Step 3 – Do a Risk Assessment & Identify Risks

Hello All! As we run into the final laps of the year, we realise the importance of CyberSecurity for all of us. As we round up an exciting year and one in which Arrka is growing; we sincerely thank all of you out there who have supported us and had faith in our abilities to deliver. We look forward to a truly more exciting 2018 – and a very secure and safe one. Our quest for enabling security for our stakeholders, customers, partners continue and we remain focused in getting this together. This series is a way to spread the awareness.

Thank you for reading through this. This article is the next in the series. Your feedback means a lot and I appreciate the comments coming my way. In case you have missed the earlier articles, the links are below.

Article 1 –
Article 2 –
Article 3 –
Article 4 –

So now, we have defined policies, created a security architecture in line with the policy. Most security practitioners at this point will say, “we should have assessed risks first. Why do this after the policies are defined?” This is actually a very valid question. However, there are some advantages of doing this later. I will explain as we move forward.

Let us understand Risk first. The layman answer is risk is like a dare, and it is a catalyst for making a decision on whether the challenge/dare should be accepted or not. Everyone has a threshold, in risk terms this is called a Risk Appetite. We tend to take risks (or as we called earlier challenges) based on our understanding and perception of risk appetite. I use the words understanding and perception because risk is always subjective. We have all tried to make this scientific, objective, numbers driven; however, there are exceptions that are made when decisions are taken on basis of your gut and instinct. These are feel behaviours which are tough to justify and are more prone to belief in yourself than anything else. E.g. Instinct is what drives innovation and should we choose to ignore this, we will never get a new idea conceptualised and created. Hence some subjective behaviour patterns are expected during a risk exercise.

Now the semantics of risk. All of us speak of assessing risk, this is ancient. The risk profile has become so dynamic that we cannot think of this as a static once in time work. Risk now needs to be managed and assessed for damage while managing and containing risk. To ensure this happens, we always need a company baseline. The world baseline will throw us in a tizzy and there are more 200 types of threats emanating into risk exposure for an organization in information security. If we look for technical vulnerabilities, it is 30000+ and growing everyday! All of these are not applicable to us and so the approach advocated here is, “Make policy statements which you require and then apply the risk principles for the ones applicable so we know what kind of risk exposure we are working with.”

So as part of risk management, the following comes through

• Identify Risk Appetite (am I ok to live with medium threat risks or low threat risks, you cannot have zero risk)
• Conduct initial assessment vis-à-vis policies to identify threats that are applicable
• Conduct a more thorough assessment for the applicable threats. We will also identify the probability of someone exploiting this threat exposure/ vulnerability. Usually, if incidents have happened before, that means we are at high risk. At times, there is an actual assessment carried out (as a part of Penetration Test, Social Engineering, Testing for Security etc.) to determine the probability of success
• Once we have identified all risk (essentially a product of threat and probability applied on all information processing assets – like people, technology, facilities, applications etc.); we will get into a selection process. The selection will decide if risk is in one of the below stages

-Reduce – our exposure is high and we need to reduce this by fixing some issues
-Avoid – We will replace the particular item causing risk with another set so that the risk is avoided completely.
-Transfer – We will transfer our risk exposure to others. E.g. insurance
-Accept – This risk exposure is below my risk appetite. So we will let it be and monitor to make sure this does not go above my appetite

• We need to decide on one of the above for each risk area. Depending on what we select, we will go ahead with additional actions. Some may require expense and some may not. Some could be as easy as changing policy controls.
• Now we have identified risk, we need to monitor the risk and threats to ensure they are in line with our requirements. This is possible via a combination of real-time technology monitoring and process audits. Many of the staff contribute also by reporting incidents. Another major input comes from external sources (experts sending out newsletters), focus groups on security, our awareness of the sorroundings, e.g. next door company data was stolen implies we are at risk as well.

Considering the above, we have a more effective way of managing risk and also having quick wins. Getting into risk assessment first will take time and that is the time we are not protected at all. While running an organization, we cannot remain unprotected for long and so this needs to come after some semblance of policy is defined and is already being rolled out.

Next we will explode Step 4 – Rollout of policies, procedures, awareness for users
Till then, stay safe and if you need emergency response/ help, shout out to

In case you have missed the earlier part of the series, it is at

Article 1 –

Article 2 –

Article 3 –

Article 4 –