With all businesses, at the end of the day survival is the name of the game. All organizations pray that they continue to sustain a high profit and that no attacks ever occur. But should an attack occur, it is imperative that the company be able to survive and continue to operate in the aftermath of an attack. While operating at 30% revenue is not as ideal as operating at 100%, it is better than going out of business.
When talking about survivability, a key point to start with is risk. Risk is the possibility of suffering harm or loss, and survivability is making sure that an organization never has complete loss. The key with risk is to determine the areas where the organization can suffer from loss. Once these areas have been determined, the proper countermeasures or controls must be put into place in order to prevent these areas from being completely destroyed. Critical intellectual property (IP) is what gives an organization net worth. If that IP can be destroyed, then the company could also be destroyed. Once the IP has been identified, the next step is looking at what damage could potentially happen to the IP and which weaknesses of the organization would allow it to happen. There is a simple formula that can be used to calculate risk:
Risk = (threat × vulnerabilities × probability × impact) / countermeasures
Understanding and calculating risk allows an organization to better understand their points of exposure. If an organization is going to survive, it is critical that they are able to protect and limit the damage that exposure points may sustain.
Threats represent possible danger and come in many different shapes and sizes. When you are putting together the risk formula, threat is what drives the train. Threat is the starting point that is used to calculate all of the other variables that are needed to come up with a formula for risk. All organizations have different threats based on their type of organization. Therefore, there is no way to generate a generic list of threats. For organizations to assess threats, they must focus on their specific vertical of business and their specific intellectual property. If you think about it, the threats that a major defense contractor faces are much different from the threats that an online store faces. Threat tells an organization what to worry about in the risk formula. While threat allows us to focus our effort, in many cases there is nothing you can do about a particular threat. To reduce the overall risk, a risk formula variable other than threat must be lowered, and that variable is vulnerabilities. In the risk formula, threat is used to calculate the risk and vulnerabilities are used to reduce the risk.