Whether a risk assessment is qualitative or quantitative, estimating “control strength” is an important part of calculating overall risk. To improve consistency and to decrease subjectivity in estimating control strength, I am providing some examples of how to estimate it in this article.
What is a Control and Control Strength?
A “control” is something that reduces the potential for a loss. Controls can be implemented in many forms: a technical control (e.g. a firewall), a process control (e.g. a change management process), an administrative control (e.g. a visitor log), or in some cases a person (e.g. a security guard).
Simply put, control strength is the ability of a control to resist attacks by threat actors, resist compromise, and protect an asset’s confidentiality, integrity and availability.
Categorizing Control Strength
Control strength can be categorized into different levels. Using five levels is very common. Following is one way to describe these levels, but there are other ways to do so.
- Very High (VH) – The control will protect against even the most capable threats
- High (H) – The control will protect against the majority of threats
- Moderate (M) – The control protects against average threats
- Low (L) – The control protects only against very low-level attacks
- Very Low (VL) – The control is not effective at all and would rarely protect against any threat
Having these categories at hand, a risk analyst can determine control strength during the process of risk analysis in a more consistent manner.
Estimating Control Strength
Risk analysts need to make an estimate of control strength during the risk assessment process. This estimate could be based upon data (which is difficult to acquire in the information security field) or upon the experience and knowledge of the analyst. Following are some examples of how to estimate control strength in different scenarios. They are intended for education purposes.
Scenario 1 – Protecting data in a web application with help of user authentication and making it available to only authorized users.
Following can be one way of estimating control strength levels:
- Very High (VH) – A user has to use a combination of username and password along with a second authentication factor. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. The user is notified via email when a password change occurs.
- High (H) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters. Passwords expire after a certain time, forcing the user to change them. The user is notified via email when a password change occurs.
- Moderate (M) – A user has to use a combination of username and password. The password must be strong, with a minimum length of 10 characters and a combination of letters, numbers and special characters.
- Low (L) – A user has to use a combination of username and password, but may use a password of any length with no requirement for special characters.
- Very Low (VL) – No username or password is required. A user can get to the data as long as the user has the specific URL.
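The ladder above is written so that a control either fully meets a rung or it does not, and two analysts should arrive at the same level for the same configuration. The following is an added example (not code from the original article) that encodes the Scenario 1 ladder as a deterministic rating function and pairs it with a check of a candidate password against the “strong password” rule. The `AuthControl` fields, the function names and the sample configurations are assumptions made for illustration; the mapping to levels follows the five bullets above.

```python
"""Encode the Scenario 1 control-strength ladder as a repeatable rating.

Added example: the field names and sample configurations are assumptions,
the level definitions are the article's. Evaluating rungs from the top down
means a configuration gets the highest level whose requirements it fully
meets, so the result does not depend on who performs the assessment.
"""
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class AuthControl:
    """Configuration of the authentication control in front of the data."""
    requires_credentials: bool   # username + password demanded at all
    min_password_length: int     # 0 means no length requirement
    requires_complexity: bool    # letters, digits and special characters
    password_expires: bool       # periodic forced change
    notifies_on_change: bool     # email sent when the password changes
    requires_mfa: bool           # a second factor is required


def password_meets_policy(password: str, control: AuthControl) -> bool:
    """Check a candidate password against the policy the control enforces."""
    if len(password) < control.min_password_length:
        return False
    if control.requires_complexity:
        has_letter = any(c.isalpha() for c in password)
        has_digit = any(c.isdigit() for c in password)
        has_special = any(c in string.punctuation for c in password)
        if not (has_letter and has_digit and has_special):
            return False
    return True


def rate_control_strength(control: AuthControl) -> str:
    """Map a configuration onto VL/L/M/H/VH per the Scenario 1 ladder.

    The ladder as written does not score MFA on its own: a configuration
    with a second factor but without expiry and notification falls short of
    the VH rung and is rated on the remaining criteria. An organization that
    wants MFA to dominate should say so in its written standard rather than
    leave it to the analyst.
    """
    if not control.requires_credentials:
        return "VL"                      # reachable by anyone holding the URL
    strong_password = (control.min_password_length >= 10
                       and control.requires_complexity)
    if strong_password and control.password_expires and control.notifies_on_change:
        return "VH" if control.requires_mfa else "H"
    if strong_password:
        return "M"
    return "L"                           # credentials, but any password accepted


# Constructed sample configurations, one per rung of the ladder.
SAMPLE_CONTROLS = {
    "mfa_full_policy":   AuthControl(True, 10, True, True, True, True),
    "full_policy":       AuthControl(True, 10, True, True, True, False),
    "strong_only":       AuthControl(True, 10, True, False, False, False),
    "any_password":      AuthControl(True, 0, False, False, False, False),
    "url_only":          AuthControl(False, 0, False, False, False, False),
}


def rate_all(controls: dict) -> dict:
    """Rate every sample configuration; convenient for a consistency review."""
    return {name: rate_control_strength(c) for name, c in controls.items()}


if __name__ == "__main__":
    for name, level in rate_all(SAMPLE_CONTROLS).items():
        print(f"{name:18s} -> {level}")
    policy = SAMPLE_CONTROLS["strong_only"]
    print("Tr0ub4dor&3x meets policy:", password_meets_policy("Tr0ub4dor&3x", policy))
    print("password12 meets policy:  ", password_meets_policy("password12", policy))
```

Keeping the rating in code next to the written standard gives the leadership a concrete artifact to review in the training sessions described later: when a new scenario shows up that the function cannot rate (for example MFA without password expiry), the gap is in the rubric, not in the analyst.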
Scenario 2 – Protect physical security of a data center
- Very High (VH) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room combined with a biometric retina scan, and a camera inside the data center with face recognition that can flag unknown people.
- High (H) – Boundary wall with locked gates, 24×7 surveillance cameras, security guard on duty, visitor log register, keycard access to the data center room.
- Moderate (M) – Boundary wall with locked gates, security guard on duty, visitor log.
- Low (L) – Boundary wall with locked gates. Anyone with a key can enter the building.
- Very Low (VL) – Room inside a building with no locks.
Other Considerations
Here are a few other considerations when dealing with control strength estimation.
- We don’t need all five levels for each scenario. In some cases, three or four levels are enough, e.g. Very High, Moderate, and Low.
- The exact definition of each level can vary from one organization to another, but inside an organization it should follow a single written standard, so that two analysts rating the same control arrive at the same level. Revisit the definitions as guidance changes; for example, NIST SP 800-63B no longer recommends periodic password expiry, so an organization following it would drop that criterion from the Scenario 1 ladder rather than keep it as a marker of strength.
- The risk management leadership should train risk analysts on a continuous basis. The training should cover how to measure control strength by walking them through new scenarios each time. An example could be a monthly open meeting that picks one scenario and explains the rationale for its control levels.