Finding The Hidden InfoSec Story

The Leaky Bucket

Photo Credit: Resa1671 via Compfight cc

Whichever way you look at risk, you need to consider three components: Threats, Vulnerabilities and Impact.

Threats can be grouped into three categories: forces of nature, human accidental and human deliberate (someone drills a hole in the bucket just “because”). The latter is both likely and dangerous. There is little you can do to completely remove a threat.

Vulnerabilities are largely under your control, as long as you know they exist (e.g. the bucket is old and rusty). In Information Risk Management, vulnerabilities can be found in four areas: governance (e.g. whether resources are made available and a holistic approach is taken), technology (e.g. malware management and monitoring products), process (e.g. change control, configuration management, identity management) and people (e.g. knowledge and dedication at one extreme, apathy and disengagement at the other).

Impact is what happens when a threat and a vulnerability meet. It can range from “insignificant” to “catastrophic” with various intermediate levels. It is often possible to estimate the monetary value of several aspects of impact (loss of revenue, additional costs), as is done when preparing Business Continuity Plans. Other impacts, e.g. legal and reputational, are hard or impossible to estimate before an incident.

Despite such apparent limitations, a well conducted and recurring Information Risk Management programme has considerable value simply by making the organisation more aware of the various threats and by identifying and ranking its vulnerabilities. These outcomes can be turned into a Risk Register ranked by assessed impact. The lack of numerical data leads to risk maps with boxes coloured red, yellow and green, and this alone should make it easier to communicate with people less familiar with Information Risk Management.
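As an added illustration (not part of the original article), the following Python builds the kind of qualitative Risk Register and red/yellow/green risk map described above. The five-point scale, the RAG thresholds, and the sample register entries are assumptions made for this example; an organisation would substitute its own scale and risk appetite.

```python
"""Qualitative risk register ranked into a red/yellow/green risk map.

Added example; the scale, RAG thresholds and sample entries are assumptions.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Five-point qualitative scale used for both likelihood and impact."""
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


class Threat(Enum):
    """The three threat categories from the article."""
    NATURE = "forces of nature"
    ACCIDENTAL = "human accidental"
    DELIBERATE = "human deliberate"


@dataclass(frozen=True)
class Risk:
    id: str
    threat: Threat
    vulnerability: str
    likelihood: Level   # how likely the threat meets this vulnerability
    impact: Level       # consequence if it does

    @property
    def score(self) -> int:
        """Likelihood x impact: the usual qualitative rating, 1..25."""
        return int(self.likelihood) * int(self.impact)


def rag(score: int) -> str:
    """Map a score to a colour. Thresholds are an assumption for this example."""
    if score >= 15:
        return "RED"
    if score >= 8:
        return "YELLOW"
    return "GREEN"


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Order by score, then by impact (catastrophic first), then by id."""
    return sorted(risks, key=lambda r: (-r.score, -int(r.impact), r.id))


def risk_map(risks: List[Risk]) -> Dict[Level, Dict[Level, List[str]]]:
    """Bucket risk ids into a 5x5 grid keyed by impact, then likelihood."""
    grid = {i: {l: [] for l in Level} for i in Level}
    for r in risks:
        grid[r.impact][r.likelihood].append(r.id)
    return grid


def render_map(risks: List[Risk]) -> str:
    """Text risk map: rows are impact (high to low), columns are likelihood."""
    grid = risk_map(risks)
    lines = ["impact \\ likelihood | " + " | ".join(f"L{int(l)}" for l in Level)]
    for impact in sorted(Level, reverse=True):
        cells = []
        for likelihood in Level:
            ids = ",".join(grid[impact][likelihood]) or "-"
            cells.append(f"{rag(int(impact) * int(likelihood))[0]}:{ids}")
        lines.append(f"{impact.name:<19} | " + " | ".join(cells))
    return "\n".join(lines)


# Constructed sample register for the example; not taken from the article.
SAMPLE_REGISTER = [
    Risk("R1", Threat.DELIBERATE, "unpatched internet-facing server", Level.MAJOR, Level.CATASTROPHIC),
    Risk("R2", Threat.NATURE, "single data centre, no continuity plan", Level.MINOR, Level.CATASTROPHIC),
    Risk("R3", Threat.ACCIDENTAL, "no change control on production", Level.MAJOR, Level.MODERATE),
    Risk("R4", Threat.ACCIDENTAL, "out-of-date incident contact list", Level.MODERATE, Level.INSIGNIFICANT),
    Risk("R5", Threat.DELIBERATE, "shared administrator password", Level.MODERATE, Level.MAJOR),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.id} {rag(r.score):6} score={r.score:2} {r.threat.value}: {r.vulnerability}")
    print(render_map(SAMPLE_REGISTER))
```

Note the tie-break in rank_register: two risks with the same score are ordered by impact, so a catastrophic-but-unlikely event sits above a likely-but-minor one with the same product. That matches the article's preference for ranking the register by assessed impact rather than by a bare number.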

There are several frameworks and standards in use, such as:

NIST SP 800-30 “Guide for Conducting Risk Assessments” and NIST SP 800-37 “Guide for Applying the Risk Management Framework to Federal Information Systems”. (Both documents are available as free downloads from

“COBIT 5 for Risk”, issued by ISACA (the Information Systems Audit and Control Association). Issued in September 2013, it replaces the 2009 Risk IT Framework and has been extended to include governance issues.

Author: Ed Gelbstein
