Whether you’re addressing cyber security on your own, following ISO 27001 or using the guidance outlined in the GDPR (General Data Protection Regulation), the process begins by assessing the risks you face.
You might have a broad idea of what a risk is, but did you know there’s a specific way you can calculate it? It looks like this:
A + T + V = risk
In this equation, ‘A’ refers to ‘asset’, ‘T’ to ‘threat’ and ‘V’ to ‘vulnerability’. The ‘+’ is shorthand rather than arithmetic: a risk exists only where all three are present together, so if any one of them is missing there is nothing to assess. By identifying and defining these three elements, you will gain an accurate picture of each risk.
To help you do that, let’s break down each of these terms and how they work within your organisation.
What’s an asset?
An asset is any data, device or other component of an organisation’s systems that is valuable – often because it contains sensitive data or can be used to access such information.
For example, an employee’s desktop computer, laptop or company phone would be considered an asset, as would the applications installed on those devices. Likewise, critical infrastructure, such as servers and the systems that support them, counts as an asset.
An organisation’s most common assets are information assets. These are things such as databases and physical files – i.e. the sensitive data that you store.
A related concept is the ‘information asset container’, which is where that information is kept. In the case of a database, this would be the database management system and the server that hosts it; for physical files, it would be the filing cabinet where the information resides. The distinction matters because most threats and vulnerabilities attach to the container rather than to the information itself.
What’s a threat?
A threat is anything that could cause an incident affecting an asset – for example, the asset being lost, knocked offline or accessed by an unauthorised party.
Threats are usually categorised by which of the three security properties – confidentiality, integrity or availability – they could compromise, and by whether they are intentional or accidental.
Intentional threats include things such as criminal hacking or a malicious insider stealing information, whereas accidental threats generally involve employee error, a technical malfunction or an event that causes physical damage, such as a fire or natural disaster.
What’s a vulnerability?
A vulnerability is a weakness – in an asset, in a control or in the organisation around them – that a threat can exploit to destroy, damage or compromise an asset.
You are most likely to encounter vulnerabilities in software, because of its complexity and the frequency with which it is updated. Not every bug is a vulnerability, but a bug that lets a criminal hacker bypass a control and reach sensitive information certainly is.
Vulnerabilities don’t only refer to technological flaws, though. They can be physical weaknesses, such as a broken lock that lets unauthorised parties into a restricted part of your premises, or poorly written (or non-existent) processes that could lead to employees exposing information.
Other vulnerabilities include inherent human weaknesses, such as our susceptibility to phishing emails; structural flaws in the premises, such as a leaky pipe near a power outlet; and communication errors, such as employees sending information to the wrong person.
Now that we’ve explained the constituent elements of risk, you can see that the concept is more precise than you might have thought. Although it sounds counterintuitive, that’s not necessarily a bad thing.
That’s because a risk must satisfy all three conditions at once, which means you may well have fewer of them than you estimated.
After all, an information security risk must have something that’s in jeopardy (an asset), something that could act on it (a threat) and a weakness through which that could happen (a vulnerability).
If you’ve identified a vulnerability, but there is no threat that could exploit it, you have little to no risk. Likewise, you might detect a threat but have already secured any weaknesses that it could exploit. Be careful with the first case, though: a threat you can’t see today may appear tomorrow, so keep the vulnerability on record even if you don’t score it as a risk now.
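To make the three-part definition concrete, here is a small Python risk register, added to this post as an illustration rather than taken from it or from any IT Governance tool. The asset, threat and vulnerability records, their names and the 1–5 scales are constructed for the example, and scoring a risk as value × likelihood × exploitability is an assumed convention, not the page’s A + T + V notation. The point it demonstrates is the one above: a risk is produced only where all three elements line up, so a mitigated weakness, or a weakness with no threat able to exploit it, yields nothing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str        # "database", "laptop", "filing_cabinet", ...
    value: int       # 1 (low) to 5 (high): impact if the asset is compromised


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int            # 1 (rare) to 5 (expected)
    affects: frozenset         # asset kinds the threat can act on
    intentional: bool          # True for attackers, False for accidents


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str                 # name of the asset it weakens
    exploitable_by: frozenset  # names of the threats that can exploit it
    exploitability: int        # 1 (hard) to 5 (trivial)
    mitigated: bool = False    # True once a control has closed it


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    score: int


def identify_risks(assets, threats, vulnerabilities):
    """Return one Risk for each (asset, threat, vulnerability) triple in which
    all three coincide: the vulnerability weakens a known asset, is not yet
    mitigated, and can be exploited by a threat that applies to that kind of
    asset. Anything short of the full triple is not a risk.

    Score = value * likelihood * exploitability is an assumed convention for
    this example (not the page's 'A + T + V'), chosen so that a missing
    element behaves like a factor of zero.
    """
    assets_by_name = {a.name: a for a in assets}
    threats_by_name = {t.name: t for t in threats}
    risks = []
    for vuln in vulnerabilities:
        if vuln.mitigated:
            continue                      # weakness already secured
        asset = assets_by_name.get(vuln.asset)
        if asset is None:
            continue                      # nothing in jeopardy
        for threat_name in sorted(vuln.exploitable_by):
            threat = threats_by_name.get(threat_name)
            if threat is None:
                continue                  # no threat exists to exploit it
            if asset.kind not in threat.affects:
                continue                  # threat cannot act on this asset
            score = asset.value * threat.likelihood * vuln.exploitability
            risks.append(Risk(asset.name, threat.name, vuln.name, score))
    return sorted(risks, key=lambda r: (-r.score, r.asset, r.threat))


def unmatched_vulnerabilities(threats, vulnerabilities):
    """Unmitigated weaknesses that no threat in the register can exploit.
    They carry no risk today but should stay on record, because threats change."""
    known = {t.name for t in threats}
    return [v.name for v in vulnerabilities
            if not v.mitigated and not (set(v.exploitable_by) & known)]


# Constructed sample register for the example; not real data.
SAMPLE_ASSETS = [
    Asset("customer-db", "database", value=5),
    Asset("sales-laptop", "laptop", value=3),
    Asset("hr-cabinet", "filing_cabinet", value=4),
    Asset("legacy-fax", "fax", value=1),
]

SAMPLE_THREATS = [
    Threat("criminal hacking", 4, frozenset({"database", "laptop"}), True),
    Threat("office burglary", 3, frozenset({"laptop", "filing_cabinet"}), True),
    Threat("fire", 1, frozenset({"database", "laptop", "filing_cabinet", "fax"}), False),
]

SAMPLE_VULNERABILITIES = [
    Vulnerability("unpatched DBMS", "customer-db", frozenset({"criminal hacking"}), 4),
    Vulnerability("no full-disk encryption", "sales-laptop", frozenset({"office burglary"}), 5),
    Vulnerability("broken cabinet lock", "hr-cabinet", frozenset({"office burglary"}), 4, mitigated=True),
    Vulnerability("paper stored next to heater", "hr-cabinet", frozenset({"fire"}), 3),
    Vulnerability("unencrypted fax line", "legacy-fax", frozenset({"wiretapping"}), 2),
]


def sample_register():
    return identify_risks(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_VULNERABILITIES)


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.score:>3}  {r.asset:<13} {r.threat:<17} {r.vulnerability}")
    print("no matching threat:", unmatched_vulnerabilities(SAMPLE_THREATS, SAMPLE_VULNERABILITIES))
```

Running it lists three risks (the unpatched database scores highest), while the broken lock produces nothing because it is already mitigated and the fax line produces nothing because no threat in the register can exploit it; the latter is reported separately so that it is not forgotten.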
Of course, identifying risks is only the first step towards securing your organisation. You need to document them, assess and prioritise them, and finally implement measures to treat them.
This can be a labour-intensive task, but our risk assessment tool, vsRisk, does much of the work for you.
This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
A version of this blog was originally published on 15 February 2017.