
CSE 3482

Introduction to Computer Security

Security
Risk Management

Instructor: Prof. P. Madani, Winter 2022


Credit: Prof. N. Vlajic
Required Reading

Computer Security, Stallings: Section 14.3 & 14.4


Learning Objectives

Upon completion of this material, you should be able to:


• Define risk management and its role in an organization.
• Use risk management techniques to identify and
prioritize risk factors for information assets.
• Assess risk based on the likelihood of adverse events and
the effect on information assets when events occur.
• Document the results of risk identification.
• Detail risk treatment alternatives.
True Story
A company suffered a catastrophic
loss one night when its office burned
to the ground.
As the employees gathered around the charred remains
the next morning, the president asked the secretary if
she had been performing the daily computer backups.
To his relief she replied that yes, each day before she went
home she backed up all of the financial information,
invoices, orders ...
The president then asked the secretary to retrieve the
backup so they could begin to determine their current
financial status.
“Well”, the secretary said, “I guess I cannot do that. You
see, I put those backups in the desk drawer next to the
computer in the office.”
M. Ciampa, “Security+ Guide to Network Sec. Fundamentals”, 3rd Edition, pp. 303
Introduction

“Investing in stocks carries a risk …”

“Bad hand hygiene (not washing hands) carries a risk …”

“Car speeding carries a risk …”

“Outdated (not updated) anti-virus software carries a risk …”
Definition of Risk
• Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)

• Risk Management – identification, assessment, and prioritization of risks, followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
³ examples: finances, industrial processes, public health and safety, insurance, etc.
³ one of the key responsibilities of every manager within an organization
http://en.wikipedia.org/wiki/Risk_management
Risk in Information Security
• Risks in Info. Security – risks which arise from an
organization’s use of info. technology (IT)
³ related concepts: asset, vulnerability, threat

http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
Risk in Information Security (cont.)
• Asset – anything that needs to be protected because it has value and/or contributes to the successful achievement of the organization’s objectives

• Threat – any circumstance or event with the potential to cause harm to an asset and/or result in harm to the organization

• Vulnerability – a weakness in an asset that can be exploited by a threat

• Risk – probability of a threat acting upon a vulnerability, causing harm to an asset
Risk in Information Security (cont.)
• Interplay between Risk & other Info. Sec. Concepts
http://blog.patriot-tech.com/
Risk in Information Security (cont.)
• Asset, Threat, Vulnerability & Risk in Info. Sec.
http://en.wikipedia.org/wiki/File:2010-T10-ArchitectureDiagram.png
Risk in Information Security (cont.)
• Key Risk-Related Question: Which vulnerabilities, in which assets, should we worry about (i.e., remove)?

[Figure: Asset 1 with vulnerabilities 1 … n; Threats shown as pairs Agent 1 … m / Event 1 … k acting on them]
Security Risk Management
• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
³ two major sub-processes: Risk Identification & Assessment, and Risk Control (Mitigation)

[Figure: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks]
Security Risk Management (cont.)

Risk Management
³ Risk Identification
Ø Identify & Prioritize Assets
Ø Identify & Prioritize Threats
Ø Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
³ Risk Assessment
Ø Calculate Relative Risk of Each Vulnerability
³ Risk Control
Ø Cost-Benefit Analysis
Ø Avoid / Control / Transfer / Mitigate / Accept
Risk Identification
Risk Identification:
Asset Inventory
Risk Identification: Asset Inventory

• Risk identification begins with identification of all information assets, including:

³ No prejudging of asset values should be done at this stage – values are assigned later!
Risk Identification: Asset Inventory (cont.)

• Identifying Hardware, Software & Networking Assets
³ Can be done automatically (using specialized software) or manually.
³ Needs certain planning – e.g. which attributes of each asset should be tracked, such as:
Ø name – tip: naming should not convey critical info to potential attackers
Ø asset tag – unique number assigned during acquisition process
Ø IP address
Ø MAC address
Ø software version
Ø serial number
Ø manufacturer name
Ø manufacturer model or part number
Risk Identification: Asset Inventory (cont.)

Example: Network Asset Tracker

http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
³ Not as readily identifiable as other assets – require that
experience and judgment be used.
³ Possible attributes:
Ø people – avoid personal names, as they may change, use:
* position name
* position number/ID
* computer/network access privileges
Ø procedures
* description
* intended purpose
* software/hardware/networking elements to which it is tied
* location of reference-document, …
Ø data
* owner
* creator
* manager
* location, …
Risk Identification:
Asset Ranking/Prioritization
Risk Identification: Asset Ranking

• Assets should be ranked so that the most valuable assets get the highest priority when managing risks.

³ Questions to consider when determining asset value/rank:

1) Which info. asset is most critical to the overall success of the organization?

Example: Amazon’s asset ranking

Amazon’s network consists of regular desktops and web servers.
Web servers that advertise the company’s products and receive orders 24/7 – critical.
Desktops used by the customer service department – not so critical.
Risk Identification: Asset Ranking (cont.)

2) Which info. asset generates the most revenue?

3) Which info. asset generates the highest profitability?

Example: Amazon’s asset ranking

At Amazon.com, some servers support book sales (resulting in the highest revenue), while others support sales of beauty products (resulting in the highest profit).

4) Which info. asset is most expensive to replace?

5) Which info. asset’s loss or compromise would be most embarrassing or cause the greatest liability?
Risk Identification: Asset Ranking (cont.)

Example: Weighted asset ranking (NIST SP 800-30)

Not all asset ranking questions/categories may be equally important to the company.
A weighting scheme could be used to account for this …
Each criterion is assigned a weight (0 – 100); the weights must total 100!
Each asset is assigned a score (0.1 – 1.0) for each critical factor.

[Figure: weighted asset worksheet, with a “Data asset / information transmitted” column]
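A worked version of the weighted worksheet, added here as an illustration (not from the slides or NIST SP 800-30): it validates that the weights total 100 and the scores lie in 0.1 – 1.0, computes each asset’s weighted score and ranks the assets. The five criteria follow the ranking questions above; the weights and asset scores are constructed for the example.

```python
"""Weighted asset-ranking worksheet (added example, not from the slides).

Assumptions (constructed for this illustration): the five ranking questions
from the slides are the criteria; each criterion carries a weight in 0..100
with all weights totalling 100; each asset is scored 0.1..1.0 per criterion.
The weighted score is sum(weight * score), so it lies between 10 and 100.
"""

CRITERIA = (
    "critical_to_success",  # Q1: most critical to the organization's success?
    "revenue",              # Q2: generates the most revenue?
    "profitability",        # Q3: generates the highest profitability?
    "replacement_cost",     # Q4: most expensive to replace?
    "liability",            # Q5: loss most embarrassing / greatest liability?
)


def weights_are_valid(weights: dict[str, float]) -> bool:
    """Every criterion weighted, each weight in 0..100, total exactly 100."""
    if set(weights) != set(CRITERIA):
        return False
    if any(w < 0 or w > 100 for w in weights.values()):
        return False
    return abs(sum(weights.values()) - 100.0) < 1e-9


def scores_are_valid(scores: dict[str, float]) -> bool:
    """Every criterion scored, each score within the 0.1..1.0 range."""
    if set(scores) != set(CRITERIA):
        return False
    return all(0.1 <= s <= 1.0 for s in scores.values())


def weighted_score(weights: dict[str, float], scores: dict[str, float]) -> float:
    """Weighted score = sum over criteria of weight * score (rounded to 2 dp)."""
    if not weights_are_valid(weights):
        raise ValueError("weights must cover all criteria and total 100")
    if not scores_are_valid(scores):
        raise ValueError("scores must cover all criteria and lie in 0.1..1.0")
    return round(sum(weights[c] * scores[c] for c in CRITERIA), 2)


def rank_assets(weights: dict[str, float],
                assets: dict[str, dict[str, float]]) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, most valuable asset first."""
    ranked = [(name, weighted_score(weights, s)) for name, s in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed weights: criticality and revenue matter most to this company.
WEIGHTS = {"critical_to_success": 30, "revenue": 25, "profitability": 20,
           "replacement_cost": 10, "liability": 15}

# Constructed scores, modelled on the Amazon example in the slides.
ASSETS = {
    "order database": {"critical_to_success": 1.0, "revenue": 0.9,
                       "profitability": 0.9, "replacement_cost": 0.8,
                       "liability": 1.0},
    "public web server": {"critical_to_success": 1.0, "revenue": 1.0,
                          "profitability": 0.8, "replacement_cost": 0.6,
                          "liability": 0.9},
    "customer-service desktop": {"critical_to_success": 0.3, "revenue": 0.2,
                                 "profitability": 0.2, "replacement_cost": 0.1,
                                 "liability": 0.5},
}

if __name__ == "__main__":
    for name, score in rank_assets(WEIGHTS, ASSETS):
        print(f"{score:6.1f}  {name}")
```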
Risk Identification:
Threat Identification
& Prioritization
Risk Identification: Threat Identification

• Now that assets are known, we should see if threats to those assets exist …

[Figure: Asset 1 with vulnerabilities 1 … n; Threats shown as pairs Agent 1 … m / Event 1 … k acting on them]
Risk Identification: Threat Identification

• Any organization faces a wide variety of threats.

• To keep risk management ‘manageable’ …
³ realistic threats must be identified and further investigated, while unimportant threats should be set aside

Example: CSI/FBI survey of types of threats/attacks [figure]
Risk Identification: Threat Identification

Example: PwC Report “US Cybercrime: Rising Risks, Reduced Readiness” (2014)
http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf

Significant Detected Incidents Across Industries: [figure]
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage [attacker-, system-, or asset-centric]

³ Attacker-centric – starts from the attackers, evaluates their motivations and goals, and how they might achieve them through an attack tree.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment
³ System-centric – starts from model of system, and
attempts to follow model dynamics and logic, looking
for types of attacks against each element of the model.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)

• Threat Modeling/Assessment
³ Asset-centric – starts from assets entrusted to a system,
such as a collection of sensitive personal information, and
attempts to identify how CIA security breaches can happen.

http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Prioritization

• Questions used to prioritize threats:

³ Which threats present a danger to the organization’s assets in its current environment? (‘pre-step’)
Ø Goal: reduce the risk management’s scope and cost.
Ø Examine each category from the CSI/FBI list, or as identified through the threat assessment process, and eliminate any that do not apply to your organization.

³ Which threats represent the most danger … ?
Ø Goal: provide a rough assessment of each threat’s potential impact given the current level of the organization’s preparedness.
Ø ‘Danger’ might be a measure of:
1) probability that the threat attacks the organization
2) severity, i.e. overall damage that the threat could create
Risk Identification: Threat Prioritization (cont.)

• Other questions used to assess/prioritize threats:
³ How much would it cost to recover from a successful attack?
³ Which threats would require the greatest expenditure to prevent?

• Threat ranking can be quantitative or qualitative.

• Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.
Risk Identification:
Vulnerability Analysis
Vulnerability Analysis

• Vulnerability – flaw or weakness in an info. asset, its design, implementation or security procedure that can be exploited accidentally or deliberately by a threat
³ a known threat is a real ‘threat’ to an organization only if there is an actual vulnerability it can exploit
³ sheer existence of a vulnerability does not mean harm WILL be caused – a threat agent is required
³ vulnerability that is easy to exploit is often a high-danger vulnerability

[Figure: Asset – Vulnerability – Threat triangle]
Vulnerability Analysis (cont.)

• TVA Worksheet – at the end of the risk identification procedure, the organization should derive a threats-vulnerabilities-assets (TVA) worksheet
³ this worksheet is a starting point for the risk assessment phase
³ TVA worksheet combines the prioritized lists of assets and threats
Ø prioritized list of assets is placed on the x-axis, with the most important assets on the left
Ø prioritized list of threats is placed on the y-axis, with the most dangerous threats at the top
Ø resulting grid enables a simplified priority-based vulnerability assessment
Vulnerability Analysis (cont.)
If multiple vulnerabilities exist between T1 & A1, they can be categorized:
T1V1A1 – Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1 – Vulnerability 2 that exists between Threat 1 and Asset 1, …

If the intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.
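The TVA grid described above, built and printed by code added here as an illustration (not from the slides): assets run along the x-axis in priority order, threats down the y-axis, each cell carries its TiVkAj labels and an empty cell is crossed out. The asset names, threat names and vulnerability descriptions are constructed sample data.

```python
"""TVA (threats-vulnerabilities-assets) worksheet builder: an added example,
not from the slides. Assumptions: the asset and threat lists arrive already
prioritized (most important asset first, most dangerous threat first);
vulnerabilities are recorded as (threat, asset, description) triples; labels
follow the slides' T<i>V<k>A<j> scheme and an empty cell is crossed out with
"X". All sample data below is constructed.
"""


def build_tva(assets, threats, vulnerabilities):
    """Return {(threat, asset): [(label, description), ...]} for every grid cell.

    i and j are the 1-based positions of the threat and asset in the
    prioritized lists; k numbers the vulnerabilities within one cell.
    """
    cells = {(t, a): [] for t in threats for a in assets}
    for threat, asset, description in vulnerabilities:
        if (threat, asset) not in cells:
            raise KeyError(f"unknown threat/asset pair: {threat!r} / {asset!r}")
        cells[(threat, asset)].append(description)
    tva = {}
    for (threat, asset), descriptions in cells.items():
        i = threats.index(threat) + 1
        j = assets.index(asset) + 1
        tva[(threat, asset)] = [
            (f"T{i}V{k}A{j}", d) for k, d in enumerate(descriptions, start=1)
        ]
    return tva


def render_tva(assets, threats, tva, crossed="X"):
    """Text grid: assets across the top (x-axis), threats down the side
    (y-axis); each cell lists its labels, or the cross-out mark if empty."""
    text = {key: ", ".join(lbl for lbl, _ in cell) or crossed
            for key, cell in tva.items()}
    col_w = {a: max([len(a)] + [len(text[(t, a)]) for t in threats]) for a in assets}
    corner = "Threat \\ Asset"
    row_w = max([len(corner)] + [len(t) for t in threats])
    header = corner.ljust(row_w) + " | " + " | ".join(a.ljust(col_w[a]) for a in assets)
    lines = [header, "-" * len(header)]
    for t in threats:
        row = " | ".join(text[(t, a)].ljust(col_w[a]) for a in assets)
        lines.append(t.ljust(row_w) + " | " + row)
    return "\n".join(lines)


def assessment_order(assets, threats, tva):
    """Labels in the priority order the grid suggests: row by row from the
    most dangerous threat, and within a row from the most important asset."""
    return [lbl for t in threats for a in assets for lbl, _ in tva[(t, a)]]


# Constructed example, reusing vulnerabilities mentioned in the slides.
ASSETS = ["web server", "order database", "customer-service desktop"]
THREATS = ["deliberate software attack", "act of human error or failure",
           "forces of nature"]
VULNERABILITIES = [
    ("deliberate software attack", "web server",
     "antivirus signatures not up-to-date"),
    ("deliberate software attack", "web server",
     "NIC saturates at 50 Mbps under a packet flood"),
    ("deliberate software attack", "customer-service desktop",
     "staff open suspicious e-mail attachments"),
    ("act of human error or failure", "order database",
     "backups kept in a drawer next to the server"),
    ("forces of nature", "web server",
     "server room temperature control inadequate"),
]

if __name__ == "__main__":
    worksheet = build_tva(ASSETS, THREATS, VULNERABILITIES)
    print(render_tva(ASSETS, THREATS, worksheet))
    print("assess in order:", assessment_order(ASSETS, THREATS, worksheet))
```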
Vulnerability Analysis (cont.)

Example: Vulnerability assessment of critical files

³ Asset: desktop (files) on a particular computer/workstation
³ Vulnerabilities:
Ø people open suspicious e-mail attachments and/or copy files off USBs [procedural weakness]
Ø antivirus software not up-to-date [procedural weakness]
³ Threat: Deliberate Software Attack – Virus Attack


Vulnerability Analysis (cont.)

Example: Vulnerability assessment of critical files

³ Asset: server
³ Vulnerabilities:
Ø NIC can support data-rates of up to 50 Mbps [design weakness]
Ø CPU ‘freezes’ at 10,000 packets/sec [design/implementation flaw]
³ Threat: DDoS Attack


Vulnerability Analysis (cont.)

Example: Vulnerability assessment of a router

³ Asset: router
³ Vulnerabilities:
Ø temperature control in the router/server room is not adequate ⇒ router overheats and shuts down [design and implementation weakness]
Ø net. administrator allows access to an unauthorized user ⇒ unauthorized user uploads a virus, router crashes [procedural weakness]
³ Threat: Act of Human Error or Failure


Vulnerability Analysis (cont.)

Example: Vulnerability assessment of a DMZ router [figure; the DMZ router is the asset]
Risk Assessment
Risk Assessment

• Summary of Vulnerability Analysis

[Figure: Asset – Vulnerability – Threat]
³ Asset: People, Procedure, Data, Software, Hardware, Networking, etc.
³ Vulnerability: flaw or weakness in the asset’s design, implementation, or security procedure
³ Threat: exploits the vulnerability and causes damage (loss) to the asset; threat categories include act of human error or failure, deliberate act of trespass, deliberate act of extortion, deliberate act of sabotage, deliberate software attacks, technical software failures, technical hardware failures, forces of nature
Risk Assessment (cont.)

• Risk Assessment – provides relative numerical risk ratings (scores) to each vulnerability
³ in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
• (Security) Risk – quantifies:
1) possibility that a threat successfully acts upon a vulnerability and
2) how severe the consequences would be

R = P × V
³ P = probability of threat-event occurrence
³ V = value lost / cost to organization
Risk Assessment (cont.)
[Figure: weighted asset worksheet] The weighted score indicates the relative importance (associated loss) of the given asset. It should be used if concrete $ amounts are not available.
Risk Assessment (cont.)

• Extended Risk Formula v.1.

R = Pa × Ps × V   (Pa × Ps = P)
³ Pa = probability that an attack/threat (against a vulnerability) takes place
³ Ps = probability that the attack successfully exploits the vulnerability

[Figure: Asset – Vulnerability – Threat triangle]
Risk Assessment (cont.)

• Extended Risk Formula v.2.

R = Pa × (1 – Pe) × V   (1 – Pe = Ps)
³ Pe = probability that the system’s security measures effectively protect against the attack (reflection of the system’s security effectiveness)

Ps = probability that the attack is successfully executed; Pe = probability that the attack is NOT successfully executed, i.e. system defences are effective
Risk Assessment (cont.)

• Extended Risk Formula v.2. (cont.)

R = Pa×V – Pa×V×Pe
³ Pa×V = risk if no protection is implemented
³ Pa×V×Pe = risk reduction if measures of effectiveness Pe are implemented
Risk Assessment (cont.)

• Extended Whitman’s Risk Formula *

R = Pa × V – CC × (Pa × V) + UK × (Pa × V)
  = Pa × V × [ 1 – CC + UK ]
LE = Loss Expectancy = Pa × V (i.e. Potential Loss before Control is Applied)

³ Pa = probability that a certain vulnerability (affecting a particular asset) will/could get exploited
³ V = value of information asset ∈ [1, 100]
³ CC = current control = percentage/fraction of risk already mitigated by current control
³ UK = uncertainty of knowledge = fraction of risk that is not fully known
Risk Assessment (cont.)

Example: Risk determination

Asset A (V = 50):
³ Has a value of 50.
³ Has one vulnerability, with a likelihood of 1.0 (Pa = 1).
³ No current control for this vulnerability.
³ Your assumptions and data are 90% accurate.

Asset B (V = 100):
³ Has a value of 100.
³ Has two vulnerabilities:
* vulnerability #2 with a likelihood of 0.5 (Pa = 0.5), and a current control that addresses 50% of its risk;
* vulnerability #3 with a likelihood of 0.1 (Pa = 0.1) and no current controls.
³ Your assumptions and data are 80% accurate.

Which asset/vulnerability should be dealt with first ?!
Risk Assessment (cont.)

Example: Risk determination

The resulting ranked list of risk ratings for the three vulnerabilities is as follows (Pa × V first, then the [1 – CC + UK] factor):

Asset A:
Vulnerability 1 rated as 55 = (1.0 × 50) * (1.0 – 0 + 0.1)

Asset B:
Vulnerability 2 rated as 35 = (0.5 × 100) * (1 – 0.5 + 0.2)

Asset B:
Vulnerability 3 rated as 12 = (0.1 × 100) * (1 – 0 + 0.2)
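The three ratings above, recomputed with the extended Whitman formula in code added here as an illustration (not from the slides): the `Vulnerability` record, the range checks and the `control_needed` helper, which solves the formula for the smallest current-control fraction that would bring a rating down to a given tolerance, are my own additions; the asset values, likelihoods and accuracies are the slides’ example figures.

```python
"""Ranked vulnerability risk worksheet using the extended Whitman formula
R = Pa * V * (1 - CC + UK) from the slides. Added example, not from the
slides; the record type and helper names are my own, the example numbers
reproduce the slides' risk-determination example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    asset_value: float      # V in [1, 100] (weighted score when no $ value is known)
    likelihood: float       # Pa: probability the vulnerability gets exploited
    current_control: float  # CC: fraction of the risk already mitigated
    uncertainty: float      # UK: fraction of the risk not fully known (1 - data accuracy)


def _check_fraction(value: float, label: str) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{label} must lie in [0, 1], got {value}")


def loss_expectancy(v: Vulnerability) -> float:
    """LE = Pa * V: potential loss before any control is applied."""
    return v.likelihood * v.asset_value


def risk_rating(v: Vulnerability) -> float:
    """R = Pa*V - CC*(Pa*V) + UK*(Pa*V) = Pa * V * (1 - CC + UK), to 2 dp.

    Note that UK can push the factor above 1: poorly known risk is rated
    higher than the raw loss expectancy, which is the point of the term.
    """
    if not 1 <= v.asset_value <= 100:
        raise ValueError(f"asset value must lie in [1, 100], got {v.asset_value}")
    for value, label in ((v.likelihood, "Pa"), (v.current_control, "CC"),
                         (v.uncertainty, "UK")):
        _check_fraction(value, label)
    return round(loss_expectancy(v) * (1 - v.current_control + v.uncertainty), 2)


def rank_vulnerabilities(vulns) -> list[tuple[str, str, float]]:
    """(asset, vulnerability, rating) tuples, highest risk rating first."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def control_needed(v: Vulnerability, tolerance: float) -> float:
    """Smallest CC (fraction of risk a control must mitigate) that brings the
    rating down to `tolerance`: from Pa*V*(1 - CC + UK) <= tolerance,
    CC >= 1 + UK - tolerance/(Pa*V). Returns 0 if already within tolerance
    and 1 if even a fully effective control cannot reach it."""
    le = loss_expectancy(v)
    if le == 0:
        return 0.0
    needed = 1 + v.uncertainty - tolerance / le
    return round(min(max(needed, 0.0), 1.0), 4)


# The slides' example: A's data is 90% accurate (UK = 0.1), B's 80% (UK = 0.2).
EXAMPLE = [
    Vulnerability("A", "vulnerability 1", 50, 1.0, 0.0, 0.1),
    Vulnerability("B", "vulnerability 2", 100, 0.5, 0.5, 0.2),
    Vulnerability("B", "vulnerability 3", 100, 0.1, 0.0, 0.2),
]

if __name__ == "__main__":
    for asset, name, rating in rank_vulnerabilities(EXAMPLE):
        print(f"asset {asset}: {name} rated {rating}")
    print("CC needed to bring A/v1 down to 20:", control_needed(EXAMPLE[0], 20))
```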
Risk Assessment (cont.)

• Documenting Results of Risk Assessment – 5 types of documents ideally created:

1) Information asset classification worksheet
2) Weighted asset worksheet
3) Weighted threat worksheet
4) TVA worksheet
5) Ranked vulnerability risk worksheet
³ extension of the TVA worksheet, showing only the assets and relevant vulnerabilities
³ assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair
Risk Assessment (cont.)
[Figure: ranked vulnerability risk worksheet with columns A: vulnerable assets; AI: weighted asset value; V: each asset’s vulnerability; VL: likelihood of vulnerability realization; AI × VL]

Customer service e-mail has a relatively low value but represents the most pressing issue due to its high vulnerability likelihood.

• At the end of the risk assessment process, the TVA and/or ranked-vulnerability worksheets should be used to develop a prioritized list of tasks.
Risk Control
Risk Control Strategies

Once all vulnerabilities/risks are evaluated, the company has to decide on the ‘course of action’ – often influenced by $$$ …

[Figure: risk vs. cost-of-control grid, from “risk high, cost low” to “risk low, cost high”]

Computer Security, Stallings, p. 487


Risk Control Strategies (cont.)

• Basic Strategies to Control Risks

³ Avoidance
Ø do not proceed with the activity or system that creates this risk

³ Reduced Likelihood (Control)
Ø by implementing suitable controls, lower the chances of the vulnerability being exploited

³ Transference
Ø share responsibility for the risk with a third party

³ Mitigation
Ø reduce impact should an attack still exploit the vulnerability

³ Acceptance
Ø understand consequences and acknowledge risks without any attempt to control or mitigate
Risk Control Strategies (cont.)

• Avoidance – strategy that results in complete abandonment of activities or systems due to excessive risk
³ usually results in loss of convenience or ability to perform some function that is useful to the organization
³ the loss of this capacity is traded off against the reduced risk profile

Recommended for vulnerabilities with a very high risk factor that are very costly to fix.
Risk Control Strategies (cont.)

• Reduced Likelihood (Control) – risk control strategy that attempts to prevent exploitation of a vulnerability by means of the following techniques:
³ application of technology
Ø implementation of security controls & safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.
³ policy
Ø e.g. insisting on safe procedures
³ training and education
Ø change in technology and policy must be coupled with employees’ training and education

Recommended for vulnerabilities with a high risk factor that are moderately costly to fix.
Risk Control Strategies (cont.)

• Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations
³ if the organization does not have adequate security experience, hire individuals or firms that provide expertise
Ø ‘stick to your knitting’!
Ø e.g., by hiring a Web consulting firm, the risks associated with domain name registration, Web presence, Web service, … are passed on to an organization with more experience

Recommended for vulnerabilities with a high risk factor that are moderately costly to fix if employing outside expertise.
Risk Control Strategies (cont.)

• Mitigation – risk control strategy that attempts to reduce the significance of the impact caused by a vulnerability – includes 3 plans:

Recommended for vulnerabilities that are low-risk and moderately costly to fix.
Risk Control Strategies (cont.)

• Acceptance – assumes NO action towards protecting an information asset – accept the outcome …
³ should be used only after doing all of the following (steps to be discussed):
Ø assess the probability of attack and the likelihood of successful exploitation of a vulnerability
Ø approximate the annual occurrence of such an attack
Ø estimate the potential loss that could result from attacks
Ø perform a thorough cost-benefit analysis assuming various protection techniques
Ø determine that the particular asset did not justify the cost of protection!

Recommended when vulnerability risk < cost of any control.


Risk Control Strategies (cont.)

• Risk Tolerance – risk that the organization is willing to accept after implementing risk-mitigation controls

• Residual Risk – risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed
³ goal of information security is not to bring residual risk to 0, but to bring it in line with the company’s risk tolerance
³ risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance
Risk Control Strategies (cont.)

How do we know whether risk control techniques have worked / are sufficient?!

Example: Risk tolerance vs. residual risk

[Figure: Risk vs. Time, showing the company’s risk tolerance line, the vulnerability risk before controls, and the residual risk after controls]
Security Risk Management
Cost-Benefit Analysis
Security Risk Management

Risk Management
³ Risk Identification
Ø Identify & Prioritize Assets
Ø Identify & Prioritize Threats
Ø Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
³ Risk Assessment
Ø Calculate Relative Risk of Each Vulnerability
³ Risk Control
Ø Cost-Benefit Analysis
Ø Avoid / Control / Transfer / Mitigate / Accept
Risk Analysis (cont.)
• Qualitative Risk Analysis – scenario-based approach; uses labels & relative values (high/low) rather than numbers; blends in experience & personal judgment

• Quantitative Risk Analysis – predicts the level of monetary loss for each threat, and the monetary benefit of controlling the threat
³ each element is quantified and entered into equations, e.g.:
Ø asset value
Ø threat frequency
Ø severity of vulnerability
Ø damage impact
Ø safeguard cost …
Risk Analysis (cont.)

Qualitative Analysis
pros:
• Requires simple (if any) calculations.
• Considers hands-on opinions of individuals who know the process best.
cons:
• Assessment and results are subjective.
• Does not enable dollar cost/benefit discussion.
• Difficult to track performance.

Quantitative Analysis
pros:
• Easier to automate and evaluate.
• Very useful in performance tracking – provides credible cost/benefit analysis.
cons:
• Very detailed information about the environment needs to be gathered.
• Complex calculations – may not be understood by all.
Risk Analysis (cont.)

“Quantitative risk analysis is the standard way of measuring risk in many fields, such as finance and insurance, but it is not commonly used to measure risk in information systems.
Two of the reasons claimed for this are:
1) the difficulties in identifying and assigning a value to assets, and
2) the lack of statistical information that would make it possible to determine frequency.
Thus, many of the risk assessment tools that are used today for information systems are measurements of qualitative risk.”

http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
Qualitative Risk Analysis
• Challenges of Qualitative Analysis – define likelihood & impact values in a manner that would allow the same scale to be used across multiple risk assessments

Example: ‘likelihood of threat’ categories [figure]

Example: ‘threat impact/consequences’ categories [figure; sample scenarios: a DDoS attack on an e-commerce company; user/patient files erased due to virus infection; compromised user/patient records in a bank/hospital]

Example: ‘risk determination’ categories [figure]
Quantitative Risk Analysis
• Cost-Benefit Analysis – aka economic feasibility study – quantitative decision-making process that:
³ determines the loss in value if the asset remained unprotected
³ determines the cost of protecting an asset
³ helps prioritize actions and spending on security …

A company should not spend more to protect an asset than the asset is worth!
Quantitative Risk Analysis (cont.)

• Asset Value (AV) – combination of the following:
³ cost of buying/developing hardware, software, service
³ cost of installing, maintaining, upgrading hardware, software, service
³ cost to train and re-train personnel
³ direct profit gained from the utilization of the asset

• Exposure Factor (EF) – percentage loss that would occur from a given vulnerability being exploited by a given threat
Quantitative Risk Analysis (cont.)

• Single Loss Expectancy (SLE) – most likely loss (in value) from an attack

SLE = AV * EF

Example: A Web-site’s SLE due to a DDoS Attack

Estimated value of a Web-site: AV = $1,000,000.
A DDoS on the site would result in 10% losses of the site value (EF = 0.1).
SLE for the site: AV * EF = $100,000.

Would it be worth investing in an anti-DDoS system that costs $100,000 a year?
Quantitative Risk Analysis (cont.)

• Annualized Rate of Occurrence (ARO) – indicates how often an attack is expected to successfully occur in a year
³ if an attack occurs once every 2 years ⇒ ARO = 0.5

• Annualized Loss Expectancy (ALE) – overall loss incurred by an attack (i.e. by exploiting a vulnerability) in each year

ALE = ARO * SLE


Quantitative Risk Analysis (cont.)

Example: Determining ARO, SLE, ALE

[Figure: worksheet listing, per threat, its ARO, SLE and ALE]

http://www.pearsonhighered.com/assets/hip/us/hip_us_pearsonhighered/samplechapter/078973446X.pdf
Quantitative Risk Analysis (cont.)

Example: Determining ALE to Occur from Risks

http://www.windowsecurity.com/articles/Risk_Assessment_and_Threat_Identification.html

A widget manufacturer has installed new network servers, changing its network from P2P to a client/server-based network. The network consists of 200 users who make an average of $20 an hour, working on 200 workstations. Previously, none of the workstations involved in the network had anti-virus software installed. This was because there was no connection to the Internet and the workstations did not have USB/disk drives or Internet connectivity, so the risk of viruses was deemed minimal. One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive e-mail and surf the Internet.
Quantitative Risk Analysis (cont.)

Example: Determining ALE to Occur from Risks (cont.)


• 200 employees, 200 workstations, $20/hour

One of the managers read in a trade magazine that other widget companies have reported an annual 75% chance of virus infection after installing T1 lines, and it may take up to 3 hours to restore the system.

A vendor will sell licensed copies of antivirus for all servers and the 200 workstations at a cost of $4,700 per year.

The company has asked you to determine the annual loss that can be expected from viruses, and whether it is cost effective to purchase licensed copies of anti-virus software.
Quantitative Risk Analysis (cont.)

Example: Determining ALE to Occur from Risks (cont.)

Based on the provided data:

ARO = 0.75
SLE = 200 users * ($20 / user-hour) * 3 hours = $12,000
ALE = SLE * ARO = $9,000
ACS = $4,700

Because the ALE is $9,000, and the cost of the software that will minimize this risk is $4,700 per year, this means the company would save $4,300 per year by purchasing the software ($9,000 – $4,700 = $4,300).

But, what if the antivirus is not 100% effective?
Quantitative Risk Analysis (cont.)

• Cost-Benefit Analysis Formula – expresses the cost benefit of a safeguard, i.e., determines whether a particular control is worth its cost

NRRB = [ALE(prior) – ALE(post)] – ACS

³ [ALE(prior) – ALE(post)] = GROSS risk reduction benefit
³ NRRB = NET risk reduction benefit (money saved)
³ a safeguard is justified if it results in NRRB > 0
³ ALE(prior) – ALE before implementing control
³ ALE(post) – ALE after implementing control
³ ACS – annual cost of safeguard
Quantitative Risk Analysis (cont.)

Example: Cost-Benefit Analysis

[Figure: ALE vs. Time – ALE(prior) before safeguards, ALE(post) after safeguards; GRRB = gross risk reduction benefit; ACS = annual cost of safeguards; NRRB = net risk reduction benefit]

Only NRRB > 0 justifies the use of safeguard(s)!


Quantitative Risk Analysis (cont.)

Example: Determining NRRB


Your organization has decided to centralize anti-virus support on a server which automatically updates virus signatures on users’ PCs. When calculating the risk due to viruses, the annualized loss expectancy (ALE) is $145,000. The cost of this anti-virus countermeasure is estimated at $24,000/year, and it will lower the ALE to $65,000. Is this a cost-effective countermeasure? Why or why not?

ALE (prior) = $145 k
ALE (post) = $65 k
ACS = $24 k
NRRB = ALE (prior) – ALE (post) – ACS =
= $145 k – $65 k – $24 k =
= $56 k, so there are positive cost benefits to this solution
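SLE, ALE and NRRB from the slides as a worked example in code added here (not from the slides or their sources): it reproduces the widget-manufacturer and centralized anti-virus figures above, and the `ale_after_safeguard` / `breakeven_effectiveness` helpers answer the earlier question “what if the antivirus is not 100% effective?” under my own assumption that a safeguard of effectiveness e leaves (1 – e) of the prior ALE.

```python
"""Quantitative cost-benefit helpers: SLE, ALE and NRRB as defined in the
slides. Added example, not from the slides. The partial-effectiveness model
(ALE(post) = (1 - e) * ALE(prior) for a safeguard of effectiveness e) is an
assumption of this example, not a formula from the slides.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the most likely loss from one successful attack."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset value lost")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO (ARO = expected successful occurrences per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def ale_after_safeguard(ale_prior: float, effectiveness: float) -> float:
    """Assumed model: a safeguard that stops fraction `effectiveness` of the
    incidents leaves (1 - effectiveness) of the prior ALE."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness is a fraction in [0, 1]")
    return round(ale_prior * (1 - effectiveness), 2)


def nrrb(ale_prior: float, ale_post: float, acs: float) -> float:
    """NRRB = [ALE(prior) - ALE(post)] - ACS, the net annual money saved."""
    return round((ale_prior - ale_post) - acs, 2)


def is_justified(ale_prior: float, ale_post: float, acs: float) -> bool:
    """The slides' rule: only NRRB > 0 justifies the safeguard."""
    return nrrb(ale_prior, ale_post, acs) > 0


def breakeven_effectiveness(ale_prior: float, acs: float):
    """Minimum effectiveness at which NRRB reaches 0: e = ACS / ALE(prior).
    Returns None when ALE(prior) <= 0 (no loss to reduce) and caps at 1."""
    if ale_prior <= 0:
        return None
    return round(min(acs / ale_prior, 1.0), 4)


def widget_example() -> dict:
    """The slides' widget manufacturer: 200 users x $20/h x 3 h of restore time
    per infection, a 75% annual chance of infection, antivirus at $4,700/yr."""
    sle = 200 * 20 * 3                       # $12,000 lost per infection
    ale = annualized_loss_expectancy(sle, aro=0.75)
    acs = 4700
    return {
        "sle": sle,
        "ale": ale,
        "nrrb_if_fully_effective": nrrb(ale, ale_after_safeguard(ale, 1.0), acs),
        "nrrb_if_half_effective": nrrb(ale, ale_after_safeguard(ale, 0.5), acs),
        "breakeven_effectiveness": breakeven_effectiveness(ale, acs),
    }


if __name__ == "__main__":
    for key, value in widget_example().items():
        print(f"{key:26s} {value}")
    # The centralized anti-virus example from the slides.
    print("centralized AV NRRB:", nrrb(145_000, 65_000, 24_000))
```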
Quantitative Risk Analysis (cont.)

Example: Cert. Info. Sys. Sec. Prof. (CISSP) Exam

ALE (prior) = AV*EF*ARO = $10^6 * 0.1 * 0.2 = $20,000
ALE (post) = $0 (best case scenario – safeguard 100% effective)
ACS = ?
For NRRB ≥ 0, a safeguard of up to $20,000 is acceptable.
Quantitative Risk Analysis (cont.)

Example: Cost-benefit analysis in case of a 100% effective safeguard

[Figure: ALE vs. Time as in the previous cost-benefit diagram – ALE(prior) before safeguards, ALE(post) after safeguards, GRRB = gross risk reduction benefit, ACS = annual cost of safeguards, NRRB = net risk reduction benefit – for a 100% effective safeguard]
Other Feasibility Measures
• Quantitative cost-benefit analysis determines whether a security control measure is feasible economically.
• Other factors and ‘measures of feasibility’, when evaluating a security control, should be considered:

NRRB = [ALE(prior) – ALE(post)] – ACS, where ALE(post) = ARO(post) × AV(post) × EF(post)

• Organizational Feasibility – examines how well a proposed security control will contribute to the organization’s strategic objectives
³ e.g. a firewall might be a good security safeguard, but may prevent the effective flow of multimedia data
Other Feasibility Measures (cont.)
• Behavioral – examines user’s and management’s
Feasibility acceptance and support of a proposed
security control
³ e.g. if users do not accept a new policy/
technology/program, it will inevitably fail
³ most common methods for obtaining
user acceptance are:
Ø communication – affected parties must
know the purpose and benefits of the
proposed change
Ø education – affected parties must be
educated on how to work under the new
constraints
Ø involvement – affected parties must be
given a chance to express what they want
and what they will tolerate from the system
Other Feasibility Measures (cont.)
• Technical Feasibility – determines whether the organization has or can acquire the technology and/or necessary technical expertise to implement and support a control
³ e.g. use of VPN may require special software / hardware support / installation on all computers

• Political Feasibility – determines what can and cannot be done based on consensus and relationships between different departments …
³ IT and Info. Sec. departments might have to compete for the same resources
Relative Risk Analysis
• Rather than using quantitative or qualitative risk analysis, an organization may resort to relative risk analysis of a control, including:

• Benchmarking – study practices used in other organizations that obtain results you would like to duplicate

• Due Care or Due Diligence – implement a minimum level of security
³ failure to maintain a standard of due care can open an organization to legal liability – especially important if dealing with customer data
Relative Risk Analysis (cont.)
• Best Practices – implement the entire set of security controls as recommended for your industry / general public
³ ‘best practices’ according to Microsoft:
Ø use antivirus software
Ø use strong passwords
Ø verify your software security settings
Ø update product security
Ø build personal firewalls
Ø back up early and often
Ø protect against power surges and losses

• Gold Standard – implement controls beyond best practices – for those that strive to be ‘the best of the best’
