To make risk analysis a sound, repeatable process, you need a series of steps or phases that you follow the same way every time. I've realized that many people who are new to risk quantification, and even some with "mature" risk programs, lack a structured approach to risk analysis.
With that in mind, I thought it would be helpful to outline the high-level process we use at RiskLens, sprinkling in some helpful tips I've learned along the way.
Scoping
We always start with scoping, otherwise known as diagnosing and understanding the problem. I cannot overstate how important this step is; a weak scope is the folly of many organizations, and it is the usual reason for a shaky result at the end of an analysis. As I outlined in my post on scoping, a solid scope consists of understanding the following:
- Purpose: What is the reason for the analysis, or what decision are we trying to inform?
- Asset(s): What object or item is of value, or can create liability if compromised?
- Loss Type(s): How does the loss manifest itself (Confidentiality, Integrity, Availability)?
- Loss Event: What event occurs that results in loss? What is the bad thing that we are worried about happening?
Data Gathering
Once the scope is set, the next step is gathering the data that feeds the analysis. A few approaches we rely on, in order of preference:
- In-person or remote sessions: In our experience, nothing works better than in-person sessions when eliciting data from subject matter experts (SMEs). Building face-to-face relationships is key, because you will most likely reach out to these same SMEs again and again as you do more risk analyses. It also doesn't hurt that you can read body language, which overcomes the main downside of holding a remote session.
- "Data gathering helpers": When getting hold of SMEs is a problem, we gather the data at their leisure instead. In the past, we've developed what we call "data gathering helpers", which are essentially the data points we need, written out in a clear and coherent fashion for SMEs to answer on their own time. A word to the wise: knowing your audience here is critical. If the SMEs can provide input with limited context, this approach works well. On the other hand, if they want to get into the weeds of why you are asking the questions, you're probably better off scheduling an in-person or remote session.
- Leveraging sound industry sources: When all else fails, and the organization has limited visibility into the required data points, we look to sound industry sources as a basis for our estimates. In the past, we've leveraged data from Verizon's Data Breach Investigations Report, Imperva's Web Application Attack Report, and others. Keep in mind that any data gathered from an outside source, however sound, should be treated as a "jumping-off point" for your own calibrated estimates, not as the de facto answer to your analysis.