TEL2813/IS2621TEL2813/IS2621 Security ManagementSecurity Management

Risk Management: Identifying and Assessing Risk

April 1, 2008

1

IntroductionInformation security departments are created primarily to manage IT riskManaging risk is one of the key responsibilities of every manager within the organizationorganizationIn any well-developed risk management program, two formal processes are at work: p g , p

Risk identification and assessment Risk control

2

Knowing Our Environment

Identify, Examine and Understand information and how it is processed, stored, and transmitted

Initiate an in-depth risk management programRisk management is a process

f d d l h d dmeans - safeguards and controls that are devised and implemented are not install-and-forget devices

3

Knowing the EnemyIdentify, examine, and understand

the threatsManagers must be prepared

to fully identify those threats that pose risks to the organization and the security of its informationorganization and the security of its information assets

Risk management is the processof assessing the risks to an organization’s information and determining how those risks can be controlled or mitigatedg

4

Risk ManagementThe process concerned with identification, measurement, control and minimization of security risks in information ysystems to a level commensurate with the value of the assets protected (NIST)

IdentifyIdentifythe

Risk Areas

Re-evaluatethe Risks Assess the

RisksRisk Management

Implement RiskManagement

ActionsDevelop RiskM t

ManagementCycle

Risk Assessment

Risk Control (Mitigation)Actions ManagementPlan

( g )

5

Accountability for Risk Management

All communities of interest must work together:

Evaluating risk controlsEvaluating risk controlsDetermining which control options are cost-effective Acquiring or installing appropriate controlsAcquiring or installing appropriate controlsOverseeing processes to ensure that controls remain effective Id tif i i kIdentifying risksAssessing risksSummarizing findingsg g

6

Risk Identification Process

7

Risk Identification

Risk identification begins with the process of self-examinationbegins with the process of self examination

Managers identify the organization’s informationidentify the organization s information assets, classify them into useful groups andclassify them into useful groups, and prioritize them by their overall importance

8

Creating an Inventory of Information Assets

Identify information assets, includingpeople procedures data and informationpeople, procedures, data and information, software, hardware, and networking elements

Should be done without pre-judging value of each assetvalue of each asset

Values will be assigned later in the process

9

Organizational Assets

10

Identifying Hardware, Software, and Network Assets

Inventory process requires a certain amount of planningamount of planning Determine which attributes of each of these information assets should bethese information assets should be tracked

Will depend on the needs of theWill depend on the needs of the organization and its risk management effortsits risk management efforts

11

Attributes for AssetsPotential attributes:Potential attributes:

NameIP addressIP addressMAC addressAsset typeAsset typeManufacturer nameManufacturer’s model or part number

Software version, update revision,

Physical locationLogical locationLogical locationControlling entity

12

Identifying People, Procedures, and Data Assets

Whose Responsibility ?managers who possess the necessarymanagers who possess the necessary knowledge, experience, and judgment

RecordingRecordinguse reliable data-handling process

13

Suggested AttributesPeople

Position name/number/ID

ProceduresDescriptionIntended purposename/number/ID

Supervisor name/number/ID

Intended purposeSoftware/hardware/networking elements to which it is tiedSecurity clearance

levelSpecial skills

which it is tied Location where it is stored for referencepLocation where it is stored for update purposes

14

Suggested Attributes

DataClassificationOwner/creator/managerSize of data structureData structure usedOnline or offlineLocationBackup procedures

15

Classifying and Categorizing Assets

Determine whether its asset categories are meaningful

After initial inventory is assembled,

Inventory should also reflect sensitivity and security priority assigned to each assetA classification scheme categorizes these

f b d hinformation assets based on their sensitivity and security needs

16

Classifying and Categorizing Assets (Continued)

Categoriesdesignates level of protection needed for a particular information asset

Classification categories must be h i d t ll l icomprehensive and mutually exclusive

Some asset types, such as personnel, l l f hmay require an alternative classification scheme

that would identify the clearance needed to use the asset typeyp

17

Assessing Values for Information AssetsAssign a relative valueAssign a relative value

to ensure that the most valuable information assets are given the highest priority, for example:

h h h l h f hWhich is the most critical to the success of the organization? Which generates the most revenue? Which generates the highest profitability?Which generates the highest profitability? Which is the most expensive to replace? Which is the most expensive to protect? Whose loss or compromise would be the most ose oss o co p o se ou d be t e ostembarrassing or cause the greatest liability?

Final step in the RI process is to list the assets in order of importanceassets in order of importance

Can use a weighted factor analysis worksheet18

Sample Asset Classification Worksheet

19

Weighted Factor Analysis Worksheet (NIST SP 800-30)

20

Data Classification Model

Data owners must classify information assets for which they are responsible and review the classifications periodicallyExample:

PublicFor official use onlyS i iSensitiveClassified

21

Data Classification ModelU.S. military classification scheme

more complex categorization system than the h f t tischemes of most corporations

Uses a five-level classification scheme as defined in Executive Order 12958:defined in Executive Order 12958:

Unclassified DataSensitive But Unclassified (SBU) DataConfidential DataSecret DataTop Secret DataTop Secret Data

22

Security ClearancesPersonnel Security Clearance Structure:

Complement to data classification scheme Each user of information asset is assigned an authorization level that indicates level of information classification he or she can access

Most organizations have developed a set of roles and corresponding security clearances

I di id l i d i t th t l tIndividuals are assigned into groups that correlate with classifications of the information assets they need for their work

23

Security Clearances (Continued)

Need-to-know principle:Regardless of one’s security clearance anRegardless of one s security clearance, an individual is not allowed to view data simply because it falls within that individual’s level of clearance Before he or she is allowed access to a specific set of data, that person must also need-to-know the data as well

24

Management ofClassified Information Assets

Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset

Information asset that has a classification d i ti th th l ifi d blidesignation other than unclassified or public:

Must be clearly marked as such Must be available only to authorized individualsMust be available only to authorized individuals

25

Management ofClassified Information Assets

Clean Desk policyTo maintain confidentiality of classified ydocuments, managers can implement a clean desk policy

D t ti f iti t i lDestruction of sensitive materialWhen copies of classified information are no longer valuable or too many copiesno longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster divingp p y g p g

26

Threat IdentificationAny organization typically faces a wide variety of threatsIf you assume that every threat can and willIf you assume that every threat can and will attack every information asset, then the project scope becomes too complexTo make the process less unwieldy, manage separately

each step in the threat identification andeach step in the threat identification and vulnerability identification processes

27

Identify And Prioritize Threats and Threat Agents

Each threat presents a unique challengeMust be handled with specific controls thatMust be handled with specific controls that directly address particular threat and threat agent’s attack strategy

Threat assessmenteach threat must be examined toeach threat must be examined to determine its potential to affect targeted information asset

28

Threats to Information Security

29

Threats to Information Security (whitman survey)

30

Weighted Ranking of Threat-Driven ExpendituresTop Threat-Driven Expenses Rating

Deliberate software attacks 12.7Acts of human error or failure 7 6Acts of human error or failure 7.6Technical software failures or errors 7.0Technical hardware failures or errors 6.0QoS deviations from service providers 4.9Deliberate acts of espionage or trespass 4.7Deliberate acts of theft 4.1Deliberate acts of sabotage or vandalism 4.0T h l i l b l 3 3Technological obsolescence 3.3Forces of nature 3.0Compromises to intellectual property 2.2Deliberate acts of information extortion 1.0Deliberate acts of information extortion 1.0

31

Vulnerability AssessmentSteps revisited

Identify the information assets of the organization and Document some threat assessment criteriaDocument some threat assessment criteria, Begin to review every information asset for each threat

Leads to creation of list of vulnerabilities that remain potential risks to organizationrisks to organization

At the end of the risk identification process, a list of assets and their vulnerabilities has been developed

The goal: to evaluate relative risk of each listed vulnerabilityg y

32

Risk Identification Estimate Factors

Risk isThe likelihood of the occurrence of a vulnerabilityy

Multiplied byThe value of the information assetThe value of the information asset

MinusThe percentage of risk mitigated by current controlsThe percentage of risk mitigated by current controls

PlusThe uncertainty of current knowledge of the vulnerabilityThe uncertainty of current knowledge of the vulnerability

33

LikelihoodLikelihood

of the threat occurring is the estimation of the probability that a threat will succeed in achievingprobability that a threat will succeed in achieving an undesirable event is the overall rating - often a numerical value on a defined scale (such as 0.1 – 1.0) - of thedefined scale (such as 0.1 1.0) of the probability that a specific vulnerability will be exploited

Using the information documented during theUsing the information documented during the risk identification process,

assign weighted scores based on the value of each information asset i e 1-100 low-med-high etcinformation asset, i.e. 1-100, low-med-high, etc

34

Assessing Potential LossTo be effective, the likelihood values must be assigned by asking:

Which threats present a danger to this organization’s assets in the given environment?Which threats represent the most danger to the organization’s g ginformation?How much would it cost to recover from a successful attack?Which threats would require the greatest expenditure to prevent?Which threats would require the greatest expenditure to prevent?Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

35

Mitigated Risk / UncertaintyIf it is partially controlled,

Estimate what percentage of the vulnerability has b t ll dbeen controlled

Uncertaintyis an estimate made by the manager usingis an estimate made by the manager using judgment and experienceIt is not possible to know everything about every vulnerabilityvulnerabilityThe degree to which a current control can reduce risk is also subject to estimation error

36

Risk Determination ExampleAsset A has a value of 50 and has vulnerability #1,

likelihood of 1.0 with no current controlsassumptions and data are 90% accurateassumptions and data are 90% accurate

Asset B has a value of 100 and has two vulnerabilities

V l bilit #2Vulnerability #2 likelihood of 0.5 with a current control that addresses 50% of its risk

Vulnerability # 3Vulnerability # 3 likelihood of 0.1 with no current controls

assumptions and data are 80% accuratea u p o a d da a a 80% a u a

37

Risk Determination Example

Resulting ranked list of risk ratings for the three vulnerabilities is as follows:the three vulnerabilities is as follows:

Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%(50 1.0) 0% + 10%

Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%( )

Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0 % + 20%( )

38

Identify Possible Controls

For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideasThree general categories of controls g gexist:

PoliciesProgramsTechnical controls

39

Access ControlsAccess controls specifically

address admission of a user into a trusted area of the organizationthe organization

These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety

Access controls usually consist of a combination of policies, programs, and technologiestechnologies

40

Types of Access Controls

Mandatory Access Controls (MACs): Required qStructured and coordinated with a data classification schemeWhen implemented, users and data owners have limited control over their access to information resourcesinformation resourcesUse data classification scheme that rates each collection of information

41

Types of Access Controls (Continued)

Access Control MatrixAccess Control ListAccess Control List

the column of attributes associated with a particular object is called an access controlparticular object is called an access control list (ACL)

CapabilitiesCapabilitiesThe row of attributes associated with a particular subjectparticular subject

42

Types of Access Controls (Continued)

Nondiscretionary controls are determined by a central authority in the organization

Can be based on roles—called role-based controls—or on a specified set of tasks—called task-based controlsTask-based controls can, in turn, be based on lists maintained on subjects or objectsRole-based controls are tied to the role that aRole based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibilityparticular assignment or responsibility

43

Types of Access Controls (Continued)

Discretionary Access Controls (DACs) are implemented at the discretion or option of the data userdata user

The ability to share resources in a peer-to-peer configuration allows

l d ibl idusers to control and possibly provide access to information or resources at their disposal

The users can allow general, unrestricted access, or specific individuals or sets of individuals to access these resourcesthese resources

44

Documenting the Results of Risk Assessment

The goal of the risk management process:Identify information assets and their vulnerabilities Rank them according to the need for protection

In preparing this list, collectwealth of factual information about the assets andwealth of factual information about the assets and the threats they faceinformation about the controls that are already in lplace

The final summarized document is the ranked vulnerability risk worksheetvulnerability risk worksheet

45

Ranked Vulnerability Risk Worksheet

46

Documenting the Results of Risk Assessment (Continued)

What are the deliverables from this stage of the risk management project?stage of the risk management project? The risk identification process should designatedesignate

what function the reports serve, who is responsible for preparing them andwho is responsible for preparing them, and who reviews them

47

Risk Identification and Assessment Deliverables

48

Risk Management:Assessing and Controlling Riskg g

Risk Control StrategiesChoose basic risk control strategy :

Avoidance:applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability

Transference:Transference:shifting the risk to other areas or to outside entities

Mitigation:reducing the impact should the vulnerability be exploited

Acceptance:understanding the consequences and accept the riskunderstanding the consequences and accept the risk without control or mitigation

Avoidance

Attempts to prevent the exploitation of the vulnerabilityyAccomplished through:

Application of policyApplication of policyApplication of training and educationCountering threatsCountering threatsImplementation of technical security controls and safeguardscontrols and safeguards

TransferenceAttempts to shift the risk to other assets, other processes, or other organizationsMay be accomplished by

Rethinking how services are offeredRevising deployment modelsOutsourcing to other organizationsP h i iPurchasing insuranceImplementing service contracts with providers

MitigationAttempts to reduce the damage caused by the exploitation of vulnerability

by means of planning and preparation, Includes three types of plans:

Disaster recovery plan (DRP)Disaster recovery plan (DRP)Incident response plan (IRP)Business continuity plan (BCP)y p ( )

Depends upon the ability to detect and respond to an attack as

i kl iblquickly as possible

Summaries of Mitigation Plans

Acceptance

Acceptance is the choice to do nothing to protect an information asset and to accept the loss when it occursThis control, or lack of control, assumes that it may be a prudent business decision to

E i l iExamine alternatives Conclude the cost of protecting an asset does not justify the security expendituredoes not justify the security expenditure

Acceptance (Continued)Only valid use of acceptance strategy occurs when organization has:

Determined level of risk to information assetDetermined level of risk to information assetAssessed probability of attack and likelihood of a successful exploitation of vulnerabilityApproximated ARO of the exploitApproximated ARO of the exploitEstimated potential loss from attacksPerformed a thorough cost benefit analysisEvaluated controls using each appropriate type of feasibilityDecided that the particular asset did not justify the

t f t ticost of protection

Risk Control Strategy Selection

Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization

Acceptance of riskIf the loss is within the range of losses the organization can absorb, or if the attacker’s gain is less than expected costs ofif the attacker s gain is less than expected costs of the attack,

Otherwise, one of the other control strategies , gwill have to be selected

Risk Handling Action Points

Risk Control Strategy SelectionSome rulesWhen a vulnerability exists:

Implement security controls to reduce the likelihood of a vulnerability being exercisedvulnerability being exercised

When a vulnerability can be exploited:Apply layered controls to minimize the risk or prevent occurrenceoccurrence

When the attacker’s potential gain is greater than the costs of attack:

Apply protections to increase the attacker’s cost or reduce theApply protections to increase the attacker’s cost, or reduce the attacker’s gain, using technical or managerial controls

When potential loss is substantial:A l d i t l t li it th t t f th tt k th bApply design controls to limit the extent of the attack, thereby reducing the potential for loss

Evaluation, Assessment, And Maintenance Of Risk Controls

Once a control strategy has been selected and implementedand implemented

Effectiveness of controls should be monitoredand measured on an ongoing basis to g g

Determine its effectiveness Accuracy of estimated risk that will remain after all planned controls are in place

The Risk Control Cycle

Categories of Controls

Implementing controls or safeguardsTo control risk by means of

avoidance, mitigation, transferencetransference

Controls can be one of four categories:Control functionControl functionArchitectural layerStrategy layerInformation security principle

Control FunctionPreventive controls

Stop attempts to exploit a vulnerability by implementing enforcement of an organizationalimplementing enforcement of an organizational policy or a security principle Use a technical procedure, or some combination of technical means and enforcement methodstechnical means and enforcement methods

Detective controls Alerts about violations of security principles, organizational policies or attempts to exploitorganizational policies, or attempts to exploit vulnerabilities Use techniques such as audit trails, intrusion detection and configuration monitoringdetection, and configuration monitoring

Architectural LayerSome controls apply to one or more layers of an organization’s technical architecturePossible architectural layers include the following:

Organizational policyOrganizational policyExternal networks / Extranets Demilitarized zonesIntranetsNetwork devices that interface network zones SystemsSystemsApplications

Strategy Layer

Controls are sometimes classified by the risk control strategy they operate within:risk control strategy they operate within:

AvoidanceMitigationMitigationTransference

Note that the acceptance strategy is notNote that the acceptance strategy is not an option since it involves the absence of controlscontrols

Information Security PrincipleRisk controls operate within one or more of the commonly accepted information security

i i lprinciples:ConfidentialityIntegrityIntegrityAvailabilityAuthenticationAuthorizationAccountabilityPrivacyPrivacy

Feasibility Studies and CostFeasibility Studies and Cost Benefit AnalysisInformation about the consequences of the vulnerability must be exploredthe vulnerability must be explored

Before deciding on the strategy for a specific vulnerability,vulnerability,

Determine advantage or disadvantage of a specific controla specific control

Primary means are based on the value of information assets that control is designed toinformation assets that control is designed to protect

Cost Benefit Analysis (CBA)

Economic Feasibility criterion most commonly used when evaluating a project that implements information security controls and safeguards

Should begin a CBA by evaluatingShould begin a CBA by evaluatingWorth of the information assets to be protected Loss in value if those information assets areLoss in value if those information assets are compromised

Cost Benefit Analysis or Economic Feasibility Study

CostIt is difficult

to determine the value of information, to determine the cost of safeguarding itto determine the cost of safeguarding it

Some of the items that affect the cost of a control or safeguard include:

Cost of development or acquisition of hardware, software, and servicesTraining fees gCost of implementation Service costs Cost of maintenanceCost of maintenance

Benefit

Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability

Usually determined by Valuing the information asset or assets exposed by vulnerability Determining how much of that value is at risk andDetermining how much of that value is at risk and how much risk there is for the asset

This is expressed as pAnnualized Loss Expectancy (ALE)

Asset ValuationAsset valuation isAsset valuation is

a challenging process of assigning financial value or worth to each information asset

Value of information differs Within organizations and between organizationsB d i f ti h t i ti d i dBased on information characteristics and perceived value of that information

Valuation of assets involves:Valuation of assets involves:Estimation of real and perceived costs associated with design, development, installation, maintenance, protection recovery and defense against loss andprotection, recovery, and defense against loss and litigation

Asset Valuation ComponentsSome of the components of asset valuation include:

Value retained from the cost of creating the information assetValue retained from past maintenance of the information assetValue retained from past maintenance of the information assetValue implied by the cost of replacing the informationValue from providing the informationValue acquired from the cost of protecting the informationValue acquired from the cost of protecting the informationValue to ownersValue of intellectual propertyVal e to ad e sa iesValue to adversariesLoss of productivity while the information assets are unavailableLoss of revenue while information assets are unavailable

Asset Valuation Approaches

Organization must be able to place a dollar value on each information assets itdollar value on each information assets it owns, based on:

How much did it cost to create or acquire?How much did it cost to create or acquire?How much would it cost to recreate or recover?recover?How much does it cost to maintain?How much is it worth to the organization?How much is it worth to the organization?How much is it worth to the competition?

Asset Valuation Approaches (Continued)

Potential loss is that which could occur from the exploitation of vulnerability or a threat occurrenceThe questions that must be asked include:

What loss could occur, and what financial impact would it have?What would it cost to recover from the attack inWhat would it cost to recover from the attack, in addition to the financial impact of damage?What is the single loss expectancy for each risk?g p y

Asset Valuation Techniquesl l ( )Single loss expectancy (SLE):

value associated with most likely loss from an attackBased on estimated asset value and expectedBased on estimated asset value and expected percentage of loss that would occur from attack:SLE = asset value (AV) x exposure factor (EF)

EF = the percentage loss that would occur from a given vulnerability being exploited

Annualized rate of occurrence (ARO)( )probability of an attack within a given time frame, annualized per year

Annualized loss expectancy (ALE)Annualized loss expectancy (ALE)ALE = SLE x ARO

The Cost Benefit Analysis (CBA) FormulaCBA determines whether or not a control alternative is worth its associated costCBAs may be calculated

Before a control or safeguard is implemented to determine if the control is worth implementingdetermine if the control is worth implementing OR

After controls have been implemented and have pbeen functioning for a time:

CBA = ALE(prior) – ALE(post) – ACS

The Cost Benefit Analysis (CBA) Formula

ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control

ALE(post control) is h d f h l h bthe ALE examined after the control has been in

place for a period of time

ACS isACS is the annual cost of the safeguard

Other Feasibility ApproachesOrganizational feasibility analysis

examines how well the proposed information security alternatives will contribute to operation of an organization

Operational (behavioral) feasibility analysis

Addresses user acceptance and support, management acceptance and support, and

ll i t f i ti ’overall requirements of organization’s stakeholders

Other Feasibility Approaches

Technical feasibility analysisexamines whether or not the organizationexamines whether or not the organization has or can acquire the technology to implement and support the alternatives

Political feasibility analysisdefines what can and cannot occur baseddefines what can and cannot occur based on the consensus and relationships between the communities of interest

BenchmarkingBenchmarking:

Seeking out and studying practices of other organizations that produce desired resultsorganizations that produce desired results Measuring differences between how organizations conduct business

When benchmarking an organization typicallyWhen benchmarking, an organization typically uses one of two measures to compare practices:

Metrics-based measures comparisons based on numerical standards

Process-based measures generally less focused on numbers and are more strategic

Benchmarking (Continued)

In the field of information security, two categories of benchmarks are used:categories of benchmarks are used:

Standards of due care and due diligence, and Best practicesBest practices

Within best practices, the gold standard is a subcategory of practices that area subcategory of practices that are typically viewed as “the best of the best”

Due Care and Due DiligenceFor legal reasons, an organization may be forced to adopt a certain minimum level of securitysecurityDue Care

adopt levels of security for legal defense, d h h h h d hneed to show that they have done what any

prudent organization would do in similar circumstances

D diliDue diligence demonstration that organization is persistent in ensuring implemented standards continue to g pprovide required level of protection

Applying Best Practicesdd h f llAddress the following questions:Does your organization resemble the organization that is implementing the best practice under p g pconsideration?Is your organization in a similar industry? Does your organization face similar challenges? o you o ga a o a a a gIs your organizational structure similar to the organization from which you are modeling the best practices? pCan your organization expend resources that are in line with the requirements of the best practice? Is your organization in a similar threat environmentIs your organization in a similar threat environment as the one cited in the best practice?

Problems with Benchmarking and Best PracticesOrganizations don’t talk to each other

No two organizations are identical

Best practices are a moving target

Simply knowing what was going on a few years ago does not necessarily indicate what to do nextto do next

Risk Appetite

Risk appetitedefines the quantity and nature of risk thatdefines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility

Reasoned approach to risk is one that ppbalances expense against possible losses if exploited

Residual RiskWhen vulnerabilities have been controlled as much as possible, there is often remaining risk th t h t b l t l t d fthat has not been completely accounted for residual riskResidual Risk:Residual Risk:

Risk from a threat less the effect of threat-reducing safeguards plusRisk from a vulnerability less the effect of vulnerability-reducing safeguards plusRisk to an asset less the effect of asset value-s to a asset ess t e e ect o asset a uereducing safeguards

Residual Risk

The significance of residual risk must be judged within the context of anmust be judged within the context of an organization’s risk appetite

The goal of information securityThe goal of information security is not to bring residual risk to zero, but to bring it in line with an organization’sbut to bring it in line with an organization s risk appetite

Documenting Results

When risk management program has been completed,

Series of proposed controls are preparedEach justified by one or more feasibility or

ti li ti hrationalization approaches

At minimum, each information asset-threat pair should have a documented control strategy thatshould have a documented control strategy that

Clearly identifies any residual risk remaining after the proposed strategy has been executedp p gy

Documenting Results

Some organizations document outcome of control strategy for eachoutcome of control strategy for each information asset-threat pair in an action plan

Includes:Concrete tasks, each with accountabilityConcrete tasks, each with accountability assigned to an organizational unit or to an individual

Recommended Risk Control Practices

Each time a control is added to the matrix

It changes the ALE for the associated asset vulnerability as well as othersOne safeguard can decrease risk associated with all subsequent control evaluationsevaluations

May change the value assigned or calculated in a prior estimate.

Qualitative Measures

Quantitative assessment performs asset valuation with actual values or estimatesvaluation with actual values or estimatesAn organization could determine that it cannot put specific numbers on thesecannot put specific numbers on these valuesOrganizations could use qualitativeOrganizations could use qualitative assessments instead, using scales instead of specific estimatesof specific estimates

Delphi Approach

A group rates and ranks assetsThe individual responses are compiledThe individual responses are compiled and sent back to the groupReevaluate and redo the rating/rankingReevaluate and redo the rating/rankingIterate till agreements reached

The OCTAVE MethodOperationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Method:

Defines essential components of a comprehensiveDefines essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation

By following OCTAVE Method organization canBy following OCTAVE Method, organization can make information-protection decisions based on risks to

confidentiality, integrity, and availability of critical information technology assetstechnology assets

Operational or business units and IT department work together to address information security needs of the organizationorganization

Phases of The OCTAVE Method

Phase 1: Build Asset-Based Threat ProfilesOrganizational evaluation Key areas of expertise within organization are examined to elicit important knowledge about:

I f ti tInformation assetsThreats to those assetsSecurity requirements of assetsy qWhat organization is currently doing to protect its information assets

W k i i ti l li i dWeaknesses in organizational policies and practice

Phases of The OCTAVE Method (Continued)

Phase 2: Identify Infrastructure Vulnerabilities

Evaluation of information infrastructure Key operational components of informationKey operational components of information technology infrastructure are examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action

Phases of The OCTAVE Method (Continued)

Phase 3: Develop Security Strategy and PlansRisks are analyzed in this phase Information generated by organizational and information infrastructure evaluations (Phases 1 and 2) is analyzed to:2) is analyzed to:

Identify risks to organization Evaluate risks based on their impact to theEvaluate risks based on their impact to the organization’s mission

Organization protection strategy and risk mitigation l f th hi h t i it i k d l dplans for the highest priority risks are developed

Important Aspects of the OCTAVE MethodThe OCTAVE Method:

Self directedRequires analysis team to conduct evaluation and analyze information

Basic tasks of the team are to:Basic tasks of the team are to:Facilitate knowledge elicitation workshops of Phase 1Gather any necessary supporting data Analyze threat and risk informationDevelop a protection strategy for the organizationDevelop mitigation plans to address risks to theDevelop mitigation plans to address risks to the organization’s critical assets

Important Aspects of the OCTAVE Method (Continued)

OCTAVE Method:Uses workshop-based approach for gathering p pp g ginformation and making decisionsRelies upon the following major catalogs of i f tiinformation:

Catalog of practices: collection of good strategic and operational security practicesp y pThreat profile: range of major sources of threats that an organization needs to consider Catalog of vulnerabilities: collection ofCatalog of vulnerabilities: collection of vulnerabilities based on platform and application

Phases & Processes of the OCTAVE Method

Each phase of the OCTAVE Method contains two or more processes. Each process is made of activities. Phase 1: Build Asset-Based Threat Profiles

Process 1: Identify Senior Management Knowledge Process 2: Identify Operational Area Management KnowledgeKnowledge Process 3: Identify Staff Knowledge Process 4: Create Threat ProfilesProcess 4: Create Threat Profiles

Phases & Processes of the OCTAVE Method (Continued)

Phase 2: Identify Infrastructure VulnerabilitiesVulnerabilities

Process 5: Identify Key ComponentsProcess 6: Evaluate Selected ComponentsProcess 6: Evaluate Selected Components

Phase 3: Develop Security Strategy and PlansPlans

Process 7: Conduct Risk AnalysisP 8 D l P t ti St tProcess 8: Develop Protection Strategy

Preparing for the OCTAVE Method

Obtain senior management sponsorship of OCTAVESelect analysis team members. Train analysis teamySelect operational areas to participate in OCTAVESelect participantsCoordinate logisticsgBrief all participants

The OCTAVE Method

For more information, you can download the OctaveSM method implementation guide from www.cert.org/octave/omig.htmlg/ / g

SummaryIntroduction

Risk Control Strategiesg

Risk Control Strategy Selection

Categories of ControlsCategories of Controls

Feasibility Studies and Cost-Benefit Analysis

Ri k M Di i P iRisk Management Discussion Points

Recommended Risk Control Practices

The OCTAVE Method

Cost-Benefit Analysis, Net Present Value Model,l f d lInternal Rate of Return Model

Return on Investment(Based on Book by Gordon and Loeb)( y )

Cost-benefit framework

CBA widely accepted economic principle forwidely accepted economic principle for managing organizational resourcesRequires cost of activity compared with theRequires cost of activity compared with the benefit

Cost > Benefit?Cost < Benefit?Cost = Benefit?

Cyber security CostOperating Cost

Expenditure that will benefit a single period’s ti ( fi l )operations (one fiscal year)

E.g., cost of patching software to correct breaches in the fiscal year

lCapital InvestmentExpenditure that will benefit for several periods (Appears in balance sheet)(Appears in balance sheet)E.g., purchase of an IDS system (+ personnel cost)

Expect to work at least next few yearsExpect to work at least next few years

Cyber security CostCapital investments lose their economic values

Portion of the investment that has been lostPortion of the investment that has been lost during a particular period is charged to that period

In practice, h di i i i i h f dthe distinction is not straightforward

Some argue Most Cyber security expenditure are operating costsHowever, they have spill over effect – hence could be treated as capital investment

Middle ground!!Middle ground!!

Cyber security Cost : In practice

Most org. treat cyber security expenditure as Operating costs

Accounting and tax rules allow/motivateAccounting and tax rules allow/motivateBy expensing these costs in the year of expenditure, tax savings are realized immediately

Distinction is good (recommended)Distinction is good (recommended)From planning perspective

A good approachView all as capital investments with varying time horizonsOC becomes a special case of CIp

Cost (C) vs. Benefit (B)

Assume B and C can be assessed for different level of cyber security activities

Organization’s goals should beImplement security procedures up to the point where (B-C) is maximumImplementing beyond that point meansImplementing beyond that point means

The incremental costs > the incremental benefitsNet benefit beyond that maximum point is negative

Cost (C) vs. Benefit (B)

Cost-Benefit principleKeep increasing security activities as longKeep increasing security activities as long as the incremental benefits exceed their incremental costs

If security activities can be increased in small amountssmall amounts

Such activities should be set at the point where the incremental (cost = benefit)( )

Total cost (C)

Cost vs BenefitTotal cost/

Total Benefit Total Benefit (B)

Net BenefitSecurity activities are increasing at decreasing rate

There are diminishing associated

Security ActivitiesSA*

There are diminishing associated marginal benefits

Can assume that C hasFixed portion (irrespective of levels ActivitiesSA

Net Benefit

Fixed portion (irrespective of levels of activities)Variable portion (varies with the level of activities)

Security Activities

)Assume to initially increase at decreasing rate and then increase at increasing rate

Activities

SA*Would increase security activities till SA*Would increase security activities till SA*

Net Present Value Model

C and B can be quantified in terms of Net Present Value (NPV)Net Present Value (NPV)NPV

Financial tool for comparting anticipatedFinancial tool for comparting anticipated benefits and costs voer different time periodsperiodsGood way to put CBA into practice

Net Present Value Model

To compute NPV, First discount all anticipated benefits and pcosts to today’s value or present value (PV)NPV = PV – Initial cost of the project

Key aspect of NPV modelCompare the discounted cash flows

i t d ith th f t b fit dassociated with the future benefits and costs to the initial cost of an investment

All costs are in monetary unitAll costs are in monetary unit

Net Present Value Model

∑=

+−+−=n

t

ttto kCBCNPV

1

)1/()(

NPV model is most easily considered in terms of incremental investments

Co: Cost of initial investment

Bt and Ct: ti i t d b fit d t Realistic situation is

Some level of security is already in place (e.g., basic firewalls, access controls)

anticipated benefits and costs, resp., in time period t from the additional security activities

k: )It can be used to compare the incremental costs with incremental benefits associated with increases in SA

Discount rate, which is usually considered an organization’s cost of capitalIt indicates the minimum rate a

j t d t i dproject needs to earn in order that the organization’s value will not be reduced

Net Present Value Model

NPV greater than zeroAccept the incremental security activitiesAccept the incremental security activities

NPV less than zeroReject the incremental security activitiesReject the incremental security activities

NPV = zeroIndifference

k can be used to model risk

Internal Rate of Return (IRR) Model

Also known as economic rate of returnIRR: Is the discount rate that makes the NVP = zero, thus:Decision

IRR k t th SA

∑=

+−=n

t

ttto IRRCBC

1

)1/()(

IRR > k, accept the SAIRR < k, rejectIRR = k, indifferenceIRR k, indifference

To select security investmentsNVP ranking is preffered than IRR ranking

Must-do Projects

Some SA are required by law and hence must be donemust be done

Irrespective of IRR/NVP

ExampleExampleHIPAA compliance requirements

Safeguards must be in place to provideSafeguards must be in place to provide authorized access to patient informationMany outsource SAy

Example 1

Organization wants a new IDSInitial investment is $200,000$ ,

Beginning of the first periodExpected to have a two-year useful lifeAnnual increment benefits generated from the investment is estimated = $400,000Ann al inc emental ope ating cost fo theAnnual incremental operating cost for the system is estimated to be $100,000.Discount rate: 15%Discount rate: 15%

Example 1

What happens if useful life is oneWhat happens if useful life is oneuseful life is one

year?useful life is one

year?

Example 1

Example 2

Initial investment is $280,000Beginning of the first period

Expected to have a two-year useful lifeAnnual increment benefits generated from gthe investment is estimated = $400,000Annual incremental operating cost for the system is estimated to be $100,000.Discount rate: 15%

Example 2

What happens if useful life is oneWhat happens if useful life is oneuseful life is one

year?useful life is one

year?

Example 2

More on kHigher k means lower NVP

Attractiveness of SA will be related to kAttractiveness of SA will be related to kMost corporations use

weighted-average cost of capital (WC) inweighted average cost of capital (WC) in discounting future cash flowsFor risky projects, some premiums may be y p j p yaddedE.g., WC = 15 and k = 20

Example 1 and 2

Return on InvestmentROI is essentially

Last period’s annual profits divided bydivided by

cost of the investment required to generate the profitROI viewed as

Hi t i l f f d f l ti tHistorical measure of performance used for evaluating past investments

NPV & IRRPerformance measures used to make decisions about potential new investmentsUnlike IRR, ROI technically does not consider time value of moneymoney

Return on InvestmentROIs for the two examples

Example 1: 300K/200K * 100% = 150%Example 2: 300K/280K * 100% = 107%Example 2: 300K/280K 100% = 107%

ROI assumes thatThe investment will continue to produce returns of $300 for year 2 3 4 & beyondyear 2, 3, 4 & beyondDramatically overstates the economic rate of return.The more that the returns persist, the better the ROI is an approximation of the IRRapproximation of the IRR

If 300K net benefit could go on forever, the ROI = IRR

Survey shows,Many managers are using ROI acronyms to represent IRRMany managers are using ROI acronyms to represent IRR

Survey