COMP.SEC.100, 3. Risk Management and Governance
3.3 Why is it important to assess and manage risks?
Risk assessment consists of three key parts:
- Identifying and, when possible, evaluating the hazard.
- Searching for and assessing exposures and vulnerabilities.
- Estimation of the magnitude of the risk by combining probability and severity.
In item 1, identification means defining possible bad events and their consequences, and hazard evaluation means estimating the relative severity of those consequences. Item 2 identifies the components (e.g., people, devices, databases) that are exposed to different threats and evaluates their vulnerabilities—i.e., the characteristics that an attack can target (e.g., susceptibility to fraud, hardware faults, software bugs). In item 3, the magnitude of a risk may be quantitative (e.g., probability‑based) or qualitative (e.g., scenario‑based) and it represents the expected impact of the realized risk.
Risk Identification
After discovering the https://haveibeenpwned.com/ website, Teija Teekkari has begun to reflect on her own password hygiene. She has used the same password for almost a decade across several services. The site showed that her email address and MD5-hashed password had leaked from a tennis forum, and after reading the article she understands that once an attacker cracks the MD5 hash (MD5 is an outdated but unfortunately still widely used hashing algorithm), they could gain access to nearly all services Teija uses.
Without an analytical, structured process, there is no basis for understanding which threats a complex system is exposed to, or for making a plan to address them. An easily forgotten part of risk assessment is the evaluation of concerns. This takes a broader system perspective and includes stakeholders' understanding of, for example, the dangers, the after-effects of risks, fears, the monitoring of risk management, and trust in the leaders who are responsible for risk management.
Based on the risk assessment, decisions are made concerning the identified risks. As a result, each risk is one of the following:
- Intolerable: the system component must be rejected or replaced (so that the risk is avoided), or if that is not possible, vulnerabilities must be reduced and exposure limited.
- Tolerable: the risk has been reduced to the lowest possible level by reasonable and appropriate means, and it becomes a residual risk. The range of measures includes risk reduction, sharing, and transfer. The methods used depend on how the company wants to handle risks.
- Acceptable: risk reduction is not necessary and operations can continue without intervention. The risk can also be used to explore opportunities (so-called upside risk), and in that case, too, the outcome may be risk acceptance rather than reduction ("taking risks" is the more common expression in everyday life).
Risk Assessment
Teija considers the most severe consequences of her leaked password. Fortunately, her banking credentials are behind the bank’s phone‑based authenticator, so the attacker would not have direct access. However, her email and social media accounts are vulnerable.
If the attacker gained access to Teija’s email, they could find, for example, her rental contract containing her personal identity number. With this, the attacker could apply for loans in Teija’s name. In addition, the attacker could arbitrarily change Teija’s passwords for any service registered with that email address.
Regarding her social media account, Teija considers identity theft the greatest risk, which would also expose her followers to attacks if the attacker were to, for example, send messages from her account.
Both risks cause at least significant inconvenience and, at worst, financial harm to Teija or her close ones. Therefore, she classifies the risks as intolerable.
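As an added example (not part of the course material), the three assessment steps and the intolerable/tolerable/acceptable decision applied to Teija's case in Python: the 1..5 probability and severity scales, the band thresholds, the `Control` and `Risk` classes, and the register entries are assumptions constructed for illustration, and the controls here reduce probability only.

```python
from dataclasses import dataclass, replace

# Added example, not from the course page. Step 1 = hazard, step 2 = exposure and
# vulnerability, step 3 = magnitude = probability x severity. Scales/bands are assumptions.
INTOLERABLE_AT = 12  # magnitude >= 12: reject/replace, or cut vulnerability and exposure
TOLERABLE_AT = 5     # 5..11: reduced as far as reasonable (residual risk); below 5: acceptable

@dataclass(frozen=True)
class Control:
    name: str
    probability_delta: int = 0  # steps removed from the 1..5 probability scale

@dataclass(frozen=True)
class Risk:
    asset: str          # step 2: exposed component
    hazard: str         # step 1: bad event and its consequence
    vulnerability: str  # step 2: characteristic an attack can target
    probability: int    # 1 = rare .. 5 = almost certain
    severity: int       # 1 = negligible .. 5 = catastrophic
    controls: tuple = ()
    def magnitude(self, residual: bool = False) -> int:
        """Step 3: combine probability and severity, inherent or after controls."""
        p = self.probability
        if residual:
            p -= sum(c.probability_delta for c in self.controls)
        return max(1, min(5, p)) * self.severity

def classify(magnitude: int) -> str:
    return ("intolerable" if magnitude >= INTOLERABLE_AT
            else "tolerable" if magnitude >= TOLERABLE_AT else "acceptable")

def assess(register) -> dict:
    """Decision per asset: (inherent class, residual class after existing controls)."""
    return {r.asset: (classify(r.magnitude()), classify(r.magnitude(residual=True)))
            for r in register}

def treat(register, control: Control) -> list:
    """Risk treatment: apply one reduction measure to every risk in the register."""
    return [replace(r, controls=r.controls + (control,)) for r in register]

# Constructed register for Teija: one password reused for a decade, MD5 hash leaked.
REUSED = "reused password, MD5 hash leaked from a tennis forum"
MFA = Control("bank's phone-based authenticator", probability_delta=3)
TEIJA = [
    Risk("online bank", "fraudulent transfers", REUSED, 4, 5, (MFA,)),
    Risk("email", "identity number in rental contract used to take loans", REUSED, 4, 5),
    Risk("social media", "identity theft; followers attacked from her account", REUSED, 4, 4),
]
UNIQUE_PASSWORDS = Control("unique password per service", probability_delta=3)
```

`assess(TEIJA)` reproduces the text's conclusion (bank tolerable thanks to the authenticator, email and social media intolerable), and `assess(treat(TEIJA, UNIQUE_PASSWORDS))` shows the residual classes once the reused password is replaced.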
The decision depends on many factors, such as uncertainty, the consequences of risk realization (consequences may be good or bad, minor or severe), willingness to take risks, and the organization’s risk tolerance.
Different types of risks require different kinds of risk management. Types of risks include:
- Regular risks are those whose probability and impact are fairly well known. Handling follows the normal managerial decision-making process. Statistics and relevant information are determined, desired outcomes and acceptable limits are defined, and risk mitigation measures are implemented and put into practice. Examples: automobile accidents, safety devices.
- For complex risks it may be necessary to consider broader information, e.g., cost-benefit analysis or cost-effectiveness assessment. For example, the effects of medical treatments or climate change are complex risks whose impact assessment is complicated by opinions that differ from the scientific consensus.
- Uncertain risks are difficult to predict. In this case, useful considerations may include the irreversibility, permanence, and extent of consequences. The precautionary principle should be followed together with the controlled development of systems, ensuring that harmful side effects can be managed and changes reversed if necessary. Tolerance for uncertainty is important here.
- Risks are ambiguous when multiple stakeholders, e.g., operational staff or society, interpret them differently (e.g., having different points of view, or lacking consensus on countermeasures). In such cases, risk management should investigate the reasons for differing opinions to reduce ambiguity and to allow the methods of risk treatment to be evaluated.
Thanks to well-managed risk management, it is possible to be more confident that the system operates to achieve its objectives. Then it is also likely that the system cannot be manipulated to produce undesired outcomes and that there are processes in place that minimize the impacts if something unwanted occurs.
Risk management produces information in a transparent, understandable, and easily interpretable manner for different audiences. This ensures stakeholders are aware of the risks, how they are managed, and who is responsible for it. Stakeholders may also form an opinion about the acceptable threshold of risk exposure. This is essential for successful risk management because if risks are not clearly communicated to decision‑makers, the impacts of unmanaged risk are easily overlooked, leaving the system exposed. Similarly, if the purpose of risk management is unclear to operational personnel and they lack understanding of their responsibilities, they may not participate in risk management, leaving the system vulnerable.
Risk Management
Teija has concluded that reusing the same passwords cannot continue. Her risk management measure is therefore to change her passwords. There is, however, a choice in how to do this. She recalls an illustrative comic about passphrases and wonders whether this would be an appropriate risk mitigation method. On the other hand, she has heard many recommend a password manager. Both options allow Teija to create strong passwords, so the comparison is mainly between cost and memory requirements. A password manager would require a paid subscription, but only one password would need to be remembered (the master password). Creating passphrases would be free, but she would need to remember at least a dozen different passwords.