Risk management is a term of art used to describe complex activities where an institution identifies and assesses its risks and then creates a plan for addressing those risks. While information security practitioners use risk management practices to address information security risks, risk management practices can be applied to address any institutional activity that introduces some sort of business uncertainty.
At its most basic, risk management involves four steps:
- Identification: inventory the assets and business processes in scope, and the threats and vulnerabilities that affect them.
- Assessment: rate the probability and impact of each threat exploiting each vulnerability, and rank the resulting risks.
- Response: decide for each risk whether to avoid, mitigate, transfer, or accept it, and plan the controls that follow from that decision.
- Monitoring: revisit the risks and the chosen responses as technology, operations, and business conditions change.
Risk management is not a “one and done” activity. It must be done as part of a continual institutional process to make sure that changing circumstances, processes, and technology don’t introduce new risk into institutional activities.
Every good higher education information security program relies heavily on risk management practices. These practices are used to identify the assets the institution must protect, understand the threats and vulnerabilities to those assets, and create a plan for protecting those assets so that the institution can best meet its primary goals like teaching, research, and community outreach. Almost every discipline uses risk management to identify and prioritize risks. Information security risk management is a major subset of the enterprise risk management process, which includes both the assessment of information security risks to the institution, as well as the determination of appropriate management actions and established priorities for managing and implementing controls to protect against those risks.
This chapter is not meant to be an all-inclusive guide to all things risk management. There are many excellent resources available to help you learn risk management fundamentals. This chapter focuses on information security risk management from an institutional perspective to help “fill in the gap” between industry resources and information security risk management practices in higher education.
There are a number of good industry references for effective information security risk management programs, including the NIST Risk Management Framework (NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy) and ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management. In addition, a number of risk management frameworks exist that are not information security specific, but nonetheless are quite usable. These frameworks can be excellent building blocks to consider in developing your information security risk management capability. This chapter supplements such resources by providing a high-level overview of information security risk management activities from an institutional perspective, a list of recommended tools for information security risk management activities, links to example practices at selected institutions, and other helpful guidance.
- Learn more about security risk management in the EDUCAUSE Library.
Basic Risk Management Terminology
Risk management is made up of all the ongoing and coordinated activities to direct and control how an institution responds to the risks that it faces. The Glossary section of this Guide contains resources that will provide more depth on risk management terms, but these are the terms that you really need to know as you get started with information security risk management activities:
- Risk: The chance, or probability, that a threat can exploit a vulnerability and cause damage.
- Risk assessment: A process for identifying, assessing, and prioritizing a response to institutional risks. The assessment results guide the determination of appropriate management action and priorities for managing information security risks and for implementing controls to protect against these risks.
- Risk appetite: The amount of risk that an institution is willing to accept as a cost of “doing business.”
- Threat: Any intentional or unintentional danger that takes advantage of a vulnerability.
- Vulnerability: A weakness or flaw in a process (automated or manual) or in an IT system.
- Risk response: How an institution chooses to respond to a risk. Usually the institution can accept, avoid, mitigate, or transfer the risk. Whatever response is chosen, some risk is always left over (called residual risk).
Types of Risk Assessments
You should also know that there are two main types of risk assessments: quantitative and qualitative. Quantitative risk assessments attempt to assign a monetary value to the assets being assessed, a monetary cost to the impact of an adverse event, and percentages to the frequency of threats and the likelihood of events. Qualitative risk assessments, on the other hand, are scenario driven and do not attempt to assign a monetary value to the assets being assessed, or to the impact of an adverse event. They aim to rank the impacts of threats and criticality of assets into categories such as low, medium, and high.
Both types of risk assessments have their place in an information security program. The table below summarizes some of the pros and cons of each type of assessment in a higher education environment:
| Assessment type | Pros | Cons |
|---|---|---|
| Quantitative Risk Assessment | Allows risks to be expressed in monetary terms. Facilitates cost-benefit analysis during selection of mitigating controls. | It is very difficult (sometimes impossible) to assign a dollar value to the assets being assessed and to the impact of every type of threat on those assets. Requires substantial time and staff resources. The final risk values and costs are only as good as the underlying data. Results may be imprecise and confusing. |
| Qualitative Risk Assessment | Allows risks to be ordered by priority. Does not require substantial time and staff resources. Can identify areas of greater risk quickly and without significant expense. | Results are approximate and subjective. Does not express probabilities or results in monetary measures. Cost-benefit analysis during selection of mitigating controls is subjective. |
Many of the risk assessment examples that you will find in this chapter are qualitative risk assessments. There are a number of reasons for that, not the least of which is the time and effort required to complete a quantitative risk assessment. In addition, many institutions simply do not have a good sense of the monetary value of their assets (both in terms of cost and utility to the institution). As a result, qualitative risk assessments are the more common choice in higher education.
For more reading, here are a few well-known risk management frameworks that you may use for information security risk assessments.
- ISO/IEC 27005:2018, Information technology — Security techniques — Information security risk management
- NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
Basic Risk Management Activities
This section briefly outlines the steps to follow in planning and conducting a qualitative risk assessment, aligned according to the four basic steps (identification, assessment, response, monitoring).
Getting Ready and Assembling Your Team
Some institutions have policies that require information security assessments. In addition, some state and federal laws require a risk assessment and specify its scope. For example, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a risk analysis to protect electronic protected health information (ePHI) and defines its scope as the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI that the covered entity creates, receives, maintains, or transmits.
It is very important to carefully consider the scope of your risk assessment. Risk assessments that are too large in scope can become unwieldy, resource intensive, and difficult to finish. One way to make sure that you scope your assessment properly is by inventorying your IT assets and the business processes that rely on those assets (don’t forget personnel, data, hardware and software, and physical facilities in your inventory). Risk assessment scope can often be defined/refined by how information is accessed, processed, and/or transmitted in business processes. They can also often be scoped according to specific technical components such as software, hardware, databases, and network technology. Regardless of how you define scope, having a correct and current asset inventory will be invaluable.
You will also want to consider forming a team to conduct the assessment. Even when a risk assessment focuses on IT or cybersecurity, the importance of including non-IT people on the team cannot be stressed enough. It is important for the risk assessment team to represent all end users who take part in a particular business process or workflow, or use a particular IT system. As you form your risk assessment team, consider members from the following areas:
- Business units (administrative or academic)
- IT units (administrative or academic)
- Information security managers
- Executive management
Once you have assembled your team and determined the scope of the assessment, the next step is to get to work! First you will want to determine your vulnerabilities and threats. Vulnerabilities are weaknesses in your IT systems or processes that rely on those systems. Threats are any dangers that could take advantage of a vulnerability. For example, if your data center is located in a flood plain, that is a vulnerability. A threat would be large amounts of rainfall that flood the geographic area and render the data center inoperable.
Vulnerabilities fall into four main categories:
- Human (both intentional and unintentional actions)
- Process (lack of regular business continuity plans, poor hiring practices)
- Technology (susceptibility to environmental threats, insecure network design)
- Facility (unreliable power sources, poor geographic location, etc.)
Similarly, threats fall into four main categories:
- Human (both intentional and unintentional actions)
- Natural (floods, tornados, earthquakes, etc.)
- Technical and operational (equipment malfunction, process breakdowns, capacity saturation, etc.)
- Physical and environmental (loss of power, air conditioning)
As you discuss threats and vulnerabilities at this stage, it is also a good idea to document the controls or safeguards that you already have in place to protect against those threats and vulnerabilities. This will come in handy later.
The next step is the actual assessment. The goal of the risk assessment is to set you up for prioritizing your response to institutional risks. Essentially the assessment results serve as your guide for how to address the risks that you identified.
Remember that a risk is the likelihood that a threat will exploit a vulnerability and cause some sort of impact. Most qualitative risk assessments therefore rate each risk on two dimensions: probability (the likelihood of the event happening at the institution within a prescribed period) and impact (the severity of the undesirable effect the event would have on the institution).
Probability and impact can be scored on any scale. Some assessments use a low-medium-high scale and assign scores of 1, 2, and 3 to the three levels. The table below shows an example of low-medium-high qualitative scoring.
| Score | Level | Probability | Impact |
|---|---|---|---|
| 1 | Low | Events that are unlikely to happen within a year. | Little or no effect on the institution; low costs/reputational damage. |
| 2 | Medium | Events that are somewhat likely to happen within a year. | Moderate effect on the institution; moderate costs/reputational damage. |
| 3 | High | Events that are likely to happen within a year. | Significant effect on the institution; severe costs/reputational damage. |
Then the probability and impact scores are multiplied (risk = probability x impact) to create a risk score between 1 and 9. The table below shows an example of a risk matrix using the scoring methodology shown above. Higher scores indicate a larger risk.

| Probability \ Impact | 1 (Low) | 2 (Medium) | 3 (High) |
|---|---|---|---|
| 3 (High) | Score = 3 | Score = 6 | Score = 9 |
| 2 (Medium) | Score = 2 | Score = 4 | Score = 6 |
| 1 (Low) | Very Minor Risk (Score = 1) | Score = 2 | Score = 3 |
As institutions consider how to address their information security risk, those items with a higher risk score should usually be addressed before items with a lower risk score (as institutional resources and capability permit).
- The EDUCAUSE IT Risk Register includes a template for a qualitative risk assessment using a similar scoring scheme.
Risk response is how an institution chooses to respond to its identified risks. Executive management, in consultation with IT and business units, usually determines the institution’s risk response. There are four basic risk responses:
- Avoidance: The institution adopts controls to try to eliminate an identified risk.
- Mitigation: The institution adopts controls to partially eliminate or reduce an identified risk.
- Transfer: The institution passes its risk to another entity (e.g., purchasing cyber liability insurance is a common way of transferring risk).
- Acceptance: The institution intentionally and affirmatively takes no action against a potential risk. An institution may pursue this strategy when the cost of mitigating or transferring a risk is more than the anticipated loss of the risk actually occurring.
- Learn more about cyber liability insurance with this EDUCAUSE FAQ.
During this phase you will want to also evaluate the controls that you currently have in place and identify any gaps. Most institutions have already implemented numerous countermeasures to address security threats. When gaps in those controls are identified, there are two possible courses of action. If there are additional controls that are feasible and can be implemented in a reasonable time, then recommendations for addressing those gaps are developed (a risk avoidance or mitigation response). Otherwise, executive management must consider accepting or transferring the risk exposure.
You may want to consider developing an action plan at this point to review institutional risks, their severity level, and the proposed institutional response. The action plan will prioritize your actions in response to the risk assessment and may contain the following information:
- Selected controls (determined on the basis of feasibility, effectiveness, benefit to the institution, and cost)
- Required resources for implementing the selected controls
- Responsible party
- Start date for implementation
- Target completion date for implementation
- Operations and maintenance requirements
One thing to keep in mind as you finish your risk assessment and response action plan is the concept of residual risk. Residual risk is the risk remaining after the implementation of the selected controls. In practice, no information technology system or business process involving information handling is risk-free, and even with additional controls, it may not be possible to completely mitigate levels of risk. This is a normal condition. You may wish to make note of the residual risk in your action plan for documentation purposes so that it can be reviewed from time to time and make sure it is still acceptable to the institution.
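The scoring, ranking, response, and residual-risk steps described above, as an added Python example (this is not code from the EDUCAUSE guide or from any institution's own tool). The 1-3 Low/Medium/High scale and the probability x impact score are the chapter's; the register entries, control names, and the risk-appetite threshold are constructed for illustration.

```python
"""Qualitative risk scoring, prioritization and residual-risk tracking.

Added example, not part of the EDUCAUSE guide. The scale and the
probability x impact formula follow the chapter; the register entries in
sample_register() and the controls in worked_example() are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# 1 = Low, 2 = Medium, 3 = High, as in the chapter's scoring table.
LEVELS = {1: "Low", 2: "Medium", 3: "High"}
RESPONSES = {"avoid", "mitigate", "transfer", "accept"}


def risk_score(probability: int, impact: int) -> int:
    """Risk score = probability x impact; both inputs must be on the 1-3 scale."""
    for value in (probability, impact):
        if value not in LEVELS:
            raise ValueError(f"{value} is not on the 1-3 scale")
    return probability * impact


def risk_matrix() -> list[list[int]]:
    """The chapter's 3x3 matrix: rows are probability 3..1, columns are impact 1..3."""
    return [[risk_score(p, i) for i in (1, 2, 3)] for p in (3, 2, 1)]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    probability: int
    impact: int
    # Filled in during the response phase.
    response: Optional[str] = None
    control: Optional[str] = None
    residual_probability: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        """Score before any new control is applied."""
        return risk_score(self.probability, self.impact)

    @property
    def residual(self) -> int:
        """Score after the selected control; equals inherent if no rating changed."""
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return risk_score(p, i)


def respond(risk: Risk, response: str, control: Optional[str] = None,
            residual_probability: Optional[int] = None,
            residual_impact: Optional[int] = None) -> Risk:
    """Record the institution's response and the expected residual ratings.

    Avoidance and mitigation must actually lower the score; a "control" that
    changes neither rating is really acceptance and is rejected here so the
    register does not overstate what was done. Acceptance keeps the ratings.
    """
    if response not in RESPONSES:
        raise ValueError(f"unknown response {response!r}")
    if response == "accept":
        residual_probability = residual_impact = None
    risk.response, risk.control = response, control
    risk.residual_probability, risk.residual_impact = residual_probability, residual_impact
    if response in ("avoid", "mitigate") and risk.residual >= risk.inherent:
        raise ValueError(f"{response} response for {risk.asset!r} does not reduce the score")
    return risk


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest inherent score first; ties go to the higher-impact item."""
    return sorted(register, key=lambda r: (r.inherent, r.impact), reverse=True)


def above_appetite(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose residual score still exceeds the stated risk appetite."""
    return [r for r in register if r.residual > appetite]


def sample_register() -> list[Risk]:
    """Constructed entries; the flood-plain item is the chapter's own example."""
    return [
        Risk("Data center", "Regional flooding", "Building is in a flood plain", 1, 3),
        Risk("Student information system", "Credential phishing", "No MFA on admin accounts", 3, 3),
        Risk("Departmental file share", "Ransomware", "Backups never test-restored", 2, 3),
        Risk("Lab printer", "Hardware failure", "Single unit, no spare", 2, 1),
    ]


def worked_example() -> list[Risk]:
    """Score, rank and respond to the sample register; returns it in priority order."""
    register = prioritize(sample_register())
    by_asset = {r.asset: r for r in register}
    respond(by_asset["Student information system"], "mitigate", "Enforce MFA for admins",
            residual_probability=1)
    respond(by_asset["Departmental file share"], "mitigate", "Quarterly restore tests",
            residual_impact=2)
    respond(by_asset["Data center"], "transfer", "Flood coverage in property insurance")
    respond(by_asset["Lab printer"], "accept")
    return register


if __name__ == "__main__":
    register = worked_example()
    for r in register:
        print(f"{r.inherent:>2} -> {r.residual:>2}  {r.asset:<28} {r.response:<8} {r.control or '-'}")
    print("still above appetite:", [r.asset for r in above_appetite(register, 3)])
```

The check in `respond` is the part worth keeping in a real register: a mitigation that does not move either rating is acceptance by another name, and listing it as a control hides residual risk from the periodic review the chapter recommends. Comparing `residual` against the institution's appetite is then a one-line query over the register.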
A risk assessment is not merely a project or one-time event. Continuous monitoring refers to the actions that an institution must take to continuously assess and address its risk. Since technology, operating, and business conditions change rapidly, monitoring is a key part of any risk assessment process. Institutions must always be mindful of the changing nature of the risks they face and must be willing to change their risk response as those circumstances change.
Risk Management resources in the Information Security Guide
- Cyber Insurance (EDUCAUSE Library)
- Higher Education Cloud Vendor Assessment Tool (HECVAT)
- IT Risk Register
- Risk Management (EDUCAUSE Library)
- Security Risk Management (EDUCAUSE Library)
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations
PCI DSS v3.2.1, the Payment Card Industry Data Security Standard, which requires a formal, at least annual risk assessment process (Requirement 12.2)
45 CFR 164.308(a), the HIPAA Security Rule administrative safeguards, which include the required risk analysis (164.308(a)(1)(ii)(A))
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).