Information security risk assessments are vital to the health and longevity of every organization, but they can often be a confusing process with terms that vary across industries and organizations. One of the major gaps within information security risk assessments is the lack of information regarding threat actors and threat events. Without these two key pieces of information, corporations and enterprises waste valuable time, money, and other resources on extensive information security risk assessments and walk away without knowing any details about the very real threats to their business.
Important Terms in Information Security Risk Assessments
Risk: The chance of an event occurring that negatively impacts business decisions, goals, and objectives, combined with the impact it would have on the business.
Risk = threat × vulnerability
Threat Event: A negative event that can lead to an undesired outcome.
Threat Actor: The person, organization, or entity responsible for the threat.
Vulnerability: A weakness that can be exploited in order to attack your company.
Information Security Risk Assessment Gaps
Information security risk assessment practices vary among industries and disciplines, which results in multiple approaches and methods for risk assessments. A recent study by Gaute Wangen et al. in the International Journal of Information Security titled “A Framework for estimating information security risk assessment method completeness” identifies and analyzes several gaps in the surveyed methods. One of their findings was “that there is little conformity on how to conduct a threat assessment and what it should contain.” Many risk management companies neglect the largest piece of the information security assessment puzzle when they don’t address the threat events and threat actors.
The Importance of Knowing the Threat Event in Your Information Security Risk Assessment
To complete an information security risk assessment that allows your company to create effective policies and procedures, you must first be aware of the threat events putting your business at risk. The only way to mitigate upcoming threats and prepare for future risks is to know where your business is vulnerable. Threat events vary greatly depending upon your specific industry and business, but the most common threat events according to The Department of Public Safety and Emergency Preparedness of Canada are:
- Natural disasters
- Hacking
- Botnets
- Malware
- Spam
- Viruses
The Importance of Knowing the Threat Actors in Your Information Security Risk Assessment
Knowing your potential threat actors is crucial information for your information security risk assessment. Many information security risk assessments do not include the threat actor, which makes protecting your business with an accurate risk management process impossible. There are numerous threat actor categories, but a few of the most common that put your business at risk are:
- Insider Threat
- Nature
- Hacktivist
- Government Sponsored
- Internal User Error
A robust information security risk assessment is the only way for a corporation to rest assured that its risk management plan is functional and not just theoretical. Without information concerning the company's specific threat events and threat actors, the company is left vulnerable to vicious and costly attacks.
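To make the gap described above concrete, here is a small risk register in Python that pairs each vulnerability with a threat event and a threat actor, scores risk as likelihood × impact, and flags entries that omit either the event or the actor so they cannot be ranked as if they were complete. This is an added example written for this article, not LogicGate's code or the method from the cited study; the 1-to-5 rating scale, the field names, and the sample register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed rating scale (constructed for this example): likelihood and impact
# are each rated 1 (low) to 5 (high), so the risk score ranges from 1 to 25.
MIN_RATING, MAX_RATING = 1, 5


@dataclass
class RiskEntry:
    """One row of a risk register: the asset, its weakness, who and what threatens it."""
    asset: str
    vulnerability: str
    threat_event: Optional[str]   # e.g. "Malware"; None when the assessment omitted it
    threat_actor: Optional[str]   # e.g. "Insider Threat"; None when omitted
    likelihood: int               # chance the event occurs, 1..5
    impact: int                   # business impact if it does, 1..5

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so scores stay comparable.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{name} must be {MIN_RATING}..{MAX_RATING}, got {value}")

    def is_complete(self) -> bool:
        """An entry is only actionable when both the event and the actor are named."""
        return bool(self.threat_event) and bool(self.threat_actor)

    def score(self) -> int:
        """Risk score: likelihood of the threat event times its impact."""
        return self.likelihood * self.impact


def completeness_gaps(entries: List[RiskEntry]) -> List[Tuple[str, List[str]]]:
    """Return (asset, missing fields) for every entry lacking a threat event or actor."""
    gaps = []
    for entry in entries:
        missing = [f for f in ("threat_event", "threat_actor") if not getattr(entry, f)]
        if missing:
            gaps.append((entry.asset, missing))
    return gaps


def ranked_complete(entries: List[RiskEntry]) -> List[Tuple[str, int]]:
    """Rank only complete entries by score, highest first; incomplete ones are excluded."""
    complete = [e for e in entries if e.is_complete()]
    return [(e.asset, e.score()) for e in sorted(complete, key=lambda e: e.score(), reverse=True)]


# Constructed sample register; every value here is illustrative.
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "Unpatched database server", "Hacking", "Government Sponsored", 3, 5),
    RiskEntry("Email gateway", "No attachment sandboxing", "Malware", "Hacktivist", 4, 3),
    RiskEntry("File share", "Broad write permissions", "Malware", "Insider Threat", 2, 4),
    RiskEntry("Data center", "Single site, no failover", "Natural disasters", "Nature", 1, 5),
    # This entry records a vulnerability but names neither event nor actor: the gap the article describes.
    RiskEntry("Payroll system", "Default credentials", None, None, 3, 4),
]

if __name__ == "__main__":
    for asset, missing in completeness_gaps(SAMPLE_REGISTER):
        print(f"INCOMPLETE: {asset} is missing {', '.join(missing)}")
    for asset, score in ranked_complete(SAMPLE_REGISTER):
        print(f"{score:>3}  {asset}")
```

Running the block lists the payroll entry as incomplete and ranks the other four by score, with the customer database (3 × 5 = 15) at the top. Keeping incomplete entries out of the ranking is deliberate: a score computed without knowing the event or actor gives false confidence, which is exactly the failure the article warns about.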
Manage Your Information Risk With LogicGate
With LogicGate's Cyber Risk & Controls Compliance solution you'll have access to a repository of control frameworks to ensure compliance with industry best practice standards. You’ll be able to map controls to business processes, assets, and risks and identify deficiencies versus standard frameworks. Ultimately, you’ll be able to easily identify gaps in controls, pinpoint your vulnerability exposure, and send updates through remediation workflows to improve control effectiveness.