Lecture 4


Risk Management

Once we know our weaknesses, they cease to do us any harm


G.C. (GEORG CHRISTOPH) LICHTENBERG (1742-1799)
GERMAN PHYSICIST, PHILOSOPHER
Learning Objectives
Upon completion of this material, you should be able to:

Define risk management, risk identification, and risk control

Understand how risk is identified and assessed

Describe the risk control strategy options for controlling risks

Evaluate risk controls and formulate a cost benefit analysis

Understand how to maintain and perpetuate risk controls
Introduction
Risk management: process of identifying and controlling risks facing an organization

Risk identification: process of examining an organization's current information technology security situation

Risk control: applying controls to reduce risks to an organization's data and information systems
Components of Risk Management
Risk Management
◦ Risk Identification
  ◦ Inventorying assets
  ◦ Classifying assets
  ◦ Identifying threats & vulnerabilities
  ◦ Risk assessment: the documented result of the risk identification process
◦ Risk Control
  ◦ Selecting strategy
  ◦ Justifying controls

Competitiveness
Information technology role
◦ Began as an advantage
◦ Now falling behind is a disadvantage
Availability is a necessity
An Overview of Risk Management
Know yourself
◦ Understand the technology and systems in your organization

Know the enemy
◦ Identify, examine, and understand threats

Role of communities of interest
◦ Information security
◦ Management and users
◦ Information technology
The Roles of the Communities of Interest
1) Information security, 2) management and users, and 3) information technology all must work together

Management review:
◦ Verify completeness/accuracy of asset inventory
◦ Review and verify threats as well as controls and mitigation strategies
◦ Review cost effectiveness of each control
◦ Verify effectiveness of controls deployed
Risk Identification
Assets are targets of various threats and threat agents

Risk management involves identifying the organization's assets and identifying threats/vulnerabilities

Risk identification begins with identifying the organization's assets and assessing their value
Asset Identification and Valuation
Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)

Assets are then classified and categorized
Table 4-1 - Categorizing Components
Asset Identification & Valuation

Traditional system components | SecSDLC and risk management system components
People     | Employees                      | Trusted employees; Other staff
           | Non-employees                  | People at trusted organizations; Strangers
Procedures | Procedures                     | IT & business standard procedures; IT & business sensitive procedures
Data       | Information                    | Transmission; Processing; Storage
Software   | Software                       | Applications; Operating systems; Security components
Hardware   | System devices and peripherals | Systems and peripherals; Security devices
           | Networking components          | Intranet components; Internet or DMZ components
People, Procedures, and Data Asset Identification
Human resources, documentation, and data/information assets are more difficult to identify

People with knowledge, experience, and good judgment should be assigned this task

These assets should be recorded using a reliable data-handling process

Asset attributes for people
◦ Position name/number/ID; supervisor; security clearance level; special skills
◦ Try to avoid names

Asset attributes for procedures
◦ Intended purpose
◦ Relationship to software, hardware, network elements
◦ Storage location

Asset attributes for data
◦ Classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification
What information attributes to track depends on:
◦ Needs of organization/risk management efforts
◦ Management needs of information security/information technology communities

Asset attributes to be considered are:
◦ Name (device or program name)
◦ IP address
◦ Media access control (MAC) address
◦ Element type: server, desktop, etc. (device class, device OS, device capacity)
◦ Serial number
◦ Manufacturer name; model/part number
◦ Software version, update revision
◦ Physical location
◦ Logical location (where on the network)
◦ Controlling entity (organizational unit to which it belongs)
Information Asset Classification
Many organizations have data classification schemes (e.g., confidential, internal, public data)
Classification must be specific enough to allow determination of priority
◦ Comprehensive: all information fits in the list somewhere
◦ Mutually exclusive: each item fits in only one place
Information Asset Valuation
Questions help develop criteria for asset valuation: which information asset
◦ is most critical to the organization's success?
◦ generates the most revenue?
◦ generates the most profit?
◦ would be most expensive to replace?
◦ would be most expensive to protect?
◦ would be most embarrassing or cause the greatest liability if revealed?

Figure 4-3 – Example Worksheet
Listing Assets in Order of Importance
Weighted factor analysis
◦ Calculate the relative importance of each asset

Each information asset is assigned a score for each critical factor (0.1 to 1.0)
◦ Impact to revenue
◦ Impact to profitability
◦ Impact to public image

Each critical factor is assigned a weight (1-100); the weights add up to 100

For each asset, multiply each factor score by the factor's weight and add the products; the total is the asset's weighted score, and assets are listed in descending order of that score

Table 4-2 – Example Weighted Factor Analysis
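Weighted factor analysis in working code, as an added example (not code from the lecture or the textbook it follows). The three factors and the rule that the weights add up to 100 come from the slide; the asset names and their scores are constructed for illustration. The code also enforces the bounds the slide states (weights 1-100 summing to 100, scores 0.1-1.0) so that a malformed worksheet is rejected rather than silently ranked.

```python
"""Weighted factor analysis: rank information assets by weighted score.

Added example; not code from the lecture. Criteria and weighting rule are
from the slide; asset names and scores below are constructed.
"""
from typing import Dict, List, Tuple

# Weight of each critical factor (1-100); the weights must add up to 100.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

# Constructed assets, each scored 0.1 .. 1.0 on every critical factor.
ASSET_SCORES: Dict[str, Dict[str, float]] = {
    "Customer order database": {
        "impact_to_revenue": 0.9,
        "impact_to_profitability": 0.9,
        "impact_to_public_image": 0.6,
    },
    "Supplier EDI feed": {
        "impact_to_revenue": 0.7,
        "impact_to_profitability": 0.8,
        "impact_to_public_image": 0.4,
    },
    "Public marketing website": {
        "impact_to_revenue": 0.4,
        "impact_to_profitability": 0.3,
        "impact_to_public_image": 0.9,
    },
    "Internal HR records": {
        "impact_to_revenue": 0.2,
        "impact_to_profitability": 0.3,
        "impact_to_public_image": 0.8,
    },
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject weight tables with out-of-range weights or a total other than 100."""
    if any(not 1 <= w <= 100 for w in weights.values()):
        raise ValueError("each factor weight must be in 1..100")
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must sum to 100, got {total}")


def validate_scores(scores: Dict[str, float], weights: Dict[str, int]) -> None:
    """Every weighted factor needs a score, and scores stay within 0.1 .. 1.0."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"missing scores for factors: {sorted(missing)}")
    for factor, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {factor} must be in 0.1..1.0, got {score}")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Multiply each factor score by its weight and add the products."""
    validate_scores(scores, weights)
    return round(sum(scores[f] * weights[f] for f in weights), 1)


def rank_assets(
    asset_scores: Dict[str, Dict[str, float]], weights: Dict[str, int]
) -> List[Tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important asset first."""
    validate_weights(weights)
    ranked = [(name, weighted_score(s, weights)) for name, s in asset_scores.items()]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for asset, score in rank_assets(ASSET_SCORES, CRITERIA_WEIGHTS):
        print(f"{score:5.1f}  {asset}")
```

With the constructed scores the customer order database ranks first at 81.0 and the HR records last at 42.0; swapping the weights (say 30/30/40) changes the order, which is why the weights are agreed with management before the assets are scored.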
Data Classification and Management
Variety of classification schemes used by corporate and military organizations
Georgia-Pacific Corporation (G-P) scheme
◦ Confidential, sensitive, or proprietary
◦ Internal: G-P employees, authorized contractors
◦ External: public
U.S. military classification scheme
◦ Unclassified data
◦ Sensitive but unclassified data
◦ Confidential data
◦ Secret data
◦ Top secret data

Information owners are responsible for classifying their information assets
Information classifications must be reviewed periodically
Most organizations do not need the detailed level of classification used by military or federal agencies

Organizations may need to classify data to provide protection, for example:
◦ Public
◦ For official use only
◦ Sensitive
◦ Classified

Assign a classification to all data
Grant access to data based on classification and need
Devise some method of managing data relative to its classification
Security Clearances
Security clearance structure: each data user is assigned a single level of authorization indicating the classification level they may access

Before accessing a specific set of data, the employee must also meet the need-to-know requirement

This extra level of protection ensures information confidentiality is maintained

Management of Classified Data
Storage, distribution, portability, and destruction of classified data

Information that is not unclassified or public must be clearly marked as such

Clean desk policy requires all information be stored in an appropriate storage container daily; unneeded copies of classified information are destroyed

Dumpster diving can compromise information security
Identify and Prioritize Threats & Threat Agents

Categories of threat                     | Examples
Acts of human error or failure           | Accidents, employee mistakes
Compromises to intellectual property     | Piracy, copyright infringement
Deliberate acts of espionage or trespass | Unauthorized access and/or data collection
Deliberate acts of information extortion | Blackmail or information disclosure
Deliberate acts of theft                 | Illegal confiscation of equipment or information
Deliberate acts of sabotage or vandalism | Destruction of systems or information
Deliberate acts of software attacks      | Viruses, worms, macros, denial-of-service
Forces of nature                         | Fire, flood, earthquake, lightning
Deviations in quality of service         | ISP, power, WAN service issues from service providers
Technical hardware failures or errors    | Equipment failure
Technical software failures or errors    | Bugs, code problems, unknown loopholes
Technological obsolescence               | Antiquated or outdated technologies
Threat Assessment
Realistic threats need investigation; unimportant threats are set aside
◦ Each of the threats must be examined to assess the potential damage
◦ Which threats present a danger to the organization's assets?
◦ Which threats represent the most danger (probability of attack)?
◦ How much would it cost to recover from a successful attack?
◦ Which threat requires the greatest expenditure to prevent?
Vulnerability Identification
Identify each asset and each threat it faces
Create a list of vulnerabilities
Examine how each of the threats is likely to be perpetrated
Risk Assessment
Risk assessment evaluates the relative risk for each vulnerability

Assigns a risk rating or score to each information asset

Risk = likelihood of occurrence of vulnerability * value of the information asset - % of risk mitigated by current controls + uncertainty of current knowledge of vulnerability

The mitigation and uncertainty percentages are taken of the base product (likelihood * value), not subtracted as raw numbers; with L = likelihood, V = asset value, M = fraction mitigated by current controls, and U = uncertainty (1 - accuracy of the data):

Risk = (L * V) - (L * V * M) + (L * V * U)
Likelihood
Probability that a specific vulnerability within an organization will be successfully attacked
Assign a number between 0.1 and 1.0
Data is available for some factors
◦ Likelihood of fire
◦ Likelihood of receiving infected email
◦ Number of network attacks

Valuation of Information Assets
Using information from asset identification, assign a weighted score for the value
◦ 1-100
◦ 100: loss would stop company operations
◦ May use broad categories
◦ NIST has some predefined categories
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas

Residual risk: risk remaining after controls are applied
Access Controls
Mandatory (MAC)
◦ Gives users and data owners limited control over access to information
◦ Lattice-based: users are assigned a matrix of authorizations for particular areas of access

Nondiscretionary
◦ Role-based or task-based controls
◦ Centrally managed

Discretionary (DAC)
◦ Access is granted at the option of the user or data owner
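The clearance-plus-need-to-know rule from the Security Clearances slide and the lattice-based mandatory control above, as an added example in Python (not code from the lecture). The classification levels follow the slide's "public / for official use only / sensitive / classified" list; the need-to-know categories and the users and documents are constructed. It goes one step beyond the slides by also giving the lattice join (least upper bound), which is the label a document derived from two differently labelled sources has to carry.

```python
"""Clearance level plus need-to-know as a lattice-based mandatory access check.

Added example, not code from the lecture. Levels follow the slide's list;
the categories (compartments), users and documents are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Ordered classification levels, lowest to highest.
LEVELS: Tuple[str, ...] = ("public", "official_use_only", "sensitive", "classified")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one classification level plus need-to-know categories."""

    level: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every category of b."""
    return RANK[a.level] >= RANK[b.level] and a.categories >= b.categories


def can_read(clearance: Label, data: Label) -> bool:
    """Read is allowed only when the user's clearance dominates the data label.

    A clearance level alone is not sufficient: every need-to-know category on
    the data must also appear in the user's clearance.
    """
    return dominates(clearance, data)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label required for data combined from a and b."""
    level = a.level if RANK[a.level] >= RANK[b.level] else b.level
    return Label(level, a.categories | b.categories)


def access_decision(user: str, clearance: Label, resource: str, data: Label) -> str:
    """Log-friendly one-line record of an access attempt and its verdict."""
    verdict = "ALLOW" if can_read(clearance, data) else "DENY"
    return (f"{verdict} user={user} clearance={clearance.level}/{sorted(clearance.categories)} "
            f"resource={resource} label={data.level}/{sorted(data.categories)}")


if __name__ == "__main__":
    # Constructed users and documents.
    analyst = Label("sensitive", frozenset({"finance"}))
    forecast = Label("sensitive", frozenset({"finance"}))
    payroll = Label("official_use_only", frozenset({"hr"}))
    print(access_decision("analyst", analyst, "q3-forecast", forecast))
    print(access_decision("analyst", analyst, "payroll", payroll))
    merged = join(forecast, payroll)
    print(access_decision("analyst", analyst, "forecast+payroll", merged))
```

Note the second decision: the analyst's level is higher than the payroll file's, yet access is denied because the "hr" category is missing from the clearance. The merged document takes the higher level and the union of categories, so it needs a clearance that neither source alone required.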
Problem
Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls, and you estimate the assumptions and data are 90% accurate.
Information asset B has a value score of 100 and has two vulnerabilities. Vulnerability 2 has a likelihood of 0.5, and current controls address 50% of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate the assumptions and data are 80% accurate.

Solutions
Risk = likelihood of occurrence of vulnerability * value of the information asset - % of risk mitigated by current controls + uncertainty of current knowledge of vulnerability (uncertainty = 100% - accuracy)
Asset A (V1) = (50 x 1.0) - (50 x 1.0) x 0% + (50 x 1.0) x 10%
= 50 - 0 + 5
= 55
Asset B (V2) = (100 x 0.5) - (100 x 0.5) x 50% + (100 x 0.5) x 20%
= 50 - 25 + 10
= 35
Asset B (V3) = (100 x 0.1) - (100 x 0.1) x 0% + (100 x 0.1) x 20%
= 10 - 0 + 2
= 12
Documenting Results of Risk Assessment
Final summary is compiled in a ranked vulnerability risk worksheet (Table 4-8, which relates to Table 4-2)

Worksheet details asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor
Order by risk-rating factor

Ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk
Risk Identification and Assessment Deliverables

Deliverable                                | Purpose
Information asset classification worksheet | Assembles information about information assets and their impact on or value to the organization
Weighted criteria analysis worksheet       | Assigns a ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet        | Assigns a ranked value of risk rating for each uncontrolled asset-vulnerability pair
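The risk formula applied to the Asset A / Asset B problem above and then sorted into a ranked vulnerability risk worksheet, as an added example in Python (not the lecture's code). The asset values, likelihoods, control coverage and accuracy figures are those of the problem slide; the one assumption is that uncertainty is 1 minus the stated accuracy, which is how the solution slide uses it. The validation rejects inputs outside the ranges the slides give (value 1-100, likelihood 0.1-1.0, fractions 0-1).

```python
"""Risk rating per the lecture formula, and a ranked vulnerability risk worksheet.

Added example, not code from the lecture. Figures in LECTURE_PROBLEM are
taken from the problem slide; uncertainty is assumed to be 1 - accuracy.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class VulnerabilityRow:
    asset: str
    asset_value: float      # weighted asset value, 1..100
    vulnerability: str
    likelihood: float       # probability of successful attack, 0.1..1.0
    mitigated: float        # fraction of the risk addressed by current controls, 0..1
    accuracy: float         # confidence in the assumptions and data, 0..1


def validate(row: VulnerabilityRow) -> None:
    """Reject rows whose inputs fall outside the ranges the worksheet uses."""
    if not 1 <= row.asset_value <= 100:
        raise ValueError(f"{row.asset}: asset value must be 1..100")
    if not 0.1 <= row.likelihood <= 1.0:
        raise ValueError(f"{row.vulnerability}: likelihood must be 0.1..1.0")
    for name, value in (("mitigated", row.mitigated), ("accuracy", row.accuracy)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{row.vulnerability}: {name} must be 0..1")


def risk_rating(row: VulnerabilityRow) -> float:
    """risk = (L*V) - (L*V)*M + (L*V)*U, with U = 1 - accuracy."""
    validate(row)
    base = row.likelihood * row.asset_value
    uncertainty = 1.0 - row.accuracy
    return round(base - base * row.mitigated + base * uncertainty, 2)


def ranked_worksheet(rows: Sequence[VulnerabilityRow]) -> List[Tuple[str, str, float]]:
    """(asset, vulnerability, risk-rating factor) tuples, highest risk first."""
    sheet = [(r.asset, r.vulnerability, risk_rating(r)) for r in rows]
    sheet.sort(key=lambda entry: entry[2], reverse=True)
    return sheet


# Values from the lecture's problem slide.
LECTURE_PROBLEM = [
    VulnerabilityRow("Asset A", 50, "Vulnerability 1", likelihood=1.0, mitigated=0.0, accuracy=0.9),
    VulnerabilityRow("Asset B", 100, "Vulnerability 2", likelihood=0.5, mitigated=0.5, accuracy=0.8),
    VulnerabilityRow("Asset B", 100, "Vulnerability 3", likelihood=0.1, mitigated=0.0, accuracy=0.8),
]

if __name__ == "__main__":
    print(f"{'rating':>6}  {'asset':8}  vulnerability")
    for asset, vuln, rating in ranked_worksheet(LECTURE_PROBLEM):
        print(f"{rating:6.1f}  {asset:8}  {vuln}")
```

The worksheet comes out 55, 35, 12, matching the solution slide: the lower-valued Asset A ranks first because its vulnerability is certain to be exploited and nothing currently mitigates it.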
Risk Control Strategies
Once the ranked vulnerability risk worksheet is complete, choose one of four strategies to control each risk:
◦ Apply safeguards that eliminate or reduce the residual risk (avoidance)
◦ Transfer the risk to other areas or outside entities (transference)
◦ Reduce the impact should the vulnerability be exploited (mitigation)
◦ Understand the consequences and accept the risk without control or mitigation (acceptance)
Avoidance
Attempts to prevent exploitation of the vulnerability

Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

Three common methods of risk avoidance:
◦ Application of policy
◦ Training and education
◦ Applying technology

Transference
Control approach that attempts to shift risk to other assets, processes, or organizations
◦ Rethinking how services are offered
◦ Revising deployment models
◦ Outsourcing
◦ Purchasing insurance
◦ Implementing service contracts
Transference shifts the cost of an incident, not the accountability for it: the contract or policy must spell out what the outside entity actually covers

In Search of Excellence (Peters and Waterman)
◦ Concentrate on what you do best
Mitigation
Attempts to reduce the impact of vulnerability exploitation through planning and preparation

Approach includes three types of plans:
◦ Incident response plan (IRP)
◦ Disaster recovery plan (DRP)
◦ Business continuity plan (BCP)

Disaster recovery plan (DRP) is the most common mitigation procedure

The actions to take while an incident is in progress are defined in the incident response plan (IRP)

Business continuity plan (BCP) encompasses continuation of business activities if a catastrophic event occurs
Acceptance
Doing nothing to protect a vulnerability and accepting the outcome of its exploitation

Valid only when the particular function, service, information, or asset does not justify the cost of protection; acceptance is a deliberate, documented decision, not the default result of never having assessed the risk

Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls
Selecting a Risk Control Strategy
Level of threat and value of asset play a major role in selection of strategy
◦ When a vulnerability exists: implement security controls to reduce the likelihood of its being exploited
◦ When a vulnerability can be exploited: apply layered protections, architectural designs, and administrative controls
◦ When the attacker's cost is less than the potential gain: apply protection to increase the attacker's cost
◦ When the potential loss is substantial: redesign, new architecture, and additional controls
Categories of Controls
1. Control function
◦ Preventive and detective

2. Architectural layer
◦ Organizational policy, external networks, intranets, network devices, systems

3. Strategy layer
◦ Avoidance, mitigation, or transference

4. Information security principle
◦ Classified by characteristic: confidentiality, integrity, availability, authentication, authorization, accountability, privacy
Feasibility Studies
Compare the cost of a control to the potential loss it prevents
Cost avoidance is the process of avoiding the financial impact of an incident

Cost Benefit Analysis
Evaluate worth of asset
Loss of value if asset compromised
Items affecting cost of control
◦ Cost of development or acquisition
◦ Cost of implementation
◦ Service costs
◦ Cost of maintenance

Benefits: value gained by using controls

Assess worth of asset
Calculate the single loss expectancy
◦ SLE = asset value * exposure factor (EF)
◦ Exposure factor = % of the asset's value lost in a single exploitation
Calculate the annualized loss expectancy
◦ ALE = SLE * ARO (annualized rate of occurrence: expected number of occurrences per year)

Cost Benefit Analysis Formula
CBA determines whether or not the control alternative being evaluated is worth the cost incurred to control the vulnerability
CBA = ALE(prior) - ALE(post) - ACS
ALE(prior) is the annualized loss expectancy of the risk before implementation of the control
ALE(post) is the estimated ALE based on the control being in place for a period of time
ACS is the annualized cost of the safeguard
A positive CBA means the control reduces expected annual loss by more than it costs; zero or negative means the control is not justified on cost alone
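SLE, ALE and the CBA formula carried through for several control alternatives against one risk, as an added example in Python (not code from the lecture). The asset value, exposure factors, occurrence rates and control costs are constructed figures; the formulas are the slides'. A control can lower the exposure factor (less lost per incident), the rate of occurrence (fewer incidents), or both, so each alternative carries its own post-control EF and ARO.

```python
"""SLE, ALE and CBA for comparing control alternatives.

Added example, not code from the lecture. All monetary figures, exposure
factors and occurrence rates below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor (fraction of value lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction in 0..1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (expected number of occurrences per year)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    exposure_factor_post: float  # EF once the control is in place
    aro_post: float              # ARO once the control is in place
    annual_cost: float           # ACS: annualized cost of the safeguard


def cba(asset_value: float, ef_prior: float, aro_prior: float, control: Control) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS."""
    ale_prior = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_post), control.aro_post)
    return ale_prior - ale_post - control.annual_cost


def rank_controls(asset_value: float, ef_prior: float, aro_prior: float,
                  controls: Sequence[Control]) -> List[Tuple[str, float]]:
    """(control name, CBA) pairs, best net benefit first."""
    scored = [(c.name, round(cba(asset_value, ef_prior, aro_prior, c), 2)) for c in controls]
    scored.sort(key=lambda entry: entry[1], reverse=True)
    return scored


def best_control(asset_value: float, ef_prior: float, aro_prior: float,
                 controls: Sequence[Control]) -> Optional[Tuple[str, float]]:
    """The control with the highest positive CBA, or None when none pays for itself
    (a signal to look at cheaper controls, transference, or documented acceptance)."""
    ranked = rank_controls(asset_value, ef_prior, aro_prior, controls)
    if not ranked or ranked[0][1] <= 0:
        return None
    return ranked[0]


# Constructed scenario: a customer database worth 200,000, half its value lost
# per breach, one breach expected every five years (ARO 0.2).
ASSET_VALUE = 200_000.0
EF_PRIOR = 0.5
ARO_PRIOR = 0.2

CONTROLS = [
    Control("Encrypted backups with restore testing", exposure_factor_post=0.1, aro_post=0.2, annual_cost=4_000),
    Control("Managed detection and response service", exposure_factor_post=0.5, aro_post=0.05, annual_cost=18_000),
    Control("Enterprise DLP suite", exposure_factor_post=0.05, aro_post=0.05, annual_cost=30_000),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF_PRIOR)
    print(f"SLE(prior)={sle:,.0f}  ALE(prior)={annualized_loss_expectancy(sle, ARO_PRIOR):,.0f}")
    for name, value in rank_controls(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, CONTROLS):
        print(f"CBA {value:>10,.0f}  {name}")
    print("best:", best_control(ASSET_VALUE, EF_PRIOR, ARO_PRIOR, CONTROLS))
```

With ALE(prior) at 20,000 per year, only the backup control has a positive CBA (12,000); the two costlier controls reduce loss more but cost more than they save, so on cost grounds alone they would not be selected for this asset.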
Benchmarking
An alternative to cost benefit analysis for justifying controls

Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate

One of two measures typically used to compare practices:
◦ Metrics-based measures
◦ Process-based measures

Benchmarking -- Metrics-based measures
Metrics-based measures are comparisons based on numerical standards:
◦ Number of successful attacks
◦ Staff-hours spent on systems protection
◦ Dollars spent on protection
◦ Number of security personnel
◦ Estimated value of information lost in attacks
◦ Loss in productivity hours
Performance gap is the difference between an organization's measures and those of others

Benchmarking -- Process-based measures
Less focus on numbers; more strategic than metrics-based measures
Examine the activities an individual company performs
Focus on the methods used to accomplish a particular process rather than on the outcome
Benchmarking
Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances

Due diligence: demonstration that the organization is diligent in ensuring that implemented standards continue to provide the required level of protection

Failure to support the standard of due care or due diligence can leave the organization open to legal liability

Benchmarking – Best Practices
Best business practices: security efforts that provide a superior level of protection of information

Available resources
◦ Federal Agency Security Project: http://fasp.nist.gov
◦ CERT web site: www.cert.org/security-improvement/

Seven Key Areas of Best Practice from Microsoft
1. Use antivirus software
2. Use strong passwords
3. Verify your software security settings
4. Update product security
5. Build personal firewalls
6. Back up early and often
7. Protect against power surges and loss

Problems with Applying Benchmarking and Best Practices
Organizations don't talk to each other (biggest problem)
No two organizations are identical
Best practices are a moving target
Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare you for what's next
Baselining
Analysis of measures against established standards

In information security, baselining is the comparison of security activities and events against the organization's own future performance

The information gathered for an organization's first risk assessment becomes the baseline for future comparison

KEY
"the goal of information security is not to bring residual risk to zero; it is to bring residual risk into line with an organization's comfort zone or risk appetite"
Documenting Results
At minimum, each information asset-threat pair should have a documented control strategy clearly identifying any remaining residual risk, and feasibility studies to justify the findings

Another option: document the outcome of the control strategy for each information asset-vulnerability pair as an action plan

Summary
Risk identification: formal process of examining and documenting risk present in information systems
Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components in the organization's information system
Risk identification
◦ A risk management strategy enables identification, classification, and prioritization of the organization's information assets
◦ Residual risk: risk that remains to the information asset even after the existing control is applied

Risk control: four strategies are used to control risks that result from vulnerabilities:
◦ Apply safeguards (avoidance)
◦ Transfer the risk (transference)
◦ Reduce impact (mitigation)
◦ Understand consequences and accept risk (acceptance)