Security Risk Analysis and Management

RISK MANAGEMENT:
CONTROLLING RISK IN
INFORMATION SECURITY
THE PURPOSE OF RISK MANAGEMENT

 Ensure overall business and business assets are safe

 Protect against competitive disadvantage
 Compliance with laws and best business practices
 Maintain a good public reputation
STEPS OF A RISK MANAGEMENT PLAN

Step 1: Identify Risk

Step 2: Assess Risk
Step 3: Control Risk
Steps are similar regardless of context (InfoSec, Physical Security, Financial,
etc.)
This presentation will focus on controlling risk within an InfoSec context
 Asset Asset Type Asset Function Priority Level
RISK IDENTIFICATION and
Subcategory
(Low,
Medium,
High, Critical)
Bob Worker Personnel: • Secure Low
InfoSec Networks
The steps to risk identification are: • Penetration
Testing
 Identify your organization’s • Make coffee
information assets
Cisco UCS Hardware: • Database High
 Classify and categorize said assets B460 M4 Blade Networking Server
into useful groups Server
Customer Data: • Provide Critical
 Rank assets necessity to the Personally Confidential information
organization Identifiable Information for all
Information business
To the right is a simplified example (PII) transactions
of how a company may identify Windows 7 Software: • Employee Medium
risks Operating access to
System enterprise
software
 Threat Targeted Threat Possible Risk (Scale
Agent and Asset Level Exploits of 1-5)
Threat
RISK ASSESSMENT
The steps to risk assessment are:
 Identify threats and threat agents Disgruntled Company High Access 4.16
 Prioritize threats and threat agents Insider: data (i.e. control
Steal Customer credentials,
 Assess vulnerabilities in current InfoSec company PII) knowledge
plan information of InfoSec
to sell policies,
 Determine risk of each threat etc.
R=P*V–M+U Fire: Burn Company Critical Mishandled 2.78
the facility Facility, equipment
R = Risk down or Personnel,
P = Probability of threat attack cause major Equipment
damage
V = Value of Information Asset
Hacktivists: Company Low Lack of 1.39
M = Mitigation by current controls Quality of Hardware/S effective
U = Uncertainty of vulnerability service oftware filtering
deviation
The table to the right combines elements of
all of these in a highly simplified format
RISK CONTROL
The steps to risk control are:
•Cost-Benefit Analysis (CBA)
• Single Loss Expectancy (SLE)
• Annualized Rate of Occurrence (ARO)
• Annual Loss Expectancy (ALE)
• Annual Cost of the Safeguard (ASG)
•Feasibility Analysis
• Organizational Feasibility
• Operational Feasibility
• Technical Feasibility
• Political Feasibility
•Risk Control Strategy Implementation
 VULNERABILITY
ASSESSMENT (CONT’D.)
Single loss expectancy (SLE)
 Expected monetary loss each time a risk occurs
 Calculated by multiplying the asset value by exposure factor
 Exposure factor: percentage of asset value likely to be destroyed by a particular risk

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION 8

 VULNERABILITY
ASSESSMENT (CONT’D.)
Annualized loss expectancy (ALE)
 Expected monetary loss over a one year period
 Multiply SLE by annualized rate of occurrence
 Annualized rate of occurrence (ARO) : probability that a risk will occur in a particular year
 It can be calculated by multiplying the annual rate of occurrence (ARO) by single loss expectancy (SLE).

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION 9

Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this
asset is 25%.
 The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.
 For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000, or $25,000.

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION 10

SECURITY+ GUIDE TO NETWORK SECURITY FUNDAMENTALS, FOURTH EDITION 11
COST-BENEFIT ANALYSIS

Determine what risk control strategies are

cost effective
Below are some common formulas used to
calculate cost-benefit analysis
SLE = AV * EF
 AV = Asset Value, EF = Exposure factor
(% of asset affected)
ALE = SLE * ARO
CBA = ALE (pre-control) – ALE (post-
control) – ASG
FEASIBILITY ANALYSIS

Organizational: Does the plan correspond to the organization’s objectives? What is in it for
the organization? Does it limit the organization’s capabilities in any way?
Operational: Will shareholders (users, managers, etc.) be able/willing to accept the plan? Is
the system compatible with the new changes? Have the possible changes been communicated
to the employees?
Technical: Is the necessary technology owned or obtainable? Are our employees trained and
if not can we afford to train them? Should we hire new employees?
Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is
the budget required justifiable? Does InfoSec have to compete with other departments to
acquire the desired budget?
RISK CONTROL STRATEGIES

Defense
Transferal
Mitigation
Acceptance (Abandonment)
Termination
RISK CONTROL STRATEGY: DEFENSE

Defense: Prevent the exploitation of the

system via application of policy,
training/education, and technology.
Preferably layered security (defense in
depth)
Counter threats
Remove vulnerabilities from assess
Limit access to assets
Add protective safeguards
RISK CONTROL STRATEGY: TRANSFERAL

Transferal: Shift risks to other areas or

outside entities to handle
Can include:
Purchasing insurance
Outsourcing to other organizations
Implementing service contracts with
providers
Revising deployment models
RISK CONTROL STRATEGY: MITIGATION

Mitigation: Creating plans and

preparations to reduce the damage of
threat actualization
Preparation should include a:
Incidence Response Plan
Disaster Recovery Plan
Business Continuity Plan
RISK CONTROL STRATEGY: ACCEPTANCE

Acceptance: Properly identifying and

acknowledging risks, and choosing to
not control them
Appropriate when:
The cost to protect an asset or assets
exceeds the cost to replace it/them
When the probability of risk is very
low and the asset is of low priority
Otherwise acceptance = negligence
RISK CONTROL STRATEGY: TERMINATION

Termination: Removing or discontinuing

the information asset from the
organization
Examples include:
Equipment disposal
Discontinuing a provided service
Firing an employee
PROS AND CONS OF EACH STRATEGY
Pros
Defense: Preferred all round approach
Transferal: Easy and effective
Mitigation: Effective when all else fails
Acceptance: Cheap and easy
Termination: Relatively cheap and safe
Cons
Defense: Expensive and laborious
Transferal: Dependence on external
entities
Mitigation: Guarantees company loss
Acceptance: Rarely appropriate, unsafe
Termination: Rarely appropriate,
requires company loss
STANDARD APPROACHES TO RISK
MANAGEMENT
U.S CERT’s Operationally Critical Threat Assessment Vulnerability Evaluation
(OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-Allegro)
ISO 27005 Standard for InfoSec Risk Management
NIST Risk Management Model
Microsoft Risk Management Approach
Jack A. Jones’ Factor Analysis of Information Risk (FAIR)
Delphi Technique
RISK MANAGEMENT SOFTWARE

https://www.youtube.com/watch?v=lUZy7je-nMY