Risks are organized and identified based on where they come from and where they are targeting.
- External
- Internal
- Multi-party
- Intellectual Property Theft
- Software licensing and compliance
- Legacy systems

Risks can be calculated as Quantitative Risk - numerical values that show how likely an issue is to occur and how damaging it would be.
- Single Loss Expectancy (SLE): Amount lost in a single incident. SLE = Asset Value x Exposure Value (how likely that the issue will occur)
- Annualized Loss Expectancy (ALE): SLE x annual expected rate of occurrence

Qualitative Risk is an opinion-based measurement of risk, expressed as Critical, High, Medium or Low probability for Irreplaceable, High Value, Medium Value and Low Value assets.
- Low: minor damage or loss
- Moderate: significant damage or loss
- High: major damage or loss of the capability to perform essential functions (total loss)

Risk is inherent in all systems and actions. Inherent risk is the risk present in a system before any remediation is attempted (gross risk). Risk mitigation, remediation and deterrence reduce the overall risk. The risk that remains after all attempts to reduce it is known as Residual Risk; whether it is acceptable depends on the organization's Risk Appetite. Assessments of inherent and residual risk for all assets should be recorded in a document known as a risk register, for comparison against the organization's risk appetite. Comparing risk registers taken at different times can show how much less effective a security control has become; this loss of effectiveness over time is known as control risk.
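As an added worked example (not part of the original notes), the following Python builds a small quantitative risk register from the definitions above: SLE and ALE per asset, inherent versus residual risk after a control, a comparison against the organization's risk appetite, and the growth of residual risk between two register snapshots as a measure of control risk. It treats the Exposure Factor as the fraction of the asset value lost in one incident and uses an Annualized Rate of Occurrence (ARO) for likelihood; the assets and figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    asset: str
    asset_value: float      # value of the asset in currency units
    exposure_factor: float  # fraction of the asset value lost in one incident (EF)
    aro: float              # annualized rate of occurrence before any control (inherent)
    control_cost: float     # annual cost of running the control applied to this risk
    residual_aro: float     # annualized rate of occurrence after that control is applied

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: money lost in one incident."""
    return asset_value * exposure_factor

def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy: SLE scaled by how often it happens per year."""
    return sle(asset_value, exposure_factor) * aro

def assess(entry):
    """Inherent (gross) risk, residual risk after the control, and the control's net benefit."""
    inherent = ale(entry.asset_value, entry.exposure_factor, entry.aro)
    residual = ale(entry.asset_value, entry.exposure_factor, entry.residual_aro)
    return {"asset": entry.asset, "sle": sle(entry.asset_value, entry.exposure_factor),
            "inherent_ale": inherent, "residual_ale": residual,
            # a control pays for itself only if the ALE it removes exceeds its annual cost
            "control_net_benefit": inherent - residual - entry.control_cost}

def risk_register(entries, risk_appetite):
    """Build the register and flag entries whose residual ALE exceeds the risk appetite."""
    rows = []
    for entry in entries:
        row = assess(entry)
        row["within_appetite"] = row["residual_ale"] <= risk_appetite
        rows.append(row)
    return rows

def control_risk(previous, current):
    """Per-asset growth in residual ALE between two register snapshots; a positive
    value means the control has become less effective over time (control risk)."""
    prev = {row["asset"]: row["residual_ale"] for row in previous}
    return {row["asset"]: row["residual_ale"] - prev[row["asset"]]
            for row in current if row["asset"] in prev}

# Constructed sample entries: hypothetical assets and figures, not from the original notes
SAMPLE = [
    RiskEntry("web-server", 200_000, 0.25, 2.0, 15_000, 0.5),
    RiskEntry("customer-db", 1_000_000, 0.5, 0.25, 30_000, 0.125),
]
RISK_APPETITE = 50_000  # largest residual ALE per asset the organization will tolerate
```

With these figures the web server's residual risk sits inside the appetite while the customer database's does not, and a later snapshot with a higher residual ARO for the database shows the control's lost effectiveness as a positive control_risk value.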
- Avoidance: stop doing things that generate risk
- Transference: make the risk another group's problem (insurance)
- Acceptance/Tolerance: no countermeasures because of cost or capability

The process of analyzing the effects and potential losses for various scenarios is a Business Impact Analysis (BIA). A major criterion for a BIA could be whether mission essential functions would be impacted during an event.
- Maximum Tolerable Downtime (MTD): longest period an outage can last without causing irrecoverable failure.
- Recovery Time Objective (RTO): period following a disaster during which a system may remain offline (time to identify the problem and fix it).
- Work Recovery Time (WRT): time to reintegrate systems that are being recovered.
- Recovery Point Objective (RPO): time back to the last safe backup/image.

Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF) express the expected lifetime of a product/system; MTTF is used for systems that are non-repairable. Mean Time to Repair (MTTR) is the time to restore full operation.