Defining “Risk” for IT Security

When we discuss risk in IT security, what comes to mind?  Is a “critical” vulnerability on a Windows system a risk?  Is risk a high, medium, or low measurement?  What does risk tell us?

The critical Windows vulnerability example contains no context by itself.  What if the vulnerability exists on a system containing patient data?  What if the same system is located on the internal network behind several controls?  What if the vulnerability allows an attacker to escalate their privileges locally, but maintains the current exposure to the outside network?

Each of the above questions changes an intuition we may feel about the “risk” of the system.  The word “critical” suggests that we should take immediate action to correct the Windows vulnerability, but is this really necessary?  How do we make a determination on this?

At HealthGuard, we borrow the definition of risk from the FAIR risk management framework.

FAIR Definition of “Risk”: The probable frequency and probable magnitude of future loss.

We want our customers to be able to quantify their IT security risks.   By using the FAIR definition, we present risk in terms of future loss.  In other words, we can understand the financial impact to the organization for specific IT security events.

In this way, our customers will be able to communicate and ultimately control their risks. If the aforementioned Windows vulnerability has a 1% – 2% probability over the next 3 years of causing a $100 loss, we have a far greater understanding of its true impact to the organization – in this case, very little.  Understanding the impact in these terms is far more definitive than a word such as “critical”.
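To make the FAIR framing concrete, here is an added example (not HealthGuard's own code or tooling) that expresses a scenario as a probability range and a loss-magnitude range, computes the expected-loss bounds the paragraph above describes, and runs a small Monte Carlo simulation over those ranges. The two scenarios are constructed for illustration, and uniform sampling within each range is an assumption made here for simplicity; FAIR practitioners typically use PERT-style distributions.

```python
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    """FAIR-style scenario: probable frequency (as a probability range over the
    horizon) and probable magnitude (as a dollar range) of a future loss."""
    name: str
    prob_low: float       # lower bound on P(loss event occurs within the horizon)
    prob_high: float      # upper bound
    loss_low: float       # lower bound on loss magnitude, in dollars
    loss_high: float      # upper bound
    horizon_years: float  # time window the probability applies to


def expected_loss_range(s: Scenario) -> tuple[float, float]:
    """Point-estimate bounds on expected loss over the horizon: probability x magnitude."""
    return (s.prob_low * s.loss_low, s.prob_high * s.loss_high)


def annualized_expected_loss_range(s: Scenario) -> tuple[float, float]:
    """Same bounds spread evenly across the horizon, so scenarios with different
    horizons can be compared per year."""
    low, high = expected_loss_range(s)
    return (low / s.horizon_years, high / s.horizon_years)


def simulate_loss(s: Scenario, trials: int = 20000, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo over the horizon: draw a probability and a magnitude uniformly
    (assumed distribution) within their ranges, then decide whether the event
    happens. Returns (mean loss, 90th-percentile loss) across all trials."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        p = rng.uniform(s.prob_low, s.prob_high)
        occurs = rng.random() < p
        losses.append(rng.uniform(s.loss_low, s.loss_high) if occurs else 0.0)
    losses.sort()
    return sum(losses) / trials, losses[int(0.9 * trials)]


def rank_by_expected_loss(scenarios: list[Scenario]) -> list[Scenario]:
    """Order scenarios by the upper bound of annualized expected loss, worst first."""
    return sorted(scenarios, key=lambda s: annualized_expected_loss_range(s)[1], reverse=True)


# Constructed sample scenarios, not real data. The first mirrors the post's example:
# a "critical" vulnerability with a 1-2% chance over 3 years of causing a $100 loss.
CRITICAL_VULN = Scenario("critical Windows vuln, no sensitive data", 0.01, 0.02, 100, 100, 3)
PATIENT_DATA_SYSTEM = Scenario("lesser vuln on patient-data system", 0.05, 0.10, 50_000, 250_000, 3)

if __name__ == "__main__":
    for s in rank_by_expected_loss([CRITICAL_VULN, PATIENT_DATA_SYSTEM]):
        lo, hi = annualized_expected_loss_range(s)
        mean, p90 = simulate_loss(s)
        print(f"{s.name}: ${lo:,.2f}-${hi:,.2f}/yr expected; simulated mean ${mean:,.2f}, p90 ${p90:,.2f}")
```

Running it ranks the patient-data scenario far above the "critical" vulnerability, which is the point of the paragraph: severity labels alone do not tell you where the loss is.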
