
Page 1

Information Risk Management and Frameworks

Tyler Moore

CSE 5/7338, Tandy School of Computer Science, University of Tulsa

Outline

1 Information security risk management
  Risk acceptance
  Risk mitigation
  Risk avoidance

2 Frameworks

2 / 23

Information security risk management

Information security risk management

Just as it can be useful to translate infosec risks and defenses into the language of investment (ROSI, NPV, etc.), one must also be aware of terminology from risk management

As IT becomes essential to many businesses, the border between information security investment and general risk management has blurred

4 / 23

Information security risk management

Risk management terminology overview

Risk analysis: identification, quantification

Risk management: acceptance, mitigation, avoidance, transfer (cyberinsurance)

Risk monitoring: validation, documentation

5 / 23


Information security risk management Risk acceptance

Risk acceptance

After risks are identified and quantified, they must be “managed”

The simplest option is to do nothing

Such “risk acceptance” is prudent when:

1 Worst-case loss is small enough to be paid from proceeds or reserves

2 Probability of occurrence is smaller than other business risks that threaten the organization’s survival

This is why the security policies for start-ups are often weaker than for entrenched firms

6 / 23

Information security risk management Risk mitigation

Risk mitigation

If risk is too big and probable to be accepted, risk mitigation aims to reduce the probability and severity of a loss

This is where security investment comes in

Recall that the optimal level of investment normally leaves residual risk that must be dealt with using acceptance, avoidance, or transfer

7 / 23

Information security risk management Risk avoidance

Risk avoidance

Aims to reduce the probability and severity of loss, as in risk mitigation

However, rather than use technology, here one forgoes risky activities

This introduces opportunity costs of lost business opportunities

Example: online merchant refusing overseas orders due to high fraud risk

Example: company disconnects database with customers’ personal information online

Question: what are the opportunity costs in these cases?

8 / 23

Information security risk management Risk avoidance

Risk transfer

The final option is to buy an insurance contract to recover any future losses incurred

This is only available in limited circumstances

Why has the cyber-insurance market remained small?

Difficulty in quantifying losses

Even when possible, many firms would rather keep quiet than share with an insurance company

Externalities mean that the costs of insecurity are often borne by others

Correlated risk is prevalent

9 / 23
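The four treatments on the preceding slides (accept, mitigate, avoid, transfer) as a worked decision procedure. This is an added example, not part of the lecture slides: it assumes annualized expected loss (probability × loss) as the ROSI-style test for whether mitigation is worth buying, applies the two risk-acceptance criteria from the slide to the residual risk, transfers the residual when an insurer will cover it, and otherwise avoids the activity. The reserves, probabilities and loss figures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Risk:
    name: str
    probability: float            # annual probability the loss event occurs
    worst_case_loss: float        # loss if it occurs, before any controls
    control_cost: float           # annual cost of the mitigating controls
    mitigated_probability: float  # probability with the controls in place
    mitigated_loss: float         # loss with the controls in place
    premium: Optional[float]      # annual insurance premium, None when no insurer will cover it

@dataclass
class Context:
    reserves: float                   # what the firm can pay from proceeds or reserves
    survival_risk_probability: float  # probability of other business risks that threaten survival

def expected_loss(probability: float, loss: float) -> float:
    return probability * loss

def acceptable(probability: float, loss: float, ctx: Context) -> bool:
    """Slide criteria: worst case payable from reserves, and rarer than survival-threatening risks."""
    return loss <= ctx.reserves and probability < ctx.survival_risk_probability

def worth_mitigating(r: Risk) -> bool:
    """Invest only when the fall in expected loss exceeds the cost of the controls (ROSI > 0)."""
    saving = expected_loss(r.probability, r.worst_case_loss) - expected_loss(r.mitigated_probability, r.mitigated_loss)
    return saving > r.control_cost

def treat(r: Risk, ctx: Context) -> List[str]:
    """Ordered treatments: accept; or mitigate and carry the residual; or transfer; or avoid."""
    if acceptable(r.probability, r.worst_case_loss, ctx):
        return ["accept"]
    mitigate = worth_mitigating(r)
    if mitigate and acceptable(r.mitigated_probability, r.mitigated_loss, ctx):
        return ["mitigate", "accept"]          # residual risk is small enough to carry
    if r.premium is not None:
        return (["mitigate"] if mitigate else []) + ["transfer"]
    return ["avoid"]                          # uninsurable and not acceptable: forgo the activity

# Constructed portfolio for a small firm (illustrative numbers, not from the slides).
STARTUP = Context(reserves=50_000, survival_risk_probability=0.05)
PORTFOLIO = [
    Risk("lost laptop, encrypted disk", 0.01, 5_000, 500, 0.01, 5_000, None),
    Risk("customer database breach", 0.10, 400_000, 20_000, 0.02, 30_000, None),
    Risk("shared mailbox phished", 0.20, 10_000, 3_000, 0.05, 10_000, 500),
    Risk("fraud on overseas orders", 0.30, 80_000, 10_000, 0.25, 80_000, None),
]

def treatment_plan(ctx: Context = STARTUP) -> dict:
    return {risk.name: treat(risk, ctx) for risk in PORTFOLIO}
```

Running `treatment_plan()` shows the slide's point about start-ups: the same database breach that a cash-rich firm could accept outright has to be mitigated first here, and the overseas-order fraud, which no insurer covers and which controls barely dent, is avoided at the cost of the lost orders.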


Information security risk management Risk avoidance

Risk management example: credit card issuers

Credit card issuers regularly manage fraud

1 Risk acceptance: fraud is paid from the payment fees charged to merchants

2 Risk mitigation: install anti-fraud technology (raises costs of security)

3 Risk avoidance: downgrade high-risk cardholders to debit or require online verification (leads to lost business)

4 Risk transfer: structure consumer credit risk and sell it on the market

10 / 23

Frameworks

The rise of frameworks

Quantitative investment metrics can be difficult to calculate

Often depend on figures that are not readily available (e.g., probability of loss, loss amount)

Frameworks emphasize the process of managing cybersecurity without explicit regard to loss, likelihood of attack

12 / 23

Frameworks

A simple early framework: SANS 20 Critical Controls

Source: https://www.sans.org/critical-security-controls/controls

13 / 23

Frameworks

NIST Cybersecurity Framework

NIST has created a standardized cybersecurity framework

1 Framework Core: common activities and outcomes

2 Framework Implementation Tiers: 4 levels that capture sophistication of risk management approach

3 Framework Profile: organization-specific configuration of the core

14 / 23


Frameworks

NIST Cybersecurity Framework Core

Organized around 5 core functions: identify, protect, detect, respond, recover

Each function has categories and subcategories

15 / 23

Frameworks

NIST framework details

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

16 / 23

Frameworks

NIST framework details

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

17 / 23

Frameworks

NIST Cybersecurity Framework Implementation Tiers

1 Partial: no formalized risk management, limited organizational awareness, no external collaboration

2 Risk Informed: risk management practices approved and prioritization informed by threat and mission requirements, organizational awareness but no organization-wide approach to risk, and no formal external collaboration

3 Repeatable: formalized risk management in policy, organization-wide risk management approach, some external collaboration

4 Adaptive: practices adapted based on prior experience and gathered indicators, organization-wide risk management approach embedded in culture, external collaboration including active sharing with others

NIST encourages everyone to reach level 2; going beyond that depends on risk reduction and cost-effectiveness

18 / 23


Frameworks

How NIST envisions the framework to fit in an organization

Source: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

19 / 23

Frameworks

Use Case #1: Review of Cybersecurity Practices

While they do not replace a risk management process, these five high-level Functions will provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices. The Framework can also help an organization answer fundamental questions, including “How are we doing?” Then they can move in a more informed way to strengthen their cybersecurity practices where and when deemed necessary

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

20 / 23

Frameworks

Use Case #2: Establish or Improve a Cybersecurity Program

NIST lays out a 7-step plan

1: Prioritize and Scope

2: Orient

3: Create a Current Profile

4: Conduct a Risk Assessment

5: Create a Target Profile

6: Determine, Analyze and Prioritize Gaps

7: Implement Action Plan

21 / 23

Frameworks

Use Case #3: Communicating Cybersecurity Requirements with Stakeholders

NIST envisions that the framework can serve as a “common language to communicate requirements”

For example, if evaluating outsourcing partners, asking for their framework profile could help assess security practices

Offers the potential to mitigate information asymmetries between firms

22 / 23


Frameworks

Frameworks: wrapping up

Frameworks formalize best practices and structure how organizations think about cybersecurity implementation

How do frameworks compare to the metric-based approaches (ROSI, ENBIS, etc.) described in the course?

Can they coexist? Should they?

23 / 23
