Risk Analysis: Do It Right and Save Money

Updated: April 30, 2009

It sounds straightforward: Risk analysis calls for organizations to identify their key assets, the threats those assets face, the potential cost to the organization should a given threat come to pass and the cost of risk mitigation. When properly executed, risk analysis can help managers make informed decisions on where to invest their security dollars. It can also enable them to launch a comprehensive risk-management program.

In actual practice, however, risk analysis often falls short of this vision. Analytical exercises tend to be too limited in scope to be completely effective.

"It's one of the things in security that many organizations don't do well," said Jon Gossels, president of SystemExperts Corp., a Sudbury, Mass., computer and network security firm. Gossels said that security directives incorporated in such regulations as HIPAA (Health Insurance Portability and Accountability Act) and PCI (Payment Card Industry) point toward risk analysis. The same holds true for security standards such as ISO 17799, he added.

"They all call for systematic security risk assessment," Gossels said. "Most organizations don't do that yet."

In many cases, explained Gossels, risk analysis tends to focus on tactical projects, such as a new application rollout.

Appetite for Risk

So what should security-minded managers do instead? The key is for executives to determine their greatest risks and their "appetite for those risks," said Ron Lepofsky, chief executive officer of ERE Information Security Auditors, a Toronto-based firm that performs cyberaudits on security standards for regulatory compliance. "Do they accept them or do something about them?"

If executives seek to address a risk, the task becomes putting a price on the downside risk and figuring out the cost of mitigating that risk.

ERE's approach is to conduct an information-security audit, identify vulnerabilities and associate each vulnerability with a business risk. The company presents the client with a list of business risks. The list is circulated among the client's executive committee, with each member estimating the cost of those risks, Lepofsky said. The estimates are plugged into a spreadsheet tool that ERE provides. The estimates are averaged, and that becomes the projected downside cost.

ERE also identifies steps that the customer must take to mitigate IT security risks. Price quotes for addressing the various risks are obtained and entered into the tool, which then calculates the return on investment. It's then up to the executives to make a yes or no decision on a particular security investment, Lepofsky said.
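The two steps above (average the executives' estimates into a projected downside, then set that against a mitigation quote to get a return on investment) are simple enough to show in code. The script below is an added illustration written for this article, not ERE's spreadsheet tool: the ROI formula, the "estimates disagree" threshold, the risk names and all dollar figures are assumptions constructed for the demonstration. It adds one check a practitioner would want that a bare average hides: when the committee's estimates are spread wider than the average itself, the row is flagged so the executives revisit it rather than trusting a number nobody actually gave.

```python
"""Turn executive cost estimates and mitigation quotes into a ranked ROI table.

Illustrative code written for this article, not ERE's spreadsheet tool.
The ROI formula, the disagreement threshold and every figure below are
assumptions made for the demonstration.
"""
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple

# Constructed sample input: each executive's estimate of what a risk would
# cost the business, and the vendor quote to mitigate it (all in dollars).
SAMPLE_ESTIMATES: Dict[str, List[float]] = {
    "Customer database breach": [500_000, 900_000, 700_000, 300_000],
    "Ordering site outage":     [50_000, 80_000, 20_000, 50_000],
    "Unencrypted laptop loss":  [10_000, 200_000, 15_000, 15_000],
}
SAMPLE_QUOTES: Dict[str, float] = {
    "Customer database breach": 120_000,
    "Ordering site outage":     60_000,
    "Unencrypted laptop loss":  30_000,
}


class RiskAssessment(NamedTuple):
    risk: str
    downside: float           # averaged executive estimate of the loss
    spread: float             # population std. dev. of those estimates
    mitigation_cost: float
    roi: float                # loss avoided per dollar of mitigation spend
    estimates_disagree: bool  # spread exceeds the average: do not trust the mean blindly


def projected_downside(estimates: List[float]) -> float:
    """Average the committee's estimates, as the article describes."""
    if not estimates:
        raise ValueError("a risk needs at least one estimate")
    return mean(estimates)


def mitigation_roi(downside: float, mitigation_cost: float) -> float:
    """Assumed formula: (loss avoided - spend) / spend.
    Negative means the fix costs more than the risk it removes."""
    if mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    return (downside - mitigation_cost) / mitigation_cost


def assess(estimates: Dict[str, List[float]], quotes: Dict[str, float],
           disagreement_ratio: float = 1.0) -> List[RiskAssessment]:
    """Build the ROI table, highest ROI first. Raises if a risk has no quote."""
    table = []
    for risk, values in estimates.items():
        if risk not in quotes:
            raise KeyError(f"no mitigation quote for {risk!r}")
        downside = projected_downside(values)
        spread = pstdev(values) if len(values) > 1 else 0.0
        table.append(RiskAssessment(
            risk=risk,
            downside=downside,
            spread=spread,
            mitigation_cost=quotes[risk],
            roi=mitigation_roi(downside, quotes[risk]),
            estimates_disagree=spread > disagreement_ratio * downside,
        ))
    return sorted(table, key=lambda row: row.roi, reverse=True)


def recommend(row: RiskAssessment, min_roi: float = 0.0) -> str:
    """The yes/no the executives are asked for: mitigate if ROI clears the bar."""
    return "mitigate" if row.roi > min_roi else "accept"


if __name__ == "__main__":
    for row in assess(SAMPLE_ESTIMATES, SAMPLE_QUOTES):
        note = "  (estimates disagree, revisit)" if row.estimates_disagree else ""
        print(f"{row.risk:26} downside ${row.downside:>10,.0f}  "
              f"fix ${row.mitigation_cost:>8,.0f}  ROI {row.roi:6.2f}  "
              f"-> {recommend(row)}{note}")
```

Run as a script it prints one line per risk. In the constructed data the database breach clears the bar easily, the outage mitigation costs more than the averaged loss and is marked "accept", and the laptop row is flagged because one executive's estimate is an order of magnitude above the others; its ROI of 1.0 is an artefact of the average, not a figure anyone on the committee gave.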

Symantec Corp.'s consulting arm has developed its own risk-analysis approach, which it calls the Foundation IT Risk Assessment service. Symantec uses workshops and executive interviews, among other techniques, to cull out an organization's risk perceptions, noted Samir Kapuria, director of Global Consulting Services at Symantec.

Symantec also uses a toolset to facilitate risk analysis. Its Information Risk Model program helps gauge the maturity of an organization's capabilities for addressing risk. The toolset lets a customer benchmark competencies against like companies, Kapuria said.

Gossels, meanwhile, said he recommends the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) methodology to clients pursuing risk analysis. OCTAVE was developed by Carnegie Mellon University's SEI (Software Engineering Institute), which describes OCTAVE as a framework for identifying important information assets and the risks to them.

OCTAVE, Gossels said, deals with security in "the proper business context."

Dollars and Risk

The business focus is critical to risk analysis, which Gossels described as "first and foremost a matter of understanding your business."

The risk-analysis process, added Lepofsky, "tends to remove any technobabble and discussion about technology from the executive discussion and allows the executives to talk about two subjects: dollars and risk."

Kapuria said the business and technology sides of the house view risk differently, noting that both sides should be brought together.

"There tends to be a big disconnect between how … technology-management groups look at risk versus how the business looks at risk," he said.

Kapuria said business executives identify risk in terms of brand protection or operational disruption. But as the execution of business functions increasingly relies on IT, a piece of technology infrastructure — a key application server, for instance — can also prove a source of risk, he said.

The goal of Symantec's service is to converge the two perspectives, Kapuria said. Regardless of approach, a thorough risk analysis can lead to wiser security investment.

"Risk analysis helps them manage their dollars more effectively," Lepofsky said, noting that ERE builds risk analysis into all of the security audits it performs.

"Many organizations think risk assessment is an overhead cost," Gossels said. "In fact, if you do it properly, it can save money in the long run."
