Security Awareness For Dummies. Ira Winkler
The risk formula
Risk is what your organization has to lose. Depending on your industry, risk can be a probability or a value.
To better understand how risk is defined, consider the relationship among the terms of the following formula, which I call the risk formula.
As shown in the formula, Risk is the value you have to lose times the probability that loss will occur — which makes intuitive sense. For example, if your organization has a value of $100 million and the probability of loss is 75 percent, your risk is $75 million.
Value is essentially what you have to lose. The probability that you will lose that value is a function of your Threats combined with the Vulnerabilities that allow the Threats to exploit you. If you have no threat, you have no risk. If you have no vulnerabilities, you have no risk. The reality is that you always have threats and vulnerabilities, so unless you have no value, which is inconceivable, you have risk.
When you consider the formula, the only thing offsetting your risk is Countermeasures. Your countermeasures mitigate threats or, more commonly, the vulnerabilities that threats exploit (see the later section “Countermeasures”). You won’t mitigate value, because you don’t want your security program decreasing the value of your organization.
For a more thorough discussion of risk, see my book You Can Stop Stupid (Wiley, 2021), which covers the subject in detail.
Value
Value is what your organization considers an asset. It can be a monetary asset, a reputational value, an intangible value (such as morale), or an operational efficiency, for example. It doesn’t have to equate to money specifically, but there will be a distinct asset that your organization wants to protect.
From an awareness perspective, you have to clearly identify your organization’s assets so that your user population knows what they need to protect. Knowing what is at stake is one of the motivators you can promote to your users to make them more likely to enact the desired behaviors.
Threat
Threat is essentially the Who or What that can cause harm, if given the opportunity. Most people think of threats as malicious people, and they clearly are threats. However, your awareness program is useful only if you believe that providing guidance to well-meaning users is valuable. And it is valuable, because well-meaning users are the more prominent threat. These people lack malicious intent but take actions that are nonetheless harmful because of ignorance, carelessness, or human error, all of which can be reduced by way of awareness. Well-meaning users cause far more loss in aggregate than malicious actors do. Individual incidents can be significant, but more frequently the losses involve many small-but-frequent incidents that add up. For example, compromised credentials and lost devices result in losses that aren’t significant individually. In aggregate, however, they add up to major losses.
Do you remember the old term “death by a thousand cuts,” which refers to many small and seemingly inconsequential losses adding up to a major incident? It’s easy to ignore the small losses, but preventing small losses can frequently save an organization more money than preventing a large incident. When you create a security awareness program, you must consider all threats and determine whether the frequency of a small loss becomes worthy of expending limited awareness resources (Chapter 8 discusses this process in greater detail).
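As an added worked example that is not code from the book, the following Python applies the risk formula (value you have to lose times the probability of loss) to several loss scenarios at once, rather than to the single $100 million case above, and then compares two countermeasure options. It expresses probability as an expected number of incidents per year, so each result reads as an expected annual loss; all scenario names, dollar figures, frequencies and the assumed 30 percent and 50 percent reductions are constructed for illustration. The comparison shows the “death by a thousand cuts” point quantitatively: a modest reduction in frequent small losses can be worth more than a large reduction in the rare major incident.

```python
"""Worked example of the risk formula across several loss scenarios.

Added illustration, not code from the book. Risk for one scenario is modelled
as value_at_risk * probability, where probability is expressed as the expected
number of incidents per year, so each result reads as an expected annual loss.
All scenario names, dollar figures and frequencies below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    value_at_risk: float     # dollars lost per incident (the Value term)
    annual_frequency: float  # expected incidents per year (Threat x Vulnerability)


def expected_annual_loss(s: Scenario) -> float:
    """Risk = value you have to lose x probability that the loss occurs."""
    return s.value_at_risk * s.annual_frequency


def aggregate(scenarios) -> float:
    """Total expected annual loss over a set of scenarios."""
    return sum(expected_annual_loss(s) for s in scenarios)


def rank(scenarios):
    """Scenarios ordered from largest to smallest expected annual loss."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


def residual_risk(s: Scenario, frequency_reduction: float) -> float:
    """Risk after a countermeasure that cuts how often the incident happens.

    Countermeasures act on the threat/vulnerability side, never on value:
    the loss per incident is unchanged, only its frequency drops.
    """
    if not 0.0 <= frequency_reduction <= 1.0:
        raise ValueError("frequency_reduction must be between 0 and 1")
    return s.value_at_risk * s.annual_frequency * (1.0 - frequency_reduction)


def savings(scenarios, reductions) -> float:
    """Expected annual loss avoided by applying per-scenario frequency reductions."""
    return sum(
        expected_annual_loss(s) - residual_risk(s, reductions.get(s.name, 0.0))
        for s in scenarios
    )


# Constructed figures: one rare large incident and three small-but-frequent ones.
SCENARIOS = [
    Scenario("ransomware outbreak (major incident)", 5_000_000, 0.1),
    Scenario("phishing-compromised credential", 2_500, 400),
    Scenario("lost or stolen laptop", 4_000, 60),
    Scenario("misdirected email with customer data", 1_500, 250),
]

# Assumed effect of an awareness program: 30 percent fewer of each
# user-driven incident. Compared against a technical control assumed to
# halve the frequency of the major incident. Both percentages are assumptions.
AWARENESS_REDUCTIONS = {
    "phishing-compromised credential": 0.30,
    "lost or stolen laptop": 0.30,
    "misdirected email with customer data": 0.30,
}
MAJOR_INCIDENT_CONTROL = {"ransomware outbreak (major incident)": 0.50}


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.name:40s} ${expected_annual_loss(s):>12,.0f}/year")
    print(f"major incident alone:         ${aggregate(SCENARIOS[:1]):>12,.0f}/year")
    print(f"small incidents combined:     ${aggregate(SCENARIOS[1:]):>12,.0f}/year")
    print(f"awareness program saves:      ${savings(SCENARIOS, AWARENESS_REDUCTIONS):>12,.0f}/year")
    print(f"major-incident control saves: ${savings(SCENARIOS, MAJOR_INCIDENT_CONTROL):>12,.0f}/year")
```

With these constructed numbers the three small scenarios total $1,615,000 a year against $500,000 for the major incident, and the awareness program avoids $484,500 a year versus $250,000 for the control aimed at the major incident. The figures are illustrative; the structure is what matters when deciding where limited awareness resources go.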
DEALING WITH NATURAL DISASTERS
Non-human threats are events such as hurricanes, earthquakes, floods, and power outages. At the time I wrote this chapter, fires were ravaging California while two hurricanes bore down on the US Gulf Coast. These disasters will cost organizations billions of dollars. Even organizations not directly affected by such disasters suffer, at a minimum, increased gasoline prices, which result in increased shipping costs.
Just as well-meaning people cause more damage than malicious actors, some natural threats result in more damage than most people can imagine. Many of these events are relatively small and localized, but more than enough are massive and have disastrous effects.
You probably can’t provide any awareness of value regarding the existence of natural disasters, but you can use these occurrences to motivate people to implement basic countermeasures. For example, data backups and the use of uninterruptible power supplies are critical to mitigate the damage from natural disasters.
Vulnerabilities
Vulnerabilities are an organization’s weaknesses — they allow a threat to exploit your organization. Someone may want to harm your organization, but they can’t act on their intentions unless you provide vulnerabilities that they can exploit. Awareness is a countermeasure that addresses relevant vulnerabilities.
Here are the categories of vulnerabilities as I identify them:
Technical vulnerabilities: Weaknesses in technology that a threat can exploit to cause loss.
Physical vulnerabilities: Allow physical access or otherwise allow for damage of physical resources to occur. For example, you can spill water on your computer and cause damage, or someone can walk into your office and steal the computer.
Personnel vulnerabilities: Involved in the hiring, retention, and separation of people. For example, you might hire people who are incapable of performing the job, or who may be criminals. Similarly, if you don’t have the right legal documents in place, you’re placing your organization at risk. Personnel vulnerabilities can involve direct employees or anyone with access to your information. Edward Snowden, for example, was not an NSA employee but rather an employee of Booz Allen Hamilton, a contractor to the NSA. His access allowed him to steal classified information and download it onto USB drives that he carried out of the NSA facility.
Operational vulnerabilities: Involve weaknesses in how processes are designed and implemented. Do people do things that are secure or insecure? Are processes inherently secure or insecure? For example, some companies have posted too much information on their websites. The now infamous Twitter hack of July 2020 involved a wide variety of operational weaknesses: too many employees had access to the administrator tools, employees gave up their credentials, and it took only a single employee to reset passwords on accounts with more than 100 million followers, among a variety of other weaknesses.
Awareness is useful for addressing all categories of vulnerabilities. Awareness can help people know how to secure their technology and counter technical vulnerabilities. Awareness teaches people how to use and enforce physical protections. Awareness highlights operational procedures to implement policies and otherwise behave.
Countermeasures
In the risk formula (see the earlier section “The risk formula”), countermeasures are what you do or implement to mitigate threats or vulnerabilities. Most organizations cannot mitigate threats, however. Unless you’re a nation-state, you cannot