Chapter 2 Risk Management

January 4, 2019 | Author: m4k078 | Category: Risk Management, Risk Assessment, Risk, Vulnerability (Computing), Threat (Computer)



Certified Information Security Manager (CISM) Kelly Handerhan, Instructor 

Chapter 2: Risk Management

RISK MANAGEMENT

Processes of identifying, analyzing, assessing, mitigating, or transferring risk. Its main goal is the reduction of the probability or impact of a risk. Summary topic that includes all risk-related actions.

CISM


WHERE DO RISKS COME FROM?

• Manmade
  • Disgruntled Employees
  • Fraud
  • Strikes
  • Corporate/Political Espionage
• Physical
  • Fire
  • Flood
  • Earthquake
• Technical
  • Viruses
  • Power
  • Hardware Failure

RISK MANAGEMENT

Risk-related Definitions

Risk Management
• Risk Assessment
  • Identify and Valuate Assets
  • Identify Threats and Vulnerabilities
  • PSE (Preliminary Security Evaluation)
• Risk Analysis
  • Qualitative
  • Quantitative
• Risk Mitigation/Response
  • Reduce
  • Accept
  • Transfer
  • Avoid
  • Reject
• Ongoing Controls Evaluation

HOW MUCH SECURITY IS ENOUGH?

Just enough.


RISK RELATED DEFINITIONS

• Risk: Likelihood that a threat will exploit a vulnerability in an asset
• Threat: Has the potential to harm an asset
• Vulnerability: A weakness; a lack of a safeguard
• Exploit: Instance of compromise
• Controls: Protective mechanisms to secure vulnerabilities
  • Safeguards: Proactive
  • Countermeasures: Reactive mechanism
• Secondary Risk: Risk event that comes as a result of another risk response
• Residual Risk: The amount of risk left over after a risk response
• Fallback Plan: “Plan B”
• Workaround: Unplanned response (for unidentified risk or when other responses don’t work)


ASSESSMENT

• Identify and Valuate Assets
• Identify Threats and Vulnerabilities
• Methodologies:
  • OCTAVE: an approach where analysts identify assets and their criticality, identify vulnerabilities and threats, and base the protection strategy on reducing risk
  • FRAP: Facilitated Risk Analysis Process. Qualitative analysis used to determine whether or not to proceed with a quantitative analysis. If likelihood or impact is too low, the quantitative analysis is foregone.
  • NIST 800-30: Risk Management Guide for Information Technology Systems


NIST 800-30

9 Step Process:

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation


RISK ANALYSIS

• Qualitative
  • Subjective analysis to help prioritize probability and impact of risk events. May use Delphi Technique
• Quantitative:
  • Providing a dollar value to a particular risk event
  • Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set
  • Business decisions are made on a quantitative analysis
  • Can't exist on its own. Quantitative analysis depends on qualitative information

QUALITATIVE ANALYSIS

• Subjective in nature
• Uses words like “high”, “medium”, “low” to describe likelihood and severity (or probability and impact) of a threat exposing a vulnerability
• Delphi technique is often used to solicit objective opinions


QUANTITATIVE ANALYSIS

• More experience required than with qualitative
• Involves calculations to determine a dollar value associated with each risk event
• Business decisions are made on this type of analysis
• Goal is to determine the dollar value of a risk and use that amount to determine what the best control is for a particular asset
• Necessary for a cost/benefit analysis


QUANTITATIVE ANALYSIS FORMULAS AND DEFINITIONS

• (AV) Asset Value: Dollar figure that represents what the asset is worth to the organization
• (EF) Exposure Factor: The percentage of loss that is expected to result from the manifestation of a particular risk event
• (SLE) Single Loss Expectancy: Dollar figure that represents the cost of a single occurrence of a threat instance
• (ARO) Annual Rate of Occurrence: How often the threat is expected to materialize
• (ALE) Annual Loss Expectancy: Cost per year as a result of the threat
• (TCO) Total Cost of Ownership: The total cost of implementing a safeguard. Often, in addition to initial costs, there are ongoing maintenance fees as well
• (ROI) Return on Investment: Amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control


QUANTITATIVE ANALYSIS FORMULAS AND DEFINITIONS CONTINUED

SLE = AV * EF
ALE = SLE * ARO
TCO = Initial Cost of Control + Yearly fees
Return on Investment (Value of Control) = ALE (before implementing control) - ALE (after implementing control) - cost of control


QUANTITATIVE ANALYSIS EXAMPLE

Assume your company has 500 systems that contain PII (Personally Identifiable Information). You need to convince management of the need to implement controls to secure customer information. Though the systems cost $2,000 apiece, the true value of the laptops is $10,000 ($8,000 for the potentially exposed PII). $10,000 is the AV for each resource. Over the past ten years, we have suffered a total of thirty compromises. There is already a control in place that provides limited protection. Currently, in the event that an attack compromises the confidentiality of this information, 75% of data will be compromised.

• Asset value is $10,000; Exposure Factor is 75%
• The Single Loss Expectancy is $7,500 (AV*EF)
• Your ARO is 30/10 (number of compromises/years evaluated) = 3
• The annual loss expectancy is currently $22,500 (SLE*ARO)


TCO EXAMPLE

To deploy antivirus software within an organization has an upfront cost of $50 per computer. There are 500 computers, so the initial cost will be $25,000. The software vendor charges an additional 5% yearly fee to upgrade the software, or $1,250 per year. It will take 2 hours per computer to install and configure this software, 1,000 hours in total. The staff makes 30 dollars per hour. The company is evaluating costs for a 4 year period.

• Cost of software: $25,000
• 4 year vendor support: $5,000
• Staff cost: $30,000
• TCO of control = $60,000
• TCO of control per year = $15,000


ROI EXAMPLE

After implementing the software, your exposure factor drops to 20%. What is the ROI for the control?

• After implementing the control, the SLE will be Asset value of $10,000 * Exposure Factor of 20% = $2,000
• ALE will be $6,000, or SLE ($2,000) * ARO (3)
• ROI = ALE (Before) $22,500 - ALE (After) $6,000 - Yearly TCO of Control $15,000 = $1,500 (Return on investment/Value of Control)

This is a positive outcome and the control should be implemented. If ROI is negative, it is a bad decision to implement the control.
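The formulas and the worked example above (SLE, ALE, TCO, ROI), implemented as an added Python example that is not code from the slides or the instructor; the function names and the result dictionary are choices made for this example, and exposure factors are passed in percent as the slides give them:

```python
# Added example, not code from the CISM slides: the chapter's formulas as
# functions, run on the PII laptop / antivirus figures from the example slides.
# Exposure factors are given in percent (75, 20), as on the slides.

def sle(av, ef_pct):
    """Single Loss Expectancy = AV * EF (EF as a percentage of the asset value)."""
    return av * ef_pct / 100

def ale(av, ef_pct, aro):
    """Annual Loss Expectancy = SLE * ARO."""
    return sle(av, ef_pct) * aro

def tco(initial_cost, yearly_fees, years):
    """Total Cost of Ownership = initial cost + yearly fees over the evaluation period."""
    return initial_cost + yearly_fees * years

def roi(ale_before, ale_after, yearly_control_cost):
    """Value of the control = ALE(before) - ALE(after) - yearly cost of the control.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return ale_before - ale_after - yearly_control_cost

def pii_example():
    """The slides' worked example: AV $10,000 per system, 30 compromises in 10 years,
    EF 75% with the existing control and 20% after deploying antivirus."""
    av = 10_000
    aro = 30 / 10                       # compromises per year evaluated
    ale_before = ale(av, 75, aro)       # $22,500
    ale_after = ale(av, 20, aro)        # $6,000
    # TCO: $50 * 500 computers up front, 5% vendor fee per year, 2 h * 500 * $30/h staff,
    # evaluated over 4 years (as on the TCO slide)
    software = 50 * 500
    staff = 2 * 500 * 30
    total = tco(software, software * 5 / 100, 4) + staff
    yearly = total / 4
    return {
        "sle_before": sle(av, 75),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "tco": total,
        "tco_per_year": yearly,
        "roi": roi(ale_before, ale_after, yearly),
    }

if __name__ == "__main__":
    for name, value in pii_example().items():
        print(f"{name:>13}: ${value:,.2f}")
```

The same functions answer the scenario questions that follow: feed in the scenario's AV, EF (in percent) and ARO, and compare ALE before and after the countermeasure against its yearly cost.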


QUANTITATIVE ANALYSIS SCENARIO 1

Scenario 1: A widget manufacturer has installed new network servers, changing its network from a peer-to-peer network to a client/server-based network. The network consists of 200 users who make an average of $20 an hour, working on 100 workstations. Previously, none of the workstations involved in the network had anti-virus software installed on the machines. This was because there was no connection to the Internet, and the workstations didn’t have floppy disk drives or Internet connectivity, so the risk of viruses was deemed minimal. One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive email, and surf the Internet. One of the managers read in a trade magazine that other widget companies have reported an 80 percent chance of viruses infecting their network after installing T1 lines and other methods of Internet connectivity, and that it may take upwards of three hours to restore data that’s been damaged or destroyed. A vendor will sell licensed copies of anti-virus software for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software.

1. What is the Annualized Rate of Occurrence (ARO) for this risk?
2. Calculate the Single Loss Expectancy (SLE) for this risk.
3. Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.
4. Determine whether it is beneficial in terms of monetary value to purchase the anti-virus software by calculating how much money would be saved or lost by purchasing the software.


QUANTITATIVE ANALYSIS SCENARIO 2

You have a warehouse whose value is $1,000,000 (between actual structure and contents). If a fire were to occur it is expected that 40% of the warehouse would be damaged. The risk of a fire per year is 8%.

1) What is the Exposure Factor? (It's directly given in the problem above.)
2) What is the Single Loss Expectancy of a fire?
3) What is the Annual Rate of Occurrence?
4) What is the Annual Loss Expectancy of a fire to the warehouse?

Now suppose we can buy a fire suppression system that would reduce the damage to the warehouse if a fire occurred to 15% (from 40%). The cost of the countermeasure is $5,000.00.

5) What would the new Exposure Factor be?
6) What would the new SLE be?
7) Would the ARO change?
8) Would the ALE change?
9) If the ALE changes, what’s the new ALE?
10) Should you buy the countermeasure for this year?
11) If so, how much money would you be “saving” this year?
12) If we have to renew the countermeasure every year (i.e. pay $5,000 per year), is it still worth it?


QUANTITATIVE ANALYSIS SCENARIO 3

Scenario 3: When performing a risk assessment you have developed the following values for a specific threat/risk pair. Asset value = 100K, exposure factor = 35%; Annual rate of occurrence is 5 times per year; the cost of a recommended safeguard is $5000 per year, which will reduce the annual loss expectancy in half. What is the SLE?

a) $175,000
b) $35,000
c) $82,500
d) $87,500


RISK MITIGATION

• Quantitative Analysis leads to the proper risk mitigation strategy.
  • Reduce
  • Accept
  • Transfer
  • Avoidance
  • Rejection


ADDITIONAL RISK TERMS

• Total Risk: The risk that exists before any control is implemented
• Residual Risk: Leftover risk after applying a control
• Secondary Risk: When one risk response triggers another risk event




RISK MANAGEMENT PROCESS REVIEW

• Risk Assessment
  • Usually the most difficult to accomplish
  • Many unknowns
  • Necessary effort of gathering the right data
• Risk Analysis:
  • Can be done qualitatively and/or quantitatively
• Risk Mitigation
  • Take steps to reduce risk to acceptable level
  • Maintain that risk level

***Remember - Risk must be managed, since it cannot be totally eliminated
