INFORMATION SECURITY
MANAGEMENT
LECTURE 8: RISK MANAGEMENT
CONTROLLING RISK
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Introduction
• To keep up with the competition, organizations
must design and create a safe environment in
which business processes and procedures can
function
Risk Control Strategies
• Choose one of four basic strategies:
 Avoidance
 Transference
 Mitigation
 Acceptance
Avoidance
• The risk control strategy that attempts to
prevent the exploitation of the vulnerability
• Examples
Transference
• The control approach that attempts to shift
the risk to other assets, other processes, or
other organizations
• Examples
Mitigation
• The control approach that attempts to reduce the
damage caused by exploitation of vulnerability
–
–
Using planning and preparation
Depends upon the ability to detect and respond
to an attack as quickly as possible
• Types of Mitigation Plans
Acceptance
• Do nothing to protect an information asset
–
To accept the loss when it occurs
Managing Risk
• Risk appetite (also known as risk tolerance)
• The reasoned approach to risk is one that
balances the expense (in terms of finance
and the usability of information assets)
against the possible losses if exploited
Managing Risk – Residual Risk
• Residual Risk is a combined function of:
–
Threats, vulnerabilities and assets, less the
effects of the safeguards in place
• Goal of information security is not to bring
residual risk to zero
Managing Risk – Residual Risk
• Once a control strategy has been selected
and implemented:
–
The effectiveness of controls should be
monitored and measured on an ongoing basis

determines effectiveness and accuracy of the
residual risk estimate
Managing Risk (cont’d.)
Figure 9-1 Residual risk
Source: Course Technology/Cengage Learning
Managing Risk – Risk Control
• Risk control involves selecting one of the four
risk control strategies
Should the organization ever
accept the risk?
Risk Acceptance
Figure 9-2 Risk-handling action points
Source: Course Technology/Cengage Learning
Risk Control Cycle
Figure 9-3 Risk control cycle
Source: Course Technology/Cengage Learning
Feasibility and Cost-Benefit Analysis
• There are a number of ways to determine the
advantage or disadvantage of a specific control
•
The primary means are based on the value of
the information assets that it is designed to
protect
• Economic feasibility
–
Evaluating the worth of the information assets to
be protected and the loss in value if those
information assets are compromised
Cost-Benefit Analysis:
Cost
• Factors that affect the cost of a safeguard
–
–
–
–
Cost of development or acquisition of
hardware, software, and services
Training fees
Cost of implementation
Service and maintenance costs
Cost-Benefit Analysis:
Benefit
The value to the organization of using controls to
prevent losses associated with a specific
vulnerability
Cost-Benefit Analysis:
Asset Valuation
The process of assigning financial value or
worth to each information asset
Involves estimation of real and perceived costs
associated with the design, development,
installation, maintenance, protection, recovery,
and defense against loss and litigation
Cost-Benefit Analysis:
Asset Valuation
• An organization must be able to place a dollar
value on each information asset it owns
• Potential loss is that which could occur from
the exploitation of vulnerability or a threat
occurrence
Cost-Benefit Analysis Calculation
• CBA determines whether or not a control
alternative is worth its associated cost
• CBAs may be calculated before a control or
safeguard is implemented Or calculated after
controls have been implemented and have
been functioning for a time
Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS
–
ALE (prior to control) is the annualized loss
expectancy of the risk before the implementation
of the control
–
ALE (post-control) is the ALE examined after the
control has been in place for a period of time
–
ACS is the annual cost of the safeguard
Example of Cost-Benefit Analysis
Calculation
 Dropping an iPad and breaking the screen
 Asset value: $700

Exposure factor: 50%
SLE = $700 x 50% = $350
ARO = 25% chance of damaging
ALE (prior) = 25% x $350 = $87.50

ALE (post) = 5% x $350 = $17.50



 CBA (cost of case = $30)


CBA = ALE(prior) – ALE(post) – ACS
CBA = 87.50 – 17.50 – 30.00 = $40
Example of Cost-Benefit Analysis
Calculation
 Unprotected customer database
 Asset value: $200,000





Exposure factor: 50%
SLE = $200,000 x 50% = $50,000
ARO = 75% chance of occurring
ALE (prior) = 75% x $200,000 = $50,000
ALE (post) = 10% x $200,000 = $20,000
 CBA (ACS = $5,000)

CBA = ALE(prior) – ALE(post) – ACS

CBA = $50,000 – $20,000 – $5,000 = $25,000
Other Methods of Establishing
Feasibility
•
•
•
•
Organizational feasibility analysis
Operational feasibility
Technical feasibility
Political feasibility
Alternatives to Feasibility Analysis
• Benchmarking
• Due care and due diligence
• Best business practices
• Gold standard
• Government recommendations
• Baseline
Risk Management and Employees
“Only two things are finite, the universe and
human stupidity, and I’m not sure about the
former.”
- Albert Einstein
Types of Employees and Security Knowledge



Those who know
Those who don’t
Those who think they know but don’t
Recommended Risk Control Practices
• Organizations typically look for a more
straightforward method of implementing controls
• This preference has prompted an ongoing
search for ways to design security architectures
that go beyond the direct application of specific
controls for specific information asset
vulnerability
Recommended Risk Control Practices
• Qualitative/Quantitative Approach
• Octave Methods
• Microsoft Risk Management Approach
• FAIR
Qualitative and Hybrid Measures
• Quantitative assessment
• Qualitative assessment
• Hybrid assessment
OCTAVE Method
• The Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE) Method
• Variations of the OCTAVE method
–
–
–
The original OCTAVE method
OCTAVE-S
OCTAVE-Allegro
www.cert.org/octave/
Microsoft Risk Management Approach
• Four phases in the Microsoft InfoSec risk
management process:
–
–
–
–
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
Microsoft Risk Management Approach
Figure A-1 Security Risk Management Guide
Source: Course Technology/Cengage Learning
Factor analysis of Information Risk
(FAIR)
• Basic FAIR analysis is comprised of four stages:
•
•
•
•
Stage 1 - Identify scenario components
Stage 2 - Evaluate loss event frequency
Stage 3 - Evaluate probable loss magnitude(PLM)
Stage 4 - Derive and articulate Risk
• Unlike other risk management frameworks, FAIR
relies on the qualitative assessment of many risk
components using scales with value ranges, for
example very high to very low
http://fairwiki.riskmanagementinsight.com
FAIR (cont’d.)
Figure 9-4 Factor analysis of information risk (FAIR)
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
(Based on concepts from Jack A. Jones)