
www.tvtc.gov.sa

Risk management & incident response


Topics:
Risk management: identifying and Assessing Risk
- Introduction to risk management
- Risk Identification
- Risk Assessment and risk appetite
Risk management: identifying and Assessing Risk

Introduction to risk management


One part of information security is risk management, which is the process of identifying and controlling
the risks to an organization’s information assets. Contingency planning is considered part of the risk
management process.
Risk management consists of two major undertakings:
Risk identification is the process of examining, documenting, and assessing the security posture of an
organization’s information technology and the risks it faces.
Risk control is the process of applying controls to reduce the risks to an organization’s data and
information systems. The various components of risk management and their relationships to one
another are shown in Figure 1-1.

Figure 1-1
Components of Risk Management

Looked at another way, risk management is the process of identifying vulnerabilities in an
organization’s information systems and taking carefully reasoned steps to ensure the
confidentiality, integrity, and availability of all the components of the organization’s information
system. When the organization depends on IT-based systems to remain viable, information
security and the discipline of risk management move beyond theoretical discussions and become
an integral part of the economic basis for making business decisions. These decisions are based on
trade-offs between the costs of applying information systems controls and the benefits realized
from the operation of secured, available systems.

An observation made over 2400 years ago by Chinese General Sun Tzu is relevant
to information security today:
“If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer
a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Source: Oxford University Press.

InfoSec strategy and tactics are similar in some ways to those employed in conventional warfare, with
the obvious exception that the law prohibits offensive operations on the part of a targeted
organization. InfoSec managers and technicians are the defenders of information. They constantly
face a myriad of threats to the organization's information assets. A layered defense is the foundation
of any InfoSec program. So, as Sun Tzu recommends, to reduce risk, an organization must (1) know
itself and (2) know its enemy. This means that managers from all three communities of interest must
locate the weaknesses of their organization's operations; understand how the organization's
information is processed, stored, and transmitted; and identify what resources are available. Only
then can they develop a strategic plan of defense.

Know Yourself
First, you must identify, examine, and understand the information and systems currently in place
within your organization. To protect assets, which are defined here as information and the systems
that use, store, and transmit information, you must understand what they are, how they add value to
the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you
can identify what you are already doing to protect it.

Know the Enemy
Once you are informed of your organization’s assets and weaknesses, you can move on to the other
part of Sun Tzu’s advice: know the enemy. This means identifying, examining, and understanding the
threats facing the organization. You must determine those threat aspects that most directly affect the
organization and the security of the organization’s information assets. You can then use your
understanding of these aspects to create a list of threats prioritized by how important each asset is to
the organization.

Accountability for Risk management


With increasing mobility in the job market, it’s important to think about how accountability can be
separated from individuals. If someone leaves, it’s important that the handover of the risks they were
responsible for is robust enough that the accountability doesn’t end with them.
In reality, when a person departs from an organization, there is a gap before they are replaced. This creates
a key risk for the business, in that their risk accountabilities may not be managed by anyone. When
someone takes on a new role within the organization, are they given sufficient training and “induction” on
their accountabilities and responsibilities with respect to risk? Are employees kept up to speed in a
changing regulatory or external environment, when risks shift? When they leave, how is their knowledge
and responsibility for risks transferred? For many companies, the transition gap between when someone
leaves and another starts can heighten vulnerability for effective risk management.
Succession planning is a critical part of organizational management, but very few organizations are
effective in creating succession and handover plans for significant business risks. Building key risks into job
descriptions and the recruitment/onboarding process is an effective strategy for embedding clear
responsibility for risk.

Risk Identification
A risk management strategy calls on information security professionals to identify, classify, and prioritize
the organization’s information assets. Once that has been done, the threat identification process begins.
Each information asset is examined to identify vulnerabilities, and when vulnerabilities are found, controls
are identified and assessed regarding their capability to limit possible losses should an attack occur.

Asset Identification and Value Assessment
The iterative process of identifying assets and assessing their value begins with the identification of the
elements of an organization’s systems: people, procedures, data/information, software, hardware, and
networks. The assets are then classified and categorized, with details added as the analysis goes deeper.

Threat Assessment
The ultimate goal of risk identification is to assess the circumstances and setting of each information
asset to reveal any vulnerabilities. Armed with a properly classified inventory, you can assess potential
weaknesses in each information asset, a process known as threat assessment.

Identifying Threats
Twelve categories of threats to InfoSec have been identified; they are listed alphabetically in Table 1-1.
Each of these threats presents a unique challenge to InfoSec and must be handled with specific controls
that directly address the particular threat and the threat agent's attack strategy.
Table 1-1 Threats to InfoSec

Threat                                      Examples
Compromises to intellectual property        Software piracy or other copyright infringement
Deviations in quality of service from       Fluctuations in power, data, and other services
service providers
Espionage or trespass                       Unauthorized access and/or data collection
Forces of nature                            Fire, flood, earthquake, lightning, etc.
Human error or failure                      Accidents, employee mistakes, failure to follow policy
Sabotage or vandalism                       Damage to or destruction of systems or information
Software attacks                            Malware: viruses, worms, macros, denial-of-service, or script injections

The TVA Worksheet


At the end of the risk identification process, an organization should have (1) a prioritized list of
assets and (2) a prioritized list of threats facing those assets. The organization should have a
working knowledge of the vulnerabilities that exist between each threat and each asset. These
lists serve as the starting point for the next step in the risk management process: risk assessment.
The prioritized lists of assets and threats can be combined into a Threats-Vulnerabilities-Assets
(TVA) worksheet, in preparation for the addition of vulnerability and control information during
risk assessment. Along one axis lies the prioritized set of assets.

Table 1-2 shows the placement of assets along the horizontal axis, with the most important asset at
the left. The prioritized list of threats is placed along the vertical axis, with the most important or
most dangerous threat listed at the top. The resulting grid provides a convenient method of
examining the "exposure" of assets, allowing a simple vulnerability assessment. We now have a
starting point for our risk assessment, along with the other documents and forms.

Before you begin the risk analysis process, it may be helpful to create a list of the TVA "triples" to
facilitate your examination of the severity of the vulnerabilities. For example, between Threat 1 and
Asset 1 there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a
pharmaceutical company's most important asset is its research and development database and that
database resides on a stand-alone network (i.e., one that is not connected to the Internet), then there
may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then
the risk assessment team simply crosses out that box. It is much more likely, however, that one or more
vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized
as follows:
T1V1A1 - Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1 - Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1 - Vulnerability 1 that exists between Threat 2 and Asset 1 ... and so on.

Risk Assessment and Risk appetite

Risk Assessment
Now that you have identified the organization’s information assets and the threats and
vulnerabilities of those assets, it’s time to assess the relative risk for each vulnerability. This is
accomplished through a process called risk assessment. Risk assessment assigns a risk rating or
score to each information asset. Although this number does not mean anything in absolute
terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates
the development of comparative ratings later in the risk control process.

Likelihood
The probability that a specific vulnerability within an organization will be successfully attacked is
referred to as likelihood. In risk assessment, you assign a numeric value to the likelihood of a vulnerability
being successfully exploited. The likelihood of a vulnerability could be assigned a number between 0.1 (for low)
and 1.0 (for high), or it could be assigned a number between 1 and 100, but 0 is not used because
vulnerabilities with a zero likelihood have been removed from the asset/vulnerability list. Whatever rating
system is used, you should bring all your professionalism, experience, and judgment to bear, and you
should use the rating model you selected consistently. Whenever possible, use external references for
likelihood values that have been reviewed and adjusted for your specific circumstances. Many
asset/vulnerability combinations have sources for determining their likelihoods. For example, the likelihood
of a fire has been actuarially estimated for each type of structure (such as a building). Likewise, the
likelihood that a given e-mail contains a virus or worm has been researched. Finally, the number of network
attacks can be forecast based on how many network addresses the organization has been assigned.

Assessing potential impact on asset value
Once the probability of an attack by a threat has been evaluated, the organization typically looks at the
possible impact or consequences of a successful attack. A feared consequence is the loss of asset value.
The impact of an attack (most often as a loss in asset value) is of great concern to the organization in
determining where to focus its protection efforts. The weighted tables used in risk identification can help
organizations better understand the magnitude of a successful breach. Another good source of information
is popular media venues that report on successful attacks in other organizations.
"The level of impact from a threat event is the magnitude of harm that can be expected to result from the
consequences of unauthorized disclosure of information, unauthorized modification of information,
unauthorized destruction of information, or loss of information or information system availability. Such harm
can be experienced by a variety of organizational and non-organizational stakeholders, including, for
example, heads of agencies, mission and business owners, information owners/stewards, mission/business
process owners, information system owners, or individuals/groups in the public or private sectors relying on
the organization- in essence, anyone with a vested interest in the organization's operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation".

Most commonly, organizations create multiple scenarios to better understand the potential impact of
a successful attack. Using a "worst case/most likely outcome" approach is common. In this approach,
organizations begin by speculating on the worst possible outcome of a successful attack by a
particular threat, given the organization's current protection mechanisms. Once the organization
frames this worst-case scenario, it moves on to determine the most likely outcome. The organization
uses this approach in most of its planning and assessment activities.
• Percentage of risk mitigated by current controls If a vulnerability is fully managed by an existing
control, it can be set aside. If it is partially controlled, you can estimate what percentage of the
vulnerability has been controlled.

Uncertainty It is not possible to know everything about every vulnerability, such as the likelihood of an
attack against an asset or how great an impact a successful attack would have on the organization.
"Uncertainty is inherent in the evaluation of risk, due to such considerations as:
1. limitations on the extent to which the future will resemble the past
2. imperfect or incomplete knowledge of the threat (e.g., characteristics of adversaries, including
tactics, techniques, and procedures)
3. undiscovered vulnerabilities in technologies or products
4. unrecognized dependencies, which can lead to unforeseen impacts.

Uncertainty about the value of specific risk factors can also be due to the step in the RMF or phase in
the system development life cycle at which a risk assessment is performed. For example, at early
phases in the system development life cycle, the presence and effectiveness of security controls may
be unknown, while at later phases in the life cycle, the cost of evaluating control effectiveness may
outweigh the benefits in terms of more fully informed decision making. Finally, uncertainty can be due
to incomplete knowledge of the risks associated with other information systems, mission/business
processes, services, common infrastructures, and/or organizations. The degree of uncertainty in risk
assessment results, due to these different reasons, can be communicated in the form of the results.

Risk Determination
• For the purpose of making relative risk assessments, we can say that risk equals the likelihood
of a vulnerability occurring times the value (or impact) of that asset to the organization, minus
the percentage of risk that is already being controlled, plus an element of uncertainty.

Evaluating Risk
• Once the risk has been identified and its relative severity against the value of the information
asset has been evaluated, the organization must decide whether the current level of risk is
acceptable or something must be done.
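As an added example (not code from the original slides), the following Python builds a TVA worksheet from constructed asset and threat lists, labels each vulnerability in the TnVmAk scheme described earlier, and scores it with the risk determination formula above; it assumes the control and uncertainty percentages are applied to the likelihood × value product, and every asset, threat and number in it is sample data.

```python
"""Added example (not from the original slides): build a TVA worksheet from
prioritized asset and threat lists, label each vulnerability TnVmAk, and
score it as likelihood x value - % mitigated by controls + uncertainty,
with both percentages applied to the likelihood x value product (assumed)."""

# Constructed sample data; most important asset / most dangerous threat first.
ASSETS = [("R&D database", 100), ("Customer portal", 80), ("HR file share", 40)]
THREATS = ["Software attacks", "Espionage or trespass", "Human error or failure"]

# (threat, asset, likelihood 0.1-1.0, fraction mitigated, uncertainty)
VULNS = [
    ("Software attacks", "Customer portal", 0.8, 0.50, 0.20),
    ("Software attacks", "Customer portal", 0.5, 0.00, 0.20),
    ("Espionage or trespass", "Customer portal", 0.3, 0.25, 0.10),
    ("Human error or failure", "HR file share", 0.6, 0.00, 0.30),
    ("Human error or failure", "R&D database", 0.2, 0.75, 0.10),
]
# No vulnerability between "Software attacks" and the stand-alone R&D
# database, so that T1/A1 cell stays empty (crossed out on the worksheet).


def risk_rating(likelihood, value, mitigated, uncertainty):
    """Relative risk rating for one vulnerability, per the slide's formula."""
    base = likelihood * value
    return base - base * mitigated + base * uncertainty


def tva_worksheet():
    """Return {(threat, asset): [(label, rating), ...]}; labels are TnVmAk."""
    t_index = {t: i + 1 for i, t in enumerate(THREATS)}
    a_index = {a: i + 1 for i, (a, _) in enumerate(ASSETS)}
    a_value = dict(ASSETS)
    sheet = {(t, a): [] for t in THREATS for a, _ in ASSETS}
    for threat, asset, likelihood, mitigated, uncertainty in VULNS:
        cell = sheet[(threat, asset)]  # V is numbered within each T/A cell
        label = f"T{t_index[threat]}V{len(cell) + 1}A{a_index[asset]}"
        rating = risk_rating(likelihood, a_value[asset], mitigated, uncertainty)
        cell.append((label, rating))
    return sheet


def ranked_risks():
    """All vulnerabilities ordered from highest to lowest relative risk."""
    rows = [item for cell in tva_worksheet().values() for item in cell]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for label, rating in ranked_risks():
        print(f"{label}: {rating:.1f}")
```

The ranked output is what the organization then evaluates against its risk appetite, deciding which ratings are acceptable and which need further control.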

Risk Appetite
• Is the general level of risk you accept.
• The first thing to know about risk appetite is that it’s one of the first things that you must determine. Why?
Because determining risk appetite will help you determine the amount of risk you’re willing to “live” with,
and how much risk you need to manage.
Futon Alkharashi
Fa.alkharashi@gmail.com
