Risk Prioritization
As discussed in the previous section, the facilitated data gathering step
defines the tasks to produce a list of impact statements for identifying
organizational assets and their potential impacts. This section addresses the
next step in the Assessing Risk phase: risk prioritization. The prioritization
process adds the element of probability to the impact statement. Recall that a
well-formed risk statement requires both the impact to the organization
and the probability of that impact occurring. The prioritization process
can be characterized as the last step in "defining which risks are most
important to the organization." Its end result is a prioritized list of risks
that will be used as the inputs in the decision support process that Chapter 5,
"Conducting Decision Support," discusses.
The Information Security Group is the sole owner of the prioritization
process. The team may consult technical and non-technical stakeholders, but it
is accountable for determining the probability of potential impacts to the
organization.
In the Microsoft security risk management process, the level of
probability can raise the awareness of a risk to the highest
levels of the organization, or it can drop awareness so low that the risk may be
accepted without further discussion. Estimating risk probability requires the
Security Risk Management Team to invest significant time in order to thoroughly
evaluate each priority threat and vulnerability combination. Each combination is
assessed against current controls to consider the effectiveness of those
controls influencing the probability of impact to the organization. This process
can be overwhelming for large organizations and may challenge the initial
decision to invest in a formal risk management program. To reduce the amount of
time invested in prioritizing risks, you may consider separating the process
into two tasks: a summary level process and a detailed level process.
The summary level process produces a list of prioritized risks very quickly,
analogous to the triage procedures that hospital emergency rooms use to ensure
that they help the patients in greatest need first. However, the drawback is
that it yields a list containing only high-level comparisons between risks. A
long, summary level list of risks in which each risk is categorized as high does
not provide sufficient guidance to the Security Risk Management Team or allow
the team to prioritize mitigation strategies. Nevertheless, it allows teams to
quickly triage risks in order to identify the high and moderate risks, which
enables the Security Risk Management Team to focus its efforts on only the risks
deemed most important.
The detailed level process produces a list with more detail, more easily
distinguishing risks one from another. The detailed risk view enables
stack-ranking of risks and also includes a more detailed view of the potential
financial impact from the risk. This quantitative element facilitates cost of
control discussions in the decision support process, which the next chapter
details.
Some organizations may choose not to produce a summary level risk list at
all. At first glance, it may seem that this strategy would save time up
front, but this is not the case. Minimizing the number of risks in the detailed
level list ultimately makes the risk assessment process more efficient. A
primary goal of the Microsoft security risk management process is to simplify
the risk assessment process by striking a balance between added granularity for
risk analysis and the amount of effort required to calculate risk.
Simultaneously, it endeavors to promote and preserve clarity regarding the logic
involved so that stakeholders possess a clear understanding of risks to the
organization.
Some risks may have the same risk ranking in both the summary list and the
detailed list; however, the rankings still provide sufficient details to
determine whether the risk is important to the organization and if it should
proceed to the decision support process.
Note: The ultimate goal of the Assessing Risk phase is to define the
most important risks to the organization. The goal of the Conducting
Decision Support phase is then to determine what should be done to address
them.
Teams often become stalled at this stage while stakeholders debate the
importance of various risks. To minimize possible delays, apply the following
tasks as appropriate for your organization:
- In non-technical terms, define high and medium level risks for your
organization before starting the prioritization process.
- Focus attention on risks that are on the border between medium and high
levels.
- Avoid discussing how to address risks before you have decided whether
the risk is important. Be watchful for stakeholders who may have
preconceived solutions in mind and are looking for risk findings to provide
project justification.
The remainder of this section discusses success factors and tasks for
creating summary and detailed level risk rankings. The following tasks and
Figure 4.6 below provide an overview of the section and key deliverables
throughout the risk prioritization process.
Primary Tasks and Deliverables
- Task one — Build the summary level list using broad
categorizations to estimate probability of impact to the organization.
  - Output — Summary level list to quickly identify priority risks to
  the organization.
- Task two — Review summary level list with stakeholders to begin
building consensus on priority risks and to select the risks for the
detailed level list.
- Task three — Build the detailed level list by examining detailed
attributes of the risk in the current business environment. This includes
guidance to determine a quantitative estimate for each risk.
  - Output — Detailed level list providing a close look at the top
  risks to the organization.