Risk Management Process


Risk Management
Lecture 1 of 2
• RISK?
• Risk is the net negative impact of the exercise of a vulnerability, considering both the probability that it is exercised and the impact when it is.
• The objective of risk management is to identify risk, assess risk, and take steps to reduce risk to an acceptable level.
• This guide provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks.

RISK
• Risk is the potential of losing something of value.

Risk Assessment
Risk Management Guide for Information Technology Systems
Recommendations of the National Institute of Standards and Technology, USA
• A risk assessment is simply a careful examination of what, in your work, could cause harm, so that you can weigh up and determine appropriate ways to control the cause.
• Risk assessment is the process where you: identify hazards; analyze the risk associated with each hazard; determine appropriate ways to eliminate or control the hazard.

Risk Assessment
• Risk is the intersection of assets, threats, and vulnerabilities.
• An asset is what we’re trying to protect.
• A threat is what we’re trying to protect against.
• A vulnerability is a weakness or gap in our protection efforts.

Risk = Asset + Threat + Vulnerability
• The “+” is shorthand for “all three present at once”, not arithmetic: with no asset there is nothing to lose, with no threat-source nothing exercises the weakness, and with no vulnerability the threat has nothing to exercise. Remove any one of the three and that risk goes away.
Risk Assessment Methodology
• The risk assessment methodology encompasses nine primary steps, which are described below:
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation


STEP 1: SYSTEM CHARACTERIZATION
In this step, the boundaries of the IT system, and the resources and information that constitute the system, are identified.

Identifying risk for an IT system requires a strong understanding of the system’s processing environment. The person or persons who conduct the risk assessment must therefore first collect system-related information, which is usually classified as follows:
• Hardware
• Software
• System interfaces (e.g., internal and external connectivity)
• Data and information
• Persons who support and use the IT system
• System and data criticality (e.g., the system’s value or importance to an organization)
• System and data sensitivity

• Output from Step 1
• A good picture of the IT system environment, and a description of the system boundary.


STEP 2: THREAT IDENTIFICATION
• A threat is the potential for a particular threat-source to successfully exercise a particular vulnerability.
• Common Threat-Sources
• Natural Threats: floods, earthquakes, tornadoes, landslides, avalanches, electrical storms and other such events.
• Human Threats: events that are either enabled by or caused by human beings, such as unintentional acts (unintentional data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
• Environmental Threats: long-term power failure, pollution, chemicals, liquid leakage.
Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source      | Motivation
-------------------|-----------------------------------------------------------------------------------------------
Hacker, cracker    | Challenge; Ego; Rebellion
Computer criminal  | Destruction of information; Illegal information disclosure; Financial gain; Unauthorized data alteration
Terrorist          | Blackmail; Destruction; Exploitation; Revenge

• Output from Step 2
• A list of threat-sources that could exploit system vulnerabilities.


STEP 3: VULNERABILITY IDENTIFICATION
• Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
• The goal of this step is to develop a list of system vulnerabilities (flaws or weaknesses).
• Recommended methods for identifying system vulnerabilities are the use of vulnerability sources and the development of a security requirements checklist.
Vulnerability/Threat Pairs

Vulnerability                                                                  | Threat-Source                                                                              | Threat Action
-------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|------------------------------------------------------------------------
Terminated employees’ system identifiers (IDs) are not removed from the system | Terminated employees                                                                       | Dialing into the company’s network and accessing company proprietary data
Company firewall allows inbound telnet, and guest ID is enabled on XYZ server  | Unauthorized users (e.g. hackers, terminated employees, computer criminals, terrorists)    | Using telnet to XYZ server and browsing system files with the guest ID
Data center uses water sprinklers to suppress fire                             | Fire, negligent persons                                                                    | Water sprinklers being turned on in the data center

• Output from Step 3
• A list of the system vulnerabilities that could be exercised by the potential threat-sources.
STEP 4: CONTROL ANALYSIS
• The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat exercising a system vulnerability.
• Control Methods
• Security controls include the use of technical and nontechnical methods.
• Technical controls are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods).
• Nontechnical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.
• Output from Step 4
• A list of current or planned controls used for the IT system to lessen the likelihood of a vulnerability being exercised.


STEP 5: LIKELIHOOD DETERMINATION

Likelihood Level | Likelihood Definition
-----------------|-----------------------------------------------------------------------------------------------------------------------------------
High             | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium           | The threat-source is motivated and capable, but controls are in place that may block successful exercise of the vulnerability.
Low              | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly block, the vulnerability from being exercised.
STEP 6: IMPACT ANALYSIS

Magnitude of Impact | Impact Definition
--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
High                | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or block an organization’s mission, reputation, or interest; (3) may result in human death or serious injury.
Medium              | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; (3) may result in human injury.
Low                 | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization’s mission, reputation, or interest.


STEP 7: RISK DETERMINATION

Risk-Level Matrix (risk score = impact value x likelihood weight)

Threat Likelihood | Low Impact (10)       | Medium Impact (50)      | High Impact (100)
------------------|-----------------------|-------------------------|--------------------------
High (1.0)        | Low: 10 x 1.0 = 10    | Medium: 50 x 1.0 = 50   | High: 100 x 1.0 = 100
Medium (0.5)      | Low: 10 x 0.5 = 5     | Medium: 50 x 0.5 = 25   | Medium: 100 x 0.5 = 50
Low (0.1)         | Low: 10 x 0.1 = 1     | Low: 50 x 0.1 = 5       | Low: 100 x 0.1 = 10

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
• Boundary values fall into the lower band: a score of exactly 10 (Low likelihood x High impact, or High likelihood x Low impact) is Low, and exactly 50 (Medium x High, or High x Medium) is Medium. Only High likelihood combined with High impact reaches the High band.


Risk Scale and Necessary Actions

Risk Level | Risk Description and Necessary Actions
-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
High       | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium     | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low        | If an observation is described as low risk, top management determines whether corrective actions are still required or decides to accept the risk.
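The matrix and the actions table reduce to one lookup, and the boundary cases (a score of exactly 10 or 50) are where hand-filled matrices usually go wrong. The Python below is an added worked example, not code from the original slides or from NIST: it scores any likelihood/impact pair with the slide’s weights and scale, regenerates the full 3 x 3 matrix so the table can be checked, attaches the necessary action, and rates a constructed set of observations (the three vulnerability/threat pairs from the Step 3 table, with illustrative likelihood and impact ratings that are assumptions) into the High-to-Low summary that Section VI of the report and risk mitigation Step 1 call for.

```python
"""Risk determination (Step 7) with the slide's 3x3 risk-level matrix.

Added worked example; this is not code from the original slides or from
NIST. Likelihood weights (1.0/0.5/0.1), impact values (10/50/100) and the
risk scale (Low 1-10, Medium >10-50, High >50-100) are taken from the
slides; the observations in SAMPLE_OBSERVATIONS are constructed test data
with illustrative ratings.
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}   # for High-to-Low ranking

# Necessary actions per risk level, paraphrased from the slide.
NECESSARY_ACTION = {
    "High": "Strong need for corrective measures; put a corrective action plan in place as soon as possible.",
    "Medium": "Corrective actions needed; develop a plan to incorporate them within a reasonable period.",
    "Low": "Top management decides whether corrective action is required or accepts the risk.",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = impact value x likelihood weight (e.g. Medium x High = 50)."""
    return IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood]


def risk_level(score: float) -> str:
    """Map a score onto the slide's scale.

    The bands are Low (1 to 10), Medium (>10 to 50), High (>50 to 100), so a
    boundary value belongs to the lower band: exactly 10 is Low and exactly
    50 is Medium.
    """
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 scale")
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict[tuple[str, str], str]:
    """Regenerate the full 3x3 matrix keyed by (likelihood, impact)."""
    return {
        (lk, im): risk_level(risk_score(lk, im))
        for lk in LIKELIHOOD_WEIGHT
        for im in IMPACT_VALUE
    }


@dataclass
class Observation:
    """One vulnerability/threat pair with its Step 5 and Step 6 ratings."""
    number: int
    description: str
    threat_source: str
    likelihood: str
    impact: str

    def rate(self) -> dict:
        score = risk_score(self.likelihood, self.impact)
        level = risk_level(score)
        return {
            "observation": self.number,
            "description": self.description,
            "threat_source": self.threat_source,
            "score": score,
            "level": level,
            "action": NECESSARY_ACTION[level],
        }


# Constructed sample: the three vulnerability/threat pairs from the Step 3
# table; the likelihood/impact ratings are illustrative assumptions.
SAMPLE_OBSERVATIONS = [
    Observation(1, "Terminated employees' IDs are not removed from the system",
                "Terminated employees", likelihood="Medium", impact="High"),
    Observation(2, "Firewall allows inbound telnet; guest ID enabled on XYZ server",
                "Unauthorized users", likelihood="High", impact="High"),
    Observation(3, "Data center uses water sprinklers to suppress fire",
                "Fire, negligent persons", likelihood="Low", impact="High"),
]


def summarize(observations: list[Observation]) -> list[dict]:
    """Section VI summary table, ordered High to Low (the ranked action list
    that risk mitigation Step 1 starts from). Ties keep observation order."""
    rows = [obs.rate() for obs in observations]
    rows.sort(key=lambda r: (LEVEL_ORDER[r["level"]], -r["score"], r["observation"]))
    return rows


if __name__ == "__main__":
    for (lk, im), level in risk_matrix().items():
        print(f"likelihood={lk:<6} impact={im:<6} score={risk_score(lk, im):6.1f} -> {level}")
    for row in summarize(SAMPLE_OBSERVATIONS):
        print(f"Obs {row['observation']}: {row['level']:<6} ({row['score']:g}) {row['description']}")
```

Run as a script it prints all nine matrix cells followed by the ranked observations; with the constructed ratings the telnet/guest-ID pair (100, High) leads, the stale-ID pair (50, Medium) follows, and the sprinkler pair (10, Low) closes the list. Swapping in a 4 x 4 or 5 x 5 scale, as Section II of the report outline allows, means changing only the two dictionaries and the band thresholds.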


STEP 8: CONTROL RECOMMENDATIONS
• The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented.
• Output from Step 8
• Recommendation of control(s) and alternative solutions to mitigate risk.
STEP 9: RESULTS DOCUMENTATION
• Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.


SAMPLE RISK ASSESSMENT REPORT OUTLINE

EXECUTIVE SUMMARY

I. Introduction
• Purpose
• Scope of this risk assessment: describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

II. Risk Assessment Approach
Briefly describe the approach used to conduct the risk assessment, such as:
• The participants (e.g., risk assessment team members)
• The technique used to gather information (e.g., the use of tools, questionnaires)
• The development and description of the risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix)

III. System Characterization
• Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users.
• Provide a connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

IV. Threat Statement
• Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.

V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each observation must include:
• Observation number and brief description of the observation (e.g., Observation 1: User system passwords can be guessed or cracked)
• A discussion of the threat-source and vulnerability pair
• Identification of existing mitigating security controls
• Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
• Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
• Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
• Recommended controls or alternative options for reducing the risk

VI. Summary
• Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.


Risk Mitigation
Risk Management Guide for Information Technology Systems
Recommendations of the National Institute of Standards and Technology, USA
• Risk mitigation, the second process of risk management, involves ranking, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.
APPROACH FOR CONTROL IMPLEMENTATION
• The risk mitigation methodology describes the approach to control implementation.
• As elimination of all risk is usually impractical or close to impossible, it is the responsibility of top management to use the least-cost approach and implement the most appropriate controls to decrease risk to an acceptable level.
Step 1 - Ranked Actions
• Based on the risk levels presented in the risk assessment report, the implementation actions are ranked. In allocating resources, top priority should be given to risk items with unacceptably high risk rankings. These vulnerability/threat pairs will require immediate corrective action to protect an organization’s interest and mission.
• Output from Step 1: actions ranked from High to Low.


Step 2 - Evaluate Recommended Control Options
• The controls recommended in the risk assessment process may not be the most appropriate and feasible options for a specific organization and IT system.
• During this step, the feasibility and effectiveness (e.g., compatibility, user acceptance) of the recommended control options are analyzed.
• The objective is to select the most appropriate control option for minimizing risk.
• Output from Step 2: list of feasible controls.
Step 3 - Conduct Cost-Benefit Analysis
• To help management in decision making and to identify cost-effective controls, a cost-benefit analysis is conducted.
• Output from Step 3: cost-benefit analysis describing the costs and benefits of implementing or not implementing the controls.
Example-Conduct Cost-Benefit Analysis
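Steps 2 to 4 of risk mitigation form one decision: filter the recommended controls down to the feasible ones, cost each against the risk it leaves behind, and pick the least-cost control that brings the risk to an acceptable level. The Python below is an added worked example, not code from the original slides or from NIST, and it applies exactly that rule with the Step 7 matrix as the yardstick. The scenario is the telnet/guest-ID observation from the Step 3 table, currently rated High likelihood x High impact; the four control options, their annual costs, the residual likelihood and impact each leaves, the infeasibility verdict on one of them, and the choice of Low as the acceptable level are all constructed assumptions.

```python
"""Cost-benefit analysis and control selection (risk mitigation Steps 2-4).

Added worked example; not code from the original slides or from NIST. It
implements the rule stated on the slides: management uses the least-cost
approach to bring risk down to an acceptable level, choosing among the
controls found feasible in Step 2. The control options, their annual costs,
the residual likelihood/impact each leaves behind, and the choice of "Low"
as the acceptable level are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7 matrix: Low 1-10, Medium >10-50, High >50-100."""
    score = IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood]
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


@dataclass
class ControlOption:
    name: str
    annual_cost: int          # constructed figure, in whatever currency unit
    residual_likelihood: str  # likelihood once the control is in place
    residual_impact: str      # impact once the control is in place
    feasible: bool = True     # Step 2 verdict (compatibility, user acceptance)

    def residual_level(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)


def cost_benefit(current_likelihood: str, current_impact: str,
                 options: list[ControlOption], acceptable: str = "Low") -> list[dict]:
    """Step 3: one row per option showing what each cost buys.

    'Not implementing' is the baseline row: zero cost, risk unchanged.
    """
    baseline = risk_level(current_likelihood, current_impact)
    rows = [{"option": "(do nothing)", "cost": 0, "residual": baseline, "feasible": True,
             "acceptable": LEVEL_RANK[baseline] <= LEVEL_RANK[acceptable]}]
    for opt in options:
        residual = opt.residual_level()
        rows.append({"option": opt.name, "cost": opt.annual_cost, "residual": residual,
                     "feasible": opt.feasible,
                     "acceptable": LEVEL_RANK[residual] <= LEVEL_RANK[acceptable]})
    return rows


def select_control(current_likelihood: str, current_impact: str,
                   options: list[ControlOption],
                   acceptable: str = "Low") -> tuple[ControlOption | None, bool]:
    """Step 4: least-cost feasible control whose residual risk is acceptable.

    Returns (control, reached). If no feasible control reaches the acceptable
    level, returns the feasible control with the lowest residual risk
    (cheapest on ties) and reached=False, since the slides note controls may
    lower risk without eliminating it. Returns (None, True) when the current
    risk is already acceptable and nothing needs to be bought.
    """
    if LEVEL_RANK[risk_level(current_likelihood, current_impact)] <= LEVEL_RANK[acceptable]:
        return None, True
    feasible = [o for o in options if o.feasible]
    reaching = [o for o in feasible if LEVEL_RANK[o.residual_level()] <= LEVEL_RANK[acceptable]]
    if reaching:
        return min(reaching, key=lambda o: o.annual_cost), True
    if not feasible:
        return None, False
    best = min(feasible, key=lambda o: (LEVEL_RANK[o.residual_level()], o.annual_cost))
    return best, False


# Constructed scenario: the telnet/guest-ID observation from the Step 3 table,
# currently rated High likelihood x High impact. Costs and residuals are made up.
TELNET_OPTIONS = [
    ControlOption("Block inbound telnet at the firewall only", 500, "Medium", "High"),
    ControlOption("Block inbound telnet and disable the guest ID on XYZ server", 2_000, "Low", "Medium"),
    ControlOption("Replace telnet with SSH and disable the guest ID", 15_000, "Low", "Medium"),
    ControlOption("Decommission XYZ server", 100, "Low", "Low", feasible=False),
]

if __name__ == "__main__":
    for row in cost_benefit("High", "High", TELNET_OPTIONS):
        print(f"{row['cost']:>6}  residual={row['residual']:<6} feasible={row['feasible']!s:<5} "
              f"acceptable={row['acceptable']!s:<5} {row['option']}")
    chosen, reached = select_control("High", "High", TELNET_OPTIONS)
    print("Selected:", chosen.name if chosen else None, "| acceptable level reached:", reached)
```

Two things the run shows that the prose does not: the cheapest option overall (decommissioning the server) is excluded because Step 2 ruled it infeasible, and the cheap firewall-only block is rejected because its residual Medium x High still scores 50 (Medium), so the 2,000-unit combination of blocking telnet and disabling the guest ID is selected over the 15,000-unit SSH replacement that reaches the same residual level. The flag returned with the selection is what the Step 6 plan should record when the best available control only lowers the risk rather than bringing it to the acceptable level.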
Step 4 - Select Control
• On the basis of the results of the cost-benefit analysis, management determines the most cost-effective control(s) for reducing risk to the organization’s mission.
• The controls selected should combine technical, operational, and management control elements to ensure adequate security for the IT system and the organization.
• Output from Step 4: selected control(s).


Step 5 - Assign Responsibility
• Appropriate persons (in-house personnel or external contracting staff) who have the appropriate expertise and skill-sets to implement the selected control are identified, and responsibility is assigned.
• Output from Step 5: list of responsible persons.


Step 6 - Develop Safeguard Implementation Plan
• During this step, a safeguard implementation / action plan is developed. The plan should, at a minimum, contain the following information:
• Ranked Actions
• Recommended Controls
• Selected Planned Controls
• Responsible Persons
• Start Date
• Target Completion Date
Step 7 - Implement Selected Control(s)
• Depending on the situation, the implemented controls may lower the risk level but not eliminate the risk.


3. EVALUATION AND ASSESSMENT
• In most organizations, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions.
• In addition, personnel changes will occur and security policies are likely to change over time.
• These changes mean that new risks will surface and risks previously mitigated may again become a concern.
• Thus, the risk management process is ongoing and evolving.
