06. Risk Statements
ND545 C4 L3 04 Risk Statements
Now that you understand what risk is, it's important to understand how we express risk. Expressing risk carefully helps guide you and the organization as to what is actually being assessed. Take, for instance, a firewall, or rather not having a firewall. It's easy to jump to the conclusion that not having a firewall is a risk. We know that organizations require firewalls to keep bad traffic out of their networks. But not having a firewall is not a risk in and of itself.
Risk statements should be:
- Concise
- Specific
- Focused on an action that is or is not being performed
The Department of Defense published a Risk, Issue, and Opportunity Management guide in 2017 that defined a proper risk statement. It says:
“The risk statement contains the potential event or condition, the consequences and, if known, the cause of the event.”
Looking back at our example of not having a firewall, does that meet the Department of Defense (DoD) definition? No. It doesn't express any consequence and is not really specific to an event.
But what if we said, "Firewalls are not configured to block unnecessary inbound traffic, which may allow attackers to gain access to internal resources unnoticed." This is certainly closer to the DoD definition. It states a condition (that firewalls are not configured to block unnecessary inbound traffic) and the consequence (that attackers gain access to internal resources unnoticed).
The idea is that risk managers should be weighing existing security controls against specific anticipated risks and helping the organization decide on a course of action should the controls not mitigate the risk appropriately. We'll discuss additional parts of the risk management process throughout this lesson.
For now, let's turn our attention to Risk Management Frameworks. The term can be somewhat confusing, as it has a couple of meanings. "Risk Management Framework" might mean the process your organization uses to ensure risk management is ingrained in the organization, or the concepts the organization follows; or it might mean the actual documentation you use to perform a risk assessment. We'll now turn to a couple of examples of the former.