Chapter 20
Risk Management
Mrs. Shaikha Ali
Instructor, IS –CIT
Office: S40-2035
Learning Objectives
■ Use risk management tools and principles to manage risk effectively
■ Explore risk mitigation strategies
■ Describe risk models
■ Explain the differences between qualitative and quantitative risk
assessment
■ Use risk management tools
■ Examine risk management best practices
Key Terms
• Risk: is the possibility of suffering harm or loss.
• Risk management: is the overall decision-making process of identifying
threats and vulnerabilities and their potential impacts, determining the
costs to mitigate such events, and deciding what actions are cost
effective for controlling these risks.
• Risk assessment (Risk Analysis): is the process of analyzing an
environment to identify the risks (threats and vulnerabilities) and
mitigating actions to determine (either quantitatively or qualitatively)
the impact of an event that would affect a project, program, or
business.
• Asset: An asset is any resource or information an organization needs to
conduct its business.
Key Terms (Cont.)
• Threat: is any circumstance or event with the potential to cause harm
to an asset. For example, a malicious hacker might choose to hack
your system by using readily available hacking tools.
• Threat Actor (Agent): is the entity behind a threat.
• Threat Vector: is a method used to effect a threat—for example,
malware (threat) that is delivered via a watering-hole attack (vector).
• Vulnerability: is any characteristic of an asset that can be exploited by
a threat to cause harm. A vulnerability can also be the result of a lack
of security controls or weaknesses in controls. Your system has a
security vulnerability, for example, if you have not installed patches to
fix a cross-site scripting (XSS) error on your web site.
Key Terms (Cont.)
• Impact: is the loss (or harm) resulting when a threat exploits a vulnerability.
• Control: is a measure taken to detect, prevent, or mitigate the risk
associated with a threat. It is also called a countermeasure or safeguard.
• Qualitative risk assessment: is the process of subjectively determining the
impact of an event that affects a project, program, or business. Completing
the assessment usually involves the use of expert judgment, experience, or
group consensus.
• Quantitative risk assessment: is the process of objectively determining the
impact of an event that affects a project, program, or business. Completing
the assessment usually involves the use of metrics and models.
• Mitigate: refers to taking action to reduce the likelihood of a threat
occurring and/or to reduce the impact if a threat does occur.
What is Risk Management?
• Three definitions relating to risk management reveal why it is sometimes
considered difficult to understand:
• The dictionary defines risk as the possibility of suffering harm or loss.
• Carnegie Mellon University’s Software Engineering Institute (SEI)
defines continuous risk management as “processes, methods, and tools
for managing risks in a project”.
• The ISACA says, “In modern business terms, risk management is the
process of identifying vulnerabilities and threats to an organization’s
resources and assets and deciding what countermeasures, if any, to
take to reduce the level of risk to an acceptable level based on the value
of the asset to the organization”
• These three definitions show that risk management is based on what can
go wrong and what action should be taken, if any.
Risk Response Techniques
• The presence of risks in a system is an absolute—they cannot be removed or eliminated.
However, actions can be taken to reduce the impact of that risk if it occurs.
• Four strategies can be followed to manage risks:
1. Accept: It may be acceptable for a manager to accept risk; in other words, despite the
potential cost of a given risk and its associated probability, the manager of the
organization will accept responsibility for the risk if it does happen.
2. Transfer: A common method of transferring risk is to purchase insurance. Insurance
allows risk to be transferred to a third party that manages specific types of risk for
multiple parties, thus reducing the individual cost.
3. Avoid: Avoiding the risk can be accomplished in many ways. Although threats cannot be
removed from the environment, the exposure can be altered. Not deploying a module
that increases risk is one manner of risk avoidance.
4. Mitigate: Risk can also be mitigated through the application of controls that reduce the
impact of an attack. Controls can alert operators so that the level of exposure is reduced
through process intervention.
Risk Management Frameworks
• A risk management framework provides a structure for the risk
management strategy and guides the creation of the proper guidelines
with steps to follow to provide for a comprehensive coverage of the risk
environment.
• Most Common Risk Management Frameworks:
• Payment Card Industry Data Security Standard (PCI DSS): Governs the way credit
and debit card information is handled.
• ISO 27001: The international standard that describes best practice for implementing
an information security management system (ISMS).
• NIST Framework for Improving Critical Infrastructure Security: A cybersecurity
framework that provides a common taxonomy and mechanism for organizations to
manage their cybersecurity risk associated with critical infrastructure deployments.
• Control Objectives for Information and Related Technologies (COBIT): A
cybersecurity framework that integrates a business’s best aspects to its IT security,
governance, and management.
Security Controls
• Security controls are the mechanisms employed to minimize exposure
to risk and mitigate the effects of loss.
• Using the security attributes of confidentiality, integrity, and
availability associated with data, the security team should determine
the appropriate set of controls to achieve the security objectives.
• The objective is to determine the correct control baseline.
• A control baseline is the set of controls employed to address the level
of risk an enterprise faces.
Security Controls Categories
The use of categories separates the controls into groups based on what the control uses as
its lever:
• Managerial controls: are those that are based on overall risk management.
• These security controls focus on the management of risk or the management of the
cybersecurity system.
• An example of a managerial control would be the use of periodic security risk
assessments to provide feedback to senior management on the current risk posture.
• Operational control: is a policy or procedure used to limit security risk.
• These security controls are primarily implemented and executed by people, as
opposed to systems.
• Instructions to guards are an example of an operational control.
• Technical controls: use some form of technology to address a physical security issue.
• These security controls are primarily implemented and executed by the information
system through mechanisms contained in its hardware, software, or firmware
components.
• Biometrics is an example of a technical control.
Control Types
• Controls can also be categorized by control type.
• Controls can fit into multiple types, depending on deployment and use. A door lock is an example
of both a physical control and a preventative control.
• Deterrent control: acts to influence the attacker by reducing the likelihood of success.
• An example would be laws and regulations that increase punishment.
• Note that a deterrent control must be one that has to be known to a person for it to be effective. If it is
unknown, it cannot deter.
• Preventative control: is one that prevents specific actions from occurring.
• For example, an access control vestibule (formerly known as a mantrap) prevents tailgating.
• Preventative controls act before an event, preventing it from advancing.
• Unlike a deterrent control (which in itself also acts as a preventative control), a control classified as
preventative does not have to be known by a person in order to be effective (for example, a firewall rule).
• Detective control: is one that facilitates the detection of a physical security breach.
• Detective controls act during an event, alerting operators to specific conditions.
• Alarms are common examples of detective controls.
Control Types (Cont.)
• Corrective controls: are used post-event, in an effort to minimize the
extent of damage.
• Backups are a prime example of a corrective control because they can facilitate rapid
resumption of operations.
• Compensating control: is one that is used to meet a requirement when the
requirement cannot be directly met.
• Fire suppression systems do not stop fire damage, but if properly employed, they can
mitigate or limit the level of damage from fire.
• Physical control: is one that prevents specific physical actions from
occurring; for example, an access control vestibule prevents tailgating.
• Physical controls prevent specific human interaction with a system and are primarily
designed to prevent accidental operation of something.
• Physical controls act before an event, preventing it from actually occurring.
• Using covers over critical buttons is one example, as is a big red “STOP” button,
positioned so it is easily reachable. The former stops inadvertent activation, while
the latter facilitates easy activation in an emergency.
Business Risks
Risk is often divided into two areas: business risks and technology risks.
1. Business Risks Examples:
• Treasury management: Management of company holdings in bonds, futures, currencies, and so
on
• Revenue management: Management of consumer behavior and the generation of revenue
• Contract management: Management of contracts with customers, vendors, partners, and so on
• Fraud: Deliberate deception made for personal gain, to obtain property or services, and so on
• Environmental risk management: Management of risks associated with factors that affect the
environment
• Regulatory risk management: Management of risks arising from new or existing regulations
• Business continuity management: Management of risks associated with recovering and restoring
business functions after a disaster or major disruption occurs
• Technology: Management of risks associated with technology in its many forms
Business Risks (Cont.)
2. Technology Risks Examples:
• Security and privacy: The risks associated with protecting personal, private, or confidential
information
• Information technology operations: The risks associated with the day-to-day operation of
information technology systems
• Business systems control and effectiveness: The risks associated with manual and automated
controls that safeguard company assets and resources
• Business continuity management: The risks associated with the technology and processes to
be used in the event of a disaster or major disruption
• Information systems testing: The risks associated with testing processes and procedures of
information systems
• Reliability and performance management: The risks associated with meeting reliability and
performance agreements and measures
• Information technology asset management: The risks associated with safeguarding
information technology physical assets
• Project risk management: The risks associated with managing information technology
projects
• Change management: The risks associated with managing configurations and changes
Business Impact Analysis
• Business impact analysis (BIA) is the name often used to describe a
document created by addressing the questions associated with
sources of risk and the steps taken to mitigate them in the enterprise.
• The BIA also outlines what the loss of any of your critical functions
will mean to the organization.
Impact
• Risk is the chance of something not working as planned.
• Impact is the cost associated with a realized risk.
• Impact can be in many forms, including human life (as in injury or
death), property loss, safety, financial loss, and loss of reputation.
• Losses are seldom absolute; they can come in all sizes and
combinations.
• Different levels of risk can result in different levels of impact.
General Risk Management Model
• The following five steps can be used in virtually any risk management process. Following
these steps will lead to an orderly process of analyzing and mitigating risks.
• Step 1: Asset Identification – Identify and classify the assets, systems, and processes that
need protection because they are vulnerable to threats.
• Step 2: Threat Assessment – Identify both the possible threats and the possible
vulnerabilities associated with each asset and the likelihood of their occurrence.
• Step 3: Impact Determination and Quantification – An impact is the loss created when a
threat exploits a vulnerability. When a threat is realized, it creates impact.
• Step 4: Control Design and Evaluation – Determine which controls to put in place to
mitigate the risks.
• Step 5: Residual Risk Management – Understand that risk cannot be completely
eliminated. A risk that remains after implementing controls is termed a residual risk. In
this step, you further evaluate residual risks to identify where additional controls are
required to reduce risk even more.
Risk Assessment
Risk can be assessed using either:
• Quantitative methods, where specific values are assigned.
• Quantitative risk assessment applies historical information and trends to
assess risk. Models are often used to provide information to decision-makers.
• Qualitative methods, where relative levels are considered.
• Qualitative risk assessment relies on expert judgment and experience by
comparing the impact of a threat with the probability of it occurring.
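The five-step model and the quantitative/qualitative split above, worked through on a small risk register. This is an added example, not part of the chapter slides: the annualized-loss formulas it uses (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence) are the standard quantitative model rather than something the slides state, the 1-3 ranking thresholds are an assumption, and every asset, rate and cost figure is constructed.

```python
"""Quantitative vs. qualitative assessment of a small risk register (added example).
Assumes the standard annualized-loss model SLE = AV x EF, ALE = SLE x ARO; figures are constructed."""
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str             # Step 1: asset identification
    threat: str            # Step 2: threat assessment
    asset_value: float     # Step 3 inputs: value of the asset (AV)
    exposure_factor: float # fraction of AV lost per realized threat (EF, 0..1)
    aro: float             # annual rate of occurrence without controls
    control: str           # Step 4: candidate control
    control_cost: float    # annual cost of that control
    aro_after: float       # expected annual rate with the control in place

def sle(r: Risk) -> float:
    """Single loss expectancy: the loss from one realized threat."""
    return r.asset_value * r.exposure_factor

def ale(r: Risk, aro: float) -> float:
    """Annualized loss expectancy at a given rate of occurrence."""
    return sle(r) * aro

def qualitative_level(r: Risk) -> str:
    """Qualitative view: rank likelihood and impact on relative 1-3 scales, then combine."""
    likelihood = 3 if r.aro >= 1 else 2 if r.aro >= 0.1 else 1
    impact = 3 if sle(r) >= 100_000 else 2 if sle(r) >= 10_000 else 1
    score = likelihood * impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def recommend(r: Risk) -> dict:
    """Cost/benefit analysis: mitigate when the control saves more per year than it
    costs, otherwise accept. Residual ALE is the Step 5 residual risk."""
    before, after = ale(r, r.aro), ale(r, r.aro_after)
    net_benefit = before - after - r.control_cost
    return {"asset": r.asset, "threat": r.threat, "qualitative": qualitative_level(r),
            "ale_before": before, "residual_ale": after, "net_annual_benefit": net_benefit,
            "response": "mitigate" if net_benefit > 0 else "accept"}

# Constructed register (hypothetical assets and figures, not from the slides)
RISKS = [
    Risk("customer database", "ransomware", 500_000, 0.6, 0.2, "offline backups", 20_000, 0.05),
    Risk("lobby kiosk", "vandalism", 3_000, 1.0, 0.5, "guard post", 40_000, 0.1),
]

if __name__ == "__main__":
    for r in RISKS:
        print(recommend(r))
```

The same register yields a High/mitigate decision for the database and a Low/accept decision for the kiosk, showing how the qualitative ranking and the cost/benefit figures agree on the four response strategies.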
Risk Management Tools
• Numerous tools can be used to add credibility and rigor to the risk
assessment process.
• Risk assessment tools help identify relationships, causes, and effects.
They assist in prioritizing decisions and facilitate effective
management of the risk management process.
• Most Common Risk Management Tools include: Affinity grouping,
Baseline identification and analysis, Cause-and-effect analysis,
Cost/benefit analysis, Gantt charts, Interrelationship digraphs, Pareto
charts, Program evaluation and review technique (PERT) charts, and
Risk management plan.
Risk Management Best Practices
• Best practices are the best defenses that an organization can employ
in any activity.
• One manner of examining best practices is to ensure that the
business has the set of best practices to cover its operational
responsibilities.
• Risk mitigation best practices include:
• Business continuity
• High availability
• Fault tolerance
• Disaster recovery concepts
Chapter 20 Summary
After reading this chapter, you should understand the following about
risk management:
• Use risk management tools and principles to manage risk effectively
• Explore risk mitigation strategies
• Describe risk models
• Explain the differences between qualitative and quantitative risk
assessment
• Use risk management tools
• Examine risk management best practices
End of Chapter 20