What is Risk Management?

What is Risk Management?
Who uses Risk Management?
How is Risk Management used?
What is Risk Management?
Risk Management is the name given to a logical and systematic method of identifying, analysing, treating and monitoring the risks involved in any activity or process.
What is Risk Management?
Risk Management is a methodology that helps managers make best use of their available resources.
Who uses Risk Management?
Risk Management practices are widely used in the public and private sectors, covering a wide range of activities or operations. These include:
• Finance and investment
• Insurance
• Health care
• Public institutions
• Governments
Who uses Risk Management?
 Effective Risk Management is a recognised and valued skill.
 Educational institutions have formal study courses and award degrees in Risk Management.
 The Risk Management process is well established (there are international RM process standards).
Who uses Risk Management?
Risk Management is now an integral part of business planning.
How is Risk Management used?
The Risk Management process steps are a generic guide for any organisation, regardless of the type of business, activity or function. There are 7 steps in the RM process.
The basic process steps are:
 Establish the context
 Identify the risks
 Analyse the risks
 Evaluate the risks
 Treat the risks
‘Risk’ is dynamic and subject to constant change, so the process also includes two continuing steps, which bring the total to seven:
 Monitoring and review
 Communication and consultation
Risk Management in Information Security Project
 Risk management: the process of identifying and controlling the risks facing an organization
 Risk identification: the process of examining an organization’s current information technology security situation
 Risk assessment: assigning a risk rating to each asset
 Risk control: applying controls to reduce risks to an organization’s data and information systems
Risk Identification
Steps:
 Plan and organize the process
 Categorize system components
 Inventory and categorize assets
 Identify threats
 Specify vulnerable assets
Risk Identification
 Risk identification begins with the process of self-examination
 Managers:
 identify the organization’s information assets
 classify them into useful groups
 prioritize them by their overall importance
Creating an Inventory of Information Assets
 Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
 Should be done without pre-judging the value of each asset
 Values will be assigned later in the process
Table 4-1 - Categorizing Components
Suggested Attributes for Hardware,
Software, and Network Assets
 When deciding which attributes to track for each information asset, consider the following list of potential attributes:
 Name
 IP address
 MAC address
 Asset type
 Serial number
 Manufacturer name
 Manufacturer’s model or part number
 Software version, update revision, or FCO number
 Physical location
 Logical location
 Controlling entity
Suggested Attributes for
People, Procedures, and Data Assets
 People
 Position name/number/ID
 Supervisor name/number/ID
 Security clearance level
 Special skills
 Procedures
 Description
 Intended purpose
 Software/hardware/networking elements to which it is tied
 Location where it is stored for reference
 Location where it is stored for update purposes
Suggested Attributes for People,
Procedures, and Data Assets
 Data
 Classification
 Owner/creator/manager
 Size of data structure
 Data structure used
 Online or offline
 Location
 Backup procedures
Classifying and Categorizing Assets
 Once the initial inventory is assembled, determine whether its asset categories are meaningful
 The inventory should also reflect the sensitivity and security priority assigned to each information asset
 A classification scheme categorizes these information assets based on their sensitivity and security needs
Classifying and Categorizing Assets
(Continued)
 Each of these categories designates the level of protection needed for a particular information asset
 Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type
 Classification categories must be comprehensive and mutually exclusive
Management of
Classified Information Assets
 Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset
 An information asset that has a classification designation other than unclassified or public:
 Must be clearly marked as such
 Must be available only to authorized individuals
Management of
Classified Information Assets
 To maintain the confidentiality of classified documents, managers can implement a clean desk policy
 When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
Military Data Classification Cover Sheets
Assessing Values for Information Assets
 As each information asset is identified, categorized, and classified, assign a relative value
 Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
 Which information asset is the most critical to the success of the organization?
 Which information asset generates the most revenue?
 Which information asset generates the highest profitability?
 Which information asset is the most expensive to replace?
 Which information asset is the most expensive to protect?
 Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
Listing Assets in Order of Importance
 The final step in the asset identification process is to list the assets in order of importance
 This can be achieved by using a weighted factor analysis sheet
Table 4-2 – Example Weighted Factor Analysis
Threat Identification
 Each threat presents a unique challenge to information security
 Each must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy
 Before threats can be assessed in the risk identification process, each threat must be further examined to determine its potential to affect the targeted information asset
 In general, this is referred to as threat assessment
Threats to Information Security
Weighted Ranking of Threat-Driven Expenditures

Top Threat-Driven Expenses                              Rating
Deliberate software attacks                               12.7
Acts of human error or failure                             7.6
Technical software failures or errors                      7.0
Technical hardware failures or errors                      6.0
Quality-of-service deviations from service providers       4.9
Deliberate acts of espionage or trespass                   4.7
Deliberate acts of theft                                   4.1
Deliberate acts of sabotage or vandalism                   4.0
Technological obsolescence                                 3.3
Forces of nature                                           3.0
Compromises to intellectual property                       2.2
Deliberate acts of information extortion                   1.0
Vulnerability Assessment
 Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat
 This leads to the creation of a list of vulnerabilities that remain potential risks to the organization
 Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
 At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
 This list serves as the starting point for the next step in the risk management process: risk assessment
Risk Assessment
 The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability
Risk Assessment
Steps:
 Assign value to attack on assets
 Assess likelihood of attack on vulnerabilities
 Calculate relative risk factor to assets
 Review possible controls
 Document findings
Risk Estimate Factors
Risk is
the likelihood of the occurrence of a vulnerability
multiplied by
the value of the information asset
minus
the percentage of that (likelihood × value) product already mitigated by current controls
plus
the percentage of that same product representing the uncertainty of current knowledge of the vulnerability
Likelihood
 Likelihood is the overall rating - often a numerical value on a defined scale (such as 0.1 – 1.0) - of the probability that a specific vulnerability will be exploited
 Why no 0.0?
 Can also use a weighted score, e.g. 1–100, low-medium-high, etc.
Valuation of Information Assets
 Assign weighted scores for the value of each asset; the actual numbers used can vary with the needs of the organization
 Can use the valuation from Risk Identification, with some refinement if necessary
Percentage of Risk
Mitigated by Current Controls
 If a vulnerability is fully managed by an existing control, it can be set aside
 If it is partially controlled, estimate what percentage of the vulnerability has been controlled
Uncertainty
 It is not possible to know everything about every vulnerability
 The degree to which a current control can reduce risk is also subject to estimation error
 Uncertainty is an estimate made by the manager using judgment and experience
Risk Determination Example
 Asset A has a value of 20 and has one vulnerability (Vulnerability 1), which has a likelihood of 1.0 with no current controls
 Your assumptions and data are 75% accurate (uncertainty 25%)
 Asset B has a value of 90 and has two vulnerabilities
 Vulnerability 2 has a likelihood of 0.4 with a current control that addresses 50% of its risk
 Vulnerability 3 has a likelihood of 0.1 with no current controls
 Your assumptions and data are 80% accurate (uncertainty 20%)
Risk Determination Example
 The resulting risk ratings for the three vulnerabilities (both percentages are taken of the likelihood × value product; uncertainty is 100% minus the stated accuracy):
 Asset A: Vulnerability 1 rated as 25 = (20 × 1.0) – 0% + 25%
 Asset B: Vulnerability 2 rated as 25.2 = (90 × 0.4) – 50% + 20%
 Asset B: Vulnerability 3 rated as 10.8 = (90 × 0.1) – 0% + 20%
 Ranked by rating: Asset B / Vulnerability 2 (25.2), then Asset A / Vulnerability 1 (25), then Asset B / Vulnerability 3 (10.8)
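The rating arithmetic above, carried through in code as an added example that is not part of the original slides. A risk_rating function takes both percentages of the likelihood × value product (the only reading under which the deck's 25.2 figure comes out), and a ranked_worksheet function sorts the results highest risk first and sets aside any vulnerability already fully handled by a control, as the "Percentage of Risk Mitigated by Current Controls" slide describes. The VulnRow record, the function names and the input validation are my additions; the three rows are the deck's Asset A / Asset B numbers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRow:
    """One asset/vulnerability pair as it appears on a risk worksheet (my record type)."""
    asset: str
    vulnerability: str
    value: float        # relative asset value from the weighted factor analysis
    likelihood: float   # probability of exploitation on a (0.0, 1.0] scale
    mitigated: float    # fraction of the risk already handled by current controls
    accuracy: float     # how accurate the data and assumptions are; uncertainty = 1 - accuracy


def risk_rating(value, likelihood, mitigated, accuracy):
    """Relative risk = (value x likelihood) - mitigated% of that product + uncertainty% of it.

    Both percentages are taken of the raw value x likelihood product, not of the
    post-mitigation figure; that is what reproduces the deck's Asset B / Vulnerability 2
    rating of 25.2 = 36 - 18 + 7.2.
    """
    if not 0.0 < likelihood <= 1.0:
        raise ValueError("likelihood must be in (0, 1]; the deck's scale has no 0.0")
    if not 0.0 <= mitigated <= 1.0 or not 0.0 <= accuracy <= 1.0:
        raise ValueError("mitigated and accuracy are fractions between 0 and 1")
    base = value * likelihood
    uncertainty = 1.0 - accuracy
    return base - base * mitigated + base * uncertainty


def ranked_worksheet(rows):
    """Return (asset, vulnerability, rating) tuples sorted highest risk first.

    A vulnerability fully managed by an existing control (mitigated == 1.0) is set
    aside and does not appear on the ranked worksheet.
    """
    ranked = [
        (r.asset, r.vulnerability,
         round(risk_rating(r.value, r.likelihood, r.mitigated, r.accuracy), 2))
        for r in rows
        if r.mitigated < 1.0
    ]
    ranked.sort(key=lambda t: t[2], reverse=True)
    return ranked


# The three vulnerabilities from the Risk Determination Example slides.
DECK_EXAMPLE = [
    VulnRow("Asset A", "Vulnerability 1", value=20, likelihood=1.0, mitigated=0.0, accuracy=0.75),
    VulnRow("Asset B", "Vulnerability 2", value=90, likelihood=0.4, mitigated=0.5, accuracy=0.80),
    VulnRow("Asset B", "Vulnerability 3", value=90, likelihood=0.1, mitigated=0.0, accuracy=0.80),
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked_worksheet(DECK_EXAMPLE):
        print(f"{asset:8} {vuln:16} {rating:6.1f}")
```

The output is the ranked vulnerability risk worksheet in the order the ratings actually dictate: Vulnerability 2 (25.2) ahead of Vulnerability 1 (25.0), then Vulnerability 3 (10.8). Changing the formula to take the uncertainty percentage of the post-mitigation figure instead would drop Vulnerability 2 to 21.6 and swap the top two rows, which is why the convention has to be fixed before ratings from different analysts are compared.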
Identify Possible Controls
 For each threat and its associated vulnerabilities that have a risk of being exploited, create a preliminary list of control ideas
 Three general categories of controls exist:
 Policies
 Programs (education, training, and awareness programs)
 Technical controls
Documenting the Results
of Risk Assessment
 The goal of the risk management process:
 Identify information assets and their vulnerabilities
 Rank them according to the need for protection
 In preparing this list, a wealth of factual information about the assets and the threats they face is collected
 Also, information about the controls that are already in place is collected
 The final summarized document is the ranked vulnerability risk worksheet
Ranked Vulnerability Risk Worksheet
What’s the assumption made in this worksheet?
Documenting the Results of Risk
Assessment (Continued)
 By the end of risk assessment, you should have three deliverables:
 Information asset classification worksheet
 Weighted factor analysis worksheet
 Ranked vulnerability risk worksheet
Risk Control
Introduction
 The primary goal of risk control is to reduce risk to an acceptable level
 What level is acceptable?
 It is impossible to design and deploy a totally risk-free environment
 Risk control is often achieved by applying safeguards
 Safeguard: anything that removes a vulnerability or protects against one or more specific threats.
Risk Control Strategies
 An organization must choose one of four basic strategies to control risks:
 Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
 Transference: shifting the risk to other areas or to outside entities
 Mitigation: reducing the impact should the vulnerability be exploited
 Acceptance: understanding the consequences and accepting the risk without control or mitigation
Avoidance
 Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability
 Avoidance is accomplished through:
 Application of policy
 Application of training and education
 Countering threats
 Implementation of technical security controls and safeguards
Transference
 Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations
 May be accomplished by:
 Rethinking how services are offered
 Revising deployment models
 Outsourcing to other organizations
 Purchasing insurance
 Implementing service contracts with providers
Mitigation
 Mitigation reduces, by means of planning and preparation, the damage caused by the exploitation of a vulnerability
 This approach includes three types of plans:
 Disaster recovery plan (DRP)
 Incident response plan (IRP)
 Business continuity plan (BCP)
 Mitigation depends upon the ability to detect and respond to an attack as quickly as possible
Summaries of Mitigation Plans
Acceptance
 Acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation.
 It also means that management has agreed to accept the consequences and the loss if the risk is realized.
Acceptance (Continued)
 The only valid use of the acceptance strategy occurs when the organization has:
 Determined the level of risk to the information asset
 Assessed the probability of attack and the likelihood of a successful exploitation of the vulnerability
 Approximated the ARO of the exploit
 Estimated the potential loss from attacks
 Performed a thorough cost benefit analysis
 Evaluated controls using each appropriate type of feasibility
 Decided that the particular asset did not justify the cost of protection
 Usually requires a sign-off letter.
Risk Handling Action Points
Evaluation, Assessment, and Maintenance of Risk Controls
 Once a control strategy has been selected and implemented:
 The effectiveness of the controls should be monitored and measured on an ongoing basis
 So should the accuracy of the estimate of the risk that will remain after all planned controls are in place
The Risk Control Cycle
Feasibility Studies and Cost Benefit Analysis
 Before deciding on the strategy for a specific vulnerability, all readily accessible information about the consequences of the vulnerability must be explored: "What are the advantages of implementing a control as opposed to the disadvantages of implementing the control?"
 There are a number of ways to determine the advantage or disadvantage of a specific control
 The primary means are based on the value of the information assets that the control is designed to protect
Cost Benefit Analysis (CBA)
 Economic feasibility: the criterion most commonly used when evaluating a project that implements information security controls and safeguards
 A primary goal is to ensure that only cost-effective safeguards are deployed.
 Organizations are urged to begin a cost benefit analysis by evaluating:
 The worth of the information assets to be protected
 The loss in value if those information assets are compromised
Cost
 Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it
 Some of the items that affect the cost of a control or safeguard include:
 Cost of purchase, development, and licensing
 Cost of implementation and customization
 Cost of annual operation, maintenance, administration, and so on
 Cost of annual repairs and upgrades
 Productivity improvement or loss
 Changes to environment
 Cost of testing and evaluation
 Training fees
Benefit
 Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability
 Usually determined by:
 Valuing the information asset or assets exposed by the vulnerability
 Determining how much of that value is at risk and how much risk there is for the asset
 Determining the annualized loss expectancy (ALE)
 Benefit is expressed as the reduction in ALE due to implementation of the control/safeguard
Asset Valuation
 Asset valuation is the process of assigning financial value or worth to each information asset
 Actual cost
 Non-monetary expenses
Asset Valuation (Cont’d)
SLE
 Single loss expectancy (SLE): the cost associated with a single realized risk against a specific asset
 Based on asset value and the expected percentage of loss that would occur from a particular attack:
SLE = asset value (AV) x exposure factor (EF)
where EF = the percentage loss if a specific asset were violated by a realized risk
 Example: if an asset is valued at $20,000, and it has an EF of 45% for a specific threat, then the SLE of the threat for that asset is _____.
 This information is usually estimated
ARO
 Annualized Rate of Occurrence (ARO): the expected frequency with which a specific threat or risk will occur within a single year
 Needs estimation:
 Learn from history
 Guesswork
 Statistical analysis
ALE
 Annualized loss expectancy (ALE): the possible yearly cost of all instances of a specific realized threat against a specific asset
ALE = SLE × ARO
The Cost Benefit Analysis (CBA) Formula
 CBA determines whether or not a control alternative is worth its associated cost
 CBAs may be calculated:
 Before a control or safeguard is implemented, to determine if the control is worth implementing
OR
 After controls have been implemented and have been functioning for a time:
CBA = ALE(prior) – ALE(post) – ACS
 A positive CBA means the safeguard reduces expected annual loss by more than it costs each year; a negative CBA means the control is not economically feasible
The Cost Benefit Analysis (CBA) Formula
 ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control
 ALE(post control) is the ALE examined after the control has been in place for a period of time
 ACS is the annual cost of the safeguard
Example 1
 A computer is susceptible to hacker attack. If a hacker attack is successful, it will cause a financial loss of $5,000. Assume hacker attacks happen once every six months. Calculate the ARO, SLE, and ALE.
 A new firewall is installed on the computer; now a hacker attack happens once every two years. The financial loss is the same if an attack happens. Calculate the ARO, SLE, and ALE.
 The cost of the firewall is $6,000 (treat this as the annual cost). Is this control (the firewall) economically feasible according to cost-benefit analysis?
Example 2
 A company is considering installing an Intrusion Detection System (IDS). Currently an intrusion (hacker attack) happens once every month on average. Each one costs about $10,000. The IDS will be able to detect 90% of the intrusions. When an intrusion is detected, the average financial loss due to that intrusion will be reduced to $2,000. The cost of the IDS is $50,000. Use CBA to decide whether the IDS is economically feasible.
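Worked in code as an added example that is not part of the original slides: the SLE, ARO, ALE and CBA formulas from the preceding slides, applied to the $20,000 / 45% SLE question and to Examples 1 and 2. The function names are mine. Two assumptions that the slides leave open are labelled in the code: the $50,000 IDS cost in Example 2 is treated as an annual cost, as Example 1 instructs for the firewall, and an intrusion the IDS fails to detect still costs the full $10,000.

```python
def sle(asset_value, exposure_factor):
    """Single loss expectancy: SLE = AV x EF.

    EF is the fraction (0.0 to 1.0) of the asset's value lost in one realized incident.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def aro(incidents, years):
    """Annualized rate of occurrence: incidents observed (or expected) per year."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def ale(single_loss, annual_rate):
    """Annualized loss expectancy: ALE = SLE x ARO."""
    return single_loss * annual_rate


def cba(ale_prior, ale_post, annual_cost_of_safeguard):
    """CBA = ALE(prior) - ALE(post) - ACS.

    Positive means the safeguard saves more per year than it costs, i.e. it is
    economically feasible; negative means it is not.
    """
    return ale_prior - ale_post - annual_cost_of_safeguard


def slide_sle_question():
    """The SLE slide's exercise: a $20,000 asset with an EF of 45% for one threat."""
    return sle(20_000, 0.45)


def example_1():
    """Firewall example: $5,000 per successful attack, once every six months before
    the firewall and once every two years after it; $6,000 treated as the annual cost."""
    loss_per_attack = sle(5_000, 1.0)      # the loss is given directly, so EF = 100%
    aro_prior = aro(1, 0.5)                # once per six months -> 2 per year
    aro_post = aro(1, 2)                   # once per two years  -> 0.5 per year
    ale_prior = ale(loss_per_attack, aro_prior)
    ale_post = ale(loss_per_attack, aro_post)
    acs = 6_000
    result = cba(ale_prior, ale_post, acs)
    return {"aro_prior": aro_prior, "ale_prior": ale_prior,
            "aro_post": aro_post, "ale_post": ale_post,
            "cba": result, "feasible": result > 0}


def expected_loss_per_intrusion(detection_rate, loss_if_detected, loss_if_missed):
    """Blend the detected and missed cases: a control that only catches some attacks
    changes the loss per incident (the SLE), not how often incidents happen (the ARO)."""
    if not 0.0 <= detection_rate <= 1.0:
        raise ValueError("detection rate must be a fraction between 0 and 1")
    return detection_rate * loss_if_detected + (1.0 - detection_rate) * loss_if_missed


def example_2():
    """IDS example: 12 intrusions a year at $10,000 each; the IDS detects 90% and a
    detected intrusion costs $2,000.

    Assumptions not stated on the slide: the $50,000 IDS cost is treated as an annual
    cost (as Example 1 does for the firewall), and a missed intrusion still costs $10,000.
    """
    aro_intrusions = aro(12, 1)            # once a month
    ale_prior = ale(10_000, aro_intrusions)
    ale_post = ale(expected_loss_per_intrusion(0.9, 2_000, 10_000), aro_intrusions)
    acs = 50_000
    result = cba(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post,
            "cba": result, "feasible": result > 0}


if __name__ == "__main__":
    print(f"SLE for the slide's $20,000 asset at EF 45%: ${slide_sle_question():,.0f}")
    for name, ex in (("Example 1 (firewall)", example_1()), ("Example 2 (IDS)", example_2())):
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in ex.items()})
```

For the firewall, ALE falls from $10,000 to $2,500 against a $6,000 annual cost, so CBA is +$1,500 and the control is feasible. For the IDS, ALE falls from $120,000 to $33,600 (12 intrusions at an expected $2,800 each), so CBA is +$36,400 under the stated assumptions; if the $50,000 were instead amortised over several years the case would only get stronger, whereas raising the cost of a missed intrusion above $10,000 would not change the ALE(prior) side at all, which is the asymmetry to watch when a vendor's detection rate is the number you trust least.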
CBA discussion
 It is a daunting job to calculate EF, SLE, ARO, and ALE for every asset and every threat/risk
 Usually a security control affects more than one vulnerability
 Fortunately, there are quantitative risk assessment tools available.
Other Feasibility Approaches
 Organizational feasibility analysis examines how well proposed information security alternatives will contribute to the operation of an organization
 Operational feasibility addresses user/management acceptance and support
 Technical feasibility examines whether or not the organization has or can acquire the technology to implement and support the alternatives
 Political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest
Benchmarking
 Benchmarking is an activity where organizations continuously engage in self-study and compare themselves with the leaders in their field so they can identify, adapt, and apply significantly better practices.
 Benchmarking:
 Seeking out and studying practices of other organizations that produce desired results
 Measuring differences between how organizations conduct business
 When benchmarking, an organization typically uses one of two measures to compare practices:
 Metrics-based measures are comparisons based on numerical standards
 Process-based measures are generally less focused on numbers and are more strategic
Benchmarking Steps
 Self-assessment: decide what to benchmark.
 Comparison: decide who to benchmark.
 Analysis and adaptation: ask why you are getting your results and why others are getting better results.
 Implementation: think carefully about what enablers (e.g., resources, schedule changes) are needed.
 Feedback: carefully monitor and measure the results of your innovation and recalibrate if necessary.
Benchmarking (Continued)
 In the field of information security, two categories of benchmarks are used:
 Standards of due care and due diligence, and
 Best practices
Due Care and Due Diligence
 For legal reasons, an organization may be forced to adopt a certain minimum level of security
 When organizations adopt levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances
 This is called the standard of due care
 Due diligence is the demonstration that the organization is persistent in ensuring that implemented standards continue to provide the required level of protection
Best Business Practices
 Best business practices: security efforts that seek to provide a superior level of performance
 They are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility
 Companies with best practices may not be the best in every area
 They may simply have established an extremely high quality or successful security effort in one or more areas
 http://fasp.nist.gov
The Gold Standard
 Even the best business practices are not sufficient for some organizations
 These organizations aspire to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can
 The gold standard is a defining level of performance that demonstrates a company’s industrial leadership, quality, and concern for the protection of information
 Seeking the gold standard is a method of striving for excellence
Applying Best Practices
 When considering best practices for adoption, address the following questions:
 Does your organization resemble the organization that is implementing the best practice under consideration?
 Is your organization in a similar industry?
 Does your organization face similar challenges?
 Is your organizational structure similar to the organization from which you are modeling the best practices?
 Can your organization expend resources that are in line with the requirements of the best practice?
 Is your organization in a similar threat environment as the one cited in the best practice?
Problems with Benchmarking and Best Practices
 Organizations don’t talk to each other
 No two organizations are identical
 Best practices are a moving target
 Simply knowing what was going on a few years ago does not necessarily indicate what to do next
Baselining
 Baselining is the analysis of measures against established standards
 In information security, baselining establishes a reference point for security activities and events against which the organization’s future performance is compared
 The information gathered for an organization’s first risk assessment becomes the baseline for future comparisons
Risk Appetite
 Risk appetite: the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility
 A reasoned approach to risk is one that balances expense against possible losses if exploited
Residual Risk
 When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely accounted for: this is residual risk
Residual Risk
 The significance of residual risk must be judged within the context of an organization’s risk appetite
 The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization’s risk appetite
Documenting Results
 When the risk management program has been completed, a series of proposed controls is prepared
 Each is justified by one or more feasibility or rationalization approaches
 At minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk remaining after the proposed strategy has been executed
Documenting Results
 Some organizations document the outcome of the control strategy for each information asset-threat pair in an action plan
 This includes concrete tasks, each with accountability assigned to an organizational unit or to an individual
Qualitative Measures
 Quantitative assessment performs asset valuation with actual values or estimates
 An organization could determine that it cannot put specific numbers on these values
 Organizations could use qualitative assessments instead
 More scenario based
 Rank threats on a scale to evaluate their risks, costs and effects