Describe the risk scenarios
Find out what risk scenarios are, and how to write clear risk scenarios that will help you to analyse them during the risk assessment.
Working out risk scenarios
A risk scenario describes how a risk to an information system could occur: an event that discloses its confidential information, or harms its integrity or availability. For each risk you identify, it records the causes of the risk and the effects if the event happens.
Be clear when describing risk scenarios
The key here is to be specific, using the structure below to guide how you write each scenario. The more precise the cause, event and impact, the better you will be able to assess the likelihood and impact of each risk during the analysis phase.
Structure of risk scenarios
- Because [risk cause],
- [risk event] happens,
- causing [risk impact].
Tips for writing clear risk scenarios
The business and technical contexts normally inform what the possible causes of risks are.
Make sure that you and the stakeholders discuss all possibilities — there can be more than one cause of a risk.
Example 1 — Writing clear risk scenarios
- Because a system does not enforce strong passwords or account lockout policies, and does not log failed login attempts,
- a hacker gains unauthorised access to information stored in the system by performing a brute-force password-guessing attack,
- causing the hacker to use the information to commit identity fraud, which leads to an investigation by the Privacy Commissioner and reputational damage to the Minister and government organisation.
Example 2 — Writing clear risk scenarios
- Because disk encryption has not been enabled on all of the organisation’s laptop devices,
- when an employee loses their laptop,
- this leads to official information being disclosed to an unauthorised party and reputational damage to the Minister and government organisation.
Example of a badly written risk scenario
This shows why it’s important to write risk scenarios clearly.
Example 1 — A poorly written risk scenario
Fraud may occur.
Assessing the likelihood and impact of this scenario will be difficult, if not impossible: it does not say who commits the fraud, how, or what makes it possible, so it is too vague to allow any meaningful discussion of the risk.
Example 2 — Improving the poorly written risk scenario
- Because an organisation’s processes for fraud detection are not robust,
- when an employee commits fraud,
- this leads to financial loss and damage to reputation of the government organisation.
This improved risk scenario will be much more useful during the risk analysis phase of the risk assessment. Remember, a risk that is not identified and clearly described in the identification phase is likely to be missed entirely.
Later phases of the assessment rarely catch risks that were missed here, which is why it is important to put the work in at this stage.
List the causes and impacts of risks
Identifying all of the risks to an information system helps you and your team to find and select controls to manage each risk.
With this goal in mind, it is also useful to write out separate lists of the causes and of the impacts across all of your risk scenarios. Even though each scenario already contains this information, the combined lists give a clear picture of:
- where risks are coming from
- how they could harm your organisation.