03 - Risk Assessment V 2.0
Uploaded by Aryan Wijaya

Risk Assessment

Overview
Risk Management Life Cycle
• IT Risk Identification
• IT Risk Assessment
• Risk Response and Mitigation
• Risk and Control Monitoring and Reporting

IT Risk Assessment Objective
Analyze and evaluate IT risk to determine the
likelihood and impact on business objectives to
enable risk-based decision making
Key Topics
1. Analyze risk scenarios based on organizational criteria (e.g., organizational structure, policies, standards, technology, architecture, controls) to determine the likelihood and impact of an identified risk.
2. Identify the current state of existing controls and evaluate their effectiveness for IT risk mitigation.
3. Review the results of risk and control analysis to assess any gaps between current and desired states of the IT risk environment.
4. Ensure that risk ownership is assigned at the appropriate level to establish clear lines of accountability.
5. Communicate the results of risk assessments to senior management and appropriate stakeholders to enable risk-based decision making.
6. Update the risk register with the results of the risk assessment.
IT Risk Identification Objective
• Identify and assess risk assessment techniques
• Analyze risk scenarios
• Identify current state of controls
• Assess gaps between current and desired state of the IT risk environment
• Communicate IT risk assessment results to relevant stakeholders
The Objective
Based on the results of the Risk Identification step,
the IT Risk Assessment step calculates the level of
risk that the organization faces, to be used in the
next step - Risk Response and Mitigation.
Risk Identification vs. Risk Assessment
Risk Identification
• Recognition of threats, vulnerabilities, assets and controls
• Documenting risk
• Documents critical business operations
Risk Assessment
• Evaluates potential effect of risk
• Evaluates probabilities of an adverse event
Risk Assessment Techniques
• Bayesian Analysis
• Bow Tie Analysis
• Brainstorming / Structured Interview
• Business Impact Analysis
• Cause and Consequence Analysis
• Cause-and-effect Analysis
• Checklists
• Delphi Method
• Event Tree Analysis
• Fault Tree Analysis
• Hazard and Operational Studies
• Human Reliability Analysis
• Layers of Protection Analysis
• Market Analysis
• Preliminary Hazard Analysis
• Reliability-centered Maintenance
• Root Cause Analysis
• Scenario Analysis
• Sneak Circuit Analysis
• Structured "What if" Technique (SWIFT)
RPN (Risk Priority Number)
• The Risk Priority Number, or RPN, is a numeric
assessment of risk assigned to a process, or steps
in a process, as part of Failure Modes and Effects
Analysis (FMEA), in which a team assigns each
failure mode numeric values that quantify
likelihood of occurrence, likelihood of detection,
and severity of impact.
• The RPN is calculated by multiplying the three
scoring columns: Severity, Occurrence and
Detection
• RPN = Severity x Occurrence x Detection
FTA (Fault Tree Analysis)
• Fault tree analysis (FTA) is a top down,
deductive failure analysis in which an
undesired state of a system is analyzed using
Boolean logic to combine a series of lower-
level events.
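The Boolean combination that FTA describes, as an added example that is not part of the slide deck: a small evaluator that takes a tree of AND/OR gates over basic events, computes the top-event probability top-down, and lists the minimal cut sets (the combinations of basic events that are each sufficient to cause the undesired state). It assumes basic events are independent; the sample tree and its probabilities are constructed.

```python
"""Fault tree evaluator: Boolean gates combining lower-level events.
Added example, not from the slide deck. Assumes basic events are
independent (the usual first-pass FTA simplification)."""
from dataclasses import dataclass, field
from math import prod
from typing import Union


@dataclass
class BasicEvent:
    name: str
    probability: float  # per-year probability; constructed sample values below


@dataclass
class Gate:
    kind: str  # "AND" or "OR"
    name: str
    inputs: list = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Top-down: probability that this node's failure state occurs."""
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)                            # all inputs must occur
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)     # at least one input occurs
    raise ValueError(f"unknown gate {node.kind}")


def minimal_cut_sets(node: Node) -> list:
    """Sets of basic events that are each sufficient for the top event."""
    if isinstance(node, BasicEvent):
        return [{node.name}]
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: every combination of one cut set per input
        sets = [set()]
        for cs in child_sets:
            sets = [a | b for a in sets for b in cs]
    return [s for s in sets if not any(o < s for o in sets)]  # keep minimal ones


# Constructed sample tree: undesired top event "customer data disclosed"
TREE = Gate("OR", "customer data disclosed", [
    Gate("AND", "account takeover", [
        BasicEvent("credential phished", 0.10),
        BasicEvent("MFA not enforced", 0.20),
    ]),
    BasicEvent("unpatched server exploited", 0.05),
])

if __name__ == "__main__":
    print(f"P(top event) = {probability(TREE):.4f}")  # 0.0690
    print(minimal_cut_sets(TREE))
```

The cut sets tell the practitioner which single control (here, enforcing MFA or patching) removes a whole path to the top event, which is what the likelihood estimate in the risk register should reflect.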
Ishikawa Diagram
• A fishbone diagram, also called a cause and
effect diagram or Ishikawa diagram, is a
visualization tool for categorizing the potential
causes of a problem in order to identify its
root causes.
Influence Diagram
• An influence diagram (ID) (also called a
relevance diagram, decision diagram or a
decision network) is a compact graphical and
mathematical representation of a decision
situation.
The Delphi Techniques
• The Delphi method is a structured communication technique or
method, originally developed as a systematic, interactive
forecasting method which relies on a panel of experts.
– The experts answer questionnaires in two or more rounds.
– After each round, a facilitator or change agent provides an
anonymised summary of the experts' forecasts from the previous
round as well as the reasons they provided for their judgments.
– Thus, experts are encouraged to revise their earlier answers in light of
the replies of other members of their panel
– Finally, the process is stopped after a predefined stop criterion (e.g.
number of rounds, achievement of consensus, stability of results) and
the mean or median scores of the final rounds determine the results.
• Delphi is based on the principle that forecasts (or decisions) from a
structured group of individuals are more accurate than those from
unstructured groups
Decision Tree Analysis
• A decision tree is a decision support tool
that uses a tree-like graph or model of
decisions and their possible consequences,
including chance event outcomes, resource
costs, and utility.
• It is one way to display an algorithm.
Risk Assessment Techniques
Inaccurate risk scenarios due to:
• Difficulty in calculating impact. Impact may be affected by:
  - Response time
  - Skill of staff
  - Maturity of response process
  - Effectiveness of controls
• Organizational culture
Impact of Culture on Risk
Effect of Organizational Culture on Risk
Mature organizational processes:
- Presence of policies and procedures
- Relationship between management and employees
- Relationship between organization and community
- Effectiveness of monitoring
- Proactive, preventative procedures
Blame Culture
Is the first approach of management to hide events or seek to allocate blame? A blame culture:
• Discourages openness and truthfulness about incidents
• Prohibits honest feedback and continuous improvement
• Causes poor communication between stakeholders
• Causes loss of trust
Policy
Policies are the foundation of the organization. They:
• Declare management's priorities and support
• Outline boundaries of behavior and compliance
Policies are interpreted through:
- Standards, procedures, baselines, guidelines
Hierarchy of Policy
High level policy
- Non technical
- Changes rarely
Functional policies
- Technical (remote access, wireless, BYOD, etc.)
- May change frequently
- Interpret intent of high level policy
Impact of Architecture on Risk

Controls and Controls Gap
Controls
The risk practitioner must assess the effectiveness of controls, looking for:
- Misconfigured controls
- Lack of monitoring
- Wrong control
- Ability to bypass a control
- Lack of documentation
Types of Controls
• Managerial / Administrative
• Technical / Logical
• Physical / Operational
Effective controls are a combination of all three types.
Control Gap
Compensating controls
• Address a gap or weakness in the controls
• Used when there is an inability to enact a more desirable control
  - i.e., additional monitoring, dual control
Control Gap
Sources that reveal control gaps:
• Audits
• Penetration Tests, Vulnerability Assessments
• Observation
• Incident reports
• User feedback
• Logs
• Vendor reports
Audit
• An audit may identify a risk due to missing, ineffective, or improperly managed controls
• Assess the level of risk associated with the audit recommendation
Testing Controls
• Ensure that controls were installed/implemented as designed
• Ensure that the controls are working correctly
• Ensure that the controls are producing the desired result: mitigating risk
Testing Controls
Test both the technical and non-technical aspects of the control:
- Configuration
- Documentation
- Monitoring
- Staff training
- Architecture placement
Third Party Assurance
SSAE 16 (formerly SAS 70)
- SOC 1 – financial reviews
- SOC 2 – non-financial reviews – detailed internal report
- SOC 3 – like a SOC 2 but used for external distribution
ISAE 3402 – International standard
Vulnerability Assessments
Typical findings:
• Insecure physical access
• Application vulnerabilities
• Unpatched systems
• Unprotected sensitive data
• Open ports or services
• Exposed cabling
Current vs. Desired State of Risk
Desired state is reflective of:
- Management's risk appetite
- International standards of good practice
Determining Risk
Controls
Dependent on quality of data received for assessment:
- Complete
- Accurate
- Biased
- Format
- Relevant
Identifying Risk Trends
• Emerging risk
• Changes in risk
  - New threats
  - Newly discovered vulnerabilities
  - Bypass of controls
  - Erosion of control effectiveness
• Likelihood of risk levels exceeding KPIs
Gap Assessment
• Threat modeling – discover the severity of the risk
• Root cause analysis – the true, underlying cause for the risk
• Gap Analysis – delta between desired and current state
Measuring Risk Levels
• KPIs – Key Performance Indicators
• KRIs – Key Risk Indicators
• KGIs – Key Goal Indicators
Measuring risk and providing comparable reports to indicate trends, levels of compliance, etc.
Risk Assessment Methodologies
Quantitative Risk
• Monetary value of risk
Qualitative Risk
• Scenario-based
• Range of risk levels
  - Very Low, Low, Moderate, High, Very High
Qualitative vs Quantitative
• Qualitative Risk Assessment: use subjective ratings to evaluate risk likelihood and impact
• Quantitative Risk Assessment: use objective numeric ratings to evaluate risk likelihood and impact
Quantitative Risk
• Cost of single risk event
• Frequency of risk events (usually calculated annually)
• Cost of risk averaged per year
• Justifies cost of controls
Qualitative Risk
• Non-monetary elements of risk
• Morale, reputation, customer confidence
• Risk levels by comparing likelihood with impact
Semi-Quantitative Risk Assessment
- Combination of Quantitative and Qualitative risk methods – associates money with range of risk levels
Qualitative Risk Assessment
Risk level from impact (rows) and probability (columns):

                 Probability
Impact     Low       Medium    High
High       Medium    High      High
Medium     Low       Medium    High
Low        Low       Low       Medium
Quantitative Risk Assessment
• Perform quantitative risk assessment for a single risk and asset pair
• Asset Value (AV)
  – The dollar value of an asset
• Exposure Factor (EF)
  – Expected % of damage to an asset
AV Techniques
• Original cost
• Depreciated cost
• Replacement cost
Single-Loss Expectancy (SLE)
• Expected dollar loss if a risk occurs one time
• SLE = AV * EF
• $10M = $20M * 50%
Annualized Rate of Occurrence (ARO)
• Number of times a risk is expected to occur each year
Annualized Loss Expectancy (ALE)
• Expected dollar loss from a risk in any given year
• ALE = SLE * ARO
• $100,000 = $10M * 0.01
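The SLE/ALE calculation above, carried through to the point the earlier slide calls "justifies cost of controls", as an added example that is not part of the slide deck: the slide's figures (AV $20M, EF 50%, ARO 0.01) are used as-is, while the control's effect on ARO and its annual cost are constructed assumptions.

```python
"""Quantitative risk assessment for one risk/asset pair (AV, EF, SLE, ARO, ALE)
plus the control cost-benefit check. Added example, not from the slide deck;
the control figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: dollar value of the asset
    exposure_factor: float  # EF: expected fraction of the asset lost per event (0..1)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single-Loss Expectancy: dollar loss if the risk occurs once."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollar loss per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Annual net value of a control: ALE reduction minus what the control costs.
    A positive result means the control is financially justified."""
    return before.ale() - after.ale() - annual_control_cost


# Figures from the slides: AV $20M, EF 50%, ARO 0.01
breach = Risk(asset_value=20_000_000, exposure_factor=0.50, aro=0.01)

# Constructed: a control that cuts ARO to one event in 500 years for $40k/year
breach_with_control = Risk(asset_value=20_000_000, exposure_factor=0.50, aro=0.002)
CONTROL_COST = 40_000

if __name__ == "__main__":
    print(f"SLE = ${breach.sle():,.0f}")  # $10,000,000
    print(f"ALE = ${breach.ale():,.0f}")  # $100,000
    net = control_value(breach, breach_with_control, CONTROL_COST)
    print(f"control net value per year = ${net:,.0f}")  # $40,000
```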
OCTAVE
Operationally Critical Threat and Vulnerability Evaluation
Explores risk relationship between IT and operation
processes
Evaluates:
• Organization
• Technology
• Strategy and plan development
Measuring Risk Management Capabilities
Measure maturity of the risk management function:
• Reflects management's priorities
• Proactive
• Policies, standards and procedures
• Aligned with risk appetite
Key Elements to Measure Risk Management
• Management support
• Communication
• Current BIA
• Logging and Monitoring
• Scheduled risk assessments
• Testing of BCP/DRP
• Staff training
• Involvement of risk in IT projects
• Feedback from users
• Time to detect incidents
Validate Risk Appetite
Validate the risk appetite of management to ensure that:
- Management understands the significance of accepting risk
- The risk acceptance level is documented
- Management has signed off
- It aligns with laws and international standards
Risk Assessment and Incident Response
The way an organization handles incidents is a clear indicator of the maturity of their risk management program:
- Prepared
- Prevention
- Rapid Detection
- Effective Response
- Containment
- Recovery/restoration
- Feedback
Risk Areas to Consider
Risks Related to IT Management
• Hardware
• Software
  - Operating Systems
  - Utilities, Drivers, APIs (Application Program Interfaces)
  - Applications
• Database
Network Based Risk
Network architecture
- LAN, WAN, DMZ
- Bus, Ring, Star, Tree, Mesh
Network devices
- Repeaters, switches, firewalls, routers, proxy, gateways
Domain name system (DNS)
Wireless
Virtual Private Networks (VPNs)
Secure communications
- Confidentiality
- Integrity
- Authentication
Transport Layer Security (TLS/SSL)
IPsec
SDLC (Software Development Life Cycle)
• Methodology for systems and software development
• Project management
• Security must be integrated into each phase:
  – Initiation
  – Development/Acquisition
  – Implementation
  – Operation and Maintenance
  – Disposal
Risk Awareness
Awareness affects:
• Culture
• Ethics
• Direction and guidance
Risk Ownership
• Management owns the risk
• The Risk Practitioner must advise management of risk levels
• Update the risk register with the results of the risk assessment
Summary
• The risk practitioner must assess and
determine the severity of each risk facing the
organization
• All risk must be identified, assessed, and
reported to senior management
