Security Assessment

Words: 2096

Pages: 9

Category: Science and Technology

Date Submitted: 03/14/2016 09:18 PM

Information Security Risk Management (ISRM)

For security practitioners, ISRM is

…the proper application of business risk mitigation tools and methods resulting in the implementation of security controls that, when operating properly—either alone or as part of a layered set of safeguards—mitigate business risk associated with an information system to a level acceptable to management. This must be done in a way that maintains the highest possible operational effectiveness of the personnel and processes using the systems protected by these controls (Olzak, 2008, p. 3).

Put simply, it is our job to reduce the probability that a threat agent will exploit a vulnerability and cause significant harm to the business or its customers, employees, investors, or the public in general. Figure 2-1 shows a different approach to the risk formula introduced in Chapter 1.

In our new formula, I replace probability of occurrence with means, opportunity, and motive. Reactively, investigators use these to identify subjects. Proactively, we can use them to understand how a criminal might look at our information assets.

Figure 2-1: Modified Risk Formula

Means, Motive, and Opportunity

Probability of occurrence traditionally translates to (threats * vulnerabilities). In Figure 2-1, threats break down into means and motive. Opportunity is another way of describing the physical and logical doors and windows left open. In other words, a threat possesses the skills or capabilities (means) needed to satisfy financial, political, personal, or other objectives (motive). The threat uses a threat agent or action to launch an attack or cause unwanted network or system effects.

Motive is often the most important variable. For example, a person with a strong motive might relentlessly pursue his target. Attackers with weak motivation might simply give up after hitting the first difficult prevention control. Understand the possible targets within your organization and how criminals,...