Risk Assessment: Guiding Responsible Information Security Spending

27 02 2012

by Saad Noman

What assets do we protect? What do we need to protect the asset from? How much do we spend on protecting the asset? These are some of the questions that form the basis of information security, and they belong to the domain of risk assessment. A risk assessment program is an on-going process that allows an organization to continually identify critical infrastructure and data, discover vulnerabilities and threats, and develop the associated treatment plans. The aim of this process is to have a clear roadmap of what needs to be done to mitigate risks, and thus to move towards a secure environment in a budget-friendly way. As the United States General Accounting Office notes, “risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques” [1].

Just as in the Software Development Life Cycle, where you spend time designing the application before coding and implementing it, in information security we first need to understand the environment our organization operates in: what the culture is, which processes and applications are mission critical, and what the threats are. Only then can we establish an effective information security program that addresses realistic scenarios, those that are likely to occur and would have a high business impact.

Without a risk assessment, organizations are likely to overspend on security controls and yet completely miss the easiest penetration scenarios. For example, I’ve seen in my organization that we focus on protecting the infrastructure from outside threats (with a DMZ, network penetration etc.), but there is no policy for protecting critical databases from internal employees. Currently, someone from the development team can easily access a production machine using the application login ID from their desktop; there is actually no security control around this.

A proper risk assessment framework yields valuable information and action-driven tasks that help guide an organization in how to approach security spending, by making clear the magnitude of the harm each risk could do to the business. Risk assessment results provide a solid basis for building a strong quantitative business case for security initiatives that may otherwise be difficult to justify to a Finance team that often says “we want to optimize the budget” and “why is this necessary? We are doing just fine without it”.

To conclude, I think Sun Tzu put it perfectly in The Art of War, in a passage that directly speaks to the importance of proactive risk management:

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” [2]


[1] United States General Accounting Office. “Information Security Risk Assessment.” November 1999.


[2] Sun Tzu. The Art of War. Quotation retrieved from http://thinkexist.com/quotation/the_art_of_war_teaches_us_to_rely_not_on_the/149712.html
