Enabling Secure Business Operations

Risk Management

A lot of computer security deals with risk – what are the risks of doing or not doing something? However, risk is not exclusive to computer security, and there are many papers and treatises on how to determine and how to manage risk – you’ll generally find papers on risk in management literature, most often project management. Project managers have to deal with risk all of the time – what if the weather is bad, what if a key employee quits on the project? There has to be a plan in place for these eventualities. The same is true in computer security.

Risk is generally considered (in a mathematical sense) to be probability * impact, with the higher values indicating higher risk. Determining probabilities and impact is quite difficult, and this is where the value of “experts” comes in. If you don’t know what an exploit is capable of doing, how can you create a value for impact or probability? And each “expert” is going to disagree on the probability and impact! The risk “value” is only a useful number for comparison if all of the probabilities and impacts are determined by one person or one group, to maintain consistency. The key point to remember is that these values are relative and not absolute.

Impact is typically calculated using monetary values. For example, if this particular event (risk) occurred, how much will it cost? Don’t forget to include time spent fixing the problem and public relations work, as well as actual cost. Sometimes, the value is obvious. If a laptop with no sensitive data on it is lost, the cost of the laptop is the impact. If a laptop with sensitive information on it is lost, you have to count the cost of the laptop, the cost of notifying all of the individuals, the cost of handling all public relations questions and problems, and the “hidden” cost of the loss of trust in your company. Some risk managers prefer to use a scale for impact. Your company probably has a precedent for managing risk – use it. If there is no precedent, then I suggest starting with monetary values.

Probability is the likelihood that the event (risk) will happen. Some things are practically inevitable – like viruses. Others, like thermonuclear war, are almost impossible. The risk manager has to assign a value to the probability of something happening. Other measures in place may lower the probability of something happening – such as an anti-virus product. You’ll have to look at the measures in place as well as the raw probability to come up with a value. Most security experts tend to assign one of four probabilities – critical, high, medium, and low. These values are based upon our experience with the risk, what the current state of affairs “in the wild” is, and what mitigating factors the system/network has.

Multiply the two values and you have a relative scale of risk; you can then focus on managing the risks. There are four main ways to do that: acceptance, transference, avoidance, and reduction. Acceptance means doing nothing – noting that there is a risk, and yet choosing to accept the impact. Transference is transferring the risk to someone else – i.e. buying insurance. Avoidance is doing what can be done to avoid the risk entirely – such as taking a machine off the network completely. Reduction is doing something to either reduce the probability of a risk, or reduce the impact of a risk.
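The calculation and the four treatments described above, as an added example that is not part of the original post. It models a small risk register: impact is monetary (the post's suggested starting point), probability is one of the four labels the post names, and each risk is scored as probability * impact and ranked. The numeric weights given to the four labels, the sample risks (built from the post's lost-laptop illustrations), and every monetary figure are constructed assumptions for illustration, not values from the post.

```python
"""Relative risk register: score = probability * impact, then apply a treatment.

Added example, not from the original post.  The probability weights and all
monetary figures below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, replace

# Assumed numeric weights for the post's four probability labels.  Only their
# ordering matters: the resulting scores are relative, not absolute, and are only
# comparable when one person or group assigns every value consistently.
PROBABILITY_WEIGHTS = {"critical": 0.9, "high": 0.6, "medium": 0.3, "low": 0.1}

TREATMENTS = ("acceptance", "transference", "avoidance", "reduction")


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str   # one of the labels in PROBABILITY_WEIGHTS
    impact: float      # monetary impact if the event occurs (constructed figures)

    def score(self) -> float:
        """Relative risk value: probability weight times monetary impact."""
        if self.probability not in PROBABILITY_WEIGHTS:
            raise ValueError(f"unknown probability label: {self.probability!r}")
        return PROBABILITY_WEIGHTS[self.probability] * self.impact


def rank(register):
    """Order risks from highest to lowest relative score."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def treat(risk, treatment, new_probability=None, new_impact=None, retained_impact=0.0):
    """Return the residual risk after applying one of the four treatments.

    acceptance   -> unchanged; the impact is consciously retained
    transference -> e.g. insurance: only the uninsured (retained) impact remains
    avoidance    -> risk eliminated, e.g. machine taken off the network entirely
    reduction    -> lower the probability and/or the impact (an anti-virus product
                    lowers the probability of a virus infection, for instance)
    """
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment: {treatment!r}")
    if treatment == "acceptance":
        return risk
    if treatment == "transference":
        return replace(risk, impact=retained_impact)
    if treatment == "avoidance":
        return replace(risk, impact=0.0)
    return replace(
        risk,
        probability=new_probability or risk.probability,
        impact=risk.impact if new_impact is None else new_impact,
    )


def sample_register():
    """Constructed register using the post's lost-laptop illustrations."""
    # Impact of the sensitive-data case adds notification, public relations and an
    # assumed figure for lost customer trust to the price of the hardware.
    sensitive_laptop_impact = 1500 + 50_000 + 20_000 + 100_000
    return [
        Risk("laptop lost, no sensitive data", "medium", 1500),
        Risk("laptop lost, sensitive data", "medium", sensitive_laptop_impact),
        Risk("virus infection on a workstation", "critical", 8000),
    ]


def residual_register(register):
    """Apply one constructed treatment per sample risk and return the residuals."""
    plan = {
        "laptop lost, no sensitive data": ("acceptance", {}),
        # Assumed insurance covers everything except the loss of trust.
        "laptop lost, sensitive data": ("transference", {"retained_impact": 20_000}),
        # Assumed anti-virus product lowers the probability from critical to medium.
        "virus infection on a workstation": ("reduction", {"new_probability": "medium"}),
    }
    return [treat(r, *plan[r.name][:1], **plan[r.name][1]) for r in register]


if __name__ == "__main__":
    register = sample_register()
    for r in rank(register):
        print(f"{r.score():>10.0f}  {r.probability:<8}  {r.name}")
    print("--- after treatment ---")
    for r in rank(residual_register(register)):
        print(f"{r.score():>10.0f}  {r.probability:<8}  {r.name}")
```

The scores are deliberately not labelled in currency: once probability is a weight on an ordinal scale, the product is only meaningful for ordering the register, which is exactly how the post says the value should be used.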

I hope I’ve given you a few things to think about the next time you see that a patch is marked “critical” or “high.” It’s just the vendor determining what they think the risk of not applying that patch is, relative to all other patches. There are a few rules of thumb though: anything that is remotely exploitable tends to fall under the critical category – especially if it allows administrator level access. Local privilege escalation vulnerabilities tend to fall under high and medium, depending on the specifics, and denial of service vulnerabilities tend to fall in the medium to low range.

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

One Response to “Risk Management”

  1. Trevor Levine Says:

    Well said. Riskczar approves.