Title :
Elementary Risks: Bridging Operational and Strategic Security Realms
Author :
Wael Kanoun;Serge Papillon;Samuel Dubus
Abstract :
Risk management is widely used to evaluate and treat the prominent risks facing an organization. Such models are organizational (business-aware) rather than technical, and they enable security officers to manage risks in the long run. However, both ICT systems and the threat landscape keep evolving, and dynamic cyber security management becomes paramount to address potential breaches. Operational security management is based on technical processes executed by administrators who are not necessarily aware of the organization's business and strategic aspects. This gap between the technical and organizational levels renders traditional risk assessment methods cumbersome and obsolete. In this paper, we propose the novel concept of an Elementary Risk (ER), which represents a quantum of risk for an organization. Composite Risks (CRs) are then calculated from ERs and presented to the security officer. CRs enable dynamic calculation of the organization's risk posture while taking the system's current state into account. Moreover, ER and CR make it possible to capture the contribution of technical elements (e.g. a vulnerability, a server) or security measures (e.g. a patch, a firewall rule) to the overall risk profile of the organization.
Keywords :
"Organizations","Erbium","Security","Measurement","Risk management","Servers"
Conference Title :
Signal-Image Technology & Internet-Based Systems (SITIS), 2015 11th International Conference on
DOI :
10.1109/SITIS.2015.130