A presentation I made for the ISACA Belgium open forum of June 2015 in Brussels on Reporting relevant IT risks to stakeholders. This presentation served as starter for the discussions in the open forum.

1. REPORTING RELEVANT IT
RISKS TO STAKEHOLDERS
Marc Vael, Brussels, 24 June 2015

2. WHO ARE THE STAKEHOLDERS?
Stakeholders can affect or be affected by the
organization's actions, objectives and policies.
Examples of key stakeholders are creditors, directors,
employees, government (and its agencies), owners
(shareholders), suppliers, unions, and the community
from which the business draws its resources.

3. WHO ARE THE STAKEHOLDERS?

4. WHO ARE THE STAKEHOLDERS?

5. WHO ARE THE STAKEHOLDERS?

6. WHO ARE THE STAKEHOLDERS?

7. WHO ARE THE STAKEHOLDERS?
Big problem #1:
Stakeholders all speak different
“languages

8. WHAT ARE RELEVANT IT RISKS?
Information technology risk / IT risk / IT-related risk is the business risk
associated with the use, ownership, operation, involvement, influence and
adoption of IT within an enterprise.
Assessing the probability of likelihood of various types of event/incident with their
predicted impacts or consequences should they occur is a common way to assess and
measure IT risks.
Alternative methods of measuring IT risk typically involve assessing other contributory
factors such as the threats, vulnerabilities, exposures, and asset values.
IT risk has a broader meaning: it encompasses not just only the negative impact of
operations and service delivery which can bring destruction or reduction of the value of
the organization, but also the benefitvalue enabling risk associated to missing
opportunities to use technology to enable or enhance business or the IT project
management for aspects like overspending or late delivery with adverse business
impact.

9. WHO ARE THE STAKEHOLDERS?
Big problem #2:
“Risk” is inherently subjective
(qualitative)

10. MEASURING IT RISKS?
Information security event: identified occurrence of a system, service
or network state indicating a possible breach of information security
policy or failure of safeguards, or a previously unknown situation that may
be security relevant.
Occurrence of a particular set of circumstances.
The event can be certain or uncertain.
The event can be a single occurrence or a series of occurrences.
Information security incident: single or series of unwanted information
security events that have a significant probability of compromising
business operations and threatening information security
An event that has been assessed as having an actual or potentially
adverse effect on the security or performance of a system.

11. MEASURING IT RISKS?
Impact: result of an unwanted incident
Consequence: Outcome of an event
There can be more than one consequence from one event.
Consequences can range from positive to negative.
Consequences can be expressed qualitatively or quantitatively
R = L × I
Likelihood of a security incident occurrence is a function of the likelihood that a threat appears
and likelihood that the threat can successfully exploit the relevant system vulnerabilities.
Consequence of the occurrence of a security incident is a function of likely impact that the
incident will have on the organization as a result of the harm the organization assets will
sustain. Harm is related to the value of the assets to the organization; the same asset can
have different values to different organizations.

12. MEASURING IT RISKS?
R can be function of four factors:
A = Value of the assets
T = Likelihood of the threat
V = Nature of vulnerability i.e. the likelihood that can be exploited
(proportional to the potential benefit for the attacker and inversely
proportional to the cost of exploitation)
I = the likely impact, the extent of the harm

19. MEASURING IT RISKS?
OWASP approach to IT risk
Estimation of Likelihood in a 0 to 9 scale:
Threat agent factors
Vulnerability Factors
Estimation of Impact in a 0 to 9 scale
Technical Impact Factors
Business Impact Factors

20. MEASURING IT RISKS?
OWASP approach to IT risk
Threat agent factors
Skill level: How technically skilled is this group of threat agents? No technical skills (1),
some technical skills (3), advanced computer user (4), network and programming skills
(6), security penetration skills (9)
Motive: How motivated is this group of threat agents to find and exploit this vulnerability?
Low or no reward (1), possible reward (4), high reward (9)
Opportunity: What resources and opportunity are required for this group of threat agents
to find and exploit this vulnerability? full access or expensive resources required (0),
special access or resources required (4), some access or resources required (7), no
access or resources required (9)
Size: How large is this group of threat agents? Developers (2), system administrators (2),
intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

21. MEASURING IT RISKS?
OWASP approach to IT risk
Vulnerability Factors: estimate the likelihood of the particular
vulnerability involved being discovered and exploited. Assume the
threat agent selected above.
Ease of discovery: How easy is it for this group of threat agents to discover this
vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
Ease of exploit: How easy is it for this group of threat agents to actually exploit this
vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
Awareness: How well known is this vulnerability to this group of threat agents? Unknown
(1), hidden (4), obvious (6), public knowledge (9)
Intrusion detection: How likely is an exploit to be detected? Active detection in application
(1), logged and reviewed (3), logged without review (8), not logged (9)

22. MEASURING IT RISKS?
OWASP approach to IT risk
Technical Impact Factors; estimate the magnitude of the impact on the
system if the vulnerability were to be exploited.
Loss of confidentiality: How much data could be disclosed and how sensitive is it? Minimal non-
sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed
(6), extensive critical data disclosed (7), all data disclosed (9)
Loss of integrity: How much data could be corrupted and how damaged is it? Minimal slightly corrupt
data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously
corrupt data (7), all data totally corrupt (9)
Loss of availability How much service could be lost and how vital is it? Minimal secondary services
interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5),
extensive primary services interrupted (7), all services completely lost (9)
Loss of accountability: Are the threat agents' actions traceable to an individual? Fully traceable (1),
possibly traceable (7), completely anonymous (9)

23. MEASURING IT RISKS?
OWASP approach to IT risk
Business Impact Factors: requires a deep understanding of what is
important to the company running the application. Aiming to support risks
with business impact, particularly if the audience is executive level. The
business risk is what justifies investment in fixing security problems.
Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the
vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
Reputation damage: Would an exploit result in reputation damage that would harm the business?
Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)
Non-compliance: How much exposure does non-compliance introduce? Minor violation (2), clear
violation (5), high profile violation (7)
Privacy violation: How much personally identifiable information could be disclosed? One individual (3),
hundreds of people (5), thousands of people (7), millions of people (9)

24. 24

25. MEASURING IT RISKS?

26. MEASURING IT RISKS?

27. MEASURING IT RISKS?

28. MEASURING IT RISKS?

31. WHO ARE THE STAKEHOLDERS?
Big problem #3:
The risks that frighten people
are not the same ones that “kill”
them.

32. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?
?

33. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

34. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

35. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

36. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

37. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

38. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

39. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

40. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

41. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

42. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

43. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

44. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

45. WHO ARE THE STAKEHOLDERS?
Big problem #4:
Risks are difficult to compare across
the board

46. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

47. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

48. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

49. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

50. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

51. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

52. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

53. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

54. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?

55. WHAT ARE EFFECTIVE WAYS TO COMMUNICATE / REPORT RELEVANT IT
RISKS TO STAKEHOLDERS?