Risk Management for Systems Security
205 - Information Security and Cryptography
Areas of IT Risk
Information Security Risk
• Information Security Risk Analysis, or risk assessment, is fundamental to the security of any organization.
• Information security in any system should be commensurate with its risks. However, the process of determining which security controls are appropriate and cost-effective is quite often complex and sometimes subjective.
• It is essential to ensure that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
Questions to ask!
• What are the resources that need protecting?
• What is the value of those resources, monetary or otherwise?
• What are all the possible threats that those resources face?
• What is the likelihood of those threats being realized?
• What would be the impact of those threats if they were realized?
Information Asset Definition
Information Assets are the physical, hardware, software, data, communications, administrative and personnel resources of a computing system that, once compromised, would release sensitive, undisclosed system information to the threat agent.
Defining Risk
The term risk is used to describe the possibility of a threat taking advantage of an asset’s vulnerability.
Risk management (diagram)
• Risk assessment: identify and analyse risks
• Risk control: reduce risks, provide contingency
Defining Risk Management
Risk management is the process of
– Establishing and maintaining information system security within an organization
– The identification and management of opportunities and threats
Risk Management Approaches
• Quantitative Approach – this approach employs two fundamental elements:
  • the probability of an event occurring
  • the likely loss should it occur
– requires probabilities, which are rarely precise
– thus data may be unreliable and inaccurate
– a time-consuming and expensive exercise
• Qualitative Approach – the most widely used approach to risk analysis (COBRA)
– involves less uncertainty (no probabilities)
– uses interrelated elements of threats, vulnerabilities and controls
– based on expert knowledge
– parameters are: high, medium, low
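The quantitative approach worked through, as an added example that is not part of the lecture slides: expected annual loss is probability times loss, a control is cost-effective when the loss it removes exceeds its cost, and the decision is re-run with the probability estimate perturbed to show how quickly imprecise probabilities make the answer unreliable. All asset values, probabilities and control costs are constructed.

```python
"""Quantitative risk approach: expected loss = probability x loss, and why
imprecise probabilities make the answer unreliable. Added example, not from
the slides; every value below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # estimated chance the event happens in a year
    loss_if_occurs: float      # estimated monetary loss when it does


def expected_annual_loss(s: Scenario) -> float:
    """The two fundamental elements of the quantitative approach, combined."""
    return s.annual_probability * s.loss_if_occurs


def control_is_worthwhile(before: Scenario, after: Scenario, cost: float) -> bool:
    """Expenditure is commensurate with risk when the expected loss a control
    removes exceeds its annual cost."""
    return expected_annual_loss(before) - expected_annual_loss(after) > cost


def scale_probability(s: Scenario, factor: float) -> Scenario:
    """Copy of the scenario with its probability estimate rescaled."""
    return Scenario(s.name, s.annual_probability * factor, s.loss_if_occurs)


def decision_is_stable(before: Scenario, after: Scenario, cost: float,
                       error: float) -> bool:
    """Probabilities are rarely precise: repeat the decision with the estimate
    scaled by (1 - error) and (1 + error). Only trust it if both ends agree."""
    answers = {
        control_is_worthwhile(scale_probability(before, f),
                              scale_probability(after, f), cost)
        for f in (1 - error, 1 + error)
    }
    return len(answers) == 1


# Constructed scenario: loss of a file server to malware, with and without
# offline backups that cut the loss from a full rebuild to a short restore.
NO_BACKUPS = Scenario("file server loss, no backups", 0.10, 200_000.0)
WITH_BACKUPS = Scenario("file server loss, offline backups", 0.10, 30_000.0)
BACKUP_COST = 8_000.0  # annual cost of the backup control

if __name__ == "__main__":
    print(control_is_worthwhile(NO_BACKUPS, WITH_BACKUPS, BACKUP_COST))  # True
    print(decision_is_stable(NO_BACKUPS, WITH_BACKUPS, BACKUP_COST, 0.60))  # False
```

With a 25 % error in the probability estimate the "buy backups" decision holds at both ends of the range, but at 60 % error it flips, which is the slides' point that quantitative data may be unreliable.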
Risk Management Approaches
• Knowledge-Based Approach:
– based on reusing “best practice” from similar systems
– obsolete
• Model-Based Approach:
– based on OO modeling
– describes the target of assessment at the right level of abstraction
– brings together all stakeholders
Problems of Measuring Risk
• Businesses wish to measure in money, but many of the entities don’t permit this
– Valuation of assets
  • Value of data and in-house software – no market value
  • Value of goodwill and customer confidence
– Likelihood of threats
  • How relevant is past data to the calculation of future probabilities?
    – The nature of future attacks is unpredictable
    – The actions of future attackers are unpredictable
– Measurement of benefit from security measures
Risk vs Threat
• Reference point
– Risk: you examine the system
– Threat: you examine the environment around it
• Impact
– Sometimes a major threat may correspond, in the context of the business, to a minor risk
• Relationship
– Risks and threats do not have a one-to-one relationship. Some threats may contribute to more than one risk, and some risks have properties that are not directly related to individual threats.
Risk Analysis Framework (diagram)
• Analysis: Assets, Threats and Vulnerabilities together give the Risks
• Control: Risks are addressed by Security Measures
Goals of Risk Analysis
• All assets have been identified
• All threats have been identified
– Their impact on assets has been valued
• All vulnerabilities have been identified and assessed
Risk Analysis Steps
1. Decide on scope of analysis – Set the system boundary
2. Identification of assets & business processes
3. Identification of threats and valuation of their impact on assets
4. Identification and assessment of vulnerabilities to threats
5. Risk assessment
1. Risk Analysis – Defining the Scope
• Draw a context diagram
• Decide on the boundary
– It will rarely be the computer!
• Make explicit assumptions about the security of neighbouring domains
– Verify them!
2. Risk Analysis - Identification of Assets
• Hardware
• Software: purchased or developed programs
• Data
• Users
• Documentation: manuals, admin procedures
• Supplies: paper, printer cartridges, pens, etc
• Money
• Intangibles
– Goodwill
– Reputation
3. Risk Analysis – Impact Valuation
Identification and valuation of threats for assets
• Identify threats, e.g. for stored data:
– Loss of confidentiality
– Loss of integrity
– Loss of completeness
– Loss of availability (Denial of Service)
• For many asset types the only threat is loss of availability
• Assess the impact of the threat in levels, e.g. H-M-L – this gives the valuation of the asset in the face of the threat
4. Risk Analysis – Process Analysis
• Every company or organisation has some processes that are critical to its operation
• The criticality of a process may increase the impact valuation of one or more assets identified
So
• Identify critical processes
• Review assets needed for critical processes
• Revise impact valuation of these assets
5. Risk Analysis – Vulnerabilities 1
• Identify vulnerabilities against a baseline system
– For risk analysis of an existing system
  • Existing system with its known security measures and weaknesses
– For development of a new system
  • Security facilities of the envisaged software, e.g. Windows NT
  • Standard good practice, e.g. BS 7799 recommendations of good practice
5. Risk Analysis – Vulnerabilities 2
• For each threat:
– Identify vulnerabilities
  • How the threat could be exploited successfully
– Assess levels of likelihood – High, Medium, Low
  • Of an attempt
    – Expensive attacks are less likely (e.g. brute-force attacks on encryption keys)
  • Of successful exploitation of the vulnerability
– Combine them
6. Risk Assessment & Response
• Should have all the information to produce the Risk Assessment
• Responses to risk
– Avoid it completely by withdrawing from an activity
– Accept it and do nothing
– Reduce it with security measures
Example
• Asset:
– Internal mailbox of Bill Gates
• Risk Impact Estimate examples:
– Risk of loss: Medium impact
– Risk of access by staff: High impact
– Risk of access by press: Catastrophic impact
– Risk of access by a competitor: High impact
– Risk of Bill temporarily having no access: Low impact
– Risk of change of content: Medium impact
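The qualitative path of the Vulnerabilities, Risk Assessment & Response and Example slides carried through, as an added example that is not part of the lecture slides: likelihood of attempt and likelihood of successful exploitation are combined, crossed with the H-M-L impact, and mapped to the three responses. The combination rule (weaker of the two likelihoods, then a likelihood x impact matrix with chosen thresholds) and the likelihood values for the mailbox threats are assumptions; only the impact levels come from the slide.

```python
"""Qualitative risk assessment on the mailbox example: combine likelihood of
attempt, likelihood of successful exploitation and impact into a H-M-L risk
level, then choose a response. Added example, not from the slides; the
combination rule and the likelihood values are assumptions."""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Catastrophic": 4}
NAME = {1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class Threat:
    description: str
    attempt: str   # likelihood of an attempt: Low / Medium / High
    success: str   # likelihood it succeeds against the baseline system
    impact: str    # Low / Medium / High / Catastrophic (from the slide)


def combined_likelihood(attempt: str, success: str) -> str:
    """An attack needs both an attempt and a working vulnerability, so the
    overall likelihood is bounded by the weaker of the two (assumption)."""
    return NAME[min(LEVEL[attempt], LEVEL[success])]


def risk_level(likelihood: str, impact: str) -> str:
    """Likelihood x impact matrix, scores 1..12 (thresholds are assumed)."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"


def response(level: str) -> str:
    """The three responses from the slides, mapped to risk level (assumed)."""
    return {"Low": "Accept", "Medium": "Reduce with security measures",
            "High": "Reduce, or avoid the activity"}[level]


def assess(threats: list[Threat]) -> list[tuple[str, str, str]]:
    """Risk register rows (threat, level, response), highest risk first."""
    rows = []
    for t in threats:
        level = risk_level(combined_likelihood(t.attempt, t.success), t.impact)
        rows.append((t.description, level, response(level)))
    return sorted(rows, key=lambda r: -LEVEL[r[1]])


# Constructed register for the internal mailbox: impacts follow the slide,
# likelihoods are invented for a baseline with access control but no backups.
MAILBOX = [
    Threat("access by press", "High", "Low", "Catastrophic"),
    Threat("access by staff", "High", "High", "High"),
    Threat("loss of mailbox", "Medium", "High", "Medium"),
    Threat("temporary no access", "Low", "Medium", "Low"),
]
```

Note that the Catastrophic-impact press threat lands below the staff threat once its low likelihood of success is taken into account, which is the slides' point that a major threat can be a minor risk in context.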
Some examples of UK real-life risks
• Chances are your death will be by:
– being shot by a stranger… 1 in 22,500
– drowning in the bath… 1 in 17,500
– plane crash… 1 in 800,000
– car accident… 1 in 300
– suicide… 1 in 160
– accidental fall… 1 in 150
– cancer… 1 in 4
• This year in England and Wales:
– 130,000 will die of heart disease
– 24 due to adverse weather conditions
– 1 from lightning
Questions