A discussion of risk that is specific to IT and yet reaches beyond IT security is surprisingly hard to find. This is all the more surprising given that most business processes today rely heavily on IT, and that risk management is both a hot topic in corporate governance and a major source of business for compliance consultants.
In this article we look at typical definitions of risk and then at the types of risk that make up the IT risk landscape. In the last section we turn to the perception of risk and consider where blind spots commonly occur.
Below we list three definitions of IT risk: two because they come from highly influential standardization bodies, and a third because it is concise and practical for risk assessments.
IT Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of an event and its consequence [ISO/IEC 13335-1:2005]
IT-Related Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to—
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system. [NIST SP 800-30]
Risk: The probable frequency and probable magnitude of future loss. [FAIR]
Let us take an IT-related example, one that is close to a daily nightmare for most IT departments:
You patch your Windows desktops, or you upgrade a critical application, and your key employees cannot do their daily work because the systems hang or perform too slowly.
The impact is exactly the same as if an external attacker had disabled the system; what differs is the threat agent and, with it, the likelihood. In many environments a self-inflicted denial of service is somewhat more likely than an externally triggered one.
Armed with some history from your own IT environment, a bit of knowledge about the business processes you support, and some data on external threats, you can estimate and quantify the risk of this event occurring in the upcoming year. In the upcoming article “What is IT Risk management?” we will explore how quantified IT risk management can be performed.
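To make the estimate concrete, here is an added example (not code from the original article) that quantifies the two scenarios above in the FAIR sense of "probable frequency times probable magnitude of future loss" with a small Monte Carlo simulation. Both scenarios are given the same per-event loss range, since the article's point is that the impact is identical while the likelihood differs; the frequencies and loss ranges are constructed assumptions, not data from the article.

```python
"""Annual loss estimate for two IT risk scenarios with identical impact but
different likelihood: a patch/upgrade that breaks key users' systems versus
an external attacker disrupting the same systems.

Added example, not code from the original article. Every figure below
(event frequency, loss range) is a constructed assumption. Standard library only.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # probable frequency: mean of a Poisson process (assumed)
    loss_low: float          # assumed 5th percentile of the loss per event
    loss_high: float         # assumed 95th percentile of the loss per event


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Return (mu, sigma) of a lognormal whose 90% interval is [low, high]."""
    z95 = 1.6449  # 95th percentile of the standard normal distribution
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * z95)
    return mu, sigma


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Number of events in one year (Knuth's method; fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, years: int = 50_000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each year sums the losses of the
    events that occurred in it (a compound Poisson process)."""
    rng = random.Random(seed)  # fixed seed so the results are reproducible
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    annual = []
    for _ in range(years):
        n_events = poisson_sample(rng, s.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return annual


def summarize(annual: list[float]) -> dict[str, float]:
    """Expected annual loss plus the tail figures a risk owner will ask for."""
    ordered = sorted(annual)
    n = len(ordered)
    return {
        "expected_annual_loss": sum(ordered) / n,
        "p50": ordered[n // 2],
        "p95": ordered[int(0.95 * n)],
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


# Constructed scenarios: identical per-event impact, very different likelihood.
SELF_INFLICTED = Scenario("patch/upgrade breaks key users' systems", 2.0, 20_000, 200_000)
EXTERNAL = Scenario("external attacker disrupts the same systems", 0.25, 20_000, 200_000)


def compare(scenarios=(SELF_INFLICTED, EXTERNAL)) -> dict[str, dict[str, float]]:
    """Summary statistics per scenario, keyed by scenario name."""
    return {s.name: summarize(simulate_annual_loss(s)) for s in scenarios}


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name)
        for key, value in stats.items():
            print(f"  {key:>21}: {value:>12,.2f}")
```

With these assumptions the self-inflicted outage has an expected annual loss roughly eight times that of the external attack, purely because of its frequency; the single-event loss distribution is the same. The p50 of the external scenario is zero (most years nothing happens), which is exactly why looking only at "did it happen last year" misleads, as the next section discusses.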
Different consulting companies use different terms for the full set of risks in an IT environment: some call it the “risk landscape”, some the “risk universe”, others the “risk catalog”.
Because many of today’s IT risk organizations in large corporations grew out of an IT security function, most assessed risks, and most mitigation actions, are in the area of security. It is essential to understand, however, that in most industries IT-triggered business interruptions are caused far more often by human error than by spectacular malicious attackers or organized crime; this is particularly true of IT project risks. Traditional IT security risks (which tend to be identified for confidentiality far more than for integrity, and least of all for availability; why this is so is an interesting topic in itself and may be covered in a future article) therefore make up a relatively small part of the IT risk landscape by value, and an even smaller part of the overall corporate risk landscape when compared with operational or credit risk.
Typically the risk landscape is divided either by the category of exposed asset, such as “project goals”, “service continuity”, “bottom-line results” or “reputation”, or by the nature of the threat, such as “external”, “internal”, “deliberate” or “unintentional”. In our experience it is very difficult to define an orthogonal space, all the more so because different organizational units within IT (architecture, risk management, operations, finance) have different goals and hence tend to classify differently.
Risk, just a question of perception?
While we acknowledge that insight into recent loss data is very important for quantifying risks correctly, it can be misleading to let recent perceptions alone guide the identification of risks. Bruce Schneier has an excellent column on how perception misleads us during risk identification. In short, he states that:
- We over-react to intentional actions, and under-react to accidents, abstract events, and natural phenomena.
- We over-react to things that offend our morals (rather than to the business values actually at risk).
- We over-react to immediate threats and under-react to long-term threats.
- We under-react to changes that occur slowly and over time (also referred to as “drifting into failure”)
You can actually check whether your risk management suffers from the problems above: count how many crystallized risks (risks that did occur and caused a loss) had been identified beforehand by your risk management, and see whether there is a positive trend over time, i.e. fewer crystallized risks that were not predicted.
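The check just described, as an added example that is not part of the original article: given a register of losses that actually occurred, each flagged with whether the risk had been identified in advance, compute the unpredicted share per year (by count and by loss value, since a single large surprise can dominate the value figure) and the direction of the trend. The register entries are constructed sample data.

```python
"""Share of crystallized risks that the risk register had NOT predicted,
per year, and whether that share is falling over time.

Added example, not code from the original article. The register entries
are constructed sample data, not real loss records.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CrystallizedRisk:
    year: int
    description: str
    loss: float
    predicted: bool  # True if the risk was in the register before it occurred


# Constructed sample register of losses that actually occurred.
SAMPLE_LOSSES = [
    CrystallizedRisk(2008, "Windows patch broke trading desk clients", 120_000, False),
    CrystallizedRisk(2008, "ERP upgrade delayed month-end close", 250_000, True),
    CrystallizedRisk(2008, "Laptop with customer data lost", 40_000, True),
    CrystallizedRisk(2009, "Storage firmware bug corrupted backups", 300_000, False),
    CrystallizedRisk(2009, "Phishing led to mailbox compromise", 30_000, True),
    CrystallizedRisk(2009, "Data centre cooling failure", 90_000, True),
    CrystallizedRisk(2010, "Certificate expiry took down web shop", 60_000, False),
    CrystallizedRisk(2010, "Key admin left; undocumented batch jobs failed", 80_000, True),
    CrystallizedRisk(2010, "DDoS on public website", 20_000, True),
    CrystallizedRisk(2010, "Migration project overran budget", 200_000, True),
]


def unpredicted_share_by_year(losses: list[CrystallizedRisk]) -> dict[int, dict[str, float]]:
    """Per year: fraction of crystallized risks, by count and by loss value,
    that the register had not identified in advance."""
    count = defaultdict(lambda: [0, 0])      # year -> [unpredicted, total]
    value = defaultdict(lambda: [0.0, 0.0])  # year -> [unpredicted loss, total loss]
    for r in losses:
        count[r.year][1] += 1
        value[r.year][1] += r.loss
        if not r.predicted:
            count[r.year][0] += 1
            value[r.year][0] += r.loss
    return {
        y: {"by_count": count[y][0] / count[y][1], "by_value": value[y][0] / value[y][1]}
        for y in sorted(count)
    }


def trend(series: dict[int, float]) -> float:
    """Least-squares slope of share against year; negative means improving."""
    xs, ys = list(series.keys()), list(series.values())
    n = len(xs)
    x_mean, y_mean = sum(xs) / n, sum(ys) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    den = sum((x - x_mean) ** 2 for x in xs)
    return num / den if den else 0.0


def assess(losses: list[CrystallizedRisk] = SAMPLE_LOSSES) -> dict:
    """Per-year unpredicted shares plus the trend slope for each measure."""
    shares = unpredicted_share_by_year(losses)
    return {
        "per_year": shares,
        "slope_by_count": trend({y: s["by_count"] for y, s in shares.items()}),
        "slope_by_value": trend({y: s["by_value"] for y, s in shares.items()}),
    }


if __name__ == "__main__":
    result = assess()
    for year, s in result["per_year"].items():
        print(f"{year}: unpredicted {s['by_count']:.0%} by count, {s['by_value']:.0%} by value")
    print(f"slope by count: {result['slope_by_count']:+.3f}/year")
    print(f"slope by value: {result['slope_by_value']:+.3f}/year")
```

In the sample data the count-based share looks steady at one in three for two years, while the value-based share jumps to over 70% in 2009 because the single unpredicted backup corruption was the year's largest loss; reporting both views avoids declaring success on a count that hides where the money went.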
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- Bruce Schneier, Perceived Risk vs. Actual Risk
- FAIR: Factor Analysis of Information Risk