CHAPTER 2: RISK MANAGEMENT – The Psychology of Information Security

CHAPTER 2: RISK MANAGEMENT

From the information security perspective, the people, processes and technology supporting the business are not bulletproof, and their vulnerabilities may be exploited. This scenario is called a threat, which has a certain impact on a company’s assets.

Impact = Vulnerability × Threat

Threats vary in probability and therefore the degree of impact. For example, in a company which handles customers’ personal data online, the probability of human error leading to disclosure of sensitive information might be greater and have a larger business impact than someone bringing down the website.

Additionally, the exploitation of a vulnerable critical system may have a greater impact than that of one used purely for archiving.

This relationship defines risk.

Risk = Probability × Impact

In order to reduce the probability and impact of the threat, information security professionals can implement countermeasures, otherwise known as controls.

When thinking in terms of protection measures, it is useful to know who the attackers are. Security professionals should understand that attackers are people too, who differ in resources, motivation, ability and risk propensity. According to Bruce Schneier, author of Beyond Fear,1 the categories of attacker are:

  • Opportunists: The most common type of attacker. As the category indicates, they spot and seize an ‘opportunity’ and are convinced that they will not get caught. It is easy to deter such attackers via cursory countermeasures.
  • Emotional attackers: They may accept a high level of risk and usually want to make a statement through their attack. The most common motivation for them is revenge against an organisation due to actual or perceived injustice. Although emotional attackers feel powerful when causing harm, they sometimes ‘hope to get caught’ as a way of solving the issues they were unhappy with but were unable to change from the beginning.
  • Cold intellectual attackers: Skilled and resourceful professionals who attack for their own gain or are employed to do so. They target information, not the system, and often use insiders to get it. Unlike opportunists, cold intellectual attackers are not discouraged by cursory countermeasures.
  • Terrorists: They accept high risk to gain visibility and make a statement. Not only are they hard to deter by cursory countermeasures, but they can even see them as a thrill.
  • Friends and relations: They may introduce a problem to both individuals (in the form of financial fraud, for example) and companies (by abusing authorisation credentials provided to legitimate employees). In this scenario, a victim and an attacker are sharing physical space, which makes it very easy to gain login and other sensitive information.

Figure 2: Categories of attackers

Information security vulnerabilities, threats and risks are part of today’s corporate world, and are just as relevant and important to information security specialists as to the business.

Information security professionals are comfortable thinking in terms of threats and vulnerabilities, but the focus of risk management should be on assets, not threats. Focusing solely on security regardless of the business’s needs can be counterproductive.

Information security should support and enable the business – as such, security professionals must consider the cost aspect of implementing countermeasures. They should implement the controls ensuring that the cost is appropriate for the asset to which it is applied.

Many information security professionals view risk negatively and believe that all risk must be removed. It is, however, also important to communicate the positive aspects of risk as well. Threats in this paradigm could be replaced by opportunities, vulnerabilities by strengths and impact by benefits.

Despite this negative view, operational risk-taking is required in order to realise business opportunities. Security professionals should make a habit of communicating information security risks to the business in a positive way.

For example, employees may believe that security professionals’ only priority is to stop viruses, in order to prevent widespread infection across the network. In reality, there is also a valid business reason for such activities. Security team members therefore have to go a step further and demonstrate that virus prevention can also increase the availability of resources and the productivity of employees, because they can focus on their work rather than waiting for their laptop to be cleared of malicious software (malware).

Among other concerns, business personnel may care about enabling business opportunities or enhancing brand reputation and trust. In order to find out what their priorities are, security professionals must engage them to collect business drivers, goals and objectives and understand how they can support the business.

A clear link should be preserved between business concerns and countermeasures so that security professionals can demonstrate the value they bring.

Business teams are much more likely to accept this perspective, because doing business means taking risks and exploiting opportunities. Therefore a company’s risk appetite must be determined.

To determine the risk appetite, one should understand that security risk is just one of the many types of risk that a business faces on a day-to-day basis: socio-economic, financial, geopolitical, legal and personnel are just a few examples. Any of these may be a higher priority to the company than security, which security professionals should bear in mind. Based on this prioritisation, a company can define an acceptable level of risk under which to operate.

It is perfectly normal to accept the risk that falls below this threshold.

Treating information security risks as another facet of the business can yield great results. For example, SWOT and PEST analyses can be performed to broaden the view of risk.

SWOT stands for Strengths, Weaknesses, Opportunities and Threats. It is a simple technique, which involves listing external and internal factors that are helpful and harmful for an organisation.

Figure 3: SWOT analysis

When performing this analysis in a security context, one should consider using the strengths both to exploit opportunities and to confront threats.

For example, a business partner would be reassured in the safety of doing business with a company if said company had implemented adequate security measures, which also mitigate the risk of cyber attacks. Effective security can therefore lead to the additional benefit of increasing trust and, as a result, sales.

One should also consider mitigating weaknesses that might be exploited by threats. For instance, adopting a vulnerability management programme ensures that the latest updates are applied to a company’s software, by addressing known flaws.

Similarly, security professionals should also search for ways of strengthening weaknesses that might hinder the exploration of opportunities.

For example, an e-commence provider which has developed their own internal cloud solution may wish to grow their business by marketing such a product to external customers. However, vulnerabilities present in the solution might negatively impact their reputation if compromised. Therefore, investing in patching these flaws would enable the business to expand.

In order to focus on the broader external factors, security professionals can also utilise the PEST analysis. It takes Political, Economic, Social and Technological factors into consideration. Here is an example:

Figure 4: PEST analysis

There are variations of this tool which include other factors, such as legal or environmental. Performing this analysis enables security professionals to see the bigger picture of enterprise-wide risks. This, in turn, encourages early identification of potential risk treatment options, like countermeasures, in a proactive manner.

These tools and techniques are a good start, but in order to appreciate an example of applied risk management, I interviewed Thom Langford, Chief Information Security Officer at Publicis Groupe, and asked his opinion on this subject. Thom has delivered a number of industry presentations on information security and his pragmatic view on this subject will summarise this discussion on risk management and provide some real-life case studies.

“I think everybody has a view on risk management, and it is not always a good one”, he started, “Traditionally, risks are seen as bad and have to be removed. They never change and the same risks are going to be there all the time.”

He described a conventional approach where everything is perceived as static and security professionals live in the world of spreadsheets: “You list your risks in them, you list what you are going to do about them, how you are going to measure them, and then you decide whether you’ve fixed them or not.”

That attitude has changed drastically for him in the last four years: “If you act this way, the business will be stifled quite dramatically because of your security implementations.” Any measure that completely disregards the nature of the business and its context will become an obstacle, or even be counterproductive.

“All you are doing is reducing the ability of the business to work effectively because you don’t see the big picture of how it operates.”

If security professionals can connect the benefits of a security program to the ability of a company to increase sales, to safely enter riskier markets, to give assurance to their clients and to bring confidence to the industry, then they are truly adding value to the business. If security professionals are just doing security for security’s sake, they go back to stifling the business rather than supporting it.

“If you haven’t even read your company’s annual report,” – Langford continues, “how do you know what your security programme is supporting?”

“If you haven’t attended a shareholder meeting or an earnings call, you can’t really know what you are doing. If you don’t understand what the core purpose of the business is, how can you actually align your security with it?”

Security professionals should talk to as many people as possible across the business. For instance, if they are ensuring successful security implementation at a manufacturing plant, they could start by talking to the people on the factory floor to see how they operate.

The aim for security professionals is to understand what others do and how they do it, as well as what others need from security and their level of security awareness.

If, for example, the shift manager tells a security professional that smokers are leaving the doors open to have their cigarette break then he is understandably concerned about the risk of theft. As another example, a manager notices that her computer is running slow and strange pop-up messages are appearing. At first glance, these appear to be small issues, but potentially important ones which a security professional could assist with.

Security professionals should also try to understand what the business needs from security. As an example, a CFO’s primary goal may be to ensure that she’s able to get reports and the payroll out on a monthly basis. She might find herself staying awake at night worrying that the systems will go down, which would allow security professionals to focus on the integrity and availability of the data, prioritising disaster recovery and business continuity.

Solving such problems, perceived or otherwise, can start to build advocates for security. If the people aspect of security is not considered, there is a good chance that the security solution, no matter how perfect it is, may be blocked by the business.

1 Bruce Schneier, Beyond Fear: Thinking Sensibly about Security in an Uncertain World, Copernicus Books, 2003.