
9.1 Overview of Process 7

One of the evaluation attributes presented in Chapter 2 was the focus on risk. This attribute requires you to look beyond the immediate consequences (outcome) of the threat to a critical asset and place it in the context of what is important to your organization (impact). Up to this point in OCTAVE, you have collected data that will help you examine the security threats that affect your organization's mission and business objectives. In process 7 the focus shifts to risk identification and analysis.

Process 7 Workshop

The workshop for process 7 includes the core analysis team members as well as supplemental personnel, if needed. Your team, including supplemental members, should have the following skills:

  • Understanding of the organization's business environment

  • Understanding of the organization's information technology environment

  • Good communication skills

  • Good analytical skills

If you decide to supplement the skills of your analysis team, you should consider including people who understand the specific context of your business environment (e.g., people from the legal department, strategic planners, people from the business continuity office, policy managers). Your team needs these skills, because process 7 requires you to examine how threats to critical assets affect the business objectives and mission of your organization.

An experienced analysis team can complete the activities in about 4½ to 6 hours. The activities of process 7 are summarized in Table 9-1.

Table 9-1. Process 7 Activities

Activity: Identify the impact of threats to critical assets
Description: The analysis team defines impact descriptions for threat outcomes (disclosure, modification, loss, destruction, interruption). The impact description is a narrative statement that describes how a threat ultimately affects the organization's mission.

Activity: Create risk evaluation criteria
Description: The analysis team creates evaluation criteria that will be used to evaluate the risks to the organization. Evaluation criteria define what constitutes a high, medium, and low impact.

Activity: Evaluate the impact of threats to critical assets
Description: The combination of a threat and the resulting impact to the organization defines the risk to the organization. The analysis team reviews each risk and assigns it an impact value (high, medium, or low).

Risk

Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event [Rowe 88]. It refers to a situation in which a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.

A risk comprises an event, uncertainty, and a consequence. In information security, the basic event in which we are interested is a threat. Uncertainty is embodied in much of the information you have gathered during the evaluation. The uncertainty concerns whether a threat will develop as well as whether your organization is sufficiently protected against the threat actor. In many risk methodologies, uncertainty is represented using likelihood of occurrence, or probability. As Section 9.3 explains, there is a lack of objective data for certain types of information security threats, making it difficult to use a forecasting approach based on probability. To handle the uncertainty inherent in risk, we propose an analysis technique based on scenario planning.

Finally, the consequence that ultimately matters in information security risk is the resulting impact on the organization due to a threat. Impact describes how the organization would be affected based on the following threat outcomes:

  • Disclosure of a critical asset

  • Modification of a critical asset

  • Loss/destruction of a critical asset

  • Interruption of a critical asset

The outcomes listed above are directly related to assets and describe the effect of the threat on an asset. However, the impact is focused on the organization; it is the direct link back to the organization's mission and business objectives. This chapter shows you how to explicitly identify the risks to your organization's critical assets. We begin looking at risk in the next section, as we present an approach for describing the organizational impact of threats to critical assets.
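The three process 7 activities above (describe the impact of each threat outcome, define evaluation criteria, assign each risk an impact value) can be worked through as a small model. This is an added illustration, not code from the OCTAVE method or from the book; the impact areas (financial loss, downtime, records disclosed) and every threshold figure are constructed assumptions that a real analysis team would replace with its own criteria.

```python
"""Scenario-based impact evaluation in the spirit of OCTAVE process 7.

Added example, not OCTAVE's or the book's own code. The impact areas and the
threshold numbers in CRITERIA are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# The four threat outcomes the chapter lists; impact is rated per outcome.
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
LEVELS = ("low", "medium", "high")  # ordered so max() picks the worst rating


@dataclass(frozen=True)
class Risk:
    """A risk: a threat outcome against a critical asset plus its organizational impact."""
    asset: str
    outcome: str                     # one of OUTCOMES
    impact_description: str          # narrative statement written by the analysis team
    effects: dict = field(default_factory=dict)  # measured effect per impact area (assumed)


# Evaluation criteria: per impact area, the value at which "medium" and "high" begin.
# Constructed thresholds; the team sets these to reflect its own mission and objectives.
CRITERIA = {
    "financial_usd": (10_000, 100_000),
    "downtime_hours": (4, 24),
    "records_disclosed": (100, 10_000),
}


def rate_area(area, value, criteria=CRITERIA):
    """Map one measured effect onto low/medium/high using that area's thresholds."""
    if area not in criteria:
        raise KeyError(f"no evaluation criteria defined for impact area {area!r}")
    medium_at, high_at = criteria[area]
    if value >= high_at:
        return "high"
    if value >= medium_at:
        return "medium"
    return "low"


def evaluate_impact(risk, criteria=CRITERIA):
    """Assign a single impact value: the worst rating across all affected impact areas.

    Returns None when the team has not yet described any measurable effect, so an
    unevaluated risk is never silently recorded as "low".
    """
    if risk.outcome not in OUTCOMES:
        raise ValueError(f"{risk.outcome!r} is not one of the threat outcomes {OUTCOMES}")
    if not risk.effects:
        return None
    ratings = [rate_area(area, value, criteria) for area, value in risk.effects.items()]
    return max(ratings, key=LEVELS.index)
```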
