
Risk Assessment

Unit 2

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
Outline
• Introduction
• Critical components of Risk Assessment
• Types of Risk assessment – Quantitative and Qualitative
• Identification and Evaluation of Threats
• IPR infringement
• Vulnerabilities and Countermeasures

Introduction
• Risk Assessment (Risk Analysis): the process used to identify and evaluate risks.

• Need for Risk Assessment:
  • To study the impact of a risk on the business
  • To classify the risks into different risk levels
  • To prioritize the risks so that they can be handled one by one
  • The security budget is limited, and performance has to be balanced against security
  • Helps to identify the best method or safeguards to control the risk
  • Ensures the control measures taken give the best results and benefits

Introduction
Importance of Risk Assessment. An RA should be completed:
• When evaluating risk—Risk assessments are a part of the overall risk management process. Risk assessments are useful any time risk management is being used, and especially when the risks need to be prioritized.
• When evaluating a control—You can use an RA to evaluate the usefulness of a control. Management can’t approve all controls; they will approve some controls and not others. An RA helps management decide which controls to adopt.
• Periodically after a control has been implemented—An RA is a point-in-time document. However, risks don’t stand still: attackers are constantly upgrading their techniques and tactics. You should schedule RAs on a regular basis after a control has been implemented. The goal is to determine whether the control is still useful.

Introduction
Steps of Risk Assessment
• Identify threats and vulnerabilities
• Identify the likelihood that a risk will occur
  This can be based on historical data or opinions. For example, imagine a risk occurred an average of four times in the past three years. If no steps are taken to reduce the risk, it will probably occur 4 times next year. If historical data isn’t available, experts can provide opinions on the likelihood of the risk occurring.
• Identify asset values
  The value of assets helps to determine the impact of a risk. The assets can be hardware assets, software assets, or data. Some risks can affect all three.
Introduction
Steps of Risk Assessment
• Determine the impact of a risk—This can be based on historical data or opinions. Imagine a risk resulted in losses averaging $20,000 a year in the past three years. If no steps are taken to reduce the risk, it will probably result in a loss of about $20,000 next year. If historical data isn’t available, experts can provide opinions on the impact of the risk occurring.
• Determine the usefulness of a safeguard or control—Safeguards or controls are used to reduce the risk or reduce the impact. Some controls will be more effective than others. The RA helps determine which ones to implement.

Critical Components of RA
Critical steps of Risk Assessment.
• Identify scope.
  The scope identifies the boundary of the RA. It helps to eliminate scope creep by keeping the project on track.
• Identify critical areas.
  The RA identifies the critical areas that should be included. This helps the RA team focus only on what’s important.
• Identify the team.
  RA team personnel should not be the same people who are responsible for correcting deficiencies. This helps avoid a conflict of interest.

Types of Risk Assessment
• Quantitative
  It is an objective method. It uses numbers such as actual dollar values. It requires a significant amount of data, and gathering this data often takes time. If the data is available, this type of RA becomes a simple math problem with the use of formulas.

• Qualitative
  It is a subjective method. It uses relative values based on opinions from experts. Experts provide their input on the probability and impact of a risk. It can be completed rather quickly.
Identifying and Valuing Assets
• Identify the information assets in your organization (hardware, software, and data) and place values on them.

• The most common valuation methods include the following:
  • Replacement cost valuation puts a dollar value on an asset corresponding to the cost that the organization would incur if the asset had to be replaced at market prices.
  • Original cost valuation uses the original purchase price of an asset as that asset's value.
  • Depreciated valuation uses the original cost minus some allowance for the deterioration in value of the asset since the time it was purchased.
  • Qualitative valuation assigns priorities to assets based upon their value to the organization.

Quantitative Risk Assessment
• Quantitative risk assessment attempts to assign values to each risk and then uses those values to weigh the potential benefit achieved by implementing additional security measures.

Few definitions
• Asset value (AV): The value of the asset, as determined by one of the methods described previously.

• Exposure factor (EF): The expected portion of an asset that would be destroyed by a given risk, expressed as a percentage of the asset.

• Annualized rate of occurrence (ARO): The number of times you expect a risk to occur each year.

• Single loss expectancy (SLE): The loss expected from a single incident. It is computed as the product of the AV and the EF.

• Annualized loss expectancy (ALE): The expected loss for a year from a given risk. It is computed as the product of the ARO and the SLE.

• Cost of measure / safeguard control: The cost of the control used to mitigate the risk.

• Benefit = (ALE × life of measure) − cost of measure.
  If the result is a positive number, you should implement the security measure. If it is a negative number, you may wish to pass.

Quantitative Risk Assessment
• A company issues laptop computers to employees. The value of each laptop is $2,000. This includes the hardware, software, and data. About 100 laptops are being used at any time. In the past two years, the company has lost an average of one laptop per quarter. These laptops were stolen when systems were left unattended. Calculate the following:
  a. SLE
  b. ARO
  c. ALE

  SLE = $2,000
  ARO = 4
  ALE = $2,000 × 4 = $8,000

Quantitative Risk Assessment
• The company could purchase hardware locks for the laptops in bulk at a cost of $10 each. The safeguard value is $10 × 100 laptops, or $1,000. It’s estimated that if the locks are purchased, the ARO will decrease from 4 to 1. Should the company purchase these locks? Calculate:
  a. ARO and ALE with control
  b. Savings with control
  c. Safeguard value (cost of control)
  d. Realized savings

  ARO with control = 1; ALE with control = $2,000 × 1 = $2,000
  Savings with control = $8,000 − $2,000 = $6,000
  Safeguard value (cost of control) = $10 × 100 = $1,000
  Realized savings = $5,000 (savings with control of $6,000 − safeguard value of $1,000)
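The SLE/ARO/ALE definitions and the laptop case above, worked out in Python as an added example that is not part of the lecture deck. The benefit of a control is computed from the ALE reduction it delivers (ALE without the control minus ALE with it), which is how the realized savings on the laptop slide are obtained; the one-year control life and the exposure factor of 1.0 (a stolen laptop is a total loss) are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Inputs of a quantitative risk assessment for one asset/threat pair."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and AV cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle() * self.aro


def annual_savings(before: Risk, after: Risk) -> float:
    """ALE reduction delivered by a control: ALE without it minus ALE with it."""
    return before.ale() - after.ale()


def control_benefit(ale_reduction: float, life_years: float, cost: float) -> float:
    """Deck formula: Benefit = (ALE x life of measure) - cost of measure,
    with the ALE term taken as the ALE reduction the control delivers.
    A positive result says implement the control; a negative one says pass."""
    return ale_reduction * life_years - cost


def laptop_case() -> dict[str, float]:
    """100 laptops at $2,000 each, one theft per quarter (ARO 4); a $10 lock per
    laptop is estimated to cut the ARO to 1. Control life assumed to be one year."""
    no_control = Risk(asset_value=2_000, exposure_factor=1.0, aro=4)
    with_locks = Risk(asset_value=2_000, exposure_factor=1.0, aro=1)
    lock_cost = 10 * 100
    savings = annual_savings(no_control, with_locks)
    return {
        "sle": no_control.sle(),
        "ale": no_control.ale(),
        "ale_with_control": with_locks.ale(),
        "savings_with_control": savings,
        "safeguard_value": lock_cost,
        "realized_savings": control_benefit(savings, life_years=1, cost=lock_cost),
    }


if __name__ == "__main__":
    for name, value in laptop_case().items():
        print(f"{name:>22}: ${value:,.0f}")
```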

Qualitative Risk Assessment
• It focuses on analyzing the intangible properties of an asset rather than focusing on monetary value.

• It determines the level of risk based on probability and impact.

• Probability: The likelihood that a threat will exploit a vulnerability. Use a scale such as Low, Medium, or High to define the probability of a risk.

• Impact: The negative result if a risk occurs. It is used to identify the magnitude of a risk. Impact is expressed as a relative value; the impact assessment could use words such as Low, Medium, or High.

• A qualitative analysis can be divided into two sections:
  • The first section attempts to prioritize the risks.
  • The second section evaluates the effectiveness of controls.

Qualitative Risk Assessment
[Tables not reproduced in this extraction: Probability Scale; Impact Scale]

Qualitative Risk Assessment
Prioritizing Risks
• An online website selling e-commerce products
[Table not reproduced in this extraction: Qualitative Analysis survey results]

Qualitative Risk Assessment
Prioritizing Risks
• An online website selling e-commerce products

The list of risks from most important to least important is:
• Priority 1— DoS attack, with a value of 100
• Priority 2— Web defacing, with a value of 45
• Priority 3— Loss of Web site data due to hardware failure, with a value of 27
• Priority 4— Loss of data from unauthorized access, with a value of 3

[Figure not reproduced in this extraction: Risk Matrix]
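The prioritization step above as an added Python example, not part of the lecture deck. The deck's probability and impact scale tables did not survive extraction, so the 1–10 scales, the per-risk probability and impact values, and the High/Medium/Low bands below are constructed; the values are chosen so that probability × impact reproduces the deck's priority scores of 100, 45, 27 and 3.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    probability: int  # 1 (Low) .. 10 (High): likelihood a threat exploits a vulnerability
    impact: int       # 1 (Low) .. 10 (High): magnitude of the negative result

    def __post_init__(self) -> None:
        # A qualitative RA has no real standards: the scale must be defined up front,
        # so reject survey answers that fall outside the agreed 1..10 range.
        for value in (self.probability, self.impact):
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: scale values must be between 1 and 10")

    def score(self) -> int:
        """Risk matrix cell: probability x impact."""
        return self.probability * self.impact


def band(score: int) -> str:
    """Constructed risk-matrix bands used to present a score to management."""
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def prioritize(risks: list[QualitativeRisk]) -> list[tuple[int, str, int, str]]:
    """Rank risks most important first as (priority, name, score, band).
    Equal scores are ordered by impact so a high-impact risk is not pushed down."""
    ordered = sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)
    return [(i, r.name, r.score(), band(r.score())) for i, r in enumerate(ordered, start=1)]


# Survey results for the deck's e-commerce web site; probability/impact values are
# constructed here to reproduce the deck's scores (deliberately listed out of order).
ECOMMERCE_RISKS = [
    QualitativeRisk("Loss of data from unauthorized access", probability=1, impact=3),
    QualitativeRisk("DoS attack", probability=10, impact=10),
    QualitativeRisk("Loss of Web site data due to hardware failure", probability=3, impact=9),
    QualitativeRisk("Web defacing", probability=9, impact=5),
]

if __name__ == "__main__":
    for priority, name, score, level in prioritize(ECOMMERCE_RISKS):
        print(f"Priority {priority}: {name}, with a value of {score} ({level})")
```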
Qualitative Risk Assessment
Evaluating Effectiveness of Controls
• An online website selling e-commerce products
[Table not reproduced in this extraction: Mitigation choices survey results]

• DoS attack—Protect with DMZ and/or IDS.
• Web defacing—Protect with DMZ.
• Loss of Web site data due to hardware failure—Protect with RAID and backup plan.
Limitations of Qualitative RA
• Subjective
  The analysis and results are based on opinions more than facts. A different perspective on these opinions could provide a completely different result. If the opinions are gathered in a group, a strong participant could shape the ideas of the entire group.
• Based on the expertise of the experts
  The assessment is only as valuable as the expertise of the experts. If the experts have a solid foundation of knowledge and a wide breadth of experience, the results can be valuable. Otherwise, the results may have very limited value.

Limitations of Qualitative RA
• No cost-benefit analysis
  The usefulness of the controls isn’t as clear as with a quantitative analysis. Although the opinions of the experts are still valuable, the results may not be as clear to management. Management may have a more difficult time deciding which safeguards to use.
• No real standards
  A company needs to define the scales used in the process. For example, the scale can be as simple as Low, Medium, and High. However, the scale needs to be developed and defined for the participants. This requires the expertise of someone who understands risk assessments and how the data will be used.

Quantitative vs Qualitative

Quantitative                                     Qualitative
-----------------------------------------------  -----------------------------------------------
Objective                                        Subjective
Deductive                                        Inductive
Uses numeric values and tools                    Based on the opinion of experts
Time consuming                                   Less time consuming
Costly, as it depends on data collection,        Less costly
which is difficult to obtain
Results easily aggregated for analysis           Results are longer, detailed, variable in
and easily presented                             content, and difficult to analyse
Rigid and more abstract level of study           Flexible, with more in-depth understanding
                                                 and insights

Identifying and Evaluating Threats
• Review historical data
  • Attacks: The success of the next attack depends on the level of protection you have implemented since the last one. This is true for any event.

  • Natural events: Most organizations that are in risk zones for natural disasters have disaster recovery and business continuity plans in place. This includes hurricanes, tornadoes, and earthquakes.

  • Accidents: Any event that affects confidentiality, integrity or availability (CIA), e.g. users accidentally deleting data, user errors, or mishaps in the workplace.

  • Equipment failures: Equipment failures result in outages. Some systems are more prone to failure than others, and some have a much greater business impact. By analyzing past failures, one can often predict future failures. Identify the systems that will benefit from additional redundant hardware.

Identifying and Evaluating Threats
• Threat modelling: the process used to identify possible threats to a system, taken from the attacker's perspective.

• It provides information on:
  • The system: background information on the system.

  • Threat profile: a list of threats. It identifies what the attacker may try to do to the system, including the possible goals of the attack.

  • Threat analysis: each threat in the threat profile is analyzed to determine whether an asset is vulnerable. It reviews existing controls to determine their effectiveness against the threat.

IPR Infringement
• Copyright infringement: works protected by copyright are used without permission, violating rights such as the right to reproduce, distribute, display or perform the protected work, or to make derivative works. Copyright holders can invoke legal and technological measures to prevent and penalize copyright infringement.

• Patent infringement: it may vary by jurisdiction, but it typically includes making, using, selling or importing the patented invention. Patents are territorial, and infringement is only possible in a country where a patent is in force. Permission is granted in the form of a license.

• Trademark infringement: violation of the exclusive rights attached to a trademark without the authorization of the trademark owner or any licensees. It is the use of a trademark which is identical or confusingly similar to a trademark owned by another party, in relation to products or services which are identical or similar to the products or services which the registration covers. An owner of a trademark may commence civil legal proceedings against a party which infringes its registered trademark.
IPR Infringement
• Design infringement: the visual features protected are the shape, configuration, pattern or ornamentation rather than the product itself. A person infringes a registered design during the period of registration within a particular jurisdiction. Often infringement decisions are focused on the similarities between the two designs, rather than the differences.

• Trade secret infringement: also called “misappropriation.” Someone improperly acquires a trade secret, or discloses or uses a trade secret without consent, or while having reason to know that knowledge of the trade secret was acquired through a mistake or accident. It can happen inadvertently or through negligence.

• Cybersquatting: registering, trafficking in, or using an Internet domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name, at an inflated price.

Identifying and Evaluating Vulnerabilities
• By using different assessments:

  • Vulnerability assessment: this assessment prioritizes the vulnerabilities to determine which weaknesses are relevant. The two types are internal and external assessments. Vulnerability scanners perform network reconnaissance.

  • Exploit assessment: also referred to as a “penetration test.” It attempts to discover which vulnerabilities an attacker could exploit. First perform a vulnerability assessment to discover weaknesses, then attempt the exploit. It is intrusive, as the goal is to test the exploit. Take precautions when performing exploit assessments, as they may disrupt all operations.

Identifying and Evaluating Countermeasures
• One should consider the following, and the purpose of each:

  • In-place controls: controls that are currently installed in the operational system.

  • Planned controls: controls that have a specified implementation date.

  • Control categories: controls fall into three primary categories: administrative controls, technical controls, and physical controls.

Identifying and Evaluating Countermeasures
• Control categories

  • Administrative security controls: policies and procedures, security plans, insurance, personnel checks, awareness and training, rules of behaviour.

  • Technical security controls: login identifiers, session timeouts, system logs, audit trails, input validation, firewalls, encryption.

  • Physical security controls: locked doors, guards and access logs, video cameras, fire detection and suppression, water leak detection, temperature and humidity detection, electrical grounding and circuit breakers.
