During last weeks we have seen all kinds of analyses and theories around Covid-19. However probably many may have not realized that we can apply the methodology of risk analysis, a methodology so well-known by us hackers and by those professionals working in the field of cybersecurity. In the first season of our webinars #11PathsTalks we already discussed this topic, especially because of the importance of understanding this process in order to perform an appropriate technological risk management within our companies, but also to understand well how to face the new cyberthreats.
This process is increasingly recognized within the industry, there are many methodologies, ISO (ISO 27005) and it’s increasingly required in international certification processes, such as the case of PCI DSS that includes it as a requirement in the process of Ethical Hacking.
The current situation of confinement, quarantine, tension, overexposure to information, the challenge of proper time management at home, etc. have increased my levels of paranoia and scepticism so I question everything twice over.
Among those issues, and discussing with colleagues and non-colleagues, I realized that most of them found it difficult to understand how to protect themselves in an adequate way to face this new COVID-19 pandemic. Also, I realized in the weekly call with my CSA colleagues about the many analogies present in the risk analysis process that we regularly perform (I hope) to analyze the risks present within our organization.
Qualitative Risk Analysis Applied to COVID-19
Risk (Macmillan Dictionary):
1. The possibility that something unpleasant or dangerous might happen.
Risk analysis is a process that seeks to identify the security risk of an asset, determining its probability of occurrence, its impact on the business and the controls that mitigate the impact (or the probability of occurrence).
Approach based on: Probability – Impact
As we would do traditionally, but in this case focusing only on COVID-19 as the threat we wish to analyze. We will identify the asset(s) that could be affected by such threat; the vulnerabilities that could allow that threat to affect the asset; the probability of occurrence of that threat (considering the vulnerabilities) affecting the asset, and the impact associated with that threat (through vulnerabilities) affecting the asset. As always, one of the objectives is to define which controls minimize the probability of occurrence or impact. Let’s see the general context:
- Threat: Event that can adversely affect the confidentiality, integrity or availability of information assets. In this case it is an event that can affect our health (integrity), the COVID-19.
- Asset: Anything of value to the organization. In our case, the asset to be protected is the people.
- Vulnerability: A weakness that makes it easier the materialization of a threat. In our case they would be:
- Being over 80 years old
- Being in poor health or physical condition
- Suffering from chronic diseases
- Having special needs (disability)
- Having bad habits (not washing hands, coughing without covering mouth)
- Not following the recommendations (mask, quarantine)
- Probability of risk: Frequency with which the risk could occur in a given period of time. Levels of probability of occurrence (of infection in this case):
- Impact: Consequences if a particular asset is affected in terms of confidentiality, integrity or availability. In our case they are the consequences that would occur if an asset (person)’s health is affected. Potential impact:
- Low: to be infected with COVID-19 and have no after-effects.
- Medium: to be infected with COVID-19 and have after-effects.
- High: to die from COVID-19.
Simplified Risk Analysis Matrix – COVID-19 – Inherent Risk
Absolute or inherent risk is the risk that does not consider controls.
Simplified Risk Analysis Matrix – COVID-19 – Residual Risk
The residual risk is the risk resulting from the application of controls.
Risk Analysis Result
Results of the Risk Analysis to COVID-19 – Inherent Risk
Results of the Risk Analysis to COVID-19 – Residual Risk
As it can be seen, the process of risk analysis aims to identify and apply controls to reduce the probability of occurrence or the associated impact, or both at best.
Figure 3 shows that the risks are all at medium and high levels, so they must be managed by applying the controls identified. This way, Figure 4 shows how control application decreased the probability of occurrence or associated impact and thus risks decreased.
The most important point to understand in this case of COVID-19 is that by applying all these controls or expert recommendations we are not killing the virus, just decreasing its probability of infection. However, by applying these recommendations we are also decreasing the impact: if we don’t get infected, we are not at risk of dying from the virus (highest impact of this threat).