Risk
Management
Acknowledgments
Material is sourced from:
 CISM® Review Manual 2012, © 2011, ISACA. All rights reserved.
Used by permission.
 All-in-One CISSP Exam Guide, 4th Ed. / Shon Harris, McGraw Hill,
2008
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information
Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations
expressed in this material are those of the author(s) and/or
source(s) and do not necessarily reflect the views of the National
Science Foundation.
Objectives
Students should be able to:
 Define risk management process: risk management, risk assessment, risk
analysis, risk appetite, risk treatment, accept residual risk
 Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk
mitigation/risk reduction, risk transference
 Describe threat types: natural, unintentional, intentional, intentional (nonphysical)
 Define threat agent types: hacker/crackers, criminals, terrorists, industry
spies, insiders
 Perform risk analysis using techniques: qualitative, quantitative
 Define vulnerability, SLE, ARO, ALE, due diligence, due care
How Much to Invest in Security?
How much is too much?
 Firewall
 Intrusion Detection/Prevention
 Guard
 Biometrics
 Virtual Private Network
 Encrypted Data &
Transmission
 Card Readers
 Policies & Procedures
 Audit & Control Testing
 Antivirus / Spyware
 Wireless Security
How much is too little?
 Hacker attack
 Internal Fraud
 Loss of Confidentiality
 Stolen data
 Loss of Reputation
 Loss of Business
 Penalties
 Legal liability
 Theft & Misappropriation
Security is a Balancing Act between Security Costs & Losses
Risk Management
Structure
Internal Factors
External Factors
Risk Mgmt Strategies are determined by both internal & external factors
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk Management Process
What to investigate?
What to consider?
Identification
What assets & risks exist?
Analysis
What does this risk cost?
What priorities shall we set?
Evaluation
What controls can we use?
Avoid
Reduce
Transfer
Accept Residual Risk
Retain
Risk Communication
& Monitoring
Risk
Risk Assessment
Treatment
Establish
Scope &
Boundaries
Risk Appetite




Do you operate your computer with or without antivirus
software?
Do you have antispyware?
Do you open emails with forwarded attachments from
friends or follow questionable web links?
Have you ever given your bank account information to a
foreign emailer to make $$$?
What is your risk appetite?
If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after
evaluating risk
Continuous Risk Mgmt Process
Risk
Appetite
Risks change with time as
business & environment changes
Controls degrade over time
and are subject to failure
Countermeasures may open
new risks
Identify &
Assess Risks
Develop Risk
Mgmt Plan
Proactive
Monitoring
Implement Risk
Mgmt Plan
Security Evaluation:
Risk Assessment
Five Steps include:
1. Assign Values to Assets:

2.
Determine Loss due to Threats & Vulnerabilities

3.
Weekly, monthly, 1 year, 10 years?
Compute Expected Loss


5.
Confidentiality, Integrity, Availability
Estimate Likelihood of Exploitation

4.
Where are the Crown Jewels?
Loss = Downtime + Recovery + Liability + Replacement
Risk Exposure = ProbabilityOfVulnerability * $Loss
Treat Risk



Survey & Select New Controls
Reduce, Transfer, Avoid or Accept Risk
Risk Leverage = (Risk exposure before reduction) – (risk
exposure after reduction) / (cost of risk reduction)
Step 1:
Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
 Assets include:







IT-Related: Information/data, hardware, software, services,
documents, personnel
Other: Buildings, inventory, cash, reputation, sales opportunities
What is the value of this asset to the company?
How much of our income can we attribute to this asset?
How much would it cost to recover this?
How much liability would we be subject to if the asset
were compromised?
Helpful websites: www.attrition.org
Determine Cost of Assets
Costs
Tangible $
Sales
Risk:
Product A
Risk:
Product B
Product C
Risk:
Intangible: High/Med/Low
Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Replacement Cost=
Cost of loss of integrity=
Cost of loss of availability=
Cost of loss of confidentiality=
Matrix of Loss Scenario
(taken from CISM Exhibit 2.16)
Size
of
Loss
Repu- Lawtation suit
Loss
Fines/
Reg.
Loss
Market
Loss
Exp.
Yearly
Loss
Hacker steals customer
data; publicly blackmails
company
1-10K
Recor
ds
$1M$20M
$1M$10M
$1M$35M
$1M$5M
$10M
Employee steals strategic
plan; sells data to
competitor
3-year Min.
Min.
Min.
$20M $2M
Backup tapes and Cust.
data found in garbage;
makes front-page news
10M
Recor
ds
$20M
$20M
$10M
$5M
$200K
Contractor steals employee
data; sells data to hackers
10K
Recor
ds
$5M
$10M
Min.
Min.
$200K
Step 1:
Determine Value of Assets
Asset Name
Laptop
$ Value
Direct Loss:
Replacement
$1,000
Equipment $10,000
$ Value
Consequential
Financial Loss
Mailings=
$130 x #Cust
Reputation
= $9,000
$2k per day
in income
Work
book
Confidentiality,
Integrity, and
Availability Notes
Conf., Avail.
Breach
Notification
Law
Availability
(e.g., due to
fire or theft)
Step 2: Determine Loss
Due to Threats
Natural: Flood, fire, cyclones,
rain/hail/snow, plagues and
earthquakes
Unintentional: Fire, water,
building damage/collapse, loss
of utility services, and
equipment failure
Intentional: Fire, water, theft,
vandalism
Intentional, non-physical:
Fraud, espionage, hacking,
identity theft, malicious code,
social engineering, phishing,
denial of service
Threat Agent Types
Hackers/
Crackers
Criminals
Terrorists
Industry
Spies
Insiders
Challenge, rebellion
Financial gain,
Disclosure/ destruction
of info.
Destruction/ revenge/
extortion
Competitive advantage
Opportunity, personal
issues
Unauthorized
access
Fraud, computer
crimes
DOS, info warfare
Info theft, econ.
exploitation
Fraud/ theft,
malware, abuse
Step 2: Determine Threats
Due to Vulnerabilities
System
Vulnerabilities
Misinterpretation:
Behavioral:
Poorly-defined
procedures,
Disgruntled employee,
employee error,
uncontrolled processes,
Insufficient staff,
poor network design,
Inadequate mgmt,
improperly configured
Inadequate compliance
equipment
enforcement
Coding
Problems:
Security ignorance,
poorly-defined
requirements,
defective software,
unprotected
communication
Physical
Vulnerabilities:
Fire, flood,
negligence, theft,
kicked terminals,
no redundancy
Step 3:
Estimate Likelihood of Exploitation
Best sources:
 Past experience
 National & international standards & guidelines:
NIPC, OIG, FedCIRC, mass media
 Specialists and expert advice
 Economic, engineering, or other models
 Market research & analysis
 Experiments & prototypes
If no good numbers emerge, estimates can be
used, if management is notified of guesswork
Likelihood of Exploitation:
Sources of Losses
Lost laptop/device 35%
Third party or outsourcer 21%
Electronic backup 19%
Paper records 9%
Malicious insider or code 9%
Hacked system 7%
Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu
Evaluation of 31 organizations
Step 4: Compute Expected Loss
Risk Analysis Strategies
Qualitative: Prioritizes risks so that highest risks
can be addressed first
 Based on judgment, intuition, and experience
 May factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of
impact in financial terms
Semiquantitative: Combination of Qualitative &
Quantitative techniques
Step 4: Compute Loss Using
Qualitative Analysis
Qualitative Analysis is used:
 As a preliminary look at risk
 With non-tangibles, such as reputation,
image -> market share, share value
 When there is insufficient information to
perform a more quantified analysis
Vulnerability Assessment
Quadrant Map
Snow emergency
Intruder
Work
book
Threat
(Probability)
Hacker/Criminal
Malware
Disgruntled Employee
Vulnerability
(Severity)
Flood
Spy
Fire
Terrorist
Step 4: Compute Loss Using
Semi-Quantitative Analysis
1.
2.
3.
4.
5.
Impact
Insignificant: No
meaningful impact
Minor: Impacts a small
part of the business, <
$1M
Major: Impacts company
brand, >$1M
Material: Requires
external reporting,
>$200M
Catastrophic: Failure or
downsizing of company
Likelihood
1.
2.
3.
4.
5.
Rare
Unlikely: Not seen
within the last 5 years
Moderate: Occurred in
last 5 years, but not in
last year
Likely: Occurred in last
year
Frequent: Occurs on a
regular basis
Risk = Impact * Likelihood
SemiQuantitative Impact Matrix
Catastrophic
(5)
Impact
Material
(4)
Major
(3)
Minor
(2)
Insignificant
(1)
Rare(1)
Unlikely(2)
Moderate(3)
Likelihood
Likely (4)
Frequent(5)
Step 4: Compute Loss Using
Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the
organization if one threat occurs once

Eg. Stolen laptop=




Replacement cost +
Cost of installation of special software and data
Assumes no liability
SLE = Asset Value (AV) x Exposure Factor (EF)

With Stolen Laptop EF > 1.0
Annualized Rate of Occurrence (ARO): Probability or
frequency of the threat occurring in one year

If a fire occurs once every 25 years, ARO=1/25
Annual Loss Expectancy (ALE): The annual expected
financial loss to an asset, resulting from a specific threat

ALE = SLE x ARO
Risk Assessment Using
Quantitative Analysis
Quantitative:
 Cost of HIPAA accident with insufficient
protections
 SLE
= $50K + (1 year in jail:) $100K = $150K
 Plus loss of reputation…
Estimate of Time = 10 years or less = 0.1
 Annualized Loss Expectancy (ALE)=

 $150
x .1 =$15K
Annualized Loss Expectancy
Asset
Value->
1 Yr
5 Yrs
10 Yrs
20 Yrs
$1K
$10K
$100K
$1M
1K
200
100
50
10K
2K
1K
1K
100K
20K
10K
5K
1000K
200K
100K
50K
Asset Costs $10K
Risk of Loss 20% per Year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss
Quantitative
Risk
Work
book
Asset Threat Single Loss
Expectancy
(SLE)
Buildi
ng
Fire
Laptop Stolen
$1M
$1K + $9K
(breach
notif)
Annualized
Rate of
Occurrence
(ARO)
.05
(20 years)
Annual Loss
Expectancy
(ALE)
0.2
(5 years)
$1K
$50K
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
 E.g.: Comet hits
 Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
 E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize
vulnerability
 E.g. Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
 E.g., Buy malpractice insurance (doctor)
 While financial impact can be transferred, legal
responsibility cannot
Risk Planning: Implement a set of controls
Input
Hardware, software
Company history
Intelligence agency
data: NIPC, OIG
Audit &
test results
Current and Planned
Controls
Threat motivation/
capacity
Business Impact
Analysis
Data Criticality &
Sensitivity analysis
Likelihood of threat
exploitation
Magnitude of impact
Plan for risk
NIST Risk
Assessment
Methodology
Activity
System Characterization
Identify Threats
Output
System boundary
System functions
System/data criticality
System/data sensitivity
Identify Vulnerabilities
List of threats
& vulnerabilities
Analyze Controls
List of current &
planned controls
Determine Likelihood
Likelihood Rating
Analyze Impact
Impact Rating
Determine Risk
Documented Risks
Recommend Controls
Recommended Controls
Document Results
Risk Assessment
Report
Control Types
Compensating
Control
Threat
Creates
Deterrent
Control
Reduces
likelihood of
Reduces
likelihood of
Corrective
Control
Attack
Vulnerability
Detective
Control
Decreases
Preventive
Control
Results
in
Impact
THREAT
Deterrent
control
R
i
s
k
P
r
o
b
a
b
i
l
i
t
y
Mitigating
control
Detective
control
Preventive
control
V
U
L
N
E
R
A
B
I
L
I
T
Y
Corrective
control
I
M
P
A
C
T
Residual
risk
Controls & Countermeasures
Cost of control should never exceed the
expected loss assuming no control
 Countermeasure = Targeted Control

 Aimed
at a specific threat or vulnerability
 Problem: Firewall cannot process packets fast
enough due to IP packet attacks
 Solution: Add border router to eliminate
invalid accesses
Analysis of Risk vs. Controls
Workbook
Risk
ALE or
Score
Control
Cost of
Control
Stolen
Laptop
$1K
Encryption
($9K Breach
Notif. Law)
Disk Failure $3K per day
RAID
Hacker
$9K Breach
Notif. Law
Firewall
Cost of Some Controls is shown in Case Study Appendix
$60
$750
$1K
Extra Step:
Step 6: Risk Monitoring
Stolen Laptop
In investigation
$2k, legal issues
HIPAA Incident
Response
Procedure being defined –
incident response
$200K
Cost overruns
Internal audit investigation
$400K
HIPAA: Physical
security
Training occurred
$200K
Security Dashboard, Heat chart or Stoplight Chart
Report to Mgmt status of security
 Metrics showing current performance
 Outstanding issues
 Newly arising issues
 How handled – when resolution is expected
Training







Importance of following policies & procedures
Clean desk policy
Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering
Security Control Baselines &
Metrics
Baseline: A measurement
of performance
 Metrics are regularly and
consistently measured,
quantifiable,
inexpensively collected
 Leads to subsequent
performance evaluation
 E.g. How many viruses is
help desk reporting?
90
80
70
Stolen Laptop
Virus/Worm
% Misuse
60
50
40
30
20
10
0
Year 1 Year 2 Year 3 Year 4
(Company data - Not real)
Risk Management
Risk Management is aligned with business
strategy & direction
 Risk mgmt must be a joint effort between
all key business units & IS
 Business-Driven (not Technology-Driven)

Steering Committee:
• Sets risk management priorities
• Define Risk management objectives to
achieve business strategy
Risk Management Roles
Governance & Sr Mgmt:
Info. Security Mgr
Allocate resources, assess
Develops, collaborates, and
& use risk assessment results manages IS risk mgmt process
Business Managers
(Process Owners)
Make difficult decisions
relating to priority to
achieve business goals
System / Info Owners
Responsible to ensure
controls in place to
address CIA.
Sign off on changes
Chief Info Officer
IT planning, budget,
performance incl. risk
IT Security Practitioners
Implement security requirem
into IT systems: network,
system, DB, app, admin.
Security Trainers
Develop appropriate
training materials, including
risk assessment, to
educate end users.
Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Senior Mgmt Support
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we
prone to, and what is the financial costs of
these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we
prone to, and what is the financial costs of
these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls
Question
The FIRST step in Security Risk
Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question
1.
2.
3.
4.
Single Loss Expectancy refers to:
The probability that an attack will occur in one
year
The duration of time where a loss is expected
to occur (e.g., one month, one year, one
decade)
The cost of losing an asset once
The average cost of loss of this asset per year
Question
1.
2.
3.
4.
The role(s) responsible for deciding whether
risks should be accepted, transferred, or
mitigated is:
The Chief Information Officer
The Chief Risk Officer
The Chief Information Security Officer
Enterprise governance and senior business
management
Question
1.
2.
3.
4.
Which of these risks is best measured using a
qualitative process?
Temporary power outage in an office building
Loss of consumer confidence due to a
malfunctioning website
Theft of an employee’s laptop while traveling
Disruption of supply deliveries due to flooding
Question
1.
2.
3.
4.
The risk that is assumed after
implementing controls is known as:
Accepted Risk
Annualized Loss Expectancy
Quantitative risk
Residual risk
Question
1.
2.
3.
4.
The primary purpose of risk management
is to:
Eliminate all risk
Find the most cost-effective controls
Reduce risk to an acceptable level
Determine budget for residual risk
Question
1.
2.
3.
4.
Due Diligence ensures that
An organization has exercised the best possible
security practices according to best practices
An organization has exercised acceptably reasonable
security practices addressing all major security areas
An organization has implemented risk management and
established the necessary controls
An organization has allocated a Chief Information
Security Officer who is responsible for securing the
organization’s information assets
Question
1.
2.
3.
4.
ALE is:
The average cost of loss of this asset, for a
single incident
An estimate using quantitative risk
management of the frequency of asset loss due
to a threat
An estimate using qualitative risk management
of the priority of the vulnerability
ALE = SLE x ARO
Jamie Ramon MD
Doctor
Chris Ramon RD
Dietician
Terry
Pat
Licensed
Software Consultant
Practicing Nurse
HEALTH FIRST CASE STUDY
Analyzing Risk
Step 1: Define Assets
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name
Medical DB
Daily Operation (DO)
Medical Malpractice (M)
HIPAA Liability (H)
Notification Law Liability (NL)
$ Value
$ Value
Confidentiality, Integrity,
Direct Loss: Consequentia and Availability Notes
l Financial
Replacement
Loss
C? I? A?
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name
$ Value
$ Value
Confidentiality, Integrity,
Direct Loss: Consequentia and Availability Notes
l Financial
Replacement
Loss
Medical DB
DO+M_H+NL
Daily Operation (DO)
$
Medical Malpractice (M)
$
HIPAA Liability (H)
$
Notification Law Liability (NL)
$
C IA
HIPAA Criminal Penalties
$ Penalty Imprisonment
Up to $50K
Up to one
year
Up to
$100K
Up to 5
years
Up to
$500K
Up to 10
years
Offense
Wrongful disclosure of
individually identifiable health
information
…committed under false
pretenses
… with intent to sell, achieve
personal gain, or cause
malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
Normal threats: Threats common to all
organizations
 Inherent threats: Threats particular to your
specific industry
 Known vulnerabilities: Previous audit
reports indicate deficiencies.

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
Slow Down Business
1 week
2
1 year
Temp. Shut Down Business
Threaten Business
Threat
(Probability)
Hacker/Criminal
Loss of Electricity
Snow Emergency
1
Malware
Pandemic
Failed Disk
Tornado/Wind Storm
Stolen Laptop
5 years
(.2)
Stolen Backup Tape(s)
10 years
(.1)
Vulnerability
(Severity)
Flood
20 years
(.05)
4
50 years
(.02)
Earthquake
Social Engineering
Intruder
Fire
3
Step 4: Compute Expected Loss
Step 5: Treat Risk
Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset
Threat
Single Annual Annual
Loss
ized
Loss
Expect Rate of Expect
ancy Occurr ancy
(ALE)
ence
(SLE)
Step 5: Treat Risk



(ARO)


Risk Acceptance: Handle
attack when necessary
Risk Avoidance: Stop doing
risky behavior
Risk Mitigation: Implement
control to minimize
vulnerability
Risk Transference: Pay
someone to assume risk for
you
Risk Planning: Implement a
set of controls
Reference
Slide #
Slide Title
Source of Information
6
Risk Management Process
CISM: page 97 Exhibit 2.2
8
Continuous Risk Mgmt Process
CISM: page 97 Exhibit 2.3
9
Security Evaluation: Risk Assessment
CISM: page 100
12
Matric of Loss Scenario
CISM: page 114 Exhibit 2.15
14
Step 2: Determine Loss Due to Threats
CISM: page 105
16
Step 2: Determine Threats Due to Vulnerabilities
CISM: page 105
17
Step 3: Estimate Likelihood of Exploitation
CISM: page 107-110
18
Likelihood of Exploitation Sources of Losses
CISM: page 118 Exhibit 2.11
19
Step 4; Compute Expected Loss Risk Analysis Strategies
CISM: page 108- 110
20
Step 4: Compute Loss Using Qualitative Analysis
CISM: page 108
22
Step 4: Compute Loss Using Semi- Quantitative Analysis
CISM: page 108,109
23
SemiQuantitative Impact Matrix
CISM: page 109 Exhibit 2.12
24
Step 4: Compute Loss Using Quantitative Analysis
CISM: page 109, 110
26
Annualized Loss Expectancy
CISM: page 110
28
Step 5: Treat Risk
CISM: page 110, 111
29
NIST Risk Assessment Methodology
CISM: page 102 Exhibit 2.7
30
Control Types
CISM: page 186 Exhibit 3.18
32
Controls & Countermeasures
CISM: page 184, 185
36
Security Control Baselines & Metrics
CISM: page 191-193
37
Risk Management
CISM: page 91, 92
38
Risk Management Roles
CISM: page 94