Jaewon Lee, CISA, CGEIT, CRISC, CIA, CRMA
There is no doubt that the importance of IT risk management is increasing at this very moment. Across industries, customer demand for highly available Internet services and products keeps growing.
At the same time, cybercrime is becoming more sophisticated, e.g., advanced persistent threats (APTs). In addition, recent IT trends require expanding the current IT threat horizon to areas such as big data, cloud computing, mobile banking, zero trust networks and agile. In conjunction with this, I see that many enterprises tend to perform intensive and comprehensive risk assessments to evaluate their IT environment.
However, IT risk assessments thus far have been based on the conventional risk formula (Risk = Likelihood x Impact). That formula typically does not consider IT's nature and characteristics, such as software architectural aspects (e.g., complexity), the different security requirements (confidentiality, integrity and availability), and the availability of solutions to respond to the risk.
To account for these factors, in my recent Journal article I present an enhanced risk formula (Risk = Criticality [Likelihood x Vulnerability Scores (CVSS)] x Impact) to calculate more effective and accurate risk ratings, particularly for software security vulnerabilities.
The benefits of the enhanced formula, which reuses the CVSS calculation logic, are clear: criticality and risk ratings for software security vulnerabilities are calculated separately; both IT characteristics and software architectural aspects are included more explicitly; the method for estimating criticality and risk ratings is consistent and repeatable; the enhanced risk formula is more objective; and the availability of a solution to address each software security vulnerability is taken into account.
These benefits help to estimate the criticality of software security vulnerabilities in the development environment, as the criticality is assessed before the potential impact is calculated.