
INFORMATION SECURITY MANAGEMENT - LECTURE 7: RISK MANAGEMENT - IDENTIFYING AND ASSESSING RISK

Date post: 02-Jan-2016
Upload: damian-hancock
Transcript

INFORMATION SECURITY MANAGEMENT

LECTURE 7: RISK MANAGEMENT
IDENTIFYING AND ASSESSING RISK

You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Introduction

• Information security departments are created primarily to manage IT risk

• In any well-developed risk management program, two formal processes are at work
  – Risk identification and assessment
  – Risk control

Risk Management

“The process of determining the maximum acceptable level of overall risk to and from a proposed activity, then using risk assessment techniques to determine the initial level of risk and, if this is excessive, developing a strategy to ameliorate appropriate individual risks until the overall level of risk is reduced to an acceptable level.”

Knowing Yourself & The Enemy

• Identifying, examining and understanding the information and how it is processed, stored, and transmitted

• Identifying, examining, and understanding the threats facing the organization’s information assets

Communities of Interest: All Play a Role

• Information Security

• Information Technology

• Management and Users

Risk Terminology

• Asset & Asset valuation
• Threat
• Vulnerability
• Exposure
• Risk

Risk Terminology

Asset Identification

• Identify the organization’s information assets
• Inventory: software/hardware, and networking elements
  – More easily tracked (automated inventory system)
• People, procedures, data and information
  – May take more time / ongoing

Creating an Inventory of Information Assets

• Determine which attributes of each information asset should be tracked

• Potential asset attributes
  – Name, IP address
  – MAC address, asset type
  – Physical location, logical location
  – Controlling entity

Creating an Inventory of Information Assets (cont’d.)

• Identifying people, procedures and data assets

• Sample attributes
  – People: position name/number/ID
  – Procedures: description/intended purpose
  – Data: classification & owner/creator/manager

Asset: Classifying and Categorizing

• Determine whether the asset categories are meaningful

• Inventory should also reflect each asset’s sensitivity and security priority

• Classification categories must be comprehensive and mutually exclusive
• Not one schema for all assets

Asset Valuation

• Assign a relative value:
  – As each information asset is identified, categorized, and classified

Goal: assign value to encompass both tangible and intangible costs

Importance of Assets

• List the assets in order of importance
• Achieved by using a weighted factor analysis worksheet

Risk Terminology

Threat Identification

• Any organization typically faces a wide variety of threats

Threat Assessment

• Each threat presents a unique challenge to information security

• Each must be further examined to determine its potential to affect the targeted information asset

Threat Identification (cont’d.)

Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security.

Communications of the ACM, August 2003. Reprinted with permission.

Weighted ranks of threats to information security

Vulnerability Assessment

• Vulnerability Assessment
  – Review every information asset for each threat

– Leads to the creation of a list of vulnerabilities that remain potential risks to the organization

• Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset

Vulnerability Assessment

Management of Information Security, 3rd ed. Table 8-4 Vulnerability assessment of a DMZ router

Source: Course Technology/Cengage Learning

The TVA Worksheet (cont’d.)

Table 8-5 Sample TVA spreadsheet

Source: Course Technology/Cengage Learning

Introduction to Risk Assessment

• The goal is to create a method to evaluate the relative risk of each listed vulnerability

Figure 8-3 Risk identification estimate factors

Source: Course Technology/Cengage Learning

Likelihood

• The overall rating of the probability that a specific vulnerability will be exploited

• Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset

Percentage of Risk Mitigated by Current Controls

• If a vulnerability is fully managed by an existing control, it can be set aside

• If it is partially controlled, estimate what percentage of the vulnerability has been controlled

Uncertainty

• It is not possible to know everything about every vulnerability

• The degree to which a current control can reduce risk is also subject to estimation error

• Uncertainty is an estimate made by the manager using judgment and experience

Risk Determination – Example 1

Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate.

Risk Determination – Example 2

Asset B has a value of 100 and has two vulnerabilities:

• Vulnerability #1 has a likelihood of 0.5 with a current control that addresses 50% of its risk
• Vulnerability #2 has a likelihood of 0.1 with no current controls

Your assumptions and data are 80% accurate
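The two examples above give the inputs but the slides do not print the formula they are worked with. The following is an added example, not code from the lecture; it implements the risk determination formula from Management of Information Security (Whitman & Mattord), the text these slides cite: risk = (likelihood x asset value), minus the percentage of that product already mitigated by current controls, plus a percentage of it for uncertainty. Treating Examples 1 and 2 as exercises in that formula is this example's assumption, as are the names `Vulnerability`, `risk_rating` and `ranked_worksheet`.

```python
"""Risk rating worksheet for the lecture's two risk determination examples.

Added example, not code from the lecture slides. The formula is the risk
determination formula from Management of Information Security (Whitman &
Mattord), the text the slides cite:

    risk = (likelihood x asset value)
           - (percentage of that product already mitigated by current controls)
           + (percentage of that product added for uncertainty)

Applying it to the slides' Examples 1 and 2 is this example's assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float       # probability the vulnerability is exploited, 0.0 to 1.0
    mitigated: float = 0.0  # fraction of the risk removed by current controls, 0.0 to 1.0


def risk_rating(asset_value: float, vuln: Vulnerability, accuracy: float) -> float:
    """Risk rating for one asset/vulnerability pair.

    accuracy is how accurate the assumptions and data are (0.9 means 90%);
    its complement is the uncertainty, added back as a percentage of the base risk.
    """
    for label, value in (("likelihood", vuln.likelihood),
                         ("mitigated", vuln.mitigated),
                         ("accuracy", accuracy)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{label} must be between 0.0 and 1.0, got {value}")
    base = asset_value * vuln.likelihood
    uncertainty = 1.0 - accuracy
    return base - base * vuln.mitigated + base * uncertainty


def ranked_worksheet(assets):
    """Build a ranked vulnerability risk worksheet.

    assets is a list of (asset_name, asset_value, accuracy, [Vulnerability, ...]).
    Returns (asset_name, vulnerability_name, rating) rows, highest rating first,
    so the rows at the top are the ones to address first in risk control.
    """
    rows = []
    for asset_name, asset_value, accuracy, vulns in assets:
        for v in vulns:
            rows.append((asset_name, v.name,
                         round(risk_rating(asset_value, v, accuracy), 2)))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# The lecture's two examples, as stated on the slides.
EXAMPLE_ASSETS = [
    ("Asset A", 50, 0.9, [Vulnerability("vulnerability #1", likelihood=1.0)]),
    ("Asset B", 100, 0.8, [Vulnerability("vulnerability #1", likelihood=0.5, mitigated=0.5),
                           Vulnerability("vulnerability #2", likelihood=0.1)]),
]

if __name__ == "__main__":
    for asset_name, vuln_name, rating in ranked_worksheet(EXAMPLE_ASSETS):
        print(f"{asset_name:8} {vuln_name:18} risk rating = {rating}")
```

With these inputs Asset A's single vulnerability rates 55 (50 x 1.0, nothing mitigated, plus 10% for uncertainty), and Asset B's two vulnerabilities rate 35 and 12, which is the order in which a risk control effort would take them up. The range checks matter in practice: a likelihood or control percentage typed as 50 instead of 0.5 silently distorts the whole ranking.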

Example of Qualitative Risk Assessment

Threat              Impact   Initial Probability   Countermeasure                     Residual Probability
Flood damage        H        L                     Water alarms                       L
Theft               H        L                     Key cards, surveillance, guards    L
Logical intrusion   H        M                     Intrusion prevention system        L

Quantitative Risk Assessment

Extension of a qualitative risk assessment. Metrics for each risk are:

• Asset value: replacement cost and/or income derived through the use of an asset
• Exposure Factor (EF): portion of the asset's value lost through a threat (also called impact)
• Single Loss Expectancy (SLE) = Asset value ($) x EF (%)

Quantitative Risk Assessment

Metrics (cont.)

• Annualized Rate of Occurrence (ARO): probability of loss in a year, %
• Annual Loss Expectancy (ALE) = SLE x ARO

Example of Quantitative Risk Assessment

Theft of a laptop computer, with the data encrypted

• Asset value: $4,000
• Exposure factor ?
• SLE, ARO, ALE ?

Example of Quantitative Risk Assessment

Dropping a laptop computer and breaking the screen

• Asset value: $4,000
• Exposure factor ?
• SLE, ARO, ALE ?
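The two laptop scenarios are left as questions on the slides. As an added example (not code from the lecture), the calculator below implements the SLE and ALE formulas the slides state and runs them over both scenarios. The asset value is the slides' $4,000; the exposure factors and annualized rates of occurrence are constructed, clearly labelled assumptions, not the lecture's answers, and the `Scenario`, `assess` and `safeguard_value` names are this example's own. The closing safeguard cost/benefit step goes beyond the slides: it shows the usual reason ALE is computed at all, namely to compare the yearly loss a control avoids against what the control costs.

```python
"""SLE, ARO and ALE calculator for the lecture's two laptop scenarios.

Added example, not code from the lecture slides. It implements the two
formulas the slides state:

    SLE = asset value x exposure factor (EF)
    ALE = SLE x ARO

The slides leave the exposure factors and rates of occurrence as open
questions; the EF and ARO values in SCENARIOS below are constructed,
illustrative assumptions, not the lecture's answers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset_value: float      # replacement cost and/or income derived from the asset, in $
    exposure_factor: float  # fraction of the asset value lost in one occurrence, 0.0 to 1.0
    aro: float              # annualized rate of occurrence (0.1 = once in ten years, 2.0 = twice a year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF: the dollar loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0.0 and 1.0, got {exposure_factor}")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected dollar loss per year."""
    if aro < 0.0:
        raise ValueError(f"ARO cannot be negative, got {aro}")
    return sle * aro


def assess(scenario: Scenario) -> dict:
    """Return the quantitative metrics for one scenario."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return {"threat": scenario.threat,
            "sle": sle,
            "aro": scenario.aro,
            "ale": annual_loss_expectancy(sle, scenario.aro)}


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Net annual value of a safeguard: ALE reduction minus its yearly cost.

    A positive result means the safeguard pays for itself. This cost/benefit
    step is a common use of the ALE metric, not something the slides cover.
    """
    return (ale_before - ale_after) - annual_safeguard_cost


# Constructed assumptions for the two lecture scenarios (the asset value is from the slides).
SCENARIOS = [
    # Encryption protects the data, so the assumed loss is the hardware itself (EF = 1.0).
    Scenario("Theft of an encrypted laptop", asset_value=4_000, exposure_factor=1.0, aro=0.1),
    # Only the screen needs replacing; 25% of the asset value is an assumed repair cost.
    Scenario("Laptop dropped, screen broken", asset_value=4_000, exposure_factor=0.25, aro=0.5),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        m = assess(s)
        print(f"{m['threat']}: SLE=${m['sle']:,.0f} ARO={m['aro']} ALE=${m['ale']:,.0f}")
    # Constructed: a $150/year laptop lock halves the assumed theft ARO.
    theft = assess(SCENARIOS[0])
    locked = assess(Scenario(theft["threat"], 4_000, 1.0, aro=0.05))
    print(f"lock net value: ${safeguard_value(theft['ale'], locked['ale'], 150):,.0f}")
```

Under the assumed values the theft scenario has an SLE of $4,000 and an ALE of $400, and the dropped laptop an SLE of $1,000 and an ALE of $500: the cheaper event dominates the yearly loss because it happens more often, which is exactly the point of weighting SLE by ARO. Note that the encrypted-data assumption is what keeps the theft EF at the hardware value; without encryption the exposure factor would have to include the data.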

