
Risk Management

Lecture 10
A true story
A local company suffered a catastrophic loss one night when its office
burned to the ground. As the employees gathered around the charred
remains the next morning, the president asked the secretary if she had been
performing the daily computer backups. To the president's relief she replied
that yes, each day before she went home she backed up all the financial
information regarding customers, invoices, orders and payments.
The president then asked the secretary to retrieve the backup so they could
begin to determine their current financial status.
"Well," the secretary said, "I guess I cannot do that. You see, I put those
backups in the desk drawer next to the computer in the office."

M. Ciampa, "Security+ Guide to Network Security Fundamentals", p. 303


What is Risk & Risk Management?
Risk: the potential for loss or harm to an asset when a threat exploits a vulnerability.
It is usually expressed in terms of the likelihood of the event and the impact (loss) it
would cause. (A threat, by contrast, is the object, person or other entity that could cause
the harm; the two terms are often confused.)
Risk Management: the process of identifying, assessing and evaluating the level of
risk facing the organization, specifically the threats to the information stored and used by
the organization to achieve its business objectives, and then deciding what
countermeasures, if any, to take to reduce risk to an acceptable level, based on the
value of the information resource to the organization.

Risk Management Process
Risk Management
"If you know the enemy and know yourself, you need not fear the
result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you
will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every
battle."
-- Sun Tzu
i) Risk Identification
What is the purpose of this phase?
The aim of this phase is to identify, classify and prioritize the organization's
information assets (know ourselves) and to identify all important types and sources of
risk and uncertainty (know our enemy) associated with each of the business
objectives.
This is a crucial phase: a risk that is not identified cannot be evaluated or managed.
There are many different types of risk:
 Legal risks
 Environmental risks
 Market risks
 Regulatory risks, etc.
Identifying Risk
Threat Identification
To identify threats or risks to assets, ask:
 who or what could cause it harm?
 how could this occur?
The answers depend on the risk assessor's experience and draw on a variety of sources:
 insurance statistics, for the chance of natural threats
 lists of potential threats in standards, IT security surveys and government publications
These must be tailored to the organization's environment and to any vulnerabilities in its
IT systems.
Threat Sources
Threats may be:
 natural ("acts of God")
 man-made, and either accidental or deliberate
For human attackers, consider:
 motivation
 capability
 resources
 probability of attack
 deterrence
 any previous history of attacks on the organization
Information Assets
Information system components (figure):
 People: employees (trusted staff, other staff) and non-employees (people at trusted
organizations, strangers)
 Procedures: standard procedures and sensitive procedures
 Data: in transmission, in processing, in storage
 Software: applications, operating systems, security components
 Hardware: system devices, network devices
Information Asset Inventory creation (contd.)
Potential asset attributes
Name
Asset tag
IP address
MAC address
asset type
Serial number
manufacturer name
Manufacturer’s model or part number
Software version, update revision, or FCO number
Physical location, logical location
Controlling entity

Management of Information Security, 3rd ed.
Information Asset Inventory creation (contd.)
Identifying people, procedures and data assets. Sample attributes
for people, procedures, and data assets:
People
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
Procedures
Description
Intended purpose
Software/hardware/networking elements to which it is tied
Location where it is stored for reference
Location where it is stored for update purposes
Data
Classification
Owner/creator/manager
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
ii) Analyze the Risk
Assessing risk is the process of determining the likelihood of a threat being
exercised against a vulnerability and the resulting impact of a successful
compromise, i.e. determining the relative risk for each vulnerability.

Although all elements of the risk management cycle are important, risk
assessments provide the foundation for the other elements of the cycle. In particular,
they provide the basis for establishing appropriate policies and
selecting cost-effective techniques to implement those policies.
iii) Evaluate the Risk (Risk Assessment)
Risk assessment assigns a risk rating or score to each specific information
asset. The rating is useful for evaluating relative risk and for making comparative
ratings later in the risk control process.
Risks need to be ranked and prioritized. Most risk management solutions
use several categories of risk, depending on severity:
 A risk that may cause some inconvenience is rated low; a risk that can
result in catastrophic loss is rated highest.
Ranking risks matters because it gives the organization a holistic view of the
risk exposure of the whole organization.
The business may be vulnerable to several low-level risks that do not
require upper management intervention, whereas just one of the highest-rated
risks is enough to require immediate intervention.
Discuss the various methods of Risk Assessment
Defining Likelihood

Likelihood is:
• the estimated probability that a threat will succeed in achieving an undesirable
event
• the overall rating, often a numerical value on a defined scale (such as 0.1 – 1.0), of
the probability that a specific vulnerability will be exploited

• Sample Likelihood Definitions (table)
Defining Impact
• Impact (value)
• Using the information documented during the risk identification process, assign
weighted scores based on the value of each information asset, e.g. 1-100, low-
medium-high, etc.

Sample Impact Definitions (table)
However, for the risk assessment to be meaningful, reusable and
easily communicated, the ratings should be defined once and applied consistently
across the entire organization, as in the example below.

Examples of Organizational Effect (table)
Sample Risk Determination Matrix (table)
iv) Treat the Risk
Every risk needs to be reduced to an acceptable level, or contained as far as is
practical, by choosing and implementing a treatment (see the alternatives below).
This is done in consultation with the experts of the field to which the
risk belongs.
In a risk management solution, all the relevant stakeholders can be
notified from within the system, and the discussion of the risk and its
possible treatment can take place there as well.
Upper management can also follow the solutions being proposed and the
progress being made within the system. Instead of everyone contacting each
other to get updates, everyone gets them directly from the risk management
solution.
Risk Treatment Alternatives
Risk acceptance: knowingly accept the risk (perhaps because the cost of treatment
exceeds the expected loss); record the decision and who owns it
Risk avoidance: do not proceed with the activity that causes the risk (at some loss of
convenience or business opportunity)
Risk transfer: buy insurance; outsource. Transfer shifts the financial consequence,
not the organization's accountability for the asset
Reduce consequence: modify the uses of an asset to reduce the impact if the risk
materializes (e.g., off-site backup, which is exactly what the opening story lacked)
Reduce likelihood: implement suitable controls so the threat is less likely to succeed
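The following example, added here and not part of the lecture, puts steps iii) and iv) into code: each asset/threat/vulnerability triple is rated for likelihood and impact, the risk determination matrix (likelihood weight multiplied by impact weight) produces a score and a Low/Medium/High level, the register is ranked so the few items needing management intervention surface first, and a treatment is applied to each item to obtain its residual risk. The numeric weights follow the NIST SP 800-30 (2002) scales that the lecture's 0.1–1.0 likelihood and 1–100 impact ranges correspond to; the assets, threats, ratings and the treatment plan are constructed sample data for a fictional small company.

```python
from dataclasses import dataclass, replace

# Rating scales from the lecture (likelihood 0.1-1.0, impact 1-100) with the
# weights SP 800-30 (2002) assigns to each qualitative band.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ["Low", "Medium", "High"]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk determination: likelihood weight x impact weight."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(score: float) -> str:
    """Bands of the SP 800-30 (2002) risk matrix: Low 1-10, Medium >10-50, High >50."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskItem:
    asset: str          # entry from the information asset inventory
    threat: str         # who or what could cause harm
    vulnerability: str  # how it could occur
    likelihood: str
    impact: str
    treatment: str = "none yet"

    @property
    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


# Constructed sample register: the ratings are an assessor's judgement for a
# fictional company, not measured data.
SAMPLE_REGISTER = [
    RiskItem("Customer database", "External attacker",
             "Unpatched web application with SQL injection", "High", "High"),
    RiskItem("Financial records", "Office fire",
             "Only backup copy kept in a desk drawer beside the computer", "Medium", "High"),
    RiskItem("Staff laptops", "Theft", "Disks not encrypted", "High", "Medium"),
    RiskItem("Payroll system", "Operator error", "No peer review of changes", "Low", "Medium"),
]


def rank(register):
    """Highest score first, so the one or two High items stand out from the many Low ones."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def treat(item, treatment, likelihood=None, impact=None):
    """Residual-risk view of an item. Reduce-likelihood controls lower the likelihood
    rating; reduce-consequence controls (e.g. off-site backup) lower the impact rating;
    acceptance or transfer leave the ratings alone and only record the decision."""
    return replace(item, treatment=treatment,
                   likelihood=likelihood or item.likelihood,
                   impact=impact or item.impact)


def needs_escalation(item, accept_up_to="Low"):
    """True when the item's level exceeds the organisation's acceptance threshold."""
    return LEVELS.index(item.level) > LEVELS.index(accept_up_to)


def apply_treatment_plan(register):
    """Treatment decisions for the sample register, keyed by asset (constructed)."""
    plan = {
        "Customer database": dict(treatment="Reduce likelihood: patch, add input validation",
                                  likelihood="Low"),
        "Financial records": dict(treatment="Reduce consequence: nightly off-site backup",
                                  impact="Low"),
        "Staff laptops": dict(treatment="Reduce consequence: full-disk encryption", impact="Low"),
        "Payroll system": dict(treatment="Accept: cost of control exceeds exposure"),
    }
    return [treat(item, **plan[item.asset]) for item in register]


def main():
    for label, register in (("Inherent", SAMPLE_REGISTER),
                            ("Residual", apply_treatment_plan(SAMPLE_REGISTER))):
        print(f"\n{label} risk, ranked:")
        for r in rank(register):
            flag = "  <-- escalate" if needs_escalation(r) else ""
            print(f"  {r.score:6.1f} {r.level:7} {r.asset:18} {r.treatment}{flag}")


if __name__ == "__main__":
    main()
```

Run the script and the inherent view shows one High item (the database) and two Medium items above the acceptance threshold, while the residual view shows every item back in the Low band after treatment. One caveat the arithmetic makes visible: with these weights a Low-likelihood, High-impact event scores 10 and lands in the Low band, so a rare disaster like the fire in the opening story disappears from the priority list unless the assessor rates its likelihood higher or the organization treats High-impact items as a separate category regardless of score.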
v) Monitor and Review the Risk
Not all risks can be eliminated; some residual risk is always present.
Monitoring checks that the chosen treatments are still in place and effective, that the
likelihood and impact estimates remain valid as the business, its systems and the threat
landscape change, and that new assets and vulnerabilities are brought into the register.
Periodic re-assessment keeps the risk picture current and supports business continuity.
Some Common Risk Assessment Methodologies
National Institute of Standards & Technology (NIST) Methodology
NIST Special Publication (SP) 800-30, Risk Management Guide for
Information Technology Systems, is the risk assessment guidance NIST issued for
US federal information systems. The nine-step process described here is from the
original 2002 edition; SP 800-30 Revision 1, Guide for Conducting Risk Assessments
(2012), restructured it into prepare, conduct, communicate and maintain phases.

This methodology is primarily qualitative and is based upon
skilled security analysts working with system owners and technical experts
to thoroughly identify, evaluate and manage risk in IT systems.
The NIST methodology consists of nine steps, each with defined inputs and outputs:
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Who should carry out the Risk Assessment?
A risk assessment is carried out by a team of people who have knowledge of
specific areas of the business.

It is the responsibility of each party of interest to manage risks.

Each party has a role to play:
Information Security Officer - best understands the threats and attacks that
introduce risk into the organization
Management and Users - play a part in the early detection and response
process; they also ensure sufficient resources are allocated
Information Technology - must assist in building secure systems and
operating them safely
Summary of Risk Assessment Practices and Related Benefits (table)

• THE END
