Risk Management 101
Purpose
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the
impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps
to reduce risk to an acceptable level.
Guide Structure
The remaining sections of this guide discuss the following:
Section 2 provides an overview of risk management, how it fits into the system development life
cycle (SDLC), and the roles of individuals who support and use this process.
Section 3 describes the risk assessment methodology and the nine primary steps in conducting a
risk assessment of an IT system.
Section 4 describes the risk mitigation process, including risk mitigation options and strategy,
approach for control implementation, control categories, cost-benefit analysis, and residual risk.
Section 5 discusses the good practice and need for an ongoing risk evaluation and assessment
and the factors that will lead to a successful risk management program.
Risk Assessment
Risk assessment is the first process in the risk management methodology. Organizations use risk
assessment to determine the extent of the potential threat and the risk associated with an IT system.
The risk assessment methodology encompasses nine primary steps, which are
System-Related Information
Identifying risk for an IT system requires a keen understanding of the system’s processing environment.
The person or persons who conduct the risk assessment must therefore first collect system-related
information, which is usually classified as follows:
Hardware
Software
System interfaces (e.g., internal and external connectivity)
Data and information
Persons who support and use the IT system
System mission (e.g., the processes performed by the IT system)
System and data criticality (e.g., the system’s value or importance to an organization)
System and data sensitivity.
Additional information related to the operational environment of the IT system and its data includes,
but is not limited to, the following:
Output from Step 1 - Characterization of the IT system assessed, a good picture of the IT system
environment, and delineation of system boundary
Threat-Source Identification
The goal of this step is to identify the potential threat-sources and compile a threat statement listing
potential threat-sources that are applicable to the IT system being evaluated. A threat-source is defined
as any circumstance or event with the potential to cause harm to an IT system. The common
threat-sources can be natural, human, or environmental.
Motivation and Threat Action
Output from Step 2 - A threat statement containing a list of threat-sources that could exploit system
vulnerabilities
The NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, provides an
extensive questionnaire containing specific control objectives against which a system or group of
interconnected systems can be tested and measured. The control objectives are abstracted directly from
long-standing requirements found in statute, policy, and guidance on security and privacy.
The results of the checklist (or questionnaire) can be used as input for an evaluation of compliance and
noncompliance. This process identifies system, process, and procedural weaknesses that represent
potential vulnerabilities.
Output from Step 3 - A list of the system vulnerabilities (observations) that could be exercised by the
potential threat-sources
Control Methods
Security controls encompass the use of technical and nontechnical methods. Technical controls include
access control mechanisms, identification and authentication mechanisms, encryption methods, and
intrusion detection software. Nontechnical controls are management and operational controls, such as
security policies; operational procedures; and personnel, physical, and environmental security.
Control Categories
The control categories for both technical and nontechnical control methods can be further classified as
either preventive or detective.
Output from Step 4 - List of current or planned controls used for the IT system to mitigate the
likelihood of a vulnerability’s being exercised and reduce the impact of such an adverse event
This information can be obtained from existing organizational documentation, such as the mission
impact analysis report (business impact analysis [BIA]) or asset criticality assessment report. If this
documentation does not exist or such assessments for the organization’s IT assets have not been
performed, the system and data sensitivity can be determined based on the level of protection required
to maintain the system and data’s availability, integrity, and confidentiality. Regardless of the method
used to determine how sensitive an IT system and its data are, the system and information owners are
the ones responsible for determining the impact level for their own system and information.
The following list provides a brief description of each security goal and the consequence (or impact) of
its not being met:
Loss of Integrity: System and data integrity refers to the requirement that information be
protected from improper modification.
Loss of Availability: If a mission-critical IT system is unavailable to its end users, the
organization’s mission may be affected.
Loss of Confidentiality: System and data confidentiality refers to the protection of information
from unauthorized disclosure.
Some tangible impacts can be measured quantitatively in lost revenue, the cost of repairing the system,
or the level of effort required to correct problems caused by a successful threat action. Other impacts
(e.g., loss of public confidence, loss of credibility, damage to an organization’s interest) cannot be
measured in specific units but can be qualified or described in terms of high, medium, and low impacts.
Quantitative versus Qualitative Assessment
Quantitative risk assessment takes a more rigorous approach, using numeric data to perform risk
calculations in terms of financial value. This requires the use of several factors and formulas:
Organizations must first identify the asset value (AV) for each asset covered by the risk
assessment. AV is normally expressed in terms of dollar value. This can be done by using a
variety of valuation techniques, such as purchase price, replacement cost, or depreciated value.
For each risk facing an asset, the risk assessment process next identifies the exposure factor
(EF). The exposure factor is the amount of damage that would occur to an asset if the risk was to
materialize; this is normally expressed as a percentage. For example, if the risk of fire is likely to
destroy half of a data center, the EF is 50 percent.
The last input into the quantitative risk assessment process is the annualized rate of occurrence
(ARO). This is the likelihood that the risk will materialize. It is expressed as the number of times
the risk is expected to occur in a typical year. The value may be less than one if the risk is
expected less than once per year.
Next, the risk assessment process calculates the single loss expectancy (SLE). This is the impact
of the risk, expressed as the financial loss that occurs each time the risk materializes; it is
calculated by using this formula:
SLE = AV × EF
Finally, the risk is calculated as the product of likelihood (ARO) and impact (SLE) by using this
formula:
ALE = SLE × ARO
This formula provides the annualized loss expectancy (ALE), or the expected financial loss that
will occur due to the risk in a typical year.
1. Identify the asset value (AV). They might do this by consulting data center construction experts
and determining that the replacement cost of the data center would be $20 million. (AV = $20
million)
2. Determine the exposure factor (EF). Consulting with those same experts might identify that the
data center would be half destroyed by a significant earthquake. (EF = 50 percent)
3. Identify the annualized rate of occurrence (ARO). This is the likelihood of an earthquake
occurring in a particular year. The US Geological Survey estimates that the Bay Area is likely to
suffer an earthquake causing extensive damage once every 30 years. (ARO = 0.03)
4. Calculate the single loss expectancy (SLE). This is the impact of an earthquake, expressed as the
financial loss that a single earthquake would create, and is calculated as the product of the asset
value and exposure factor:
SLE = AV × EF
SLE = $20 million × 50 percent
SLE = $10 million
5. Calculate the annualized loss expectancy (ALE). This is the risk, expressed as the financial loss
from earthquakes expected in a typical year:
ALE = SLE × ARO
ALE = $10 million × 0.03
ALE = $300,000
A risk manager can now use the annualized loss expectancy to make risk-based decisions. For example,
an earthquake insurance policy with a $50,000 annual premium would be a good investment!
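The SLE/ALE calculation above, and the cost-benefit test it feeds, as an added example that is not part of the original handout. It reproduces the earthquake figures from the text (AV $20 million, EF 50 percent, ARO 0.03, $50,000 premium); the assumption that the policy removes the whole ALE is mine, not the text's.

```python
"""Quantitative risk assessment: SLE, ALE and a cost-benefit check.

Added example, not from the original handout. Reproduces the earthquake
scenario from the text and compares the resulting ALE against the $50,000
insurance premium. The residual ALE after the control is an assumed input.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction (0.5 for 50 percent)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1 for events rarer than yearly."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def control_is_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """Cost-benefit test: a control pays off when the annual risk it removes
    exceeds its annual cost (a $1,000 control against a $200 risk fails)."""
    return (ale_before - ale_after) > annual_cost


def earthquake_scenario() -> dict:
    """The text's worked numbers: AV $20M, EF 50 percent, ARO 0.03."""
    av, ef, aro = 20_000_000.0, 0.50, 0.03
    sle = single_loss_expectancy(av, ef)          # $10 million
    ale = annualized_loss_expectancy(sle, aro)    # $300,000
    # Assumption for illustration: the policy pays out in full, so the
    # residual ALE carried by the firm is treated as 0 in the comparison.
    premium = 50_000.0
    return {"sle": sle, "ale": ale,
            "insurance_justified": control_is_justified(ale, 0.0, premium)}


if __name__ == "__main__":
    r = earthquake_scenario()
    print(f"SLE=${r['sle']:,.0f} ALE=${r['ale']:,.0f} "
          f"insurance justified: {r['insurance_justified']}")
```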
Risk-Level Matrix
The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood
(e.g., probability) and threat impact.
For example:
The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, and 0.1 for Low.
The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.
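The likelihood-times-impact matrix above, as an added example that is not part of the original handout. It uses the text's rating values; the thresholds that turn a product into Low, Medium or High are taken from the NIST SP 800-30 risk scale (Low 1 to 10, Medium above 10 to 50, High above 50 to 100), which the text does not reproduce, so treat them as an assumption.

```python
"""Risk-level matrix: likelihood rating x impact rating -> risk level.

Added example, not from the original handout. Likelihood (1.0/0.5/0.1)
and impact (100/50/10) values are the text's; the Low/Medium/High
thresholds are assumed from the NIST SP 800-30 risk scale.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Multiply the likelihood and impact ratings (e.g. Medium x High = 50)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score to the NIST SP 800-30 scale (assumed thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Full 3x3 matrix keyed by (likelihood, impact) -> (score, level)."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


if __name__ == "__main__":
    # Note the asymmetry the multiplication produces: a Low-likelihood,
    # High-impact threat scores 10 and lands in Low, the same as High x Low.
    for (lk, im), (score, level) in risk_matrix().items():
        print(f"likelihood={lk:<6} impact={im:<6} score={score:>5.1f} -> {level}")
```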
The control recommendations are the results of the risk assessment process and provide input to the
risk mitigation process, during which the recommended procedural and technical security controls are
evaluated, prioritized, and implemented.
Output from Step 8 - Recommendation of control(s) and alternative solutions to mitigate risk
Output from Step 9 - Risk assessment report that describes the threats and vulnerabilities, measures
the risk, and provides recommendations for control implementation
Risk Mitigation
Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and
implementing the appropriate risk-reducing controls recommended from the risk assessment process.
Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of
senior management and functional and business managers to use the least-cost approach and
implement the most appropriate controls to decrease mission risk to an acceptable level, with minimal
adverse impact on the organization’s resources and mission.
Risk Assumption / Acceptance: To accept the potential risk and continue operating the IT system or to
implement controls to lower the risk to an acceptable level
Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain
functions of the system or shut down the system when risks are identified)
Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a
threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and
maintains controls
Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and
researching controls to correct the vulnerability
Risk Transference: To transfer the risk by using other options to compensate for the loss, such as
purchasing insurance.
It may not be practical to address all identified risks, so priority should be given to the threat and
vulnerability pairs that have the potential to cause significant mission impact or harm.
Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal
impact on other mission capabilities.
The following risk mitigation methodology describes the approach to control implementation:
Support: Supporting controls are generic and underlie most IT security capabilities. These
controls must be in place in order to implement other controls.
Prevent: Preventive controls focus on preventing security breaches from occurring in the first
place.
Detect and Recover: These controls focus on detecting and recovering from a security breach.
The following figure depicts the primary technical controls and the relationships between them.
Management Security Controls
Management security controls, in conjunction with technical and operational controls, are implemented
to manage and reduce the risk of loss and to protect an organization’s mission. Management security
controls are further divided into preventive, detection, and recovery controls.
Preventive Management Security Controls:
Assign security responsibility
Develop and maintain system security plans
Implement personnel security controls, including separation of duties, least privilege, and user
computer access registration and termination
Conduct security awareness and technical training
Detection Management Security Controls:
Implement personnel security controls, including personnel clearance, background investigations,
rotation of duties
Conduct periodic review of security controls
Perform periodic system audits
Conduct ongoing risk management to assess and mitigate risk
Authorize IT systems to address and accept residual risk
Recovery Management Security Controls:
Provide continuity of support
Establish an incident response capability
The purpose of a cost-benefit analysis is to demonstrate that the costs of implementing the controls can
be justified by the reduction in the level of risk. For example, the organization may not want to spend
$1,000 on a control to reduce a $200 risk.
A cost-benefit analysis for proposed new controls or enhanced controls encompasses the following:
Residual Risk
The risk remaining after the implementation of new or enhanced controls is the residual risk. Practically
no IT system is risk free, and not all implemented controls can eliminate the risk they are intended to
address or reduce the risk level to zero.
Risk Register
A risk register is a document used as a risk management tool and to fulfill regulatory compliance. It
acts as a repository for all identified risks and includes additional information about each risk, e.g.
the nature of the risk, its reference and owner, and its mitigation measures. It can be displayed as a
scatterplot or as a table.
Practical Example
As we have learned, risk management encompasses three processes: risk assessment, risk
mitigation, and evaluation and assessment. In the following example we perform a practical risk
management process, excluding the evaluation and assessment phase, which is the last phase and is
mostly about monitoring and control assessment status.
Problem
Given a scenario, perform risk management for XYZ, an insurance firm that handles and processes
sensitive information and is subject to the privacy regulations of its country.
Risk Assessment
Starting with the risk assessment phase.
Risk Mitigation
Control Implementation
In this phase further analysis of each risk is performed and certain decisions are finalized. The most
important part of this phase is the Implementation Plan Table.
Risk (Vulnerability / Threat Pair): Hackers can run a social engineering campaign to obtain sensitive
information or unauthorized access
Risk Level: Medium
Recommended Controls: 1 - It is highly recommended that there should be an effective cybersecurity
awareness program that should address phishing, social engineering and other human attacks and
vulnerabilities. 2 - Implement a phishing prevention technology that should prevent phishing attacks.
Action Priority: High
Selected Controls: Create cyber-security awareness program and educate employees
Responsible Team/Persons: Information Security Team
Start Date / End Date: 02-02-2020 to 02-05-2020
Maintenance / Comments: Create a training plan and inform the board on progress every second week.
Resources
https://www.smartsheet.com/free-risk-management-plan-templates