In order to make risk analysis a sound, repeatable process, you need a series of steps or phases you follow time and time again. I’ve realized that many who are new to risk quantification, and even those with “mature” risk programs, lack a structured approach to risk analysis.
With that, I thought it would be helpful to outline the high-level process we use at RiskLens, sprinkling in some helpful tips I’ve learned along the way.
We always start with scoping, otherwise known as diagnosing and understanding the problem. I cannot overstate how important this step is, or how often I’ve seen skipping it become the folly of an organization that ends up with a shaky result. As I’ve outlined in my post on scoping, a solid scope consists of understanding the following:
- Purpose: What is the reason for the analysis, or what decision are we trying to inform?
- Asset(s): What object or item is of value, or can cause liability if compromised?
- Loss Type(s): How does the loss manifest itself (Confidentiality, Integrity, Availability)?
- Loss Event: What event occurs that results in loss? What is the bad thing that we are worried about occurring?
I, along with some of our more sophisticated customers, take this step up a notch by working out how the scenario maps to the FAIR model. I’ve outlined a mapping approach in another post, but I’ve frequently seen it performed on whiteboards, pieces of paper, or just in passionate discussion/debate.
After we have a good grasp of the problem, and how the scenario maps to the FAIR model, we need to gather the data. We do this in the following ways:
- In-person or remote sessions: It’s been our experience that nothing works better than in-person sessions when trying to elicit data from subject matter experts (SMEs). Building face-to-face relationships is key, as you’ll most likely reach out to these same SMEs again and again as you do more risk analyses. It also doesn’t hurt that you can read body language, overcoming the main downside of holding a remote session.
- “Data gathering helpers”: When getting hold of SMEs is a problem, we try to gather the data at their leisure. In the past, we’ve developed what we call “data gathering helpers”, which are essentially the data points we need, written out in a clear and coherent fashion for SMEs to answer. A word to the wise: knowing your audience here is critical. If they are someone who can provide input with limited information, then this approach should work well. On the other hand, if they are someone who will want to get into the weeds of why you are asking the questions, then you’re probably better off just scheduling an in-person or remote session.
- Leveraging sound industry sources: When all else fails, and the organization has limited visibility into the required data points, we look to sound industry sources as a basis for our estimates. In the past, we’ve leveraged data from Verizon’s Data Breach Investigations Report, Imperva’s Web Application Attack Report, and others. Keep in mind that any data gathered from a sound source should be viewed as a “jumping off point”, not the de facto answer to your analysis.
So, after doing an excellent job of scoping the analysis, understanding the problem, and gathering all of the data, the most exciting part of the risk analysis process, bar none, is hitting the run button on the RiskLens application.
Yet what makes an analysis ready for the next step, reporting, is quality assurance, or refinement of the results. A good risk analyst will review the results with a critical eye, ensuring they accurately reflect the problem under analysis along with all of the information received along the way. It’s at this step that an analyst knows whether or not he or she can stand behind the results and get in front of the proverbial firing squad with the analysis.
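Because the scope elements above and this refinement step both come down to checks an analyst can write down, here is an added example (mine, not RiskLens code or the RiskLens application) that runs FAIR’s top-level relationship, annualized loss as Loss Event Frequency times Loss Magnitude, over constructed SME estimates and then applies the kind of sanity checks the refinement step calls for. The scenario values, the triangular sampling, and the 5% tolerance are all assumptions of the example.

```python
import random
from dataclasses import dataclass

@dataclass
class Estimate:  # SME-elicited minimum / most likely / maximum
    low: float
    mode: float
    high: float

@dataclass
class Scenario:  # the four scope elements plus FAIR's two top-level inputs
    purpose: str
    asset: str
    loss_type: str
    loss_event: str
    lef: Estimate  # Loss Event Frequency, events per year
    lm: Estimate   # Loss Magnitude, dollars per event

EXAMPLE = Scenario(  # constructed example values, not customer data
    purpose="Decide whether to fund MFA for the customer portal",
    asset="Customer PII in the portal database",
    loss_type="Confidentiality",
    loss_event="External actor exfiltrates customer records using stolen credentials",
    lef=Estimate(0.1, 0.5, 2.0),
    lm=Estimate(50_000, 200_000, 1_000_000),
)

def simulate(scn, iterations=10_000, seed=1):
    """The 'run' step: annualized loss = LEF x LM per iteration (FAIR's top-level relationship),
    each input drawn from a triangular distribution as a stand-in for a tool's calibrated ones."""
    rng = random.Random(seed)
    ale = sorted(rng.triangular(scn.lef.low, scn.lef.high, scn.lef.mode)
                 * rng.triangular(scn.lm.low, scn.lm.high, scn.lm.mode)
                 for _ in range(iterations))
    def pct(p):
        return ale[int(p * (len(ale) - 1))]
    return {"min": ale[0], "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "max": ale[-1], "mean": sum(ale) / len(ale)}

def qa_check(scn, result):
    """The refinement step: list reasons an analyst could not stand behind the result."""
    issues = [f"scope is missing its {n}" for n in ("purpose", "asset", "loss_type", "loss_event")
              if not getattr(scn, n).strip()]
    if result["min"] < scn.lef.low * scn.lm.low or result["max"] > scn.lef.high * scn.lm.high:
        issues.append("simulated loss falls outside the SME-elicited bounds")
    # Triangular mean is (low + mode + high) / 3; independent inputs multiply. 5% suits 10k runs.
    expected = sum((scn.lef.low, scn.lef.mode, scn.lef.high)) / 3 * sum((scn.lm.low, scn.lm.mode, scn.lm.high)) / 3
    if abs(result["mean"] - expected) > 0.05 * expected:
        issues.append("mean annualized loss does not reconcile with the inputs")
    return issues
```

An empty issue list means the numbers can be reconciled with the scope and the SME inputs; anything else is a reason to go back to the SMEs before reporting.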
When it comes to reporting, having a good understanding of your audience is key. Many decision makers have a pre-formatted template, or standard approach to getting their information. Some like seeing things in the red, yellow, green color spectrum of heat maps, while others are more comfortable seeing numbers.
My approach when it comes to reporting is to give decision makers what they want, in the form they like seeing it, along with a little bit of what they should see. Remember, the goal at the end of a risk analysis is to provide insight that decision makers can use to make better, more well-informed decisions. How you frame and relay the results plays a big role in how they use the information.
There you have it, the risk analysis process in four high-level steps. We hope you found this helpful.