RM Studio: A tool for threat identification and analysis
How much time does it take to get ISO Certified?
Spreadsheet Program Manual Risk Management: Masked Nemesis of Risk Management
We talk a lot about the risk management processes and utilizing RM Studio for a holistic approach to your risk management and business continuity management needs throughout our website. For this post we felt it would be useful to provide an example of how RM Studio can assist in more specific ways and as a tool with other uses in regards to risk assessment.
Before I started working as a consultant here at Stiki, I utilized RM Studio as a research tool for my Master Thesis, Risk analysis on VoIP systems. The goal of the thesis was to find and analyze the greatest threats to voice over internet protocol (VoIP) systems. The purpose of the thesis was not to complete an overall risk assessment, but to hone in on, and identify threats to VoIP systems. In the process of finding the threats, I defined assets I felt were common for all VoIP and public switched telephone networks (PSTN) communication. A few examples of these assets include privacy, financial assets, communication service, and reputation.
RM Studio helped me assign threats to each asset and define the impact, likelihood and vulnerability values that each threat had on the various assets. This allowed me to calculate the average security risk of each threat providing an indicator of which threats should be considered “biggest” threats to VoIP. The same assets were used to find the “Security Risk” of threats in the PSTN system which gave me a basis for comparison.
RM Studio proved to be most useful during my work. It offered a productive and efficient way to categorize threats, link them to assets, provided an overview and the option to pick out the information needed. RM Studio was able to display the threats that bore the largest risk factor, average risk to assets and risk distribution between threat categories.
As mentioned, I was not performing a risk assessment, so I did not utilize all of the functionalities of RM Studio, such as the Gap Analysis, or release one of the embedded standards into the software. However, RM Studio provided me with an analytical tool that allowed for repeatability, a vital feature for research.
Often, our users utilize RM Studio for their risk management needs, especially when pursuing ISO 27001 certification. What I discovered in my research, is that RM Studio can also serve as a decision making tool. Users can analyze threats and risk to specific assets which they plan to implement into the organization. This allows users to make a business decision on which asset to move forward with in regards to the risks it may or may not add to the organization. This is an option that can assist decision makers in investments that goes beyond the financial decision making process and adds a new dimension of decision making, a risk analysis.
