I am writing a series of posts describing Information Security Risk, from concepts to analysis and management. This is the first, what is Information Security Risk itself.
Defining risk is a source of much debate from semantic to philosophical. What is clear is that risk refers to our uncertainty about what will happen in the future. Uncertainty can be slippery to pin down, but it often is defined by our doubt about our knowledge about future events and their consequences. We can be more or less confident about our predictions describing how future events will progress, but we can never be entirely certain without seeing those future events in advance.
The Oxford English Dictionary (OED) defines uncertainty as “The quality of being uncertain in respect of duration, continuance, occurrence, etc.; liability to chance or accident. Also, the quality of being indeterminate as to magnitude or value; the amount of variation in a numerical result that is consistent with observation.”
My preferred formal definition of risk comes from the International Standard for Risk Management, ISO 31000:2018, which describes risk as “the effect of uncertainty on objectives”. This definition makes risk practical as it ties the concept of risk to our objectives as well as ensuring it focuses on our doubt.
It is important to understand why we are interested in risk, as a measure of our uncertainty about the future. Understanding risk is important because it informs decisions we make about prioritisation, resource allocation and whether or not to take action. Without these decisions to inform, then risk analysis and management are a pointless waste of resources. If decisions are going to be made on ‘gut-feel’ and implicit mental models, then there is no need to analyse risk. Because of our various cognitive biases, a well-analysed risk assessment is likely to conflict with our gut feel, and we need to understand how we will handle that when it happens so that we don’t waste resources filling out the paperwork but never actually influencing better outcomes for the risk owners.
This definition in ISO 31000 is also adopted by the ISO 27000 for Information Security Management Systems (ISMS) vocabulary. ISO 27000 states explicitly that information security risk is the “effect of uncertainty on information security objectives” which are commonly held to be the confidentiality, integrity and availability of information and may also include authenticity, accountability, non-repudiation and reliability.
ISO 27000 states explicitly that information security risk is the “effect of uncertainty on information security objectives” which are commonly held to be the confidentiality, integrity and availability of information (CIA) and may also include authenticity, accountability, non-repudiation and reliability.
While I am unconvinced the information security objectives are themselves the maintenance of the CIA triad as separate from the goals of the risk owner, the identification of objectives is a key activity. I tend to believe the goals of the risk owner (or the more nebulous ‘business’) are more likely to be; avoiding or preventing security events, minimising the consequences of security events and balancing the friction that security controls introduce into generating value with the strength of the controls in protecting value. However, it is the job of the security leader and security risk analyst to engage with the risk owner and discover what their goals are.
These definitions of risk make no distinction between positive or negative effects and make it clear that effects could be both positive and negative deviations. There is a common debate about whether that risk can have both a downside and an upside as is often calculated in attempts to estimate the effect on business objectives such as Value at Risk (VaR).
The Oxford English Dictionary comes down clearly on the side of risk as a possible negative outcome when it defines risk as “Exposure to the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.” Or as “Exposure to the possibility of harm or damage causing financial loss, against which property or an individual may be insured. Also: the possibility of financial loss or failure as a quantifiable factor in evaluating the potential profit in a commercial enterprise or investment.“
For Information Security, we are focused on the minimisation of compromises of confidentiality, integrity and availability (CIA) which lead to negative consequences in line with Doug Hubbard’s view that risks can only have a downside. Almost all risk practitioners subscribe to this view, and commonly, the upside of uncertainty is opportunity.
As a result, defining Information Security Risk as ‘the negative effect of uncertainty on information security objectives‘ suits us well. This definition is entirely compatible with the definitions of Information Security Risk in a variety of standards, including:
The US Government Standard NIST 800-30 Guide for Conducting Risk Assessments which states: “Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organisational operations (i.e., mission, functions, image, or reputation), organisational assets, individuals, other organisations, and the Nation.”
The OpenFAIR Risk Taxonomy which states: “Risk estimates the probable frequency and magnitude of future loss“.
The Carnegie Mellon University OCTAVE risk assessment methodology which states: “A risk is the possibility of suffering harm or loss. Risk refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.”
The UK Government and NATO standard CRAMM v5.1 states “Risk is the function of two separate components, the likelihood that an unwanted incident will occur and the impact that could result from the incident“.
The Cyber Security Body of Knowledge (CyBok) Risk Management and Governance Knowledge Area relies on Ortwin Renn’s definition that: “risk is the possibility that human actions or events lead to consequences that have an impact on what humans value” but also includes the following formal definition: “The probable frequency and probable magnitude of future loss.“
There is a lot more to these industry definitions, but I’ll come to that later as I start decomposing information security risks to see what characteristics and attributes they have.