In our previous posts in the series on Risk (“Why Risk” and “Risk is the Yardstick”) we have spoken about why risk matters.   We have looked at risk in the context of information technology and we have looked at risk as the yardstick to measure the state of an organizations security.  Which begs the question: If Risk is the yardstick to measure the state of our security, how do we measure it?

As stated in the previous posts on risk, for too many organizations risk has been tied to a vulnerability and patch management program.  Vulnerabilities are a piece of the puzzle and both regular vulnerability scanning and a mature patch management system are  important, there is much more to managing risk effectively. Other factors need to be figured into the analysis.  Some of these factors are:

  1. Vulnerability – This is perhaps the most confusing term used in reference to Risk due to years of inconsistent usage in the industry (more on this in an up-coming post).  For the purpose of this post, we will consider a vulnerability an exploitable weakness in an asset.
  2. Reachability – By reachability we refer to the ability of a threat to access (reach) a known weakness (or vulnerability).   Put simply, “Can an attacker reach the vulnerable asset to exploit it?”  This may entail an analysis of how a known vulnerable asset can be reached. What path would be taken to reach the asset?  It can also include scenarios where multiple vulnerabilities, assets and exploits are used in concert to reach a higher value asset. An example would be attacking a low value asset to reach another higher value asset.  Many of the existing security technologies including firewalls, IDP, proxies, content filters and more are implemented specifically to prevent Reachability from a threat to an asset.  Taking existing technologies into account is critical when trying to measure the effectiveness of the security efforts.
  3.  Asset Value – To measure an “amount” of risk, you must measure the impact of the loss.  In IT terms, it is common to refer to the value of the asset.  This could be the physical value, an opportunity-loss value, the value of the data stored on the system, or the loss value if customer data were stolen. This is big topic, but it is critical to understand that is part of risk measurement calculation.
  4. Threats – Where the threat originates, the motivation of the threat and the capability of the threat are all factors that affect the risk to an asset.

Of course there is more to measuring risk then these few paragraphs, but hopefully this will give you some insight into the factors that must be figured into measuring risk.