What are intrinsic, residual and target risks?
By Tony Badsey-Ellis
When you start using RiskTree, a powerful risk assessment tool, it’s important to grasp the nuances of different risk types: intrinsic, residual, and target. These terms sometimes spark confusion, as their meanings aren’t always universally clear. Let’s demystify these concepts for a clearer understanding.
In a nutshell, intrinsic risk is the risk to your system or assets without any countermeasures (sometimes called ‘mitigations’) in place. The residual risk includes your current countermeasures, and the target risk includes additional countermeasures to further reduce your risk.
Types of risks in more detail:
Residual Risk: What’s Currently at Stake
Residual risk is the most straightforward of the three to understand. Simply put, it is the existing risk associated with an asset, including all the countermeasures currently in place. In essence, it reflects the risk level you are currently running with.
Target Risk: Aiming for Enhanced Security
Target risk shows the risk reduction that could be achieved by implementing additional countermeasures, called ‘target countermeasures’ in RiskTree. This helps to identify areas that can be mitigated further and, perhaps more importantly, those that can’t, enabling you to focus time and effort on risk reduction more effectively.
Intrinsic Risk: Exploring the Unshielded Scenario
Intrinsic risk, sometimes referred to as inherent or native risk, is more complex to understand. It quantifies the risk exposure when no countermeasures are in place. This sounds simple but becomes more complicated when you think about it. Imagine what your asset would look like without any countermeasures. Does that mean you would have no locks on the doors, no passwords for accounts, and no trustworthy staff? Just how far should you strip back the countermeasures? And what is the benefit of modelling such an unrealistic scenario?
It’s not always necessary. For rapid risk assessments, focusing on residual risk suffices. In RiskTree, set the assessment values for each risk with the current countermeasures taken into account, and document those countermeasures in the notes to aid anyone else who looks at the assessments.
So, why consider intrinsic risk if it’s not always necessary?
Creating an intrinsic assessment compels you to define and document the countermeasures explicitly in your attack tree. This makes them easier to review and assess than leaving them implicit within the risks, and it also makes them easy to reuse in RiskTree. Not every countermeasure needs explicit inclusion, but making explicit the ones you are interested in means you can assess their impact. Trying to do this for every essential countermeasure is going too far: assessing the value of having locks on the doors, for example, is not sensible, as you would never host your systems in an insecure building. However, showing your audit system as an explicit countermeasure is probably sensible; after all, there are systems out there that do not have effective audit capabilities.
An Illustrative Example of Intrinsic Risk
Imagine a system hosted on a high-cost cloud platform. A new head of IT proposes shifting to a cheaper alternative: one of his friends runs their own ‘cloud’ system which could do a similar job for about half the cost. We dive back into the risk assessment and check the countermeasures provided by the incumbent cloud provider. Does his friend implement segregation of duties? No – they don’t have enough staff for this. Are the audit logs immutably recorded? No – the administrator has database access to the records. But it’s OK – they trust their (non-vetted) staff.
Turning off these countermeasures in the RiskTree assessment makes the risks associated with the cloud provider suddenly much higher, so we can demonstrate to the new head of IT what value the current cloud provider brings, and why we pay more for them.
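As an added example that is not from the original post or from RiskTree itself, the following Python models the three assessment types with an assumed likelihood × impact scheme (RiskTree's own scoring is not reproduced here) and replays the cloud-provider comparison by switching off the segregation-of-duties and immutable-logging countermeasures. All risks, countermeasure names, reductions and scores are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Assumed scoring model (not RiskTree's own): likelihood and impact are 1-5,
# risk = likelihood x impact, and each countermeasure removes a fixed number
# of likelihood steps. Every name and number below is constructed.

@dataclass(frozen=True)
class Countermeasure:
    name: str
    reduction: int          # likelihood steps removed when applied
    current: bool = False   # in place today -> counts towards residual risk
    target: bool = False    # planned        -> counts towards target risk

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int         # intrinsic likelihood, with nothing in place
    impact: int
    countermeasures: tuple  # of Countermeasure

    def applied(self, mode):
        keep = {"intrinsic": lambda c: False, "residual": lambda c: c.current,
                "target": lambda c: c.current or c.target}[mode]
        return [c for c in self.countermeasures if keep(c)]

    def score(self, mode):
        reduced = self.likelihood - sum(c.reduction for c in self.applied(mode))
        return max(1, reduced) * self.impact   # likelihood never drops below 1

def assess(risks, mode):
    return {r.name: r.score(mode) for r in risks}

def switch_off(risks, names):
    # Model losing countermeasures, e.g. moving to a provider that lacks them.
    return [replace(r, countermeasures=tuple(
        replace(c, current=False, target=False) if c.name in names else c
        for c in r.countermeasures)) for r in risks]

RISKS = [
    Risk("Insider tampers with audit records", 5, 4, (
        Countermeasure("Segregation of duties", 1, current=True),
        Countermeasure("Immutable audit logs", 2, current=True),
        Countermeasure("Staff vetting", 1, current=True))),
    Risk("Credential theft via phishing", 4, 3, (
        Countermeasure("MFA on all accounts", 2, current=True),
        Countermeasure("Phishing-resistant authenticators", 1, target=True))),
]

if __name__ == "__main__":
    print({m: assess(RISKS, m) for m in ("intrinsic", "residual", "target")})
```

Running it shows the audit-tampering risk is already fully mitigated (residual equals target), while the phishing risk still has headroom; switching off the two provider-supplied countermeasures lifts the residual score of the first risk from 4 to 16.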
You’ll always want to understand your residual risk. You’ll often want to know your target risk. And sometimes, knowledge of your intrinsic risk will be useful. Deciding which types to assess is all part of planning your risk assessment.
To learn more or seek risk-related advice, feel free to contact us.