ISACA Now Blog


Risk Analysis Inputs Critical in Assessing Vulnerabilities

Dominic Sellitto, Cybersecurity Consultant
Posted at 3:05 PM by ISACA News | Category: Risk Management

The fact is, new vulnerabilities come to light every day. Unfortunately, staying ahead of these new vulnerabilities, or otherwise addressing them promptly, has proven to be incredibly difficult (not to mention costly). The good news is that not all vulnerabilities affect every organization. But for the vulnerabilities that do apply, it is often difficult to make a risk-based decision on how to address them – do we mitigate, avoid, transfer, or accept them?

These decisions become a great deal easier when organizations include the likelihood of an exploit, alongside a vulnerability's impact, as risk analysis inputs. Of the two, impact is usually the more straightforward. For example, we might consider legal, strategic, financial, operational, or reputational impacts or, as the Common Vulnerability Scoring System (CVSS) does, we might consider the impact on the classic objectives of confidentiality, integrity and availability.

Likelihood seems softer than impact and, as a result, we might think it is harder to determine. To get there, we have to think about the threats that could take advantage of a vulnerability: before a vulnerability can be exploited, there must be a related threat. As it turns out, CVSS has already worked out how to quantify likelihood by prompting for easier-to-answer questions, such as where a threat originates, how difficult the exploit is, and whether the victim has to be involved. One of the common shortcomings of vulnerability management processes is their often-limited understanding of the threats that actually apply.

So, what is a threat?

We think of a threat scenario as a threat agent acting against a target to accomplish an objective; for example, a hacker targeting an e-commerce website to steal credit card data. A vulnerability creates a point of entry through which the attacker can reach the target. In a more complex attack, a hacker might work through a series of layers, exploiting various vulnerabilities along the way.

We worry about threats from thieves, hackers, malware and ransomware, social engineers and phishers, and natural disasters. However, the definition of a threat can encompass more than just these common actors. For example, an organization might view regulatory compliance as a threat. After all, an audit can have a significant impact – fines and penalties.

Why does understanding threats matter?

Regardless of your organization, addressing vulnerabilities is a business decision. As with any other business decision, risk and cost are a factor. Understanding a vulnerability in the context of the threats that might exploit it makes it easier to plan a course of action and prioritize your response.

Editor’s note: For more on this topic, download ISACA’s new white paper on vulnerability assessment.

Comments

Good Insight

Thanks, Dominic, for such good insights on how an organization should approach its vulnerability management program. Most of the time, the technical experts tend to plan vulnerability remediation just on the basis of vendor-based rating criteria. Even if some mature processes cover the aspect of threat evaluation, few consider the actual business risk created by that vulnerability on your business technology assets.
Soumitro Mandal at 12/13/2017 9:28 AM

Risk Analysis and Vulnerabilities

Well, it is quite difficult to remain updated with every emerging vulnerability. And it is more complex to seek a business decision and hence prioritize the response. Often mitigation is imposed or expected after some good incident which has an impact on cost or performance.
Tassawar at 12/13/2017 10:22 AM
