Lec 9


Cybersecurity Essentials course

Lec. 9
Detailed Security Risk assessment

Dr. Eman zahran


Detailed Security Risk assessment

Risk:
the potential that a given threat will exploit vulnerabilities of
assets to cause loss or damage to the system.

The detailed security risk analysis is the formal approach.


• provides the most accurate evaluation of an organization’s IT
system’s security risks.
• but at the highest cost.
System Characterization
1- Determining security objectives and the broad risk
exposure related to:
– Wider political and social environment
– Legal and regulatory constraints

2- Defining the organization’s risk appetite
– The acceptable level of risk
3- Specifying the boundaries of risk assessment
• depends on the risk assessment approach
4- Deciding the risk assessment criteria to be used


Asset Identification
• Identify assets
valuable to organization to help achieve objectives
May be tangible or intangible
practically identify more important assets
• Also use the experience of people in relevant areas of the
organization
 identify and interview people
see checklists in various standards

Outcome: list of assets, with descriptions of their use
by, and value to, the organization

Threat Identification
Threat: a potential cause of an unwanted incident
which may result in harm to a system

• to identify threats or risks to assets consider:


who or what could cause it harm?
how could this occur?
• threats prevent assets from achieving:
confidentiality, integrity, availability, accountability,
authenticity and reliability
• assets may have multiple threats
Threat Sources
• threats are either:
 Natural (fire, flood, storm, earthquake)
 Human-made (accidental or intentional)
– an insider retrieving and selling information for personal gain
– a hacker targeting the organization’s server over the Internet; releasing a
worm that infects the organization’s systems
• should consider human attackers
 motivation
 capability
 resources
 probability of attack
• Consider previous attacks to the organization
Vulnerability Identification
Vulnerability: a weakness in an asset which can
be exploited by a threat
• identify weaknesses in organization’s IT
systems or processes in order to:
 determine applicability and significance of threat to
organization
 can be identified from standard lists of potential
vulnerabilities
Analyze Risks
• specifying the likelihood of occurrence of identified threat
 controls include management, operational, technical processes and
procedures to reduce exposure of organization to some risks

• Specifying the consequence to the organization

• Derive overall risk rating for each threat


risk = probability threat occurs x cost to organization

• in practice very hard to determine exactly


• use qualitative, not quantitative, ratings for each
• aim to order resulting risks in order to treat them
Likelihood Determination
Rating | Likelihood Description | Expanded Definition
1 | Rare | May occur only in exceptional circumstances and may be deemed as “unlucky” or very unlikely.
2 | Unlikely | Could occur at some time but not expected given current controls, circumstances, and recent events.
3 | Possible | Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences.
4 | Likely | Will probably occur in some circumstance and one should not be surprised if it occurred.
5 | Almost Certain | Is expected to occur in most circumstances and certainly sooner or later.

Consequences Determination
Rating | Consequence | Expanded Definition
1 | Insignificant | Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2 | Minor | Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3 | Moderate | Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4 | Major | Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a once off.
5 | Catastrophic | Major systemic security breach. Impact will last for 3 months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6 | Doomsday | Multiple instances of major systemic security breaches. Impact duration cannot be determined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management is expected, and substantial loss of business and
Determine Resultant Risk
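Rows: Likelihood. Columns: Consequences.

Likelihood | Doomsday | Catastrophic | Major | Moderate | Minor | Insignificant
Almost Certain | E | E | E | E | H | H
Likely | E | E | E | H | H | M
Possible | E | E | E | H | M | L
Unlikely | E | E | H | M | L | L
Rare | E | H | H | M | L | L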

Risk Level | Description
Extreme (E) | Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk are expected, with costs possibly exceeding original forecasts.
High (H) | Requires management attention, but management and planning can be left to senior project or team leaders. Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls are likely to be met from within existing resources.
Medium (M) | Can be managed by existing specific monitoring and response procedures. Management by employees is suitable with appropriate monitoring and reviews.
Low (L) | Can be managed through routine procedures.
Documentation
Document in Risk Register and Evaluate Risks

Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Risk Priority
Internet Router | Outside Hacker attack | Admin password only | Possible | Moderate | High | 1
Destruction of Data Center | Accidental Fire or Flood | None (no disaster recovery plan) | Unlikely | Major | High | 2

Provides senior management with the information needed to make appropriate decisions
as to how best to manage the identified risks.

The risks with the higher ratings are those that need action most urgently.
Risk Treatment
Risk Treatment Alternatives
• Risk acceptance: accept risk (perhaps because of
excessive cost of risk treatment)
• Risk avoidance: do not proceed with the activity that
causes the risk (loss of convenience)
• Risk transfer: buy insurance; outsource
• Reduce consequence: modify the uses of an asset to
reduce risk impact (e.g., offsite backup)
• Reduce likelihood: implement suitable controls
Case Study: Silver Star Mines
• Global mining company
• large IT infrastructure
– Common application software
– Some applications relate to health & safety
– Isolated systems now networked
• Decided on using combined approach
• Mining industry is a less risky sector
• Management accepts moderate or low risk
Assets
• Reliability and integrity of SCADA (Supervisory Control and Data Acquisition) nodes and network
• Integrity of stored file and database information
• Availability, integrity of financial system
• Availability, integrity of procurement system
• Availability, integrity of maintenance/production system
• Availability, integrity and confidentiality of mail services
Threats & Vulnerabilities
• unauthorized modification of control system
• corruption, theft, loss of information
• attacks/errors affecting procurement system
• attacks/errors affecting financial system
• attacks/errors affecting mail system
• attacks/errors affecting maintenance/production system
Risk Register
Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk | Risk Priority
Reliability and integrity of the SCADA nodes and network | Unauthorized modification of control system | layered firewalls & servers | Rare | Major | High | 1
Integrity of stored file and database information | Corruption, theft, loss of info | firewall, policies | Possible | Major | Extreme | 2
Availability and integrity of Financial System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 3
Availability and integrity of Procurement System | Attacks/errors affecting system | firewall, policies | Possible | Moderate | High | 4
Availability and integrity of Maintenance/Production System | Attacks/errors affecting system | firewall, policies | Possible | Minor | Medium | 5
Availability, integrity and confidentiality of mail services | Attacks/errors affecting system | firewall, ext mail gateway | Almost Certain | Minor | High | 6
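
Added example (not part of the lecture slides): the likelihood x consequence matrix from "Determine Resultant Risk" encoded as data and used to audit the Silver Star Mines register, checking that each recorded level matches the matrix and listing the risks above the stated risk appetite. Asset names are shortened, and treating "moderate" in the case study as the matrix's Medium level is an assumption.

```python
# Added example: the lecture's likelihood x consequence matrix as data,
# used to re-derive the "Level of Risk" column of a risk register.
CONSEQUENCES = ["Doomsday", "Catastrophic", "Major", "Moderate", "Minor", "Insignificant"]
MATRIX = {  # one letter per consequence column, rows as in the matrix table
    "Almost Certain": "EEEEHH",
    "Likely":         "EEEHHM",
    "Possible":       "EEEHML",
    "Unlikely":       "EEHMLL",
    "Rare":           "EHHMLL",
}
LEVELS = {"E": "Extreme", "H": "High", "M": "Medium", "L": "Low"}
ORDER = ["Low", "Medium", "High", "Extreme"]

def risk_level(likelihood, consequence):
    """Return the qualitative level; reject ratings that are not in the tables."""
    try:
        row = MATRIX[likelihood]
        col = CONSEQUENCES.index(consequence)
    except (KeyError, ValueError):
        raise ValueError(f"unknown rating: {likelihood!r} / {consequence!r}") from None
    return LEVELS[row[col]]

# (asset, likelihood, consequence, level recorded in the register, priority)
REGISTER = [
    ("SCADA nodes and network", "Rare", "Major", "High", 1),
    ("Stored file and database information", "Possible", "Major", "Extreme", 2),
    ("Financial system", "Possible", "Moderate", "High", 3),
    ("Procurement system", "Possible", "Moderate", "High", 4),
    ("Maintenance/production system", "Possible", "Minor", "Medium", 5),
    ("Mail services", "Almost Certain", "Minor", "High", 6),
]

def audit_register(register, appetite="Medium"):  # assumption: "moderate" == Medium
    """Return (rows disagreeing with the matrix, risks above the appetite)."""
    mismatches, needs_treatment = [], []
    for asset, likelihood, consequence, recorded, priority in sorted(register, key=lambda r: r[4]):
        derived = risk_level(likelihood, consequence)
        if derived != recorded:
            mismatches.append((asset, recorded, derived))
        if ORDER.index(derived) > ORDER.index(appetite):
            needs_treatment.append((priority, asset, derived))
    return mismatches, needs_treatment

if __name__ == "__main__":
    bad, todo = audit_register(REGISTER)
    print("rows disagreeing with the matrix:", bad)
    for priority, asset, level in todo:
        print(priority, asset, level)
```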
