Small and Medium Enterprise Information Security Risk Assessment
According to research conducted by the Laboratory of Information Security of the Academy of Economic Studies of Moldova, most companies understand the importance of information security, but lack adequate measures to control and assess the risks in their information systems. This paper discusses the process of risk assessment as applied to small and medium enterprises, together with some of the basic notions and definitions.
Wikipedia defines risk as “the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed). Potential losses themselves may also be called ‘risks’.” The definition is in our opinion somewhat vague, but is generally correct. We consider the definition that ISO/IEC 27005:2008 gives for an information security risk, “the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization”, to be more precise, succinct, and related to the domain under consideration.
According to ISO 27005, risk assessment is the identification, estimation and evaluation of a risk. NIST SP 800-30 defines risk assessment as the analysis of threats in conjunction with vulnerabilities and existing controls. These definitions are in our opinion slightly indistinct and lack specifics. We define risk assessment as a recurrent process of analysis of threats to an information system, vulnerabilities existing in the information system, existing controls and their adequacy, probability of vulnerability exploitation, possible impact on the information system under consideration, risk determination, and control recommendations. Below we discuss the parts of this definition in more detail.
The first step is system characterization. During this step the company compiles a full list of all hardware, software, interfaces, data and people in use, and states the mission of its information system.
The next step is threat analysis. ISO 27005 defines a threat as a “potential cause of an incident, which may result in harm of systems and organization”. NIST SP 800-30 defines a threat as “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability”. A threat-source may act intentionally or unintentionally, and may be a cracker, criminal, terrorist, industrial spy, or an insider. Each of these categories has its own set of resources, goals, motivation, capabilities and potential.
Following threat analysis is vulnerability identification. ISO 27005 defines a vulnerability as “a weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization’s mission”. NIST SP 800-30 provides the following definition of a vulnerability: “A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Information about vulnerabilities may be obtained from Internet sources, e.g. vendor and product web pages, previous risk assessment documents, audit reports, etc.
Once all of the above elements have been established, implemented and planned controls should be analyzed. Controls are intended to minimize or eliminate the likelihood of a threat exploiting a system vulnerability. When all of the controls have been determined, the analyst may determine the probability of a given vulnerability being exploited by a threat-source.
The following step is determination of the impact on the information system resulting from a threat-source exploiting a vulnerability. The impact may take the form of loss of integrity, availability, or confidentiality. The magnitude of impact may be rated High, Medium, or Low. The topmost grade, High, means that the impact on the information system may result in highly costly loss, significantly impede the organization’s mission, reputation or interests, or even result in human death or serious injury. Medium impact may result in costly loss of tangible assets or harm to reputation or interests. Low impact may cause some loss of resources or assets.
During the next step, the risk to the information system is determined. The level of risk depends on the likelihood of a threat-source exploiting a given vulnerability, the magnitude of the impact, and the sufficiency of existing and planned controls. Generally, there are three grades of risk: High, Medium, or Low. If a risk is determined to be High, there is an urgent need for corrective measures as soon as reasonably possible. At the Medium level corrective measures are required to be implemented; although this is not urgent, the risk should be treated within a reasonable period of time. Low risk means that corrective measures may be necessary, but the risk can also be accepted.
The goal of the following, penultimate step is to propose a list of recommended controls that should be applied to the system in order to reduce the risks to the information system to an acceptable level.
The final step of the risk assessment process is compilation of the analysis into a resulting document, report, or briefing. The document should help senior management in making decisions on policy, budget and necessary system changes.
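The steps above (characterize the system, list threat-sources and vulnerabilities, weigh existing and planned controls, grade likelihood and impact, derive a High/Medium/Low risk level and a recommended action, and compile a report) can be carried through end to end on a small inventory. The following Python script is an added example and is not part of the paper. The numeric weights for likelihood (1.0/0.5/0.1) and impact (100/50/10) and the risk-level thresholds follow the risk-level matrix published in NIST SP 800-30; the rule that each effective control lowers likelihood by one grade is a constructed simplification for illustration, and the assets, threat-sources, vulnerabilities and controls in `FINDINGS` are constructed sample data.

```python
"""Worked High/Medium/Low risk determination for a small inventory.

Added example, not the paper's own method. Likelihood/impact weights and
risk thresholds follow the NIST SP 800-30 risk-level matrix; the control
rule and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

GRADES = ["Low", "Medium", "High"]                     # ordinal scale for likelihood, impact, risk
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}  # NIST SP 800-30 likelihood weights
IMPACT = {"Low": 10, "Medium": 50, "High": 100}        # NIST SP 800-30 impact magnitudes

# Recommended action per risk level, as described in the text above
ACTION = {
    "High": "corrective measures needed as soon as reasonably possible",
    "Medium": "corrective measures required within a reasonable period",
    "Low": "corrective measures optional; risk may be accepted",
}


@dataclass
class Control:
    name: str
    effective: bool  # does it actually reduce the chance of *this* vulnerability being exploited?


@dataclass
class Finding:
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str  # analyst's grade before any control is counted
    impact: str      # High / Medium / Low
    existing: List[Control] = field(default_factory=list)
    planned: List[Control] = field(default_factory=list)


@dataclass
class Result:
    likelihood: str
    score: float
    level: str
    action: str


def residual_likelihood(raw: str, controls: List[Control]) -> str:
    """Constructed rule: every effective control lowers likelihood by one grade (floor at Low)."""
    idx = GRADES.index(raw) - sum(1 for c in controls if c.effective)
    return GRADES[max(idx, 0)]


def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: High > 50, Medium > 10, otherwise Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(finding: Finding, include_planned: bool = False) -> Result:
    """Grade one threat/vulnerability pair, optionally crediting planned controls."""
    controls = finding.existing + (finding.planned if include_planned else [])
    lik = residual_likelihood(finding.likelihood, controls)
    score = round(LIKELIHOOD[lik] * IMPACT[finding.impact], 2)
    level = risk_level(score)
    return Result(lik, score, level, ACTION[level])


def report(findings: List[Finding]) -> str:
    """Management-facing summary, highest risk first, with the effect of planned controls."""
    ordered = sorted(findings, key=lambda f: GRADES.index(assess(f).level), reverse=True)
    lines = []
    for f in ordered:
        now, later = assess(f), assess(f, include_planned=True)
        lines.append(f"[{now.level}] {f.asset}: {f.threat_source} exploiting {f.vulnerability}")
        lines.append(f"    likelihood {now.likelihood}, impact {f.impact}, score {now.score:g} -> {now.action}")
        if f.planned:
            names = ", ".join(c.name for c in f.planned)
            lines.append(f"    with planned controls ({names}): {later.level} (score {later.score:g})")
    return "\n".join(lines)


# Constructed sample inventory for a small company (not real data)
FINDINGS = [
    Finding("customer database server", "external criminal", "unpatched web application framework",
            "High", "High",
            existing=[Control("perimeter firewall", effective=False)],  # web port is open, so no mitigation
            planned=[Control("monthly patch cycle", True), Control("web application firewall", True)]),
    Finding("office workstations", "insider", "shared local administrator password",
            "High", "Medium",
            planned=[Control("unique per-host admin passwords", True)]),
    Finding("backup media", "environmental (fire, flood)", "single off-site copy",
            "Low", "Medium"),
]

if __name__ == "__main__":
    print(report(FINDINGS))
```

Running the script prints the three findings in High, Medium, Low order and shows that the planned controls move the database-server finding from High to Low, while the workstation finding stays Medium even after its planned control, which is the kind of information the final briefing should put in front of management.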
Above we provided a simplified and generalized model of risk assessment. In reality, applied to real information systems, the process is much more complex, difficult and time consuming. Most small and medium businesses would be unable to handle all the required work by themselves, as it would require a team of highly qualified professionals. Therefore, in our opinion, development of advisory activity targeted at small and medium enterprises is crucial.
1. Dharshan Shanthamurthy, Risk assessment as per ISO 27005, http://www.smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf
2. Adrian Baldwin, Yolanta Beres, Geoffrey B. Duggan, Marco Casassa Mont, Hilary Johnson, Chris Middup, Simon Shiu, Economic methods and decision making by security professionals, http://weis2011.econinfosec.org/papers/Economic%20methods%20and%20decision%20making%20by%20security%20profession.pdf
3. British Standards Institution, Information technology – Security techniques – Management of information and communications technology security – Part 1: Concepts and models for information and communications technology security management, BS ISO/IEC 13335-1:2004
4. Gary Stoneburner, Alice Goguen, and Alexis Feringa, National Institute of Standards and Technology, Risk Management Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf