June 4, 2008, Annapolis, Maryland
Threat assessment is one of the key components of a security risk assessment. Whether the scope is information technology or physical security, good threat information is a major input to any risk assessment.
Threat data is also difficult to obtain and to keep current. Part of the problem is that ‘current’ threat data can mislead you. This year, for example, Maryland has had an unusual amount of rain, an unusually high number of storms, and repeated warnings of conditions favorable for tornadic activity.
Take yesterday, for example. I had to take one of my beagles to the vet. As I got into my car, my son called to say there was a very severe storm with a possible tornado heading toward us. (He is in Virginia, so he gets the storms first.) I actually saw the storm in my rear-view mirror as I headed across the 4-mile Bay Bridge, and rode out the storm in the vet’s office. All my power was out when I finally got home, and hundreds of trees were down. There was so much flooding that I had to take off my shoes and pull up my dress to get to my car in the parking lot of the vet’s office.
So, with these storms, tornados, rain and flooding, should I raise the threat rating for storms, flooding and water damage in my assessment? No. In this case, as in others (hurricanes, for example), a risk analyst looks at long-term trends. Remember 2005? It was the busiest hurricane season on record, with 27 named storms, 11 federal disaster declarations and the unforgettable trio of Katrina, Wilma and Rita. Everyone thought this signaled a new problem with hurricanes, but 2006 was quiet. In fact, no hurricanes made landfall in the U.S. in 2006, and in 2007 there were only 15 named storms.
What insurance companies have known for years is that these things occur in cycles, and if you change your disaster plans to focus on hurricanes, next year you may instead get wind, or wildfires. So the smart risk assessor looks at 20- or even 50-year records and normalizes them into an annualized rate of occurrence. That annual number is a better predictor of what will actually happen in any given year than the most recent season is.
For a risk assessment, I always take what is called an “All-Hazards” threat approach. Even for an IT risk assessment, you need to look at the statistics for natural disasters and related crime, as well as IT threats such as disclosure, viruses, malware and phishing. The impact of a hurricane or flood on a data center can be as damaging as, or more damaging than, a virus brought in by an employee.
There are several threat sources you can refer to if you are building your own threat matrix for a risk assessment. In the U.S., the National Weather Service, part of NOAA (www.noaa.gov), has good threat data for natural phenomena, and the FBI publishes good crime data in the Uniform Crime Reports (http://www.fbi.gov/ucr/ucr.htm). For IT threat data there is a wide variety of sources, including the CERT Coordination Center at Carnegie Mellon (www.cert.org).
Of course, the best and most localized threat data is your own internal data, or data from your industry: incident response tracking, incident reports, and penetration test and vulnerability scan results, which can be combined into an overall threat profile for your organization to use in the risk assessment. The resulting threat probabilities feed the risk calculation, which determines what level of protection each asset needs given the threats that can affect it.
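The two ideas above, normalizing a multi-decade record into an annual rate rather than reacting to one bad season, and feeding those rates into the per-asset risk calculation, are easy to see in a small script. The following is an added example written for this page; it is not RiskWatch code and not the author's own method. Every event count and dollar figure in it is constructed, and the loss formula it uses (ALE = ARO × SLE, the usual quantitative risk calculation) is an assumption of the example rather than something the post states.

```python
"""Annualizing a multi-decade threat record and using the result in a risk calculation.

Added example. All event counts and dollar figures below are constructed for
illustration and do not come from the National Weather Service, the FBI, CERT
or any real site.
"""

# Constructed 30-year record (1978-2007) of damaging events at a fictional
# Maryland site: (year, threat). A year with no entry had no damaging event.
HISTORY = [
    (1979, "flood"), (1983, "hurricane"), (1985, "flood"), (1989, "flood"),
    (1992, "tornado"), (1996, "flood"), (1999, "hurricane"), (2003, "hurricane"),
    (2003, "flood"), (2005, "flood"), (2006, "tornado"),
]
FIRST_YEAR, LAST_YEAR = 1978, 2007

# Constructed record for the unusually stormy season the post describes.
CURRENT_YEAR = 2008
RECENT = [(2008, "flood"), (2008, "flood"), (2008, "tornado"), (2008, "flood")]


def annual_rate(events, threat, first_year, last_year):
    """Annualized rate of occurrence (ARO): events of one threat type in the
    window divided by the number of years observed, inclusive of both ends."""
    years = last_year - first_year + 1
    if years <= 0:
        raise ValueError("window must span at least one year")
    count = sum(1 for year, kind in events
                if kind == threat and first_year <= year <= last_year)
    return count / years


def window_comparison(threat):
    """The long-term rate with the current year folded in, next to the rate the
    current year alone would suggest. The gap between them is the point."""
    long_term = annual_rate(HISTORY + RECENT, threat, FIRST_YEAR, CURRENT_YEAR)
    this_year = annual_rate(RECENT, threat, CURRENT_YEAR, CURRENT_YEAR)
    return long_term, this_year


# All-hazards threat list for one asset, a data center. Natural-hazard AROs come
# from the 30-year record above; the malware ARO is assumed to come from the
# organization's own incident tracking (5 damaging infections a year).
DATA_CENTER_ARO = {
    "flood": annual_rate(HISTORY, "flood", FIRST_YEAR, LAST_YEAR),
    "hurricane": annual_rate(HISTORY, "hurricane", FIRST_YEAR, LAST_YEAR),
    "tornado": annual_rate(HISTORY, "tornado", FIRST_YEAR, LAST_YEAR),
    "malware": 5.0,
}

# Constructed single-loss expectancy (SLE) in dollars: what one occurrence of
# each threat would cost this asset.
DATA_CENTER_SLE = {
    "flood": 2_000_000,
    "hurricane": 3_000_000,
    "tornado": 3_000_000,
    "malware": 45_000,
}


def annualized_loss(aro, sle):
    """Annualized loss expectancy, ALE = ARO x SLE. This is the standard
    quantitative risk formula; the post does not spell it out, so it is an
    assumption of this example."""
    return aro * sle


def rank_threats(aro_by_threat, sle_by_threat):
    """Rank an asset's threats by expected annual loss, highest first. The
    ranking, not the raw frequency, is what decides where protection goes."""
    ale = {t: annualized_loss(aro_by_threat[t], sle_by_threat[t]) for t in sle_by_threat}
    return sorted(ale.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for threat in ("flood", "tornado"):
        long_term, this_year = window_comparison(threat)
        print(f"{threat:10s} 31-year ARO {long_term:.2f}/yr, 2008 alone {this_year:.1f}/yr")
    for threat, ale in rank_threats(DATA_CENTER_ARO, DATA_CENTER_SLE):
        print(f"{threat:10s} ALE ${ale:,.0f}")
```

With these constructed numbers, a flood rate read off 2008 alone would be 3 per year, while folding 2008 into the 31-year record moves the rate only from 0.20 to 0.29 per year; that is the "normalize into an annual number" step. The ranking then shows why the all-hazards view matters: the rare but costly flood still tops the list, but the frequent, low-cost malware incident outranks the tornado, so neither the natural hazards nor the IT threats can be left out of the same calculation.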
Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software. Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop. In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler. Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications. Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.