Generally speaking, security aims to reduce both the number and the scope of these impacts:
Most impacts, except for financial ones, cannot be covered by any form of insurance. They, therefore, need to be prevented from arising in the first place, respectively mitigating their consequences by reducing the vulnerabilities of the various assets. This reduction of vulnerabilities is often difficult to achieve and may incur substantial costs, especially, if you have to create redundancies. However, it is not possible to act on threats, as they are beyond the control of the organisation.
As it is not possible, or at least not immediately possible to address all vulnerabilities, it is preferable to address vulnerabilities whose exploitation could lead to significant or even critical impacts. We need to introduce the concept of priorities and a ‘road map’.
Standard ISO/IEC 27005 (risk management) puts forward a methodological strategy aimed at identifying existing risks, quantifying them, assessing them, and ultimately proposing a way to deal with them. The standard proposes four types of treatment:
Using this method, it is possible to identify the various risks faced by an organisation. For each professional and informational process, the support assets necessary for their treatment are analysed from a threat, vulnerabilities, and impacts standpoint. For each asset, the various existing threats and vulnerabilities are listed. Realistic threat-vulnerability pairings, also known as ‘attack scenarios’ are retained, and the risk is then calculated based on the importance of the asset (importance for the primary process concerning the value of the asset).
The risk assessment is a calculation based on:
When assessing risk, we sort through the various risks based on their significance.
Finally, treatments for each element are proposed arising from the assessment of risks presenting an unacceptable level of risk.
This strategy may seem arduous, but it is the only way to prioritise investments safely. The effectiveness of these strategies lies in the fact that they are adapted to the most “promising” attack scenarios.
Why invest millions in fire protection when the main threat comes from water?