Risk Decisions

Han Solo, captain of the Millennium Falcon, is trying to decide if he should smuggle two strangers and their droids to the planet Alderaan from the planet Tatooine. He knows that the Empire’s fleet is looking for these strangers, so making the trip could be risky. Since Han is well versed in Information Security risk decision-making, he uses a tiered approach when considering risks, meaning he breaks risks down into high risk, moderate risk, and low risk. The strangers are paying well, but Han values his own well-being and only takes jobs that are low or moderate risk, refusing any work that he deems as high risk. This is Han’s risk appetite, or the amount of risk that is acceptable to him.


 But how does he know what risk level to assign to this trip? First he identifies what threat actors he could encounter during the trip. A threat actor is anyone that could cause harm to the asset needed for this journey: his ship the Millennium Falcon. Since the Empire is searching for these strangers, there is a chance Han will encounter small scout ships known as TIE fighters or large battleships known as Star Destroyers. He also knows that there is a bounty on his own head, meaning there is a chance that he may encounter bounty hunters who have been searching for him.

Now that Han has identified possible threat actors he may encounter, he has to decide if the Falcon has any vulnerabilities, or characteristics able to exploited for these threat actors to achieve their goal of causing harm. Han knows the reflector shields on his ship are limited and taking frequent shots from other ships could blow him out of the sky.

Now that Han knows how he is vulnerable, he needs to decide how much risk each of these threat actors poses to the Falcon. He is going to evaluate the likelihood, or the chance of encountering the threat actor, as well as the impact, the negative result of an encounter with, each of these threat actors. Using this information, he will assign an overall risk to each threat actor.

Han knows that space is littered with TIE fighters and contact with them is almost inevitable. Thus, he assigns a high likelihood to a TIE fighter encounter. These ships are small and lightly armed and will most likely not penetrate the Falcon’s reflector shields before being able to be taken out so Han assigns a low impact to a TIE fighter encounter. High likelihood x low impact = low risk, so a TIE fighter encounter is low risk. (There is a formula for combining likelihood x impact. It is included at the end of the post).

Bounty hunter’s are more rare than TIE fighters, but are not unheard of. Han knows there is a moderate likelihood he will encounter a bounty hunter. Bounty hunter ships are lightly armed with a few special gadgets so an encounter with one would have moderate impact. Moderate likelihood x moderate impact = moderate risk. A bounty hunter encounter is medium risk.

The Empire has a limited supply of Star Destroyers so encountering one is rare. Han assigns the likelihood of encountering one to low. Han knows that Destroyers are ridiculously well armed and capable of blowing up the Falcon in just a few shots. The impact of an encounter is high. Low likelihood x high impact = low risk. A Star Destroyer encounter is low risk.

Because there were no high-risk threats, this job is within Han’s risk appetite and he decides to take the passengers.

Do note, however, this is just based off of overall risk. Han can choose to make the decision that he is most concerned with high likelihood threats, regardless of the impact. This would cause TIE fighters to be of high concern for him. He could also choose to value the highest impact encounters more than anything else, making him most concerned with Star Destroyers. These are all considerations that must be made when making risk decisions.

As Information Security professionals, we have limited resources, limited time, and endless vulnerabilities. Attempting to remedy every single vulnerability and implement controls against every possible threat actor would be nearly impossible and not at all cost effective. Being able to assign a risk rating to the threats we face gives us an idea of which vulnerabilities need our immediate attention, which need to be addressed at some point, and which can be accepted as low enough risk to not be of concern (based on the organization’s risk appetite). This also helps us identify which threat actors are worth noting and implementing controls against and which are too unlikely or too low impact to expend resources on combating. In short, being able to identify and analyze risks allows us to make educated decisions in regards to Information Security strategies.

Details for risk analysis:

For each vulnerability on a system, determine if there is a threat actor that could exploit that vulnerability.

Determine the likelihood that a threat actor could exploit that vulnerability. Then determine the impact that would be caused if the vulnerability were to be exploited.

There is a simple formula for determining overall risk rating:

Likelihood x Impact = Risk Rating

High likelihood receives a value of 1.0, medium a value of .5, and low a value of .1

High impact receives a value of 100, medium a value of 50, and low a value of 10

So for example high likelihood x low impact = 1.0 x 10 = 10.

Risk ratings of 51-100 are high, 11-50 are medium, and 1-10 are low. This means in the above example of 1.0 x 10 = 10 the overall risk rating is low.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s