RISKY ABOUT RISK 2

3 May 2025

(and similar concepts)

Doc. Ing. Jaroslav Sivák, CSc., MBA

1. Introduction

This article continues the reflections on basic concepts used in the categories of "protection and security." As noted in the first article, the word "risky" applies because the claims made here may not appeal to academics, to the staff of security departments who created and use (or do not use) terminological dictionaries, to those who draft laws and other legal norms in the security field, and to many others.


The fundamental security truth remains: RISK is the probability (or measure) that a THREAT will exploit a VULNERABILITY of an ASSET and cause an IMPACT on it.

2. Threat

Threat is defined in the Terminological Dictionary of Crisis Management published by the Government Office of the Slovak Republic in 2017 on page 11 as: "An objectively existing possibility whose fulfillment is capable of causing a negative consequence." It is necessary to distinguish between "threat" and "endangerment." Threat is a potential category. Endangerment refers to an immediate event, i.e., when a threat is actively occurring. In the aforementioned Terminological Dictionary on page 24, it states: "Endangerment is an activated threat in space and time."

Threats can be categorized according to their origin and are typically divided into:

1. Anthropogenic threats - threats whose cause and primary stimulus lie in humans and the social sphere.

2. Natural threats - caused by manifestations of nature.

3. Technological threats - caused by technological elements.

4. Combined threats - the simultaneous action of the above threats.

In current terminology, the concept of hybrid threat has appeared, which can be considered, in certain respects, a combined threat.


Naturally, there are officially approved and used classifications of threats and their sources, for example ISO/IEC 27 000:20xx Information Technology – Security Techniques – Information SECURITY RISK Management, or the materials issued by the Civil Protection Department of the Ministry of Interior. The fire service also has its own well-developed categorization, as do others.


Threat analysis includes identifying and evaluating parameters according to well-measurable and poorly measurable manifestations (heuristic and expert estimates on a scale). Evaluation is usually performed by a defined metric - a measurement method or other threat quantification methodology. Among the identified parameters are: significance, threat accessibility to the asset, threat recognizability and identifiability.


Assessing the significance of a threat means predicting its impact: evaluating how severely the threat could disrupt, limit, or prevent the system from functioning within its designed parameters. Accessibility describes how well the asset is protected against a specific threat. Knowledge of the threat enables specific, targeted preventive measures.


Threat assessment is often heavily influenced by a parameter we call "impact on the population." Any threat can ultimately evoke a feeling of fear in the population. This factor can feed the so-called domino effect, in which the rational (more often irrational) fear of people becomes a separate threat in its own right.

3. Asset Vulnerability

The Terminological Dictionary of Crisis Management on page 32 states regarding the concept of vulnerability: "A complex property reflecting the weak points of a system, its reduced resistance to possible disruption of its function, damage, or destruction." Vulnerabilities are categorized in the same way as threats, i.e., anthropogenic, natural, technological, and combined.


When assessing vulnerabilities, it is necessary to consider the probable attack scenario, the degree of protection, or the resilience of the vulnerability carrier. Vulnerability recognizability means whether we know about the vulnerability or whether it remains unrecognized and unknown. We often encounter the significance of a vulnerability being ignored by trivializing the actual state of affairs. And that is before we even consider the cases described by Nassim Nicholas Taleb in his book Black Swan: events whose probability of occurrence is extremely low and whose impact is extremely high (complete collapse of financial markets, WTC 2001, etc.).


We evaluate the degree of vulnerability on a scale (metric) considering the significance of the vulnerability, the attacker's access to the vulnerability, and its recognizability.

4. Asset

An asset is everything that an organization (system, process) values: whatever is important for an organization, system, or specific process, and whose damage or loss would mean a deviation from the designed (intended, usual) parameters of functioning. The Terminological Dictionary defines an asset on page 7 as: "A value that needs to be protected."


Assets can be divided into tangible and intangible, or existing in the real or virtual world. We interpret the value of an asset as the measure of resource intensity (people, time, finances, and others) needed to replace the asset or restore it to its original state.

Note: "Restoration to the original state" is a misleading phrase. The reconstruction process must include measures that will be an effective response to the threats and vulnerabilities that precede reconstruction. It is therefore not possible to simply restore the original state; it is necessary to take measures beyond simple reconstruction.

5. Impact

Impact is the result of the action of the previous factors and is most often perceived as harm, damage, or loss, thus in a negative connotation. For a complete understanding of impact, it is necessary to admit the existence of types of impact that may ultimately mean improvement. One example is a captured attack on communication infrastructure that triggers positive changes in the opinion of those responsible for security and protection. Another is insured property (insurance being one way of managing risk) destroyed by a natural disaster: on a secondary level, the impact is not negative. This does not refer to insurance fraud.


Assessing the level (size) of impact depends on the specific conditions and parameters of the protected system, organization, or process. For quantification, the usual rule is to evaluate how many resources, and with what availability, must be expended to restore the functioning of the affected structure. This statement also fully answers the question of how much one byte of information costs: as much as the resources needed to restore or acquire it.


In addition to material elements of impact, it is necessary to include in considerations also intangible elements such as various forms of so-called reputational damage (loss of Goodwill).

6. Risk

After determining, measuring, or estimating all the previous components, it remains to calculate, estimate, or otherwise determine the value of risk. There are several mathematical models for calculating the resulting value of risk. However, it is important to interpret this value correctly. After considering all the specifics of the assessed organization, system, or process (risk analysis), it is necessary to establish the pair category: Risk Value – Impact Significance.


For example, stealing a certain amount of flammable material from a warehouse represents only a very small impact in a medium-secured warehouse. However, the risk of theft is relatively high. The carriers of such risk are usually employees (organizations strongly resist this fact). The risk value is high – the impact relatively low.


The risk that someone will set fire to a flammable material warehouse is relatively low (strict fire prevention measures, regularly instructed personnel, non-sparking tools, etc.). If this act were completed, the explosion (burning) of the warehouse represents a significantly negative impact. Risk value low – impact high.
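Added example (not part of the article): a small Python scoring model that follows the chain THREAT, VULNERABILITY, ASSET, IMPACT, RISK with the parameters named in the sections above, and classifies the two warehouse scenarios into the Risk Value – Impact Significance pair. The 1..5 scale, the way recognizability lowers the risk value, the organisation's capacity figure and all scenario scores are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from statistics import mean

LOW, HIGH = 1, 5  # constructed 1..5 expert-estimate scale for every parameter

@dataclass
class Threat:
    significance: int     # how badly it could disrupt designed functioning
    accessibility: int    # how reachable the asset is for this threat
    recognizability: int  # HIGH = well known and identified, LOW = unrecognised

@dataclass
class Vulnerability:
    significance: int
    attacker_access: int
    recognizability: int  # HIGH = known weak point, LOW = unknown

@dataclass
class Asset:
    restore_cost: float   # resources needed to restore/replace it (its value)
    capacity: float       # resources the organisation can absorb (assumption)

def _score(v: int) -> int:
    if not LOW <= v <= HIGH:
        raise ValueError(f"{v} is outside the {LOW}..{HIGH} scale")
    return v

def risk_value(t: Threat, v: Vulnerability) -> float:
    """Probability-like measure in [0, 1] that the threat exploits the vulnerability.
    Exposure rises with significance and access; recognised threats and vulnerabilities
    attract targeted measures, so recognizability pulls the value down (model assumption)."""
    exposure = mean(map(_score, (t.significance, t.accessibility, v.significance, v.attacker_access)))
    knowledge = mean(map(_score, (t.recognizability, v.recognizability)))
    return round(exposure * (HIGH + 1 - knowledge) / HIGH ** 2, 2)

def impact_value(a: Asset) -> float:
    """Impact as the share of the organisation's capacity consumed by restoration."""
    return round(min(1.0, a.restore_cost / a.capacity), 2)

def pair_category(t: Threat, v: Vulnerability, a: Asset, threshold: float = 0.5) -> dict:
    """The 'Risk Value - Impact Significance' pair plus the expected loss (risk x value)."""
    r, i = risk_value(t, v), impact_value(a)
    return {"risk": "high" if r >= threshold else "low",
            "impact": "high" if i >= threshold else "low",
            "expected_loss": round(r * a.restore_cost, 2)}

# Constructed scores for the article's two warehouse scenarios (theft by employees, arson).
THEFT = (Threat(3, 5, 2), Vulnerability(3, 5, 2), Asset(restore_cost=2_000, capacity=500_000))
ARSON = (Threat(5, 2, 5), Vulnerability(5, 1, 5), Asset(restore_cost=450_000, capacity=500_000))
```

With these scores the theft scenario comes out as risk high / impact low and the arson scenario as risk low / impact high, matching the two pairs described above.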

7. Conclusion

Risk assessment is an extremely complex process. Using recommendations in the form of ISO procedures or specific standards is a good guide, but not an exhaustive answer. The risk determination model must therefore be developed for each use in an almost unique way with high respect for the specific conditions in which it is deployed.


The interpretation of risk determination results is crucial. Another key parameter is the dynamics of changes in the security environment. This parameter determines the frequency of repeating the processes of risk analysis.


The logical outcome of the described processes is deciding how the identified and quantified risk will be managed. For this purpose, several procedures are known, ranging from risk elimination and reduction of the risk level to transferring the risk to other entities or processes.
