Information Asset Protection Infrastructure: Risk Database
A risk database is one way to easily accumulate and store quantities of information on risk. The database should minimally contain the following tables:
Threats – As there are only five classes of threats (humans inside the security perimeter, humans outside it, human error, malicious code, and environmental threats), a separate column for each class may prove the easiest solution.
Assets including components of meta-assets.
Vulnerabilities linked to assets.
Business processes linked to components to show dependencies.
Risks linking threats and vulnerabilities.
Attacks and consequences linked to risks and assets.
Queries should easily provide lists of assets at risk, likely consequences of attacks, and predictions related to annual loss. Reliable vulnerability information used to populate the vulnerabilities table is readily available from a number of sources, and the security team should be capable of finding credible threat information from formal and informal sources. An important use of the database is to gain insight into risks arising from component vulnerabilities when those components are reused in new systems. Being able to see which attacks target specific component vulnerabilities, and therefore the risk a new system inherits when it is implemented, is a very powerful capability that few organizations have today.
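As an added example (not part of the original article), the following SQLite sketch implements the six tables listed above and the queries the text says should be easy: assets at risk, likely consequences, annual loss expectancy, business processes that depend on vulnerable components, and the risk a new system inherits from reused components. Table names, column names, the organisation, its assets, and all figures are constructed for illustration; the five threat classes are stored as a constrained column rather than as the separate per-class columns the text suggests, which is a design assumption.

```python
"""Minimal risk database: constructed schema and sample rows, plus the
queries a risk database should answer (assets at risk, consequences,
annual loss, inherited risk). Everything here is illustrative."""
import sqlite3

SCHEMA = """
CREATE TABLE threats (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
  class TEXT NOT NULL CHECK (class IN
    ('human_inside','human_outside','human_error','malicious_code','environmental')));
CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT NOT NULL, value REAL NOT NULL);
-- meta-asset (system) to component mapping; one component may serve several systems
CREATE TABLE system_components (system_id INTEGER REFERENCES assets(id),
  component_id INTEGER REFERENCES assets(id), PRIMARY KEY (system_id, component_id));
CREATE TABLE vulnerabilities (id INTEGER PRIMARY KEY,
  asset_id INTEGER NOT NULL REFERENCES assets(id), description TEXT NOT NULL, source TEXT);
CREATE TABLE business_processes (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE process_components (process_id INTEGER REFERENCES business_processes(id),
  component_id INTEGER REFERENCES assets(id), PRIMARY KEY (process_id, component_id));
CREATE TABLE risks (id INTEGER PRIMARY KEY,
  threat_id INTEGER NOT NULL REFERENCES threats(id),
  vulnerability_id INTEGER NOT NULL REFERENCES vulnerabilities(id));
CREATE TABLE attacks (id INTEGER PRIMARY KEY,
  risk_id INTEGER NOT NULL REFERENCES risks(id),
  asset_id INTEGER NOT NULL REFERENCES assets(id),
  consequence TEXT NOT NULL,
  annual_rate REAL NOT NULL,      -- expected occurrences per year
  loss_fraction REAL NOT NULL);   -- share of asset value lost per occurrence
"""

# Constructed sample rows for a hypothetical organisation.
SAMPLE = """
INSERT INTO threats VALUES (1,'Opportunistic internet attacker','human_outside'),
                           (2,'Disgruntled administrator','human_inside');
INSERT INTO assets VALUES (1,'Payroll system',500000),(2,'Database server',200000),
                          (3,'Web front end',100000),(4,'HR portal',300000);
INSERT INTO system_components VALUES (1,2),(1,3),(4,3);  -- HR portal reuses the front end
INSERT INTO vulnerabilities VALUES
  (1,3,'Unpatched web framework','vendor advisory'),
  (2,2,'Default administrative credentials','internal scan');
INSERT INTO business_processes VALUES (1,'Monthly payroll run');
INSERT INTO process_components VALUES (1,2),(1,3);
INSERT INTO risks VALUES (1,1,1),(2,2,2);
INSERT INTO attacks VALUES
  (1,1,3,'Front end defaced; payroll entry unavailable',2.0,0.1),
  (2,2,2,'Payroll records exfiltrated',0.1,0.5);
"""

def build_db():
    """Create an in-memory database holding the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def assets_at_risk(conn):
    """Assets carrying a vulnerability that is paired with a threat in risks."""
    rows = conn.execute("""SELECT DISTINCT a.name FROM assets a
        JOIN vulnerabilities v ON v.asset_id = a.id
        JOIN risks r ON r.vulnerability_id = v.id ORDER BY a.name""")
    return [r[0] for r in rows]

def consequences(conn, asset_name):
    """(threat, consequence) pairs recorded for attacks on one asset."""
    rows = conn.execute("""SELECT t.name, at.consequence FROM attacks at
        JOIN assets a ON a.id = at.asset_id
        JOIN risks r ON r.id = at.risk_id JOIN threats t ON t.id = r.threat_id
        WHERE a.name = ? ORDER BY t.name""", (asset_name,))
    return list(rows)

def annual_loss(conn):
    """Annual loss expectancy per asset: value * loss_fraction * annual_rate."""
    rows = conn.execute("""SELECT a.name, SUM(a.value * at.loss_fraction * at.annual_rate)
        FROM attacks at JOIN assets a ON a.id = at.asset_id GROUP BY a.name ORDER BY a.name""")
    return {name: ale for name, ale in rows}

def inherited_risk(conn, system_name):
    """Vulnerabilities a system inherits through the components it is built from."""
    rows = conn.execute("""SELECT c.name, v.description FROM assets s
        JOIN system_components sc ON sc.system_id = s.id
        JOIN assets c ON c.id = sc.component_id
        JOIN vulnerabilities v ON v.asset_id = c.id
        WHERE s.name = ? ORDER BY c.name""", (system_name,))
    return list(rows)

def processes_at_risk(conn):
    """Business processes that depend on a component with a known vulnerability."""
    rows = conn.execute("""SELECT DISTINCT p.name FROM business_processes p
        JOIN process_components pc ON pc.process_id = p.id
        JOIN vulnerabilities v ON v.asset_id = pc.component_id ORDER BY p.name""")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(assets_at_risk(db))
    print(annual_loss(db))
    print(inherited_risk(db, "HR portal"))   # risk the new system inherits from the reused front end
```

The `inherited_risk` query is the one the text singles out: because `system_components` lets one component belong to several meta-assets, adding the planned "HR portal" row is enough to see that it inherits the unpatched web framework before the system is built. Loss figures here are the simple value × loss fraction × annual rate product; a real deployment would replace those columns with whatever loss model the organisation's assessments already use.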
Risk assessments tend to be expensive and time-consuming exercises; a risk database allows the process to be optimized and the results to be enhanced.
Management and regulators often have risk-related questions, and having the database available enables those questions to be answered quickly. An important consideration is management's perceptions regarding specific threats, the likelihood of attacks, and risk tolerance. All of this can be integrated into the appropriate tables and will then be available for queries.
Exercising the security team's curiosity through dynamic what-if exploration of attack scenarios and potential damage is an important use of the database as a research tool.
Effective risk management is entirely dependent upon understanding the risks and their consequences; having a knowledge base to support establishing and evolving that understanding is a very useful tool for enabling success.