Archive for July, 2009

The Who, Why and What of Risk Analysis

Tuesday, July 7th, 2009

I just finished teaching an Information Security Risk Management course, and the area the students seemed to struggle with the most is describing the Threat, Vulnerability, and resulting Risk. They often got these concepts confused, so I came up with the following simple way to remember the differences:

Threat - Who … will exploit the weakness?
Vulnerability - Why … is the resource exploitable?
Risk - What … could happen when the weakness is exploited?

Generally the Threat describes the source of the ‘attack’ (attack is in quotes because it will not always be an intentional or malicious threat). Essentially the Threat has the potential to harm the resource. I like to use the following high-level threat categories to keep things simple:

  • External Targeted Attack
  • External Mass Attack
  • Insider Abuse
  • Infrastructure Failure
  • Environmental

The Vulnerability should always describe a weakness. We should avoid describing the vulnerability as just the lack of a control. For example, a vulnerability for backup media with sensitive data might be described as “sensitive data is readable by anyone with physical access to the backup media in transit or in storage” as opposed to saying “backup media is not encrypted.” The latter assumes a solution, which we should try to avoid; rather, we need to describe the fundamental weakness. Notice also that I don’t describe the results of getting access to the backup media; that would be the Risk.

Similarly, just describing the vulnerability as “the server is connected directly to the Internet” would not be a sufficient vulnerability description. In some cases a direct connection may provide an adequate level of protection; it all depends on the context of the resource and its purpose.

Finally, the Risk describes the outcome of a successful exploit of the Vulnerability by the Threat. Sometimes this is called the ‘impact’ or ‘consequence’, and it is always tied to a particular Threat/Vulnerability pair. Continuing the previous example, an exploit of the easily readable backup media could lead to “an unauthorized disclosure of sensitive data for all customers, which would require a breach notification to regulators and affected clients.” Notice that this description helps us rate the Severity of the exploit by indicating the scope of the data that will be disclosed (sensitive, regulated customer data) and how much data (all client data). It also indicates that a notification to clients will be required, which affects reputation, costs money, and could expose the organization to civil legal action.
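To make the Who/Why/What framing concrete, here is a small risk-register model written for this post as an added example (it is not the author's code). It records each Threat, Vulnerability and Risk as the post defines them, flags a vulnerability description that reads like a missing control rather than a weakness, and rates Severity from the two scope indicators the post points at: how sensitive the data is and how much of it is in scope, plus whether breach notification is required. The five threat categories are the post's; the lint heuristic, the 0..3 sensitivity scale and the severity weights are assumptions made for this example.

```python
"""Risk register entry model for the Who/Why/What framing.

Added example, not from the original post. The category names are the
post's threat categories; the lint heuristic, the sensitivity scale and the
severity weights are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class ThreatCategory(Enum):
    """The post's five high-level threat categories (the 'Who')."""
    EXTERNAL_TARGETED = "External Targeted Attack"
    EXTERNAL_MASS = "External Mass Attack"
    INSIDER_ABUSE = "Insider Abuse"
    INFRASTRUCTURE_FAILURE = "Infrastructure Failure"
    ENVIRONMENTAL = "Environmental"


# Phrases that usually mean the writer named a missing control instead of a
# weakness (e.g. "backup media is not encrypted"). Assumed heuristic, not
# exhaustive; it exists to prompt a rewrite, not to block one.
_MISSING_CONTROL = re.compile(
    r"\b(is not|are not|no|lack of|lacks|missing|without)\b.{0,20}?"
    r"(encrypt|firewall|patch|antivirus|logging|monitor|mfa|control)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Threat:
    category: ThreatCategory
    description: str          # who (or what) could exploit the weakness


@dataclass(frozen=True)
class Vulnerability:
    description: str          # why the resource is exploitable


@dataclass(frozen=True)
class Risk:
    """The 'What': the outcome, always tied to one Threat/Vulnerability pair."""
    threat: Threat
    vulnerability: Vulnerability
    outcome: str
    data_sensitivity: int     # 0 public .. 3 regulated (assumed scale)
    fraction_affected: float  # share of records/customers in scope, 0..1
    notification_required: bool


def lint_vulnerability(v: Vulnerability) -> list[str]:
    """Return warnings if the description names a missing control."""
    warnings = []
    if _MISSING_CONTROL.search(v.description):
        warnings.append(
            "describes a missing control rather than the underlying weakness")
    return warnings


def severity(r: Risk) -> int:
    """Rate Severity 1..5 from scope (sensitivity), amount (fraction) and
    whether breach notification is required. Weights are assumptions."""
    if not 0 <= r.data_sensitivity <= 3 or not 0.0 <= r.fraction_affected <= 1.0:
        raise ValueError("sensitivity must be 0..3 and fraction 0..1")
    score = r.data_sensitivity * r.fraction_affected   # 0.0 .. 3.0
    score += 1.0 if r.notification_required else 0.0    # 0.0 .. 4.0
    return max(1, min(5, round(score) + 1))             # 1 .. 5


def who_why_what(r: Risk) -> dict[str, str]:
    """Render the entry in the post's mnemonic form for a register table."""
    return {
        "Who": f"{r.threat.category.value}: {r.threat.description}",
        "Why": r.vulnerability.description,
        "What": r.outcome,
        "Severity": str(severity(r)),
    }


# The post's backup-media example, rebuilt as a register entry.
EXAMPLE_RISK = Risk(
    threat=Threat(ThreatCategory.EXTERNAL_TARGETED,
                  "anyone with physical access to media in transit or storage"),
    vulnerability=Vulnerability(
        "sensitive data is readable by anyone with physical access to the "
        "backup media in transit or in storage"),
    outcome=("unauthorized disclosure of sensitive data for all customers, "
             "requiring breach notification to regulators and affected clients"),
    data_sensitivity=3,        # regulated customer data
    fraction_affected=1.0,     # all customers
    notification_required=True,
)

if __name__ == "__main__":
    for k, v in who_why_what(EXAMPLE_RISK).items():
        print(f"{k:8} {v}")
    print(lint_vulnerability(Vulnerability("backup media is not encrypted")))
```

Running the module prints the example entry with Severity 5 (regulated data, every customer, notification required) and one lint warning for the “backup media is not encrypted” phrasing, while the post's preferred wording passes clean. The lint is deliberately a nudge rather than a gate: a register should make the author restate the weakness, not silently accept a control name in its place.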

Of course this is a simple way of looking at Threats (Who), Vulnerabilities (Why), and Risks (What), but it seems to have helped my students to conceptualize the differences.