Risk


Risk Management Concepts

Performing an information security assessment allows an organization to “know themselves” with respect to their risk exposures. As Sun Tzu stated in “The Art of War”:

So it is said that if you know your enemies and know yourself, you can win a
hundred battles without a single loss.

If you only know yourself, but not your opponent, you may win or may lose.
If you know neither yourself nor your enemy, you will always endanger yourself.
Topics Covered

1. Introduction
2. Risk Terminology
3. The elements of risk
4. Risk Management Process
Questions to answer

 Why should a risk assessment be conducted?


 identify threats
 assign risk levels
 Controls

 Who should conduct the risk analysis or risk assessment?


 Internal experts.
 No one knows your systems and applications or your business better than the people who develop and run them.
Questions to answer cont…

 What can a risk analysis or risk assessment analyze?


 Review any task, project, or idea.

 What can the results of a risk assessment tell an organization?


 Examine all currently identified concerns,
 Prioritize the level of vulnerability,
 Select an appropriate level of control, or accept the risk.

 Who should review the results of a risk analysis?


 Sponsor
 Keep the results confidential.
Risk Terminology

 Asset An asset is anything within an environment that should be protected. It is anything used in a business process or task. It can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, or furniture.

 Asset Valuation Asset valuation is a dollar value assigned to an asset based on actual cost and
nonmonetary expenses.
Risk Terminology

 Threats Any potential occurrence that may cause an undesirable or unwanted outcome for an organization
or for a specific asset is a threat

 Vulnerability The weakness in an asset or the absence or the weakness of a safeguard or countermeasure
 If a vulnerability is exploited, loss or damage to assets can occur.

 Risk is the possibility or likelihood that a threat will exploit a vulnerability to cause harm to an asset.
 The more likely it is that a threat event will occur, the greater the risk.
 Risk = threat * vulnerability
Risk Terminology

 Exposure is being susceptible to asset loss because of a threat; there is the possibility that a vulnerability can or will be exploited by a threat agent or event.

 Safeguards A safeguard, or countermeasure, is anything that removes or reduces a vulnerability or protects against one or more specific threats.
 Installing a software patch,
 Making a configuration change,
 Hiring security guards,
 Altering the infrastructure,
 Modifying processes,
 Improving the security policy,
 Training personnel more effectively,
 Electrifying a perimeter fence,
 Installing lights.
The elements of risk
Risk Management Process
•Assess the risk.
•Treat the risk.
•Monitor
Risk Management

 Risk Management is the process of identifying, analysing, evaluating and addressing your organisation’s
cyber security threats
 The primary goal of risk management is to reduce risk to an acceptable level.
 The level that is actually acceptable depends on the organization, the value of its assets, the size of its budget, and so on.
 Phases of risk management
 Identify the risk.
 Assess the risk.
 Treat the risk.
 Monitor
Risk Management

 Identify the risks that might compromise your cyber security. This usually involves identifying cyber security
vulnerabilities in your system and the threats that might exploit them.
 Assess the risk
 Analyse the severity of each risk by assessing how likely it is to occur, and how significant the impact
might be if it does.
 Evaluate how each risk fits within your risk appetite (your predetermined level of acceptable risk).
 Prioritize the risks.
Risk Management

 Decide how to respond to each risk. There are generally four options:
 Reduction – modify the likelihood and/or impact of the risk, typically by implementing security
controls.
 Acceptance – make an active decision to retain the risk (e.g. because it falls within the established risk
acceptance criteria).
 Avoidance – avoid the risk entirely by ending or completely changing the activity causing the risk.
 Transfer – share the risk with another party, usually by outsourcing or taking out insurance.

 Since cyber risk management is a continual process, monitor your risks to make sure they are still
acceptable, review your controls to make sure they are still fit for purpose, and make changes as required.
Remember that your risks are continually changing as the cyber threat landscape evolves, and your systems and activities change.
Identify Threats and Vulnerabilities

Create an exhaustive list of all possible threats for the organization’s identified assets.
External threats
 Hacker groups, former employees
 Natural disasters (earthquakes, floods, fire, volcanoes, hurricanes, tornadoes, tsunamis, and so on)
 Environmental threats: long-term power outages, pollution, chemical spills, liquid leakage
 Government, political, or military intrusions or restrictions
 Terrorism

 Internal threats
 Employees and partners
 Disgruntled employees
 Equipment failure
 Physical theft
 Social engineering
 Loss of key staff
Risk types

 Legacy systems
• Outdated, older technologies
• May not be supported by the manufacturer
• May not have security updates
• Depending on the age, may not be accessible

 Multiparty risk
• Breaches involving multiple parties
• Often trusted business relationships
• Events often involve many different parties
Risk types

 Intellectual Property (IP) theft


• Theft of ideas, inventions, and creative expressions
• Human error, hacking, employees with access, etc.
• Identify and protect IP
• Educate employees and increase security

 Software compliance /licensing


• Operational risk with too few licenses
• Financial risk with budgeting and over-allocated licenses
• Legal risk if proper licensing is not followed
 May 2019: American Medical Collection Agency
• Provided debt collection for many organisations
• Data breach disclosed personal information on 24 million individuals
• Twenty-three healthcare organisations were affected by this single breach
• A single breach can cause a ripple effect
Risk register

 A risk register or risk log is a document that inventories all of the identified risks to an organization or
system or within an individual project.
 A risk register is used to record and track the activities of risk management, including the following:
• Identify risks.
• Evaluate the severity and prioritize those risks.
• Prescribe responses to reduce or eliminate the risks.
• Track the progress of risk mitigation.
Risk matrix/heat map

 A risk matrix or risk heat map is a form of risk assessment that is performed on a basic graph or chart.
 It is sometimes labeled as a qualitative risk assessment
 The purpose is to help establish criticality prioritization. Using a risk matrix, each threat can be assigned a probability and a damage level.
 The simplest form of a risk matrix is a 3×3 grid comparing probability and damage potential.
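A risk register scored on the 3×3 matrix described above, as an added example (not from the slides): the register fields, the sample risks, the heat-map cell ratings and the risk-appetite check are all constructed assumptions.

```python
"""Risk register entries rated on a 3x3 risk matrix (probability x damage)."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")
RESPONSES = ("reduce", "accept", "avoid", "transfer")

# 3x3 risk matrix: HEAT_MAP[probability][damage] -> criticality rating.
# Which cells count as "high" is an assumed policy; organizations tune this.
HEAT_MAP = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class RiskEntry:
    """One row of the risk register (fields are an assumed layout)."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    probability: str   # low / medium / high
    damage: str        # low / medium / high
    response: str      # reduce / accept / avoid / transfer
    status: str = "open"

    def __post_init__(self):
        if self.probability not in LEVELS or self.damage not in LEVELS:
            raise ValueError(f"{self.risk_id}: levels must be one of {LEVELS}")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.risk_id}: response must be one of {RESPONSES}")

    def rating(self) -> str:
        """Criticality read off the 3x3 matrix."""
        return HEAT_MAP[self.probability][self.damage]

    def score(self) -> int:
        """Numeric score 1..9 for ordering: probability level times damage level."""
        return (LEVELS.index(self.probability) + 1) * (LEVELS.index(self.damage) + 1)


def prioritize(register):
    """Order the register most critical first (matrix rating, then numeric score)."""
    return sorted(register, key=lambda e: (LEVELS.index(e.rating()), e.score()),
                  reverse=True)


def outside_appetite(register, appetite="medium"):
    """Entries rated above the risk appetite whose only response is 'accept'."""
    limit = LEVELS.index(appetite)
    return [e for e in register
            if LEVELS.index(e.rating()) > limit and e.response == "accept"]


# Constructed sample register built from the threat and risk types on the slides.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "billing server", "malware via phishing",
              "legacy OS with no vendor security updates", "high", "high", "reduce"),
    RiskEntry("R-02", "customer database", "breach at debt-collection vendor",
              "data shared with a third party (multiparty risk)", "medium", "high", "transfer"),
    RiskEntry("R-03", "office building", "long-term power outage",
              "no backup generator", "low", "medium", "accept"),
    RiskEntry("R-04", "product designs", "disgruntled employee",
              "broad access to the IP repository", "medium", "medium", "accept"),
    RiskEntry("R-05", "operations", "loss of key staff",
              "undocumented procedures", "medium", "high", "accept"),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_REGISTER):
        print(f"{e.risk_id} {e.rating():6} score={e.score()} {e.response:8} {e.asset}: {e.threat}")
    for e in outside_appetite(SAMPLE_REGISTER):
        print(f"revisit {e.risk_id}: rated {e.rating()} but the response is 'accept'")
```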
Risk assessment

 An information security risk assessment, also known as an information security risk analysis, involves
identifying and assessing risks to the confidentiality, integrity, and availability of information systems and
resources. This process should be a fundamental requirement for any security program in any organization

 Risk assessment identifies the various information assets that could be affected by a cyber attack (such as hardware,
systems, laptops, customer data, and intellectual property), and then identifies the various risks that could affect those
assets.
 A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks.
 Identify assets that could be affected by an attack
‒ Define the risk associated with each asset
‒ Hardware, customer data, intellectual property
 Identify threats
‒ Loss of data, disruption of service etc
 Determine the risk
‒ High, medium, or low risk
 Assess the total risk to the organisation
‒ Make future plans
Risk assessment/analysis types

 There are two primary risk assessment types:
 Quantitative risk analysis assigns real dollar figures to the loss of an asset.
 Qualitative risk analysis assigns subjective and intangible values to the loss of an asset. Both methods are necessary for a complete risk analysis.
 Most environments employ a hybrid of both risk assessment methodologies in order to gain a balanced view of their security concerns.
Quantitative risk analysis

The six major steps or phases in quantitative risk analysis are as follows:
1. Inventory assets, and assign a value (asset value, or AV).
2. Research each asset, and produce a list of all possible threats of each individual asset. For each listed
threat, calculate the exposure factor (EF) and single loss expectancy (SLE).
3. Perform a threat analysis to calculate the likelihood of each threat being realized within a single year, that is, the annualized rate of occurrence (ARO).
4. Derive the overall loss potential per threat by calculating the annualized loss expectancy (ALE).
5. Research countermeasures for each threat, and then calculate the changes to ARO and ALE based on an
applied countermeasure.
6. Perform a cost/benefit analysis of each countermeasure for each threat for each asset. Select the most
appropriate response to each threat.
Quantitative risk analysis
Asset value

1 Asset value
 Asset value (AV) is the value or worth of an asset to an organization.
 AV is used to predict the amount of loss the organization would suffer if the asset was harmed by a threat.
Exposure Factor

2 Exposure Factor
 The exposure factor (EF) represents the percentage expected overall asset value loss because of a
single realized risk.
 In most cases, a realized risk does not result in the total loss of an asset.
 The EF is usually small for assets that are easily replaceable, such as hardware.
 It can be very large for assets that are irreplaceable or proprietary, such as product designs or a
database of customers.
 The EF is expressed as a percentage.
Single Loss Expectancy

 SLE is the cost associated with a single realized risk against a specific asset.
 It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific
threat occurring.
 The SLE is calculated using the following formula:
SLE = asset value (AV) * exposure factor (EF)
or more simply:
SLE = AV * EF
 The SLE is expressed in a dollar value.
 For example, if an asset is valued at $200,000 and it has an EF of 45 percent for a specific threat, then the
SLE of the threat for that asset is $90,000.
The annualized rate of occurrence

The annualized rate of occurrence (ARO) is the expected frequency with which a specific threat or risk will
occur (that is, become realized) within a single year
Annualized Loss Expectancy

The annualized loss expectancy (ALE) is the possible yearly cost of all instances of a specific realized threat against a specific asset.
The ALE is calculated using the following formula:
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)
Or more simply:
ALE = SLE * ARO

For example, if the SLE of an asset is $90,000 and the ARO for a specific threat (such as total power loss) is 0.5, then the ALE is $45,000.
Calculating Safeguard Costs

 For each specific risk, you must evaluate one or more safeguards, or countermeasures, on a cost/benefit basis.

 Measure the deployment value or the cost of the safeguard against the value of the protected asset.
 If the cost of the countermeasure is greater than the value of the asset (that is, the cost of the risk), then you
should accept the risk.
 As mentioned earlier, the annual costs of safeguards should not exceed the expected annual cost of asset
loss.
Calculating Safeguard Cost/Benefit

 Cost/benefit calculation is used to determine whether a safeguard actually improves security without costing too much.

 ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard (ACS) = value of the safeguard to the company

 If the result is negative, the safeguard is not a financially responsible choice.

 If the result is positive, the value is the annual savings your organization may reap by deploying the safeguard.
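The six-step quantitative analysis above, carried through in code as an added example that is not from the slides: it reuses the slides' own figures (AV $200,000, EF 45%, ARO 0.5 for total power loss) and applies the cost/benefit rule to two candidate safeguards whose names, effects and annual costs are constructed assumptions.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and the safeguard cost/benefit rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat against one asset, with its quantitative inputs."""
    asset: str
    threat: str
    av: float    # asset value (AV), in dollars
    ef: float    # exposure factor (EF) as a fraction: 0.45 means 45 percent
    aro: float   # annualized rate of occurrence (ARO), expected events per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure: its assumed effect on EF and ARO, and its annual cost."""
    name: str
    ef_after: float   # EF once the safeguard is in place
    aro_after: float  # ARO once the safeguard is in place
    acs: float        # annual cost of the safeguard (ACS), in dollars


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef) * aro


def safeguard_value(ale_before: float, ale_after: float, acs: float) -> float:
    """ALE before safeguard - ALE after safeguard - ACS = value of the safeguard to the company."""
    return ale_before - ale_after - acs


def evaluate(scenario: ThreatScenario, sg: Safeguard) -> dict:
    """Run the cost/benefit check for one safeguard against one threat scenario."""
    before = ale(scenario.av, scenario.ef, scenario.aro)
    after = ale(scenario.av, sg.ef_after, sg.aro_after)
    value = safeguard_value(before, after, sg.acs)
    return {
        "safeguard": sg.name,
        "ale_before": round(before, 2),
        "ale_after": round(after, 2),
        "value": round(value, 2),
        # the annual safeguard cost should not exceed the expected annual cost of asset loss
        "cost_exceeds_loss": sg.acs > before,
        # a negative value means the safeguard is not a financially responsible choice
        "recommend": value > 0 and sg.acs <= before,
    }


# Scenario using the slides' figures: $200,000 asset, EF 45%, ARO 0.5 for total power loss.
POWER_LOSS = ThreatScenario("data center", "total power loss", av=200_000, ef=0.45, aro=0.5)

# Constructed candidate safeguards; their effects and costs are assumed, not from the slides.
CANDIDATES = [
    Safeguard("UPS plus standby generator", ef_after=0.45, aro_after=0.1, acs=10_000),
    Safeguard("hot-standby second site", ef_after=0.05, aro_after=0.5, acs=60_000),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(POWER_LOSS.av, POWER_LOSS.ef):,.0f}")                    # $90,000
    print(f"ALE = ${ale(POWER_LOSS.av, POWER_LOSS.ef, POWER_LOSS.aro):,.0f}")     # $45,000
    for sg in CANDIDATES:
        print(evaluate(POWER_LOSS, sg))
```

The generator has a positive value ($26,000 a year) and is the only candidate whose ACS stays below the $45,000 ALE; the second site costs more per year than the loss it prevents.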
Quantitative risk analysis formulas
Qualitative Risk Analysis

 Qualitative risk analysis is more scenario based than it is calculator based.


 Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their
risks, costs, and effects.
 Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis with a qualitative analysis is essential.
 The method of combining quantitative and qualitative analysis into a final assessment of organizational risk
is known as hybrid assessment or hybrid analysis.
Qualitative Risk Analysis

The process of performing qualitative risk analysis involves:


 Brainstorming—Collecting spontaneous ideas from a group or individual
 Delphi technique—A means by which a group reaches anonymous consensus through the use of
blind votes
 Storyboarding—Drawing pictures to represent concepts and timelines
 Focus groups—Using study, research, or discussion groups centered around a single topic
 Surveys—A broad-range data-gathering technique that seeks to pull relevant information from any
source
 Questionnaires—Asking a series of questions
 Checklists—An inventory list that must be assessed against a process, task, or storage
 One-on-one meeting—A meeting between peers to discuss a topic
 Interview—A face-to-face interaction with subject matter experts or those with direct experience of an
event or situation
Risk Response

 Once the risk analysis is complete, management must address each specific risk. There are four possible
responses to risk:
• Reduce or mitigate: the implementation of safeguards and countermeasures to eliminate vulnerabilities or block threats.
• Assign or transfer: assigning risk or transferring risk is the placement of the cost of loss a risk represents onto another entity or organization.
• Accept: the valuation by management of the cost/benefit analysis of possible safeguards and the determination that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.
• Reject or ignore: a final but unacceptable possible response to risk is to reject or ignore risk. Denying that a risk exists and hoping that it will never be realized are not valid or prudent due-care responses to risk.
Risk Response

 Residual risk
 Once countermeasures are implemented, the risk that remains is known as residual risk.
 Residual risk comprises threats to specific assets against which upper management chooses not to
implement a safeguard.
 Residual risk is the risk that management has chosen to accept rather than mitigate.
 In most cases, the presence of residual risk indicates that the cost/benefit analysis showed that the available safeguards were not cost-effective deterrents.
 Total risk
 The amount of risk an organization would face if no safeguards were implemented.
 A formula for total risk is as follows:

threats * vulnerabilities * asset value = total risk


Countermeasure Selection and Assessment

 The cost of the countermeasure should be less than the value of the asset.
 The cost of the countermeasure should be less than the benefit of the countermeasure.
 The result of the applied countermeasure should make the cost of an attack greater for the perpetrator than the derived
benefit from an attack.
 The countermeasure should provide a solution to a real and identified problem. (Don’t install countermeasures just because
they are available, are advertised, or sound cool.)
 The benefit of the countermeasure should be testable and verifiable.
 The countermeasure should provide consistent and uniform protection across all users, systems, protocols, and so on.
 The countermeasure should have few or no dependencies to reduce cascade failures.
 The countermeasure should require minimal human intervention after initial deployment and configuration.
 The countermeasure should be tamperproof.
 The countermeasure should have overrides accessible to privileged operators only.
 The countermeasure should provide fail-safe and/or fail-secure options.
Implementation based security controls

 Security controls or countermeasures or safeguards can be implemented administratively, logically/technically, or physically.
 One method of classifying security controls is based on how they are implemented.
 These three categories of security mechanisms should be implemented
Administrative

 Administrative access controls are the policies and procedures defined by an organization’s security policy and other regulations
or requirements.
 They are sometimes referred to as management controls.
 These controls focus on personnel and business practices.
 Examples of administrative access controls include
• policies,
• procedures,
• hiring practices,
• background checks,
• data classifications and labeling,
• security awareness and training efforts,
• vacation history,
• reports and reviews,
• work supervision,
• personnel controls, and testing.
Technical

 Technical or logical access involves the hardware or software mechanisms used to manage access and to
provide protection for resources and systems.
 It uses technology.
• authentication methods (such as usernames, passwords, smartcards, and biometrics),
• encryption,
• constrained interfaces,
• access control lists,
• protocols,
• firewalls,
• routers,
• intrusion detection systems (IDSs).
Physical

 Physical access controls are items you can physically touch.


 They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or
areas within a facility.
 Examples of physical access controls include
 guards,
 fences,
 motion detectors,
 locked doors,
 sealed windows,
 lights,
 cable protection,
 laptop locks,
 badges,
 swipe cards,
 guard dogs,
 video cameras,
 mantraps,
 and alarms.
Goal-Based Security Controls

 Preventive controls: attempt to prevent an incident from occurring.
 Detective controls: attempt to detect incidents after they have occurred.
 Corrective controls: attempt to reverse the impact of an incident.
 Deterrent controls: attempt to discourage individuals from causing an incident.
 Compensating controls: are alternative controls used when a primary control is not feasible.
 Common controls: are implemented across multiple ICT systems.
Goal-Based Security Controls cont…
Monitoring and Measurement

 Security controls should provide benefits that can be monitored and measured.

 If a security control’s benefits cannot be quantified, evaluated, or compared, then it does not actually
provide any security.

 Cyber risk management is a continual process, monitor your risks to make sure they are still acceptable,
review your controls to make sure they are still fit for purpose, and make changes as required.

 A significant improvement in security should be identified to clearly justify the expense of new
countermeasure deployment.
Continuous Improvement

 Risk analysis is performed to provide upper management with the details necessary to decide which risks
should be mitigated, which should be transferred, and which should be accepted.
 The result is a cost/benefit comparison between the expected cost of asset loss and the cost of deploying
safeguards against threats and vulnerabilities.
 Risk analysis identifies risks, quantifies the impact of threats, and aids in budgeting for security.
 It helps integrate the needs and objectives of the security policy with the organization’s business goals and
intentions.
 Threats and vulnerabilities constantly change, and the risk assessment needs to be redone periodically in
order to support continuous improvement.
 Security is always changing; an implemented security solution requires updates and changes over time.
DRIVERS, LAWS, AND REGULATIONS

 Federal Information Security Management Act of 2002 or FISMA for federal agencies.
 Gramm-Leach-Bliley Act or GLBA for financial institutions.
 Health Insurance Portability and Accountability Act or HIPAA, which is focused on healthcare providers, insurers, and employers.
Gramm-Leach-Bliley Act (GLBA)

 The Gramm-Leach-Bliley Act, or GLBA, primarily affects financial institutions.

 GLBA defines financial institutions as companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.
 It requires institutions to establish standards and safeguards around administrative, technical, and physical security.
 These safeguards are meant to protect against anticipated threats and hazards and ensure the security and
integrity of company and customer information and information systems.

 Institutions that need to maintain GLBA compliance are required to assess the risks of reasonably
foreseeable threats, and in particular those that could result in unauthorized disclosure, misuse, alteration,
and destruction of information and information systems.
The Health Insurance Portability and Accountability Act

 The Health Insurance Portability and Accountability Act (HIPAA) focuses on healthcare providers, insurers,
and employers.

 HIPAA focuses on the need to adequately and effectively protect Electronic Protected Health Information (ePHI) by adhering to good business practices for systems handling ePHI.

 HIPAA requires all covered entities (healthcare providers, insurers, etc.) and their Business Associates
(vendors, contractors, etc.) to conduct an accurate and thorough Risk Analysis (or a Risk Assessment).

 This Risk Analysis should assess the potential risks and vulnerabilities that could affect the confidentiality,
integrity, and availability of ePHI.
Risk Frameworks

 A risk framework is a guideline or recipe for how risk is to be assessed, resolved, and monitored
 OCTAVE,
 FAIR,
 NIST,
 ISO27005
End

Any Questions?
Let’s Go for the next Topic. 