Risk Prioritization
As discussed in the previous section, the facilitated data gathering step
defines the tasks to produce a list of impact statements for identifying
organizational assets and their potential impacts. This section addresses the
next step in the Assessing Risk phase: risk prioritization. The prioritization
process adds the element of probability to the impact statement. Recall that a
well formed risk statement requires both the impact to the organization
and the probability of that impact occurring. The prioritization process
can be characterized as the last step in "defining which risks are most
important to the organization." Its end result is a prioritized list of risks
that will be used as the inputs in the decision support process that Chapter 5,
"Conducting Decision Support," discusses.
The Information Security Group is the sole owner of the prioritization
process. The team may consult technical and non – technical stakeholders, but it
is accountable for determining the probability of potential impacts to the
organization.
By applying the Microsoft security risk management process, the level of
probability has the potential to raise the awareness of a risk to the highest
levels of the organization, or it can drop awareness so low that the risk may be
accepted without further discussion. Estimating risk probability requires the
Security Risk Management Team to invest significant time in order to thoroughly
evaluate each priority threat and vulnerability combination. Each combination is
assessed against current controls to consider the effectiveness of those
controls influencing the probability of impact to the organization. This process
can be overwhelming for large organizations and may challenge the initial
decision to invest in a formal risk management program. To reduce the amount of
time invested in prioritizing risks, you may consider separating the process
into two tasks: a summary level process and a detailed level process.
The summary level process produces a list of prioritized risks very quickly,
analogous to the triage procedures that hospital emergency rooms use to ensure
that they help the patients in greatest need first. However, the drawback is
that it yields a list containing only high-level comparisons between risks. A
long, summary level list of risks in which each risk is categorized as high does
not provide sufficient guidance to the Security Risk Management Team or allow
the team to prioritize mitigation strategies. Nevertheless, it allows teams to
quickly triage risks in order to identify the high and moderate risks, which
enables the Security Risk Management Team to focus its efforts on only the risks
deemed most important.
The detailed level process produces a list with more detail, more easily
distinguishing risks one from another. The detailed risk view enables
stack-ranking of risks and also includes a more detailed view of the potential
financial impact from the risk. This quantitative element facilitates cost of
control discussions in the decision support process, which the next chapter
details.
Some organizations may choose not to produce a summary level risk list at
all. Without consideration, it may seem that this strategy would save time up
front, but this is not the case. Minimizing the number of risks in the detailed
level list ultimately makes the risk assessment process more efficient. A
primary goal of the Microsoft security risk management process is to simplify
the risk assessment process by striking a balance between added granularity for
risk analysis and the amount of effort required to calculate risk.
Simultaneously, it endeavors to promote and preserve clarity regarding the logic
involved so that stakeholders possess a clear understanding of risks to the
organization.
Some risks may have the same risk ranking in both the summary list and the
detailed list; however, the rankings still provide sufficient details to
determine whether the risk is important to the organization and if it should
proceed to the decision support process.
Note The ultimate goal of the Assessing Risk phase is to define the
most important risks to the organization. The goal of the Conducting
Decision Support phase is then to determine what should be done to address
them.
Teams often become stalled at this stage while stakeholders debate the
importance of various risks. To minimize possible delays, apply the following
tasks as appropriate for your organization:
- In non – technical terms, define high and medium level risks for your
organization before starting the prioritization process.
- Focus attention on risks that are on the border between medium and high
levels.
- Avoid discussing how to address risks before you have decided whether
the risk is important. Be watchful for stakeholders who may have
preconceived solutions in mind and are looking for risk findings to provide
project justification.
The remainder of this section discusses success factors and tasks for
creating summary and detailed level risk rankings. The following tasks and
Figure 4.6 below provide an overview of the section and key deliverables
throughout the risk prioritization process.
Primary Tasks and Deliverables
- Task one — Build the summary level list using broad
categorizations to estimate probability of impact to the organization.
- Output — Summary level list to quickly identify priority risks to
the organization.
- Task two — Review summary level list with stakeholders to begin
building consensus on priority risks and to select the risks for the
detailed level list.
- Task three — Build the detailed level list by examining detailed
attributes of the risk in the current business environment. This includes
guidance to determine a quantitative estimate for each risk.
- Output — Detailed level list providing a close look at the top
risks to the organization.
|