INFORMATION SECURITY
MANAGEMENT
LECTURE 8: RISK MANAGEMENT
CONTROLLING RISK
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Introduction
• To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function
Risk Control Strategies
• Choose one of four basic strategies:
 Avoidance
 Transference
 Mitigation
 Acceptance
Avoidance
• The risk control strategy that attempts to prevent the exploitation of the vulnerability
• Examples
Transference
• The control approach that attempts to shift the risk to other assets, other processes, or other organizations
• Examples
Mitigation
• The control approach that attempts to reduce the damage caused by exploitation of a vulnerability
– Using planning and preparation
– Depends upon the ability to detect and respond to an attack as quickly as possible
• Types of Mitigation Plans
Acceptance
• Do nothing to protect an information asset
– To accept the loss when it occurs
Managing Risk
• Risk appetite (also known as risk tolerance)
• The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited
Managing Risk – Residual Risk
• Residual risk is a combined function of:
– Threats, vulnerabilities and assets, less the effects of the safeguards in place
• The goal of information security is not to bring residual risk to zero
Managing Risk – Residual Risk
• Once a control strategy has been selected and implemented:
– The effectiveness of controls should be monitored and measured on an ongoing basis
– This determines the effectiveness and accuracy of the residual risk estimate
Managing Risk (cont’d.)
Figure 9-1 Residual risk
Source: Course Technology/Cengage Learning
Managing Risk – Risk Control
• Risk control involves selecting one of the four risk control strategies
Should the organization ever
accept the risk?
Risk Acceptance
Figure 9-2 Risk-handling action points
Source: Course Technology/Cengage Learning
Risk Control Cycle
Figure 9-3 Risk control cycle
Source: Course Technology/Cengage Learning
Feasibility and Cost-Benefit Analysis
• There are a number of ways to determine the advantage or disadvantage of a specific control
• The primary means are based on the value of the information assets that it is designed to protect
• Economic feasibility
– Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised
Cost-Benefit Analysis:
Cost
• Factors that affect the cost of a safeguard
– Cost of development or acquisition of hardware, software, and services
– Training fees
– Cost of implementation
– Service and maintenance costs
Cost-Benefit Analysis:
Benefit
• The value to the organization of using controls to prevent losses associated with a specific vulnerability
Cost-Benefit Analysis:
Asset Valuation
• The process of assigning financial value or worth to each information asset
• Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation
Cost-Benefit Analysis:
Asset Valuation
• An organization must be able to place a dollar value on each information asset it owns
• Potential loss is that which could occur from the exploitation of a vulnerability or a threat occurrence
Cost-Benefit Analysis Calculation
• CBA determines whether or not a control alternative is worth its associated cost
• CBAs may be calculated before a control or safeguard is implemented, or calculated after controls have been implemented and have been functioning for a time
Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS
– ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control
– ALE (post-control) is the ALE examined after the control has been in place for a period of time
– ACS is the annual cost of the safeguard
Example of Cost-Benefit Analysis
Calculation
 Dropping an iPad and breaking the screen
 Asset value: $700
 Exposure factor: 50%
 SLE = $700 x 50% = $350
 ARO = 25% chance of damaging
 ALE (prior) = 25% x $350 = $87.50
 ALE (post) = 5% x $350 = $17.50
 CBA (cost of case = $30)
 CBA = ALE(prior) – ALE(post) – ACS
 CBA = 87.50 – 17.50 – 30.00 = $40
Example of Cost-Benefit Analysis
Calculation
 Unprotected customer database
 Asset value: $200,000
 Exposure factor: 50%
 SLE = $200,000 x 50% = $50,000
 ARO = 75% chance of occurring
 ALE (prior) = 75% x $200,000 = $50,000
 ALE (post) = 10% x $200,000 = $20,000
 CBA (ACS = $5,000)
 CBA = ALE(prior) – ALE(post) – ACS
 CBA = $50,000 – $20,000 – $5,000 = $25,000
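The CBA calculation from the slides (SLE = AV x EF, ALE = SLE x ARO, CBA = ALE(prior) – ALE(post) – ACS), worked through in code as an added example that is not part of the lecture material. It goes one step beyond the slides by ranking several control alternatives for the same scenario, using the iPad figures above plus two constructed alternatives and the acceptance option, so a negative or zero CBA can be read as "the safeguard costs more than it saves".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One risk scenario as the slides frame it: an asset, the fraction of
    its value a single occurrence destroys (EF), and how often it occurs
    per year before any control (ARO)."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, 0..1
    aro_prior: float        # ARO before the control

@dataclass(frozen=True)
class Control:
    """A candidate safeguard: the ARO expected once it is in place and
    its annual cost (ACS)."""
    name: str
    aro_post: float
    annual_cost: float

def single_loss_expectancy(asset_value, exposure_factor):
    return asset_value * exposure_factor          # SLE = AV x EF

def annualized_loss_expectancy(sle, aro):
    return sle * aro                              # ALE = SLE x ARO

def cost_benefit(ale_prior, ale_post, acs):
    return ale_prior - ale_post - acs             # CBA per the slides

def evaluate(scenario, controls):
    """Return (control name, CBA) pairs, best net benefit first."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale_prior = annualized_loss_expectancy(sle, scenario.aro_prior)
    results = []
    for control in controls:
        ale_post = annualized_loss_expectancy(sle, control.aro_post)
        cba = cost_benefit(ale_prior, ale_post, control.annual_cost)
        results.append((control.name, round(cba, 2)))
    # A CBA <= 0 means the control removes less expected loss than it costs,
    # so acceptance (do nothing, CBA = 0) would be the cheaper strategy.
    return sorted(results, key=lambda r: r[1], reverse=True)

# Figures from the slide; the last three alternatives are constructed.
IPAD = Scenario("Dropped iPad, broken screen", 700, 0.50, 0.25)
IPAD_CONTROLS = [
    Control("Protective case", aro_post=0.05, annual_cost=30),
    Control("Screen protector only (constructed)", aro_post=0.15, annual_cost=10),
    Control("Rugged case (constructed)", aro_post=0.02, annual_cost=80),
    Control("Do nothing (acceptance)", aro_post=0.25, annual_cost=0),
]

if __name__ == "__main__":
    for name, cba in evaluate(IPAD, IPAD_CONTROLS):
        print(f"{name:40s} CBA = ${cba:,.2f}")
```

Applied to the database scenario's inputs (AV $200,000, EF 50%, ARO 75% before and 10% after, ACS $5,000), these same formulas give SLE = $100,000 and CBA = $60,000, which differs from the figures on that slide; the check is worth running on any CBA before it is used to justify a control.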
Other Methods of Establishing
Feasibility
• Organizational feasibility analysis
• Operational feasibility
• Technical feasibility
• Political feasibility
Alternatives to Feasibility Analysis
• Benchmarking
• Due care and due diligence
• Best business practices
• Gold standard
• Government recommendations
• Baseline
Risk Management and Employees
“Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”
- Albert Einstein
Types of Employees and Security Knowledge
 Those who know
 Those who don’t
 Those who think they know but don’t
Recommended Risk Control Practices
• Organizations typically look for a more straightforward method of implementing controls
• This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls to specific information asset vulnerabilities
Recommended Risk Control Practices
• Qualitative/Quantitative Approach
• Octave Methods
• Microsoft Risk Management Approach
• FAIR
Qualitative and Hybrid Measures
• Quantitative assessment
• Qualitative assessment
• Hybrid assessment
OCTAVE Method
• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
• Variations of the OCTAVE method
– The original OCTAVE method
– OCTAVE-S
– OCTAVE-Allegro
www.cert.org/octave/
Microsoft Risk Management Approach
• Four phases in the Microsoft InfoSec risk management process:
– Assessing risk
– Conducting decision support
– Implementing controls
– Measuring program effectiveness
www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
Microsoft Risk Management Approach
Figure A-1 Security Risk Management Guide
Source: Course Technology/Cengage Learning
Factor Analysis of Information Risk
(FAIR)
• Basic FAIR analysis consists of four stages:
– Stage 1 - Identify scenario components
– Stage 2 - Evaluate loss event frequency
– Stage 3 - Evaluate probable loss magnitude (PLM)
– Stage 4 - Derive and articulate risk
• Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
http://fairwiki.riskmanagementinsight.com
FAIR (cont’d.)
Figure 9-4 Factor analysis of information risk (FAIR)
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
(Based on concepts from Jack A. Jones)