TDDD36 Secure Mobile Systems
Risk Analysis and Risk Assessment Process
Leonardo Martucci
Security and Networks Group, ADIT
Department of Computer and Information Science

In this lecture
  What is Risk Analysis? (how to describe risk)
  Risk Assessment Process: What? Who? How?
  Risk Analysis
  Risk Analysis Methods

What is Risk?
  Risk is related to future events and their consequences.
  We do not know much about them: UNCERTAINTY.
  Understanding that uncertainty: RISK ANALYSIS.

Example: Bow-tie Diagram
  Left side: causes that lead to A, with barriers and mitigation in between.
  Centre: A, the hazard or threat.
  Right side: consequences of A, with mitigation of consequences in between.
  The diagram is read left to right, from future events to their consequences.

Example: Bow-tie diagram, a real case scenario
  Hazard A: NOT passing this course.
  Causes include not doing your project work and not attending the tests.
  Other labels on the diagram: "I really like my teachers", "pay attention", "the chairs are too comfortable", "...".
  Consequences: one more year in Linköping, redo the project, being grounded by parents.

Risk Analysis in the Big Picture
  Security Management Process > Security Risk Assessment Process > Risk Analysis
  Alongside it: Operational Security, Testing, Auditing.

Who is responsible? The Information Security Manager
  prevent loss, fraud and data breaches
  demonstrate regulation compliance
  manage security policies
  ensure business continuity and disaster response
  prioritize security initiatives

Information Security Manager FAQ
  Given your limited resources, are you confident that your initiatives are addressing the largest security risks to your organization's assets?
  How do you demonstrate to management that your initiatives are addressing the largest security risks to your organization's assets?
  Risk Assessment: the basis for making security decisions.

What is Risk Assessment?
  The determination of the probability of asset losses, based on asset valuation, threat analysis, and a review of the effectiveness of current security controls.
  Risk Assessment contains Risk Analysis (or Risk Evaluation).
  More at NIST SP 800-30 (Risk Management Guide) and ISO 27001/2.

Risk Assessment and the Big Picture
  Security Management Process: the process of ensuring that risk is within acceptable bounds.
  Its cycle: Security Risk Assessment -> Risk Mitigation -> Operational Security -> Test and Review.
  Security Risk Assessment: threats / likelihood; vulnerabilities / exploits; assets / impacts; risks / countermeasures.
  Risk Mitigation: safeguard implementation; additional controls.
  Operational Security: patches; incident handling; training.
  Test and Review: scanning; audit of controls.

The 6 Phases of the Security Risk Assessment Process
  1. Project Definition   } Planning
  2. Project Preparation  }
  3. Data Gathering: administrative, technical, physical
  4. Risk Analysis (Risk Evaluation)
  5. Risk Mitigation
  6. Risk Reporting and Resolution

Phase 1: Project Definition
  Objective: define the scope and content of the deliverables.
  Cost and time (budget and time constraints).
  Divide the project into manageable tasks.
  Resources.
  Security Risk Assessment objective.

Phase 2: Project Preparation
  Team preparation AND selection: objectivity, expertise, experience.
  Pre-arrangements.
  Understand the organization: objectives; identify critical systems, assets, threats and security expectations.

Phase 3: Data Gathering
  Determine the status of the existing administrative, physical and technical
  security controls.
  How? A combination of data collection, testing and analysis.

Phase 4: Risk Analysis and Evaluation
  Review all the information collected and analyze the security risk: RISK ANALYSIS METHODS.

Phase 5: Risk Mitigation
  Reduce the risks to an acceptable level.
  Recommendation for safeguards: weigh threats, vulnerabilities and cost against the safeguards.
  Define and compare solution sets (A, B, C) by the risk reduction each achieves.

Phase 6: Risk Reporting and Resolution
  Report and presentation of recommendations.
  Target audience: executive management, technical personnel, the Information Security Manager.
  Decision-taking: risks are avoided or mitigated, delegated, or accepted.

An introduction to RISK ANALYSIS AND RISK ANALYSIS METHODS

Recapitulating
  Risk is related to future events and their consequences: UNCERTAINTY.
  How to express UNCERTAINTY?
Recapitulating
  Risk is related to future events and their consequences.
  Bow-tie: causes that lead to A; barriers and mitigation; A, the hazard or threat; consequences of A; mitigation of consequences.
  In short: causes, countermeasures and mitigators.

How To Express Uncertainty?
  Based on knowledge (K), associate an event (A) with a probability (P): P(A|K).
  A: NOT passing this course, P(A|K) = 0.05
  B: being grounded by parents (a consequence of A), P(B|A,K) = 0.01

Defining Risk in Terms of Probabilities
  A set of probabilities P associated with a set of consequences C, in relation to the severity of C.
  BUT NOT a perfect tool: the knowledge base (K) contains uncertainties and assumptions (being grounded by parents !!!).

Events, Causes and Consequences: Identification of Initial Events
  Different systems have different sets of events.
  Requires a structured, systematic strategy; different techniques, usually based on brainstorming, checklists and guides.
  Inputs to the event identification process: other analyses, experience, data gathering, assumptions, ...
  Output: a list of events, fed into the risk analysis method.

Events, Causes and Consequences: Cause Analysis
  Identify event triggers.
  Requires in-depth understanding of the system; different methods (brainstorming, fault trees, etc.).
  In the bow-tie: cause -> event (A, the hazard or threat) -> consequences of A.

Events, Causes and Consequences: Consequence Analysis
  Evaluate the possible consequences of an event A.
  Analysis of barriers and barrier failures; different methods for barrier analysis, e.g. event trees.
  In the bow-tie: event -> consequence.

Risk Analysis Methods
  They differ in the level of detail and required effort, and in the target system.
  Coarse Risk Analysis, Job Safety Analysis, FMEA, Fault Tree Analysis, Event Tree Analysis, HAZOP, SWIFT, Ishikawa Diagrams, Bayesian Networks, Monte Carlo Simulation, CORAS (this list is not comprehensive!)
Coarse Risk Analysis (Preliminary Risk Analysis)
  Provides a crude risk picture with a modest effort.
  It covers initial events, causes and consequences.
  How it works (often with forms): divide the system into sub-elements and carry out a risk analysis for each sub-element; classify risks under categories; attribute probabilities and consequences.
  Identifies the most important risk contributors.

Job Safety Analysis
  Risks associated with a work assignment, usually based on checklists.
  How it works: classify the activity (standard or not); identify conflicts between activities (e.g. a paint station next to a weld station); evaluate work steps and possible risks.

Failure Modes and Effects Analysis (FMEA)
  Simple analysis that reveals possible failures and predicts their effects on the system.
  How it works: a systematic inductive method; for each system component, investigate what happens if it fails (FMEA forms).
  Considers one component failure at a time, so it is not suitable for critical combinations of components.
  One of the most renowned risk analysis models.

FMEA Advantages and Disadvantages
  Advantages: systematic view of important failures; good basis for a more comprehensive analysis.
  Disadvantages: focus on technical failures (human failures overlooked); can be unsuitable for systems with much redundancy; resource demanding, since all components are analyzed (!).

Fault Tree Analysis
  One of the most used risk analysis methods, from the aerospace industry (Minuteman) to nuclear power plants.
  How it works: a deductive logical tree that describes the relations between system failures (events) and failures of components of the system.
  Undesirable event at the top; event and component failures or human errors at the bottom (basic events); connected with logical gates.

Fault Tree Analysis (continued)
  Deductive analysis: starting from the top event, ask "How can this happen?" or "What are the causes?"
  STOP when the desired level of detail is reached.
  Can identify failure combinations.
  Probabilities can be estimated: the occurrence of the top event, and the importance of basic events.

Event Tree Analysis
  Used to study the consequences of an event.
  Provides a picture of possible scenarios and probabilities linked to event sequences.
  An event tree with YES or NO answers: initiating event A, then branches B / not B, C / not C, ending in outcomes Y0, Y1, Y2.
  Best and worst scenarios; tree leaves are the costs; can accommodate multiple outcomes.

Summary: What you should know by now
  What risk is.
  What risk analysis is, and how it fits in the big picture (the Risk Assessment Process).
  There are multiple risk analysis methods, with different goals and required effort.

Recommended Reading
  Terje Aven, Risk Analysis: Assessing Uncertainties beyond Expected Values and Probabilities, chapters 1 to 6.
  Douglas J. Landoll, The Security Risk Assessment Handbook, second edition, chapters 1 and 2.
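The fault tree analysis from the slides, worked through in code as an added example (not part of the lecture): the tree, the event names and the failure probabilities are constructed for illustration, and basic events are assumed independent. It produces the three outputs the slides list: failure combinations (minimal cut sets), the probability of the top event, and the importance of basic events (using Birnbaum's measure, which the slides do not name).

```python
from itertools import product

# Constructed fault tree (illustrative only). Gates are ("AND", ...) or
# ("OR", ...) tuples; strings are basic events. Top event "customer data
# exposed" = credentials phished OR (server unpatched AND server exposed).
TREE = ("OR", "creds_phished", ("AND", "server_unpatched", "server_exposed"))
# Assumed, independent failure probabilities of the basic events.
PROB = {"creds_phished": 0.02, "server_unpatched": 0.10, "server_exposed": 0.30}

def basic_events(node):
    """Set of basic event names below this node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1:]))

def evaluate(node, state):
    """True if the node's event occurs for one assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, *children = node
    results = [evaluate(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)

def minimal_cut_sets(tree):
    """Smallest combinations of basic-event failures that cause the top event."""
    events = sorted(basic_events(tree))
    cuts = [frozenset(e for e, failed in zip(events, bits) if failed)
            for bits in product([False, True], repeat=len(events))
            if evaluate(tree, dict(zip(events, bits)))]
    return sorted((c for c in cuts if not any(o < c for o in cuts)), key=sorted)

def top_probability(tree, prob):
    """Exact P(top event) by summing over all 2^n states (fine for small trees)."""
    events = sorted(basic_events(tree))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(tree, state):
            p = 1.0
            for e in events:
                p *= prob[e] if state[e] else 1 - prob[e]
            total += p
    return total

def birnbaum_importance(tree, prob):
    """Per basic event: P(top | event failed) - P(top | event works)."""
    return {e: top_probability(tree, {**prob, e: 1.0})
               - top_probability(tree, {**prob, e: 0.0})
            for e in basic_events(tree)}
```

With these numbers the single phished credential dominates: it is a cut set on its own and has the highest importance, so it is where a safeguard buys the most risk reduction.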
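The event tree analysis from the slides, combined with the conditional-probability notation P(A|K), P(B|A,K) from the "How To Express Uncertainty?" slide, as an added example that is not from the lecture. The initiating event, the YES/NO questions, their branch probabilities and the leaf costs are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Leaf:
    cost: float                 # constructed cost of ending in this scenario

@dataclass
class Question:
    text: str
    p_yes: float                # P(YES | initiating event, answers so far, K)
    yes: "Question | Leaf"
    no: "Question | Leaf"

# Constructed scenario. Initiating event A: "ransomware runs on a
# workstation", with P(A|K) assumed to be 0.10.
P_A = 0.10
TREE = Question("B: contained by endpoint protection within minutes?", 0.70,
                yes=Leaf(2_000),
                no=Question("C: offline backups intact?", 0.80,
                            yes=Leaf(50_000),
                            no=Leaf(800_000)))

def scenarios(node, p_path=1.0, path=()):
    """All (answers, P(path | A, K), cost) triples. A path's probability is
    the chain of conditional probabilities P(B|A,K) * P(C|A,B,K) * ..."""
    if isinstance(node, Leaf):
        return [(path, p_path, node.cost)]
    return (scenarios(node.yes, p_path * node.p_yes, path + ("YES",)) +
            scenarios(node.no, p_path * (1 - node.p_yes), path + ("NO",)))

def analyse(tree, p_a):
    """Scale each path by P(A|K); return rows, best and worst scenario,
    and the expected cost of the initiating event."""
    rows = [(path, p_a * p, cost) for path, p, cost in scenarios(tree)]
    best = min(rows, key=lambda r: r[2])
    worst = max(rows, key=lambda r: r[2])
    expected_cost = sum(p * cost for _, p, cost in rows)
    return rows, best, worst, expected_cost
```

Changing a branch probability is a change to K; rerunning analyse() shows how much the expected cost rests on that assumption, which is the caveat the "NOT a perfect tool" slide makes.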