PCI 30 seconds newsletter # 23 – Introduction to Risk Assessment

Blog Post created by dgodart on Oct 4, 2012




If you went to work this morning, you took a risk. If you rode your bicycle, walked, or drove a car, you took a risk. If you put your money in a bank, or in stocks, or under a mattress, you took other types of risk. If you bought a lottery ticket at the newsstand or gambled at a casino over the weekend, you were engaging in activities that involve an element of chance – something intimately connected with risk.


PCI DSS Requirement 12.1.2 requires organizations to establish an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment. In this newsletter I would like to address this notion of risk assessment.





The beginnings


The term risk seems to take its source from a navigation term used by the Greek sailors, “Rhizikon” which meant ‘root, stone, cut of the firm land” and was a metaphor for “difficulty to avoid in the sea." The Chinese added the notion of “opportunity”. Indeed, the word for risk in Chinese is constructed from two symbols. “Danger” and “Opportunity” which is more in line with our modern understanding of risk assessment: “Identification and evaluation of dangers that could prevent us to reach our objectives.” Italians add a layer with the word “risicare” which means “to dare”. In this sense, risk is a choice rather than a fate, a decision to take action to avoid/prevent the dangers along our way. This latest notion completes this picture: Identifying, Evaluating + Decision = Risk management.



If this ability to define what may happen in the future and to choose among alternatives lies at the heart of contemporary societies, back in old time the notion of risk didn't exist. All cause (positive or negative) was a direct consequence of God's decision. People left their fate within the hands of God and if something wrong occurred it was undeniably not due to a lack of careless or preparation but just the sign of God's anger. Nothing could have been done to prevent this misfortune or could be done to prevent it in the future except maybe some bloody sacrifices on the altar, and even nowadays, some organizations seem to continue a head-to-head against the fates.


We had to wait until the Renaissance when people broke loose from the constraints of the past and subjected long held beliefs to open challenge to see the first attempts to take our destiny within our hands. We did this by calculating the probability of certain events in order to find the risk behind certain actions. From then until today, the story of risk has been marked by persistent tension between those who assert that the best decisions are based on quantification and numbers, determined by the patterns of the past, and those who base their decisions on more subjective degrees of belief about the uncertain future.




Here is how NIST defines Risk, Information Security Risk, and Risk assessment in its Guide for Conducting Risk Assessment – Sept 2012.


Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of: the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence.


Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations, organizational assets, individuals, other organizations, and the Nation.


Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.


Let me illustrate this notion by sharing with you what the scientist who developed the rocket that launched the first Apollo mission to the moon said: You want a valve that doesn't leak and you try everything possible to develop one. But the real world provides you with a leaky valve. You have to determine how much leaking you can then tolerate. Without a command of risk assessment, engineers could never have designed the great bridges that span our widest rivers, homes would still be heated by fireplaces, electric power utilities would not exist, no airplane would fly and space travel would be just a dream.


The importance of Time


Risk and time are opposite sides of the same coin, for if there were no tomorrow there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field.

Periodic review and monitoring of risk assessments allows organizations to keep up to date with business changes and provides a mechanism to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies along the timeline.


Guidelines & Methodologies


A number of risk assessment guidelines and methodologies in the context of IT and Security are available on the field including:


The ISO Risk assessment Guideline - 27005

NIST Guide for conducting Risk assessment – Sept 2012

The Factor Analysis of Information Risk (FAIR)

The Australian/New Zealand Standard AS/NZS 4360

The french Guideline MEHARI

The Operationally Critical Threat, Asset, and Vulnerability Evaluation - OCTAVE

The PCI DSS Risk Assessment Guidelines – Now available on PCI Security Standards Website.


Core activities


In the context of PCI, organizations are free to select any of those methodologies or establish their own as long as it incorporates the following core activities:


  • Definition of the purpose of the risk assessment in terms of the information that the assessment is intended to produce and the decisions the assessment is intended to support.
  • Definition of the risk assessment in terms of organizational applicability, time frame supported, and architectural/technology considerations.
  • Determination of specific assumptions and constraints under which the risk assessment is conducted.
  • Identification of critical cyber assets supporting business operations. A cyber asset could: network components, servers, applications & software, data and individuals. In the context of PCI, cyber assets are any system component used to store, process or transmit cardholder data.
  • Identification of the threat events to those assets. A threat event is any circumstance or event with the potential to adversely impact business operations and assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
  • Identification of the vulnerabilities. A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. A threat source is characterized as: the intent and method targeted at the exploitation of a vulnerability; or a situation and method that may accidentally exploit a vulnerability.
  • Evaluation of the likelihood. The likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat event is capable of exploiting a given vulnerability (or set of vulnerabilities).
  • Evaluation of the impact. The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. Examples of impact are: damage to image or reputation; financial loss; inability to successfully execute a specific mission/business; loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems.
  • Determination of the Risk level. The risk level is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur.
  • Determination of the Risk tolerance. Organizations determine risk that are acceptable  or residual risk and those that are not acceptable.
  • Development of a risk mitigation plan to address unacceptable identified risks.
  • Communication of risk assessment results to designated organizational stakeholders to support risk acceptation and mitigation plan.
  • Maintenance of the assessment. Review and Update existing risk assessment using the results from ongoing monitoring of risk factors.





NIST Guide for conducting Risk assessment

Againt the Gods – Peter L Berstein



Have you read our previous newsletter - #22 Don't get lost in translation with Executives.