Chapter 4 - Risk Management
Overview
This chapter describes how to conduct a fundamental information security assessment by describing the
procedures for identifying and prioritizing threats and assets, and the procedures for identifying what
controls are in place to protect these assets from threats. The chapter also provides a discussion of the
various types of control mechanisms and identifies the steps involved in performing the initial risk
assessment. The chapter continues by defining risk management as the process of identifying, assessing,
and reducing risk to an acceptable level and implementing effective control measures to maintain that level
of risk. The chapter concludes with a discussion of risk analysis and the various types of feasibility analyses.
Learning Objectives
Upon completion of this material, you should be able to:
Define risk management, risk identification, and risk control
Describe how risk is identified and assessed
Assess risk based on probability of occurrence and likely impact
Explain the fundamental aspects of documenting risk via the process of risk assessment
Describe the various risk mitigation strategy options
Identify the categories that can be used to classify controls
Recognize the existing conceptual frameworks for evaluating risk controls and formulate a cost
benefit analysis
Describe how to maintain and perpetuate risk controls
Consider for a moment the similarities between information security and warfare. Information security
managers and technicians are the defenders of information. The many threats discussed in Chapter 2 are
constantly attacking the defenses surrounding information assets. Defenses are built in layers, by placing
safeguard upon safeguard. The defenders attempt to prevent, protect, detect, and recover from a seemingly
endless series of attacks. Moreover, those defenders are legally prohibited from deploying offensive tactics,
so the attackers have no need to expend resources on defense. In order to be victorious, you, a defender,
must know yourself and know the enemy.
Know Yourself
First, you must identify, examine, and understand the information and systems currently in place within
your organization. This is self-evident. To protect assets, which are defined here as information and the
systems that use, store, and transmit information, you must know what they are, how they add value to the
organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can
identify what you are already doing to protect it. Just because a control is in place does not necessarily mean
that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the
necessary periodic review, revision, and maintenance. The policies, education and training programs, and
technologies that protect information must be carefully maintained and administered to ensure that they
remain effective.
All of the communities of interest must work together to address all levels of risk, which range from
disasters that can devastate the whole organization to the smallest employee mistakes. The three
communities of interest are also responsible for the following:
Risk Identification
A risk management strategy requires that information security professionals know their organizations’
information assets—that is, identify, classify, and prioritize them. Once the organizational assets have been
identified, a threat assessment process identifies and quantifies the risks facing each asset.
organization, representatives will come from every department from users, to managers, to IT and InfoSec
groups. The process must then be planned out, with periodic deliverables, reviews, and presentations to
management.
The table above compares the categorizations found within a standard information system (people,
procedures, data and information, software, and hardware) with those found in an enhanced version, which
incorporates risk management and the SecSDLC approach. As you can see, the SecSDLC/risk management
categorization introduces a number of new subdivisions:
People comprise employees and nonemployees. There are two subcategories of employees: those
who hold trusted roles and have correspondingly greater authority and accountability, and other
staff who have assignments without special privileges. Nonemployees include contractors and
consultants, members of other organizations with which the organization has a trust relationship,
and strangers.
Procedures fall into two categories: IT and business standard procedures, and IT and business
sensitive procedures. The business sensitive procedures are those that may enable a threat agent to
INFORMATION ASSURANCE AND SECURITY 1 42
craft an attack against the organization or that have some other content or feature that may introduce
risk to the organization.
Data components account for the management of information in all its states: transmission,
processing, and storage. These expanded categories solve the problem posed by the term data,
which is usually associated with databases and not the full range of modalities of data and
information used by a modern organization.
Software components are assigned to one of three categories: applications, operating systems, or
security components. Security components can be applications or operating systems, but are
categorized as part of the information security control environment and must be protected more
thoroughly than other systems components.
Hardware is assigned to one of two categories: the usual systems devices and their peripherals, and
those devices that are part of information security control systems. The latter must be protected
more thoroughly than the former, since networking subsystems are often the focal point of attacks
against the system; they should be considered as special cases rather than combined with general
hardware and software components.
People: Position name/number/ID (avoid names and stick to identifying positions, roles, or
functions); supervisor; security clearance level; special skills
Procedures: Description; intended purpose; relationship to software, hardware, and networking
elements; storage location for reference; storage location for update
Data: Classification; owner, creator, and manager; size of data structure; data structure used
(sequential or relational); online or offline; location; backup procedures employed
Name: Use the most common device or program name. Organizations may have several names for
the same product. For example, a software product might have a nickname within the company use
while it is in development, as well as a formal name used by marketing and vendors. Make sure
that the names you choose are meaningful to all the groups that use the information. You should
adopt naming standards that do not convey information to potential system attackers. For instance,
a server named CASH1 or HQ_FINANCE may entice attackers to take a shortcut to those systems.
IP address: This can be a useful identifier for network devices and servers, but does not usually
apply to software. You can, however, use a relational database and track software instances on
specific servers or networking devices. Also note that many organizations use the Dynamic Host
Configuration Protocol (DHCP), which leases IP addresses to devices as needed and may reassign them,
making the use of IP addresses as part of the asset identification process problematic. IP address use in
inventory is usually limited to those devices that use static IP addresses (a fixed DHCP reservation is stable
in practice, but it depends on the DHCP server's configuration rather than on the device itself).
Media access control (MAC) address: MAC addresses are sometimes called electronic serial
numbers or hardware addresses. They are a link-layer construct defined by the IEEE 802 standards rather
than by TCP/IP: each network interface is assigned a 48-bit address that is intended to be unique. The MAC
address is used by the operating system and by switches to deliver frames to a specific interface, and by the
client's network stack to recognize traffic that it must process. In most settings, MAC addresses can be a
useful way to track connectivity. They can, however, be changed in software on nearly every operating
system, and many modern mobile clients randomize them by default, so a MAC address is an inventory hint,
not proof of a device's identity.
Element type: For hardware, you can develop a list of element types, such as servers, desktops,
networking devices, or test equipment, to whatever degree of detail you require. For software
elements, you may choose to develop a list of types that includes operating systems, custom
applications by type (accounting, HR, or payroll to name a few), packaged applications, and
specialty applications, such as firewall programs. The needs of the organization determine the
degree of specificity. Types may, in fact, be recorded at two or more levels of specificity. Record
one attribute that classifies the asset at a high level and then add attributes for more detail.
Serial number: For hardware devices, the serial number can uniquely identify a specific device.
Some software vendors also assign a software serial number to each instance of the program
licensed by the organization.
Manufacturer name: Record the manufacturer of the device or software component. This can be
useful when responding to incidents that involve these devices or when certain manufacturers
announce specific vulnerabilities.
Manufacturer’s model number or part number: Record the model or part number of the
element. This record of exactly what the element is can be very useful in later analysis of
vulnerabilities, because some vulnerability instances only apply to specific models of certain
devices and software components.
Software version, update revision, or FCO number: Whenever possible, document the specific
software or firmware revision number and, for hardware devices, the current field change order
(FCO) number. An FCO is an authorization issued by an organization for the repair, modification,
or update of a piece of equipment. The equipment is not returned to the manufacturer, but is usually
repaired at the customer’s location, often by a third party. Documenting the revision number and
FCO is particularly important for networking devices that function mainly by means of the software
running on them. For example, firewall devices often have three versions: an operating system (OS)
version, a software version, and a basic input/output system (BIOS) firmware version. Depending
on your needs, you may have to track all three of those version numbers.
Physical location: Note where this element is located physically. This may not apply to software
elements, but some organizations have license terms that specify where software can be used.
Logical location: Note where this element can be found on the organization’s network. The logical
location is most useful for networking devices and indicates the logical network where the device
is connected.
Controlling entity: Identify which organizational unit controls the element. Sometimes a remote
location’s onsite staff controls a networking device, and at other times the central networks team
controls other devices of the same make and model.
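To make the attribute rules above concrete, here is an added example (not part of the chapter) that audits constructed inventory records against them: the naming standard (no names that advertise what a system is for), the rule that a DHCP-assigned IP address is not an identifier, the version/FCO and controlling-entity fields, and the caveat that a MAC address is only a hint. The record layout, the list of revealing terms, and the sample assets are all assumptions.

```python
"""Audit asset-inventory records against the attribute rules in the text.
Added example; the record layout, term list and sample data are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Words that advertise what a system is for (the text's CASH1 / HQ_FINANCE
# example). Assumed list; extend it for your organization.
REVEALING_TERMS = {"cash", "finance", "payroll", "hr", "backup", "admin", "vpn", "pci"}
# Six hex octets separated consistently by ':' or '-'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])([0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


@dataclass
class Asset:
    """One inventory record; fields mirror the attributes listed in the text."""
    name: str
    element_type: str
    manufacturer: str = ""
    model: str = ""
    version: str = ""           # software/firmware revision or FCO number
    ip: str = ""
    static_ip: bool = False     # True only if the address is statically assigned
    mac: str = ""
    controlling_entity: str = ""


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase colon-separated hex, or '' if malformed."""
    if not MAC_RE.match(mac):
        return ""
    return mac.lower().replace("-", ":")


def audit_asset(a: Asset) -> list[str]:
    """Return the inventory-quality findings for one record (empty = clean)."""
    findings = []
    tokens = set(re.findall(r"[a-z]+", a.name.lower()))   # "CASH1" -> {"cash"}
    if tokens & REVEALING_TERMS:
        findings.append("name reveals the system's purpose; apply the naming standard")
    if a.ip:
        try:
            ipaddress.ip_address(a.ip)
        except ValueError:
            findings.append(f"malformed IP address {a.ip!r}")
        else:
            if not a.static_ip:
                findings.append("IP address is DHCP-assigned; do not use it as an identifier")
    if a.mac and not normalize_mac(a.mac):
        findings.append(f"malformed MAC address {a.mac!r}")
    if not a.version:
        findings.append("software/firmware version or FCO number not recorded")
    if not a.controlling_entity:
        findings.append("controlling entity not recorded")
    return findings


def audit_inventory(assets: list[Asset]) -> dict[str, list[str]]:
    """Map each asset name to its findings; only assets with findings appear."""
    report = {}
    for a in assets:
        found = audit_asset(a)
        if found:
            report[a.name] = found
    return report


# Constructed sample records (not real hosts).
SAMPLE_INVENTORY = [
    Asset("srv-app-03", "server", "Dell", "R750", "BIOS 1.9.2", "10.20.30.7", True,
          "00-1A-2B-3C-4D-5E", "Central networks team"),
    Asset("CASH1", "server", "HP", "DL380", "", "10.20.30.55", False,
          "00:1a:2b:3c:4d:5f", ""),
    Asset("HQ_FINANCE", "desktop", "Lenovo", "M70", "22H2", "10.20.31.9", False,
          "zz:zz:zz:zz:zz:zz", "Finance IT"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

The audit is deliberately strict about the version field because, as the text notes, vulnerability advisories usually apply to specific models and revisions; an inventory that lacks them cannot be matched against a vendor advisory when one arrives.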
The typical information classification scheme has three categories: confidential, internal, and external.
Information owners are responsible for classifying the information assets for which they are responsible.
At least once a year, information owners must review information classifications to ensure the information
is still classified correctly and the appropriate access controls are in place.
Confidential: Used for the most sensitive corporate information that must be tightly controlled,
even within the company. Access to information with this classification is strictly on a need-to-
know basis or as required by the terms of a contract. Information with this classification may also
be referred to as “sensitive” or “proprietary.”
Internal: Used for all internal information that does not meet the criteria for the confidential
category and is to be viewed only by corporate employees, authorized contractors, and other third
parties.
External: All information that has been approved by management for public release.
The U.S. military classification scheme has a more complex categorization system than that of most
corporations. The military is perhaps the best-known user of data classification schemes. In order to
maintain the protection of the confidentiality of information, the military has invested heavily in INFOSEC
(information security), OPSEC (operations security), and COMSEC (communications security). In fact,
many of the developments in data communications and information security are the result of military-
sponsored research and development. For most information, the military uses a five-level classification
scheme: Unclassified, Sensitive but Unclassified (i.e., For Official Use Only), Confidential, Secret, and
Top Secret. Each of these is defined below:
Unclassified data: Information that can generally be distributed to the public without any threat to
U.S. national interests.
Sensitive But Unclassified data (SBU): “Any information of which the loss, misuse, or
unauthorized access to, or modification of might adversely affect U.S. national interests, the
conduct of Department of Defense (DoD) programs, or the privacy of DoD personnel.” Common
SBU categories include For Official Use Only, Not for Public Release, or For Internal Use Only. (Within
DoD, the SBU and FOUO markings have since been superseded by the Controlled Unclassified Information
(CUI) program, but the idea of an unclassified-yet-protected tier is unchanged.)
Confidential data: “Any information or material the unauthorized disclosure of which reasonably
could be expected to cause damage to the national security. Examples of damage include the
compromise of information that indicates strength of ground, air, and naval forces in the United
States and overseas areas; disclosure of technical information used for training, maintenance, and
inspection of classified munitions of war; revelation of performance characteristics, test data,
design, and production data on munitions of war.”
Secret data: “Any information or material the unauthorized disclosure of which reasonably could
be expected to cause serious damage to the national security. Examples of serious damage include
disruption of foreign relations significantly affecting the national security; significant impairment
of a program or policy directly related to the national security; revelation of significant military
plans or intelligence operations; compromise of significant military plans or intelligence
operations; and compromise of significant scientific or technological developments relating to
national security.”
Top Secret data: “Any information or material the unauthorized disclosure of which reasonably
could be expected to cause exceptionally grave damage to the national security. Examples of
exceptionally grave damage include armed hostilities against the United States or its allies;
disruption of foreign relations vitally affecting the national security; the compromise of vital
national defense plans or complex cryptologic and communications intelligence systems; the
revelation of sensitive intelligence operations; and the disclosure of scientific or technological
developments vital to national security.” This classification comes with the general expectation of
“crib-to-grave” protection, meaning that any individual entrusted with top-secret information is
expected to retain this level of confidence for his or her lifetime.
Most organizations do not need the detailed level of classification used by the military or federal agencies.
However, a simple scheme, such as the following, can allow an organization to protect such sensitive
information as marketing or research data, personnel data, customer data, and general internal
communications.
Public: Information for general public dissemination, such as an advertisement or public release.
For Official Use Only: Information that is not particularly sensitive, but not for public release,
such as internal communications.
Sensitive: Information important to the business that could embarrass the company or cause loss
of market share if revealed.
Classified: Information of the utmost secrecy to the organization, disclosure of which could
severely impact the well-being of the organization.
You should also include a dimension to represent the sensitivity and security priority of the data and the
devices that store, transmit, and process the data—that is, a data classification scheme. Examples of data
classification categories are confidential, internal, and public. A data classification scheme generally
requires a corresponding personnel security clearance structure, which determines the level of information
individuals are authorized to view, based on what they need to know.
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the most profitability?
Which information asset would be the most expensive to replace?
Which information asset would be the most expensive to protect?
Which information asset would most expose the company to liability or embarrassment if revealed?
When it is necessary to calculate, estimate, or derive values for information assets, consideration might be
given to the following:
Value retained from the cost of creating the information asset: Information is created or acquired
at some cost to the organization. The cost can be calculated or estimated. One category of this cost
is software development, and another is data collection and processing. Many organizations have
developed extensive cost accounting practices to capture the costs associated with the collection
and processing of data, as well as the costs of the software development and maintenance activities.
Value retained from past maintenance of the information asset: It is estimated that for every dollar
spent developing an application or acquiring and processing data, many more dollars are spent on
maintenance over the useful life of the data or software. Such costs can be estimated by quantifying
the human resources used to continually update, support, modify, and service the applications and
systems associated with a particular information asset.
Value implied by the cost of replacing the information: Another important cost associated with the
loss or damage to information is the cost associated with replacing or restoring the information.
This includes the human resource time needed to reconstruct, restore, or regenerate the information
from backups, separately maintained transaction logs, or even hard copies of data sources. Most
organizations rely on routine media backups to protect their information, but lost real-time
information may not be recoverable from a tape backup, unless journaling capabilities are built into
the system process. To replace information in the system, the information may have to be
reconstructed, and the data reentered into the system and validated. This restoration can take longer
than it took to create the data.
Value from providing the information: Different from the cost of developing or maintaining the
information is the cost of providing the information to the users who need it. This includes the value
associated with the delivery of the information via databases, networks, and hardware and software
systems. It also includes the cost of the infrastructure necessary to provide access and control of
the information.
Value incurred from the cost of protecting the information: Here is a recursive dilemma: the value
of an asset is based in part on the cost of protecting it, while the amount of money spent to protect
an asset is based in part on the value of the asset. While this is a seemingly unsolvable circle of
logic, it is possible to estimate the value of the protection for an information asset to better
understand the value associated with its potential loss. The values listed previously are easy to
calculate. This and the following values are more likely to be estimates of cost.
Value to owners: How much is your Social Security number worth to you? Or your telephone
number? It can be quite a daunting task to place a value on information. A market researcher
collects data from a company’s sales figures and determines that there is a strong market potential
for a certain age group with a certain demographic value for a new product offering. The cost
associated with the creation of this new information may be small, so how much is it actually
worth? It could be worth millions if it successfully defines a new market. The value of information
to an organization, or how much of the organization’s bottom line is directly attributable to the
information, may be impossible to estimate. However, it is vital to understand the overall cost of
protecting this information in order to understand its value. Here again, estimating value may be
the only method.
Value of intellectual property: Related to the value of information is the specific consideration of
the value of intellectual property. The value of a new product or service to a customer may be
unknowable. How much would a cancer patient pay for a cure? How much would a shopper pay
for a new type of cheese? What is the value of an advertising jingle? All of these could represent
the intellectual property of an organization, yet their valuation is complex. A related but separate
consideration is intellectual properties known as trade secrets. These intellectual information assets
are so valuable that they are literally the primary assets of some organizations.
Value to adversaries: How much would it be worth to an organization to know what the competition
is up to? Many organizations have departments that deal in competitive intelligence and that assess
and estimate the activities of their competition. Even organizations in traditionally not-for-profit
sectors can benefit from understanding what is going on in political, business, and competing
organizations.
There are likely to be company-specific criteria that may add value to the asset evaluation process. They
should be identified, documented, and added to the process. To finalize this step of the information asset
identification process, each organization should assign a weight to each asset based on the answers to the
chosen questions.
A quick review of Table 4-2 shows that the customer order via SSL (inbound) data flow is the most
important asset on this worksheet with a weighted score of 100, and that the EDI document set 2—supplier
fulfillment advice (inbound) is the least critical, with a score of 41.
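The weighting step just described, as an added example rather than the chapter's own worksheet: each asset is scored 0.1 to 1.0 against a small set of criteria, each criterion carries a weight, and the weighted sum ranks the assets. The criteria, weights, and scores below are constructed; they are chosen so that the two totals cited in the text (100 for the SSL customer order, 41 for EDI document set 2) fall out of the arithmetic, and the two other assets are invented.

```python
"""Weighted factor analysis of information assets (added example).
Criteria, weights and scores are constructed; they are chosen so that the
two totals the text cites (100 and 41) come out of the arithmetic."""

# Assumed criteria and weights; weights must sum to 100.
CRITERIA = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Assumed scores per asset, 0.1 (low) to 1.0 (high), in CRITERIA order.
ASSET_SCORES = {
    "EDI document set 1 - logistics advice to outsourcer (outbound)": (0.8, 0.9, 0.5),
    "EDI document set 2 - supplier fulfillment advice (inbound)": (0.3, 0.5, 0.4),
    "Customer service request via e-mail (inbound)": (0.4, 0.3, 0.9),
    "Customer order via SSL (inbound)": (1.0, 1.0, 1.0),
}


def validate(criteria: dict[str, int], scores_by_asset: dict[str, tuple]) -> None:
    """Reject worksheets whose weights or scores are outside the agreed scale."""
    if sum(criteria.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    for name, scores in scores_by_asset.items():
        if len(scores) != len(criteria):
            raise ValueError(f"{name}: expected {len(criteria)} scores, got {len(scores)}")
        if any(not 0.1 <= s <= 1.0 for s in scores):
            raise ValueError(f"{name}: scores must be between 0.1 and 1.0")


def weighted_score(scores: tuple, criteria: dict[str, int]) -> float:
    """Sum of score x weight over the criteria, rounded to avoid float noise."""
    return round(sum(s * w for s, w in zip(scores, criteria.values())), 2)


def rank_assets(criteria: dict[str, int], scores_by_asset: dict[str, tuple]) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important first."""
    validate(criteria, scores_by_asset)
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in scores_by_asset.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score in rank_assets(CRITERIA, ASSET_SCORES):
        print(f"{score:6.1f}  {name}")
```

The validation step matters more than it looks: a worksheet whose weights do not sum to 100, or whose scores drift outside the 0.1 to 1.0 scale, produces totals that cannot be compared across assets, which defeats the purpose of the ranking.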
The threats to information security that you learned about in Chapter 2 are shown here in Table 4.3.
Each of the threats from Table 4.3 must be examined to assess its potential to endanger the organization.
This examination is known as a threat assessment. You can begin a threat assessment by answering a few
basic questions, as follows:
By answering these questions, you establish a framework for the discussion of threat assessment. This list
of questions may not cover everything that affects the information security threat assessment. If an
organization has specific guidelines or policies, these should influence the process and require additional
questions. This list can be easily expanded to include additional requirements.
Vulnerability Identification
Once you have identified the organization’s information assets and documented some criteria for beginning
to assess the threats it faces, you then review each information asset for each threat it faces and create a list
of vulnerabilities.
Now you examine how each of the threats that are possible or likely could be perpetrated, and list the
organization’s assets and their vulnerabilities. The list is usually long and shows all the vulnerabilities of
the information asset. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities
for that threat. The process of listing vulnerabilities is somewhat subjective and depends upon the
experience and knowledge of the people creating the list. Therefore, the process works best when groups
of people with diverse backgrounds within the organization work iteratively in a series of brainstorming
sessions. For instance, the team that reviews the vulnerabilities of networking equipment should include
the networking specialists, the systems management team that operates the network, the information
security risk specialist, and technically proficient users of the system.
Risk Assessment
Now that you have identified the organization’s information assets and the threats and vulnerabilities, you
can evaluate the relative risk for each of the vulnerabilities. This process is called risk assessment. Risk
assessment assigns a risk rating or score to each information asset. While this number does not mean
anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and
facilitates the development of comparative ratings later in the risk control process. The major stages of risk
assessment are shown in Figure 4.3.
Likelihood
Likelihood is the probability that a specific vulnerability will be the object of a successful attack. In risk
assessment, you assign a numeric value to likelihood. The original (2002) edition of the National Institute
of Standards and Technology's Special Publication 800-30 recommends assigning 0.1 (low), 0.5 (medium),
or 1.0 (high); the 2012 revision (SP 800-30 Rev. 1) uses qualitative and semi-quantitative scales instead, but
the principle of a bounded, consistently applied rating is the same. For example, the likelihood of an asset
being struck by a meteorite while indoors would be rated 0.1. At the other extreme, receiving at least one
e-mail containing a virus or worm in the next year would be rated 1.0. You could also choose to use a number
between 1 and 100 (zero is not used, since vulnerabilities with a zero likelihood have been removed from the
asset/vulnerability list). Whichever rating system you choose, use professionalism, experience, and
judgment, and use the rating model you select consistently: ratings are only comparable with one another
when every vulnerability is scored on the same scale.
Whenever possible, use external references for likelihood values that have been reviewed and adjusted for
your specific circumstances. Many asset/vulnerability combinations have sources for likelihood, for
example:
The likelihood of a fire has been estimated actuarially for each type of structure.
The likelihood that any given e-mail contains a virus or worm has been researched.
The number of network attacks can be forecast based on how many assigned network addresses the
organization has.
Risk Determination
For the purpose of relative risk assessment, the risk rating of a vulnerability is the likelihood of its
occurrence multiplied by the value (or impact) of the asset, reduced by the percentage of that risk already
mitigated by current controls, and increased by an uncertainty factor that reflects how incomplete your
knowledge of the vulnerability is, as illustrated in Figure 4.4. Written out, with both percentages applied to
the likelihood-times-value product:
risk rating = (likelihood × value) − (likelihood × value × percent controlled) + (likelihood × value × percent uncertainty)
For example:
Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a
likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent
accurate, so the uncertainty is 10 percent.
Information asset B has a value score of 100 and has two vulnerabilities: Vulnerability 2 has a
likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a
likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent
accurate, so the uncertainty is 20 percent.
The resulting ranked list of risk ratings for the three vulnerabilities is:
Asset A, vulnerability 1: (1.0 × 50) − 0 + (50 × 0.10) = 55
Asset B, vulnerability 2: (0.5 × 100) − (50 × 0.50) + (50 × 0.20) = 35
Asset B, vulnerability 3: (0.1 × 100) − 0 + (10 × 0.20) = 12
The ratings are relative: 55 is neither a probability nor a dollar figure, only a rank against 35 and 12.
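The risk-determination arithmetic above, as an added example (not code from the chapter): the function implements the likelihood-times-value formula with the control and uncertainty adjustments, rejects the zero-likelihood case the text says is removed from the list, and ranks a set of vulnerabilities. The three records are the ones from the worked example; the record layout and the field names are assumptions.

```python
"""Relative risk rating (added example). Implements
risk = L*V - L*V*controlled + L*V*uncertainty for a list of vulnerabilities
and ranks them; the three records are the ones from the example in the text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: int
    asset_value: float          # value/impact score, e.g. from a weighted factor analysis
    likelihood: float           # 0.1 (low) .. 1.0 (high); zero is not permitted
    controlled: float = 0.0     # fraction of the risk already mitigated, 0..1
    uncertainty: float = 0.0    # 1 minus the estimated accuracy of assumptions/data, 0..1


def risk_rating(v: Vulnerability) -> float:
    """Likelihood x value, less the controlled share, plus the uncertainty share."""
    if not 0.0 < v.likelihood <= 1.0:
        raise ValueError("likelihood must be in (0, 1]; zero-likelihood items are dropped from the list")
    if not (0.0 <= v.controlled <= 1.0 and 0.0 <= v.uncertainty <= 1.0):
        raise ValueError("controlled and uncertainty are fractions between 0 and 1")
    base = v.likelihood * v.asset_value
    return round(base - base * v.controlled + base * v.uncertainty, 2)


def rank_vulnerabilities(vulns: list[Vulnerability]) -> list[tuple[str, float]]:
    """Return ('asset/Vn', rating) pairs, highest relative risk first."""
    rated = [(f"{v.asset}/V{v.vuln_id}", risk_rating(v)) for v in vulns]
    rated.sort(key=lambda item: item[1], reverse=True)
    return rated


# The three vulnerabilities from the worked example in the text.
EXAMPLE = [
    Vulnerability("A", 1, 50, 1.0, controlled=0.0, uncertainty=0.10),   # data 90% accurate
    Vulnerability("B", 2, 100, 0.5, controlled=0.5, uncertainty=0.20),  # data 80% accurate
    Vulnerability("B", 3, 100, 0.1, controlled=0.0, uncertainty=0.20),
]

if __name__ == "__main__":
    for label, rating in rank_vulnerabilities(EXAMPLE):
        print(f"{label}: {rating}")
```

Because the control and uncertainty terms both scale with likelihood × value, a control that "addresses 50 percent of the risk" on a high-value asset removes far more rating points than the same control on a low-value one, which is the behaviour you want when the ranking drives where controls are spent first.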
There are three general categories of controls: policies, programs, and technologies.
Policies are documents that specify an organization’s approach to security. There are four types of
security policies: general security policies, program security policies, issue-specific policies, and
systems-specific policies.
o The general security policy is an executive-level document that outlines the organization’s
approach and attitude toward information security and relates the strategic value of
information security within the organization. This document, typically created by the CIO
in conjunction with the CEO and CISO, sets the tone for all subsequent security activities.
o The program security policy is a planning document that outlines the process of
implementing security in the organization. This policy is the blueprint for the analysis,
design, and implementation of security.
o Issue-specific policies address the specific implementations or applications of which users
should be aware. These policies are typically developed to provide detailed instructions
and restrictions associated with security issues. Examples include policies for Internet use,
e-mail, and access to the building.
o Systems-specific policies address the particular use of certain systems. This could include
firewall configuration policies, systems access policies, and other technical configuration
areas.
Programs are activities performed within the organization to improve security. These include
security education, training, and awareness programs.
Security technologies are the technical implementations of the policies defined by the
organization.
Defend
The defend control strategy attempts to prevent the exploitation of the vulnerability. This is the preferred
approach and is accomplished by means of countering threats, removing vulnerabilities from assets, limiting
access to assets, and adding protective safeguards. There are three common methods used to defend:
Application of policy
Education and training
Application of technology
Another defend strategy is the implementation of security controls and safeguards to deflect attacks on
systems and therefore minimize the probability that an attack will be successful. An organization with a
dial-in access vulnerability, for example, may choose to implement a control or safeguard for that service.
A centralized authentication service such as RADIUS (Remote Authentication Dial-In User Service), or
another protocol or product, would provide such a control. Note, however, that RADIUS's own protection
of credentials between the access server and the RADIUS server is weak by modern standards, so in practice
it is combined with a strong client authentication method and a protected transport between the two servers.
On the other hand, the organization may choose to eliminate the dial-in system and service altogether to
avoid the potential risk, which is really the terminate strategy described below.
Transfer
The transfer control strategy attempts to shift risk to other assets, other processes, or other organizations.
This can be accomplished by rethinking how services are offered, revising deployment models, outsourcing
to other organizations, purchasing insurance, or implementing service contracts with providers.
This principle should be considered whenever an organization begins to expand its operations, including
information and systems management and even information security. If an organization does not already
have quality security management and administration experience, it should hire individuals or firms that
provide such expertise.
Mitigate
The mitigate control strategy attempts to reduce the impact caused by the exploitation of vulnerability
through planning and preparation. This approach requires the creation of three types of plans: the incident
response plan, the disaster recovery plan, and the business continuity plan. Each of these plans depends on
the ability to detect and respond to an attack as quickly as possible and relies on the quality of the other
plans. Mitigation begins with the early detection that an attack is in progress and a quick, efficient, and
effective response.
disaster. These strategies are fully deployed once the disaster has stopped. DR plans usually include all
preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to
follow when the smoke clears, the dust settles, or the floodwaters recede. The DR plan and the IR plan
overlap to a degree. In many respects, the DR plan is the subsection of the IR plan that covers disastrous
events. The IR plan is also flexible enough to be useful in situations that are near disasters, but that still
require coordinated, planned actions. While some DR plan and IR plan decisions and actions are the same,
their urgency and outcomes can differ dramatically. The DR plan focuses more on preparations completed
before and actions taken after the incident, whereas the IR plan focuses on intelligence gathering,
information analysis, coordinated decision making, and urgent, concrete actions.
Accept
The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome
of its exploitation. This may or may not be a conscious business decision. The only industry-recognized
valid use of this strategy occurs when the organization has done the following:
Terminate
The terminate control strategy directs the organization to avoid those business activities that introduce
uncontrollable risks. If an organization studies the risks from implementing business-to-consumer e-
commerce operations and determines that the risks are not sufficiently offset by the potential benefits, the
organization may seek an alternate mechanism to meet customer needs—perhaps developing new channels
for product distribution or new partnership opportunities. By terminating the questionable activity, the
organization reduces the risk exposure.
Risk control involves selecting one of the five risk control strategies for each vulnerability. The flowchart
in Figure 4.4 guides you through the process of deciding how to proceed with one of the five strategies. As
shown in the diagram, after the information system is designed, you query as to whether the protected
system has vulnerabilities that can be exploited. If the answer is yes and a viable threat exists, you begin to
examine what the attacker would gain from a successful attack. To determine if the risk is acceptable or
not, you estimate the expected loss the organization will incur if the risk is exploited. Some rules of thumb
on strategy selection are presented below. When weighing the benefits of the different strategies, keep in
mind that the level of threat and value of the asset should play a major role in strategy selection.
When a vulnerability (flaw or weakness) exists: Implement security controls to reduce the
likelihood of a vulnerability being exercised.
When a vulnerability can be exploited: Apply layered protections, architectural designs, and
administrative controls to minimize the risk or prevent occurrence.
When the attacker’s cost is less than his or her potential gain: Apply protections to increase the
attacker’s cost (e.g., use system controls to limit what a system user can access and do, thereby
significantly reducing an attacker’s gain).
When potential loss is substantial: Apply design principles, architectural designs, and technical and
nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
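The decision flow of Figure 4.4 and the four rules of thumb above can be written down as a small decision procedure. The following is an added example, not code from the textbook or the course; the expected-loss estimate (asset value times exposure factor times annual likelihood) and the two money thresholds (`acceptable_loss` for the organization's appetite, `substantial_loss` for the "potential loss is substantial" rule) are assumptions chosen to make the flow concrete, and all case values are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Strategy(Enum):
    """The five risk control strategies discussed in this chapter."""
    DEFEND = "defend"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TERMINATE = "terminate"


@dataclass
class VulnerabilityCase:
    """Constructed inputs for one asset/vulnerability pair (all values are estimates)."""
    name: str
    vulnerability_exists: bool   # does the protected system have an exploitable flaw?
    viable_threat: bool          # is there a threat able and motivated to exploit it?
    asset_value: float           # valuation of the exposed information asset
    exposure_factor: float       # fraction of the asset's value lost per exploitation (0..1)
    annual_likelihood: float     # expected number of exploitations per year
    attacker_cost: float         # estimated cost to the attacker of a successful attack
    attacker_gain: float         # estimated gain to the attacker from that attack
    controllable: bool = True    # False when no control can bring the risk down
    transferable: bool = False   # True when insurance, outsourcing or contracts can shift it


def expected_loss(case: VulnerabilityCase) -> float:
    """Expected annual loss if the risk is exploited.

    Assumption (not stated on the page): asset value x exposure factor x
    annual likelihood, the usual single-loss-expectancy style estimate.
    """
    return case.asset_value * case.exposure_factor * case.annual_likelihood


def select_strategy(case: VulnerabilityCase, acceptable_loss: float, substantial_loss: float):
    """Walk the Figure 4.4 decision flow and apply the rules of thumb.

    Returns (strategies, rationale). Both thresholds are constructed parameters:
    `acceptable_loss` is the largest expected loss the organization will live
    with, `substantial_loss` the level above which extent-limiting planning is
    added to the control strategy.
    """
    if not case.vulnerability_exists:
        return [Strategy.ACCEPT], ["no vulnerability in the protected system"]
    if not case.viable_threat:
        return [Strategy.ACCEPT], ["vulnerability present but no viable threat"]

    loss = expected_loss(case)
    if loss <= acceptable_loss:
        # Conscious, documented acceptance: the expected loss is within appetite.
        return [Strategy.ACCEPT], [f"expected loss {loss:.0f} within acceptable {acceptable_loss:.0f}"]
    if not case.controllable:
        # Risk above appetite that controls cannot reduce: avoid the activity.
        return [Strategy.TERMINATE], ["risk exceeds appetite and cannot be controlled"]

    strategies = [Strategy.DEFEND]
    rationale = ["vulnerability exists: apply controls to reduce the likelihood it is exercised",
                 "vulnerability exploitable: apply layered, architectural and administrative controls"]
    if case.attacker_cost < case.attacker_gain:
        rationale.append("attacker cost below gain: raise the attacker's cost and limit what a user can reach")
    if loss > substantial_loss:
        # Limit the extent of a successful attack through IR, DR and BC planning.
        strategies.append(Strategy.MITIGATE)
        rationale.append("potential loss substantial: plan to limit the extent of an attack")
    if case.transferable:
        strategies.append(Strategy.TRANSFER)
        rationale.append("risk can be shifted through insurance, outsourcing or service contracts")
    return strategies, rationale


if __name__ == "__main__":
    # Constructed case: a legacy dial-in service with a cheap, high-gain attack path.
    dial_in = VulnerabilityCase("legacy dial-in service", True, True,
                                asset_value=100_000, exposure_factor=0.5, annual_likelihood=0.2,
                                attacker_cost=500, attacker_gain=20_000)
    chosen, why = select_strategy(dial_in, acceptable_loss=5_000, substantial_loss=50_000)
    print([s.value for s in chosen])
    for line in why:
        print(" -", line)
```

The order of checks mirrors the flowchart: existence of a vulnerability and a viable threat come first, the expected loss is compared against appetite before any control is considered, and only then are the rules of thumb layered on. Any threshold you plug in should come from the organization's documented risk appetite, not from the analyst's intuition.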
Feasibility Studies
Before deciding on the strategy (defend, transfer, mitigate, accept, or terminate) for a specific vulnerability,
the organization must explore all the economic and noneconomic consequences of the vulnerability facing
the information asset. This is an attempt to answer the question, “What are the actual and perceived
There are a number of ways to determine the advantage of a specific control. There are also many methods
an organization can use to identify the disadvantages of specific controls. The following sections discuss
some of the more commonly used techniques for making these choices. Note that some of these techniques
use dollar expenses and savings implied from economic cost avoidance, and others use noneconomic
feasibility criteria. Cost avoidance is the process of preventing the financial impact of an incident by
implementing a control.
Just as it is difficult to determine the value of information, it is also difficult to determine the cost of
safeguards. Some of the items that affect the cost of a control or safeguard include the following:
Benefit is the value that an organization realizes by using controls to prevent losses associated with a
specific vulnerability. The amount of the benefit is usually determined by valuing the information asset or
assets exposed by the vulnerability and then determining how much of that value is at risk and how much
risk there is for the asset.
Asset valuation is the process of assigning financial value or worth to each information asset. Some argue
that it is virtually impossible to determine the true value of information and information-bearing assets. The
valuation of assets involves estimation of real and perceived costs associated with design, development,
installation, maintenance, protection, recovery, and defense against loss and litigation. These estimates are
calculated for every set of information-bearing systems or information assets. Some component costs are
easy to determine, such as the cost to replace a network switch or the hardware needed for a specific class
of server. Other costs are almost impossible to determine accurately,
Not every organization has the collective will or budget to manage each vulnerability by applying controls;
therefore, each organization must define the level of risk it is willing to live with.
Risk Appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate
the tradeoffs between perfect security and unlimited accessibility. For instance, a financial services
company, regulated by government and conservative by nature, may seek to apply every reasonable control
and even some invasive controls to protect its information assets. Other, nonregulated organizations may
also be conservative by nature, seeking to avoid the negative publicity associated with the perceived loss
of integrity from the exploitation of a vulnerability. Thus, a firewall vendor may install a set of firewall
rules that are far stricter than normal because the negative consequence of being hacked would be
catastrophic in the eyes of its customers. Other organizations may take on dangerous risks through
ignorance. The reasoned approach to risk is one that balances the expense (in terms of finance and the
usability of information assets) of controlling vulnerabilities against the losses possible if these
vulnerabilities were exploited.
Residual Risk
Even when vulnerabilities have been controlled as much as possible, there is often still some risk that has
not been completely removed, shifted, or planned for. This remainder is called residual risk. To express it
another way, “residual risk is a combined function of (1) a threat less the effect of threat-reducing
safeguards, (2) a vulnerability less the effect of vulnerability-reducing safeguards, and (3) an asset less the
effect of asset value-reducing safeguards.”
Documenting Results
The results of risk assessment activities can be delivered in a number of ways: a report on a systematic
approach to risk control, a project-based risk assessment, or a topic-specific risk assessment.
When the organization is pursuing an overall risk management program, it requires a systematic report that
enumerates the opportunities for controlling risk. This report documents a series of proposed controls, each
of which has been justified by one or more feasibility or rationalization approaches. At a minimum, each
information asset-threat pair should have a documented control strategy that clearly identifies any residual
risk remaining after the proposed strategy has been executed. Furthermore, each control strategy should
articulate which of the four fundamental risk-reducing approaches will be used, or how they might be
combined, and should justify that choice by referencing the feasibility studies. Additional
preparatory work for project management should be included where available.
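The three-part definition of residual risk quoted above, the benefit of a control described under Feasibility Studies, and the risk appetite threshold can be combined into the per asset-threat pair record that this section asks for. The following is an added example, not code from the textbook or the course; it assumes a simple multiplicative risk model (asset value times threat likelihood times vulnerability, each reduced by the fraction its safeguards remove), treats a terminated activity as carrying no residual risk, and uses a constructed register and a constructed appetite figure.

```python
from dataclasses import dataclass, field


@dataclass
class Safeguards:
    """Fraction (0..1) of each residual-risk component that controls remove."""
    threat_reduction: float = 0.0         # threat-reducing safeguards (e.g. deterrence)
    vulnerability_reduction: float = 0.0  # vulnerability-reducing safeguards (e.g. patching)
    asset_reduction: float = 0.0          # asset value-reducing safeguards (e.g. data minimisation)

    def __post_init__(self):
        for name in ("threat_reduction", "vulnerability_reduction", "asset_reduction"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")


@dataclass
class AssetThreatPair:
    """One row of the risk register: constructed estimates, not measured values."""
    asset: str
    threat: str
    asset_value: float        # valuation of the information asset
    threat_likelihood: float  # 0..1 chance the threat acts in the period
    vulnerability: float      # 0..1 chance an attempt succeeds without safeguards
    strategy: str             # defend / transfer / mitigate / accept / terminate
    safeguards: Safeguards = field(default_factory=Safeguards)


def inherent_risk(pair: AssetThreatPair) -> float:
    """Expected loss before any safeguard is applied (assumed multiplicative model)."""
    return pair.asset_value * pair.threat_likelihood * pair.vulnerability


def residual_risk(pair: AssetThreatPair) -> float:
    """Risk left after safeguards: each of the three components is reduced separately."""
    if pair.strategy == "terminate":
        return 0.0  # the activity no longer exists, so nothing remains to exploit
    s = pair.safeguards
    return (pair.asset_value * (1.0 - s.asset_reduction)
            * pair.threat_likelihood * (1.0 - s.threat_reduction)
            * pair.vulnerability * (1.0 - s.vulnerability_reduction))


def control_benefit(pair: AssetThreatPair) -> float:
    """Value at risk that the chosen controls remove (the 'benefit' of the Feasibility section)."""
    return inherent_risk(pair) - residual_risk(pair)


def document_results(pairs, risk_appetite: float):
    """Produce one record per asset-threat pair, flagging residual risk above appetite."""
    records = []
    for p in pairs:
        res = residual_risk(p)
        records.append({
            "asset": p.asset,
            "threat": p.threat,
            "strategy": p.strategy,
            "inherent_risk": round(inherent_risk(p), 2),
            "residual_risk": round(res, 2),
            "benefit": round(control_benefit(p), 2),
            "within_appetite": res <= risk_appetite,
        })
    return records


def exceptions(records):
    """Pairs whose residual risk still exceeds the organization's appetite."""
    return [r for r in records if not r["within_appetite"]]


# Constructed register: four asset-threat pairs, one per strategy except mitigate.
SAMPLE_REGISTER = [
    AssetThreatPair("customer database", "external intrusion", 500_000, 0.6, 0.4, "defend",
                    Safeguards(threat_reduction=0.2, vulnerability_reduction=0.9)),
    AssetThreatPair("legacy dial-in service", "unauthorised access", 50_000, 0.5, 0.5, "terminate"),
    AssetThreatPair("public brochure site", "defacement", 2_000, 0.8, 0.3, "accept"),
    AssetThreatPair("card payment processing", "payment fraud", 300_000, 0.5, 0.2, "transfer",
                    Safeguards(vulnerability_reduction=0.5, asset_reduction=0.7)),
]

if __name__ == "__main__":
    for rec in document_results(SAMPLE_REGISTER, risk_appetite=5_000):
        print(rec)
    print("exceptions:", [r["asset"] for r in exceptions(document_results(SAMPLE_REGISTER, 5_000))])
```

Each record carries the control strategy, the residual risk that remains after it, and whether that remainder sits within appetite, which is exactly what the systematic report needs per pair. An entry that lands in `exceptions` is the signal to revisit the strategy, not a result to file away.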
Assessment
1. What is risk management? Why is the identification of risks, by listing assets and their
vulnerabilities, so important to the risk management process?
2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
3. Who is responsible for risk management in an organization? Which community of interest usually
takes the lead in information security risk management?
4. In risk management strategies, why must periodic review be a part of the process?
5. Why do networking components need more examination from an information security perspective
than from a systems development perspective?
6. What value does an automated asset inventory system have for the risk identification process?
7. What are vulnerabilities? How do you identify them?
8. Describe the “defend” strategy. List and describe the three common methods.
9. Describe the “transfer” strategy. Describe how outsourcing can be used for this purpose.
10. Describe the “mitigate” strategy. What three planning approaches are discussed in the text as
opportunities to mitigate risk?
References
1. Whitman, Michael. Principles of Information Security, 6th ed., 2018.
2. IFRC. (2021). What is vulnerability? Ifrc.org. https://www.ifrc.org/en/what-we-do/disaster-management/about-disasters/what-is-a-disaster/what-is-vulnerability/
3. Smartsheet. (2019). Cost Benefit Analysis: An Expert Guide. https://www.smartsheet.com/expert-guide-cost-benefit-analysis
4. Darby, Mark. (2019, December 6). ISO 27001 Help from ISMS.online. ISMS.online. https://www.isms.online/iso-27001/information-security-risk-management-explained/