Chapter 4 - Risk Management

This chapter describes the process of risk management which involves identifying risks, assessing risks, and reducing risks to an acceptable level. It discusses identifying threats and vulnerabilities, prioritizing assets, and implementing controls. The key aspects of risk management are risk identification, which involves cataloging an organization's assets; risk assessment, which determines the likelihood and impact of risks; and risk control, which reduces risks through implementing safeguards. Performing risk management helps information security managers protect their organization's information assets from constantly evolving threats.

Uploaded by Ashura Osip

INFORMATION ASSURANCE AND SECURITY 1 38

Chapter 4: Risk Management

Overview
This chapter describes how to conduct a fundamental information security assessment by describing the
procedures for identifying and prioritizing threats and assets, and the procedures for identifying what
controls are in place to protect these assets from threats. The chapter also provides a discussion of the
various types of control mechanisms and identifies the steps involved in performing the initial risk
assessment. The chapter continues by defining risk management as the process of identifying, assessing,
and reducing risk to an acceptable level and implementing effective control measures to maintain that level
of risk. The chapter concludes with a discussion of risk analysis and the various types of feasibility analyses.

Learning Objectives
Upon completion of this material, you should be able to:
• Define risk management, risk identification, and risk control
• Describe how risk is identified and assessed
• Assess risk based on probability of occurrence and likely impact
• Explain the fundamental aspects of documenting risk via the process of risk assessment
• Describe the various risk mitigation strategy options
• Identify the categories that can be used to classify controls
• Recognize the existing conceptual frameworks for evaluating risk controls and formulate a
cost-benefit analysis
• Describe how to maintain and perpetuate risk controls

An Overview of Risk Management

Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s
information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Each of the
three elements in the C.I.A. triangle is an essential part of every IT organization’s ability to sustain long-
term competitiveness. When an organization depends on IT-based systems to remain viable, information
security and the discipline of risk management must become an integral part of the economic basis for
making business decisions. These decisions are based on trade-offs between the costs of applying
information systems controls and the benefits realized from the operation of secured, available systems.

Risk management involves three major undertakings:

• Risk identification is the examination and documentation of the security posture of an
organization’s information technology and the risks it faces.
• Risk assessment is the determination of the extent to which the organization’s information assets
are exposed or at risk.
• Risk control is the application of controls to reduce the risks to an organization’s data and
information systems.

Figure 4.1: Components of Risk Management

Consider for a moment the similarities between information security and warfare. Information security
managers and technicians are the defenders of information. The many threats discussed in Chapter 2 are
constantly attacking the defenses surrounding information assets. Defenses are built in layers, by placing
safeguard upon safeguard. The defenders attempt to prevent, protect, detect, and recover from a seemingly
endless series of attacks. Moreover, those defenders are legally prohibited from deploying offensive tactics,
so the attackers have no need to expend resources on defense. In order to be victorious, you, a defender,
must know yourself and know the enemy.

Know Yourself
First, you must identify, examine, and understand the information and systems currently in place within
your organization. This is self-evident. To protect assets, which are defined here as information and the
systems that use, store, and transmit information, you must know what they are, how they add value to the
organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can
identify what you are already doing to protect it. Just because a control is in place does not necessarily mean
that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the
necessary periodic review, revision, and maintenance. The policies, education and training programs, and
technologies that protect information must be carefully maintained and administered to ensure that they
remain effective.

Know the Enemy

Having identified your organization’s assets and weaknesses, you move on to Sun Tzu’s second step: Know
the enemy. This means identifying, examining, and understanding the threats facing the organization. You
must determine which threat aspects most directly affect the security of the organization and its information
assets, and then use this information to create a list of threats, each one ranked according to the importance
of the information assets that it threatens.

The Roles of the Communities of Interest

Each community of interest has a role to play in managing the risks that an organization encounters. Because
the members of the information security community best understand the threats and attacks that introduce
risk into the organization, they often take a leadership role in addressing risk.

All of the communities of interest must work together to address all levels of risk, which range from
disasters that can devastate the whole organization to the smallest employee mistakes. The three
communities of interest are also responsible for the following:

• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective

Risk Identification

A risk management strategy requires that information security professionals know their organizations’
information assets—that is, identify, classify, and prioritize them. Once the organizational assets have been
identified, a threat assessment process identifies and quantifies the risks facing each asset.

Figure 4.2: Components of Risk Identification

Plan and Organize the Process

Just as with any major information security undertaking, the first step in the Risk Identification process is
to follow your project management principles. You begin by organizing a team, typically consisting of
representatives of all affected groups. With risk identification, since risk can exist everywhere in the
organization, representatives will come from every department from users, to managers, to IT and InfoSec
groups. The process must then be planned out, with periodic deliverables, reviews, and presentations to
management.

Asset Identification and Inventory

This iterative process begins with the enumeration of assets, including all of the elements of an
organization’s system, such as people, procedures, data and information, software, hardware, and
networking elements. Then, you classify and categorize the assets, adding details as you dig deeper into the
analysis. The objective of this process is to establish the relative priority of the assets to the success of the
organization.

Table 4.1: Categorizing the Components of an Information System

The table above compares the categorizations found within a standard information system (people,
procedures, data and information, software, and hardware) with those found in an enhanced version, which
incorporates risk management and the SecSDLC approach. As you can see, the SecSDLC/risk management
categorization introduces a number of new subdivisions:

• People comprise employees and nonemployees. There are two subcategories of employees: those
who hold trusted roles and have correspondingly greater authority and accountability, and other
staff who have assignments without special privileges. Nonemployees include contractors and
consultants, members of other organizations with which the organization has a trust relationship,
and strangers.

• Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures. The business sensitive procedures are those that may enable a threat agent to
craft an attack against the organization or that have some other content or feature that may introduce
risk to the organization.

• Data components account for the management of information in all its states: transmission,
processing, and storage. These expanded categories solve the problem posed by the term data,
which is usually associated with databases and not the full range of modalities of data and
information used by a modern organization.

• Software components are assigned to one of three categories: applications, operating systems, or
security components. Security components can be applications or operating systems, but are
categorized as part of the information security control environment and must be protected more
thoroughly than other systems components.

• Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and
those devices that are part of information security control systems. The latter must be protected
more thoroughly than the former, since networking subsystems are often the focal point of attacks
against the system; they should be considered as special cases rather than combined with general
hardware and software components.

1. People, Procedures, and Data Asset Identification

Identifying human resources, documentation, and data assets is more difficult than identifying hardware
and software assets. People with knowledge, experience, and judgment should be assigned the task. As the
people, procedures, and data assets are identified, they should be recorded using a reliable data-handling
process. Whatever record keeping mechanism you use, be sure it has the flexibility to allow the specification
of attributes particular to the type of asset. Some attributes are unique to a class of elements. When deciding
which information assets to track, consider the following asset attributes:

• People: Position name/number/ID (avoid names and stick to identifying positions, roles, or
functions); supervisor; security clearance level; special skills
• Procedures: Description; intended purpose; relationship to software, hardware, and networking
elements; storage location for reference; storage location for update
• Data: Classification; owner, creator, and manager; size of data structure; data structure used
(sequential or relational); online or offline; location; backup procedures employed

2. Hardware, Software, and Network Asset Identification

Which attributes of hardware, software, and network assets should be tracked? It depends on the needs of
the organization and its risk management efforts, as well as the preferences and needs of the information
security and information technology communities. You may want to consider including the following asset
attributes:

• Name: Use the most common device or program name. Organizations may have several names for
the same product. For example, a software product might have a nickname used within the company
while it is in development, as well as a formal name used by marketing and vendors. Make sure
that the names you choose are meaningful to all the groups that use the information. You should
adopt naming standards that do not convey information to potential system attackers. For instance,
a server named CASH1 or HQ_FINANCE may entice attackers to take a shortcut to those systems.

• IP address: This can be a useful identifier for network devices and servers, but does not usually
apply to software. You can, however, use a relational database and track software instances on
specific servers or networking devices. Also note that many organizations use the Dynamic Host
Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making
the use of IP numbers as part of the asset identification process problematic. IP address use in
inventory is usually limited to those devices that use static IP addresses.

• Media access control (MAC) address: MAC addresses are sometimes called electronic serial
numbers or hardware addresses. As part of the TCP/IP standard, all network interface hardware
devices have a unique number. The MAC address number is used by the network operating system
to identify a specific network device. It is used by the client’s network software to recognize traffic
that it must process. In most settings, MAC addresses can be a useful way to track connectivity.
They can, however, be spoofed by some hardware and software combinations.

• Element type: For hardware, you can develop a list of element types, such as servers, desktops,
networking devices, or test equipment, to whatever degree of detail you require. For software
elements, you may choose to develop a list of types that includes operating systems, custom
applications by type (accounting, HR, or payroll to name a few), packaged applications, and
specialty applications, such as firewall programs. The needs of the organization determine the
degree of specificity. Types may, in fact, be recorded at two or more levels of specificity. Record
one attribute that classifies the asset at a high level and then add attributes for more detail.

• Serial number: For hardware devices, the serial number can uniquely identify a specific device.
Some software vendors also assign a software serial number to each instance of the program
licensed by the organization.

• Manufacturer name: Record the manufacturer of the device or software component. This can be
useful when responding to incidents that involve these devices or when certain manufacturers
announce specific vulnerabilities.

• Manufacturer’s model number or part number: Record the model or part number of the
element. This record of exactly what the element is can be very useful in later analysis of
vulnerabilities, because some vulnerability instances only apply to specific models of certain
devices and software components.

• Software version, update revision, or FCO number: Whenever possible, document the specific
software or firmware revision number and, for hardware devices, the current field change order
(FCO) number. An FCO is an authorization issued by an organization for the repair, modification,
or update of a piece of equipment. The equipment is not returned to the manufacturer, but is usually
repaired at the customer’s location, often by a third party. Documenting the revision number and
FCO is particularly important for networking devices that function mainly by means of the software
running on them. For example, firewall devices often have three versions: an operating system (OS)
version, a software version, and a basic input/output system (BIOS) firmware version. Depending
on your needs, you may have to track all three of those version numbers.

• Physical location: Note where this element is located physically. This may not apply to software
elements, but some organizations have license terms that specify where software can be used.

• Logical location: Note where this element can be found on the organization’s network. The logical
location is most useful for networking devices and indicates the logical network where the device
is connected.

• Controlling entity: Identify which organizational unit controls the element. Sometimes a remote
location’s onsite staff controls a networking device, and at other times the central networks team
controls other devices of the same make and model.

3. Automated Asset Inventory Tools

Automated tools can sometimes identify the system elements that make up hardware, software, and network
components. For example, many organizations use automated asset inventory systems. The inventory
listing is usually available in a database or can be exported to a database for custom information on security
assets. Once stored, the inventory listing must be kept current, often by means of a tool that periodically
refreshes the data.

4. Data Classification and Management

Corporate and military organizations use a variety of classification schemes. Many corporations use a data
classification scheme to help secure the confidentiality and integrity of information.

The typical information classification scheme has three categories: confidential, internal, and external.
Information owners are responsible for classifying the information assets for which they are responsible.
At least once a year, information owners must review information classifications to ensure the information
is still classified correctly and the appropriate access controls are in place.

The information classifications are as follows:

• Confidential: Used for the most sensitive corporate information that must be tightly controlled,
even within the company. Access to information with this classification is strictly on a need-to-
know basis or as required by the terms of a contract. Information with this classification may also
be referred to as “sensitive” or “proprietary.”

• Internal: Used for all internal information that does not meet the criteria for the confidential
category and is to be viewed only by corporate employees, authorized contractors, and other third
parties.

• External: All information that has been approved by management for public release.

The U.S. military classification scheme has a more complex categorization system than that of most
corporations. The military is perhaps the best-known user of data classification schemes. In order to
maintain the protection of the confidentiality of information, the military has invested heavily in INFOSEC
(information security), OPSEC (operations security), and COMSEC (communications security). In fact,
many of the developments in data communications and information security are the result of military-
sponsored research and development. For most information, the military uses a five-level classification
scheme: Unclassified, Sensitive but Unclassified (i.e., For Official Use Only), Confidential, Secret, and
Top Secret. Each of these is defined below:

• Unclassified data: Information that can generally be distributed to the public without any threat to
U.S. national interests.

• Sensitive But Unclassified data (SBU): “Any information of which the loss, misuse, or
unauthorized access to, or modification of might adversely affect U.S. national interests, the
conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.” Common
SBU categories include For Official Use Only, Not for Public Release, or For Internal Use Only.

• Confidential data: “Any information or material the unauthorized disclosure of which reasonably
could be expected to cause damage to the national security. Examples of damage include the
compromise of information that indicates strength of ground, air, and naval forces in the United
States and overseas areas; disclosure of technical information used for training, maintenance, and
inspection of classified munitions of war; revelation of performance characteristics, test data,
design, and production data on munitions of war.”

• Secret data: “Any information or material the unauthorized disclosure of which reasonably could
be expected to cause serious damage to the national security. Examples of serious damage include
disruption of foreign relations significantly affecting the national security; significant impairment
of a program or policy directly related to the national security; revelation of significant military
plans or intelligence operations; compromise of significant military plans or intelligence
operations; and compromise of significant scientific or technological developments relating to
national security.”

• Top Secret data: “Any information or material the unauthorized disclosure of which reasonably
could be expected to cause exceptionally grave damage to the national security. Examples of
exceptionally grave damage include armed hostilities against the United States or its allies;
disruption of foreign relations vitally affecting the national security; the compromise of vital
national defense plans or complex cryptologic and communications intelligence systems; the
revelation of sensitive intelligence operations; and the disclosure of scientific or technological
developments vital to national security.” This classification comes with the general expectation of
“crib-to-grave” protection, meaning that any individual entrusted with top-secret information is
expected to retain this level of confidence for his or her lifetime.

Most organizations do not need the detailed level of classification used by the military or federal agencies.
However, a simple scheme, such as the following, can allow an organization to protect such sensitive
information as marketing or research data, personnel data, customer data, and general internal
communications.

• Public: Information for general public dissemination, such as an advertisement or public release.

• For Official Use Only: Information that is not particularly sensitive, but not for public release,
such as internal communications.

• Sensitive: Information important to the business that could embarrass the company or cause loss
of market share if revealed.

• Classified: Information of the utmost secrecy to the organization, disclosure of which could
severely impact the well-being of the organization.

Classifying and Prioritizing Information Assets

Some organizations further subdivide the categories listed in Table 4.1. For example, the category “Internet
components” can be subdivided into servers, networking devices (routers, hubs, switches), protection
devices (firewalls, proxies), and cabling. Each of the other categories can be similarly subdivided as needed
by the organization.

You should also include a dimension to represent the sensitivity and security priority of the data and the
devices that store, transmit, and process the data—that is, a data classification scheme. Examples of data
classification categories are confidential, internal, and public. A data classification scheme generally
requires a corresponding personnel security clearance structure, which determines the level of information
individuals are authorized to view, based on what they need to know.

Information Asset Valuation

To assign value to information assets for risk assessment purposes, you can pose a number of questions and
collect your answers on a worksheet for later analysis. Before beginning the inventory process, the
organization should determine which criteria can best establish the value of the information assets. Among
the criteria to be considered are:

• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the most profitability?
• Which information asset would be the most expensive to replace?
• Which information asset would be the most expensive to protect?
• Which information asset would most expose the company to liability or embarrassment if revealed?

When it is necessary to calculate, estimate, or derive values for information assets, consideration might be
given to the following:

• Value retained from the cost of creating the information asset: Information is created or acquired
at some cost to the organization. The cost can be calculated or estimated. One category of this cost
is software development, and another is data collection and processing. Many organizations have
developed extensive cost accounting practices to capture the costs associated with the collection
and processing of data, as well as the costs of the software development and maintenance activities.

• Value retained from past maintenance of the information asset: It is estimated that for every dollar
spent developing an application or acquiring and processing data, many more dollars are spent on
maintenance over the useful life of the data or software. Such costs can be estimated by quantifying
the human resources used to continually update, support, modify, and service the applications and
systems associated with a particular information asset.

• Value implied by the cost of replacing the information: Another important cost associated with the
loss or damage to information is the cost associated with replacing or restoring the information.
This includes the human resource time needed to reconstruct, restore, or regenerate the information
from backups, independent transactions logs, or even hard copies of data sources. Most
organizations rely on routine media backups to protect their information, but lost real-time
information may not be recoverable from a tape backup, unless journaling capabilities are built into
the system process. To replace information in the system, the information may have to be
reconstructed, and the data reentered into the system and validated. This restoration can take longer
than it took to create the data.

• Value from providing the information: Different from the cost of developing or maintaining the
information is the cost of providing the information to the users who need it. This includes the value
associated with the delivery of the information via databases, networks, and hardware and software
systems. It also includes the cost of the infrastructure necessary to provide access and control of
the information.

• Value incurred from the cost of protecting the information: Here is a recursive dilemma: the value
of an asset is based in part on the cost of protecting it, while the amount of money spent to protect
an asset is based in part on the value of the asset. While this is a seemingly unsolvable circle of
logic, it is possible to estimate the value of the protection for an information asset to better
understand the value associated with its potential loss. The values listed previously are easy to
calculate. This and the following values are more likely to be estimates of cost.

• Value to owners: How much is your Social Security number worth to you? Or your telephone
number? It can be quite a daunting task to place a value on information. A market researcher
collects data from a company’s sales figures and determines that there is a strong market potential
for a certain age group with a certain demographic value for a new product offering. The cost
associated with the creation of this new information may be small, so how much is it actually
worth? It could be worth millions if it successfully defines a new market. The value of information
to an organization, or how much of the organization’s bottom line is directly attributable to the
information, may be impossible to estimate. However, it is vital to understand the overall cost of
protecting this information in order to understand its value. Here again, estimating value may be
the only method.

• Value of intellectual property: Related to the value of information is the specific consideration of
the value of intellectual property. The value of a new product or service to a customer may be
unknowable. How much would a cancer patient pay for a cure? How much would a shopper pay
for a new type of cheese? What is the value of an advertising jingle? All of these could represent
the intellectual property of an organization, yet their valuation is complex. A related but separate
consideration is intellectual properties known as trade secrets. These intellectual information assets
are so valuable that they are literally the primary assets of some organizations.

• Value to adversaries: How much would it be worth to an organization to know what the competition
is up to? Many organizations have departments that deal in competitive intelligence and that assess
and estimate the activities of their competition. Even organizations in traditionally not-for-profit
sectors can benefit from understanding what is going on in political, business, and competing
organizations.

There are likely to be company-specific criteria that may add value to the asset evaluation process. They
should be identified, documented, and added to the process. To finalize this step of the information asset
identification process, each organization should assign a weight to each asset based on the answers to the
chosen questions.

Information Asset Prioritization

Once the inventory and value assessment are complete, you can prioritize each asset using a straightforward
process known as weighted factor analysis, as shown in Table 4.2. In this process, each information asset
is assigned a score for each of a set of assigned critical factors. In the example shown in Table 4.2, there are
three assigned critical factors, and each asset is assessed a score for each of them. In the
example, the scores range from 0.1 to 1.0, which is the range of values recommended by NIST SP 800-30,
Risk Management for Information Technology Systems, a document published by the National Institute of
Standards and Technology. In addition, each of the critical factors is also assigned a weight (ranging from
1 to 100) to show that criterion’s assigned importance for the organization. An asset’s weighted score is the
sum, over all critical factors, of its score for that factor multiplied by the factor’s weight.

A quick review of Table 4.2 shows that the customer order via SSL (inbound) data flow is the most
important asset on this worksheet with a weighted score of 100, and that the EDI document set 2—supplier
fulfillment advice (inbound) is the least critical, with a score of 41.

Table 4.2: Example of a Weighted Factor Analysis Worksheet
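The weighted factor analysis described above, as an added example that is not part of the chapter or its worksheet: the factor names, their weights (assumed here to sum to 100) and the per-asset scores are constructed sample values, chosen so that the two assets the text names come out at 100 and 41, and the code rejects scores outside the 0.1 to 1.0 range the text gives.

```python
"""Weighted factor analysis for information asset prioritization.

Each asset gets a score from 0.1 to 1.0 for every critical factor (the range the
chapter attributes to NIST SP 800-30), each factor carries a weight from 1 to 100,
and the asset's weighted score is the sum of score * weight over all factors.
"""
from typing import Dict, Iterable, List, Tuple


class CriticalFactor:
    """One column of the worksheet: a criterion and its organizational weight."""

    def __init__(self, name: str, weight: int) -> None:
        if not 1 <= weight <= 100:
            raise ValueError(f"weight for {name!r} must be between 1 and 100, got {weight}")
        self.name = name
        self.weight = weight


class InformationAsset:
    """One row of the worksheet: an asset and its score under each factor."""

    def __init__(self, name: str, scores: Dict[str, float]) -> None:
        self.name = name
        self.scores = scores


def weighted_score(asset: InformationAsset, factors: Iterable[CriticalFactor]) -> float:
    """Sum of score * weight across factors; rejects missing or out-of-range scores."""
    total = 0.0
    for factor in factors:
        if factor.name not in asset.scores:
            raise ValueError(f"{asset.name!r} has no score for factor {factor.name!r}")
        score = asset.scores[factor.name]
        if not 0.1 <= score <= 1.0:
            raise ValueError(
                f"score {score} for {asset.name!r}/{factor.name!r} is outside 0.1..1.0"
            )
        total += score * factor.weight
    # Round away floating-point noise so that 0.3 * 30 reads as 9.0, not 8.999...
    return round(total, 1)


def prioritize(
    assets: Iterable[InformationAsset], factors: Iterable[CriticalFactor]
) -> List[Tuple[str, float]]:
    """Rank assets most critical first, as (asset name, weighted score) pairs."""
    factor_list = list(factors)
    ranked = [(asset.name, weighted_score(asset, factor_list)) for asset in assets]
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


# Constructed sample worksheet (assumption: three factors whose weights sum to 100).
# The per-asset scores are illustrative values chosen so that the two assets the
# chapter names score 100 and 41; they are not figures taken from Table 4.2.
FACTORS = [
    CriticalFactor("Impact to revenue", 30),
    CriticalFactor("Impact to profitability", 40),
    CriticalFactor("Impact to public image", 30),
]

ASSETS = [
    InformationAsset(
        "Customer order via SSL (inbound)",
        {"Impact to revenue": 1.0, "Impact to profitability": 1.0, "Impact to public image": 1.0},
    ),
    InformationAsset(
        "Customer service request via e-mail (inbound)",
        {"Impact to revenue": 0.4, "Impact to profitability": 0.4, "Impact to public image": 0.9},
    ),
    InformationAsset(
        "EDI document set 2 - supplier fulfillment advice (inbound)",
        {"Impact to revenue": 0.4, "Impact to profitability": 0.5, "Impact to public image": 0.3},
    ),
]

if __name__ == "__main__":
    # Print the worksheet ranking, most critical asset first.
    for name, score in prioritize(ASSETS, FACTORS):
        print(f"{score:6.1f}  {name}")
```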

Identifying and Prioritizing Threats

After identifying and performing the preliminary classification of an organization’s information assets, the
analysis phase moves on to an examination of the threats facing the organization. As you discovered in
Chapter 2, a wide variety of threats face an organization and its information and information systems. The
realistic threats must be investigated further while the unimportant threats are set aside. If you assume every
threat can and will attack every information asset, the project scope quickly becomes so complex it
overwhelms the ability to plan.

The threats to information security that you learned about in Chapter 2 are shown here in Table 4.3.

Table 4.3: Threats to Information Security


Table 4.4: Sample Vulnerability Assessment

Each of the threats from Table 4.3 must be examined to assess its potential to endanger the organization.
This examination is known as a threat assessment. You can begin a threat assessment by answering a few
basic questions, as follows:

 Which threats present a danger to an organization’s assets in the given environment?
 Which threats represent the most danger to the organization’s information?
 How much would it cost to recover from a successful attack?
 Which of the threats would require the greatest expenditure to prevent?

By answering these questions, you establish a framework for the discussion of threat assessment. This list
of questions may not cover everything that affects the information security threat assessment. If an
organization has specific guidelines or policies, these should influence the process and require additional
questions. This list can be easily expanded to include additional requirements.

Vulnerability Identification
Once you have identified the organization’s information assets and documented some criteria for beginning
to assess the threats it faces, you then review each information asset for each threat it faces and create a list
of vulnerabilities.

Now you examine how each of the threats that are possible or likely could be perpetrated, and list the
organization’s assets and their vulnerabilities. The list is usually long and shows all the vulnerabilities of
the information asset. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities
for that threat. The process of listing vulnerabilities is somewhat subjective and depends upon the
experience and knowledge of the people creating the list. Therefore, the process works best when groups
of people with diverse backgrounds within the organization work iteratively in a series of brainstorming
sessions. For instance, the team that reviews the vulnerabilities of networking equipment should include
the networking specialists, the systems management team that operates the network, the information
security risk specialist, and technically proficient users of the system.

Risk Assessment

Now that you have identified the organization’s information assets and the threats and vulnerabilities, you
can evaluate the relative risk for each of the vulnerabilities. This process is called risk assessment. Risk
assessment assigns a risk rating or score to each information asset. While this number does not mean
anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and
facilitates the development of comparative ratings later in the risk control process. The major stages of risk
assessment are shown in Figure 4.3.

Figure 4.3: Major Stages of Risk Assessment



Likelihood
Likelihood is the probability that a specific vulnerability will be the object of a successful attack. In risk
assessment, you assign a numeric value to likelihood. The National Institute of Standards and Technology
recommends in Special Publication 800-30 assigning a number between 0.1 (low) and 1.0 (high). For
example, the likelihood of an asset being struck by a meteorite while indoors would be rated 0.1. At the
other extreme, receiving at least one e-mail containing a virus or worm in the next year would be rated 1.0.
You could also choose to use a number between 1 and 100 (zero is not used, since vulnerabilities with a
zero likelihood have been removed from the asset/vulnerability list). Whichever rating system you choose,
use professionalism, experience, and judgment—and use the rating model you select consistently.
Whenever possible, use external references for likelihood values that have been reviewed and adjusted for
your specific circumstances. Many asset/vulnerability combinations have sources for likelihood, for
example:

 The likelihood of a fire has been estimated actuarially for each type of structure.
 The likelihood that any given e-mail contains a virus or worm has been researched.
 The number of network attacks can be forecast based on how many assigned network addresses the
organization has.

Risk Determination
For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence times value
(or impact) minus percentage risk already controlled plus an element of uncertainty, as illustrated in Figure
4.4. For example:

 Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a
likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent
accurate.

 Information asset B has a value score of 100 and has two vulnerabilities: Vulnerability 2 has a
likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a
likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent
accurate.

The resulting ranked list of risk ratings for the three vulnerabilities is:

 Asset A: Vulnerability 1 rated as 55 = (50 x 1.0) - 0% + 10% where
55 = (50 x 1.0) – ((50 x 1.0) x 0.0) + ((50 x 1.0) x 0.1)
55 = 50 – 0 + 5

 Asset B: Vulnerability 2 rated as 35 = (100 x 0.5) - 50% + 20% where
35 = (100 x 0.5) – ((100 x 0.5) x 0.5) + ((100 x 0.5) x 0.2)
35 = 50 – 25 + 10

 Asset B: Vulnerability 3 rated as 12 = (100 x 0.1) - 0% + 20% where
12 = (100 x 0.1) – ((100 x 0.1) x 0.0) + ((100 x 0.1) x 0.2)
12 = 10 – 0 + 2
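As an added example (not from the chapter or its references), the Python below carries the two calculations of this section through in code: the weighted factor analysis used for asset valuation in Table 4.2, and the relative risk rating formula worked above for Assets A and B. The factor names, weights and per-factor scores are constructed sample data, since the worksheet itself is not reproduced here; the risk inputs are the chapter's own figures.

```python
"""Added example, not from the chapter: weighted factor analysis (Table 4.2)
and the relative risk rating formula from the Risk Determination section.
Factor names, weights and per-factor scores are constructed sample data."""
from dataclasses import dataclass


def weighted_score(scores: dict[str, float], weights: dict[str, int]) -> float:
    """Weighted factor analysis: sum over factors of (weight x asset score).

    Scores use the NIST SP 800-30 range 0.1..1.0 and weights the range 1..100.
    The weights are required to sum to 100 so that, as in the chapter's
    worksheet, the most critical possible asset scores exactly 100.
    """
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    for factor, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {factor!r} must be within 0.1..1.0")
    return round(sum(w * scores[f] for f, w in weights.items()), 1)


# Constructed criteria and weights (1..100, summing to 100).
WEIGHTS = {"Impact to revenue": 30, "Impact to profitability": 40,
           "Impact to public image": 30}


def worksheet_totals() -> dict[str, float]:
    """Constructed per-factor scores for two of the chapter's assets, chosen so
    the weighted totals reproduce the 100 and 41 quoted in the text."""
    rows = {
        "Customer order via SSL (inbound)": {
            "Impact to revenue": 1.0, "Impact to profitability": 1.0,
            "Impact to public image": 1.0},
        "EDI document set 2, supplier fulfillment advice (inbound)": {
            "Impact to revenue": 0.3, "Impact to profitability": 0.5,
            "Impact to public image": 0.4},
    }
    return {asset: weighted_score(s, WEIGHTS) for asset, s in rows.items()}


@dataclass
class Vulnerability:
    name: str
    likelihood: float          # 0.1 (low) .. 1.0 (high), per SP 800-30
    controlled: float = 0.0    # fraction of the risk current controls address
    uncertainty: float = 0.0   # 1 - (estimated accuracy of assumptions/data)


def risk_rating(asset_value: float, vuln: Vulnerability) -> float:
    """risk = (value x likelihood) - risk already controlled + uncertainty.

    Both the controlled and the uncertainty terms are percentages of the
    value x likelihood product, exactly as in the chapter's worked figures.
    """
    exposure = asset_value * vuln.likelihood
    return round(exposure - exposure * vuln.controlled
                 + exposure * vuln.uncertainty, 2)


def ranked_risks(assets) -> list[tuple[str, str, float]]:
    """assets: iterable of (asset name, value score, [Vulnerability]).
    Returns (asset, vulnerability, rating) tuples, highest risk first."""
    rows = [(asset, v.name, risk_rating(value, v))
            for asset, value, vulns in assets for v in vulns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def chapter_ranking() -> list[tuple[str, str, float]]:
    """The chapter's Assets A and B with the figures given in the text."""
    assets = [
        ("Asset A", 50, [Vulnerability("Vulnerability 1", 1.0, 0.0, 0.1)]),
        ("Asset B", 100, [Vulnerability("Vulnerability 2", 0.5, 0.5, 0.2),
                          Vulnerability("Vulnerability 3", 0.1, 0.0, 0.2)]),
    ]
    return ranked_risks(assets)


if __name__ == "__main__":
    for asset, total in worksheet_totals().items():
        print(f"{total:5.1f}  {asset}")
    for asset, vuln, rating in chapter_ranking():
        print(f"{rating:5.1f}  {asset} / {vuln}")
```

The ranking it produces (55, 35, 12) is the one the text arrives at by hand; swapping in an organization's own worksheet rows and control coverage gives the ranked vulnerability worksheet used by the control strategies that follow.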

Identify Possible Controls


For each threat and its associated vulnerabilities that have residual risk, you must create a preliminary list
of potential controls. Residual risk is the risk to the information asset that remains even after the application
of controls.

There are three general categories of controls: policies, programs, and technologies.

 Policies are documents that specify an organization’s approach to security. There are four types of
security policies: general security policies, program security policies, issue-specific policies, and
systems-specific policies.
o The general security policy is an executive-level document that outlines the organization’s
approach and attitude toward information security and relates the strategic value of
information security within the organization. This document, typically created by the CIO
in conjunction with the CEO and CISO, sets the tone for all subsequent security activities.
o The program security policy is a planning document that outlines the process of
implementing security in the organization. This policy is the blueprint for the analysis,
design, and implementation of security.
o Issue-specific policies address the specific implementations or applications of which users
should be aware. These policies are typically developed to provide detailed instructions
and restrictions associated with security issues. Examples include policies for Internet use,
e-mail, and access to the building.
o Systems-specific policies address the particular use of certain systems. This could include
firewall configuration policies, systems access policies, and other technical configuration
areas.
 Programs are activities performed within the organization to improve security. These include
security education, training, and awareness programs.
 Security technologies are the technical implementations of the policies defined by the
organization.

Risk Control Strategies


When organizational management determines that risks from information security threats are creating a
competitive disadvantage, they empower the information technology and information security communities
of interest to control the risks. Once the project team for information security development has created the
ranked vulnerability worksheet, the team must choose one of five basic strategies to control each of the
risks that result from these vulnerabilities. The five strategies are defend, transfer, mitigate, accept, and
terminate.

Defend
The defend control strategy attempts to prevent the exploitation of the vulnerability. This is the preferred
approach and is accomplished by means of countering threats, removing vulnerabilities from assets, limiting
access to assets, and adding protective safeguards. There are three common methods used to defend:

 Application of policy
 Education and training
 Application of technology

Implementing the Defend Strategy


Organizations can mitigate risk to an asset by countering the threats it faces or by eliminating its exposure.
It is difficult, but possible, to eliminate a threat. For example, in 2002 McDonald’s Corporation, which had
been subject to attacks by animal rights cyberactivists, sought to reduce risks by imposing stricter conditions
on egg suppliers regarding the health and welfare of chickens. This strategy was consistent with other
changes made by McDonald’s to meet demands from animal rights activists and improve relationships with
these groups.

Another defend strategy is the implementation of security controls and safeguards to deflect attacks on
systems and therefore minimize the probability that an attack will be successful. An organization with a
dial-in access vulnerability, for example, may choose to implement a control or safeguard for that service.
An authentication procedure based on a cryptographic technology, such as RADIUS (Remote Authentication
Dial-In User Service), or another protocol or product, would provide sufficient control. On the other hand,
the organization may choose to eliminate the dial-in system and service to avoid the potential risk.

Transfer
The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
This can be accomplished by rethinking how services are offered, revising deployment models, outsourcing
to other organizations, purchasing insurance, or implementing service contracts with providers.

This principle should be considered whenever an organization begins to expand its operations, including
information and systems management and even information security. If an organization does not already
have quality security management and administration experience, it should hire individuals or firms that
provide such expertise.

Mitigate
The mitigate control strategy attempts to reduce the impact caused by the exploitation of a vulnerability
through planning and preparation. This approach requires the creation of three types of plans: the incident
response plan, the disaster recovery plan, and the business continuity plan. Each of these plans depends on
the ability to detect and respond to an attack as quickly as possible and relies on the quality of the other
plans. Mitigation begins with the early detection that an attack is in progress and a quick, efficient, and
effective response.

1. Incident Response Plan


The actions an organization can and perhaps should take while an incident is in progress should be specified
in a document called the incident response (IR) plan. The IR plan provides answers to questions victims
might pose in the midst of an incident, such as “What do I do now?” For example, a systems administrator
may notice that someone is copying information from the server without authorization, signaling violation
of policy by a potential hacker or an unauthorized employee. What should the administrator do first? Whom
should he or she contact? What should he or she document? The IR plan supplies the answers. In the event
of a serious virus or worm outbreak, the IR plan can be used to assess the likelihood of imminent damage
and to inform key decision makers in the various communities of interest (IT, information security,
organization management, and users). The IR plan also enables the organization to take coordinated action
that is either predefined and specific, or ad hoc and reactive.

2. Disaster Recovery Plan


The most common of the mitigation procedures is the disaster recovery (DR) plan. Although media backup
strategies are an integral part of the DR plan, the overall program includes the entire spectrum of activities
used to recover from an incident. The DR plan can include strategies to limit losses before and during the
disaster. These strategies are fully deployed once the disaster has stopped. DR plans usually include all
preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to
follow when the smoke clears, the dust settles, or the floodwaters recede. The DR plan and the IR plan
overlap to a degree. In many respects, the DR plan is the subsection of the IR plan that covers disastrous
events. The IR plan is also flexible enough to be useful in situations that are near disasters, but that still
require coordinated, planned actions. While some DR plan and IR plan decisions and actions are the same,
their urgency and outcomes can differ dramatically. The DR plan focuses more on preparations completed
before and actions taken after the incident, whereas the IR plan focuses on intelligence gathering,
information analysis, coordinated decision making, and urgent, concrete actions.

3. Business Continuity Plan


The business continuity (BC) plan is the most strategic and long-term of the three plans. It encompasses the
continuation of business activities if a catastrophic event occurs, such as the loss of an entire database,
building, or operations center. The BC plan includes planning the steps necessary to ensure the continuation
of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore
operations. This can include preparation steps for activation of secondary data centers, hot sites, or business
recovery sites, which you will learn about in detail in Chapter 5. These systems enable the organization to
continue operations with minimal disruption of service. Many companies offer DR services as a
contingency against disastrous events such as fires, floods, earthquakes, and most natural disasters.

Accept
The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome
of its exploitation. This may or may not be a conscious business decision. The only industry-recognized
valid use of this strategy occurs when the organization has done the following:

 Determined the level of risk
 Assessed the probability of attack
 Estimated the potential damage that could occur from attacks
 Performed a thorough cost benefit analysis
 Evaluated controls using each appropriate type of feasibility
 Decided that the particular function, service, information, or asset did not justify the cost of
protection

Terminate
The terminate control strategy directs the organization to avoid those business activities that introduce
uncontrollable risks. If an organization studies the risks from implementing business-to-consumer
e-commerce operations and determines that the risks are not sufficiently offset by the potential benefits, the
organization may seek an alternate mechanism to meet customer needs—perhaps developing new channels
for product distribution or new partnership opportunities. By terminating the questionable activity, the
organization reduces the risk exposure.

Selecting a Risk Control Strategy

Risk control involves selecting one of the five risk control strategies for each vulnerability. The flowchart
in Figure 4.4 guides you through the process of deciding how to proceed with one of the five strategies. As
shown in the diagram, after the information system is designed, you query as to whether the protected
system has vulnerabilities that can be exploited. If the answer is yes and a viable threat exists, you begin to
examine what the attacker would gain from a successful attack. To determine if the risk is acceptable or
not, you estimate the expected loss the organization will incur if the risk is exploited. Some rules of thumb
on strategy selection are presented below. When weighing the benefits of the different strategies, keep in
mind that the level of threat and value of the asset should play a major role in strategy selection.

 When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the
likelihood of a vulnerability being exercised.
 When a vulnerability can be exploited: Apply layered protections, architectural designs, and
administrative controls to minimize the risk or prevent occurrence.
 When the attacker’s cost is less than his or her potential gain: Apply protections to increase the
attacker’s cost (e.g., use system controls to limit what a system user can access and do, thereby
significantly reducing an attacker’s gain).
 When potential loss is substantial: Apply design principles, architectural designs, and technical and
nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

Figure 4.4: Risk Handling Decision Points

Feasibility Studies
Before deciding on the strategy (defend, transfer, mitigate, accept, or terminate) for a specific vulnerability,
the organization must explore all the economic and noneconomic consequences of the vulnerability facing
the information asset. This is an attempt to answer the question, “What are the actual and perceived
advantages of implementing a control as opposed to the actual and perceived disadvantages of
implementing the control?”

There are a number of ways to determine the advantage of a specific control. There are also many methods
an organization can use to identify the disadvantages of specific controls. The following sections discuss
some of the more commonly used techniques for making these choices. Note that some of these techniques
use dollar expenses and savings implied from economic cost avoidance, and others use noneconomic
feasibility criteria. Cost avoidance is the process of preventing the financial impact of an incident by
implementing a control.

Cost Benefit Analysis (CBA)


Organizations must consider the economic feasibility of implementing information security controls and
safeguards. While a number of alternatives for solving a problem may exist, they may not all have the same
economic feasibility. Most organizations can spend only a reasonable amount of time and money on
information security, and the definition of reasonable differs from organization to organization and even
from manager to manager. Organizations are urged to begin the cost benefit analysis by evaluating the
worth of the information assets to be protected and the loss in value if those information assets were
compromised by the exploitation of a specific vulnerability. It is only common sense that an organization
should not spend more to protect an asset than the asset is worth. The formal decision-making process is
called a cost benefit analysis or an economic feasibility study.

Just as it is difficult to determine the value of information, it is also difficult to determine the cost of
safeguards. Some of the items that affect the cost of a control or safeguard include the following:

 Cost of development or acquisition (purchase cost) of hardware, software, and services
 Training fees (cost to train personnel)
 Cost of implementation (cost to install, configure, and test hardware, software, and services)
 Service costs (vendor fees for maintenance and upgrades)
 Cost of maintenance (labor expense to verify and continually test, maintain, and update)

Benefit is the value that an organization realizes by using controls to prevent losses associated with a
specific vulnerability. The amount of the benefit is usually determined by valuing the information asset or
assets exposed by the vulnerability and then determining how much of that value is at risk and how much
risk there is for the asset.

Asset valuation is the process of assigning financial value or worth to each information asset. Some argue
that it is virtually impossible to determine the true value of information and information-bearing assets. The
valuation of assets involves estimation of real and perceived costs associated with design, development,
installation, maintenance, protection, recovery, and defense against loss and litigation. These estimates are
calculated for every set of information-bearing systems or information assets. Some component costs are
easy to determine, such as the cost to replace a network switch or the hardware needed for a specific class
of server. Other costs are almost impossible to determine accurately,

Evaluation, Assessment, and Maintenance of Risk Controls


The selection and implementation of a control strategy is not the end of a process; the strategy, and its
accompanying controls, must be monitored and re-evaluated on an ongoing basis to determine their
effectiveness and to calculate more accurately the estimated residual risk. Figure 4.4 shows how this
cyclical process is used to ensure that risks are controlled. Note that there is no exit from this cycle; it is a
process that continues for as long as the organization continues to function.

Figure 4.4: Risk Control Cycle

Risk Management Discussion Points

Not every organization has the collective will or budget to manage each vulnerability by applying controls;
therefore, each organization must define the level of risk it is willing to live with.

Risk Appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate
the tradeoffs between perfect security and unlimited accessibility. For instance, a financial services
company, regulated by government and conservative by nature, may seek to apply every reasonable control
and even some invasive controls to protect its information assets. Other, nonregulated organizations may
also be conservative by nature, seeking to avoid the negative publicity associated with the perceived loss
of integrity from the exploitation of a vulnerability. Thus, a firewall vendor may install a set of firewall
rules that are far stricter than normal because the negative consequence of being hacked would be
catastrophic in the eyes of its customers. Other organizations may take on dangerous risks through
ignorance. The reasoned approach to risk is one that balances the expense (in terms of finance and the
usability of information assets) of controlling vulnerabilities against the losses possible if these
vulnerabilities were exploited.

Residual Risk
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has
not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it
another way, “residual risk is a combined function of (1) a threat less the effect of threat-reducing
safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the
effect of asset value-reducing safeguards.”

Documenting Results
The results of risk assessment activities can be delivered in a number of ways: a report on a systematic
approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.

When the organization is pursuing an overall risk management program, it requires a systematic report that
enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each
of which has been justified by one or more feasibility or rationalization approaches. At a minimum, each
information asset-threat pair should have a documented control strategy that clearly identifies any residual
risk remaining after the proposed strategy has been executed. Furthermore, each control strategy should
articulate which of the four fundamental risk-reducing approaches will be used or how they might be
combined, and how that should justify the findings by referencing the feasibility studies. Additional
preparatory work for project management should be included where available.

Assessment

1. What is risk management? Why is the identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
3. Who is responsible for risk management in an organization? Which community of interest usually
takes the lead in information security risk management?
4. In risk management strategies, why must periodic review be a part of the process?
5. Why do networking components need more examination from an information security perspective
than from a systems development perspective?
6. What value does an automated asset inventory system have for the risk identification process?
7. What are vulnerabilities? How do you identify them?
8. Describe the “defend” strategy. List and describe the three common methods.
9. Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.
10. Describe the “mitigate” strategy. What three planning approaches are discussed in the text as
opportunities to mitigate risk?

References
1. Whitman, Michael. Principles of Information Security, 6th ed., 2018.
2. What is vulnerability? IFRC. (2021). https://www.ifrc.org/en/what-we-do/disaster-management/about-disasters/what-is-a-disaster/what-is-vulnerability/
3. Cost Benefit Analysis: An Expert Guide. Smartsheet. (2019). https://www.smartsheet.com/expert-guide-cost-benefit-analysis
4. Darby, Mark. (2019, December 6). ISO 27001 Help from ISMS.online. ISMS.online. https://www.isms.online/iso-27001/information-security-risk-management-explained/
