Utilizing a
Quantitative
Risk Approach
TO DRIVE STRATEGIC IT COMPLIANCE
VA SCAN
OCTOBER 3, 2013
Glenn R. Wilson
Classifying IT Risk
 Data risk
• Breach, loss, corruption, unavailability
 Operational risk
• Performance degradation, denial of service, outages
 Non-compliance risk
Common IT Risks
 Unauthorized data access and changes
 Data loss, corruption, unavailability
 Denial of service attacks, malware
 Physical device failure, theft or destruction
 Inadequate system capacity, network architecture
 Poor application coding, failed implementations
 Inadequate change management controls
 Regulatory compliance violations
Common IT Risk Impacts
 Reduced customer satisfaction  permanent customer loss
 Business process interruption  lost productivity / revenues
 Penalties, fines, sanctions, reputational damage, personal liability
 Fraud, identity theft, loss of financial assets
 Failure to achieve core business objectives
 What are the common themes?
 Mission risk
 Monetary loss
 Legal liability
Why Comply?
 Compliance reduces exposure to penalties and litigation
 Compliance provides a baseline for risk management
 Compliance is integral to proper corporate governance
 Compliance requires a business to adopt best practices
 Compliance promotes organizational effectiveness
In Compliance
 What does it mean to be “in compliance”?
 How do you know when you have achieved it?
 How do you sustain a state of compliance?
 What do we have to comply with?
FERPA, HIPAA, HITECH, GLBA, SOX, PCI DSS, FISMA, ECPA,
COPPA, EFTA, Bank Secrecy Act, USA Patriot Act, Basel II Accord …
The short answer: “industry standards, federal, state and local laws”
How many organizations put this statement into their policies
and aren’t exactly sure what they are obligating themselves to?
Approaching Compliance
 “Compliance should be the floor, not the ceiling, of your efforts” “It’s the
fundamental layer for every security program.” (Rafael Diaz, CISO of the State of Illinois,
quoted by Security Magazine from a Nov 2012 Chicago SC Congress event of SC Magazine)
 Other speakers warned against using compliance as the be-all-end-all of an
information security program.
 “Compliance is a great hammer – if you have a nail”. “Don’t use a hammer if
you have a screw”. “Using a FAIR report (Factor Analysis of Information
Risk), which can translate the risk into real dollar amounts, making it easier to
sell to the C-suite”. (Ward Spangenberg, CISO of Pearl.com, formerly of online gaming giant
Zynga, quoted by Security Magazine from a Nov 2012 Chicago SC Congress event of SC Magazine)
Source: http://www.securitymagazine.com/blogs/14-security-blog/post/83788-cisos-look-past-compliance-for-new-solutions-to-old-problems
Successfully Achieving Compliance
 Know your organization’s specific compliance exposure
 Know the processes by which its objectives are achieved
 Gain executive level support
 Obtain managerial and staff commitment
Where do you start?
The invariable starting point is…
Business Impact Assessment
Realities of Compliance
 Compliance is not equal to Risk Management
(although achieving compliance does mitigate risk)
 Can achieving compliance create risk?
Yes. What kinds? Operational, Financial, Legal
 Failure to achieve compliance is itself a risk category
Drivers of Compliance
 What is the primary driver of organizational compliance?
Non-compliance risk – Penalties, sanctions, liabilities
 Other risk drivers: Financial, Reputational, Operational & Individual risk
 Who primarily drives organizational compliance?





Board?
Executive Management?
Compliance Officers?
Internal Auditors?
Middle Management?
Effective programs are driven by a
culture of compliance and align with
the organization’s strategic planning
Degrees of Compliance
 To what extent should an organization ‘be in compliance’
with a given regulatory requirement or industry standard?
 100%?  80%?  50%?
 0%?
 How fast should an organization achieve compliance?
 How long should an organization be in compliance?
How far? How fast? How long?
Risk Versus Compliance
Risk
How does risk vary with compliance?
Compliance
Greater compliance can decrease risk at many levels
Greater compliance may increase risk at many levels
Risk Mitigation Versus Cost
Risk
Diminishing
Return
Cost
What costs may be associated with risk mitigation?
 Financial resources
 Human resources
 Competitive advantage loss
“Selling” Compliance
 The need for compliance sells itself
 The degree of compliance needs to be driven to
levels appropriate for the organization.
 Compliance costs can be expensive at many levels
 Risks are well known but often not well understood
 Do not overstate the merits or consequences
 Do determine and promote impact awareness
Quantifying Risk To Drive Compliance
Are numbers persuasive?
 Join now for only $19.95 per month
 4 out of 5 dentists recommend sugarless gum
 More doctors smoke Camels than any other cigarette (133,597 surveyed)
 Gartner Group says that 43 percent of companies were immediately put
out of business by a “major loss” of computer records, and another 51
percent permanently closed their doors within two years — leaving a
mere six percent “survival” rate; (homelandsecuritynewswire.com Feb 19, 2010)
Qualitative vs Quantitative Analysis
Qualitative
•
•
•
•
•
Faster, not data intensive
More cost-effective or is it? It does not provide numerical impact making cost benefit analysis difficult
Analysis based on likelihood and impact
Results stated in terms of low, med, high or similar numerical scale
Good for prioritizing risk and identifying high risks that need immediate mitigation
Quantitative
•
•
•
•
Data intensive simulation and decision analysis
Results stated in terms of probabilities and costs
Primary advantage is the cost benefit analysis for efficient use of resources
Results that are not clear will be qualitatively determined
Not every risk requires or is suited to quantitative analysis
 Define a criteria for meaningful quantitative analysis of your organization’s risks
 Identify technique(s) to be utilized and develop methods for consistent application
 Define the expected outputs of the chosen quantitative analysis methods
Med High
Which Likelihood - Impact
pairs should be analyzed?
Low
Likelihood
Risk / Impact Models
Low
Med High
Impact
Risk / Impact Assessments
 Inherent risk = high (9/10), Residual risk = medium (6/10)
 Risk = (Probability) x (Impact)
 More scientific ‘closed form’ methods exist using Convolution and
Fourier Transforms which require large amounts of data to calculate
frequency and severity distributions to obtain an aggregate losses
(expected, unexpected, confidence levels)
 ‘Open form’ solutions such as Monte Carlo simulation and Latin
Hypercube sampling that evaluate scenarios for frequency and severity
of losses by generating random numbers using each type of distribution
(identified using actual loss data).
Risk / Impact Distribution Calculations
Events
and
Losses
Risk
Loss
Matrix
Frequency &
Loss Impact
Distributions
Value
At Risk
Calculation
Periodic
Aggregate Loss
Distribution
∞
PROB
20%
3%
10%
7%
35%
Pn%
IMPACT
RISK
$5,000.00 $1,000.00
$25,000.00
$750.00
$12,000.00 $1,200.00
$9,000.00
$630.00
$75,000.00 $26,250.00
$In
$Rn
𝑓 𝑥 = 𝑎0 +
𝑎𝑛 cos
𝑛=1
𝑛𝜋𝑥
𝑛𝜋𝑥
+ 𝑏𝑛 sin
𝐿
𝐿
VaR = VaR12 + VaR22 + 2 * C2* VaR1 * VaR2
Periodic
Aggregate
Loss
Risk / Impact Calculation Models
EF = (((TP×(C/E))×(VF×AP))/100)
EF: Exposure factor (% loss of asset)
TP: Threat probability
C: Criticality factor
E: Effort requited to exploit the threat
Adrian Munteanu, Alexandru Ioan Cuza University, Iasi, Romania
Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma
Managing Information in the Digital Economy: Issues & Solutions 228
Risk = Σan (Σram (Cm*(Vm*Om)))
Σan: Sum of the asset risk
Σram: Risk sum for each combination of criterion,
vulnerability and threat per asset
Cm: Criterion value for the current combination
Vm: Vulnerability risk level for current combination
Om: Threat occurrence for current combination
Abbas Asosheh, Bijan Dehmoubed, Amir Khani
Tarbiat Modares University Tehran, Iran
A New Quantitative Approach for Information Security Risk Assessment
2009 IEEE
Risk Exposure = ALE = SLE * ARO
ALE: Annualized Loss Expectancy
SLE: Single Loss Expectancy
ARO: Annual Rate of Occurrence
Return On Security Investment (ROSI) – A Practical Quantitative Model
Wes Sonnenreich, Jason Albanese and Bruce Stout
SageSecure, LLC 116 W. 23rd St., 5th Floor, NY, NY 10011 USA
Journal of Research and Practice in Information Technology, Vol. 38, No. 1, February 2006
Risk Score = log(10Risk Score1+10Risk Score2)
Likelihood Score =
log(10Likelihood Score1 + 10Likelihood Score2)
Consequence Score =
Risk Score – Likelihood Score
Xun Guo Lin & Richard Jarrett
Division of Mathematical and Information Sciences
A Practical Approach to Quantitative Risk Assessment
Canberra & Melbourne
Risk Conference, Wellington, 2009
Practical Considerations
What are the primary objectives of quantifying risk to drive compliance?
 To quantify in whole or in part losses, expenses and liability
(Some quantification is better than none)
 To use the methods and results to inform executive decision makers
What are the most useful numbers to consider?





Loss Expectancies (single and recurring)
Occurrence (actual or estimated)
Asset Value (tangible and intangible)
Recovery Costs
Long Term Costs
Establishing Impact Scales
 Risk appetite is organization specific
with dependencies on:
-
Industry
Business Mission
Capitalization and Cash Flow
Board and Executive Management
 Define risk / loss levels in terms of:
- Monetary value
- Liabilities / penalties
- Mission specific factors
IMPACT
Insignificant
Minor
Moderate
Severe
Disastrous
LOSS $
$10,000
$100,000
$500,000
$1,000,000
$10,000,000
SCORE
1
2
3
4
5
IMPACT
Insignificant
Minor
Moderate
Severe
Disastrous
LOSS (Units)
500
1,000
2,500
5,000
10,000
SCORE
1
2
3
4
5
Case Specific Factors
Is this a valid quantitative analysis?
Annual threat probability
Incident cost
Weighted cost
Annual counter cost
Cost benefit
75%
$1,000,000
$750,000
$600,000
$150,000
What are the case specific factors?
 Risk type and nature
 Basis for numeric values
 Cost types considered
Compliance Checklists
Strengths
 Identifying gaps and deficiencies (a very necessary activity)
Weaknesses
× Prioritizing remediation of deficiencies
× Tracking corrective actions
× Cost management
× Resource deployment
× May not result in value to the organization
× Does not ensure adequate security or risk mitigation
× May lead to an overburden of overlapping / unnecessary controls
Making The Case
 How related or specific is the compliance type to your business?
 Exactly what are the associated compliance risks?
 What are the expected costs and impacts to comply?
 How much return will be realized in reduction of risk or increased effectiveness?
 Numbers are most persuasive when they are validly derived, understandable and
relevant to a given situation. They can be mixed with qualitative factors.
Example – XYZ Act Compliance
The new XYZ federal ecommerce regulatory act will go into effect in 3 months. Even though your organization
derives significant revenue from ecommerce activities, the new act is not on the radar of executive management
even though you first brought the need to comply to their attention 18 months ago and again 3 months ago. You
are not directly responsible for ecommerce revenues but are responsible for operating the organization’s
ecommerce system within ‘industry standards, applicable federal, state and local laws. Major infrastructure
reconfiguration and architectural changes are needed to comply. How can you re-approach the subject with
executive management to gain the necessary support?
! According to the last quarter financials, $6k per hour or 46% of revenues come from ecommerce activities.
! There is a new threat vector that we have never faced before and there is a high probability that within
months our system will be exploited if it is not hardened to the new standard. The IDS upgrade will cost
$200k, and to comply within 3 months it will require 300 staff hours and $240k off peak ecommerce downtime.
! If we do not act and an incident occurs, it will likely be viewed as “willful negligence” and we would incur the
maximum fine of $10k a day plus average clean up costs of $80 per affected record of which we have 2
million. Our ecommerce operation could be disrupted or suspended by an external investigation for 7-10 days.
! Every week that this project is delayed will cost an additional $20k in peak downtime and $10k in shift
differential compensation.
Case 1 – PCI DSS
 Essential Elements of Compliance: Secure collection, handling, storage and transmission of cardholder data, quarterly system scan by a PCI SSC Approved Scanning Vendor (ASV), annual SAQ
 Non-Compliance Risk: The payment brands may, at their discretion, fine an acquiring bank
$5,000 to $100,000 per month for PCI compliance violations which will pass to the merchant. Bank
will also most likely either terminate your relationship or increase transaction fees. PCI is not a law.
 Compliance Risk: Potential adverse effects on business processes and IT workload
 Added Value: Mitigate risk of cardholder data breach, improved IT vendor contractual relations
Quantifying Risk Factors





Payment card revenue (gross and relative amounts)
Payment card transactions (gross and relative amounts)
Current transaction and processing fees
Cost to achieve compliance
Recurring costs
Case 2 – Sarbanes Oxley (SOX)
 Essential Elements of Compliance: Publicly traded companies must maintain all controls needed
for accurate financial reporting. Financial reports require an internal controls report.
 Non-Compliance Risk: Exchange de-listing, loss of investor confidence, loss of liability insurance.
Incorrect submissions carry up to a $1 million fine and 10 years in imprisonment.
Willful incorrect violations allow for up to $5 million fine and 20 years imprisonment.
 Compliance Risk: Drain on available resources, business process changes, IT requirements
are not well defined and attempts to comply may not pass an external audit.
 Added Value: More reliable financial and asset controls, increased market capitalization
Quantifying Risk Factors
 Stock ownership
 Current market capitalization
 Industry sector volatility
Case 3 – E911
 Essential Elements of Compliance (Virginia): All PBX/MLTS installed after July 1, 2009 must
provide ANI and ALI to the local PSAP for 911 calls unless alternate methods of notification have been
approved. (Article 8. Emergency Calls on Multiline Telephone Systems.§ 56-484.23)
 Non-Compliance Risk: (Varies by state) Fines, OSHA sanctions, worker’s compensation claims
caused by safety violation, common law liability, reputational damage
 Compliance Risk: Significant cost to upgrade or replace existing phone system, business interruption,
transient risk of media relation issues
 Added Value: Employee trust, increased productivity, public goodwill, decreased liability
Quantifying Risk Factors




Age of the existing phone system
Cost to upgrade versus replace
Number of facilities, geographic distribution and occupancy habits
Case law
Case 4 – Gramm Leach Bliley (GLBA)
 Essential Elements of Compliance: Protect consumers’ personal financial information held by financial
institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule,
the Safeguards Rule and pretexting provisions. The safeguard rule requires a plan that “contains
administrative, technical, and physical safeguards” to “insure the security and confidentiality of customer
information; protect against any anticipated threats or hazards to the security or integrity of such
information; and protect against unauthorized access to or use of such information that could result in
substantial harm or inconvenience to any customer.
 Risk of Non-Compliance Risk: Fines up to $100,000 for each violation, Personal liability to officers and
directors of up to $10,000 for each violation, Criminal penalties include imprisonment for up to 5 years.
More serious willful violations call for the fine will be doubled and imprisonment for up to 10 years.
(Monetary losses (immediate and future), reputational damage, personal liability)
 Risk of Compliance: Business process and operational change management
 Added Value: Customer relations, decreased legal liability
Quantifying Risk Factors
 Implementation / recurrent costs versus volume / revenue associated with qualifying financial activities
Comments? Questions?
Glenn R. Wilson, IT Audit Manager
Old Dominion University, Norfolk, VA
gwilson@odu.edu
757-683-3202
Thank you!