Tuesday 9 October 2012

Threat: The Missing Component.

Threat: The Missing Component.

It is now widely acknowledged that risk management is the best way to manage security and security risks are beginning to be integrated into organisations’ business risk management structures so that they are managed alongside other business risks.  This is a significant step forward but a component is frequently missing from the security risk equation, threat. While there is no easy fix to this, the following blog is about setting the scene, and 'why' threat is an integral part to the overall risk management approach.

What is Threat?

There are many definitions of a threat, but within the context of security risks we will use the following:

An actor that has the intent and capability to carry out an act that could cause harm to an organisation.  

In some instances this is referred to as the cause of a risk. A threat must possess both the intent and capability to carry out the act and these two elements can be used to assess the size of a threat to an organisation.

In this context, the threat is a wilful actor that chooses to undertake the threat.

Threats are not the only cause of risks though.  Some risks may be caused by circumstances or events that do not possess intent or capability, such as adverse weather.  These are referred to as hazards.

Hazards are rarely, if ever, a direct cause of a security risk and as such will not be covered in this blog.

Where does Threat fit into the risk equation?

Again, there are many definitions of a risk but we will use the following:

Any uncertain event that could have an impact on an organisation’s ability to achieve its business objectives.  

These overarching definitions of risk clearly demonstrate the link between the risk and a business’s objectives but they don’t describe what factors come together to make a risk. The following formula lays out the series of key factors required to cause a security risk. Threat is key component of this.

A THREAT exploits a VULNERABILITY that causes an EVENT that has an IMPACT on the business. 

The terms used above are all standard entities used in risk and whilst real life is never that simple most security risks follow the above formula in theory.

Why Threat is important?   

A threat initiates a risk.  It is not until a threat exploits a vulnerability that an event that impacts a business will occur.  Without the threat, the other sequence of events will not be triggered and the consequences would not occur.

Organisations do not need to have knowledge of a defined threat to identify and manage a risk.  The fact that a vulnerability exists, which a threat could exploit, is normally sufficient for an organisation and the threat element is ignored.  The threat though contains a large number of variables that will determine the evolution of the event and its subsequent impact.  The threat determines the timing, nature, size and velocity of an event.

It is these variables that give rise to the uncertainties of the event and therefore its subsequent impact.  A defined and understood threat therefore provides additional information on the security risk that can be used to refine and target controls.

Why is Threat frequently not taken into account?

Despite its clearly important role, threat is often missed out from organisations’ risk management processes.  Threats are difficult to define.  They exist outside of an organisation and therefore the information is difficult to obtain.  In addition, organisations can rarely influence or control a threat, without great cost.

Organisations therefore focus on the internal picture, identifying and managing vulnerabilities, which given the premise that vulnerabilities that could be exploited by a threat should be protected, they have to do anyway.

Whilst understandable, for me this misses a key part out of risk management.  So, how do we take into account threat in the risk management process?

Threat Led Risk Management

The point of risk management is to understand the things that might prevent you from achieving your objectives, and managing them.  It is about information and truly understanding the context in which you operate to enable you to prevent the unforeseen things, which exist outside of your plan, preventing you from achieving your goals.  In this context, the threat is a vital part of the jigsaw puzzle as it provides much greater clarity on the likelihood of a risk occurring and the potential impact.  Whilst risks can therefore be defined using the organisation’s vulnerability and potential impact, a risk cannot be truly quantified without taking into account the threat.  We have termed this Threat Led Risk Management.

Threat Led Risk Management enables organisations to truly undertake risk management.   This of course leaves organisations with a real problem, how do they get the information on threat that they need at a reasonable cost?

Threat Information

Gathering current and accurate information on the threats to a business or organisation is a difficult task.  The information is not easily obtained and in respects of security risks and the likely perpetrators, information on the threat is naturally guarded.  For an organisation to gather information on the threats it faces and keep that information up to date, it would need to develop an effective intelligence network with sufficient sources of information to meet its needs as well as have the capacity to analyse that information. For the majority of organisations this is unachievable.

The resource implications alone are likely to act as a barrier but in addition, the time it would take to establish an effective intelligence network is likely to prevent organisations from going down this route.  In addition, organisations in similar sectors will be replicating work, in effect all seeking the same information and applying it to their businesses.

From a UK plc point of view this is a huge waste of resource to protect our businesses.

A Possible Way Forward

Organisations can obtain threat information from private companies that provide bespoke threat products but there is no guarantee on quality and those with good reputations are expensive.  However, rather than individual organisations undertaking essentially the same intelligence gathering exercises on the same threats, a central  non-competitive system that produces an industry sector specific threat report would provide a cost effective solution to enable organisations to undertake Threat Led Risk Management.   Perhaps this is a role that could be undertaken by the UK Government.

The UK Government is currently seeking to strengthen the business sector’s resilience to attack, particularly in the area of what it calls cyber threats, and has also asked for innovative ideas on identifying and tackling the threat.  (Summarised by the BBC)  The Government’s current focus though appears to be on attaining the information to enable them to act, rather than sharing threat information. Whilst the Centre for the Protection of the National Infrastructure (CPNI) does work with private organisations, and provide security advice, no formal industry specific threat product exists.

The UK Government already has a system and structure in place able to gather intelligence on threats.  It is acknowledged that the UK Government will not be able to share the majority of information on threats and it is not suggested that private companies are given access to all the information.  However, the information could be used to provide a centralised industry sector specific threat product that would enable organisations to better manage their security risks.