Risk
So it is said that if you know your enemies and know yourself, you can win a
hundred battles without a single loss.
If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.
Topics Covered
1. Introduction
2. Risk Terminology
3. The elements of risk
4. Risk Management Process
Questions to answer
Asset: An asset is anything within an environment that should be protected. It is anything used
in a business process or task. It can be a computer file, a network service, a system resource, a
process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, or a
product.
Asset Valuation: Asset valuation is a dollar value assigned to an asset based on actual cost and
nonmonetary expenses.
Risk Terminology
Threat: Any potential occurrence that may cause an undesirable or unwanted outcome for an organization
or for a specific asset is a threat.
Vulnerability: The weakness in an asset, or the absence or weakness of a safeguard or countermeasure.
If a vulnerability is exploited, loss or damage to assets can occur.
Risk: Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
The more likely it is that a threat event will occur, the greater the risk.
Risk = threat * vulnerability
Risk Management is the process of identifying, analysing, evaluating and addressing your organisation's
cyber security threats.
The primary goal of risk management is to reduce risk to an acceptable level.
What that level actually is depends on the organization, the value of its assets, the size of its budget, etc.
Phases of risk management
Identify the risk.
Assess the risk.
Treat the risk.
Monitor the risk.
Identify the risks that might compromise your cyber security. This usually involves identifying cyber security
vulnerabilities in your system and the threats that might exploit them.
Assess the risk
Analyse the severity of each risk by assessing how likely it is to occur, and how significant the impact
might be if it does.
Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
Prioritise the risks.
Decide how to respond to each risk. There are generally four options:
Reduction – modify the likelihood and/or impact of the risk, typically by implementing security
controls.
Acceptance – make an active decision to retain the risk (e.g. because it falls within the established risk
acceptance criteria).
Avoidance – avoid the risk entirely by ending or completely changing the activity causing the risk.
Transfer – share the risk with another party, usually by outsourcing or taking out insurance.
Since cyber risk management is a continual process, monitor your risks to make sure they are still
acceptable, review your controls to make sure they are still fit for purpose, and make changes as required.
Remember that your risks are continually changing as the cyber threat landscape evolves and as your systems
and activities change.
Identify Threats and Vulnerabilities
Create an exhaustive list of all possible threats for the organization's identified assets.
External threats
Hacker groups, former employees
Natural disasters (earthquakes, floods, fire, volcanoes, hurricanes, tornadoes, tsunamis, and so on)
Environmental threats: long-term power outages, pollution, chemical spills, liquid leakage
Government, political, or military intrusions or restrictions
Terrorism
Internal threats
Employees and partners
Disgruntled employees
Equipment failure
Physical theft
Social engineering
Loss of key staff
Risk types
Legacy systems
• Outdated, older technologies
• May not be supported by the manufacturer
• May not have security updates
• Depending on the age, may not be accessible
Multiparty risk
• Breaches involving multiple parties
• Often trusted business relationships
• Events often involve many different parties
A risk register or risk log is a document that inventories all of the identified risks to an organization or
system or within an individual project.
A risk register is used to record and track the activities of risk management, including the following:
• Identify risks.
• Evaluate the severity and prioritize those risks.
• Prescribe responses to reduce or eliminate the risks.
• Track the progress of risk mitigation.
Risk matrix/heat map
A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart.
It is sometimes labeled as a qualitative risk assessment.
Its purpose is to help establish criticality prioritization. Using a risk matrix, each threat can be assigned a
probability and a damage level.
The simplest form of a risk matrix is a 3×3 grid comparing probability and damage potential.
Risk assessment
An information security risk assessment, also known as an information security risk analysis, involves
identifying and assessing risks to the confidentiality, integrity, and availability of information systems and
resources. This process should be a fundamental requirement for any security program in any organization
Risk assessment identifies the various information assets that could be affected by a cyber attack (such as hardware,
systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those
assets.
A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks.
Identify assets that could be affected by an attack
• Define the risk associated with each asset
• Hardware, customer data, intellectual property
Identify threats
• Loss of data, disruption of service, etc.
The six major steps or phases in quantitative risk analysis are as follows
1. Inventory assets, and assign a value (asset value, or AV).
2. Research each asset, and produce a list of all possible threats of each individual asset. For each listed
threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is,
the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an
applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most
appropriate response to each threat.
Quantitative risk analysis
1. Asset value
Asset value (AV) is the value or worth of an asset to an organization.
AV is used to predict the amount of loss the organization would suffer if the asset was harmed by a threat.
2. Exposure Factor
The exposure factor (EF) represents the percentage expected overall asset value loss because of a
single realized risk.
In most cases, a realized risk does not result in the total loss of an asset.
The EF is usually small for assets that are easily replaceable, such as hardware.
It can be very large for assets that are irreplaceable or proprietary, such as product designs or a
database of customers.
The EF is expressed as a percentage.
Single Loss Expectancy
Annualized Rate of Occurrence
The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will
occur (that is, become realized) within a single year.
Annualized Loss Expectancy
The annualized loss expectancy (ALE) is the possible yearly cost of all
instances of a specific realized threat against a specific asset.
The ALE is calculated using the following formula:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
Or more simply:
ALE = SLE * ARO
For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power
loss) is 0.5, then the ALE is $45,000.
Calculating Safeguard Costs
For each specific risk, you must evaluate one or more safeguards, or countermeasures, on a cost/benefit
basis.
Measure the deployment value or the cost of the safeguard against the value of the protected asset.
If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then you
should accept the risk.
As mentioned earlier, the annual costs of safeguards should not exceed the expected annual cost of asset
loss.
Calculating Safeguard Cost/Benefit
Cost/benefit calculation is used to determine whether a safeguard actually improves security without
costing too much.
(ALE before safeguard) - (ALE after implementing the safeguard) - (annual cost of safeguard, ACS) =
value of the safeguard to the company
If the result is positive, that value is the annual savings your organization may reap by deploying the safeguard.
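The quantitative steps above, carried through in code as an added example (this is not code from the original deck): SLE = AV * EF is taken as the standard definition, which the slides use but do not spell out, ALE = SLE * ARO, and the safeguard value formula decides whether to deploy. The threat and safeguard figures are constructed so that they reproduce the $90,000 SLE, 0.5 ARO and $45,000 ALE example from the slides.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and safeguard cost/benefit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: worth of the asset to the organization
    exposure_factor: float  # EF: fraction of AV lost per realized threat (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # ACS: annual cost of the safeguard
    new_exposure_factor: float  # EF once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF (standard definition, assumed here)."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def ale(single_loss: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    return single_loss * aro


def safeguard_value(threat: Threat, sg: Safeguard) -> float:
    """(ALE before) - (ALE after) - ACS; a positive result is annual savings."""
    before = ale(sle(threat.asset_value, threat.exposure_factor), threat.aro)
    after = ale(sle(threat.asset_value, sg.new_exposure_factor), sg.new_aro)
    return before - after - sg.annual_cost


def recommend(threat: Threat, sg: Safeguard) -> str:
    """Deploy only when the safeguard's value is positive; otherwise accept the risk."""
    return "deploy" if safeguard_value(threat, sg) > 0 else "accept risk"


# Constructed example reproducing the deck's figures: SLE $90,000, ARO 0.5 -> ALE $45,000
POWER_LOSS = Threat("total power loss", asset_value=300_000, exposure_factor=0.30, aro=0.5)
UPS = Safeguard("UPS and generator", annual_cost=12_000, new_exposure_factor=0.05, new_aro=0.5)

if __name__ == "__main__":
    s = sle(POWER_LOSS.asset_value, POWER_LOSS.exposure_factor)
    print(f"SLE=${s:,.0f} ALE=${ale(s, POWER_LOSS.aro):,.0f}")
    print(f"{UPS.name}: value=${safeguard_value(POWER_LOSS, UPS):,.0f} -> {recommend(POWER_LOSS, UPS)}")
```

Raising the safeguard's annual cost above the ALE reduction flips the recommendation to accepting the risk, which is exactly the "cost of the countermeasure greater than the cost of the risk" case described above.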
Quantitative risk analysis formulas
Qualitative Risk Analysis
Once the risk analysis is complete, management must address each specific risk. There are four possible
responses to risk:
• Reduce or mitigate: implementation of safeguards and countermeasures to eliminate vulnerabilities or
block threats.
• Assign or transfer: assigning risk or transferring risk is the placement of the cost of loss a risk represents
onto another entity or organization.
• Accept: the valuation by management of the cost/benefit analysis of possible safeguards and the
determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.
• Reject or ignore: a final but unacceptable possible response to risk is to reject or ignore risk. Denying that
a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
Risk Response
Residual risk
Once countermeasures are implemented, the risk that remains is known as residual risk.
Residual risk comprises threats to specific assets against which upper management chooses not to
implement a safeguard.
Residual risk is the risk that management has chosen to accept rather than mitigate.
In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that
the available safeguards were not cost-effective deterrents.
Total risk
The amount of risk an organization would face if no safeguards were implemented.
A formula for total risk is as follows:
The cost of the countermeasure should be less than the value of the asset.
The cost of the countermeasure should be less than the benefit of the countermeasure.
The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived
benefit from an attack.
The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because
they are available, are advertised, or sound cool.)
The benefit of the countermeasure should be testable and verifiable.
The countermeasure should provide consistent and uniform protection across all users, systems,
protocols, and so on.
The countermeasure should have few or no dependencies to reduce cascade failures.
The countermeasure should require minimal human intervention after initial deployment and
configuration.
The countermeasure should be tamperproof.
The countermeasure should have overrides accessible to privileged operators only.
The countermeasure should provide fail-safe and/or fail-secure options.
Implementation based security controls
Administrative access controls are the policies and procedures defined by an organization’s security policy and other regulations
or requirements.
They are sometimes referred to as management controls.
These controls focus on personnel and business practices.
Examples of administrative access controls include
• policies,
• procedures,
• hiring practices,
• background checks,
• data classifications and labeling,
• security awareness and training efforts,
• vacation history,
• reports and reviews,
• work supervision,
• personnel controls, and testing.
Technical
Technical or logical access involves the hardware or software mechanisms used to manage access and to
provide protection for resources and systems.
It uses technology.
• authentication methods (such as usernames, passwords, smartcards, and biometrics),
• encryption,
• constrained interfaces,
• access control lists,
• protocols,
• firewalls,
• routers,
• intrusion detection systems (IDSs)
Physical
Security controls should provide benefits that can be monitored and measured.
If a security control’s benefits cannot be quantified, evaluated, or compared, then it does not actually
provide any security.
Cyber risk management is a continual process: monitor your risks to make sure they are still acceptable,
review your controls to make sure they are still fit for purpose, and make changes as required.
A significant improvement in security should be identified to clearly justify the expense of new
countermeasure deployment.
Continuous Improvement
Risk analysis is performed to provide upper management with the details necessary to decide which risks
should be mitigated, which should be transferred, and which should be accepted.
The result is a cost/benefit comparison between the expected cost of asset loss and the cost of deploying
safeguards against threats and vulnerabilities.
Risk analysis identifies risks, quantifies the impact of threats, and aids in budgeting for security.
It helps integrate the needs and objectives of the security policy with the organization’s business goals and
intentions.
Threats and vulnerabilities constantly change, and the risk assessment needs to be redone periodically in
order to support continuous improvement.
Security is always changing; an implemented security solution requires updates and changes over time.
DRIVERS, LAWS, AND REGULATIONS
Federal Information Security Management Act of 2002, or FISMA, for federal agencies.
Gramm-Leach-Bliley Act, or GLBA, for financial institutions.
Health Insurance Portability and Accountability Act, or HIPAA, which is focused on healthcare providers,
insurers, and employers.
Gramm-Leach-Bliley Act (GLBA)
GLBA defines financial institutions as companies that offer financial products or services to individuals, like
loans, financial or investment advice, or insurance.
It requires institutions to establish standards and safeguards around administrative, technical, and physical
security.
These safeguards are meant to protect against anticipated threats and hazards and ensure the security and
integrity of company and customer information and information systems.
Institutions that need to maintain GLBA compliance are required to assess the risks of reasonably
foreseeable threats, and in particular those that could result in unauthorized disclosure, misuse, alteration,
and destruction of information and information systems.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) focuses on healthcare providers, insurers,
and employers.
It focuses on the need to adequately and effectively protect Electronic Protected Health Information, or ePHI, by
adhering to good business practices for systems handling ePHI.
HIPAA requires all covered entities (healthcare providers, insurers, etc.) and their Business Associates
(vendors, contractors, etc.) to conduct an accurate and thorough Risk Analysis (or a Risk Assessment).
This Risk Analysis should assess the potential risks and vulnerabilities that could affect the confidentiality,
integrity, and availability of ePHI.
Risk Frameworks
A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored.
• OCTAVE
• FAIR
• NIST
• ISO 27005
End
Any Questions?
Let’s Go for the next Topic.