Risk Assessment method design
It is so easy it is scary
Useful risk assessment methods are hard to come by. In order to be really useful, an RA method should:
- Inform us of something we did not know when we started the analysis. Otherwise the analysis is banal and a waste.
- List the important threats to the organization.
- Gauge how safe we are, or how likely it is an incident will happen and how much it will cost.
- Give an indication of how much we should invest in cybersecurity.
Every time someone designs a new RA method, they face the same problems and degrees of freedom:
- For threats, a threat taxonomy; most methods invent one rather than rely on an existing taxonomy.
- For controls/countermeasures, a controls taxonomy, like the ISO 27x controls, PCI-DSS controls, NIST SP 800-53 controls, Cyber Essentials, COBIT, etc.
- For the information systems (or assets), a model of the information systems, modelled with adequate scope and depth.
And some additional factors that you can review in this graph:
Unfortunately there are so many degrees of freedom that almost every professional makes up their own method, combining the ten factors above, sometimes fewer, sometimes more. Because of this multiplicity of methods, it is exceedingly difficult to compare risk between companies, or even between different points in time in the same company.
The combination also depends on the scale used to measure value, cost, strength or severity; frequently one of the following is used:
- Monetary units
- High-Medium-Low
- Numeric scales free of dimensions (1 to 5, 1 to 10)
- Likelihood 0–0.99
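To see why the choice of scale alone makes two methods' results incomparable, here is an added Python illustration (not from the post): three constructed threat scenarios, scored once in monetary units and once on a dimensionless 1 to 5 scale. The two methods rank the same threats in different orders, and only the monetary total says anything about how much to invest. All frequencies, losses and bucket boundaries are made-up sample values.

```python
# Added illustration (not from the post): the same three constructed threat
# scenarios scored by two RA methods that differ only in the scale chosen.
# All frequencies, losses and bucket boundaries are made-up sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float   # expected incidents per year (constructed)
    loss_per_incident: float  # loss per incident in monetary units (constructed)


SCENARIOS = (
    Scenario("stolen laptop", 1.5, 200_000),
    Scenario("phishing credential theft", 3.0, 90_000),
    Scenario("ransomware", 0.08, 3_000_000),
)

# Bucket boundaries a method designer picks when using a 1-5 scale.
LIKELIHOOD_STEPS = (0.05, 0.5, 2.0, 5.0)
IMPACT_STEPS = (10_000, 100_000, 500_000, 1_000_000)


def score_monetary(s: Scenario) -> float:
    """Method A: annualised loss expectancy, in monetary units."""
    return s.annual_frequency * s.loss_per_incident


def to_bucket(value: float, steps: tuple) -> int:
    """Map a measurement onto a 1..5 ordinal scale using the chosen steps."""
    return 1 + sum(value > step for step in steps)


def score_ordinal(s: Scenario) -> int:
    """Method B: dimensionless likelihood (1-5) x impact (1-5) product."""
    likelihood = to_bucket(s.annual_frequency, LIKELIHOOD_STEPS)
    impact = to_bucket(s.loss_per_incident, IMPACT_STEPS)
    return likelihood * impact


def ranking(score_fn) -> list:
    """Scenario names ordered from highest to lowest score under one method."""
    return [s.name for s in sorted(SCENARIOS, key=score_fn, reverse=True)]


if __name__ == "__main__":
    for label, fn in (("monetary", score_monetary), ("ordinal 1-5", score_ordinal)):
        print(label, [(s.name, fn(s)) for s in SCENARIOS], "->", ranking(fn))
    # Method A's total is a spend ceiling in money; Method B's total has no unit.
    print("ALE total:", sum(score_monetary(s) for s in SCENARIOS))
```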
Every time I speak in public about this subject, I have been bold enough to bet that someone in the audience has invented their own RA method. Never lost so far!
Appendix
If you are still interested in learning about one more risk assessment method, I explain the O-ISM3 RA method in the long video below:
More about RA in: Risk Assessment is not even wrong!