CSE3482 2022 SecurityRiskManagement
Security Risk Management
http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter7.html
Risk in Information Security (cont.)
• Asset – anything that needs to be protected because it has value and/or contributes to the successful achievement of the organization’s objectives
[Diagram: Asset 1 with vulnerability 1, vulnerability 2, …, vulnerability n; Threats listed as Agent 1 / Event 1, Agent 2 / Event 2, …, Agent m / Event k]
Security Risk Management
• Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
  - two major sub-processes:
    o Risk Identification & Assessment
    o Risk Control (Mitigation)
[Diagram: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks, then back to Assess the Risks]
Security Risk Management (cont.)
[Diagram: Risk Management splits into Risk Identification and Risk Control]
http://www.misutilities.com/
http://www.misutilities.com/network-asset-tracker/howtouse.html
Risk Identification: Asset Inventory (cont.)
• Identifying People, Procedures and Data Assets
  - Not as readily identifiable as other assets – require that experience and judgment be used.
  - Possible attributes:
    o people – avoid personal names, as they may change; use:
      * position name
      * position number/ID
      * computer/network access privileges
    o procedures
      * description
      * intended purpose
      * software/hardware/networking elements to which it is tied
      * location of reference document, …
    o data
      * owner
      * creator
      * manager
      * location, …
Risk Identification: Asset Ranking/Prioritization
Risk Identification: Asset Ranking
Each asset is assigned a score (0.1-1.0) for each critical factor.
[Asset ranking worksheet, with rows such as “Data asset / …”; table body not recovered]
Risk Identification:
Threat Identification
& Prioritization
Risk Identification: Threat Identification
[Diagram: Asset 1 with vulnerability 1, vulnerability 2, vulnerability 3, …, vulnerability n; Threats listed as Agent 1 / Event 1, Agent 2 / Event 2, …, Agent m / Event k]
Risk Identification: Threat Identification
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
  - System-centric – starts from a model of the system, and attempts to follow the model’s dynamics and logic, looking for types of attacks against each element of the model.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
• Threat Modeling/Assessment
  - Asset-centric – starts from the assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how CIA security breaches can happen.
http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Prioritization
[TVA worksheet diagram, labelled Asset, Threat, Vulnerability]
Vulnerability Analysis (cont.)
If the intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.
Vulnerability Analysis (cont.)
Example worksheet entries:
- Vulnerability: antivirus software not up-to-date [procedural weakness]; Asset: desktop (files) on a particular computer/workstation
- Threat: DDoS attack; Vulnerability: CPU ‘freezes’ at 10,000 packets/sec [design/implementation flaw]; Asset: server
[TVA worksheet diagram, labelled Asset, Threat, Vulnerability]
Risk Assessment (cont.)
R = P × V
  - P = probability of threat-event occurrence
  - V = value lost / cost to organization
Risk Assessment (cont.)
Weighted score indicating the relative importance (associated loss) of the given asset; should be used if concrete $ amounts are not available.
Risk Assessment (cont.)
R = Pa × Ps × V   (Pa × Ps = P)
  - Pa = probability that an attack/threat (against a vulnerability) takes place
  - Ps = probability that the attack successfully exploits the vulnerability
Risk Assessment (cont.)
R = Pa × (1 – Pe) × V   (1 – Pe = Ps)
  - Pe = probability that the system’s security measures effectively protect against the attack (reflection of the system’s security effectiveness)
Ps = probability that the attack is successfully executed; Pe = probability that the attack is NOT successfully executed, i.e. system defences are effective
Risk Assessment (cont.)
R = Pa × V – Pa × V × Pe
  - Pa × V: risk if no protection is implemented
  - Pa × V × Pe: risk reduction if measures of effectiveness Pe are implemented
Risk Assessment (cont.)
R = Pa × V – CC × (Pa × V) + UK × (Pa × V)
  = Pa × V × [1 – CC + UK]
where Pa × V = LE = Loss Expectancy (i.e. potential loss before control is applied)
Asset A:
  Vulnerability 1 rated as 55 = 50 × (1.0 – 0 + 0.1)
Asset B:
  Vulnerability 2 rated as 35 = 50 × (1 – 0.5 + 0.2)
  Vulnerability 3 rated as 12 = 10 × (1 – 0 + 0.2)
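The rating formula above, carried through in code as an added example (not from the course slides): it reproduces the three ratings 55, 35 and 12 and ranks the vulnerabilities by them. The slides do not expand CC and UK; here CC is assumed to be the fraction of the risk already mitigated by current controls and UK an uncertainty allowance, and the split of the slide’s Pa × V figures (50, 50, 10) into separate Pa and V values is also assumed.

```python
"""Risk rating in the slides' form R = Pa x V x [1 - CC + UK], plus R = Pa x (1 - Pe) x V.

Added example, not from the course slides. CC is taken as the fraction of the risk
already mitigated by current controls and UK as an uncertainty allowance, both in [0, 1].
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    asset: str
    vulnerability: str
    p_attack: float      # Pa: probability the threat event occurs
    value: float         # V: asset value, in $ or as a weighted score
    controls: float      # CC: fraction of the risk already controlled (assumed meaning)
    uncertainty: float   # UK: allowance for what is not known (assumed meaning)

    def __post_init__(self):
        for name in ("p_attack", "controls", "uncertainty"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be a fraction in [0, 1]")


def loss_expectancy(rec):
    """LE = Pa x V: potential loss before any control is applied."""
    return rec.p_attack * rec.value


def risk_rating(rec):
    """R = LE - CC x LE + UK x LE, i.e. LE x [1 - CC + UK]."""
    le = loss_expectancy(rec)
    return le - rec.controls * le + rec.uncertainty * le


def residual_risk(p_attack, p_effective, value):
    """R = Pa x (1 - Pe) x V: risk left when defences stop the attack with probability Pe."""
    return p_attack * (1.0 - p_effective) * value


def rank(records):
    """Highest rating first: the order in which the vulnerabilities should be treated."""
    return sorted(records, key=risk_rating, reverse=True)


# Constructed inputs reproducing the slide's ratings (55, 35, 12). The slide gives only
# Pa x V (50, 50, 10); the split into Pa and V below is assumed.
SLIDE_EXAMPLE = [
    VulnRecord("Asset A", "Vulnerability 1", 1.0, 50.0, 0.0, 0.1),
    VulnRecord("Asset B", "Vulnerability 2", 0.5, 100.0, 0.5, 0.2),
    VulnRecord("Asset B", "Vulnerability 3", 0.1, 100.0, 0.0, 0.2),
]

if __name__ == "__main__":
    for rec in rank(SLIDE_EXAMPLE):
        print(f"{rec.asset} / {rec.vulnerability}: LE={loss_expectancy(rec):.0f}, R={risk_rating(rec):.0f}")
```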
Risk Assessment (cont.)
  - Transference
    o share responsibility for the risk with a third party
  - Mitigation
    o reduce the impact should an attack still exploit the vulnerability
  - Acceptance
    o understand the consequences and acknowledge the risks without any attempt to control or mitigate
Risk Control Strategies (cont.)
[Diagram: vulnerability risk plotted against time, before controls and after controls, against the company’s risk tolerance line; the risk remaining after controls is the residual risk]
Security Risk Management
Cost-Benefit Analysis
Security Risk Management
[Diagram: Risk Management splits into Risk Identification and Risk Control]
http://www.sans.org/reading_room/whitepapers/auditing/introduction-information-system-risk-management_1204
Qualitative Risk Analysis
• Challenges of Qualitative Analysis – define likelihood & impact values in a manner that would allow the same scale to be used across multiple risk assessments
Example: ‘risk determination’ categories, with scenarios such as:
- DDoS attack on an E-commerce company
- user/patient files erased due to virus infection
- compromised user/patient records in a bank/hospital
Quantitative Risk Analysis
• Cost-Benefit Analysis – aka economic feasibility study – quantitative decision-making process that:
  - determines the loss in value if the asset remained unprotected
  - determines the cost of protecting an asset
  - helps prioritize actions and spending on security …
http://www.pearsonhighered.com/assets/hip/us/hip_us_pearsonhighered/samplechapter/078973446X.pdf
Quantitative Risk Analysis (cont.)
The company has asked you to determine the annual loss that
can be expected from viruses, and whether it is cost effective
to purchase licensed copies of anti-virus software.
Quantitative Risk Analysis (cont.)
Because the ALE is $9,000, and the cost of the software that will minimize this risk is $4,700 per year, this means the company would save $4,300 per year by purchasing the software ($9,000 - $4,700 = $4,300).
But what if the antivirus is not 100% effective?
Quantitative Risk Analysis (cont.)
[Diagram: ALE over time – ALE(prior) before safeguards, ALE(post) after safeguards]
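The cost-benefit question above, worked through as an added example (not from the course slides): the $9,000 ALE and $4,700 per year software cost are the slide’s figures, while “effectiveness”, the fraction of the expected loss the safeguard removes, is an assumed parameter, and the break-even calculation generalizes the slide’s “not 100% effective” question.

```python
"""Cost-benefit check for a safeguard that is not 100% effective.

Added example, not from the course slides. ALE(post) is modelled as
ALE(prior) x (1 - effectiveness); 'effectiveness' is an assumed parameter.
"""


def ale_post(ale_prior, effectiveness):
    """ALE(post): the annual loss the safeguard still lets through."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction in [0, 1]")
    return ale_prior * (1.0 - effectiveness)


def annual_net_benefit(ale_prior, annual_cost, effectiveness=1.0):
    """ALE(prior) - ALE(post) - annual cost of the safeguard; negative means it does not pay."""
    return ale_prior - ale_post(ale_prior, effectiveness) - annual_cost


def break_even_effectiveness(ale_prior, annual_cost):
    """Smallest effectiveness at which the safeguard pays for itself; above 1.0 it never does."""
    if ale_prior <= 0.0:
        raise ValueError("ALE(prior) must be positive")
    return annual_cost / ale_prior


def benefit_table(ale_prior, annual_cost, steps=10):
    """Net benefit at effectiveness 0, 1/steps, ..., 1; the sign change marks the break-even point."""
    return [(i / steps, annual_net_benefit(ale_prior, annual_cost, i / steps))
            for i in range(steps + 1)]


# The slide's figures: $9,000 expected annual virus loss, $4,700 per year for the software.
ALE_PRIOR = 9000.0
ANNUAL_COST = 4700.0

if __name__ == "__main__":
    print(f"100% effective: saves ${annual_net_benefit(ALE_PRIOR, ANNUAL_COST):,.0f}/year")
    print(f"break-even effectiveness: {break_even_effectiveness(ALE_PRIOR, ANNUAL_COST):.1%}")
    for eff, net in benefit_table(ALE_PRIOR, ANNUAL_COST):
        print(f"effectiveness {eff:.0%}: net benefit ${net:,.0f}")
```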
Other Feasibility Measures
• Quantitative cost-benefit analysis determines whether
a security control measure is feasible economically.
• Other factors and ‘measures of feasibility’, when
evaluating a security control, should be considered: