how do you integrate countermeasures into your security environment so you can better deal with these risks? You can follow these four steps as a basic road map:

  • Be prepared.
    • Make sure your staff is well-trained.
    • Conduct regular exercises.
    • Raise awareness to increase the knowledge level of your staff and constituency.
    • Create boundaries between important business segments.
  • Log and monitor the important events from all your resources.
    • Know what assets are on your network.
    • Define the different log sources.
    • Centralize the logs, making sure they are in a uniform format and reliable.
    • Correlate events.
  • Detect the anomalies and the potential security incidents.
    • Differentiate between normal and abnormal behavior.
    • Apply threat information.
    • Work together with your operations team to understand what is going on.
  • Respond to these incidents.
    • Mitigate, eradicate and recover from incidents.
    • Apply the lessons learned to improve your security posture.
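The "log and monitor" and "detect" steps above, as an added Python example that is not part of the original article: two constructed log sources (an sshd-style text log and a JSON web-application log) are normalised into one uniform event shape, the events are correlated per source address, and two detections run over them: a run of failed logins followed by a success from the same address within a short window, and any event whose source address matches a threat-intelligence indicator. The log lines, the indicator address and the rule thresholds are all constructed for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines from two log sources; not real captures.
SYSLOG_LINES = [
    "2024-05-01T10:00:01Z host1 sshd[100]: Failed password for alice from 203.0.113.5 port 4001 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[100]: Failed password for alice from 203.0.113.5 port 4002 ssh2",
    "2024-05-01T10:00:05Z host1 sshd[100]: Failed password for alice from 203.0.113.5 port 4003 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[100]: Accepted password for alice from 203.0.113.5 port 4004 ssh2",
    "2024-05-01T10:05:00Z host1 sshd[101]: Accepted publickey for bob from 198.51.100.7 port 5000 ssh2",
]
WEBAPP_LINES = [
    '{"ts": "2024-05-01T10:02:00Z", "app": "portal", "user": "carol", "ip": "198.51.100.9", "event": "login", "ok": false}',
    '{"ts": "2024-05-01T10:02:10Z", "app": "portal", "user": "carol", "ip": "198.51.100.9", "event": "login", "ok": true}',
]

# Constructed threat-intelligence indicator (a documentation address, not a real IoC).
INDICATORS = frozenset({"198.51.100.7"})

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<ip>\S+) port"
)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_sshd(line):
    """Map one sshd auth line onto the uniform event shape, or None if unrecognised."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unknown line shape: do not guess at its meaning
    return {
        "ts": _parse_ts(m["ts"]), "source": "sshd", "host": m["host"],
        "user": m["user"], "src_ip": m["ip"],
        "outcome": "success" if m["result"] == "Accepted" else "failure",
    }


def normalize_webapp(line):
    """Map one JSON application record onto the same uniform event shape."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    return {
        "ts": _parse_ts(rec["ts"]), "source": rec["app"], "host": rec["app"],
        "user": rec["user"], "src_ip": rec["ip"],
        "outcome": "success" if rec["ok"] else "failure",
    }


def collect_events():
    """Centralise both sources into one time-ordered list of uniform events."""
    events = [e for e in map(normalize_sshd, SYSLOG_LINES) if e]
    events += [e for e in map(normalize_webapp, WEBAPP_LINES) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect(events, indicators=INDICATORS, threshold=3, window=timedelta(minutes=2)):
    """Correlate events per source address and return a list of alerts."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for e in events:
        # Apply threat information: any activity from a known indicator is raised.
        if e["src_ip"] in indicators:
            alerts.append({"rule": "indicator_match", "src_ip": e["src_ip"],
                           "user": e["user"], "ts": e["ts"]})
        recent = failures[e["src_ip"]]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()  # forget failures outside the correlation window
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            # Normal: a single typo then success. Abnormal: a burst of failures then success.
            alerts.append({"rule": "success_after_failures", "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(recent), "ts": e["ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(collect_events()):
        print(alert)
```

Carol's single failed attempt followed by a success stays below the threshold and produces nothing, which is the "differentiate between normal and abnormal behavior" step in practice; the thresholds and window that separate the two are the values an operations team tunes for its own environment.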

Threat Management

One part of the formula is the threat actor. We already described that this part is out of your control, but you should still be aware of what types of threats you face. By making use of different threat intelligence sources, you can acquire knowledge about the tools, techniques and methods used by threat actors. You can also learn about threats against players in your industry and tune your defense mechanisms accordingly.

There are many good sources of threat intelligence available, but don’t just rely on a single vendor. Threat intelligence data is more valuable when it’s enriched by the shared experience, sightings and research of a large community.

Sharing is important, so make sure your security staff gets involved with different sharing groups and knows how to interact with their national computer security incident response team (CSIRT) and security researchers.

Patch and Vulnerability Management

If you remove the vulnerability from the equation, it becomes more difficult for an attacker to get a foothold in your organization. Lowering the chances of a vulnerability going unnoticed minimizes the risk.

How do you achieve this? There are different approaches, but it basically consists of having up-to-date asset information, conducting patch and vulnerability management, and establishing policies and processes to deal with them. Understand that this is not a one-shot operation but something that must be integrated as a continuous process in your IT management.

Incident Response Plans

If, despite all the necessary protection measures, attackers are still able to gain access to your environment, you should start your incident response plan. Make sure you have set up capabilities to detect the intrusion and log sources to conduct the investigation. Detection is more than just looking at abnormal events. Combine the different events together and hunt for anomalies with human and threat intelligence.

Your incident response plan will help you to contain the incident, eradicate the actions of the attacker and recover. It is important to take stock of lessons learned after every incident to limit the chances of a repeat offense.

Striking a Balance With Risk Management

The terms threat, vulnerability and risk are often misunderstood. While they all represent very different aspects of risk, they relate to each other in nuanced ways and help security analysts strike the right balance between seizing opportunities and keeping critical systems and data safe.
