Security Scanning is not Risk Analysis
Laura Taylor
07/14/02
Many information technology (IT) decision makers assume that performing a security vulnerability assessment is the same thing as risk analysis. However, these two processes are very different. Performing a security vulnerability assessment helps you determine what the existing holes and vulnerabilities are in your systems and networks at a single moment in time.
A good security vulnerability assessment service will deliver a comprehensive report that includes detailed information about what exploits and possible threats your systems and networks are vulnerable to, and will rank these exploits and threats according to their risk levels. It should also include information about the exploits and threats, specifically naming them and describing how they work, and also provide recommendations for mitigating actions.
A risk analysis, in the classical sense, is a process that an organization goes through to determine their risk exposure. Risk is the possibility that damage could happen to a business or organization. The goal of a risk analysis is to determine the probability of potential risks, in order to integrate financial objectives with security objectives.
Differentiating Scanning from Risk Analysis
There are many system and network security scanners that have the word "risk" in their product names. However, what differentiates network and system security risk assessment tools from classical risk analysis tools is whether or not the tool has the capability of calculating loss metrics and financial metrics. The most commonly used loss metric is Annualized Loss Expectancy (ALE). ALE was developed in 1979 by the National Bureau of Standards. The National Bureau of Standards was absorbed into the National Institute of Standards and Technology (NIST) in the mid-80s. Financial metrics typically used to measure loss include cost of risk mitigation (the cost of implementing safeguards), return on investment, and cost benefit analysis.
How Risk Analysis Works
The three primary steps to performing a risk analysis include:
- Identifying the risks
- Determining the impact of the threats
- Balancing the impact of the threats with safeguards
In identifying the risks, clearly it's necessary to determine what is at risk. There are three risk categories that I suggest IT decision-makers focus on in performing a risk analysis:
- Asset risks
- Mission risks
- Security risks
Assets are physical or tangible items that have a financial value associated with them. Missions are functions, jobs, or tasks that need to be performed. Security is the ability to keep safe the missions and the assets, and really is a specialized mission. However, I like to list security separately, to emphasize its importance, and how it integrates with both assets and missions.
When you determine the security risk exposure, you are determining the vulnerabilities that exist that have the potential to cripple people, data, or other assets. When you determine the mission exposure, you are determining the vulnerabilities that exist that have the potential to prevent an organization from accomplishing its chartered mission. When you determine the asset risk, you are determining the vulnerabilities that exist that have the potential to harm a business's physical or tangible assets.
Threats are what subject an organization's assets and missions to risk. When you consider threats, you need to determine the probability of their occurrence, and also the severity of how bad they will be if they occur. In order to manage threats, you need to be able to measure risks. As was noted earlier, risk is the possibility of loss, and you need to be able to assign a numerical value to that possibility to determine your risk exposure.
Probability, Severity, and Calculations
Best practices and standards have been established to calculate risk exposure. To calculate risk exposure, two variables P(L) and S(L) are used. P(L) is the probability of loss, and it is a threat frequency value. S(L) is the severity of the potential loss. By factoring these two components together, we can determine a risk exposure numeric. To summarize:
P(L) = the probability of the potential loss
S(L) = the severity of the potential loss
R(E) = the total risk exposure
P(L) x S(L) = R(E)
Typically P(L) is normalized for a particular geographic location. For example, the threat of a hurricane is much greater in Florida than in Illinois. When we normalize P(L) for a particular geographic location, we use what is known as LAFE and SAFE. LAFE stands for Local Annual Frequency Estimate, and SAFE stands for Standard Annual Frequency Estimate. LAFE is typically applied to the exact location of a risk, e.g. Pensacola, Florida. SAFE is applied to a much bigger geographic area such as North America.
The reduction in value of an asset from one threatening incident is called the Single Loss Expectancy (SLE). SLE is the value lost once a threat has been applied. Another way of understanding SLE is that it is the current value (after the threat has been applied) subtracted from the total cost of ownership. To summarize:
SLE = Original Total Cost of Ownership - Remaining Value
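As an added worked example (not code from the article), the following Python carries the calculations above through for one threat: SLE from total cost of ownership, R(E) = P(L) x S(L) with P(L) taken from either the LAFE or the SAFE, and, going a step beyond the page's formulas, the annualized loss and the safeguard cost-benefit balance that step 3 of the risk analysis process calls for. The dollar amounts and frequencies are constructed for illustration.

```python
"""Risk-exposure arithmetic from the article, as an added example (not the author's code).
All threat figures below are constructed sample values, not real estimates."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    lafe: float       # Local Annual Frequency Estimate (expected incidents/year at this site)
    safe: float       # Standard Annual Frequency Estimate (incidents/year over a wide region)
    tco: float        # original total cost of ownership of the exposed asset
    remaining: float  # value remaining after one incident


def single_loss_expectancy(t: Threat) -> float:
    """SLE = Original Total Cost of Ownership - Remaining Value."""
    return t.tco - t.remaining


def risk_exposure(p_l: float, s_l: float) -> float:
    """R(E) = P(L) x S(L): threat frequency times severity of the potential loss."""
    return p_l * s_l


def annualized_loss_expectancy(t: Threat, local: bool = True) -> float:
    """ALE: expected loss per year. P(L) is the LAFE for the exact site or the SAFE
    for the region; S(L) is the SLE. (Generalization of the page's R(E) formula.)"""
    p_l = t.lafe if local else t.safe
    return risk_exposure(p_l, single_loss_expectancy(t))


def safeguard_net_benefit(t: Threat, ale_with_safeguard: float, annual_cost: float) -> float:
    """Balance threat impact against a safeguard (step 3 of the process).
    Positive means the safeguard reduces yearly expected loss by more than it costs.
    Assumption: standard cost-benefit rule, not spelled out on the page."""
    return annualized_loss_expectancy(t) - ale_with_safeguard - annual_cost


# Constructed sample: hurricane threat to a data center in Pensacola, Florida.
hurricane = Threat("hurricane", lafe=0.5, safe=0.02, tco=2_000_000, remaining=1_400_000)


def main() -> None:
    sle = single_loss_expectancy(hurricane)
    print(f"SLE: ${sle:,.0f}")
    print(f"ALE (LAFE, Pensacola): ${annualized_loss_expectancy(hurricane):,.0f}")
    print(f"ALE (SAFE, North America): ${annualized_loss_expectancy(hurricane, local=False):,.0f}")
    # Constructed safeguard: flood barriers cut expected yearly loss to $60,000 for $100,000/year.
    print(f"Safeguard net benefit: ${safeguard_net_benefit(hurricane, 60_000, 100_000):,.0f}")


if __name__ == "__main__":
    main()
```

Using the regional SAFE instead of the site-specific LAFE understates the Pensacola exposure by a factor of 25, which is the point of normalizing P(L) to the location.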