Risk management is the process of identifying, examining, measuring, mitigating, or transferring risk. Its main goal is to reduce the probability or impact of an identified risk. The risk management lifecycle includes all risk-related actions such as Risk Assessment, Analysis, Mitigation, and Ongoing Risk Monitoring which we will each of these in more depth in this article.

Lifecycle of Risk Management

  1. Risk assessment: This is where you will categorize, classify and evaluate assets, as well as identify threats and vulnerabilities associated with you these assets and your organisation.
  2. Risk analysis: Risk analysis is the process of studying the risks in detail that the organisation’s assets are susceptible to due to the existence of the previously-identified vulnerabilities.
  3. Risk mitigation/response: Includes reducing or avoiding risk, transferring risk, and accepting or rejecting risk
  4. Risk Monitoring: Risks change over time and hence risk management will be most effective where it is dynamic and evolving. Monitoring and review are integral to successful risk management and entities may wish to consider articulating who is responsible for conducting monitoring and review activities.

Each section within the lifecycle is crucial for CISSP and has been further defined below.

1. Risk assessment

This step can also be known as the risk Identification step. You cannot begin planning how you will respond to potential risks until you understand your systems in-depth and what risks are associated with your systems. Without proper consideration and evaluation of risks, the correct controls may not be implemented. The risk assessment step of the lifestyle ensures that we identify and evaluate our assets, and then identify threats and their corresponding vulnerabilities. The following steps are officially part of a risk assessment as per NIST 800-30:

  • System characterization – In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. In summary, you are basically auditing your system and noting all systems, Software, hardware and even people and the purpose of each of these to the business. Characterizing an IT system establishes the scope of the risk assessment and provides information essential to defining the risks.
  • Threat identification – A threat is defined as any event that could harm an organization’s people or assets.  In this step, you will list all of the threats you can imagine including intentional, unintentional, technical, non-technical, and structural.
  • Vulnerability identification – A vulnerability is any potential weak point that could allow a threat to cause damage. For example, outdated antivirus software is a vulnerability that can allow a malware attack to succeed. The analysis of the threat to an IT system must include an analysis of the vulnerabilities associated with the system environment. The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat sources.
  • Control analysis – The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability.
  • Likelihood determination – Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls.
  • Impact analysis – The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability. This analysis should factor in the mission of the asset and any processes that depend upon it, the value of the asset to the organization and the sensitivity of the asset and the data associated with the asset.
  • Risk determination – The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair should be based on the likelihood that the threat will exploit the vulnerability, the approximate cost of each of these occurrences and the adequacy of the existing or planned information system security controls for eliminating or reducing the risk.
  • Control recommendation – During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level.
  • Results documentation – The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on.

2. Risk analysis

The risk assessment stage is a great way to start identifying the risks and get them documented. The risk analysis stage is where you can start taking a deeper look at each of these risks. Risk analysis is a process that is used to take the information you have gathered in the risk assessment stage identify risk and quantify the possible damages that can occur to the information assets to determine the most cost-effective way to mitigate the risks. Risk analysis also assesses the possibility that the risk will occur in order to weigh the cost of mitigation. As information security professionals, we would like to create a secure, risk-free environment. However, it might not be possible to do so without a significant cost. As a security manager, you will have to weigh the costs versus the potential costs of loss.

Risk can be analyzed through a qualitative and quantitative lens.

What is Qualitative Risk Analysis?

Out of the two risk analysis techniques explained here, Qualitative is considered the easiest of the two and less time-consuming. Qualitative risk assessment is subjective and uses a rating or scoring based on a person’s perception of the severity and likelihood of its consequences. Each risk might be ranked with adjectives such as “low,” “medium,” or “severe.”The goal of qualitative risk analysis is to come up with a shortlist of risks that need to be prioritized above others.

What is Quantitative Risk Analysis?

Quantitative risk analysis looks at risks in a little more depth and relies on data and information to calculate the risk. The goal of quantitative risk analysis is to further specify how much will the impact of the risk cost the business. This is achieved by using what’s already known to predict or estimate an outcome. 

Quantitative analysis is objective and numbers-driven. It requires more experience than qualitative analysis and involves calculations to determine a dollar value associated with each risk element. Business decisions are fundamentally driven by this type of analysis. It is an essential step in order to conduct a cost/benefit analysis

Key data used in the calculations for risk analysis include:

  • AV: Asset value
  • EF: Exposure factor
  • ARO: Annual rate of occurrence
  • Single loss expectancy = AV * EF
  • Annual loss expectancy = SLE * ARO
  • Risk value = probability * impact (Probability is how likely it is for the threat to materialize and impact the extent of the damage)

By using information gathered from experience and past events, the numerical values outlined above can be used to calculate a more accurate risk analysis.

3. Mitigating risk

Risk mitigation is an essential business practice of developing plans and taking actions to reduce threats to an organization. Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process.
Because the elimination of all risk is usually impractical or close to impossible, it is the
responsibility of senior management and functional and business managers to use the least-cost
approach and implement the most appropriate controls to decrease mission risk to an acceptable
level, with minimal adverse impact on the organization’s resources and mission.

Responses to risk mitigation:

  • Reduce/ Mitigate – this is where you will actively implement a security control to mitigate or reduce the risk. Risk mitigation represents an investment in order to reduce the risk on a project.
  • Risk avoidance – An organization avoids investments or operations in areas with too significant a risk or cost. This technique usually involves developing an alternative strategy that is more likely to succeed but is usually linked to a higher cost.
  • Risk acceptance – Operating with an understanding that some risk will occur in one area so the organization can prioritize mitigating or profiting in other areas.  
  • Risk transfer – The process of allocating a portion of risk to a third party. An insurance policy is one example. 
  • Risk monitoring – Watching for changes in risks and their potential impact on an organization. 

Each of these mitigation techniques can be an effective tool to reduce individual risks and the risk profile of the project.

4. Risk Monitoring and Review

Technology and constantly changing and the risks that are associated with it will change it. The monitoring and review of risks is a crucial step to successful risk management. Key objectives of risk monitoring and review include:

  • the detection of changes in the internal and external environment
  • identifying new or emerging risks
  • the continued review of the effectiveness and relevance of existing controls
  • increased understanding and management of already identified risks
  • analysing and learning lessons from events, including near-misses, successes and failures

The ultimate objective of CM is to determine if the security and privacy controls implemented by an organization continue to be effective over time considering the inevitable changes that occur in the environment in which the organization operates. Continuous monitoring provides an effective mechanism to update security and privacy plans, assessment reports, and plans of action and milestones.