Pattern Recognition and Applications Lab University of Cagliari, Italy Department of Electrical and Electronic Engineering Risk Management Giorgio Fumera [email protected] Cybersecurity – Spring semester 2020-2021


Page 1: RiskManagement · •Introduction to risk management •Risk management frameworks –ISO standards –NIST guidelines •The risk assessment process –NIST guidelines –qualitative

Pattern Recognition and Applications Lab

University of Cagliari, Italy

Department of Electrical and Electronic Engineering

Risk Management

Giorgio Fumera

[email protected]

Cybersecurity – Spring semester 2020-2021


http://pralab.diee.unica.it

Outline

• Introduction to risk management
• Risk management frameworks
  – ISO standards
  – NIST guidelines
• The risk assessment process
  – NIST guidelines
  – qualitative and quantitative risk assessment
  – risk assessment techniques
• Risk treatment
• Data collection and processing for risk assessment
• Real-world examples of risk assessment

1


Resources

2

PART THREE – Management Issues
Ch. 14 IT Security Management and Risk Assessment

Ch. 10 Management and Incidents
Par. 10.4 Risk Analysis

• ISO standards (available through the Faculty library)
• NIST documents


Introduction to Risk Management

3


What is risk?

A concept inherently present in every human activity

Non-technical definition of "risk" (Oxford Dictionary of English)
A situation involving exposure to danger: all outdoor activities carry an element of risk
– the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease

4


Examples from everyday life activities
– walking along or crossing a road
– driving a motorcycle
– choosing a master course
– ...

5


What is risk?

A concept inherently present in every human activity

Technical definition of "risk" (Oxford Dictionary of English)
A situation involving exposure to danger: all outdoor activities carry an element of risk
– the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease
– a possibility of harm or damage against which something is insured: all-risks insurance for professional photographers
– the possibility of financial loss: the Bank is rigorous when it comes to analysing and evaluating risk

6


risk is always related to uncertainty on future events

7


Dealing with risk

8


Avoiding risk entirely is not possible

Risk can only be reduced or mitigated, at some cost


Organizations' view of risks

• Private organizations (companies, industry, financial institutions, etc.)

• Public organizations/services (education system, health system, etc.)

• Cross-sector organizations: critical infrastructures (transports, communications, energy, etc.)

• States (health, climate change, pollution, etc.)

9

[Figure: organization's assets, undesired events, risk mitigation actions]


Assets and risks in different sectors

• Enterprises
• Industry
• Financial institutions
• Process plants (e.g., nuclear and chemical plants)
• Civil engineering (buildings, infrastructures)
• Environmental engineering
• Transports
• Aerospace
• Military
• Energy
• Communications
• Health system
• ...

10


The main elements of risk analysis

11

[Figure: organization's assets, undesired event, likelihood, consequences, level of risk, risk mitigation actions; decision-making: top management or political level]


Risk management initiatives

Risk management initiatives have been undertaken over the years in many sectors
– involvement of public and private bodies
– normative outcomes: regulations, standards, guidelines
– technical outcomes: methodologies, techniques

Examples
– nuclear field: International Atomic Energy Agency (IAEA)
– banking: Basel Committee
– industry: International Organization for Standards (ISO), National Institute of Standards and Technology (NIST)

12


Risk management: historical notes

Enterprise sector (1900's –):
– beginning of the 20th cent.: management model in the financial sector
– 1950's: application to the insurance sector (USA)
– 1960's: application to engineering & construction companies
– 1990's: Enterprise Risk Management model – global, integrated view into organizations' life
– 2009: formalization in the ISO 31000 standard

Banking sector (1974 –):
– beginning of the 20th cent.: management model in the financial sector
– 1974: Basel Committee (Banking Regulations and Supervisory Practices)
– 1988 – 2017: Basel accords

13


Risk management: historical notes

Industrial sectors (1950's –):
– chemical plants: EC (European Commission) Seveso Directive – Technological Disaster Risk Reduction (1982), http://ec.europa.eu/environment/seveso/index.htm
– aerospace: NASA (National Aeronautics and Space Administration, USA), https://sma.nasa.gov/sma-disciplines/risk-management – 1986: Space Shuttle Challenger disaster
– nuclear plants: IAEA (International Atomic Energy Agency), https://www.iaea.org – 1986: Chernobyl accident

14


Cybersecurity risks

15

Risks related to information systems

Who is affected by cybersecurity risks?
– organizations that develop and provide ICT products and services
– individuals and organizations that use ICT products and services

[Figure: sectors affected – Enterprises, Industry, Financial institutions, Process plants, Civil engineering, Environmental engineering, Transports, Aerospace, Military, Energy, Communications, Health system, ...]


Cybersecurity risks: an example

16

Industrial automation and control systems

[Figure: industrial automation and control system architecture – Supervisory Control And Data Acquisition (SCADA), Manufacturing Execution System (MES), Enterprise Resource Planning (ERP), Programmable Logic Controller (PLC)]

Abdo et al., A safety/security risk analysis approach of Industrial Control Systems, Computers & Security 72 (2018) 175–195


Risk management in cybersecurity

A still evolving field, building on results from other sectors
– principles
– frameworks
– standards
– methodologies
– specific techniques

The main actors involved:
– International Organization for Standards (ISO)
– National Institute of Standards and Technology (NIST)

17


The risk management process

18

An example for the enterprise sector (NIST Cybersecurity Framework Version 1.1, April 16, 2018, https://doi.org/10.6028/NIST.CSWP.04162018), Section 2.4 "Coordination of Framework Implementation":

Figure 2 describes a common flow of information and decisions at the following levels within an organization:
– Executive
– Business/Process
– Implementation/Operations

The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.

Figure 2: Notional Information and Decision Flows within an Organization

Risk management: fundamental component of any organization
Broad involvement of all organizational levels


International Organization for Standards (ISO)

https://www.iso.org

Main facts
– worldwide federation of national standard bodies
– develops and publishes international standards for most industry sectors
– some standards can be certified by external certification bodies
– liaises with other governmental and non-governmental organizations
– collaborates with the International Electrotechnical Commission (IEC) on electrotechnical standardization matters
– ISO standards are not available for free

How to consult ISO standards at UNICA
– free access provided by the Faculty Library (computer room) to UNICA students, through UNI – Ente Nazionale Italiano di Normazione, https://www.uni.com (ask the Library staff for instructions)
– requires UNICA student's account
– documents are only available for consultation

19


National Institute of Standards and Technology (NIST)

https://www.nist.gov/

Main facts
– founded in 1901
– part of the U.S. Department of Commerce
– industry-related standards, guidelines and best practices
– all NIST documents are publicly available

20