205 - Information Security and Cryptography
Source: wiki.computing.hct.ac.uk/_media/computing/fdsc/...
Date posted: 27-May-2020
26 pages

Transcript

Page 1:

Risk Management for Systems Security

205 - Information Security and Cryptography

Page 2:

Areas of IT Risk

Page 3:

Information Security Risk

• Information security risk analysis, or risk assessment, is fundamental to the security of any organization.

• The security of any system should be commensurate with its risks. However, deciding which security controls are appropriate and cost effective is often complex and sometimes subjective.

• It is essential that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

Page 4:

Questions to ask!

• What are the resources that need protecting?

• What is the value of those resources, monetary or otherwise?

• What are all the possible threats that those resources face?

• What is the likelihood of those threats being realized?

• What would be the impact of those threats if they were realized?

Page 5:

Information Asset Definition

Information assets are the physical, hardware, software, data, communications, administrative and personnel resources of a computing system that, once compromised, disclose sensitive, previously undisclosed system information to the threat agent.

Page 6:

Defining Risk

The term risk is used to describe the possibility of a threat taking advantage of an asset's vulnerability.

Page 7:

Risk Management

Risk management consists of:

• Risk assessment: identify and analyse risks

• Risk control: reduce risks, provide contingency

Page 8:

Defining Risk Management

Risk management is the process of:

– Establishing and maintaining information system security within an organization

– The identification and management of opportunities and threats

Page 9:

Risk Management Approaches

• Quantitative Approach – employs two fundamental elements:

• the probability of an event occurring

• the likely loss should it occur

– requires probabilities, which are rarely precise

– thus the data may be unreliable and inaccurate

– a time-consuming and expensive exercise

• Qualitative Approach – the most widely used approach to risk analysis (e.g. COBRA)

– involves less uncertainty (no numeric probabilities are stated)

– uses the interrelated elements of threats, vulnerabilities and controls

– based on expert knowledge

– parameters are rated high, medium or low
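The quantitative approach above, as an added worked example that is not part of the original slides: the slide's two elements (probability of an event, likely loss if it occurs) are expanded into the standard single loss expectancy (SLE = asset value × exposure factor) and annualised loss expectancy (ALE = SLE × annualised rate of occurrence), and the ALE removed by a control is set against the control's annual cost, which is the "expenditure commensurate with risk" test from slide 3. The assets, values, exposure factors, rates and control cost are constructed sample data; the class and function names are this example's own.

```python
"""Quantitative risk analysis: annualised loss expectancy and control cost-benefit.

Added example, not part of the original slides. The slide names two elements
(probability of an event, likely loss if it occurs); this block uses the standard
expansion of those elements: SLE = asset value x exposure factor,
ALE = SLE x annualised rate of occurrence, and then compares the ALE reduction
bought by a control against the control's annual cost. All asset values,
exposure factors, rates and control costs below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat acting on one asset (constructed sample data)."""
    asset: str
    threat: str
    asset_value: float      # value of the asset in currency units
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    aro: float              # annualised rate of occurrence (expected incidents per year)


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor: the loss from one incident."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year from this scenario."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(s) * s.aro


def control_benefit(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Net annual value of a control.

    'after' is the same scenario with the exposure factor and/or ARO the
    control is expected to leave. A positive result means the control pays
    for itself; a negative one means it costs more than the risk it removes,
    which is the slide's 'expenditure commensurate with risk' test.
    """
    return (annualised_loss_expectancy(before)
            - annualised_loss_expectancy(after)
            - annual_control_cost)


# Constructed sample scenarios for a small web-facing customer database.
CUSTOMER_DB_BREACH = Scenario(
    asset="customer database", threat="external breach (loss of confidentiality)",
    asset_value=2_000_000.0, exposure_factor=0.25, aro=0.1)

# The same scenario as the analyst expects it to look with a control
# (e.g. encryption at rest plus monitoring) in place: smaller exposure, lower rate.
CUSTOMER_DB_BREACH_CONTROLLED = Scenario(
    asset=CUSTOMER_DB_BREACH.asset, threat=CUSTOMER_DB_BREACH.threat,
    asset_value=CUSTOMER_DB_BREACH.asset_value, exposure_factor=0.10, aro=0.05)

DATACENTRE_FLOOD = Scenario(
    asset="on-premises server room", threat="flood (loss of availability)",
    asset_value=500_000.0, exposure_factor=0.8, aro=0.01)


def rank_by_ale(scenarios: list) -> list:
    """Order scenarios by ALE, highest first, to prioritise where controls go."""
    ranked = sorted(scenarios, key=annualised_loss_expectancy, reverse=True)
    return [(f"{s.asset} / {s.threat}", annualised_loss_expectancy(s)) for s in ranked]


if __name__ == "__main__":
    for name, ale in rank_by_ale([CUSTOMER_DB_BREACH, DATACENTRE_FLOOD]):
        print(f"{name}: ALE = {ale:,.0f}")
    net = control_benefit(CUSTOMER_DB_BREACH, CUSTOMER_DB_BREACH_CONTROLLED, 30_000.0)
    print(f"net annual benefit of control: {net:,.0f}")
```

With these sample figures the customer-database breach ranks first with an ALE of 50,000; the control brings that down to 10,000 and costs 30,000 a year, so its net annual benefit is 10,000. The slide's warning about imprecise probabilities shows up as soon as the ARO is varied: with a breach rate of 0.05 instead of 0.1 the same control has a net benefit of minus 15,000 and the decision flips.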

Page 10:

Risk Management Approaches

• Knowledge-Based Approach:

– based on reusing "best practice" from similar systems

– obsolete

• Model-Based Approach:

– based on object-oriented (OO) modelling

– describes the target of assessment at the right level of abstraction

– brings together all stakeholders

Page 11:

Problems of Measuring Risk

• Businesses wish to measure in money, but many of the entities don't permit this:

– Valuation of assets

• Value of data and in-house software: no market value

• Value of goodwill and customer confidence

– Likelihood of threats

• How relevant is past data to the calculation of future probabilities?

• The nature of future attacks is unpredictable

• The actions of future attackers are unpredictable

– Measurement of the benefit from security measures

Page 12:

Risk vs Threat

• Reference point

– Risk: you examine the system

– Threat: you examine the environment around it

• Impact

– Sometimes a major threat may correspond, in the context of the business, to a minor risk

• Relationship

– Risks and threats do not have a one-to-one relationship. Some threats may contribute to more than one risk, and some risks have properties that are not directly related to individual threats.

Page 13:

Risk Analysis Framework

Analysis: Assets + Threats + Vulnerabilities → Risks

Control: Risks → Security Measures

Page 14:

Goals of Risk Analysis

• All assets have been identified

• All threats have been identified

– Their impact on assets has been valued

• All vulnerabilities have been identified and assessed

Page 15:

Risk Analysis Steps

1. Decide on the scope of the analysis – set the system boundary

2. Identification of assets and business processes

3. Identification of threats and valuation of their impact on assets

4. Identification and assessment of vulnerabilities to threats

5. Risk assessment

Page 16:

1. Risk Analysis – Defining the Scope

• Draw a context diagram

• Decide on the boundary

– It will rarely be the computer!

• Make explicit assumptions about the security of neighbouring domains

– Verify them!

Page 17:

2. Risk Analysis – Identification of Assets

• Hardware

• Software: purchased or developed programs

• Data

• Users

• Documentation: manuals, admin procedures

• Supplies: paper, printer cartridges, pens, etc.

• Money

• Intangibles

– Goodwill

– Reputation

Page 18:

3. Risk Analysis – Impact Valuation

Identification and valuation of threats to assets

• Identify threats, e.g. for stored data:

– Loss of confidentiality

– Loss of integrity

– Loss of completeness

– Loss of availability (denial of service)

• For many asset types the only threat is loss of availability

• Assess the impact of each threat in levels, e.g. H-M-L

– This gives the valuation of the asset in the face of that threat

Page 19:

4. Risk Analysis – Process Analysis

• Every company or organisation has some processes that are critical to its operation

• The criticality of a process may increase the impact valuation of one or more of the assets identified

So:

• Identify critical processes

• Review the assets needed for critical processes

• Revise the impact valuation of these assets

Page 20:

5. Risk Analysis – Vulnerabilities 1

• Identify vulnerabilities against a baseline system

– For risk analysis of an existing system:

• the existing system with its known security measures and weaknesses

– For development of a new system:

• the security facilities of the envisaged software, e.g. Windows NT

• standard good practice, e.g. the BS 7799 recommendations of good practice (now ISO/IEC 27002)

Page 21:

5. Risk Analysis – Vulnerabilities 2

• For each threat:

– Identify vulnerabilities

• the means by which the threat could be realised successfully

– Assess levels of likelihood (High, Medium, Low):

• of an attempt

– expensive attacks are less likely (e.g. brute-force attacks on encryption keys)

• of successful exploitation of the vulnerability

– Combine them

Page 22:

6. Risk Assessment & Response

• You should now have all the information needed to produce the risk assessment

• Responses to risk:

– Avoid it completely by withdrawing from the activity

– Accept it and do nothing

– Reduce it with security measures

Page 23:

Example

• Asset:

– Internal mailbox of Bill Gates

• Risk impact estimate examples:

– Risk of loss: Medium impact

– Risk of access by staff: High impact

– Risk of access by the press: Catastrophic impact

– Risk of access by a competitor: High impact

– Risk of temporary no access by Bill: Low impact

– Risk of change of content: Medium impact
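The steps on slides 15 to 22 carried through for the mailbox example on slide 23, as an added example that is not part of the original slides. The impact levels are the ones the slide gives; the likelihood-of-attempt and likelihood-of-success levels are constructed, since the slide does not state them. The slides say only "combine them", so two rules here are assumptions: the exploitation likelihood is taken as the lower of attempt and success (an attack must both be tried and succeed), and the risk score is ordinal likelihood multiplied by ordinal impact, banded into levels that map onto the three responses on slide 22. Class and function names are this example's own.

```python
"""Qualitative risk assessment: the slides' steps applied to one asset.

Added example, not part of the original slides. Impact levels come from the
slides' mailbox example; the likelihood levels are constructed. The slides say
'combine them' without fixing a rule, so two rules below are assumptions:
exploitation likelihood = the lower of (likelihood of attempt, likelihood of
success), and risk score = ordinal likelihood x ordinal impact.
"""
from dataclasses import dataclass

# Ordinal scales. Impact has a fourth band because the slide example uses 'Catastrophic'.
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Catastrophic": 4}


@dataclass(frozen=True)
class ThreatEntry:
    threat: str
    impact: str    # from the impact valuation step (slides 18 and 23)
    attempt: str   # likelihood that an attacker tries (slide 21)
    success: str   # likelihood that the attempt succeeds against current controls


def exploitation_likelihood(attempt: str, success: str) -> str:
    """Combine likelihood of attempt with likelihood of success (assumption: take the lower)."""
    level = min(LIKELIHOOD[attempt], LIKELIHOOD[success])
    return next(name for name, value in LIKELIHOOD.items() if value == level)


def risk_score(entry: ThreatEntry) -> int:
    """Ordinal likelihood x ordinal impact, range 1..12."""
    return LIKELIHOOD[exploitation_likelihood(entry.attempt, entry.success)] * IMPACT[entry.impact]


def risk_level(score: int) -> str:
    """Band the score; the thresholds are an assumption for this example."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def response(level: str) -> str:
    """Map the risk level onto the slide's three responses: avoid, accept, reduce."""
    return {
        "Critical": "reduce with security measures, or avoid the activity",
        "High": "reduce with security measures",
        "Medium": "reduce if a cheap measure exists, otherwise accept",
        "Low": "accept",
    }[level]


# Impact levels from the slides' mailbox example; likelihood levels are constructed.
MAILBOX_REGISTER = [
    ThreatEntry("loss of mailbox", "Medium", attempt="Low", success="Medium"),
    ThreatEntry("access by staff", "High", attempt="High", success="Medium"),
    ThreatEntry("access by press", "Catastrophic", attempt="Medium", success="Low"),
    ThreatEntry("access by a competitor", "High", attempt="Medium", success="Low"),
    ThreatEntry("temporary no access by owner", "Low", attempt="High", success="High"),
    ThreatEntry("change of content", "Medium", attempt="Low", success="Low"),
]


def assess(register: list) -> list:
    """Return (threat, score, level, response) rows, highest risk first."""
    rows = []
    for entry in register:
        score = risk_score(entry)
        level = risk_level(score)
        rows.append((entry.threat, score, level, response(level)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for threat, score, level, action in assess(MAILBOX_REGISTER):
        print(f"{score:2d} {level:8s} {threat}: {action}")
```

The ranking makes the point from slide 12 concrete: access by the press carries the catastrophic impact, but with a low chance of success it scores 4 (Medium) and sits below access by staff, which scores 6 (High) on a lower impact and a higher likelihood. The thresholds in risk_level are where the organisation's risk appetite lives; they are the part of a qualitative scheme that should be agreed with stakeholders rather than tuned by the analyst.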

Page 24:

Some examples of UK real-life risks

• Chances are your death will be by:

– being shot by a stranger… 1 in 22,500

– drowning in the bath… 1 in 17,500

– plane crash… 1 in 800,000

– car accident… 1 in 300

– suicide… 1 in 160

– accidental fall… 1 in 150

– cancer… 1 in 4

• This year in England and Wales:

– 130,000 will die of heart disease

– 24 due to adverse weather conditions

– 1 from lightning

Page 25:

Page 26:

Questions

