Lecture 1: Identifying & Assessing Risk
[Figure 1-1: Components of Risk Management]
Risk management: identifying and Assessing Risk
An observation made over 2400 years ago by Chinese General Sun Tzu is relevant
to information security today:
“If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer
a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Source: Oxford University Press.
InfoSec strategy and tactics are similar in some ways to those employed in conventional warfare, with
the obvious exception that the law prohibits offensive operations on the part of a targeted
organization. InfoSec managers and technicians are the defenders of information. They constantly
face a myriad of threats to the organization's information assets. A layered defense is the foundation
of any InfoSec program. So, as Sun Tzu recommends, to reduce risk, an organization must (1) know
itself and (2) know its enemy. This means that managers from all three communities of interest must
locate the weaknesses of their organization's operations; understand how the organization's
information is processed, stored, and transmitted; and identify what resources are available. Only
then can they develop a strategic plan of defense.
Know Yourself
First, you must identify, examine, and understand the information and systems currently in place
within your organization. To protect assets, which are defined here as information and the systems
that use, store, and transmit information, you must understand what they are, how they add value to
the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you
can identify what you are already doing to protect it.
Risk Identification
A risk management strategy calls on information security professionals to identify, classify, and prioritize
the organization’s information assets. Once that has been done, the threat identification process begins.
Each information asset is examined to identify vulnerabilities, and when vulnerabilities are found, controls
are identified and assessed regarding their capability to limit possible losses should an attack occur.
Asset Identification and Value Assessment
The iterative process of identifying assets and assessing their value begins with the identification
of the elements of an organization’s systems: people, procedures, data/information, software,
hardware, and networks. The assets are then classified and categorized, with details added as the
analysis goes deeper.
Threat                                    Examples
Compromises to intellectual property      Software piracy or other copyright infringement
Deviations in quality of service          Fluctuations in power, data, and other services from service providers
Espionage or trespass                     Unauthorized access and/or data collection
Forces of nature                          Fire, flood, earthquake, lightning, etc.
Human error or failure                    Accidents, employee mistakes, failure to follow policy
Before you begin the risk analysis process, it may be helpful to create a list of the TVA "triples" to
facilitate your examination of the severity of the vulnerabilities. For example, between Threat 1 and
Asset 1 there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a
pharmaceutical company's most important asset is its research and development database and that
database resides on a stand-alone network (i.e., one that is not connected to the Internet), then there
may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then
the risk assessment team simply crosses out that box. It is much more likely, however, that one or more
vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized
as follows:
T1V1A1 - Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1 - Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1 - Vulnerability 1 that exists between Threat 2 and Asset 1 ... and so on.
Risk Assessment
Now that you have identified the organization’s information assets and the threats and
vulnerabilities of those assets, it’s time to assess the relative risk for each vulnerability. This is
accomplished through a process called risk assessment. Risk assessment assigns a risk rating or
score to each information asset. Although this number does not mean anything in absolute
terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates
the development of comparative ratings later in the risk control process.
Likelihood
The probability that a specific vulnerability within an organization will be successfully attacked is
referred to as likelihood. In risk assessment, you assign a numeric value to the likelihood of a vulnerability
being successfully exploited. A vulnerability's likelihood could be assigned a number between 0.1 (for low)
and 1.0 (for high), or it could be assigned a number between 1 and 100, but 0 is not used because
vulnerabilities with a zero likelihood have been removed from the asset/vulnerability list. Whatever rating
system is used, you should bring all your professionalism, experience, and judgment to bear, and you
should use the rating model you selected consistently. Whenever possible, use external references for
likelihood values that have been reviewed and adjusted for your specific circumstances. Many
asset/vulnerability combinations have sources for determining their likelihoods. For example, the likelihood
of a fire has been actuarially estimated for each type of structure (such as a building). Likewise, the
likelihood that a given e-mail contains a virus or worm has been researched. Finally, the number of network
attacks can be forecast based on how many network addresses the organization has been assigned.
Assessing Potential Impact on Asset Value
Once the probability of an attack by a threat has been evaluated, the organization typically looks at
the possible impact or consequences of a successful attack. A feared consequence is the loss of asset
value. The impact of an attack (most often as a loss in asset value) is of
great concern to the organization in determining where to focus its protection efforts. The weighted tables
used in risk identification can help organizations better understand the magnitude of a successful breach.
Another good source of information is popular media venues that report on successful attacks in other
organizations.
"The level of impact from a threat event is the magnitude of harm that can be expected to result from the
consequences of unauthorized disclosure of information, unauthorized modification of information,
unauthorized destruction of information, or loss of information or information system availability. Such harm
can be experienced by a variety of organizational and non-organizational stakeholders, including, for
example, heads of agencies, mission and business owners, information owners/stewards, mission/business
process owners, information system owners, or individuals/groups in the public or private sectors relying on
the organization; in essence, anyone with a vested interest in the organization's operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation."
Most commonly, organizations create multiple scenarios to better understand the potential impact of
a successful attack. Using a "worst case/most likely outcome" approach is common. In this approach,
organizations begin by speculating on the worst possible outcome of a successful attack by a
particular threat, given the organization's current protection mechanisms. Once the organization
frames this worst-case scenario, it moves on to determine the most likely outcome. The organization
uses this approach in most of its planning and assessment activities.
• Percentage of risk mitigated by current controls: If a vulnerability is fully managed by an existing
control, it can be set aside. If it is partially controlled, you can estimate what percentage of the
vulnerability has been controlled.
Uncertainty
It is not possible to know everything about every vulnerability, such as the likelihood of an
attack against an asset or how great an impact a successful attack would have on the organization.
"Uncertainty is inherent in the evaluation of risk, due to such considerations as:
1. limitations on the extent to which the future will resemble the past
2. imperfect or incomplete knowledge of the threat (e.g., characteristics of adversaries, including
tactics, techniques, and procedures)
3. undiscovered vulnerabilities in technologies or products
4. unrecognized dependencies, which can lead to unforeseen impacts.
Uncertainty about the value of specific risk factors can also be due to the step in the RMF or phase in
the system development life cycle at which a risk assessment is performed. For example, at early
phases in the system development life cycle, the presence and effectiveness of security controls may
be unknown, while at later phases in the life cycle, the cost of evaluating control effectiveness may
outweigh the benefits in terms of more fully informed decision making. Finally, uncertainty can be due
to incomplete knowledge of the risks associated with other information systems, mission/business
processes, services, common infrastructures, and/or organizations. The degree of uncertainty in risk
assessment results, due to these different reasons, can be communicated in the form of the results."
Risk Determination
• For the purpose of making relative risk assessments, we can say that risk equals the likelihood
of a vulnerability occurring times the value (or impact) of that asset to the organization minus
the percentage of risk that is already being controlled plus an element of uncertainty.
Evaluating Risk
• Once the risk has been identified and its relative severity against the value of the information
asset has been evaluated, the organization must decide whether the current level of risk is
acceptable or something must be done.
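The following is an added example, not part of the lecture, that ties the TVA triples (T1V1A1, T1V2A1, ...) to the risk determination formula above: each worksheet entry carries an asset value, a likelihood on the 0.1 to 1.0 scale, the fraction already controlled, and an uncertainty margin, and the entries are scored and ranked for the evaluating-risk decision. The TVATriple, relative_risk and rank_worksheet names and the sample worksheet values are assumptions made for the example; it also assumes the two percentages are taken of the likelihood x value product.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TVATriple:
    """One threat/vulnerability/asset entry from the TVA worksheet, e.g. T1V1A1."""
    threat: str          # e.g. "T1"
    vulnerability: str   # e.g. "V1"
    asset: str           # e.g. "A1"
    asset_value: float   # relative value from the weighted asset tables
    likelihood: float    # 0.1 (low) .. 1.0 (high); 0 is never used
    controlled: float    # fraction of the risk already mitigated by current controls, 0..1
    uncertainty: float   # analyst's uncertainty margin as a fraction, e.g. 0.1 for 10%

    @property
    def label(self) -> str:
        return f"{self.threat}{self.vulnerability}{self.asset}"


def relative_risk(t: TVATriple) -> float:
    """Apply the lecture's formula: likelihood x value - % controlled + uncertainty.
    Assumption made here: both percentages are taken of the likelihood x value product."""
    if not 0.1 <= t.likelihood <= 1.0:
        raise ValueError(f"{t.label}: likelihood must lie in 0.1..1.0 "
                         "(zero-likelihood entries are dropped from the worksheet)")
    if not (0.0 <= t.controlled <= 1.0 and 0.0 <= t.uncertainty <= 1.0):
        raise ValueError(f"{t.label}: controlled and uncertainty must be fractions in 0..1")
    base = t.likelihood * t.asset_value
    return base - base * t.controlled + base * t.uncertainty


def rank_worksheet(triples: list[TVATriple]) -> list[tuple[str, float]]:
    """Score every triple and sort highest relative risk first.
    A vulnerability fully managed by an existing control (100%) is set aside, as the text says."""
    scored = [(t.label, round(relative_risk(t), 2)) for t in triples if t.controlled < 1.0]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample worksheet (not data from the lecture).
WORKSHEET = [
    TVATriple("T1", "V1", "A1", asset_value=50, likelihood=1.0, controlled=0.0, uncertainty=0.1),
    TVATriple("T1", "V2", "A1", asset_value=50, likelihood=0.5, controlled=0.5, uncertainty=0.1),
    TVATriple("T2", "V1", "A2", asset_value=100, likelihood=0.5, controlled=0.5, uncertainty=0.2),
    TVATriple("T3", "V1", "A2", asset_value=100, likelihood=0.2, controlled=1.0, uncertainty=0.0),
]

if __name__ == "__main__":
    for label, risk in rank_worksheet(WORKSHEET):
        print(f"{label}: relative risk {risk}")
```

The scores are only meaningful relative to one another, which is exactly how the lecture says they should be read.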