Factor Analysis of IT & Information Risk
A methodology for creating and maintaining a threat-modelled information risk framework.
It enables organisations to make security-related decisions based on accurate threat modelling, a quantifiable asset valuation, and 'what if' scenarios that weigh both the deterrent effect of a security measure or process and its cost.
This is not a point-in-time solution but a continuous practice: the current posture is re-evaluated against past experience, up-to-date intelligence feeds, recognised trends, and a valuation of the organisation's assets.
The analysis is performed on two levels: informational and human.
Business Process Mapping
Data flows and critical processes in the organisation are identified for later use in the threat modelling and risk management process.
This gives the organisation a clear view of all its assets, including their "replacement" value and the additional intrinsic values they carry from a compliance standpoint and in terms of marketing/competitive damage.
Because these values may differ with each threat scenario, all of them need to be defined and made available to the threat modelling and risk modelling.
Relevant threats for each asset are identified, correlated with the intelligence gathered, and evaluated on the basis of the threat's exposure frequency to the asset and its capability to successfully attack the asset.
The analysis also covers any means designed to detect incorrect data flows: DLP systems (Data Leak Protection/Prevention) as well as the business processes in place to prevent information from reaching the wrong places inside and outside the organisation.
A risk model is constructed for the expected frequency and severity of such an incident for every identified asset, and a quantitative value is assigned to each, based on the expected liability the incident yields and its probability/frequency.
Vulnerability and Exposure Analysis
The analysis is not limited to technical vulnerabilities but also includes risks to business processes, third-party providers involved in the process, and any other aspect of the asset life cycle.
A register of vulnerabilities is constructed, incorporating countermeasures and classified accordingly. Key technical evaluations focus on less standard devices, e.g. mobile equipment, replicating the approach of a motivated attacker.
When approaching a converged security risk, a different kind of mindset is needed. Our red team testing for businesses encapsulates this attitude, as it takes into account all aspects of the business' operating environment. This includes the simulation of real-world threats, including building custom malware, software and data analysis tools, which enable client teams to explore vulnerabilities, derive conclusions & priorities, and later build consensus around a risk register and security risk strategy.
'What if' scenarios are analysed for incident handling as well as for placing, removing & modifying controls over information assets. This modelling is critical to the decision-making process for organisations that need to adapt to a changing landscape, or when the acquisition of new technology is evaluated. Both infrastructure and security measures are modelled to see how they affect the overall future risk posture of the business.
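To make the quantitative model described above concrete, here is an added Python illustration (not the page's or the provider's own tool): each asset carries replacement, compliance and competitive values, a threat scenario weights those values and supplies an exposure frequency and a success probability, and candidate controls are compared in a 'what if' run against a risk tolerance figure. All names, weightings and amounts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    replacement: float   # cost to restore or rebuild the asset
    compliance: float    # regulatory fines, audit and notification costs
    competitive: float   # marketing / competitive damage
@dataclass
class ThreatScenario:
    name: str
    contact_freq: float  # expected threat contacts with the asset per year (exposure frequency)
    success_prob: float  # probability a contact becomes a loss event (attacker capability vs resistance)
    weights: dict        # share (0..1) of each asset value actually at risk in this scenario

@dataclass
class Control:
    name: str
    annual_cost: float
    freq_factor: float = 1.0     # multiplier on contact frequency (deterrence)
    success_factor: float = 1.0  # multiplier on success probability (added resistance)

def loss_magnitude(asset, scenario):
    # Scenario-specific loss: each asset value weighted by how much of it this scenario exposes.
    values = {"replacement": asset.replacement, "compliance": asset.compliance, "competitive": asset.competitive}
    return sum(values[k] * w for k, w in scenario.weights.items())

def annual_loss_expectancy(asset, scenario, controls=()):
    # Expected annual loss = loss event frequency x loss magnitude, after applying the given controls.
    freq, prob = scenario.contact_freq, scenario.success_prob
    for c in controls:
        freq *= c.freq_factor
        prob *= c.success_factor
    return freq * min(prob, 1.0) * loss_magnitude(asset, scenario)

def evaluate_options(asset, scenario, options, tolerance):
    # 'What if' comparison: residual loss, annual cost and net benefit of each control set versus doing nothing.
    baseline = annual_loss_expectancy(asset, scenario)
    rows = [{"option": "no change", "ale": baseline, "cost": 0.0, "net_benefit": 0.0, "within_tolerance": baseline <= tolerance}]
    for name, controls in options.items():
        ale = annual_loss_expectancy(asset, scenario, controls)
        cost = sum(c.annual_cost for c in controls)
        rows.append({"option": name, "ale": ale, "cost": cost, "net_benefit": baseline - ale - cost, "within_tolerance": ale <= tolerance})
    return rows

# Constructed sample data (illustrative figures, not measured values).
CUSTOMER_DB = Asset("customer database", replacement=50_000, compliance=400_000, competitive=250_000)
INSIDER_EXFIL = ThreatScenario("insider exfiltration", contact_freq=2.0, success_prob=0.5, weights={"compliance": 1.0, "competitive": 1.0})
DLP = Control("DLP on egress", annual_cost=60_000, success_factor=0.2)
ACCESS_REVIEW = Control("quarterly access review", annual_cost=15_000, freq_factor=0.5)
OPTIONS = {"DLP only": [DLP], "access review only": [ACCESS_REVIEW], "both": [DLP, ACCESS_REVIEW]}
```

Running `evaluate_options(CUSTOMER_DB, INSIDER_EXFIL, OPTIONS, tolerance=100_000)` shows that only the combined option brings the residual expected loss under the tolerance, while each row's net benefit lets the cost of the controls be weighed against the risk they remove.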
Closing the Cycle
The full cycle from intelligence gathering through risk modelling to risk management is ongoing.
It should be updated as a basic risk management practice and used to support informed decision-making for both technologies and business processes.
The model should be challenged, its assumptions adapted with input from different areas of the organisation, and refined to reflect the most accurate status, because in technological terms the threat landscape is always shifting.
Having established a sound risk model, decision-making and risk management can be more confidently business-oriented. Senior management needs to define its tolerance to risk for each of the assets or processes it owns.
This is achieved by analysing the risk capacity provided by the risk model, identifying the resources & capabilities the organisation already possesses to mitigate the risk, and taking into account any applicable regulation that may contribute to defining the risk tolerance.
Additionally, at this phase, any value propositions that would affect the risk model should be identified and analysed, and their overall impact on the risk posture calculated, along with the internal and capital resources such a proposition requires.
Finally, the organisation can view the comprehensive risk model together with all the alternatives for changing the risk posture and their cost & resource impacts, in a way that supports an informed decision-making process.