Principles of
Information Security
TOPIC 5: RISK MANAGEMENT
(CH4)
Based on Ch. 7 of Management Information Systems: Managing the Digital Firm, Fifteenth Edition
Kenneth C. Laudon • Jane P. Laudon
Introduction
Organizations must design and create safe environments in which business
processes and procedures can function
Risk management: process of identifying and controlling risks facing an
organization.
2
Introduction
Risk management involves three major undertakings:
◦ Risk assessment: determine to what extent an organization’s information assets are
exposed to risk.
◦ Risk identification: The recognition, enumeration, and documentation of risks to an
organization’s information assets.
◦ Risk control (AKA risk treatment): applying controls to reduce risks to an organization’s data
and information assets to an acceptable level.
3
An Overview of Risk Management
Know yourself: identify, examine, and understand the information and systems currently in
place.
Know the enemy: identify, examine, and understand threats facing the organization
Responsibility of each community of interest within an organization to manage risks that are
encountered
4
The Roles of the Communities of Interest
Information security, management and users, and information technology all must work
together
Communities of interest are responsible for:
◦ Evaluating the risk controls
◦ Determining which control options are cost effective for the organization
◦ Acquiring or installing the needed controls
◦ Ensuring that the controls remain effective
5
6
Residual Risk and Risk Appetite
Residual risk: the risk to information assets that remains even after current controls have been
applied.
Risk appetite: the quantity and nature of risk that organizations are willing to accept as they
evaluate the trade-offs between perfect security and unlimited accessibility.
The goal of information security is to bring residual risk into line with risk appetite.
7
8
Risk Identification
Risk management involves identifying, classifying, and prioritizing an organization’s assets
9
Plan and Organize the Process
Begin by organizing a team with representation across all affected groups
The process must then be planned out
◦ Periodic deliverables
◦ Reviews
◦ Presentations to management
Tasks laid out, assignments made and timetables discussed
10
Asset Identification and Inventory
Iterative process; begins with identification of assets, including all elements of an organization’s
system (people, procedures, data and information, software, hardware, networking)
Assets are then classified and categorized
11
Asset Categorization
12
People, Procedures, and Data Asset Identification
Human resources, documentation, and data information assets are more difficult to identify
Important asset attributes should be considered:
◦ People: position name/number/ID; supervisor; security clearance level; special skills
◦ Procedures: description; intended purpose; relation to software/hardware/networking elements;
storage location for reference; storage location for update
◦ Data: classification; owner/creator/manager; data structure size; data structure used; online/offline;
location; backup procedures employed
13
Hardware, Software, and Network Asset Identification
What information attributes to track depends on:
◦ Needs of organization/risk management efforts
◦ Preferences/needs of the security and information technology communities
Asset attributes to be considered are:
◦ Name: device or program name; should be meaningful, but should not convey useful information to an attacker.
◦ IP address: identifies the connection point of each device in the network.
◦ MAC address: a hardware serial number for each network interface.
◦ Element type: for hardware (servers, desktops, routers); for software (OS, custom applications:
accounting, HR, payroll).
◦ Serial number: for hardware and software.
◦ Manufacturer name: record the manufacturer of the device or software; useful when a manufacturer
announces a vulnerability.
◦ Software version; physical or logical location; controlling entity
14
Classifying and Prioritizing Information Assets
Many organizations have data classification schemes (e.g., confidential, internal, external or
public data)
Classification of components must be specific to allow determination of priority levels
Categories must be comprehensive and mutually exclusive.
Reviewed at least once a year to ensure correct classification.
15
Data Classification and Management
Security clearance structure
◦ Each data user assigned a single level of authorization indicating classification level
◦ Before accessing specific set of data, employee must meet need-to-know requirement
Clean desk policy: an organizational policy that specifies employees must inspect their
work areas and ensure that all classified information, documents, and materials are
secured at the end of every workday.
Dumpster diving: an information attack that involves searching through a target
organization’s trash and recycling bins for sensitive information.
16
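The clearance structure on this slide has two separate conditions: the user’s single authorization level must be at least the data’s classification level, and the user must also satisfy a need-to-know requirement for that specific data set. The following is an added example, not from the slides or the textbook, that models both checks. The classification levels are the four named on the earlier classification slide (public, external, internal, confidential); the users, data sets and need-to-know groups are constructed sample data, and the function and class names are the example’s own.

```python
# Added example: a minimal model of a security clearance structure with a
# separate need-to-know check. Levels, users and data sets are constructed
# sample data; nothing here comes from a real organization.
from dataclasses import dataclass

# Classification levels ordered from least to most sensitive (from the slide);
# the list index serves as the level's rank.
LEVELS = ["public", "external", "internal", "confidential"]


def rank(level):
    """Numeric rank of a classification level; unknown levels are rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level!r}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str
    # Groups with a business need for this data. An empty set means the data
    # set carries no need-to-know restriction beyond its classification.
    need_to_know: frozenset


@dataclass(frozen=True)
class User:
    name: str
    clearance: str        # a single level of authorization per user
    groups: frozenset     # business groups the user belongs to


def access_decision(user, data):
    """Return (allowed, reason). Both conditions must hold for access."""
    if rank(user.clearance) < rank(data.classification):
        return False, "clearance below classification"
    if data.need_to_know and not (user.groups & data.need_to_know):
        return False, "no need-to-know"
    return True, "granted"


def can_access(user, data):
    """Boolean form of access_decision, for callers that only need the verdict."""
    return access_decision(user, data)[0]


# Constructed sample data sets and users (hypothetical).
PAYROLL = DataSet("payroll", "confidential", frozenset({"hr", "finance"}))
RUNBOOK = DataSet("ops runbook", "internal", frozenset({"it"}))
PRICE_LIST = DataSet("price list", "public", frozenset())

ALICE = User("alice", "confidential", frozenset({"hr"}))
BOB = User("bob", "internal", frozenset({"it"}))
CAROL = User("carol", "confidential", frozenset({"it"}))


def audit_log(users, data_sets):
    """One decision line per (user, data set) pair, suitable for review."""
    lines = []
    for u in users:
        for d in data_sets:
            allowed, reason = access_decision(u, d)
            lines.append(f"{u.name} -> {d.name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    return lines


if __name__ == "__main__":
    for line in audit_log([ALICE, BOB, CAROL], [PAYROLL, RUNBOOK, PRICE_LIST]):
        print(line)
```

Carol is the instructive case: her clearance dominates the payroll classification, but she has no need-to-know for it, so the request is denied. Logging the reason separately lets a reviewer distinguish a clearance problem from a need-to-know problem.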
17
Information Asset Valuation
Questions help develop criteria for asset valuation
Which information asset:
◦ How critical is the asset to the success of the organization?
◦ How much does the information asset contribute to revenue generation? (what about non-profit?)
◦ How much does the information asset contribute to profit generation?
◦ How expensive is the information asset to replace?
◦ How expensive is the information asset to protect?
◦ How much embarrassment or liability would the asset’s loss or compromise cause?
18
19
Information Asset Valuation (cont’d.)
Information asset prioritization
◦ Create weighting for each category based on the answers to questions
◦ Calculate relative importance of each asset using weighted factor analysis
◦ List the assets in order of importance using a weighted factor analysis worksheet
20
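The three prioritization steps above describe a weighted factor analysis worksheet: weight each valuation criterion, score every asset against each criterion, and rank assets by their weighted total. The block below is an added example, not a worksheet from the slides or the textbook. The criteria correspond to the six valuation questions on the preceding slide; the weights (summing to 100) and the three sample assets with their 0.1 to 1.0 scores are constructed values chosen for illustration.

```python
# Added example: weighted factor analysis for information asset prioritization.
# Criteria follow the six valuation questions on the slides; weights and asset
# scores below are constructed sample data.

# Criterion weights, an assumed allocation that must sum to 100.
CRITERIA_WEIGHTS = {
    "criticality": 30,        # how critical the asset is to the organization
    "revenue": 15,            # contribution to revenue generation
    "profit": 15,             # contribution to profit generation
    "replacement_cost": 10,   # how expensive it is to replace
    "protection_cost": 10,    # how expensive it is to protect
    "liability": 20,          # embarrassment or liability if lost or compromised
}

# Constructed sample assets, each scored from 0.1 (low) to 1.0 (high) per criterion.
SAMPLE_ASSETS = {
    "customer order database": {
        "criticality": 1.0, "revenue": 1.0, "profit": 0.9,
        "replacement_cost": 0.8, "protection_cost": 0.5, "liability": 1.0,
    },
    "public marketing site": {
        "criticality": 0.5, "revenue": 0.6, "profit": 0.4,
        "replacement_cost": 0.3, "protection_cost": 0.3, "liability": 0.5,
    },
    "internal wiki": {
        "criticality": 0.3, "revenue": 0.1, "profit": 0.1,
        "replacement_cost": 0.4, "protection_cost": 0.2, "liability": 0.3,
    },
}


def weighted_score(scores, weights):
    """Weighted sum of one asset's criterion scores, rounded to two decimals."""
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for: {sorted(missing)}")
    for criterion, value in scores.items():
        if not 0.1 <= value <= 1.0:
            raise ValueError(f"score for {criterion!r} must be between 0.1 and 1.0")
    return round(sum(weights[c] * scores[c] for c in weights), 2)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """Return [(asset name, weighted score)] from most to least important."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Worksheet-style listing, highest priority first.
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.2f}  {name}")
```

With these constructed values the order database scores 91.5, the marketing site 46.0 and the wiki 24.0, which is the ordered list the worksheet is meant to produce. Requiring the weights to sum to 100 keeps scores comparable across assets scored at different times.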
21
Identifying and Prioritizing Threats
Realistic threats need investigation; unimportant threats are set aside
Threat assessment: the evaluation of the threats to information assets, including a
determination of their potential to endanger the organization.
◦ Which threats present danger to assets?
◦ Which threats represent the most danger to information?
◦ How much would it cost to recover from attack?
◦ Which threat requires greatest expenditure to prevent?
22
23
Vulnerability Identification
Vulnerabilities: specific avenues threat agents can exploit to attack an
information asset.
Examine how each threat could be perpetrated and list organization’s assets and
vulnerabilities.
The process of creating the list of vulnerabilities and assets depends on the
experience of people.
This process works best when people with diverse backgrounds within
organization work iteratively in a series of brainstorming sessions
At end of risk identification process, list of assets and their vulnerabilities is
achieved
24
25
26
Risk Management
27
Risk Assessment
Risk assessment evaluates the relative risk for each vulnerability
Assigns a risk rating or score to each information asset
The goal at this point: create a method for evaluating the relative risk of each listed vulnerability
28
Risk Assessment
29
Determining the Likelihood of a Threat Event
Likelihood: the probability that a specific vulnerability will be the object of a successful
attack
Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1
and 100
◦ Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability
list
◦ Use the selected rating model consistently.
◦ Example: an organization is targeted by hackers once every five years (1/5), i.e. 20%.
An event with a likelihood of more than once a year obviously has a higher probability of
attack.
◦ Example: an organization is expected to be targeted by a malware attack at least four times
per year (4/1), i.e. 400%.
30
Attack Success Probability
The probability of an attack’s success if the organization becomes a target.
Person or team that performs the risk assessment calculations must work closely
with the IT/security groups to understand the current level of protection.
For poorly prepared organizations: “very likely”, or 75%.
For well-protected organizations: “very unlikely”, or 10%.
Impact (Loss magnitude): how much of an information asset could be lost in a successful
attack.
31
Risk Determination
32
Example 1
Information asset A is an online e-commerce database. Industry reports indicate a 10 percent
chance of an attack this year, based on an estimate of one attack every 10 years. The information
security and IT departments report that if the organization is attacked, the attack has a 50
percent chance of success based on current asset vulnerabilities and protection mechanisms.
The asset is valued at a score of 50 on a scale of 0 to 100, and information security and IT staff
expect that 100 percent of the asset would be lost or compromised by a successful attack. You
estimate that the assumptions and data are 90 percent accurate.
Solution:
◦ Asset A’s risk is
33
Example 2
Information asset B is an internal personnel database behind a firewall. Industry reports indicate
a 1 percent chance of an attack. The information security and IT departments report that if the
organization is attacked, the attack has a 10 percent chance of success based on current asset
vulnerabilities and protection mechanisms. The asset is valued at a score of 25 on a scale of 0 to
100, and information security and IT staff expect that 50 percent of the asset would be lost or
compromised by a successful attack, because not all of the asset is stored in a single location.
You estimate that the assumptions and data are 90 percent accurate.
Solution:
◦ Asset B’s risk is
34
Documenting the Results of Risk Assessment
36
Risk Management
37
Identify Possible Controls
For each threat and associated vulnerabilities that have residual risk, create preliminary
list of control ideas
Residual risk is risk that remains to information asset even after existing control has
been applied
Risk control involves three basic steps:
◦ Selection
◦ Justification to upper management
◦ Implementation, monitoring, and ongoing assessment of the adopted controls.
38
Risk Control Strategies
Once the ranked vulnerability risk worksheet is complete, one of four strategies must be chosen to
control each risk:
◦ Defend (Mitigate)
◦ Transfer
◦ Accept
◦ Terminate
39
Defend (Mitigate)
Mitigation risk treatment (Defend strategy): the risk treatment strategy that
attempts to eliminate or reduce any remaining uncontrolled risk through the
application of additional controls and safeguards, in an effort to change the
likelihood of a successful attack on an information asset.
Preferred approach
Accomplished through countering threats, removing asset vulnerabilities, limiting
asset access, and adding protective safeguards
Three common methods of risk avoidance:
◦ Application of policy
◦ Training and education
◦ Applying technology
40
Transfer
Risk transfer strategy: the risk treatment strategy that attempts to shift risk to other assets, processes, or organizations.
If the organization lacks the expertise, it should hire individuals or firms that provide security management and
administration expertise
The organization may then transfer the risk associated with managing complex systems to another
organization experienced in dealing with those risks
41
Accept
Acceptance strategy: doing nothing to protect a vulnerability or an information asset and
accepting the outcome of its exploitation.
Valid only when the particular function, service, information, or asset does not justify cost of
protection.
Example: the cost of protecting a server is $100,000/year, while replacing the information contained
on that server would cost only $10,000/year.
42
Terminate
Termination strategy: eliminates all risk associated with an information asset by removing it from
service.
May seek an alternate mechanism to meet customer needs
Example: the risks associated with implementing business-to-customer operations are not
sufficiently offset by the potential benefits.
43
Selecting a Risk Control Strategy
Level of threat and value of asset play major role in selection of strategy
Rules of thumb on strategy selection can be applied:
◦ When a vulnerability exists
◦ When a vulnerability can be exploited
◦ When attacker’s cost is less than potential gain
◦ When potential loss is substantial
44
45
Feasibility Studies
Before deciding on strategy, all information about economic/noneconomic consequences of
vulnerability of information asset must be explored
A number of ways exist to determine advantage of a specific control
Items that affect cost of a control or safeguard include cost of development or acquisition,
training fees, implementation cost, service costs, and cost of maintenance.
46
Cost Benefit Analysis (CBA)
CBAs can be calculated before a control is implemented, and again after the control has
been functioning for a while.
Determines whether implementing a particular control is worth its cost.
Items that affect cost of a control or safeguard include: cost of development or
acquisition; training fees; implementation cost; service costs; cost of
maintenance
Benefit: the value an organization realizes using controls to prevent losses from
a vulnerability
47
Cost Benefit Analysis (CBA) (cont’d.)
Asset valuation: process of assigning financial value or worth to each information asset
Process result is estimate of potential loss per risk
Expected loss per risk is stated in the following equations:
◦ Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
◦ Single Loss Expectancy (SLE) = Asset Value × Exposure Factor (EF)
48
Example
A web site has an estimated value of $1 million, as determined by an asset valuation,
and a hacker defacement scenario indicates that a deliberate act of sabotage or
vandalism could damage 10% of the Web site, with an estimate of once every two years
occurrence. Calculate the Annual Loss Expectancy (ALE).
Solution:
ALE = SLE × ARO
SLE = Exposure Factor × Asset Value
SLE = 10% (0.1) × $1,000,000 = $100,000
So,
ALE = $100,000 × 50% (0.5) = $50,000
49
The Cost Benefit Analysis (CBA) Formula
CBA most easily calculated using ALE from earlier assessments, before implementation of
proposed control:
◦ CBA = ALE(prior) – ALE(post) – ACS
◦ ALE(prior) is annualized loss expectancy of risk before implementation of control
◦ ALE(post) is estimated ALE based on control being in place for a period of time
◦ ACS is the annualized cost of the safeguard
50
Example
Referring to the previous scenario, the ALE before adding the security control is estimated
at $50,000. The company decides to invest $4,000 per year in the security of its website, which
is estimated to reduce the exposure factor to 3% and the annualized rate of occurrence to 25%.
Calculate the CBA.
Solution:
ALE(prior) = $100,000 × 50% (0.5) = $50,000
SLE(post) = $1,000,000 × 3% (0.03) = $30,000
ALE(post) = $30,000 × 25% (0.25) = $7,500
CBA = ALE(prior) – ALE(post) – ACS
CBA = $50,000 – $7,500 – $4,000
CBA = $38,500
51
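The SLE/ALE equations and the CBA formula from the preceding slides, together with the two worked examples (the $1 million website with a 10% exposure factor and an ARO of 0.5, then the $4,000/year control that brings the exposure factor to 3% and the ARO to 0.25), are collected into one added example below. It is not code from the slides or the textbook. It goes one step beyond the slides by ranking several candidate controls by CBA; the website control from the slide is included as given, while the other two candidates and their figures are constructed for illustration, and the function names are the example’s own.

```python
# Added example: SLE, ALE and CBA as functions, checked against the slide
# examples, plus a ranking of candidate controls by their CBA. Only the
# $4,000/year control comes from the slides; the other candidates are constructed.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value x Exposure Factor (EF), rounded to cents."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x Annualized Rate of Occurrence (ARO); ARO may exceed 1."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(single_loss_expectancy(asset_value, exposure_factor) * aro, 2)


def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS, where ACS is the annualized cost of the safeguard."""
    return round(ale_prior - ale_post - acs, 2)


def website_defacement_cba():
    """The two slide examples end to end: returns (ALE prior, ALE post, CBA)."""
    asset_value = 1_000_000                      # $1 million website
    ale_prior = annualized_loss_expectancy(asset_value, 0.10, 0.5)   # 10% EF, once per two years
    ale_post = annualized_loss_expectancy(asset_value, 0.03, 0.25)   # 3% EF, 25% ARO after control
    return ale_prior, ale_post, cost_benefit(ale_prior, ale_post, 4_000)


# Candidate controls: (name, post-control EF, post-control ARO, annual cost).
# Only the first is from the slides; the other two are constructed.
SAMPLE_CONTROLS = [
    ("hardening from the slide example", 0.03, 0.25, 4_000),
    ("CDN with edge caching (constructed)", 0.05, 0.50, 12_000),
    ("premium managed WAF (constructed)", 0.01, 0.10, 60_000),
]


def rank_controls(ale_prior, asset_value, controls):
    """Return [(name, CBA, ALE post)] sorted from best to worst CBA.

    A negative CBA means the safeguard costs more per year than the loss it avoids.
    """
    rows = []
    for name, ef, aro, acs in controls:
        ale_post = annualized_loss_expectancy(asset_value, ef, aro)
        rows.append((name, cost_benefit(ale_prior, ale_post, acs), ale_post))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    prior, post, cba = website_defacement_cba()
    print(f"ALE(prior)={prior:,.0f} ALE(post)={post:,.0f} CBA={cba:,.0f}")
    for name, cba, ale_post in rank_controls(prior, 1_000_000, SAMPLE_CONTROLS):
        verdict = "worth it" if cba > 0 else "not worth it"
        print(f"{cba:>10,.0f}  {name} ({verdict})")
```

The constructed WAF candidate is there to show the failure mode the CBA formula exists to catch: it reduces the expected loss the most, yet its $60,000 annual cost exceeds the $49,000 of loss it avoids, so its CBA is negative and the cheaper control ranks first.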