by The Open University
Having looked at threats, vulnerabilities, outcomes and impacts, we are now in a position to offer a definition of risk with regard to threats to the information assets of an organisation. This definition will lead to an approach to measuring and assessing risk that is consistent with the Standard and with IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book). This systematic approach to risk assessment corresponds to Stage 3 of the ISMS documentation task in the ISMS planning process.
Parker (1981, p. 141) defines risk as ‘the product of the amount that may be lost [the impact] and the probability of losing it [the likelihood]’. Parker here uses the word ‘product’ in its loosest mathematical sense, i.e. as the combination of two quantities in some way. According to this definition, then, risk comprises two quantities – an impact and a likelihood – combined in some way. As we have seen, the impact of a threat is the harm done to an organisation if the threat were to turn into a successful attack. The likelihood of the threat is the probability that the threat will result in a successful attack.
Parker's definition of risk suggests that both the impact and the likelihood could be expressed as numbers. However, estimating numerical values for these quantities is, as you might imagine, fraught with difficulty. Therefore, in this unit, we take the pragmatic but effective, and widely used and respected, qualitative approach to risk, in which impact and likelihood can take only three values: low, medium or high. These values are best interpreted in their relation to one another: for instance, a low-impact event will cost the organisation less than a medium-impact event, and a medium-likelihood event will, on average, occur less frequently than a high-likelihood event. However, the ISMS documentation should include some rough-and-ready definition of what ‘low’, ‘medium’ and ‘high’ are to be taken to mean. For example, definitions of levels of impact might be:
low impact means ‘has negligible effect on the organisation’;
medium impact means ‘has considerable effect on the organisation, but the organisation's existence is not threatened’;
high impact means ‘the organisation's existence is threatened’.
For likelihood, examples are:
low likelihood means ‘practically never’;
medium likelihood means ‘in the order of once a year’;
high likelihood means ‘in the order of once a week, or more often’.
The choice of scales for measuring impact and likelihood should be justified by reference to the organisation's objectives and its environment.
Using these scales, we can combine impact and likelihood to produce a risk combination table, which provides a measure of risk. One way of doing this is to consider impact and likelihood as being equally important, giving rise to the following risk combination table.

Using this table, we would classify a medium impact, high likelihood threat as of high risk.
Another possible risk combination table, which de-emphasises impact, is the following.

Using this table, we would classify a medium impact, high likelihood risk as of medium risk.
The final task in defining the organisation's approach to risk is to decide what constitutes an acceptable level of risk. If a risk combination table is being used, there are only three possibilities.
No risks are acceptable: all risks, whether low, medium or high, should be treated.
Low risks are acceptable: only medium and high risks should be treated.
Low and medium risks are acceptable: only high risks should be treated.
For any organisation, the choice will be based upon several interrelated factors, including the resources (money, personnel, etc.) available for implementing the ISMS, past experience of information security breaches, and the maturity of the current ISMS (if there is one). It should also reflect the current approach to risk of other organisations in the same sector. In addition, an organisation's approach to risk may change if new legislation or regulation comes into force, or if new contractual obligations arise.
The approach to risk – the characterisation of impact and likelihood levels, the risk combination table and the acceptable level of risk, together with their justifications – is recorded as part of Stage 3 of the ISMS documentation task in the ISMS planning process.
(a) In Activity 11, you identified an information asset that is valuable to your organisation. In terms of low, medium and high impact, as we interpreted them above, assess the impact that a breach of its security requirements could have on your organisation. What do you think is the likelihood of a breach?
(b) Estimate the impact and likelihood of email being unavailable for (i) one day, (ii) one week, (iii) one month in your organisation.
(c) Estimate the impact and likelihood of secure communications with your customers or clients being unavailable for (i) one day, (ii) one week, (iii) one month in your organisation.
(d) (i) Define a risk combination table that is suitable for an organisation with few resources to allocate to security. What would be an acceptable level of risk for such an organisation?
(ii) For your organisation, define a risk combination table and the level of risk that would be acceptable.
In most cases, such as those of (b) and (c), it is difficult to estimate impact and likelihood. The best we can do generally is to act on our gut feeling, informed by experience. The danger of a mistaken evaluation of impact and likelihood is that the wrong risks will be treated, or that some risks will not be treated at all. For the purposes of this unit, however, it is sufficient just to try to make appropriate estimates, to record your decisions and to justify your choices. The experience you gain from this will mean that, if you should ever come to implement an ISMS for real, you will be well aware of the complications that can arise.
(a) As in Activity 11, we select the Open University as the organisation on which to base our discussion and Tutor Notes as the information asset.
We believe that a wide-scale breach of confidentiality could result in the OU being unable to rely on the results of the TMAs to which the Tutor Notes pertain. Worse, if it took a long time for the breach in confidentiality to be detected, the OU might even have to withdraw course awards, leading to terrible publicity and even legal action. Although this could have a severe effect on the OU, we judge it unlikely to threaten the OU's existence, and so we would rate it as medium impact. Tutor Notes are indeed recognised as valuable, and so are protected by a security system. The likelihood of a breach of their confidentiality is, therefore, low.
Damage to the integrity of Tutor Notes would mean only that they would need correcting, and so we think this is a low-impact risk, which is also of low likelihood since great vigilance is required from those involved in their production.
A reduction in availability could result in an inability to mark TMAs and make awards. So we would rate it, like confidentiality, as of medium impact but low likelihood.
The OU is a not-for-profit institution. If your organisation is for-profit, the situation may be very different. For instance, a breach in the confidentiality of a tender (at the wrong time) might certainly threaten the organisation's existence, and so would be of high impact. Its likelihood might well be high also, as competitors may actively be seeking this information.
(b) We base discussion on the Open University and the members of the M886 Course Team.
(i) Many of us feel that if email were unavailable for one day this might actually improve our work situation. (We would all welcome a short period in which the email torrent dried up.) Consequently, the impact of a short period of its loss would be low. In fact, our mail server does go down from time to time, and it may take a day or so to transfer information to a replacement system. This happens about once a year, on average, so the threat is of medium likelihood.
(ii) However, we do use email extensively for arranging meetings, exchanging documents and external communications at short notice. If the system were unavailable for one week, then we would have to fall back on old-fashioned means of communication. Nevertheless, it would take a period of many weeks' interruption to disrupt our work in any serious way; so one week's absence of service would probably be of low impact. And the absence of email for a week could only happen if there were a catastrophic failure in the OU's mail system, with no replacement available. This is of low likelihood.
(iii) We rely on email to help us meet our deadlines, such as for the submission of external funding bids and the organisation of consortia, which are major sources of research funding. For email to be unavailable for one month or longer could, if this period coincided with a number of such important cut-off dates, have severe consequences for the research finances of academic units. In the worst case, then, this is a medium-impact threat. Although it is unthinkable that all email could be unavailable for a year, and is therefore of low likelihood, we have found that, quite regularly, single messages can go astray, only reappearing months later. So we estimate the risk of long-term loss of important messages as being of high likelihood. Recent experience of internet service providers marking genuine business email as spam has convinced us that this could occur often.
(c) We base this discussion on the case of secure electronic communication between students and the OU handled by the eTMA system.
(i) Loss of the eTMA system for one day around the time of a course deadline could certainly inconvenience all students on that course. However, without wishing to trivialise this inconvenience, we think a single occurrence would have low impact. We asked the developers and maintainers of the eTMA systems about the likelihood of the system becoming unavailable: it is quite possible, we were told, but it hasn't occurred yet. Therefore, we would assess the risk as of medium likelihood.
(ii) If the eTMA system were unavailable for one week at the time of a deadline, it would have a considerable effect on the business of the OU: students’ personal timetables would be badly disrupted, and this would in turn affect the work that tutors have to do. In the worst case, confidence in the eTMA system could be damaged, as could the reputation of the OU. The impact of such a failure would thus be medium; but the likelihood of it is low.
(iii) If the eTMA system were unavailable for one month, many courses would have their assessment timetables badly disrupted and thousands of students would have their plans dislocated. Depending on the quality of the OU's backup plans, the reputation of the OU could be severely damaged, perhaps (if it happened more than once) even putting into doubt the future of the institution itself. Without doubt, this is a high-impact threat; but, again, it is of low likelihood.
(d) (i) A cash-strapped organisation will need to focus on the high risks, so that low and medium risks are acceptable. It should also classify as high risk only those threats of high impact and high likelihood. One possible risk combination table is the following.

Any table in which the only high-risk threats are those of high impact and high likelihood would be suitable.
(ii) To define the risk combination table and the acceptable level of risk, you should have considered the availability of resources for ISMS development and your organisation's attitude to risk.
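As an added example, not part of the unit's text, the following Python models the three-level scales, the risk combination table and the acceptable level of risk described in the discussion of risk combination tables above, and the cash-strapped table of answer (d)(i). The three tables are constructed to satisfy the constraints the unit states (medium impact with high likelihood is high risk in the equal-weight table and medium risk in the table that de-emphasises impact; only high impact with high likelihood is high risk in the cash-strapped table); they are assumptions, not the unit's own tables, which are not reproduced in this copy. The threat list reuses the impact and likelihood estimates from answers (a) to (c). A monotonicity check is included because a combination table in which raising impact or likelihood could lower the resulting risk would be incoherent, and that is worth catching before the table is recorded in the ISMS documentation.

```python
"""Qualitative risk assessment: three-level impact and likelihood scales,
a risk combination table, and an acceptable-risk threshold.

Added example. The tables below are constructed to satisfy the constraints
given in the unit; they are not the unit's own tables.
"""
from enum import IntEnum
from typing import List, NamedTuple, Optional, Tuple


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


L, M, H = Level.LOW, Level.MEDIUM, Level.HIGH

# A risk combination table: rows are impact (LOW, MEDIUM, HIGH),
# columns are likelihood (LOW, MEDIUM, HIGH), cells are the resulting risk.
RiskTable = List[List[Level]]

# Constructed table treating impact and likelihood as equally important
# (symmetric): medium impact + high likelihood -> high risk.
EQUAL_WEIGHT: RiskTable = [
    [L, L, M],
    [L, M, H],
    [M, H, H],
]

# Constructed table that de-emphasises impact: the same cell now gives
# medium risk, and only high likelihood can push a risk above medium.
DEEMPHASISED_IMPACT: RiskTable = [
    [L, L, M],
    [L, M, M],
    [L, M, H],
]

# Constructed table for an organisation with few security resources:
# only threats of high impact AND high likelihood count as high risk.
CASH_STRAPPED: RiskTable = [
    [L, L, L],
    [L, M, M],
    [L, M, H],
]


def risk_level(table: RiskTable, impact: Level, likelihood: Level) -> Level:
    """Look up the risk for an (impact, likelihood) pair."""
    return table[impact - 1][likelihood - 1]


def is_monotonic(table: RiskTable) -> bool:
    """Sanity check: raising impact or likelihood must never lower the risk.
    A table that violates this would treat a worse threat less seriously."""
    for i in range(3):
        for j in range(3):
            if i > 0 and table[i][j] < table[i - 1][j]:
                return False
            if j > 0 and table[i][j] < table[i][j - 1]:
                return False
    return True


class Threat(NamedTuple):
    name: str
    impact: Level
    likelihood: Level


def treatment_plan(threats: List[Threat], table: RiskTable,
                   acceptable: Optional[Level]) -> List[Tuple[str, Level]]:
    """Return (threat name, risk) for every threat whose risk exceeds the
    acceptable level. `acceptable` is the highest risk level the organisation
    tolerates; None means no risk is acceptable and everything is treated.
    Accepting HIGH would mean treating nothing, which the unit does not list."""
    if acceptable == Level.HIGH:
        raise ValueError("accepting high risks would mean treating nothing")
    if not is_monotonic(table):
        raise ValueError("risk combination table is not monotonic")
    plan = []
    for t in threats:
        risk = risk_level(table, t.impact, t.likelihood)
        if acceptable is None or risk > acceptable:
            plan.append((t.name, risk))
    return plan


# Sample threats using the impact/likelihood estimates from the unit's own
# discussion (Tutor Notes, email loss, eTMA loss, a for-profit tender).
THREATS = [
    Threat("Tutor Notes: confidentiality breach", M, L),
    Threat("Tutor Notes: integrity damage", L, L),
    Threat("Tutor Notes: loss of availability", M, L),
    Threat("Email unavailable: one day", L, M),
    Threat("Email unavailable: one week", L, L),
    Threat("Email: long-term loss of messages", M, H),
    Threat("eTMA unavailable: one day", L, M),
    Threat("eTMA unavailable: one week", M, L),
    Threat("eTMA unavailable: one month", H, L),
    Threat("Tender confidentiality (for-profit)", H, H),
]


if __name__ == "__main__":
    for label, table, acceptable in [
        ("equal weight, low risks acceptable", EQUAL_WEIGHT, L),
        ("impact de-emphasised, low risks acceptable", DEEMPHASISED_IMPACT, L),
        ("cash-strapped, low and medium acceptable", CASH_STRAPPED, M),
    ]:
        print(f"--- {label} ---")
        for name, risk in treatment_plan(THREATS, table, acceptable):
            print(f"  treat: {name} ({risk.name} risk)")
```

Running the script shows how the choice of table and threshold changes which threats are treated: with the equal-weight table and only low risks accepted, the long-term loss of email, a month-long eTMA outage and the tender breach are all treated; with the cash-strapped table and low and medium risks accepted, only the tender breach is.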
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).