3 - Security Risk Analysis and Management

Uploaded by Warrior Zen

Security Risk Analysis and Management

RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY
THE PURPOSE OF RISK MANAGEMENT

• Ensure overall business and business assets are safe
• Protect against competitive disadvantage
• Compliance with laws and best business practices
• Maintain a good public reputation
STEPS OF A RISK MANAGEMENT PLAN

Step 1: Identify Risk
Step 2: Assess Risk
Step 3: Control Risk

Steps are similar regardless of context (InfoSec, Physical Security, Financial, etc.)
This presentation will focus on controlling risk within an InfoSec context
RISK IDENTIFICATION

The steps to risk identification are:
• Identify your organization's information assets
• Classify and categorize said assets into useful groups
• Rank assets by necessity to the organization

Below is a simplified example of how a company may identify risks:

Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical)
Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low
Cisco UCS B460 M4 Blade Server | Hardware: Networking Server | Database server | High
Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical
Windows 7 | Software: Operating System | Employee access to enterprise software | Medium
RISK ASSESSMENT

The steps to risk assessment are:
• Identify threats and threat agents
• Prioritize threats and threat agents
• Assess vulnerabilities in current InfoSec plan
• Determine risk of each threat

R = P * V – M + U
R = Risk
P = Probability of threat attack
V = Value of Information Asset
M = Mitigation by current controls
U = Uncertainty of vulnerability

The table below combines elements of all of these in a highly simplified format:

Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5)
Disgruntled Insider: Steal company information to sell | Company data (i.e. Customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | 4.16
Fire: Burn the facility down or cause major damage | Company Facility, Personnel, Equipment | Critical | Mishandled equipment | 2.78
Hacktivists: Quality of service deviation | Company Hardware/Software | Low | Lack of effective filtering | 1.39
RISK CONTROL

The steps to risk control are:
• Cost-Benefit Analysis (CBA)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annual Loss Expectancy (ALE)
  • Annual Cost of the Safeguard (ASG)
• Feasibility Analysis
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility
• Risk Control Strategy Implementation
VULNERABILITY ASSESSMENT (CONT'D.)

Single loss expectancy (SLE)
• Expected monetary loss each time a risk occurs
• Calculated by multiplying the asset value by exposure factor
• Exposure factor: percentage of asset value likely to be destroyed by a particular risk

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION 8

Annualized loss expectancy (ALE)
• Expected monetary loss over a one year period
• Multiply SLE by annualized rate of occurrence
• Annualized rate of occurrence (ARO): probability that a risk will occur in a particular year
• It can be calculated by multiplying the annualized rate of occurrence (ARO) by single loss expectancy (SLE).

Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%.
• The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.
• For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000, or $25,000.

COST-BENEFIT ANALYSIS

Determine what risk control strategies are cost effective. Below are some common formulas used to calculate cost-benefit analysis:

SLE = AV * EF
  AV = Asset Value, EF = Exposure factor (% of asset affected)
ALE = SLE * ARO
CBA = ALE (pre-control) – ALE (post-control) – ASG
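As an added worked example (not part of the slides), the Python below carries the SLE/ALE figures from the vulnerability assessment slides ($100,000 asset, 25% exposure factor, ARO of 1) through the cost-benefit formula above and ranks several candidate safeguards by CBA = ALE(pre-control) - ALE(post-control) - ASG. The safeguard names, annual costs and residual exposure values are constructed sample data, not figures from the presentation.

```python
"""Cost-benefit analysis of candidate safeguards (added example, not from the slides)."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, where EF is the fraction (0..1) of asset value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, where ARO is the expected number of occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and what residual risk it leaves."""
    name: str
    annual_cost: float    # ASG: annual cost of the safeguard
    residual_ef: float    # exposure factor once the control is in place
    residual_aro: float   # annualized rate of occurrence once the control is in place


def cost_benefit(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ASG; positive means the control pays for itself."""
    ale_pre = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.residual_ef), sg.residual_aro)
    return ale_pre - ale_post - sg.annual_cost


def rank_safeguards(asset_value: float, ef: float, aro: float, candidates):
    """Return (name, CBA) pairs, best first; entries with CBA <= 0 are not cost effective."""
    scored = [(sg.name, cost_benefit(asset_value, ef, aro, sg)) for sg in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed candidates for the slide's asset: AV $100,000, EF 25%, ARO 1 (ALE $25,000/yr).
CANDIDATES = (
    Safeguard("offsite backups", annual_cost=5_000, residual_ef=0.05, residual_aro=1.0),
    Safeguard("staff training", annual_cost=2_000, residual_ef=0.25, residual_aro=0.5),
    Safeguard("full hardware redundancy", annual_cost=30_000, residual_ef=0.0, residual_aro=1.0),
)

if __name__ == "__main__":
    for name, cba in rank_safeguards(100_000, 0.25, 1.0, CANDIDATES):
        verdict = "cost effective" if cba > 0 else "not cost effective"
        print(f"{name:25s} CBA = ${cba:>10,.2f}  ({verdict})")
```

A control that eliminates the loss entirely can still fail the test when its annual cost exceeds the ALE it removes, which is the case the acceptance strategy later in the deck describes.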
FEASIBILITY ANALYSIS

Organizational: Does the plan correspond to the organization's objectives? What is in it for the organization? Does it limit the organization's capabilities in any way?
Operational: Will stakeholders (users, managers, etc.) be able/willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
Technical: Is the necessary technology owned or obtainable? Are our employees trained and, if not, can we afford to train them? Should we hire new employees?
Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the budget required justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?
RISK CONTROL STRATEGIES

• Defense
• Transferal
• Mitigation
• Acceptance (Abandonment)
• Termination
RISK CONTROL STRATEGY: DEFENSE

Defense: Prevent the exploitation of the system via application of policy, training/education, and technology. Preferably layered security (defense in depth).
• Counter threats
• Remove vulnerabilities from assets
• Limit access to assets
• Add protective safeguards
RISK CONTROL STRATEGY: TRANSFERAL

Transferal: Shift risks to other areas or outside entities to handle.
Can include:
• Purchasing insurance
• Outsourcing to other organizations
• Implementing service contracts with providers
• Revising deployment models
RISK CONTROL STRATEGY: MITIGATION

Mitigation: Creating plans and preparations to reduce the damage of threat actualization.
Preparation should include:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
RISK CONTROL STRATEGY: ACCEPTANCE

Acceptance: Properly identifying and acknowledging risks, and choosing to not control them.
Appropriate when:
• The cost to protect an asset or assets exceeds the cost to replace it/them
• The probability of risk is very low and the asset is of low priority
Otherwise acceptance = negligence
RISK CONTROL STRATEGY: TERMINATION

Termination: Removing or discontinuing the information asset from the organization.
Examples include:
• Equipment disposal
• Discontinuing a provided service
• Firing an employee
PROS AND CONS OF EACH STRATEGY

Strategy | Pros | Cons
Defense | Preferred all-round approach | Expensive and laborious
Transferal | Easy and effective | Dependence on external entities
Mitigation | Effective when all else fails | Guarantees company loss
Acceptance | Cheap and easy | Rarely appropriate, unsafe
Termination | Relatively cheap and safe | Rarely appropriate, requires company loss
STANDARD APPROACHES TO RISK MANAGEMENT

• U.S. CERT's Operationally Critical Threat Assessment Vulnerability Evaluation (OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-Allegro)
• ISO 27005 Standard for InfoSec Risk Management
• NIST Risk Management Model
• Microsoft Risk Management Approach
• Jack A. Jones' Factor Analysis of Information Risk (FAIR)
• Delphi Technique
RISK MANAGEMENT SOFTWARE

https://www.youtube.com/watch?v=lUZy7je-nMY