INFORMATION SECURITY
MANAGEMENT
LECTURE 8: RISK MANAGEMENT
CONTROLLING RISK
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Managing Risk (cont’d.)
Figure 9-1 Residual risk
Source: Course Technology/Cengage Learning
Managing Risk – Risk Control
• Risk control involves selecting one of the four
risk control strategies
Should the organization ever
accept the risk?
Risk Control Cycle
Figure 9-3 Risk control cycle
Source: Course Technology/Cengage Learning
Cost Benefit – Asset Valuation
 Asset value: replacement cost and/or income
derived through the use of an asset
 Exposure Factor (EF): portion of asset's value
lost through a threat (also called impact)
Single Loss Expectancy (SLE) =
Asset ($) x EF (%)
Cost Benefit – Asset Valuation
 Annualized Rate of Occurrence (ARO)

Probability of loss in a year, %
Annual Loss Expectancy (ALE) =
SLE x ARO
Example of Quantitative Risk
Assesment
 Theft of a laptop computer, with the data
encrypted
 Asset value: $4,000
Exposure factor ?
SLE, ARO, ALE ?
Example of Quantitative Risk
Assesment
 Dropping a laptop computer and breaking the
screen
 Asset value: $4,000
Exposure factor ?
SLE, ARO, ALE ?
Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS
–
ALE (prior to control) is the annualized loss
expectancy of the risk before the implementation
of the control
–
ALE (post-control) is the ALE examined after the
control has been in place for a period of time
–
ACS is the annual cost of the safeguard
Example of Cost-Benefit Analysis
Calculation
 Dropping an iPad and breaking the screen
 Asset value: $700

Exposure factor: 50%
SLE =
ARO = 25% chance of damaging
ALE (prior) =

ALE (post) =



 CBA (cost of case = $30)


CBA = ALE(prior) – ALE(post) – ACS
CBA =
Example of Cost-Benefit Analysis
Calculation
 Unprotected customer database
 Asset value: $200,000





Exposure factor: 50%
SLE =
ARO = 75% chance of occurring
ALE (prior) =
ALE (post) =
 CBA (ACS = $5,000)


CBA = ALE(prior) – ALE(post) – ACS
CBA =
Recommended Risk Control Practices
• Qualitative/Quantitative Approach
• Octave Methods
• Microsoft Risk Management Approach
• FAIR
Qualitative and Hybrid Measures
• Quantitative assessment
• Qualitative assessment
• Hybrid assessment
OCTAVE Method
• The Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE) Method
• Variations of the OCTAVE method
–
–
–
The original OCTAVE method
OCTAVE-S
OCTAVE-Allegro
www.cert.org/octave/
Microsoft Risk Management Approach
• Four phases in the Microsoft InfoSec risk
management process:
–
–
–
–
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
Microsoft Risk Management Approach
Figure A-1 Security Risk Management Guide
Source: Course Technology/Cengage Learning
Factor analysis of Information Risk
(FAIR)
• Basic FAIR analysis is comprised of four stages:
•
•
•
•
Stage 1 - Identify scenario components
Stage 2 - Evaluate loss event frequency
Stage 3 - Evaluate probable loss magnitude(PLM)
Stage 4 - Derive and articulate Risk
• Unlike other risk management frameworks, FAIR
relies on the qualitative assessment of many risk
components using scales with value ranges, for
example very high to very low
http://fairwiki.riskmanagementinsight.com
FAIR (cont’d.)
Figure 9-4 Factor analysis of information risk (FAIR)
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
(Based on concepts from Jack A. Jones)
HEALTH FIRST CASE STUDY
Analyzing Risk
Step 1: Define Assets
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name
$ Value
Direct
Loss:
Consequenti
al Financial
Loss
Replaceme
nt
Medical DB
Daily Operation (DO)
Medical Malpractice (M)
HIPAA Liability (H)
Notification
(NL)
$ Value
Law
Liability
Confidentiality,
Integrity, and
Availability Notes
C? I? A?
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name
$ Value
$ Value
Direct Loss:
Consequential
Replacement Financial Loss
Medical DB
DO+M_H+NL
Daily Operation (DO)
$
Medical Malpractice (M)
$
HIPAA Liability (H)
$
Notification Law Liability (NL)
$
Confidentiality,
Integrity, and
Availability Notes
C IA
HIPAA Criminal Penalties
$ Penalty
Imprisonment
Offense
Up to $50K
Up to one year
Wrongful disclosure of
individually identifiable health
information
Up to $100K
Up to 5 years
…committed under false
pretenses
Up to $500K
Up to 10 years
… with intent to sell, achieve
personal gain, or cause
malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits,
lost claims, …
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
 Normal threats: Threats common to all
organizations
 Inherent threats: Threats particular to your
specific industry
 Known vulnerabilities: Previous audit reports
indicate deficiencies.
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
Slow Down Business
1 week
2
1 year
Temp. Shut Down Business
Threaten Business
Threat
(Probability)
Hacker/Criminal
Loss of Electricity
Snow Emergency
1
Malware
Pandemic
Failed Disk
Tornado/Wind Storm
Stolen Laptop
5 years
(.2)
Stolen Backup Tape(s)
10 years
(.1)
Vulnerability
(Severity)
Flood
20 years
(.05)
4
50 years
(.02)
Earthquake
Social Engineering
Intruder
Fire
3
Step 4: Compute Expected Loss
Step 5: Treat Risk
Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset
Threat
Single
Loss
Annuali Annual
zed Rate Loss
of
Expecta
Expecta
Occurre
ncy
ncy
nce
(ALE)
(SLE)
(ARO)
Step 5: Treat Risk
 Risk Acceptance: Handle




attack when necessary
Risk Avoidance: Stop doing
risky behavior
Risk Mitigation: Implement
control to minimize
vulnerability
Risk Transference: Pay
someone to assume risk for
you
Risk Planning: Implement a
set of controls