IT Risk Management Process: Risk vs. Threat

Every day seems to bring another story of a cybersecurity attack, stemming from a growing range of IT security threats. Everything from new malware strains to new, active phishing attacks. Managing all these challenges to security is daunting for even the most security-conscious organizations. It’s hard to keep up with these IT security threats, especially when there are only so many information security dollars to invest in protection.

How do you keep up with the changing threat landscape? The answer lies in risk management. An effective IT risk management process can help companies understand where to spend those dollars. Companies that understand the concept of risk vs threat along with how vulnerabilities and consequences fit into the picture can better prepare themselves against information security attacks.

What are the different types of security threats?

There are various cybersecurity threats that can lead to attacks. Malware is one of the biggest threat vectors. It compromises endpoint computers and servers alike, and has evolved dramatically in the past few years. Aside from giving an attacker full control over a computer, malware in the form of ransomware can also lock up files, only releasing them upon payment of a ransom.

Malware is often a component of another common security threat: hacking. Hackers gain access to a company’s internal computers, either for a one-off attack or for a sustained campaign in which they lurk for an extended period, gathering information at their leisure. The latter is known as an Advanced Persistent Threat (APT).

Other attacks, like distributed denial of service (DDoS), affect an organization’s ability to operate online by choking off resources. These attacks often come from millions of compromised computers in the form of botnets.

Companies have no choice but to take these seriously, which means perfecting their IT risk management process.

What is risk vs. threat?

While we talk about specific classes of IT security threats, the act of protecting against them is known as risk management. Risks and threats are related, but it is important to understand their key differences.

A threat is easier to explain, as it refers to the bad thing that could happen to your organization. Risk on the other hand can be a tough concept to grasp – it is the likelihood that something could happen, along with the impact should it occur. It doesn’t mean that it will necessarily happen.

What is helpful to admins and managed service providers (MSPs) is to be able to quantify just how much risk a company has and where. Understanding that level of risk will help you establish priority around what to protect within the organization, and help you decide where to apportion security budgets.

To help get to a specific figure, some security professionals use a security risk formula to sum this up:

Risk = Threat x Vulnerability x Consequence

It probably wouldn’t stand up to scrutiny in a math class, but it gives you a basic idea of how people evaluate risk likelihood and impact.

In this security risk formula, the vulnerability is the weakness in an organization that would allow an attacker to use the threat. For example, if a company failed to properly configure a firewall, it might make it easier for a hacking threat to succeed. Running a company on copies of Windows XP, which is now unsupported and therefore difficult to patch, could make it easier for an attacker to launch a malware-related threat.

Some vulnerabilities will yield more easily to attacks than others. Some may be easier than others to discover and exploit, lowering the barrier for attackers.

Some vulnerabilities may also be less damaging to the organization than others if exploited. Each exploit carries a potential technical impact on the confidentiality, integrity, and availability of data. These three factors are known as the CIA triangle.

For example, a DDoS attack may make data unavailable for a while, but probably wouldn’t allow an attacker to alter or steal that data. Malware, on the other hand, could let an attacker do all three.

The technical impact in turn leads to a business impact. Depending on the nature of the vulnerability and the threat, the business impact can range from inconsequential to crippling.

For example, an attack that denies service to a little-used and isolated part of a system for a few minutes may barely even be noticed. Conversely, an attack that manages to steal sensitive customer data could have massive legal and financial consequences for an organization and its reputation. Regulators and class action lawyers will take a keen interest if customers’ social security numbers and health records show up on Pastebin.

Sometimes, significant consequences are far from obvious. For example, what havoc could an attacker possibly wreak by snooping on obscure robotic process data in a manufacturing plant? Plenty, if they can alter that data to make the robots produce defective products.

The process of establishing the level of risk a company faces can also be automated, for example SolarWinds^® Risk Intelligence enables you to put an actual dollar value on that risk. It does this by scanning for unsecured data across a network—even in persistent storage—and providing an estimated financial figure for an organization’s potential liability in the event of a data breach.

Managing risk vs. threat

Looking at the plethora of cybersecurity threats without any context can be both bewildering and daunting. Instead, companies can evaluate risk likelihood and impact by classifying and scoring threats. This involves putting an IT risk management process in place to help you evaluate cybersecurity risks across the entire organization.

When making this analysis, admins and MSPs should start by looking at the high-impact things, such as ransomware. You need to consider what would happen if the organization was breached in this way—would it be little more than a minor inconvenience as they simply restore everything from a backup or would it be a major disaster? Thinking about attacks scenarios in this way provides a powerful reference point, and allows you to create a risk threat vulnerability matrix based on this evaluation, and further help prioritize investments.

Coping with cybersecurity threats may be complex, but it needn’t be as costly as you think. By thinking carefully about how different threats affect your risk, you can focus your efforts on protecting the most important aspects of the company first and keep one step ahead of attackers.

This does have important implications for MSPs as it gives them an important starting point when it comes to having security conversations with potential customers, by looking at the real business impact of having systems go down or data stolen—and even whether the business could be used as a conduit to get into other partners’ systems.

By shifting the conversation in this way from security to risk, MSPs put themselves in the position of being able to have a much more valuable and powerful conversation with their prospects.

If you’re looking to help your customers quantify their risk and locate sensitive data across their network, click here to find out how SolarWinds Risk Intelligence can help you.