2. Table of Contents
• How Much Security Do You Really Need
• Risk Management
• Information Security Risk Assessment
• Case Studies
• Risk Assessment in Practice.
3. Risk and Risk management
• Risk is the potential that a given threat will
exploit vulnerabilities of an asset or group of
assets and thereby cause harm to the organization
• Risk management--- “Process of identifying,
controlling and minimizing or eliminating
security risks that may affect information systems,
for an acceptable cost.”
• Risk assessment--- “ assessment of threats to,
impact on and vulnerabilities of information and
information processing facilities and the
likelihood of their occurrence.”
4. Who is the enemy? Why do they do it?
• Offenders
– Crackers---mostly teenagers doing it as an intellectual
challenge
– Information system’s criminals---Espionage and/or
Fraud/abuse---for a nation/company to gain a
competitive advantage over its rivals
– Vandals---authorized users and strangers (cracker
or a criminal)---motivated by anger directed at an
individual/organization/life in general
5. Motives of Cyber Criminal
• Power assurance---to restore criminal’s self-
confidence or self-worth through low-aggression
means;
• Power assertive---to restore criminal’s self-
confidence or self-worth through moderate- to
high-aggression;
• Anger (retaliatory)---rage towards a person,
group, institution, or a symbol
• Sadistic---derive gratification from the
pain/suffering of others
• Profit-oriented---material or personal gain
7. Types of Damage
• Interruption---destroyed/unavailable
services/resources
• Interception---unauthorized party snooping or
getting access to a resource
• Modification--- unauthorized party modifying
a resource
• Fabrication---unauthorized party inserts a fake
asset/resource
8. The purpose of risk management
• Ensure overall business and business assets are
safe
• Protect against competitive disadvantage
• Compliance with laws and best business
practices
• Maintain a good public reputation
9. Accountability for Risk Management
• It is the responsibility of each community of interest to
manage risks; each community has a role to play:
– Information Security - best understands the threats and attacks
that introduce risk into the organization
– Management and Users – play a part in the early detection and
response process - they also ensure sufficient resources are
allocated
– Information Technology – must assist in building secure
systems and operating them safely
10. Accountability for Risk Management
• All three communities must also:
– Evaluate the risk controls
– Determine which control options are cost effective
– Assist in acquiring or installing needed controls
– Ensure that the controls remain effective
[Figure: a balance weighing the value of assets against the cost of protecting those assets]
11. Risk Matrix
Likelihood (down) against impact (across):
LIKELIHOOD \ IMPACT   NEGLIGIBLE  MINOR   MODERATE  SEVERE     CRITICAL
VERY LIKELY           LOW         MEDIUM  HIGH      VERY HIGH  UNACCEPTABLE
LIKELY                LOW         MEDIUM  HIGH      HIGH       VERY HIGH
MODERATELY LIKELY     LOW         LOW     MEDIUM    HIGH       HIGH
UNLIKELY              LOW         LOW     LOW       MEDIUM     MEDIUM
VERY UNLIKELY         LOW         LOW     LOW       LOW        LOW
12. Steps of a risk management plan
• Step 1: Identify Risk
• Step 2: Assess Risk
• Step 3: Control Risk
• Steps are similar regardless of context
(InfoSec, Physical Security, Financial, etc.)
• This presentation will focus on controlling risk
within an InfoSec context
13. Risk Identification
• The steps to risk identification are:
– Identify your organization’s information assets
– Classify and categorize said assets into useful
groups
– Rank assets by their necessity to the organization
To the right is a simplified example of how a company
may identify risks
14. Risk Assessment
• The steps to risk assessment are:
– Identify threats and threat agents
– Prioritize threats and threat agents
– Assess vulnerabilities in current InfoSec plan
– Determine risk of each threat
R = P * V – M + U
R = Risk
P = Probability of threat attack
V = Value of Information Asset
M = Mitigation by current controls
U = Uncertainty of vulnerability
The table to the right combines elements of all of these in a
highly simplified format
15. Risk control
• The steps to risk control are:
– Cost-Benefit Analysis (CBA)
  • Single Loss Expectancy (SLE)
  • Annualized Rate of Occurrence (ARO)
  • Annual Loss Expectancy (ALE)
  • Annual Cost of the Safeguard (ASG)
– Feasibility Analysis
  • Organizational Feasibility
  • Operational Feasibility
  • Technical Feasibility
  • Political Feasibility
– Risk Control Strategy Implementation
16. Cost-Benefit analysis
• Determine what risk control strategies are cost effective
• Below are some common formulas used to calculate cost-benefit analysis
• SLE = AV * EF
– AV = Asset Value, EF = Exposure factor (% of asset affected)
• ALE = SLE * ARO
• CBA = ALE (pre-control) – ALE (post-control) – ACE
– ACE = the annual cost of the safeguard (ASG on the previous slide)
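The formulas above carried through for one asset and three candidate safeguards, as an added example that is not part of the slides. The asset value, exposure factors, occurrence rates and safeguard costs are constructed figures; the term ACE in the CBA formula is taken to be the annual cost of the safeguard.

```python
"""Cost-benefit analysis of candidate safeguards using the slide's formulas.

Added example (not from the slides):
    SLE = AV * EF
    ALE = SLE * ARO
    CBA = ALE(pre-control) - ALE(post-control) - annual cost of the safeguard
All figures below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of the asset's value lost per incident (0.0-1.0)
    aro: float                # ARO, expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: what one incident costs."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("annualized rate of occurrence cannot be negative")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected yearly loss from this exposure."""
        return self.sle() * self.aro


def cost_benefit(pre: Scenario, post: Scenario, annual_safeguard_cost: float) -> float:
    """Net annual benefit of a safeguard; a negative value means it costs more than it saves."""
    return pre.ale() - post.ale() - annual_safeguard_cost


def rank_safeguards(pre: Scenario,
                    options: Dict[str, Tuple[Scenario, float]]) -> List[Tuple[str, float]]:
    """Order candidate safeguards by CBA, best first.

    options maps a safeguard name to (scenario after the safeguard, its annual cost).
    """
    scored = {name: cost_benefit(pre, post, cost) for name, (post, cost) in options.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed scenario: a customer database valued at 500,000; a breach is assumed to
# destroy 40% of its value and to happen about once every two years with current controls.
PRE = Scenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)

OPTIONS: Dict[str, Tuple[Scenario, float]] = {
    # encryption at rest: halves the exposure factor, ARO unchanged, 15,000 per year
    "encrypt-at-rest": (Scenario(500_000, 0.20, 0.5), 15_000),
    # network segmentation: ARO drops to once in ten years, 60,000 per year
    "segmentation": (Scenario(500_000, 0.40, 0.1), 60_000),
    # expensive appliance that barely moves either factor, 90,000 per year
    "gold-plated-box": (Scenario(500_000, 0.38, 0.45), 90_000),
}

if __name__ == "__main__":
    print(f"SLE pre-control: {PRE.sle():,.0f}   ALE pre-control: {PRE.ale():,.0f}")
    for name, cba in rank_safeguards(PRE, OPTIONS):
        verdict = "worth it" if cba > 0 else "rejected"
        print(f"{name:18s} CBA = {cba:>10,.0f}  ({verdict})")
```

With these inputs the pre-control ALE is 100,000 per year; encryption at rest nets 35,000, segmentation nets 20,000, and the appliance comes out at minus 75,500, so the ranking alone tells you which control to fund first and which to drop.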
17. Feasibility analysis
• Organizational: Does the plan correspond to the organization’s
objectives? What is in it for the organization? Does it limit the
organization’s capabilities in any way?
• Operational: Will stakeholders (users, managers, etc.) be
able/willing to accept the plan? Is the system compatible with the
new changes? Have the possible changes been communicated to the
employees?
• Technical: Is the necessary technology owned or obtainable? Are our
employees trained and if not can we afford to train them? Should we
hire new employees?
• Political: Can InfoSec acquire the necessary budget and approval to
implement the plan? Is the budget required justifiable? Does InfoSec
have to compete with other departments to acquire the desired
budget?
19. Risk control Strategy: defense
• Defense: Prevent the exploitation of the system via application of policy,
training/education, and technology. Preferably layered security (defense in depth)
– Counter threats
– Remove vulnerabilities from assets
– Limit access to assets
– Add protective safeguards
20. Risk control Strategy: transferal
• Transferal: Shift risks to other areas or outside entities to handle
• Can include:
– Purchasing insurance
– Outsourcing to other organizations
– Implementing service contracts with providers
– Revising deployment models
22. Risk control Strategy: Acceptance
• Acceptance: appropriate when:
– The cost to protect an asset or assets exceeds the cost to replace it/them
– The probability of risk is very low and the asset is of low priority
• Otherwise acceptance = negligence
23. Risk control Strategy: Termination
• Termination: Removing or discontinuing the information asset from the organization
• Examples include:
– Equipment disposal
– Discontinuing a provided service
– Firing an employee
24. Pros and cons of each strategy
Pros
• Defense: Preferred all round
approach
• Transferal: Easy and
effective
• Mitigation: Effective when
all else fails
• Acceptance: Cheap and easy
• Termination: Relatively
cheap and safe
Cons
• Defense: Expensive and
laborious
• Transferal: Dependence on
external entities
• Mitigation: Guarantees
company loss
• Acceptance: Rarely
appropriate, unsafe
• Termination: Rarely
appropriate, requires company
loss
25. Standard approaches to risk
management
• U.S. CERT's Operationally Critical Threat, Asset, and
Vulnerability Evaluation (OCTAVE) Methods
(Original, OCTAVE-S, OCTAVE-Allegro)
• ISO 27005 Standard for InfoSec Risk Management
• NIST Risk Management Model
• Microsoft Risk Management Approach
• Jack A. Jones’ Factor Analysis of Information Risk
(FAIR)
• Delphi Technique
26. Risk Determination (Principles of Information Security, Chapter 3, slide 26)
For the purpose of relative risk assessment:
RISK = (likelihood of vulnerability occurrence × value or impact)
MINUS percentage of risk already controlled
PLUS an element of uncertainty
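A worked ranking that applies this relative-risk formula (and slide 14's R = P * V – M + U) to a handful of vulnerabilities, as an added example that is not part of the slides. It assumes the "percentage already controlled" and "uncertainty" terms are fractions of likelihood × value, so M = P*V*controlled and U = P*V*uncertainty; every asset, likelihood and percentage below is a constructed figure.

```python
"""Relative risk ranking of information-asset vulnerabilities.

Added example, not from the slides. It computes
    RISK = (likelihood x value) - (percentage already controlled) + (uncertainty)
with both percentage terms taken as fractions of likelihood x value, which is
slide 14's R = P*V - M + U with M = P*V*controlled and U = P*V*uncertainty.
All assets and estimates below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    description: str
    likelihood: float    # P: 0.0 (will not occur) to 1.0 (certain) within the review period
    asset_value: float   # V: relative value from the asset valuation step (here 1-100)
    controlled: float    # fraction of the risk already mitigated by existing controls
    uncertainty: float   # fraction expressing how unsure we are about the figures above

    def risk(self) -> float:
        for name in ("likelihood", "controlled", "uncertainty"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must lie in [0, 1], got {value}")
        base = self.likelihood * self.asset_value          # P * V
        mitigated = base * self.controlled                 # M: credit for current controls
        uncertain = base * self.uncertainty                # U: penalty for shaky estimates
        return base - mitigated + uncertain


def rank_by_risk(vulns: Iterable[Vulnerability]) -> List[Vulnerability]:
    """Highest relative risk first, so the top of the list is what to protect first."""
    return sorted(vulns, key=lambda v: v.risk(), reverse=True)


# Constructed worked set (expected risk in the trailing comment)
VULNS = [
    Vulnerability("Customer DB", "unpatched DB server", 1.0, 50, 0.00, 0.10),         # 50 - 0 + 5 = 55
    Vulnerability("Web server", "weak TLS configuration", 0.5, 100, 0.50, 0.10),      # 50 - 25 + 5 = 30
    Vulnerability("Web server", "outdated CMS plugin", 0.1, 100, 0.00, 0.20),         # 10 - 0 + 2 = 12
    Vulnerability("HR file share", "overly broad permissions", 0.8, 30, 0.25, 0.05),  # 24 - 6 + 1.2 = 19.2
]

if __name__ == "__main__":
    for v in rank_by_risk(VULNS):
        print(f"{v.risk():6.1f}  {v.asset:14s} {v.description}")
```

Note that the uncertainty term can only raise the score: a poorly understood vulnerability ranks above an equally likely one whose data is trusted, which is the conservative ordering you want when deciding where to spend assessment effort next.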
27. Access Controls
• One particular application of controls is in the area of
access controls
• Access controls are those controls that specifically
address admission of a user into a trusted area of the
organization
• There are a number of approaches to controlling access
• Access controls can be
– discretionary
– mandatory
– nondiscretionary
28. Types of Access Controls
• Discretionary Access Controls (DAC) are implemented at
the discretion or option of the data user
• Mandatory Access Controls (MACs) are structured and
coordinated with a data classification scheme, and are required
• Nondiscretionary Controls are those determined by a central
authority in the organization and can be based on that individual’s
role
29. Lattice-based Control
• Another type of nondiscretionary access is lattice-based
control, where a lattice structure (or matrix) is created
containing subjects and objects, and the boundaries
associated with each pair are recorded
• This specifies the level of access each subject has to each
object
• In a lattice-based control the column of attributes
associated with a particular object is referred to as an
access control list or ACL
• The row of attributes associated with a particular subject
(such as a user) is referred to as a capabilities table
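A small access matrix that makes the two views concrete, as an added example that is not part of the slides: the column for an object is its ACL, the row for a subject is its capability table, and the same cell answers the access-time check. The subjects, objects and rights are constructed.

```python
"""Lattice-based access control as a sparse subject x object matrix.

Added example, not from the slides. The column for an object is its ACL, the
row for a subject is its capability table. Subjects, objects and rights are constructed.
"""
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]


class AccessMatrix:
    """Sparse matrix: a missing cell means no access at all (default deny)."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        """Central authority (nondiscretionary) adds rights to one cell."""
        self._cells.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get((subject, obj))
        if cell is None:
            return
        cell.difference_update(rights)
        if not cell:                       # drop empty cells so ACLs and capability tables stay tidy
            del self._cells[(subject, obj)]

    def acl(self, obj: str) -> Dict[str, Rights]:
        """The column for one object: every subject holding rights on it (the object's ACL)."""
        return {s: frozenset(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> Dict[str, Rights]:
        """The row for one subject: what it may do to each object (its capability table)."""
        return {o: frozenset(r) for (s, o), r in self._cells.items() if s == subject}

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Authorization decision made at access time; unknown subjects or objects are denied."""
        return right in self._cells.get((subject, obj), set())


def build_sample() -> AccessMatrix:
    """Constructed matrix for a small HR system."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("alice", "hr-reports", "read")
    m.grant("svc-backup", "payroll.db", "read")
    m.grant("svc-backup", "hr-reports", "read")
    return m


if __name__ == "__main__":
    m = build_sample()
    print("ACL for payroll.db:      ", m.acl("payroll.db"))
    print("Capabilities of alice:   ", m.capabilities("alice"))
    print("carol may read payroll? ", m.check("carol", "payroll.db", "read"))
    m.revoke("bob", "payroll.db", "read")
    print("ACL after revoking bob:  ", m.acl("payroll.db"))
```

Both views are derived from the same cells, so granting or revoking in one place keeps ACLs and capability tables consistent; real systems that store ACLs and capabilities separately have to keep them synchronised, which is where stale entitlements creep in.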
30. Documenting Results of
Risk Assessment
• The goal of this process has been to identify the
information assets of the organization that have specific
vulnerabilities and create a list of them, ranked for focus
on those most needing protection first
• In preparing this list we have collected and preserved
factual information about the assets, the threats they face,
and the vulnerabilities they experience
• We should also have collected some information about
the controls that are already in place
31. Asset Identification and Valuation
• This iterative process begins with the
identification of assets, including all of the
elements of an organization’s system
• Then, we classify and categorize the assets adding
details as we dig deeper into the analysis
33. Hardware, Software, and Network Asset
Identification
• Automated tools can sometimes uncover the system elements that make
up the hardware, software, and network components
• Once created, the inventory listing must be kept current, often
through a tool that periodically refreshes the data
[Figure: a workstation surrounded by countermeasures: firewall, certificates, PKI,
system audits, physical security, Redundant Array of Inexpensive Drives (RAID),
Uninterrupted Power Supply (UPS), tape backups, user training, password protection,
system certification and accreditation]
34. Hardware, Software, and Network Asset
Identification
• What attributes of each of these information assets
should be tracked?
• When deciding which information assets to track,
consider including these asset attributes:
– Name
– IP address
– MAC address
– Element type
– Serial number
– Manufacturer name
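One way a periodic refresh can keep the listing current, as an added example that is not part of the slides: a fresh discovery scan is reconciled against the stored inventory, and each record carries the attributes listed above. The inventory, the scan output, and the choice of MAC address as the matching key are constructed assumptions.

```python
"""Reconciling a hardware/network asset inventory against a fresh discovery scan.

Added example, not from the slides. Records carry the attributes slide 34 lists.
The inventory, the scan results and the use of the MAC address as the matching
key are constructed assumptions for illustration.
"""
from dataclasses import dataclass, fields
from typing import Any, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    ip_address: str
    mac_address: str
    element_type: str
    serial_number: str
    manufacturer: str


def _key(asset: Asset) -> str:
    # Assumption: the MAC address identifies a device across scans. Normalise case so
    # "AA:BB:..." from one tool matches "aa:bb:..." from another.
    return asset.mac_address.strip().lower()


def _index(assets: Iterable[Asset], label: str) -> Dict[str, Asset]:
    index: Dict[str, Asset] = {}
    for a in assets:
        k = _key(a)
        if k in index:
            raise ValueError(f"duplicate MAC {k} in {label}: {index[k].name!r} and {a.name!r}")
        index[k] = a
    return index


def reconcile(inventory: Iterable[Asset], scan: Iterable[Asset]) -> Dict[str, Any]:
    """Return devices newly seen, devices no longer seen, and attribute changes."""
    inv = _index(inventory, "inventory")
    seen = _index(scan, "scan")
    new = sorted((seen[k] for k in seen.keys() - inv.keys()), key=_key)
    missing = sorted((inv[k] for k in inv.keys() - seen.keys()), key=_key)
    changed: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for k in inv.keys() & seen.keys():
        diffs = {}
        for f in fields(Asset):
            if f.name == "mac_address":          # already compared (case-insensitively) via the key
                continue
            before, after = getattr(inv[k], f.name), getattr(seen[k], f.name)
            if before != after:
                diffs[f.name] = (before, after)
        if diffs:
            changed[inv[k].name] = diffs
    return {"new": new, "missing": missing, "changed": changed}


# Constructed inventory and scan
INVENTORY: List[Asset] = [
    Asset("ws-01", "10.0.1.10", "aa:bb:cc:00:00:01", "workstation", "SN-1001", "ExampleCorp"),
    Asset("db-01", "10.0.2.5", "aa:bb:cc:00:00:02", "server", "SN-2002", "ExampleCorp"),
    Asset("prn-01", "10.0.1.50", "aa:bb:cc:00:00:03", "printer", "SN-3003", "ExamplePrint"),
]
SCAN: List[Asset] = [
    Asset("ws-01", "10.0.1.11", "AA:BB:CC:00:00:01", "workstation", "SN-1001", "ExampleCorp"),
    Asset("db-01", "10.0.2.5", "aa:bb:cc:00:00:02", "server", "SN-2002", "ExampleCorp"),
    Asset("unknown", "10.0.1.77", "aa:bb:cc:00:00:04", "unknown", "", ""),
]

if __name__ == "__main__":
    result = reconcile(INVENTORY, SCAN)
    print("new devices:    ", [a.name for a in result["new"]])
    print("missing devices:", [a.name for a in result["missing"]])
    print("changed:        ", result["changed"])
```

Each of the three buckets maps to a follow-up: a new device needs an owner and classification before it is trusted, a missing one may be retired or simply offline, and an attribute change on a known device (here an IP move) should be confirmed against change records rather than silently overwritten.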
35. People, Procedures, and
Data Asset Identification
• Unlike the tangible hardware and software elements
already described, the human resources, documentation,
and data information assets are not as readily discovered
and documented
• These assets should be identified, described, and
evaluated by people using knowledge, experience, and
judgment
• As these elements are identified, they should also be
recorded into some reliable data handling process
36. Asset Information for People
• For People:
– Position name/number/ID – try to avoid names and
stick to identifying positions, roles, or functions
– Supervisor
– Security clearance level
– Special skills
37. Asset Information for Procedures
• For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes
38. Asset Information for Data
• For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential, relational
– Online or offline
– Where located
– Backup procedures employed
39. Information Asset Classification
• Many organizations already have a classification scheme
• Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
• Informal organizations may have to organize themselves
to create a usable data classification model
• The other side of the data classification scheme is the
personnel security clearance structure
40. Information Asset Valuation
• Each asset is categorized
• Questions to assist in developing the criteria to be used
for asset valuation:
– Which information asset is the most critical to the success of
the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to
replace?
– Which information asset would be the most expensive to
protect?
– Which information asset would be the most embarrassing or
cause the greatest liability if revealed?
42. Examples of Information Security Vulnerabilities
• Information security vulnerabilities are weaknesses that
expose an organization to risk.
• Through employees---Social interaction, Customer interaction,
Discussing work in public locations
• Through former employees---Former employees working for
competitors, Former employees retaining company data,
Former employees discussing company matters
• Through technology---Social networking, File sharing, Rapid
technological changes, Legacy systems, Storing data on
mobile devices such as mobile phones, Internet browsers
• Through hardware---Susceptibility to dust, heat and humidity,
Hardware design flaws, Out of date hardware,
Misconfiguration of hardware
43. Examples of Information Security Vulnerabilities (Cont.)
• Through software---Insufficient testing, Lack of audit trail, Software bugs
and design faults, Unchecked user input, Software that fails to consider
human factors, Software complexity (bloatware), Software as a service
(relinquishing control of data), Software vendors that go out of business or
change ownership
• Through network---Unprotected network communications, Open physical
connections, IPs and ports, Insecure network architecture, Unused user ids,
Excessive privileges, Unnecessary jobs and scripts executing, Wifi
networks
• Through IT management---Insufficient IT capacity, Missed security
patches, Insufficient incident and problem management, Configuration
errors and missed security notices, System operation errors
• Through partners and suppliers---Disruption of telecom services, Disruption of
utility services such as electric, gas, water, Hardware failure, Software
failure, Lost mail and courier packages, Supply disruptions, Sharing
confidential data with partners and suppliers
44. CASE STUDY : UN Security Risk Management
Process
45. Programme Criticality
• The programme criticality framework is a common
United Nations system framework for decision-
making that puts in place a systematic structured
approach that uses programme criticality as a way to
ensure that programme activities can be balanced
against security risks.
• The concept of criticality means the critical impact of
an activity on the population, not necessarily on the
organisation.
46. Programme Criticality
• Programme criticality assessment is mandatory in
areas with residual risk levels of ‘high’ and ‘very
high,’ as determined in the Security Risk Assessments
(SRAs).
• Primary accountability for programme criticality is
with United Nations senior management at the
country level.
47. Risk Matrix for UN programme
Likelihood (down) against impact (across):
LIKELIHOOD \ IMPACT   NEGLIGIBLE  MINOR   MODERATE  SEVERE     CRITICAL
VERY LIKELY           LOW         MEDIUM  HIGH      VERY HIGH  UNACCEPTABLE
LIKELY                LOW         MEDIUM  HIGH      HIGH       VERY HIGH
MODERATELY LIKELY     LOW         LOW     MEDIUM    HIGH       HIGH
UNLIKELY              LOW         LOW     LOW       MEDIUM     MEDIUM
VERY UNLIKELY         LOW         LOW     LOW       LOW        LOW
48. Programme Criticality
A programme criticality assessment has steps as follows:
1. Establish geographical scope and timeframe
2. List strategic results (SRs)
3. List UN activities/outputs (involving UN personnel)
4. Assess contribution to strategic results
5. Assess likelihood of implementation
6. Evaluate activities/outputs with PC1 criteria
7. View PC level results, form consensus within the UN system and
approve final results
8. Agree on a process to address and manage the results of the PC
assessment
9. Follow-up and review.
49. Programme Criticality
• There are two possible criteria for an activity to be
considered a PC1 activity:
– Either the activity is assessed as lifesaving (humanitarian or
non-humanitarian) at scale (defined as any activity to
support processes or services, including needs
assessments), that would have an immediate and significant
impact on mortality; or
– The activity is a directed activity that receives the
endorsement of the Office of the Secretary-General for this
particular situation.
50. Programme Criticality
• Risk level has no impact on programme criticality.
There must be no consideration of risk level when
determining PC.
• Programme criticality has no impact on risk level.
There must be no consideration of PC when
determining risk level.
51. Programme Criticality
Maximum Acceptable Risk per Level of Programme Criticality
Residual Risk Level   Prog Crit Level
Unacceptable          N/A
Very High             PC 1
High                  PC 2
Medium                PC 3
Low                   PC 4
[Figure: a balance between the Programme Criticality Framework and the Security Risk
Assessment, captioned "Balance Risk and Programme Criticality"]
PC1 activities in High Risk Level must be certified by the Executive Head of the UN organization and approved by the
USG DSS.
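The risk matrix (slides 11 and 47) and the "maximum acceptable risk per PC level" table above, joined into one decision routine, as an added example that is not part of the slides. The matrix cells and the PC thresholds are transcribed from the slides; the certification rule is implemented exactly as slide 51 words it (PC1 at High risk); the activity scenarios at the bottom are constructed.

```python
"""Risk-matrix lookup and the balance of residual risk against programme criticality.

Added example, not from the slides. MATRIX is transcribed from the risk matrix on
slides 11/47, MAX_ACCEPTABLE from the table on slide 51, and the certification rule
from slide 51's final sentence. The scenarios at the bottom are constructed.
"""
from typing import List, Tuple

IMPACT = ["negligible", "minor", "moderate", "severe", "critical"]
RISK_ORDER = ["low", "medium", "high", "very high", "unacceptable"]

# rows: likelihood; columns: impact in IMPACT order (transcribed from the slide)
MATRIX = {
    "very likely":       ["low", "medium", "high", "very high", "unacceptable"],
    "likely":            ["low", "medium", "high", "high", "very high"],
    "moderately likely": ["low", "low", "medium", "high", "high"],
    "unlikely":          ["low", "low", "low", "medium", "medium"],
    "very unlikely":     ["low", "low", "low", "low", "low"],
}

# Highest residual risk level at which each PC level may still proceed (slide 51).
# "unacceptable" maps to no PC level at all (N/A), so it is absent here by design.
MAX_ACCEPTABLE = {1: "very high", 2: "high", 3: "medium", 4: "low"}


def risk_level(likelihood: str, impact: str) -> str:
    """Read one cell of the matrix; unknown labels are an error, not a silent 'low'."""
    lk, im = likelihood.strip().lower(), impact.strip().lower()
    if lk not in MATRIX:
        raise ValueError(f"unknown likelihood {likelihood!r}; expected one of {list(MATRIX)}")
    if im not in IMPACT:
        raise ValueError(f"unknown impact {impact!r}; expected one of {IMPACT}")
    return MATRIX[lk][IMPACT.index(im)]


def decide(pc_level: int, residual_risk: str) -> str:
    """Compare the residual risk (after planned measures) with the PC level's ceiling."""
    if pc_level not in MAX_ACCEPTABLE:
        raise ValueError(f"PC level must be 1-4, got {pc_level}")
    risk = residual_risk.strip().lower()
    if risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level {residual_risk!r}")
    if RISK_ORDER.index(risk) > RISK_ORDER.index(MAX_ACCEPTABLE[pc_level]):
        return "not acceptable"
    # Slide 51, as worded: PC1 activities in High risk need certification by the
    # Executive Head of the organization and approval by the USG DSS.
    if pc_level == 1 and risk == "high":
        return "acceptable with certification (Executive Head + USG DSS)"
    return "acceptable"


def assess(pc_level: int, likelihood: str, impact: str) -> Tuple[str, str]:
    """Full chain: matrix cell for the residual risk, then the PC balance decision."""
    risk = risk_level(likelihood, impact)
    return risk, decide(pc_level, risk)


# Constructed activities: (description, PC level, residual likelihood, residual impact)
SCENARIOS: List[Tuple[str, int, str, str]] = [
    ("emergency food distribution", 1, "likely", "severe"),
    ("vaccination campaign", 1, "likely", "critical"),
    ("capacity-building workshop", 3, "moderately likely", "severe"),
    ("routine data collection", 4, "very unlikely", "critical"),
    ("any activity", 2, "very likely", "critical"),
]

if __name__ == "__main__":
    for desc, pc, lk, im in SCENARIOS:
        risk, verdict = assess(pc, lk, im)
        print(f"PC{pc} {desc:30s} residual risk={risk:13s} -> {verdict}")
```

Because the matrix cell for "very likely" and "critical" is "unacceptable", the last scenario is refused regardless of PC level, which matches the N/A row in the table; lowering either likelihood or impact through security measures is the only route back into the acceptable region.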
52. Other Processes with Security Implications
• Intelligence and Information Cycle.
• Strategic-level Integrated Mission Planning Process.
• Mission-level Integrated Planning, Coordination and
implementation.
• Mission Component Planning and Implementation
Processes.
• UN Budget Processes.
• Staff Selection and Managed Mobility System.
• Any other process that impacts the substance of UN
security.
53. Step 1
Setting the geographical scope and timeframe
• Where will we be
working and what is
the timeframe for the
analysis?
57. Step 5
Security Risk Assessment
• How vulnerable is the
Organization to these
threats?
• How will they affect
the Organization, and
which threats require
the most attention?
58. Step 6
Security Risk Management Decisions
• What can actually be
done about these
risks?
59. Step 7
Security Risk Management Implementation
• Procedural and budget
aspects of
implementing the
agreed security risk
management
measures.
60. Step 8
Acceptable Risk
• Is the risk acceptable
in balance with the
criticality of
programme activities?
61. Step 9
Follow up and Review
• Are the measures
working?
• Is the assessment of
risk now similar to
how it was projected?