Risk management

Our experienced security specialists help you identify, prioritize and manage risks for your systems, processes, networks or information.

By managing your risks in an organized and standardized way, you can both minimize the likelihood of incidents of various kinds and limit their potential consequences in advance, and be ready to handle the unexpected and unwanted situations that may arise.

Service description

The service includes a set of workshops to identify and classify assets, identify and describe threats and vulnerabilities, document the associated risks, and identify and plan measures to mitigate both risk and consequence.

Our experienced cybersecurity consultants can act in different roles for these workshops, to lead or support the process in all steps to the extent required, to ensure that your risk management is adequate.

You can choose to use your own models, risk scales, security level definitions and prioritization systems, or let us help you develop suitable ones, based on industry standards and what suits your particular organization.

General Method

Threats arise continuously, so risk management must be an iterative process whose methods and results are carefully documented. In general, risks are managed in three steps (which in turn are often broken down into sub-steps):

  • Risk analysis

  • Action planning

  • Decisions and documentation

All steps can and should be carried out as group workshops. It is of great importance for efficiency that these groups include the right people. The group must include individuals with technical and organizational knowledge of the object in question, but at the same time it must be taken into account that a smaller group is often significantly more time-efficient. Too small a group of participants runs the risk of lacking relevant skills or knowledge, and limiting the opportunity for valuable discussion. An excessively large group instead risks leading to a very inefficient assessment process, in which the opinions and views of too many individuals must be taken into account.

Definitions:

  • Threat / Risk - An event with a negative impact (if it occurs)

  • Probability - The probability that a threat is realized

  • Consequence - Result of a realized threat

  • Risk value - A value assigned to a risk to enable prioritization

  • Object / Review object - The system, process or body of information that the risks in question concern

Risk assessment

During the risk assessment, risks must be identified and assessed. This involves formally noting the risks and threats that can be observed against the system, assessing their consequences and the probability that they will occur, and then prioritizing them using a calculated risk value. The risk value R = P*C is often used, where P and C are the assessed probability and consequence, normally on a scale of 1–4 or 1–5.

It is of great importance that the scale is well defined and understood by all participants, and that it is consistent across the risk assessments of different objects. The scale should always be anchored in the business as a whole, rather than in the system or process being analyzed. A risk that is catastrophic for a specific system does not have to be catastrophic for the business as a whole.

Action Planning, Decisions & Documentation

The management of risks consists of identifying security measures that can be implemented either to prevent the risk from occurring or to minimize its consequences. Each identified risk can be expected to have several potential actions, with different expected effects and different expected costs.

An assessment must be made of the cost of the measures against the value of the reduced probability or consequence of the risk.

All decisions must be justified and documented, in particular for risks that are not addressed (so-called "accepted risks").
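The three steps above (risk value R = P*C, cost-weighed action planning, and documented decisions for accepted risks) as a small risk register, added here as an illustration and not part of the original service description. The 1–5 scale, the acceptance threshold `accept_below`, the sample risks and their costs are all constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # shared 1-5 scale for P and C (assumed; the method allows 1-4 or 1-5)
@dataclass
class Action:
    name: str
    cost: int             # constructed cost units
    new_probability: int  # P once the measure is in place
    new_consequence: int  # C once the measure is in place

@dataclass
class Risk:
    name: str
    probability: int
    consequence: int
    actions: list[Action] = field(default_factory=list)

    def value(self) -> int:
        """R = P*C; both factors must lie on the agreed scale."""
        if self.probability not in SCALE or self.consequence not in SCALE:
            raise ValueError(f"{self.name}: P and C must be on the 1-5 scale")
        return self.probability * self.consequence

def prioritize(risks):
    # Descending R, ties broken by consequence (business impact first)
    return sorted(risks, key=lambda r: (r.value(), r.consequence), reverse=True)

def best_action(risk):
    """Action with the largest reduction of R per cost unit, or None if none helps."""
    options = []
    for a in risk.actions:
        residual = a.new_probability * a.new_consequence
        if residual < risk.value():
            options.append(((risk.value() - residual) / a.cost, a.name, residual))
    return max(options) if options else None
def plan(risks, accept_below=4):
    """One decision record per risk; untreated risks are accepted and need a justification."""
    decisions = []
    for r in prioritize(risks):
        choice = None if r.value() < accept_below else best_action(r)
        _, action, residual = choice or (0, None, r.value())
        decisions.append({"risk": r.name, "R": r.value(), "action": action, "residual": residual,
                          "decision": "treat" if action else "accept",
                          "justification": None if action else "REQUIRED"})
    return decisions
# Constructed sample register (not from the page); costs are arbitrary units
SAMPLE_RISKS = [
    Risk("Ransomware on file server", 3, 5, [Action("Offline backups", 20, 3, 2), Action("EDR rollout", 50, 1, 5)]),
    Risk("Laptop theft", 2, 2, [Action("Full-disk encryption", 5, 2, 1)]),
    Risk("Legacy app outage", 4, 3),
]
```

Running `plan(SAMPLE_RISKS)` lists the register in priority order and flags the untreated "Legacy app outage" (R = 12) as an accepted risk whose justification still has to be written down.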

Interested in our Risk Management Service?