
Page 1: Risk management - people.unica.itpeople.unica.it/.../2019/04/06RM.Risk-management-in-computer-secu… · – Scope: an essential management functionof the organization, tightly woven

Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering

Risk management

Giorgio Fumera

http://pralab.diee.unica.it

Risk Management in Computer Security

Introduction: risk factors

[Diagram: a Threat exploits a Vulnerability, which is exposed by an Asset, causing an Impact]

Asset: anything that has value for an organization (tangible or intangible):
• primary: business processes and activities, information
• support: hardware, software, network, personnel, facilities

Introduction: risk factors

[Diagram: a Threat exploits a Vulnerability, which is exposed by an Asset, causing an Impact]

Threat:
• Non-adversarial: accidental events caused by a non-deliberate source of hazard, e.g., component or structural failures, environmental disruptions, human errors
• Adversarial: deliberate actions originating from malicious attacks by human actors, accomplished physically or by cyber means

Introduction: risk factors

[Diagram: a Threat exploits a Vulnerability, which is exposed by an Asset, causing an Impact]

Vulnerability: weakness that can be exploited by a threat to compromise or damage an asset

Introduction: information security risks

[Diagram: a risk scenario affecting the Confidentiality, Integrity and Availability of information]

Introduction: impact of information security risks

Information security risks can be caused by non-adversarial threats and can have an impact beyond confidentiality, integrity and availability of information, e.g., in critical infrastructures.

An example: industrial automation and control systems
• Supervisory Control And Data Acquisition (SCADA)
• Manufacturing Execution System (MES)
• Enterprise Resource Planning (ERP)
• Programmable Logic Controller (PLC)

Information security risk management frameworks

• ISO/IEC 27005:2018 – Information security risk management
  https://www.iso.org/standard/75281.html (not available through our Faculty Library)
• NIST framework for information security

NIST framework for information security

National Institute of Standards and Technology (NIST)
– https://www.nist.gov/
– founded in 1901
– part of the U.S. Department of Commerce
– development of industry-related standards, guidelines and best practices
– publicly available documents

NIST framework for information security

Context:
– Information Security Handbook: A Guide for Managers (2006)
  https://www.nist.gov/publications/information-security-handbook-guide-managers (Special Publication 800 series)
– Cybersecurity Framework v1.1 (2018)
  https://www.nist.gov/cyberframework

Risk management: Special Publication 800 series
– SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (2011)
  https://csrc.nist.gov/publications/detail/sp/800-39/final
– SP 800-37 Rev. 2, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (2018)
  https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
– SP 800-30 Rev. 1, Guide for Conducting Risk Assessments (2012)
  https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Concepts and principles consistent with ISO and IEC standards

NIST Information Security Handbook (2006)

SP 800-100: guidelines that provide a broad overview of information security program elements, to assist managers in understanding how to establish and implement an information security program

NIST Information Security Handbook (2006)

• Information Security Governance
• System Development Life Cycle
• Awareness and Training
• Capital Planning and Investment Control
• Interconnecting Systems
• Performance Measures
• Security Planning
• Information Technology Contingency Planning
• Risk Management
• Certification, Accreditation, and Security Assessments
• Security Services and Products Acquisition
• Incident Response
• Configuration Management

NIST Information Security Handbook (2006)

Risk management: an important component of a successful information security program
– Principal goal: to protect organizations and their ability to perform their mission, not just information assets
– Scope: an essential management function of the organization, tightly woven into the system development life cycle (SDLC) – not only a technical function carried out by information security experts who operate and manage information security systems
– Benefits: allowing information security program managers to balance the operational and economic costs of protective measures and achieve gains in mission capability; fostering informed decision making
– Risk assessments should be conducted and integrated into the SDLC for information systems, not because it is required by law or regulation, but because it is a good practice and supports the organization's business objectives or mission

NIST Cybersecurity Framework (2018)

A risk-based approach to managing cybersecurity risk

[Figure: framework core functions]

• Flexible approach to cybersecurity, applicable to any organization relying on technology
• Provides a common organizing structure for multiple approaches to cybersecurity by assembling currently effective standards, guidelines, and practices

NIST Cybersecurity Framework (2018)

Risk management: information and decision flows within an organization

Excerpt from Cybersecurity Framework Version 1.1 (April 16, 2018; available free of charge from https://doi.org/10.6028/NIST.CSWP.04162018), section 2.4 "Coordination of Framework Implementation", p. 12:

Figure 2 describes a common flow of information and decisions at the following levels within an organization:
• Executive
• Business/Process
• Implementation/Operations

The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization's overall risk management process and to the implementation/operations level for awareness of business impact.

Figure 2: Notional Information and Decision Flows within an Organization

NIST SP 800-39 – Managing Information Security Risk

Purpose: to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems

NIST SP 800-39 – Managing Information Security Risk

[Figure: multitiered organization-wide risk management]

NIST SP 800-39 – Managing Information Security Risk

[Figure: risk management process. The risk framing step describes the environment in which risk-based decisions are made, to produce a risk management strategy]

NIST SP 800-30 – Guide for conducting risk assessments

Purpose: to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39:
• how to carry out the steps in the risk assessment process
• how risk assessments and other organizational risk management processes complement and inform each other
• identifying specific risk factors to monitor on an ongoing basis

Content:
• risk management process
• risk assessment process
• resources: glossary; information on threat sources, events and likelihood; vulnerabilities; impact; risk determination and response

NIST SP 800-30 – Guide for conducting risk assessments

• Concepts and principles similar to and consistent with ISO and IEC standards
• Flexible guidelines – no specific requirements on:
  – formality, rigor, level of detail of the particular risk assessment
  – methodologies, tools, and techniques
  – format and content of assessment results and reporting mechanisms
• Cautionary note: risk assessments are often not precise instruments of measurement and reflect:
  – the limitations of the specific assessment methodologies, tools, and techniques employed
  – subjectivity, quality, and trustworthiness of the data used
  – the interpretation of assessment results
  – the skills and expertise of those conducting the assessments

Definition of risk

A multidimensional concept, whose definition varies with the purpose and discipline/sector.

Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is a function of:
– the adverse impacts that would arise if the circumstance or event occurs
– the likelihood of occurrence

Definition of information security risk

Information security risks arise from the loss of confidentiality, integrity, or availability of information or information systems.

They reflect the potential adverse impacts to organizational operations:
– mission
– functions
– image
– reputation
and to organizational assets, individuals, and other organizations ("where a threat intersects with a vulnerability, risk is present" – NIST Information Security Handbook)

Definition of risk assessment

The process of identifying, estimating, and prioritizing information security risks.

This requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.

The context of risk assessment

[Figure: risk management process, with risk assessment as the focus of SP 800-30. Risk framing describes the environment in which risk-based decisions are made, to produce a risk management strategy]

Risk framing components

– Risk model: defines risk factors and their relationships
– Assessment approach: specifies the range of values of risk factors and how to combine them to evaluate risk – can be quantitative, qualitative, or semi-quantitative
– Analysis approach: describes how combinations of risk factors are identified/analyzed – can be threat-oriented, asset/impact-oriented, or vulnerability-oriented

Risk model: an example

[Figure: an example risk model]

Assessment approaches

Quantitative
• Use of numbers
• Meanings and proportionality are maintained inside and outside the assessment context
• Issues: reliability, significance, effort required

Qualitative
• Based on non-numerical categories or levels
• Useful to support communicating risk results to decision makers
• Understanding categories or levels requires clear examples

Semi-quantitative
• Use of bins, scales, or representative numbers whose values and meanings are not maintained in other contexts
• Expert judgment is crucial in assigning values

Analysis approach

[Diagram: a Threat exploits a Vulnerability, which is exposed by an Asset, causing an Impact]

Analysis approach

Threat-oriented
• identification of threat sources and events
• development of threat scenarios
• identification of vulnerabilities

Asset/impact-oriented
• identification of impacts or consequences of concern and critical assets
• identification of threat events that could lead to, and/or threat sources that could seek, those impacts or consequences

Vulnerability-oriented
• identification of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or their environments
• identification of threat events that could exercise those vulnerabilities, together with the possible consequences of the vulnerabilities being exercised

Application of risk assessments

[Figure: risk assessments at the three tiers of the organization]
– Tier 1 (organization): supporting organizational strategies, policies, guidance, and processes for managing risk
– Tier 2 (mission/business processes): supporting the determination of mission/business process protection and resiliency requirements, and the allocation of those requirements to the enterprise architecture as part of mission/business segments
– Tier 3 (information systems): traditional risk assessments focus at the Tier 3 level, and tend to overlook other significant risk factors that may be more appropriately assessed at higher levels

The NIST SP 800-30 risk assessment process

Excerpt from Special Publication 800-30, Guide for Conducting Risk Assessments, Chapter Three, "The Process: Conducting Risk Assessments within Organizations" (p. 23):

This chapter describes the process of assessing information security risk including: (i) a high-level overview of the risk assessment process; (ii) the activities necessary to prepare for risk assessments; (iii) the activities necessary to conduct effective risk assessments; (iv) the activities necessary to communicate the assessment results and share risk-related information; and (v) the activities necessary to maintain the results of risk assessments on an ongoing basis. The risk assessment process[43] is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results; and (iv) maintain the assessment.[44] Each step is divided into a set of tasks. For each task, supplemental guidance provides additional information for organizations conducting risk assessments. Risk tables and exemplary assessment scales are listed in appropriate tasks and cross-referenced to additional, more detailed information in the supporting appendices. Figure 5 illustrates the basic steps in the risk assessment process and highlights the specific tasks for conducting the assessment.

[43] The intent of the process description in Chapter Three is to provide a common expression of the essential elements of an effective risk assessment. It is not intended to limit organizational flexibility in conducting those assessments. Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description.
[44] The four-step risk assessment process described in this publication is consistent with the general risk assessment process described in NIST Special Publication 800-39. The additional steps and tasks result from the need to provide more detailed guidance to effectively carry out the specific activities associated with risk assessments.

Figure 5: Risk assessment process
– Step 1: Prepare for Assessment (derived from the organizational risk frame)
– Step 2: Conduct Assessment – expanded task view: identify threat sources and events; identify vulnerabilities and predisposing conditions; determine likelihood of occurrence; determine magnitude of impact; determine risk
– Step 3: Communicate Results
– Step 4: Maintain Assessment

Comparison with ISO 31000 process

[Figure: the NIST SP 800-30 risk assessment process compared with the ISO 31000 process]

Step 1: preparing for the risk assessment

Tasks
– 1-1 Identify the purpose of the assessment
– 1-2 Identify the scope
– 1-3 Identify the assumptions and constraints associated with the assessment
– 1-4 Identify the sources of information to be used as inputs to the assessment
– 1-5 Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed

Step 1: preparing for the risk assessment

TASK 1-1: Identifying the purpose
• what information is it intended to produce?
• what decisions is it intended to support?
• how to capture and present the information produced?

TASK 1-2: Identifying the scope
• organizational applicability: organization tiers and parts affected
• time frame supported: how long will the results be relevant? what influences the need to update the assessment?
• architectural/technological considerations: specific technologies, mission/business segment architecture, organizational information systems and their environment

Step 1: preparing for the risk assessment

TASK 1-3: Identifying assumptions and constraints
• threat sources: types of sources to be considered, identification process
• threat events: types of threat events to be considered, required level of detail of their description
• vulnerabilities and predisposing conditions: types of vulnerabilities and predisposing conditions to be considered, required level of detail of their description
• likelihood determination process
• impacts to organizational operations (missions, functions, image, and reputation) and assets, individuals, other organizations
• risk tolerance and uncertainty: what levels and types of risk are acceptable? reasons for uncertainty about risk factors
• analytic approach: assessment approaches (quantitative, qualitative, semi-quantitative) and analysis approaches (threat-oriented, asset/impact-oriented, vulnerability-oriented)

Step 1: preparing for the risk assessment

TASK 1-4: Identifying the sources of threat, vulnerability, and impact information
• threats and vulnerabilities: internal sources (e.g., risk and vulnerability assessment reports, incident reports, security logs, trouble tickets, monitoring results) and external sources (e.g., cross-community organizations like CERT, research and non-governmental organizations), etc.
• predisposing conditions: descriptions of information systems, environments of operation, shared services, common infrastructures, enterprise architecture, etc.
• impact information: mission/business impact analyses, information system component inventories, security categorizations, etc.

Step 1: preparing for the risk assessment

TASK 1-5: Identifying the risk model and analytic approach

• risk models include, or can be translated into, the risk factors: threat, vulnerability, impact, likelihood, and predisposing condition

• assessment approach: quantitative, qualitative, semi-quantitative

• analysis approach: threat-oriented, asset/impact-oriented, vulnerability-oriented

• definition or selection of existing assessment scales, annotated with organizationally-meaningful examples for specific values

• defining algorithms (e.g., formulas, tables, rules) for combining risk factors

Step 2: conducting the risk assessment

Objective: to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions

[Figure 5 of SP 800-30 (repeated): Step 2, Conduct Assessment, expanded task view – identify threat sources and events; identify vulnerabilities and predisposing conditions; determine likelihood of occurrence; determine magnitude of impact; determine risk]

• iterations among the tasks are necessary and expected
• task ordering can be modified

Step 2: conducting the risk assessment

TASK 2-1: Identify and characterize threat sources of concern
• adversarial threats: capability, intent and targeting characteristics
• non-adversarial threats: range of effects

Step 2: conducting the risk assessment

Threat source taxonomy (first two levels only):
– ADVERSARIAL: Individual, Group, Organization, Nation-State
– ACCIDENTAL: User, Privileged User/Administrator
– STRUCTURAL: IT Equipment, Environmental Controls, Software
– ENVIRONMENTAL: Natural or man-made disaster, Unusual Natural Event, Infrastructure Failure/Outage

Step 2: conducting the risk assessment

[Figure: exemplary assessment scale – characteristics of adversary capability]

Step 2: conducting the risk assessment

TASK 2-2: Identify threat events
• potential threat events
• relevance of threat events
• threat sources that could initiate the events

Step 2: conducting the risk assessment

Representative examples of adversarial threat events:
• Perform reconnaissance and gather information, e.g., sniffing of exposed networks
• Craft or create attack tools, e.g., phishing attacks
• Deliver/insert/install malicious capabilities, e.g., known malware to internal information systems (virus via email)
• Exploit and compromise, e.g., poorly configured or unauthorized information systems exposed to the Internet
• Conduct an attack, e.g., Distributed Denial of Service (DDoS)
• Achieve results, e.g., obtain sensitive information via exfiltration
• Maintain a presence or set of capabilities, e.g., obfuscate adversary actions
• Coordinate a campaign, e.g., cyber attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors

Step 2: conducting the risk assessment

TASK 2-3: Identify and select relevant vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts

Exemplary tables: F1–F6

Step 2: conducting the risk assessment

[Figure: exemplary assessment scale for vulnerability severity]

Step 2: conducting the risk assessment

TASK 2-4: Determining the likelihood that threat events of concern result in adverse impacts
• characteristics of the threat sources that could initiate the events (for adversarial threats, including capability, intent and targeting), or that make the event occur (non-adversarial threats)
• vulnerabilities/predisposing conditions identified
• organizational susceptibility reflecting the safeguards/countermeasures planned or implemented

Step 2: conducting the risk assessment

The overall likelihood of a threat event is a combination of:
• likelihood of event occurrence (e.g., due to human error or natural disaster) or initiation (by an adversary)
• likelihood of adverse impacts resulting from initiation or occurrence

Combining algorithms depend on:
• organizational attitudes toward risk (overall risk tolerance, uncertainty tolerance)
• specific tolerances toward uncertainty in different risk factors
• organizational weighting of risk factors

Step 2: conducting the risk assessment

Examples of likelihood combining rules
• use the maximum of the two likelihood values
• use the minimum of the two likelihood values
• consider likelihood of initiation/occurrence only, assuming that adverse impacts are certain
• consider likelihood of impact only, assuming that if adverse impacts are possible, adversaries will initiate the events
• take a weighted average of the two likelihood values

Assessment scales: likelihood

[Figure: exemplary assessment scale – likelihood of threat event initiation (adversarial)]

Assessment scales: likelihood

[Figure: exemplary assessment scale – likelihood of a threat event resulting in adverse impact]

Assessment scales: likelihood

[Figure: exemplary assessment scale – overall likelihood]

Step 2: conducting the risk assessment

TASK 2-5: Determining the adverse impacts from threat events of concern

Factors to consider:
• characteristics of the threat sources that could initiate the events
• vulnerabilities/predisposing conditions identified
• susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events

Description of adverse impacts in terms of potential harm to:
• organizational operations
• assets
• individuals
• other organizations

May involve identification of assets or potential targets of threat sources:
• information resources (e.g., information, data repositories, information systems, applications, information technologies, communications links)
• people
• physical resources (e.g., buildings, power supplies)

Step 2: conducting the risk assessment

[Figure: exemplary assessment scale – threat event impact]

Step 2: conducting the risk assessment

[Figure: exemplary assessment scale – threat event impact (continued)]

Step 2: conducting the risk assessment

TASK 2-6: Determine the risk to the organization from threat events of concern

Risk level is a function of:
• impact resulting from the events
• likelihood of the events occurring

Risks at the same level or with similar scores can be further prioritized.

Include information related to uncertainties arising from, e.g.:
• missing information
• subjective determinations
• assumptions made

Assessment scales: level of risk

[Figure: exemplary assessment scale – level of risk]

Assessment scales: level of risk

[Figure: exemplary assessment scale – level of risk as a combination of likelihood and impact (risk matrix)]
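Added example, not from the slides or from NIST: it runs the five likelihood combining rules listed under Task 2-4 and the Task 2-6 risk determination over a few constructed threat events on a five-level semi-quantitative scale. The scale, the risk-matrix cell values, the sample events and their ratings are assumptions made for this example; an organization would substitute its own annotated scales (Task 1-5).

```python
"""Likelihood combination (Task 2-4) and risk determination (Task 2-6) on a
five-level semi-quantitative scale. Added example: the scale, the risk matrix
values and the sample events are constructed here, not NIST's exemplary tables."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List


class Level(IntEnum):
    """Representative numbers for a five-level scale. Being semi-quantitative,
    the integers only order the levels; they carry no meaning outside the scale."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


def _to_level(value: float) -> Level:
    """Round a combined value half-up and clamp it back onto the scale."""
    return Level(max(int(Level.VERY_LOW), min(int(Level.VERY_HIGH), int(value + 0.5))))


def combine_likelihood(initiation: Level, impact_lk: Level, rule: str,
                       weight: float = 0.5) -> Level:
    """Overall likelihood from the likelihood of initiation/occurrence and the
    likelihood that the event results in adverse impact, using one of the five
    combining rules from the slides. `weight` is the share given to initiation
    by the weighted-average rule."""
    if not 0.0 <= weight <= 1.0:
        raise ValueError("weight must lie in [0, 1]")
    rules: Dict[str, Callable[[], float]] = {
        "max": lambda: max(initiation, impact_lk),
        "min": lambda: min(initiation, impact_lk),
        "initiation_only": lambda: initiation,  # adverse impact assumed certain
        "impact_only": lambda: impact_lk,       # adversary assumed to act if impact possible
        "weighted": lambda: weight * initiation + (1 - weight) * impact_lk,
    }
    if rule not in rules:
        raise ValueError(f"unknown combining rule: {rule}")
    return _to_level(rules[rule]())


# Risk matrix: rows are overall likelihood, columns are impact (Very Low .. Very High).
# Same shape as the SP 800-30 exemplary risk matrix; the cell values are constructed here.
RISK_MATRIX: Dict[Level, List[Level]] = {
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.LOW:       [Level.VERY_LOW, Level.LOW, Level.LOW, Level.LOW, Level.MODERATE],
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW, Level.LOW],
}


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Task 2-6: risk as a function of overall likelihood and impact."""
    return RISK_MATRIX[likelihood][int(impact)]


@dataclass
class ThreatEvent:
    name: str
    initiation: Level         # likelihood of initiation (adversarial) or occurrence
    impact_likelihood: Level  # likelihood that the event results in adverse impact
    impact: Level             # magnitude of impact (Task 2-5)
    uncertainty: str = ""     # missing information, subjective calls, assumptions


@dataclass
class AssessedRisk:
    event: str
    likelihood: Level
    impact: Level
    risk: Level
    uncertainty: str


def assess(events: List[ThreatEvent], rule: str = "max",
           weight: float = 0.5) -> List[AssessedRisk]:
    """Return the events prioritized by risk level, then impact, then likelihood.
    Events that tie on all three keep their input order, so the assessor can
    prioritize them further using the recorded uncertainties."""
    results: List[AssessedRisk] = []
    for e in events:
        lk = combine_likelihood(e.initiation, e.impact_likelihood, rule, weight)
        results.append(AssessedRisk(e.name, lk, e.impact, risk_level(lk, e.impact), e.uncertainty))
    results.sort(key=lambda r: (r.risk, r.impact, r.likelihood), reverse=True)
    return results


# Constructed sample events, using threat sources and events named in the slides.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing email delivers known malware", Level.HIGH, Level.MODERATE,
                Level.HIGH, "assumes current mail filtering stays effective"),
    ThreatEvent("Misconfigured Internet-exposed system is compromised", Level.MODERATE,
                Level.HIGH, Level.VERY_HIGH, "no recent external scan results"),
    ThreatEvent("Unusual natural event floods the server room", Level.VERY_LOW,
                Level.HIGH, Level.VERY_HIGH, "flood return period taken from a 2010 study"),
    ThreatEvent("Privileged user error deletes a data repository", Level.LOW,
                Level.MODERATE, Level.MODERATE, "restore tests not run this year"),
]

if __name__ == "__main__":
    for rule in ("max", "min"):  # same events, different rule: compare the rankings
        print(f"--- combining rule: {rule}")
        for r in assess(SAMPLE_EVENTS, rule=rule):
            print(f"{r.risk.name:9} L={r.likelihood.name:9} I={r.impact.name:9} "
                  f"{r.event} [{r.uncertainty}]")
```

Running it with "max" and then "min" shows the flood event moving from Very High risk to Low risk, which is the point of the slide: the combining rule is an organizational choice about risk and uncertainty tolerance, and it must be recorded with the results.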