christopher alberts audrey dorofee

Sponsored by the U.S. Department of Defense© 2004 by Carnegie Mellon University

page 1

Pittsburgh, PA 15213-3890

Rethinking Risk Management

Christopher AlbertsAudrey Dorofee

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE JAN 2004 2. REPORT TYPE

3. DATES COVERED 00-00-2004 to 00-00-2004

4. TITLE AND SUBTITLE Rethinking Risk Management

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

19

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

© 2004 by Carnegie Mellon University page 2

HIPAA Data SecurityThe Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes a standard of due care for data security in healthcare organizations.

The regulation requires each healthcare organization to conduct a security risk assessment to ensure that its security program effectively mitigates its risk.


Key QuestionsDo state-of-the-practice risk assessments accurately characterize the security risk confronting healthcare organizations?

Are some risks overlooked by state-of-the-practice risk assessments?


Example: Work Process

Activity 2

Activity 1

Activity 3

Activity 4 Mission


Example: Organizational Control

Activity 1

Activity 2

Activity 3

Activity 4 Mission

Organization A Organization B Organization C


Activity 1

Activity 2

Activity 3

Activity 4 Mission

Organization A Organization B Organization C

Inherited Risk

Example: Inherited Risk

Organization C’s risk analysis only considers what happens within its organizational boundaries. However, risk is inherited from activities performed earlier in the process.


Current RealityOutsourcing requires work products to move across organizational borders.

Distributed computing enables information to flow outside of defined system boundaries.


Current Risk Assessment Practices

State-of-the-practice risk assessments begin by drawing boundaries around the entity “being analyzed” (i.e., a technology or an organization).

These assessment techniques view risk as a static entity.

They cannot address the• flow of work and information outside of artificially

defined boundaries• complex interrelationships among processes and

technologies


The Dynamic Nature of RiskRisk must be viewed as being dynamic in nature, moving with the workflow or the information flow.

Failure to account for the dynamic nature of risk precludes development of an accurate risk profile, because much of the risk is inherited from the surrounding environment.


Common Risk Assessment Deficiencies

The operational context is not sufficiently established.

Dependencies and interrelationships among risks and risk factors are not identified.

There is a tendency for local optimization of risk mitigation efforts.• Only a subset of mission-related risk factors are

examined at any given time. • Inherited risk is not considered during the analysis.


What Is NeededA risk analysis designed for the complexities of the modern business environment, where • outsourcing of business processes are commonplace• distributed technologies have become ubiquitous


Multi-Dimensional Risk AnalysisDefines a set of objects, rules, and heuristics used to model and analyze risk

Can be tailored to many different domains and many different types of risk

Focuses on assuring the completion of defined missions

Addresses common risk assessment deficiencies


Addressing the DeficienciesAn operational model with the following attributes is developed• flow of work or information• sequencing of activities• timing of activities

Risk factors are mapped to the operational model, enabling analysis of combinatorial effects among risk factors.

Risk reduction strategies are globally optimized. • A range of mission-related risk factors are examined,

providing a balanced view of risk. • Inherited risk is integral to the analysis.


Multi-Dimensional Risk Analysis Framework

Phase 2Prepare to

Conduct Risk Analysis

Phase 1Develop

Operational Model

Phase 3Conduct Risk

Analysis

Scope and requirementsStandard domain model (optional) Operational model

Risk tools and techniques

Prioritized risksMitigation strategies


A Common Basis for Analyzing RiskMulti-Dimensional Risk

Analysis Technique

Other Risk Assessments

CSIRT Risk Assessment

Software Process Risk Assessment

Operational Security Risk Assessment

Incident Response Risk Model

Operational Security Risk

ModelOther Risk

Models

Software Process Risk

Model


Four Dimensions of RiskMission Risk

Architecture Risk

Activity Risk

Event Risk


Depth of AnalysisType I Gap Analysis

Type II Basic Risk Analysis

Type III Advanced Risk Analysis

Type IV Measured Risk Analysis


Why Focus on Incident Response?

1. Experience has shown that many organizations initially focus on incident response when developing a cyber-security capability.

2. An incident-response capability is a requirement of the HIPAA data security regulations.

3. An incident-response capability is typically distributed across multiple departments or organizations.


Project StatusFirst pilot analyzing risk to a CSIRT capability is underway. • The operational model has been developed.• Evaluations of CSIRT capabilities are beginning.

Currently looking for a second pilot in another domain.• operational security risk (HIPAA risk assessment)• software acquisition risk• unique problems (e.g., risk in operating weapons

systems, critical infrastructure risks)

christopher alberts audrey dorofee

Documents