Compliance and accreditation infer the ability to provide security for everything. In preparing a rubric for emergency response, compliance, and accreditation, there are generally two schools of thought. risk based planning and vulnerability based planning. According to the CNSS, a “Vulnerability Assessment” is the systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. [1] In short, vulnerability focused verification intends to find a leak and patch the hole, regardless of its location. Conversely, NIST defines “Risk Assessment” as the process of identifying risks to organizational operations (including mission, functions, image, reputation risks), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. NIST considers Risk Assessment synonymous with Risk Analysis. [1] To continue with the leak analogy, risk focused verification focuses on which leak will cause the most structural damage, and patching that hole, while ignoring the other leaks, for the time being.
The general difference between these two philosophies can be broken down into possibility versus probability. While no system can provide complete information safety and security, when deciding between risk based or vulnerability based accreditation and certification, a system owner should factor cost, threats, and consequences. Arguably, vulnerability based contingencies are more thorough than risk based security systems, as they analyze and account for every known threat, and in a situation where time and budget are not an option, there is no question that vulnerability based assessments are superior to risk based assessments, but we do not live in this mythical utopia, and time and budgets are factors in our system security strategies.
By assessing the weight of the potential threats to a computer network and prioritizing accordingly, a system assuror drifts from the realm of vulnerability focused verification to the realm of risk based verification. Risk verification enforces a hierarchy of importance on assets, and allocates a commensurate amount of resources to the most impending threat. A useful formula for calculating risk is taking the likelihood of a threat happening, then multiplying that likelihood by the consequence of that threat. So if a data breach could result in a 20,000 dollar fine, and there are five obvious methods by which that data could be leaked, the risk associated with a data breach could be factored at 100,000 dollars. In a vulnerability based compliance system, the potential threats would be rectified, regardless of the cost. However, in a risk based compliance system, the cost concerning defending the known threats would not exceed 100,000 dollars, and in most instances, would likely consider a budget of over 75% to be cost prohibitive. This pragmatic approach would, in effect, be gambling against the likelihood of these five threats, in the hope that 75,000 would be sufficient to prevent this 100,000 dollar catastrophe.
Every organization is prohibited by funds available, time, or knowledge of their own system and the potential threats that exist in the wild. The role of a security adviser is to make the best decisions with the resources available. Vulnerability Accreditation and Risk Accreditation are both viable options, in the appropriate circumstances, but I believe that nine times out of ten, the most practical answer will remain Risk Based Analysis.
[1] Gantz, S. D., Philpott, D. R., & Windham, D. (2013). FISMA and the risk management framework the new practice of federal cyber security. Amsterdam: Elsevier/Syngress.
https://www.csoonline.com/article/3211443/security/vulnerability-vs-risk-knowing-the-difference-improves-security.html
https://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven%20Approach%20whitepaper.pdf