
I’ve been talking with a lot of companies lately about risk. Many of them want to formalize how they classify systems, data, business processes, people, etc. using a structured risk program such as FAIR, OCTAVE, and the like. These models often seem fairly complex, and the net effect I’m seeing is that lots of people are talking about them but few are actually doing anything, because the programs feel like daunting projects.

One method I’ve seen that is starting to work is a lot simpler.  In the vein of “just start something” some of the organizations I’m working with are doing some quick & dirty risk classification (high/medium/low, red/orange/yellow, etc.) to help them segregate their infrastructure, applications, data, and roles into meaningful buckets that can be used to drive security rigor, investment, and response.

While simple, I think this approach works very well.  After all, if you think of it in terms of your personal life, you probably own some things you’d feel comfortable leaving out on the front lawn all night, but you have other things (your grandmother’s ring, your big-screen TV, etc.) that you would never leave unprotected and you’d want to make sure you knew those things were safely locked up every night.

You probably have a pretty good sense of the relative importance of the components of your IT infrastructure, data, and related processes. If you don’t have a risk model in place, don’t wait – start doing some basic categorization to help you align what you’re doing with the importance of the things you’re securing.

What’s your experience?  Are there any lightweight models you’ve seen that work for you and your business?

  • Jake Evans

    Qualitative risk assessment, which is what you're talking about here, is a useful and valid way to score risk.  This is especially the case for organizations with little to no risk scoring capability (lack of organizational maturity) or organizations that don't have the budget for a full-scale quantitative assessment (quantitative risk assessment is typically much more expensive to carry out).  The simpler approach gets the risk assessment ball rolling which may, down the road, lead to more rigorous quantitative risk assessment using one of the methodologies you mention above or others.  The real key in carrying out a qualitative risk assessment (and quantitative, really) is being sure you have the right folks doing the high/med/low or 1-10 scoring.  If you have that then there is enormous value in these types of activities.