03RM - Riskassessment 1
http://pralab.diee.unica.it 75
Main sources
The context: risk management frameworks and guidelines
– ISO 31000:2018 Risk management – Guidelines
(not focused on information security)
– ISO 27005:2018 Information security risk management
– NIST SP 800-39 Managing information security risk
Specific risk assessment guidelines
– NIST SP 800-30 Rev. 1 Guide for conducting risk assessments (2012)
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
– IEC/ISO 31010:2019 Risk management – Risk assessment techniques
https://www.iso.org/standard/72140.html
The context: ISO risk management framework
Risk assessment
The context: NIST risk management framework
[Figure: the NIST risk management process, with risk assessment highlighted]
Risk framing describes the environment in which risk-based decisions are made, and produces the organization's risk management strategy.
The context: NIST risk management framework
The context: NIST risk management framework
NIST SP 800-39 Managing information security risk
[Figure: a threat, with a given likelihood, exploits assets in a given context, causing an impact]
Main activities
1. threat and vulnerability identification,
including threat likelihood and impact
2. risk determination, as a function of likelihood and impact
The context: NIST risk management framework
The context: NIST risk management framework
(cont.)
– Impacts can refer to organizational operations (i.e., mission, functions,
image, and reputation), organizational assets, individuals, other
organizations, and the Nation.
– Likelihood can be determined using a variety of approaches
• the likelihood that a threat event will occur and that, if it occurs, it will result in
adverse effects, can be treated as separate factors, or in combination
• qualitative risk assessments are preferred under a high degree of uncertainty
• either threat assumptions or actual threat data can be used (e.g., historical
data on cyber attacks or on earthquakes, specific information on adversary
capabilities, intentions, and targeting); empirical data can be used, if available
(e.g., types of cyber attacks, cyber attack trends, frequencies of attacks)
• likelihood can refer to (i) worst case (i.e., attack will be successful unless
strong, objective reasons to presume otherwise); (ii) best case (i.e., attack will
not be successful unless specific, credible information to the contrary); or (iii)
something in between best and worst cases (e.g., the most probable case)
NIST SP 800-30 Guide for conducting risk assessments
NIST SP 800-30 – Risk framing components
NIST SP 800-30 – Risk framing components
Risk model: the main factors
– threats (e.g. sources and events): (i) hostile cyber or physical attacks;
(ii) human errors of omission or commission; (iii) structural failures of
organization-controlled resources (e.g., hardware, software,
environmental controls); (iv) natural and man-made disasters,
accidents, and failures beyond the control of the organization
(existing taxonomies can be used to identify relevant threats)
– vulnerabilities: weaknesses in (i) information systems, system security
procedures, internal controls, or implementation that could be
exploited by a threat source (often related to unapplied or weak
security controls); (ii) organizational governance structures (e.g., lack
of effective risk management strategies and adequate risk framing,
poor intra-agency communications)
Threats and vulnerabilities can be combined into threat scenarios
(cont.)
NIST SP 800-30 – Risk framing components
(cont.)
– predisposing conditions affect (increase or decrease) the likelihood
that threat events, once initiated, result in adverse impacts (e.g.,
location of a facility in a flood-prone region, information systems with
complex external network connectivity)
– likelihood of occurrence is based on the probability that a given
threat is capable of exploiting a given vulnerability; it combines the
likelihood that the threat event is initiated (or occurs) with the
likelihood that, once initiated, it results in adverse impact
• for adversarial threats likelihood assessment depends on: (i) adversary
intent; (ii) adversary capability; (iii) adversary targeting
• for other threats it is estimated based on historical evidence, empirical
data, or other factors
– impact: magnitude of harm that can result from the consequences of
compromising confidentiality, integrity or availability
NIST SP 800-30 – Risk framing components
NIST SP 800-30 – Assessment approaches
Risk, and its contributing factors, can be assessed in a variety of ways,
depending on organizational culture and attitudes toward the concepts
of uncertainty and risk communication, and on the available information
Assessment approaches: quantitative, qualitative, semi-quantitative
NIST SP 800-30 – Analysis approach
Analysis approaches differ in the orientation or starting point of the risk
assessment (threat-oriented, asset/impact-oriented, or vulnerability-oriented),
in the level of detail of the assessment, and in how risks due to similar
threat scenarios are treated
NIST SP 800-30 – Application of risk assessments
[Figure: applications of risk assessment at the three tiers (Tier 1: organization/governance; Tier 2: mission/business processes and segments; Tier 3: information systems), supporting the determination of strategies, policies, guidance and resiliency requirements, the allocation of those requirements to the enterprise and its mission/business segments, and the processes for managing risk]
Traditional risk assessments focus at the Tier 3 level, and tend to overlook
other significant risk factors that may be more appropriately assessed at
higher levels.
NIST SP 800-30 – The risk assessment process
From SP 800-30 Rev. 1, Chapter Three ("The process: conducting risk assessments
within organizations"): the chapter describes the process of assessing information
security risk, including (i) a high-level overview of the risk assessment process;
(ii) the activities necessary to prepare for risk assessments; (iii) the activities
necessary to conduct effective risk assessments; (iv) the activities necessary to
communicate the assessment results and share risk-related information; and (v) the
activities necessary to maintain the results of risk assessments on an ongoing basis.
The risk assessment process is composed of four steps: (i) prepare for the
assessment; (ii) conduct the assessment; (iii) communicate assessment results; and
(iv) maintain the assessment. Each step is divided into a set of tasks. For each
task, supplemental guidance provides additional information for organizations
conducting risk assessments. Risk tables and exemplary assessment scales are listed
in appropriate tasks and cross-referenced to additional, more detailed information
in the supporting appendices. Figure 5 of SP 800-30 illustrates the basic steps in
the risk assessment process and highlights the specific tasks for conducting the
assessment.
The process description is intended to provide a common expression of the essential
elements of an effective risk assessment, not to limit organizational flexibility:
other procedures can be implemented if organizations choose to do so, consistent
with the intent of the process description.
[Figure 5 of SP 800-30: the four steps (prepare, conduct, communicate, maintain), with the tasks of the conduct step ending in "Determine Risk"]
Comparison with ISO 27005:2018
[Figure: comparison of the SP 800-30 process with ISO 27005:2018]
Step 1: preparing for the risk assessment
Tasks
1-1 Identify the purpose of the assessment
1-2 Identify the scope
1-3 Identify the assumptions and constraints associated with the
assessment
1-4 Identify the sources of information to be used as inputs to the
assessment
1-5 Identify the risk model and analytic approaches (i.e., assessment and
analysis approaches) to be employed
Step 1: preparing for the risk assessment
TASK 1-1: Identifying the purpose
– what information is it intended to produce?
– what decisions is it intended to support?
– how to capture and present information produced?
Step 1: preparing for the risk assessment
TASK 1-3: Identifying assumptions and constraints
– threat sources: types of sources to be considered, identification process
– threat events: types of threat events to be considered, required level of
detail of their description
– vulnerabilities and predisposing conditions: types of vulnerabilities and
predisposing conditions to be considered, required level of detail of their
description
– likelihood determination process
– impacts to organizational operations (missions, functions, image, and
reputation) and assets, individuals, other organizations
– risk tolerance and uncertainty: what levels and types of risk are
acceptable? reasons for uncertainty about risk factors
– analytic approach: assessment approaches (quantitative, qualitative,
semi-quantitative) and analysis approaches (threat-oriented,
asset/impact-oriented, vulnerability-oriented)
Step 1: preparing for the risk assessment
TASK 1-4: Identifying the sources of information about threats,
vulnerabilities and impacts
– threats and vulnerabilities: internal sources (e.g., risk and
vulnerability assessment reports, incident reports, security logs,
trouble tickets, monitoring results) and external sources (e.g., cross-
community organizations like CERT, research and non-governmental
organizations), etc.
– predisposing conditions: descriptions of information systems,
environments of operation, shared services, common infrastructures,
enterprise architecture, etc.
– impact information: mission/business impact analyses, information
system component inventories, security categorizations, etc.
Step 1: preparing for the risk assessment
TASK 1-5: Identifying the risk model and analytic approach
– risk models include, or can be translated into, the risk factors: threat,
vulnerability, impact, likelihood, and predisposing condition
– assessment approach: quantitative, qualitative, semi-quantitative
– analysis approach: threat-oriented, asset/impact-oriented,
vulnerability-oriented
– definition, or selection of, existing assessment scales, annotated with
organizationally-meaningful examples for specific values
– defining algorithms (e.g., formulas, tables, rules) for combining risk
factors
Step 2: conducting the risk assessment
Objective: to produce a list of information security risks that can be
prioritized by risk level and used to inform risk response decisions
– iterations among the tasks are necessary and expected
– task ordering can be modified
[Figure 5 of SP 800-30: Step 1 "Prepare for Assessment", derived from the organizational risk frame; Step 2 tasks ending in "Determine Risk"]
Step 2: conducting the risk assessment
TASK 2-1: Identify and characterize threat sources of concern
– adversarial threats: capability, intent and targeting characteristics
– non-adversarial threats: range of effects
Step 2: conducting the risk assessment
TASK 2-4: Determining the likelihood that threat events of
concern result in adverse impacts
depends on:
– characteristics of the threat sources that could initiate the events (for
adversarial threats, including capability, intent and targeting), or that
make the event occur (non-adversarial threats)
– vulnerabilities/predisposing conditions identified
– organizational susceptibility reflecting the safeguards/
countermeasures planned or implemented
Step 2: conducting the risk assessment
TASK 2-4 (cont.): the overall likelihood combines
• likelihood of event occurrence (e.g., due to human error or natural
disaster) or initiation (by an adversary)
• likelihood of adverse impacts resulting from initiation or occurrence
taking into account:
• organizational attitudes toward risk (overall risk tolerance, uncertainty
tolerance)
• specific tolerances toward uncertainty in different risk factors
• organizational weighting of risk factors
Step 2: conducting the risk assessment
TASK 2-5: Determining the adverse impacts from threat events of
concern
Factors to consider:
– characteristics of the threat sources that could initiate the events
– vulnerabilities/predisposing conditions identified
– susceptibility reflecting the safeguards/countermeasures planned or
implemented to impede such events
Description of adverse impacts in terms of potential harm to:
– organizational operations
– assets
– individuals
– other organizations
May involve identification of assets or potential targets of threat sources
– information resources (e.g., information, data repositories, information
systems, applications, information technologies, communications links)
– people
– physical resources (e.g., buildings, power supplies)
Step 2: conducting the risk assessment
TASK 2-6: Determining the risk to the organization from threat
events of concern
Risk level is a function of:
– impact resulting from the events
– likelihood of the events occurring
Risks at the same level or with similar scores can be further prioritized.
Information on uncertainties should be included, e.g., arising from:
– missing information
– subjective determinations
– assumptions made
Conducting the risk assessment: overview
[Figure: threat sources (adversarial: capability, intent, targeting; non-adversarial: range of effects) cause threat events (relevance), which exploit vulnerabilities (severity), producing an impact. The likelihood of initiation/occurrence and the likelihood of adverse impact combine into the overall likelihood; likelihood and impact combine into the risk level.]
The Risk Assessment Process
Qualitative and quantitative approaches
Risk assessment approaches
NIST SP 800-30 guidelines identify three kinds of risk assessment
approaches to evaluate each risk factor (likelihood, impact, etc.)
and risk itself
Quantitative Qualitative Semi-quantitative
Risk assessment approaches
According to NIST SP 800-30, the choice, adaptation or definition of a
specific risk assessment approach is part of the preparation step, and
is driven by different organizational considerations, e.g.:
– the quality and quantity of information available on threats,
vulnerabilities and impacts
– the specific orientation carrying the highest priority for organizations
– the availability of analysis tools emphasizing certain orientations
Risk assessment approaches
NIST SP 800-30 gives no specific guidance on quantitative approaches
for information security risk.
Qualitative risk assessment
Non-numerical categories or levels are used for each risk factor and for the
final risk level
– basic categories: low, medium, high
– more refined categories can be used, e.g.: very low, low, medium, high, very high
This kind of risk level assessment is often sufficient for decision makers,
since it allows risk prioritization.
Main issues: how should one define the meaning of "low", "medium", etc.?
How can the risk level be assessed for a given threat as a combination of its
likelihood (e.g., low) and impact (e.g., high)? For instance:
– when should the likelihood of a given threat exploiting a specific vulnerability of a
given asset be considered "low", or "medium", etc.?
– when should the impact of such an event be considered "low", or "medium", etc.?
– when should the corresponding risk be considered "low", etc.?
Detailed guidelines are provided by NIST SP 800-30 on this matter.
Semi-quantitative risk assessment
Numerical values are used, e.g.:
– bins, e.g.: 0–15, 16–35, 36–70, 71–85, 86–100
– scales, e.g., 1, 2, 3, ..., 10
– other representative numbers
Overview of the risk assessment process
[Figure: threat sources (adversarial: capability, intent, targeting; non-adversarial: range of effects) cause threat events (relevance), which exploit vulnerabilities (severity), producing an impact. The likelihood of initiation/occurrence and the likelihood of adverse impact combine into the overall likelihood; likelihood and impact combine into the risk level.]
How to assess the risk factors and the risk level, i.e., each element in
the ovals of the figure?
NIST SP 800-30 guidelines on assessment scales
Exemplary assessment scale: adversary capability
[Figure: the adversarial threat-source characteristics of the overview (capability, intent, targeting), with capability highlighted; the scale table is not reproduced]
Exemplary assessment scale: adversary targeting
[Figure: the adversarial threat-source characteristics of the overview (capability, intent, targeting), with targeting highlighted; the scale table is not reproduced]
Exemplary assessment scale: range of effects of non-adversarial threat sources
TABLE D-6 (SP 800-30): ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES
The bracketed [tier] in each description stands for the level being assessed:
Tier 3: information systems; Tier 2: mission/business processes or EA segments,
common infrastructure, or support services; Tier 1: organization/governance structure.
Qualitative | Semi-quantitative (range / value) | Description
Very High | 96-100 / 10 | The effects of the error, accident, or act of nature are sweeping, involving almost all of the cyber resources of the [tier].
High | 80-95 / 8 | The effects of the error, accident, or act of nature are extensive, involving most of the cyber resources of the [tier], including many critical resources.
Moderate | 21-79 / 5 | The effects of the error, accident, or act of nature are wide-ranging, involving a significant portion of the cyber resources of the [tier], including some critical resources.
Low | 5-20 / 2 | The effects of the error, accident, or act of nature are limited, involving some of the cyber resources of the [tier], but involving no critical resources.
Very Low | 0-4 / 0 | The effects of the error, accident, or act of nature are minimal, involving few if any of the cyber resources of the [tier], and involving no critical resources.
Exemplary assessment scale: relevance of threat events
TABLE E-4 (SP 800-30): RELEVANCE OF THREAT EVENTS
Value | Description
Confirmed | The threat event or TTP has been seen by the organization.
Expected | The threat event or TTP has been seen by the organization's peers or partners.
Anticipated | The threat event or TTP has been reported by a trusted source.
Predicted | The threat event or TTP has been predicted by a trusted source.
Possible | The threat event or TTP has been described by a somewhat credible source.
N/A | The threat event or TTP is not currently applicable. For example, a threat event or TTP could assume specific technologies, architectures, or processes that are not present in the organization, mission/business process, EA segment, or information system; or predisposing conditions that are not present (e.g., location in a flood plain). Alternately, if the organization is using detailed or specific threat information, a threat event or TTP could be deemed inapplicable because information indicates that no adversary is expected to initiate the threat event or use the TTP.
Exemplary assessment scale: severity of vulnerabilities
[The scale table is not reproduced]
Exemplary assessment scales: likelihood of threat event initiation (adversarial) and of occurrence (non-adversarial)
[Figure: the likelihood of initiation/occurrence and the likelihood of adverse impact combine into the overall likelihood]
Likelihood of threat event initiation (adversarial; Table G-2 of SP 800-30)
Qualitative | Semi-quantitative (range / value) | Description
Very High | 96-100 / 10 | Adversary is almost certain to initiate the threat event.
High | 80-95 / 8 | Adversary is highly likely to initiate the threat event.
Moderate | 21-79 / 5 | Adversary is somewhat likely to initiate the threat event.
Low | 5-20 / 2 | Adversary is unlikely to initiate the threat event.
Very Low | 0-4 / 0 | Adversary is highly unlikely to initiate the threat event.
TABLE G-3 (SP 800-30): ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT OCCURRENCE (NON-ADVERSARIAL)
Qualitative | Semi-quantitative (range / value) | Description
Very High | 96-100 / 10 | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.
High | 80-95 / 8 | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year.
Moderate | 21-79 / 5 | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year.
Low | 5-20 / 2 | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low | 0-4 / 0 | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
Exemplary assessment scales: likelihood of adverse impact and overall likelihood
[Figure: the likelihood of initiation/occurrence and the likelihood of adverse impact combine into the overall likelihood; the scale tables are not reproduced]
Impact of a threat event (cont.)
Exemplary assessment scale: risk
[The scale table is not reproduced]
Level of risk: the risk matrix
Rows: overall likelihood of the threat event; columns: level of impact; cell: level of risk.
Likelihood \ Impact | Very low | Low | Moderate | High | Very high
Very high | Very low | Low | Moderate | High | Very high
High | Very low | Low | Moderate | High | Very high
Moderate | Very low | Low | Moderate | Moderate | High
Low | Very low | Low | Low | Low | Moderate
Very low | Very low | Very low | Very low | Low | Low
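As an added example (not code from the slides or from NIST SP 800-30), the following Python puts the pieces of this section together: the semi-quantitative bins of the exemplary scales (0-4, 5-20, 21-79, 80-95, 96-100), the risk matrix above, the exclusion of threat events whose relevance is N/A (Table E-4), and the Task 2-6 rule that risks at the same level are further prioritized. The threat scenarios are constructed sample input, and the tie-break by the product of the two numeric scores is an assumption of this example, since the slides do not say how same-level risks are ordered.

```python
"""Risk determination with the exemplary NIST SP 800-30 scales.

Added example (not from the slides or from NIST). It encodes the
semi-quantitative bins of the exemplary scales (0-4 Very Low, 5-20 Low,
21-79 Moderate, 80-95 High, 96-100 Very High), the risk matrix
(likelihood x impact -> risk level) and the Task 2-6 rule that risks at
the same level are further prioritized. Threat events with relevance
"N/A" (Table E-4) are excluded from the assessment.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Semi-quantitative value range -> qualitative level.
BINS = [(0, 4, "Very Low"), (5, 20, "Low"), (21, 79, "Moderate"),
        (80, 95, "High"), (96, 100, "Very High")]

# Risk matrix: key = overall likelihood, list = risk level per impact
# level, in LEVELS order (Very Low .. Very High).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def to_level(score: int) -> str:
    """Map a 0-100 semi-quantitative value to its qualitative level."""
    for lo, hi, name in BINS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"semi-quantitative value out of range: {score}")


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk matrix for qualitative likelihood and impact."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class Scenario:
    """One threat scenario (threat source + event + exploited vulnerability)."""
    name: str
    relevance: str    # Table E-4 value: Confirmed, Expected, ..., N/A
    likelihood: int   # overall likelihood, 0-100
    impact: int       # level of impact, 0-100


def assess(scenarios):
    """Return (name, risk level, likelihood, impact) tuples, highest risk first.

    Scenarios with relevance N/A are dropped. Within a risk level, the
    product likelihood*impact orders the rows; that tie-break is an
    assumption of this example, not a rule from SP 800-30.
    """
    rows = []
    for s in scenarios:
        if s.relevance == "N/A":
            continue
        level = risk_level(to_level(s.likelihood), to_level(s.impact))
        rows.append((s.name, level, s.likelihood, s.impact))
    rows.sort(key=lambda r: (LEVELS.index(r[1]), r[2] * r[3]), reverse=True)
    return rows


# Constructed sample input, not real assessment data.
SAMPLE = [
    Scenario("Phishing leads to credential theft", "Confirmed", 85, 70),
    Scenario("Ransomware on the file server", "Expected", 50, 97),
    Scenario("Flood at the primary data centre", "Possible", 3, 97),
    Scenario("Insider misuse of admin rights", "Anticipated", 50, 85),
    Scenario("Attack on a technology not in use", "N/A", 90, 90),
]

if __name__ == "__main__":
    for name, level, lik, imp in assess(SAMPLE):
        print(f"{level:9s} {name} (likelihood {lik}, impact {imp})")
```

Note how the matrix behaves on the sample: the flood scenario has a Very High impact but a Very Low likelihood and lands at Low risk, while the ransomware scenario with a merely Moderate likelihood reaches High because its impact is Very High. The two Moderate-level scenarios (phishing and insider misuse) are then separated only by the numeric scores, which is exactly the situation Task 2-6 has in mind when it says same-level risks can be further prioritized.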