How to Assess Risk Part I: Asking the Right Questions

Tuesday, December 14, 2010

Danny Lieberman


It seems to me that self-assessment of risk is a difficult process to understand and execute, primarily because the employees who are asked to assess the risk in their business process a) don't really understand the notion of risk and b) don't really care.

Let’s face it – risk is difficult to understand, since it is a function of many different, often-interdependent variables.

So the question I am going to pose today is: What is the best way to do a risk assessment?

And the answer is: Start by asking the right questions.

Let’s say that you have the job to collect data for a risk assessment in your business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit.

You figure you're going to be less than thrilled with the quality of information you receive, and the employees may not be excited by your standard checklist questions.

However, you know that the urge to point out what is wrong (a bit of the whistleblower) is innate in all of us, and it's worth trying to get to first base.

Drop the compliance checklist and use an attack modeling approach instead.

Explain the four notions of attack modeling: valuable company assets, the vulnerabilities in those assets, the threats that exploit those vulnerabilities, and the security countermeasures that mitigate them.

It will take a few minutes, and every employee I've ever met will grok the concept immediately.

For starters, ask seven questions (you'll notice how all the process improvement methodologies always have seven steps…):

  • What is the single most important asset in your job?
  • What do you think is the single biggest threat to that asset?
  • How do you think attackers cause damage to the asset?
  • Can you give me one example of a security exploit (on condition of non-disclosure)?
  • If you could give the risk and compliance manager one suggestion, what would it be?
  • If you had to give the CEO one suggestion, what would it be?
  • If you had to give President Obama one suggestion on how to reduce the threat of global terror, what would it be?

Cross-posted from Israeli Software
Clint Laskowski:

This is a wonderful article and great questions to ask.

However, the truly first step in conducting a risk assessment is to establish the context (see ISO 31000, Risk Management). In this first step, you should (1) make sure you understand the business from an internal perspective, (2) understand it from an external perspective, (3) decide how you are going to calculate risk, and (4) decide how much risk you'll accept before you'll decide that a risk needs to be treated.

I think the rather informal questions you describe in this post are perfect, however, for a preliminary risk assessment or as a tool to determine if a more complete risk assessment is appropriate.

Here are two more for the list:

* Has this most important asset in your job ever been attacked before?

* How much damage will it cause to the organization if that important asset is unavailable for an hour? A day? A week?
Danny Lieberman:

Clint,

Excellent input. This is the first part in a series, and I will be developing the notion of using attack modeling in risk assessment all the way from the data collection phases through value at risk calculation and prioritizing security and compliance controls.

The informal questions are a way of putting employees at ease and serve as stimuli to drilling further down. The context is always a business context where everything is estimated/calculated in dollars - because at the end of the day that is the one thing the CEO understands.

There is also a structured methodology we use in a higher-level setting called Top Mapping, which you can read about here -
