INFORMATION ASSURANCE AND SECURITY

TOPIC 5: RISK MANAGEMENT

COMPETITIVE ADVANTAGE VS. COMPETITIVE
DISADVANTAGE
Competitive Advantage
 The adoption and implementation of an innovative business model,
method, technique, resource, or technology in order to outperform the
competition.
Competitive Disadvantage
 Falling behind through competition resulting in loss of market share
from an inability to maintain the highly responsive services required by
their stakeholders.
OVERVIEW OF RISK MANAGEMENT
 Risk Assessment
 A determination of the extent to which an organization’s information assets are exposed to risk.
 Risk Control
 The application of controls that reduce the risks to an organization’s information assets to an
acceptable level.
 Risk Identification
 The recognition, enumeration, and documentation of risks to an organization’s information
assets.
 Risk Management
 The process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to
an acceptable level.
COMPONENTS OF RISK MANAGEMENT
THE ROLES OF THE COMMUNITIES OF INTEREST

Evaluating current and proposed risk controls

Determining which control options are cost-effective for the
organization
Acquiring or installing the needed controls
Ensuring that the controls remain effective
RISK APPETITE AND RESIDUAL RISK

Residual Risk
 The risk to information assets that remains even after current controls
have been applied.
Risk Appetite
 The quantity and nature of risk that organizations are willing to accept
as they evaluate the trade-offs between perfect security and unlimited
accessibility.
RESIDUAL RISK
RISK IDENTIFICATION
PLANNING AND ORGANIZING THE PROCESS

Team Organization
 Users
 Managers
 IT/IS Groups
Processes and Tasks
 Timetables
IDENTIFYING, INVENTORYING, AND CATEGORIZING ASSETS
PEOPLE, PROCEDURES, AND DATA ASSET IDENTIFICATION

 People:
 Position name, number, or ID (avoid using people’s names and stick to identifying positions, roles, or functions); supervisor;
security clearance level; special skills
 Procedures:
 Description; intended purpose; relationship to software, hardware, and networking elements; storage location for reference;
storage location for update
 Data:
 Classification; owner, creator, and manager; size of data structure; data structure used (sequential or relational); online or
offline; location; backup procedures employed. As you develop the data-tracking process, consider carefully how much data
should be tracked and for which specific assets.
HARDWARE, SOFTWARE, AND NETWORK ASSET
IDENTIFICATION

 Name  Manufacturer’s model number or part

 IP address number
 Media access control (MAC) address  Software version, update revision, or
FCO number
 Element type
 Physical location
 Serial number
 Logical location
 Manufacturer name
 Controlling entity
INFORMATION ASSET INVENTORY

 networked databases
 hard copy—in filing cabinets, desks, and in employee hands and briefcases
 portable hard drives, flash drives, laptops, smartphones, and other mobile devices
 spreadsheets and database tools
ASSET CATEGORIZATION

 People comprise employees and nonemployees.

 Procedures that do not expose knowledge a potential attacker might find useful, and sensitive procedures that
could allow an adversary to gain an advantage or craft an attack against the organization’s assets.
 Data components account for the management of information in all its states: transmission, processing, and
storage.
 Software components are assigned to one of three categories: applications, operating systems, or security
components.
 Hardware system devices and their peripherals, and devices that are part of information security control systems.
CLASSIFYING, VALUING, AND PRIORITIZING INFORMATION
ASSETS

 Data Classification and Management

 Security Clearance
 Information Asset Valuation
 Information Asset Prioritization
DATA CLASSIFICATION AND MANAGEMENT

 Confidential: Used for the most sensitive corporate information that must be tightly
controlled, even within the company. Access to information with this classification is
strictly on a need-to-know basis or as required by the terms of a contract.
 Internal: Used for all internal information that does not meet the criteria for the
confidential category. Internal information is to be viewed only by corporate
employees, authorized contractors, and other third parties.
 External: All information that has been approved by management for public release.
DATA CLASSIFICATION AND MANAGEMENT

 ‘Top Secret’ shall be applied to information, the unauthorized disclosure of which

reasonably could be expected to cause exceptionally grave damage to the national
security that the original classification authority is able to identify or describe.
 ‘Secret’ shall be applied to information, the unauthorized disclosure of which
reasonably could be expected to cause serious damage to the national security that the
original classification authority is able to identify or describe.
 ‘Confidential’ shall be applied to information, the unauthorized disclosure of which
reasonably could be expected to cause damage to the national security that the
original classification authority is able to identify or describe.
SECURITY CLEARANCE

A security clearance is a personnel security structure in which

each user of an information asset is assigned an authorization
level that identifies the level of classified information he or she
is "cleared" to access.
INFORMATION ASSET VALUATION

Asset valuation is the process of assigning financial value or

worth to each information asset.
INFORMATION ASSET PRIORITIZATION

 Once the inventory and value assessment are complete, you can prioritize
each asset using a straightforward process known as weighted factor
analysis or simply using a weighted table. In this process, each
information asset is assigned scores for a set of assigned critical factors.
IDENTIFYING AND PRIORITIZING THREATS
RISK ASSESSMENT
PLANNING AND ORGANIZING RISK ASSESSMENT
DETERMINING THE LOSS FREQUENCY

 Attack success probability is the number of successful attacks that are expected to
occur within a specified time period.
 Likelihood is the probability that a specific vulnerability within an organization will
be the target of an attack.
 Loss frequency is the calculation of the likelihood of an attack coupled with the attack
frequency to determine the expected number of losses within a specified time range.
EVALUATING LOSS MAGNITUDE

 Loss magnitude, also known as event loss magnitude, is the combination

of an asset’s value and the percentage of it that might be lost in an attack.
ASSESSING RISK ACCEPTABILITY

 For each threat and its associated vulnerabilities that have residual risk, you must create a ranking of
their relative risk levels. These rankings provide a simplistic approach to documenting residual risk—
the leftover risk after the organization has done everything feasible to protect its assets. Next, the
organization must compare the residual risk to its risk appetite—the amount of risk the organization is
willing to tolerate.
 When the organization’s risk appetite is less than an asset’s residual risk, it must move to the next stage
of risk control and look for additional strategies to further reduce the risk. Failure to do so indicates
negligence on the part of the organization’s security and management teams. When the organization’s
risk appetite is greater than the asset’s residual risk, the organization should move to the latter stages of
risk control and continue to monitor and assess its controls and assets.
RISK CONTROL
JUSTIFYING CONTROLS

 Annualized cost of a safeguard (ACS) - In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase,
maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
 Annualized loss expectancy (ALE) - In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss
expectancy.
 Annualized rate of occurrence (ARO) - In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year
basis.
 Cost avoidance - The financial savings from using the defense risk control strategy to implement a control and eliminate the
financial ramifications of an incident.
 Cost-benefit analysis (CBA) - Also known as an economic feasibility study, the formal assessment and presentation of the
economic expenditures needed for a particular security control, contrasted with its projected value to the organization.
 Exposure factor (EF) - In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack.
 Single loss expectancy (SLE) - In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack.
The SLE is the product of the asset’s value and the exposure factor.
QUANTITATIVE AND QUALITATIVE ASSESSMENT

 Qualitative assessment is an asset valuation approach that uses

categorical or non-numeric values rather than absolute numerical
measures.

 Quantitative assessment is an asset valuation approach that attempts to

assign absolute numerical measures.
BENCHMARKING AND BEST PRACTICES

 Benchmarking - An attempt to improve information security practices by comparing an

organization’s efforts against practices of a similar organization or an industry-developed
standard to produce results it would like to duplicate. Sometimes referred to as external
benchmarking.
 Best business practices - Security efforts that are considered among the best in the industry.
metrics-based measures Performance measures or metrics based on observed numerical data.
 Performance gap - The difference between an organization’s observed and desired performance.
 Process-based measures - Performance measures or metrics based on intangible activities.
BASELINING

Baseline is an assessment of the performance of some action or

process against which future performance is assessed; the first
measurement (benchmark) in benchmarking.
FEASIBILITY STUDIES

 Operational feasibility - An examination of how well a particular solution fits within the organization’s culture and
the extent to which users are expected to accept the solution. Also known as behavioral feasibility.
 Organizational feasibility - An examination of how well a particular solution fits within the organization’s
strategic planning objectives and goals.
 Political feasibility - An examination of how well a particular solution fits within the organization’s political
environment—for example, the working relationship within the organization’s communities of interest or between
the organization and its external environment.
 Technical feasibility - An examination of how well a particular solution is supportable given the organization’s
current technological infrastructure and resources, which include hardware, software, networking, and personnel.
ANY QUESTIONS?
REFERENCES

 Principles of Information Security, Sixth Edition Michael E. Whitman and Herbert J. MattordLibrary of Congress Control
Number: 2017930059
THANK YOU!