Ranking Your Findings
During the assessment, you may have discovered potential problems that will need to be presented to management in a structured order. This can be done by calculating a risk score. A risk score gives us a way to quantify our findings and determine a prioritized list of what is most important. The risk score takes into account two key items: raw risk and policy control.
Tip
Raw risk has two basic components: probability and impact. Probability is the likelihood of an event happening. Impact is the extent of the consequences should that event occur. Multiplying probability by impact gives a raw risk score that is easy to chart.
Probability * Impact = Raw Risk
Policy control is an analysis of the current state of the organization's policies. This has been discussed throughout the book: good policies are a real requirement. Policies that are deficient or nonexistent will factor heavily into our final calculations. The real objective here is to use raw risk and policy control to develop a risk ranking. This ranking can be used to group potential risks, and it gives us a way to identify high-impact, high-probability risks, as seen in Figure 9.1. That is the area where management should concentrate on improving policy control.
Figure 9.1. Impact and probability matrix.
This methodology assigns a numerical value to both the raw risk and policy control. This is not an exact science and is quite subjective. Let's continue this discussion by reviewing the first variable in the raw risk formula: impact.
Caution
Calculating impact and probability is highly subjective, so it's important to work with your team as you work through your analysis. Their input and judgment can be of help here. Make sure to clearly document your thought process so those reviewing the final report can see how you arrived at specific findings.
Impact Rating
As previously stated, impact ratings are highly subjective. The following scale is based on a numeric scale of one to three. For your analysis, you may decide that a scale of one to five should be used. In the end, this is just a method of gauging potential damage. The larger the scale, the more granular the results. We like a one-to-three scale because it is easy to work with and users relate well to a high, medium, and low scale. When discussing impact, you are basically asking what the potential damage is if a particular risk becomes a problem. Our three-tiered scale defines damage as follows:
- High (3): Significant loss of revenue, core business process significantly affected, permanent loss of customers
- Medium (2): Some loss of revenue, core business processes somewhat affected, customers upset with loss of service or outage
- Low (1): No loss of revenue, but inconvenient; a workaround exists so that the core business process continues, and customers are unaware of or unaffected by the loss of or change in service
Other criteria can be used or added to the preceding descriptions as needed. Overall, what's important is to classify your findings in a consistent manner.
Probability Scale
Although we cannot predict which potential risks will actually become a problem, estimating the probability helps us quantify each risk. Probability seeks to answer how likely it is that a particular risk becomes a problem. For our calculations, we will again use a scale of one to three to measure probability.
- High (3): Significant probability of occurrence
- Medium (2): Some possibility of occurrence
- Low (1): Low probability of occurrence
Note
Does the scale have to be one to three? Of course not, you could just as easily use a probability scale of one to five. If this is what you decide to do, be sure to clearly quantify each level and be consistent with its use.
Determining Raw Risk
We have now discussed impact and probability. They are the two components of raw risk. With these values established, we can now calculate raw risk. Remember the formula
Probability * Impact = Raw Risk
Because both impact and probability have three levels, the matrix has nine cells. The raw risk values are divided as follows:
- Low: 1 to 3
- Medium: 4 to 6
- High: 7 to 9
This means that a raw risk rating from one to three is considered low, four to six is ranked as medium, and seven to nine is a high ranking. Although the bands are evenly sized, the nine cells yield only six distinct products (1, 2, 3, 4, 6, and 9); a raw risk of 5, 7, or 8 cannot occur on a one-to-three scale. Placing the products into a matrix makes the consequence apparent. Table 9.1 displays these results.
Table 9.1. Impact and probability matrix (raw risk = probability x impact).

| Probability (multiplier) | Impact: Low (1) | Impact: Medium (2) | Impact: High (3) |
|---|---|---|---|
| High (3) | 3 - Low | 6 - Medium | 9 - High |
| Medium (2) | 2 - Low | 4 - Medium | 6 - Medium |
| Low (1) | 1 - Low | 2 - Low | 3 - Low |
What you can see by looking at Table 9.1 is that there is only one instance where it is possible to get a high rating. Only a high-probability, high-impact event will result in a high raw risk rating. What is great about this is that a high rating is not diluted. Most findings should not have a high rating. This score should be reserved for only the most urgent and important findings. After a raw risk ranking is calculated, the resulting value along with a policy control level can be used to determine priority.
Before we move on to that step, let's review what has been discussed so far. This is best accomplished by plugging some numbers into our equations and discussing the results. For example, let's assume that during the assessment, it was determined that proper media controls were not in place. Interviews with the cleaning staff revealed that sensitive documents were thrown in the trash and were not properly disposed of. During a walk-through inspection of several areas, you noticed that there were no paper shredders. One of your team members also volunteered to do a little dumpster diving and later presented some documents with sensitive information; others had client information, and even a credit card number was found.
These findings led you and your team to believe that there is a probability of a "3" that a loss of confidential information could have occurred. Your team has also reached the conclusion that if this had happened, the impact probably would not put the organization out of business, but could result in embarrassment, loss of income, or a loss of customers. As such, the team has rated impact as a "2."
Probability * Impact = Raw Risk (or) 3 * 2 = 6
Control Level
With the raw risk ranking calculations complete, we can move to our second set of calculations. The purpose of this set is to examine the state of the organization's policies and examine the effect this has on our findings thus far. Policy controls are one of the most important security mechanisms. Earlier in the book, we identified three categories of control and 18 classes, as shown in Table 9.2.
Table 9.2. Categories and classes of control.

| Management | Technical | Operational |
|---|---|---|
| INFOSEC documentation | Identification and authentication | Media controls |
| INFOSEC roles and responsibilities | Account management | Labeling |
| Contingency planning | Session controls | Physical environment |
| Configuration management | Auditing | Personnel security |
| | Malicious code protection | Education, training, and awareness |
| | Maintenance | |
| | System assurance | |
| | Networking/connectivity | |
| | Communications security | |
Although there are many different states that each of these 18 individual policy classes can exist in, they have been divided into three for ease of analysis. These three states are defined as follows:
- Ratings of "1" should be assigned to policies that are developed and in place but that lack enforcement or are not completely followed. Little work would be required to achieve a level of compliance.
- Ratings of "2" should be assigned to policies that exist but are somehow deficient. The deficiency can be caused by any number of factors: the policy has not been kept up to date, employees need to be trained on it, or additional technology is required to fully implement or correct it.
- Ratings of "3" are for situations where no policy exists. A 3 is the highest rating and would be used either when there is no policy or the existing policy is completely out of date or completely fails to address the security risk.
This scale, like the previous two, is highly subjective. Although three possibilities are used here, you could just as easily use a scale with five distinct levels. Other criteria can be used or added to the preceding descriptions as needed. This examination of where we are versus where we need to be is a form of gap analysis. Overall, what's important here is to classify your findings in a consistent manner that is documented so that individuals reviewing your findings can follow the process and determine how you arrived at your results.
Calculating the Risk Score
Now let's talk a little about how the risk score is calculated. The risk score formula is as follows:
Risk Score = Raw Risk * Level of Control
How do risk score ratings compare to those of raw risk? There were nine cells in our raw risk matrix and three levels of policy control, so the risk score matrix has 27 cells. Dividing the 1-to-27 range into low, medium, and high gives the following bands:
- Low: 1 to 9
- Medium: 10 to 18
- High: 19 to 27
The matrix displaying these values can be seen in Table 9.3. As with the raw risk matrix, the hardest rating to achieve is high risk. Because a one-to-three scale can produce a raw risk of only 1, 2, 3, 4, 6, or 9, the rows for raw risk 5, 7, and 8 are never reached in practice, and the only risk score that lands in the high band is 27: a high-probability, high-impact finding with no policy in place. A high-risk rating should be used for only the most critical findings.
Table 9.3. Risk score matrix (risk score = raw risk x level of control).

| Raw risk | Level of control 1 | Level of control 2 | Level of control 3 |
|---|---|---|---|
| High: 9 | Low - 9 | Medium - 18 | High - 27 |
| High: 8 | Low - 8 | Medium - 16 | High - 24 |
| High: 7 | Low - 7 | Medium - 14 | High - 21 |
| Medium: 6 | Low - 6 | Medium - 12 | Medium - 18 |
| Medium: 5 | Low - 5 | Medium - 10 | Medium - 15 |
| Medium: 4 | Low - 4 | Low - 8 | Medium - 12 |
| Low: 3 | Low - 3 | Low - 6 | Low - 9 |
| Low: 2 | Low - 2 | Low - 4 | Low - 6 |
| Low: 1 | Low - 1 | Low - 2 | Low - 3 |
Let's continue this discussion using the previous example, whose raw risk of "6" was a medium raw risk rating. During that discussion, we determined that a lack of adequate media controls could pose a risk to the organization. Our findings indicate that a media control policy exists, but because not all locations had shredders and users had not been trained to practice effective media control and destruction, the policy was deficient. This led the team to rank the level of control as a "2."
Risk Score = Raw Risk * Level of Control (or) 6 * 2 = 12
These values lead to a final risk score of "12," which falls in the medium band.
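The full procedure, from the impact and probability scales through the level of control, as an added worked example in Python that is not part of the original chapter. It encodes the chapter's two formulas and three sets of bands, rejects ratings outside the one-to-three scale, ranks a small constructed list of findings (only the media-controls entry mirrors the chapter's example; the other findings and their ratings are invented here), and enumerates which raw risk and risk score values the scales can actually reach.

```python
from dataclasses import dataclass
from itertools import product

# The chapter's scales: 1 = Low, 2 = Medium, 3 = High for probability,
# impact, and level of policy control alike.
SCALE = (1, 2, 3)


def _check(name, value):
    """Reject a rating that is not on the agreed scale, so a typo such as
    an impact of 4 cannot silently inflate a score."""
    if value not in SCALE:
        raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")


def band(score, low_max, medium_max):
    """Map a numeric score onto Low/Medium/High given the band boundaries."""
    if score <= low_max:
        return "Low"
    if score <= medium_max:
        return "Medium"
    return "High"


def raw_risk(probability, impact):
    """Probability * Impact = Raw Risk."""
    _check("probability", probability)
    _check("impact", impact)
    return probability * impact


def raw_risk_band(score):
    """Raw risk bands from the chapter: Low 1-3, Medium 4-6, High 7-9."""
    return band(score, 3, 6)


def risk_score(probability, impact, control):
    """Risk Score = Raw Risk * Level of Control."""
    _check("control", control)
    return raw_risk(probability, impact) * control


def risk_band(score):
    """Risk score bands from the chapter: Low 1-9, Medium 10-18, High 19-27."""
    return band(score, 9, 18)


@dataclass(frozen=True)
class Finding:
    """One assessment finding with the three ratings the team assigned."""
    title: str
    probability: int
    impact: int
    control: int

    @property
    def raw(self):
        return raw_risk(self.probability, self.impact)

    @property
    def score(self):
        return risk_score(self.probability, self.impact, self.control)


def rank_findings(findings):
    """Highest risk score first; ties broken by raw risk, then title, so the
    order presented to management is reproducible from the same inputs."""
    return sorted(findings, key=lambda f: (-f.score, -f.raw, f.title))


def reachable_raw_risks():
    """Every raw risk value a 1-3 probability and 1-3 impact can produce."""
    return {raw_risk(p, i) for p, i in product(SCALE, repeat=2)}


def reachable_risk_scores():
    """Every risk score the full 1-3 scales can produce, with its band."""
    scores = {}
    for p, i, c in product(SCALE, repeat=3):
        s = risk_score(p, i, c)
        scores[s] = risk_band(s)
    return scores


# Constructed sample findings. The media-controls entry mirrors the chapter's
# worked example (probability 3, impact 2, control 2); the others are invented
# here only to show how the ranking comes out.
FINDINGS = [
    Finding("Media controls: sensitive documents in trash, no shredders", 3, 2, 2),
    Finding("No malicious code protection on file servers", 2, 3, 3),
    Finding("Visitor badge policy exists but is not enforced", 2, 1, 1),
    Finding("Unpatched internet-facing web server, no configuration "
            "management policy", 3, 3, 3),
]


if __name__ == "__main__":
    for f in rank_findings(FINDINGS):
        print(f"{f.score:>2} {risk_band(f.score):<6} "
              f"(raw {f.raw} {raw_risk_band(f.raw)})  {f.title}")
    print("Reachable raw risks:", sorted(reachable_raw_risks()))
    print("Reachable risk scores:", sorted(reachable_risk_scores().items()))
```

Running the file prints the ranked list and the reachable values; the enumeration shows that 27 is the only score that lands in the high band, which is the "high rating is not diluted" property the chapter describes. If you move to a one-to-five scale, change SCALE and the band boundaries together and re-run the enumeration, because the band boundaries, not the formula, are what keep a high rating rare.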
The risk score helps quantify the risk discovered during the vulnerability assessment. It also gives you a way to present your findings to management in a way that they can relate to. You should step them through the methodology used to reach your conclusions. Educating them helps them understand how you reached each risk score.