Assessing identification risk

• Internal fraud — when staff deliberately undermine the system and its processes.
• Collusion — when a person deliberately gives away their information or access.
• System attacks — when skilled people circumvent a (computer) system’s security to access networks and records (this usually involves information about multiple individuals).
• Information loss — when identifying information has been lost (accidentally or otherwise) but is not used for fraudulent purposes.

You will need other strategies in place to deal with the risks associated with these activities.

• Giving non-sensitive information — Example: giving someone an application form.
• Giving non-sensitive advice — Example: giving someone information on how to access services and transactions.
• Collecting a payment — Example: collecting a parking fine.

Depending on the service or transaction, the consequences of incorrect information or identity theft fall into 1 or more of the following categories:

• Financial loss or liability — for example, a person uses stolen or fictitious information to receive a financial benefit they are not entitled to and causes a direct financial loss to the source of the funds.
• Unauthorised release of sensitive information — for example, a person releases someone else’s personal information to an unauthorised party.
• Qualification, identification or reputation loss or damage — for example, a person uses a stolen qualification, identification or reputation which results in them representing themselves as falsely having certain skills or characteristics. If they use it to fraudulently receive services, this causes an organisation to lose credibility with the public.
• Other loss or liability — for example:
  • the service provider is in breach of legislation or policy
  • a person is prevented from gaining medical treatment, undertaking training or accessing a facility
  • a person avoids obligations.

For each risk and its category(s), consider:

• the information that can be viewed and updated in the service, especially where it’s relied on for decision making
• which affected party/parties will be impacted
• how each party will be impacted (for example, monetary amounts, type of information, regulatory compliance, nature of inconvenience, media coverage, degree of reputational damage) to put a value on or to describe the nature of the impact.

Next, think about the severity within each category if the consequence were to happen, and assign 1 of the following impact levels to each:

• Minimal
• Minor
• Moderate
• Significant
• Severe

To do this, use your own risk framework to describe what each of the levels means and select an appropriate impact level for each category of consequences.

Impacts that should not be considered

Take care not to assign any consequences to events that happen indirectly as a result of incorrect information or identity theft, as this will overly exaggerate the impact levels you assign a service or transaction.

This is particularly true if the consequences flow on to events that may be related to but do not concern the service or transaction.

Examples

• As the result of a transaction, a driver licence is issued to someone other than the entitled person.
  
  A consequence of this transaction might be that the licence is used as identification to receive a benefit elsewhere.
  
  However, as the initial intent of the licence is not to provide verification of someone’s identifying information but rather to certify that the person is authorised to drive, the impact of using the licence to receive a benefit elsewhere is not an identification risk of the actual transaction (to get a driver licence); it’s an identification risk of the other organisation's process.
• As the result of a transaction, an unauthorised party gets access to someone’s sensitive information. Consequences of this transaction might be:

• • the unauthorised party uses the information to blackmail the person or to find them and cause them bodily harm
  • the unauthorised party publishes the information causing distress to the person. Because of other people reading the information, the person is dismissed from their job.

The distress the person feels is a consequence of this transaction. However, the person losing their job is not a consequence of the transaction; it’s a consequence of the employer’s use of the disclosed information.

After you’ve assessed the possible consequences of an event happening, and the impact levels these could have, identify the controls that are in place and assess how effective these controls are.

Controls are only effective if they are applied consistently across all the steps of a service or transaction. If a control can only be applied to 1 or some steps of the service or transaction, you’ll need to assess each step separately.

Types of controls

There are 4 types of controls.

• Preventative — Stop the event or the consequence from happening.
• Corrective or Reductive — Do not stop an event or a consequence from happening but reduce the degree of impact.
• Detective — Identify events so you can put corrective measures in place to prevent these from happening in the future.
• Directive or Disincentive — Implement rules, policies or training, or assess the value of the service as being of too little consequence to make it a target.

What is not counted as a control

The strengths of the identification management processes are determined later so the following processes are not counted as controls:

• identification processes for when someone is requesting a service or completing a transaction
• authentication processes for when someone returns to a service or to complete a transaction.

Once you’ve determined which controls are in place for each risk, establish the degree to which each control is applied (its effectiveness), in other words, how often or how comprehensively it’s applied.

For each risk and its consequence categories, assess all the controls that are in place and then assess the likelihood that the consequences could still occur.

Note: You can only assess the likelihood of a consequence occurring once you’ve chosen what controls to put in place for it.

The levels of likelihood are:

• Rare — robust controls are in place that prevent or remove the impact of a consequence in all but the most exceptional circumstances.
• Unlikely — many controls are in place with some minor ineffectiveness that may allow a consequence to occur in limited circumstances.
• Possible — several controls are in place with such ineffectiveness that a consequence should occur in some circumstances.
• Likely — minimal controls are in place and/or controls lack effectiveness such that it’s highly probable a consequence will occur.
• Almost certain — there are no effective controls in place to prevent a consequence from occurring.

Help with assessing the level of likelihood

Sometimes it may be difficult to accurately establish the likelihood of a consequence occurring. The following methods may help:

• Check other services offered by the organisation with similar identification risk exposures.
• Check other organisations’ services with similar identification risk exposures.
• Read relevant published data on the likelihood of a particular identification consequence occurring for particular service types.
• Get specialist and expert advice.

Plot the impact and likelihood for each risk and consequence category using a matrix such as in Figure 1. This results in 1 of 25 possible outcomes or levels for that risk. In general, the highest number associated with each risk represents the remaining identification risk level for that risk.

Figure 1: Risk matrix

Using level of risk to calculate strength of identification processes

You can then convert the 2 levels of remaining identification risk for a service or transaction into a value that represents the strength (or assurance level) of the identification processes needed to reduce the adverse effects of this risk.

That is, the greater the level of identification risk for a transaction, the stronger (more comprehensive and stringent) your identification processes need to be, as shown in table 2.

There are 3 risk identification processes and they match the risks in the following way:

1. Verify the accuracy of information — Risk 1
2. Bind an entity to information and/or an authenticator — Risk 2
3. Ensure an authenticator is still being used by its owner — Risk 2

Risk treatment options for identification risk are:

• avoid the consequences of risk entirely by deciding not to start or continue the activity that gives rise to the risk
• modify 1 or more controls
  Note: 
  Modifying controls may alter the level of risk and therefore the strength of the identification management processes. If this happens, it’s important to reassess the risks, consequences, controls and likelihood to make sure the identification management processes are at the right level.
• modify the strength (assurance level) of identification processes
• share or transfer the consequence liability to another party (not recommended as accountability for the risk remains and the transfer will often not hold)
• retain the risk of consequences occurring by formally accepting them.

Choosing the appropriate risk treatment options involves balancing the cost and effort of implementation against the benefits.

A variety of risk treatment options can be implemented either individually or in combination with each other.

It’s important to identify and agree on an appropriate person to be responsible for and maintain the risk treatments that have been implemented for a service or transaction. This person must have the authority and ability to:

• get resources to effectively manage the risk treatment
• change the design of the service
• be accountable for the decision regarding the appropriate identification management assurance levels for each identification process.
• accept the untreated risk associated with the service.