Risk Analysis - Information Systems and Internet Security

Ri$k Analysis
Christina Kong
Nicole Lei
Agenda
- Introduction
- Risk Analysis
- NIST Risk Management Guide
- Electronic Commerce Security Assessment
- Threat Tree Workshop
- Term Project
- Conclusion
What is Risk Analysis?
- Quantify the impact of potential threats
  - Put a $$ value on assets
  - Identify potential threats and vulnerabilities
  - Cost/benefit analysis
How much $$$?
- Asset Value
  - Corporate world ($$)
  - Government (national security)
- Exposure Factor (EF): fraction of the asset value lost in one incident
- Single Loss Expectancy (SLE)
  - SLE = Asset Value ($$) * EF
- Annualized Rate of Occurrence (ARO)
- Annualized Loss Expectancy (ALE)
  - ALE = SLE * ARO
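A worked version of these formulas, added here as an example (not part of the slides), that carries SLE and ALE through to the cost/benefit decision between the risk mitigation options the deck lists later (assumption, limitation, transference). All dollar figures, EFs and AROs are constructed assumptions:

```python
from dataclasses import dataclass

# Assumed, constructed figures for illustration; nothing here comes from the slides.

@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year

def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value ($$) * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * ef

def annualized_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """ALE = SLE * ARO."""
    return single_loss_expectancy(asset_value, threat.exposure_factor) * threat.aro

def safeguard_value(asset_value: float, threat: Threat,
                    mitigated: Threat, annual_cost: float) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost of control).
    Positive means the control is worth more than it costs."""
    before = annualized_loss_expectancy(asset_value, threat)
    after = annualized_loss_expectancy(asset_value, mitigated)
    return before - after - annual_cost

def choose_mitigation(asset_value: float, threat: Threat,
                      options: dict[str, tuple[Threat, float]]) -> str:
    """Pick the option with the best net value. 'Risk Assumption' (accept the risk,
    spend nothing) is always a candidate with net value 0, so a control only wins
    when it actually beats doing nothing."""
    scores = {"Risk Assumption": 0.0}
    for label, (mitigated, cost) in options.items():
        scores[label] = safeguard_value(asset_value, threat, mitigated, cost)
    return max(scores, key=scores.get)

# Constructed scenario: a customer database valued at $500,000.
DATABASE_VALUE = 500_000.0
RANSOMWARE = Threat("ransomware", exposure_factor=0.40, aro=0.5)  # once every 2 years
OPTIONS = {
    # Risk Limitation: offline backups shrink the loss per incident, not its frequency
    "Risk Limitation (offline backups)": (Threat("ransomware", 0.05, 0.5), 30_000.0),
    # Risk Transference: insurance leaves a deductible-sized loss, for a premium
    "Risk Transference (cyber insurance)": (Threat("ransomware", 0.10, 0.5), 45_000.0),
}

if __name__ == "__main__":
    print("ALE:", annualized_loss_expectancy(DATABASE_VALUE, RANSOMWARE))  # 100000.0
    print("best option:", choose_mitigation(DATABASE_VALUE, RANSOMWARE, OPTIONS))
```

With a larger premium or a smaller ALE reduction, "Risk Assumption" wins, which is exactly the point of doing the arithmetic before buying a control.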
Quantitative vs. Qualitative
- Quantitative
  - Money, money and more money
  - Usually in the corporate world
- Qualitative
  - Subjective quality rating
  - Government sector
Asset Identification and Valuation
- Beware: always overlooked!!
- The fundamental step in ALL security auditing methodologies
- Necessary to perform the cost/benefit analysis
- Incorrect values reduce the financial effectiveness of the analysis
Threat Identification
- Threats are usually categorized, for example:
  - Criminal
  - Personnel
  - Environmental
  - Information warfare
  - Application/operational
  - Computer infrastructure
  - Data classification
  - Delayed processing
NIST - Risk Assessment
Information Gathering
- Any one or a combination of the following:
  - Questionnaire
  - On-site interviews
  - Document review
  - Automated scanning tools
Risk Mitigation
- Your options:
  - Risk Assumption
  - Risk Avoidance
  - Risk Limitation
  - Risk Transference
Risk Mitigation Action Points
Difficulty with Data
- Lack of consistency in content, conduct and coverage of information security data
- Lack of standardization in terminology, valuation and classification of security breaches
How much we know and how much we don’t know
Relevance of Data
- What? You said my data is useless :(
  - "There are no statistically valid sample applicable to specific vulnerabilities for use in information security risk assessment. Because future frequency is unknown and cannot be adequately estimated, we attempt to use data on past loss experience. But past data consist of a series of known events; they are not a complete or valid sampling set of independent observations - as demanded by the laws of probability"
    (Donn B. Parker, Fighting Computer Crime)
One Real-Life Example
Pennsylvania Governor's Office of Information Technology
Electronic Commerce Security Assessment
- Definition of Electronic Transaction
  - "transaction": an action or set of actions occurring between two or more persons relating to the conduct of business, commercial or governmental affairs
  - "electronic": as relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities
8 Steps for Determining Appropriate Application Security Procedures
- Step 1: Define the electronic government transaction
- Step 2: Identify the type of information necessary for the transaction
- Step 3: Evaluate the consequences of a security breach
- Step 4: Plot the security breach impact result on the Security Assessment Matrix
- Step 5: Evaluate the security breach risk
- Step 6: Plot the security breach risk result on the matrix
- Step 7: Review the results of the Security Assessment Matrix
- Step 8: Create a network diagram
Threat Tree
- Originates from "fault trees" in system reliability engineering
- One approach to identifying threats
- An analytical threat derivation technique designed to assist system engineers during the secure development of computer systems
Basic Threat Tree Structure
Threat Tree How-To
- When using threat trees, the threats are normally categorized into three types, each mapping to a security property:
  - Disclosure threats
    - Confidentiality
  - Integrity threats
    - Integrity
  - Denial of Service threats
    - Availability
Wake up!! Let's do some work!
- Simple Threat Tree Example
  - Unauthorized Account Access
    - ???
      - ???
      - ???
    - ???
      - ???
      - ???
    - ???
      - ???
      - ???
Conclusion
- Any questions?
- Homework assignment