Uploaded by milt; posted 16-Jan-2016.

Page 1: Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology

Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
[email protected]

Risk Management

Learning by Doing: Theory and Practice

IST 515

Page 2

Objectives

This module will familiarize you with the following:

• The basic terminology used in risk management

• The role and importance of risk management practices.

• The identification of asset, threat, and vulnerability.

• Risk assessment methodologies.

• Risk assessment process.

• Risk management principles.

• Controls to identify, rate, and reduce the risk to specific information assets.

Page 3

Readings

• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).

• Stoneburner, G., Goguen, A. and Feringa, A., “Risk Management Guide for Information Technology Systems,” NIST SP 800-30, July 2002. (Required)

• Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J., “Guide for Mapping Types of Information and Information Systems to Security Categories,” NIST SP 800-60, August 2008.

• Wikipedia, “Failure Mode and Effects Analysis,” http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis

• Marquis, H., “Ten Steps to Do It Yourself CRAMM,” 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm

Page 4

Readings - Examples

• Tan, D., “Quantitative Risk Analysis Step-By-Step,” SANS Institute, 2002.

• R. Marchany, “Conducting a Risk Analysis,” in Mark Luker and Rodney Petersen (Eds), Computer and Network Security in Higher Education, Chapter 3, EDUCAUSE. (STAR Project).

• H. P. In, Y.-G. Kim, T. Lee, C.-J. Moon, Y. J., and I. Kim, "A Security Risk Analysis Model for Information Systems," D.-K. Baik (Ed.): AsiaSim 2004, LNAI 3398, Springer, pp. 505-513, 2005. (Quantitative Method)

Page 5

Page 6

Essential Terminologies

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system's security policy.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Page 7

Elements of Risk Management

Page 8

[Figure: elements of risk management. Threats exercise vulnerabilities in assets (data, facilities, hardware, software); safeguards reduce the resulting risk. Risk assessment feeds risk management.]

Risk management options: risk avoidance, risk transfer, risk mitigation, risk acceptance. (NIST SP 800-12)

Page 9

Essential Terminologies

Risk: The possibility of loss (American Heritage Dictionary). The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (NIST SP 800-30). A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.

Risk Management: The technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance, safety measures (Random House Dictionary). Reduces risks by defining and controlling threats and vulnerabilities ((ISC)2). The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30).

Page 10

Examples of Critical Assets

People and skills. Goodwill. Intellectual property. Hardware/software. Data. Documentation. Supplies. Physical plant. Money.

[Figure: assets grouped into logical assets and physical assets, each carrying a value.]

Page 11

Common Computer Threats

Errors and omissions. Fraud and theft. Employee sabotage. Loss of physical and infrastructure support. Malicious hackers. Industrial espionage. Malicious code. Threats to personal privacy. Insider threats.

Page 12

Common Threat Sources

Natural Threats. Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

Human Threats. Malicious outsider or insider, terrorist, spy political, human intervention.

Environmental Threats. Long-term power failure, pollution, chemicals, liquid leakage.

Technical Threats. Hardware/software failure, malicious code, unauthorized use.

Physical Threats. Closed-circuit TV failure, perimeter defense failure.

Operational Threats. Automated or manual process.

Page 13

Human Threats (threat-source, motivation, threat actions)

Hacker, cracker. Motivation: challenge, ego, rebellion. Threat actions: hacking; social engineering; system intrusion, break-ins; unauthorized system access.

Computer criminal. Motivation: destruction of information; illegal information disclosure; monetary gain; unauthorized data alteration. Threat actions: computer crime; fraudulent act; information bribery; spoofing; system intrusion.

Terrorist. Motivation: blackmail; destruction; exploitation; revenge. Threat actions: bomb/terrorism; information warfare; system attack; system penetration; system tampering.

Page 14

Human Threats, continued (threat-source, motivation, threat actions)

Industrial espionage. Motivation: competitive advantage; economic espionage. Threat actions: economic exploitation; information theft; intrusion on personal privacy; social engineering; system penetration; unauthorized system access.

Insider. Motivation: curiosity; ego; intelligence; monetary gain; revenge; unintentional errors and omissions. Threat actions: assault on an employee; blackmail; browsing of proprietary information; computer abuse; fraud and theft; information bribery; input of falsified, corrupted data; interception; malicious code; sale of personal information; system bugs; system intrusion; system sabotage; unauthorized system access.

Page 15

Vulnerabilities

• Flaw or weakness in a system that can be exploited to violate system integrity:
– Security procedures
– Design
– Implementation

• Threats trigger vulnerabilities:
– Accidental
– Malicious

Page 16

Vulnerability Sources

• Previous risk assessment document of the IT system assessed.

• Audit reports, system anomaly reports, security review reports, and system test and evaluation reports.

• Vulnerability lists such as the NIST I-CAT vulnerability database (http://icat.nist.gov).

• Security advisories: vendor advisories; commercial computer/incident/emergency response teams and post lists (e.g., SecurityFocus.com); Information Assurance Vulnerability Alerts and bulletins for military systems.

• System software security analyses.

Page 17

Vulnerability/Threat Pairs (vulnerability, threat-source, threat action)

Vulnerability: Terminated employees' system IDs are not removed from the system. Threat-source: terminated employees. Threat action: dialing into the company's network and accessing company proprietary data.

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server. Threat-source: unauthorized users. Threat action: using telnet to XYZ server and browsing system files with the guest ID.

Vulnerability: The vendor has identified flaws in the security design of the system. Threat-source: unauthorized users. Threat action: obtaining unauthorized access to sensitive system files based on known system vulnerabilities.

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place. Threat-source: fire, negligent persons. Threat action: water sprinklers being turned on in the data center.

Page 18

Types of Risk Analysis

• Quantitative:
– Assigns real numbers to costs of safeguards and damage
– Annual loss exposure (ALE)
– Probability of event occurring
– Can be unreliable/inaccurate

• Qualitative:
– Judges an organization's risk to threats
– Based on judgment, intuition, and experience
– Ranks the seriousness of the threats for the sensitivity of the assets
– Subjective, lacks hard numbers to justify return on investment

Page 19

Process of Quantitative Analysis

• Seek initial management approval.

• Establish a risk assessment team.

• Review information currently available within the organization.

• Estimate the loss: SLE (Single Loss Expectancy). SLE = asset value (in $) × exposure factor (loss in a successful threat exploit, as %).

• Calculate the Annualized Rate of Occurrence (ARO): how often a threat will be successful in exploiting a vulnerability over the period of a year (or likelihood of exploitation).

• Calculate the Annualized Loss Expectancy (ALE): ALE = ARO × SLE.

Page 20

Example of Quantitative Analysis

• Risk = Risk-impact × Risk-probability
– Loss of car: risk-impact is the cost to replace the car, e.g. $10,000
– Probability of car loss: 0.10
– Risk = 10,000 × 0.10 = 1,000

• Generally measured per year: Annual Loss Exposure (ALE)
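The SLE/ARO/ALE chain from the two slides above, worked as an added Python example (not from the slides or the course). It keeps the slide's car scenario ($10,000 asset, total loss, probability 0.10 per year) and adds three constructed scenarios so that the ranking step shows what the numbers are for: ordering threat/vulnerability pairs by annualized loss is what tells you where safeguard budget goes first. The `aro_from_interval` helper is an assumption about how ARO is usually estimated in practice ("once every N years"); the slides state only the formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pair being costed (constructed record type)."""
    name: str
    asset_value: float       # replacement or business value of the asset, in $
    exposure_factor: float   # fraction of asset value lost in one successful exploit (0..1)
    aro: float               # annualized rate of occurrence: successful exploits per year


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = asset value x exposure factor (slide 19 formula)."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        # A percentage typed as 60 instead of 0.6 silently inflates every figure below.
        raise ValueError(f"exposure factor must be a fraction in [0, 1], got {s.exposure_factor}")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = ARO x SLE (slide 19 formula)."""
    if s.aro < 0:
        raise ValueError("ARO cannot be negative")
    return s.aro * sle(s)


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO (assumed convention, not from the slides);
    an interval below one year means more than one event per year."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def rank_by_ale(scenarios):
    """Highest annualized loss first: the order in which safeguard budget is considered."""
    return sorted(scenarios, key=ale, reverse=True)


# Constructed sample data.  CAR reproduces the slide's example; the other three are invented.
CAR = Scenario("loss of car", 10_000, 1.0, 0.10)
SAMPLE = [
    CAR,
    Scenario("laptop theft with unencrypted disk", 2_500, 1.0, aro_from_interval(2)),   # once every 2 years
    Scenario("web server defacement", 200_000, 0.05, 3.0),                              # three times a year
    Scenario("data centre fire", 5_000_000, 0.6, aro_from_interval(25)),               # once every 25 years
]

if __name__ == "__main__":
    for s in rank_by_ale(SAMPLE):
        print(f"{s.name:38s} SLE ${sle(s):>12,.0f}  ARO {s.aro:6.3f}  ALE ${ale(s):>12,.0f}")
```

Note how the ranking differs from a ranking by SLE alone: the fire has the largest single loss, but the defacement, cheap per event, still outranks the laptop and the car because it recurs. That is the point of annualizing.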

Page 21

Elements of Security Risks

Page 22

Classification of Assets, Threats and Vulnerabilities

Asset: 1. Information/Data; 2. Documents; 3. Hardware; 4. Software; 5. Human Resource; 6. Circumstances.

Threat: 1. Human/Non-human; 2. Network/Physical; 3. Technical/Environment; 4. Inside/Outside; 5. Accidental/Deliberate.

Vulnerability: 1. Administering (documents, personnel, regulation); 2. Physical (circumstances or facilities); 3. Technical (hardware, software, communication/network).

Page 23

Example of Risk Analysis

Page 24

Logic of Risk Analysis

• RISK = Loss × Probability

• Loss means the decline of asset value when an asset is exposed to some vulnerabilities.

• Probability means the probability of threat occurrence from the corresponding vulnerabilities.

• Total risk of AM3
= 100 × (0.8 × 0.5 + 0.9 × 0.7 + 0.6 × 0.4) / 3
= 100 × 1.27 / 3
= 42.3

Page 25

The Effectiveness of Risk Mitigation Methods

Vulnerability rate after applying each mitigation method (vaccine / smart card / firewall):

VM1 (unprotected major communication facilities): 0.2 / 0.6 / 0.1*

VM2 (unfit network management): 0.6 / 0.5 / 0.5

VM3 (unprotected storage devices): 0.3 / 0.2 / 0.1

Page 26

Mitigation Effect

• Applying a risk mitigation method to some vulnerabilities can reduce the rate of not only one vulnerability but also several related vulnerabilities simultaneously.

• We can obtain the rate of risk reduction effectively by considering which vulnerabilities are affected by each selected risk mitigation method.

• Risk reduction after applying the firewall
= 100 × (0.1 × 0.5 + 0.5 × 0.7 + 0.1 × 0.4) / 3
= 100 × 0.44 / 3 = 14.7

Page 27

Risk Analysis

• What kind of threats can be reduced?

• What are the residual risks if the risk mitigations are applied?

• What is the ROI of each risk mitigation?

• ROI = Benefit / Cost

• Benefit = (initial risk) - (residual risk after the risk mitigation method is applied)

• Total Cost = Acquisition Cost + Operation Cost + Business Opportunity Cost
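The AM3 model from slides 24 to 27, carried through as an added Python example (not the authors' code). The loss and probability figures and the mitigation table are the slides' own; the annual cost figures are constructed placeholders, because the slides define Total Cost but give no numbers. Two things the arithmetic on the slides does not make explicit: the 14.7 computed on slide 26 is the risk that remains after the firewall, and the reduction (the "benefit" of slide 27) is 42.3 - 14.7 = 27.6; and once cost enters, the most effective method is not automatically the best buy, which is what `best_method` makes visible.

```python
# Asset AM3 (slides 24-25): value 100, three vulnerability models VM1..VM3.
# loss  = fraction of asset value lost when the vulnerability is exercised
# probability = chance of the corresponding threat occurring
ASSET_VALUE = 100.0
LOSS = {"VM1": 0.5, "VM2": 0.7, "VM3": 0.4}
PROBABILITY = {"VM1": 0.8, "VM2": 0.9, "VM3": 0.6}

# Vulnerability rate after a mitigation method is applied (slide 25's table).
# One method lowers several rows at once, which is the "mitigation effect" of slide 26.
MITIGATION = {
    "vaccine":    {"VM1": 0.2, "VM2": 0.6, "VM3": 0.3},
    "smart card": {"VM1": 0.6, "VM2": 0.5, "VM3": 0.2},
    "firewall":   {"VM1": 0.1, "VM2": 0.5, "VM3": 0.1},
}

# Constructed, hypothetical total annual cost per method (acquisition + operation +
# business opportunity cost, slide 27); the slides give the formula but no figures.
COST = {"vaccine": 5.0, "smart card": 12.0, "firewall": 8.0}


def total_risk(probability, loss=LOSS, asset_value=ASSET_VALUE) -> float:
    """RISK = asset value x average over vulnerabilities of (probability x loss), slide 24."""
    if set(probability) != set(loss):
        raise ValueError("probability and loss tables must cover the same vulnerabilities")
    return asset_value * sum(probability[v] * loss[v] for v in loss) / len(loss)


def residual_risk(method: str) -> float:
    """Risk remaining after one method replaces the vulnerability rates (slide 26's calculation)."""
    if method not in MITIGATION:
        raise KeyError(f"unknown mitigation method {method!r}")
    return total_risk(MITIGATION[method])


def benefit(method: str) -> float:
    """Benefit = initial risk - residual risk (slide 27)."""
    return total_risk(PROBABILITY) - residual_risk(method)


def roi(method: str) -> float:
    """ROI = Benefit / Cost (slide 27)."""
    if COST[method] <= 0:
        raise ValueError("cost must be positive")
    return benefit(method) / COST[method]


def rank_methods():
    """Methods ordered by ROI, best first: (method, residual risk, benefit, ROI)."""
    rows = [(m, residual_risk(m), benefit(m), roi(m)) for m in MITIGATION]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def best_method() -> str:
    return rank_methods()[0][0]


if __name__ == "__main__":
    print(f"initial risk of AM3: {total_risk(PROBABILITY):.1f}")
    for m, res, ben, r in rank_methods():
        print(f"{m:11s} residual {res:5.1f}  benefit {ben:5.1f}  ROI {r:5.2f}")
```

With the placeholder costs the firewall buys the largest reduction (27.7) but the vaccine, at less than two-thirds of the cost, has the higher ROI (4.2 against about 3.5); change the `COST` table and the ranking moves, which is exactly the sensitivity slide 18 warns about when it calls quantitative results "unreliable/inaccurate".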

Page 28

Process of Qualitative Assessment

• Seek management approval to conduct the analysis.

• Form a risk assessment team.

• Request related documents.

• Set up interviews with organizational members to identify vulnerabilities, threats and countermeasures.

• Analyze the data: matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, determining the impact to the organization in the event an exploit is successful, and matching current and planned countermeasures (that is, protection) to the threat–vulnerability pair.

• Calculate risk.

• Recommend countermeasures and calculate residual risk.

Page 29

Likelihood Definitions

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Page 30

Magnitude of Impact Definitions

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.

Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.

Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

Page 31

Risk-Level Matrix

Risk score = threat likelihood weight × impact weight. Impact weights: Low (10), Medium (50), High (100).

High likelihood (1.0): Low impact 10 × 1.0 = 10 (Low); Medium impact 50 × 1.0 = 50 (Medium); High impact 100 × 1.0 = 100 (High).

Medium likelihood (0.5): Low impact 10 × 0.5 = 5 (Low); Medium impact 50 × 0.5 = 25 (Medium); High impact 100 × 0.5 = 50 (Medium).

Low likelihood (0.1): Low impact 10 × 0.1 = 1 (Low); Medium impact 50 × 0.1 = 5 (Low); High impact 100 × 0.1 = 10 (Low).

Page 32

Risk Scale and Necessary Actions

High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low: If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
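The qualitative scale of slides 29 to 32 (likelihood weights, impact weights, the nine-cell matrix and the action each level demands), written up as an added Python example rather than anything from the slides. The weights and actions are the slides' own. The two cut-off scores that turn a product into a level (above 50 is High, above 10 is Medium, everything else Low) are not printed on the slides; they are inferred from the nine cells and are labelled as an assumption in the code. The sample findings are constructed in the style of the vulnerability/threat pairs on slide 17.

```python
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # slide 29 / 31
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # slide 30 / 31

ACTION = {  # slide 32, condensed
    "High": "strong need for corrective measures; corrective action plan as soon as possible",
    "Medium": "corrective actions needed; plan within a reasonable period of time",
    "Low": "DAA decides whether corrective actions are still required or accepts the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood weight x impact weight, as in the risk-level matrix."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as err:
        raise ValueError(f"unknown rating {err.args[0]!r}; use High, Medium or Low") from None


def risk_level(score: float) -> str:
    """Map a score to the matrix's level.
    Assumption: thresholds >50 High, >10 Medium, else Low; this reproduces all nine
    cells on slide 31 but the slide itself does not print the cut-offs."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(findings):
    """Rate each (name, likelihood, impact) finding; highest score first.
    Ties keep their input order, so list findings in the order you want them reviewed."""
    rows = []
    for name, lik, imp in findings:
        score = risk_score(lik, imp)
        level = risk_level(score)
        rows.append({"finding": name, "score": score, "level": level, "action": ACTION[level]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed findings (names in the style of slide 17; ratings invented for the example).
FINDINGS = [
    ("terminated employees' system IDs not removed", "High", "Medium"),
    ("guest ID enabled on XYZ server behind inbound telnet", "Medium", "High"),
    ("no tarpaulins over hardware under sprinklers", "Low", "High"),
]

if __name__ == "__main__":
    for row in assess(FINDINGS):
        print(f"{row['score']:5.1f}  {row['level']:6s}  {row['finding']}\n        -> {row['action']}")
```

The first two findings score the same 50 but for different reasons (a likely, medium-impact exposure versus a less likely, high-impact one); the matrix cannot tell them apart, which is why slide 32 leaves the decision on Low and the ordering within a level to people rather than to the score.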

Page 33

Example of Risk Scales

[Figure: 5 × 5 risk scale. Likelihood: 1 Rare, 2 Unlikely, 3 Moderate, 4 Likely, 5 Almost Certain. Impact: 1 Negligible, 2 Low, 3 Medium, 4 Very High, 5 Extreme.]

Page 34

Comments

Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples than we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.

Page 35

Assets and Their Priority

Description of Asset | Machine Name | Priority+

Authentication-authorization services | host1.dept.edu | C
DNS name server | host2.dept.edu | C
Physical plant, environmental servers | host3.dept.edu | C
DNS name server (secondary) | host4.dept.edu | C
Network (routers, servers, modems, etc.) | host5.dept.edu | C
HR database server | host6.dept.edu | E
Payroll server | host7.dept.edu | E
Production control servers | host8.dept.edu | N
Client systems (Win95/NT, Macs) | host9.dept.edu | N
Database group "crash-and-burn" system | host10.dept.edu | N

+ C, critical element; E, essential; N, normal. STAR Project

Page 36

Definition of Priority

• Critical: If the loss of its function would result in the university ceasing to function as a business entity.

• Essential: The loss of the asset would cripple the university's capacity to function, but it could survive for a week or so without the asset. All effort would be made to restore the function within a week.

• Normal: If the loss of the asset resulted in some inconvenience.

STAR Project

Page 37

Asset Weight Matrix to Prioritize IT Assets

Rows and columns are the same six assets (A/A = authentication-authorization services, DNS(p), Plant, DNS(s), Network, HR); the diagonal is blank and the column sums give the total votes.

Asset | A/A | DNS(p) | Plant | DNS(s) | Network | HR
Authentication-authorization services | - | 9 | 9 | 4.5 | 9 | 5
DNS name server (primary) | 0 | - | 9 | 0 | 9 | 5
Physical plant, environmental servers | 0 | 0 | - | 2 | 9 | 4.5
DNS name server (secondary) | 3.5 | 9 | 7 | - | 9 | 5
Network (routers, servers, modems, etc.) | 0 | 0 | 0 | 0 | - | 0
HR database server | 4 | 4 | 3.5 | 4 | 9 | -
Total votes | 7.5 | 22 | 28.5 | 10.5 | 45 | 19.5

STAR Project

Page 38

List of Controls for Critical Risks (risk, description)

Clear text: Clear text data moving among our systems and networks.

Client system access control: Control of access to distributed desktop client workstations.

Construction mistakes: Service interruptions during construction, renovations.

Key person dependency: Too few staff to cover critical responsibilities.

Natural disaster: Flood, earthquake, fire, etc.

Passwords: Selection, security, number of passwords, etc.

Physical security (IS internal): IS private space (machine room, wire closets, offices, etc.).

Physical security (IS external): IS public space (laboratories, classrooms, library, etc.).

Spoofing: E-mail and IP address forgery or circumvention.

Data disclosure: Inappropriate acquisition or release of university data.

System administration practices: Adequacy of knowledge, skills, and procedures.

Operational policies: Appropriate strategies, directions, and policies.

STAR Project

Page 39

Summary of Compliance Matrix

STAR Project

Page 40

Risk Assessment Methodologies

• NIST SP 800-30 and 800-66 (HIPAA).

• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation). Carnegie Mellon University.

• FRAP (Facilitated Risk Analysis Process). Tom Peltier.

• CRAMM (CCTA Risk Analysis and Management Method).

• Spanning Tree Analysis.

• Failure Modes and Effect Analysis.

Page 41

Risk Assessment Methodologies

Method | Source | Feature | Industry

NIST SP 800-30; 800-66 | NIST | Qualitative | Healthcare; HIPAA
OCTAVE | Carnegie Mellon Univ. Software Institute | Qualitative | Software
FRAP (Facilitated Risk Analysis Process) | Tom Peltier, 2005 | Qualitative | General
CRAMM (CCTA Risk Analysis and Management Method) | Central Computing and Telecommunications Agency, 2007 | Qualitative | NATO; Unisys; RAC
Spanning Tree Analysis | (ISC)2 Information Systems Security Engineering Professional | Quantitative | Hardware & software systems
FMEA (Failure Modes and Effect Analysis) | US Military, 1940 | Quantitative | Aerospace; Automotive

Page 42

Risk Assessment Process - NIST

System characterization. Vulnerability identification. Threat identification. Countermeasure identification. Likelihood determination. Impact determination. Risk determination. Additional countermeasures recommendations. Document results.

Page 43

Risk Assessment Activities (steps 1-5; input and output of each step)

1. System Characterization. Input: hardware/software, system interfaces, data & information, people, system mission. Output: system boundary, system functions, system and data criticality, system and data sensitivity.

2. Threat Identification. Input: history of attack, data from intelligence agencies. Output: threat statement.

3. Vulnerability Identification. Input: reports from prior risk assessment, audit comments, security requirements, security test results. Output: list of potential vulnerabilities.

4. Control Analysis. Input: current controls, planned controls. Output: list of current and planned controls.

5. Likelihood Determination. Input: threat-source motivation, threat capacity, nature of vulnerability, current controls. Output: likelihood rating.

Page 44

Risk Assessment Activities (steps 6-9; input and output of each step)

6. Impact Analysis (loss of integrity, loss of availability, loss of confidentiality). Input: mission impact analysis, asset criticality assessment, data criticality, data sensitivity. Output: impact rating.

7. Risk Determination. Input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls. Output: risk and associated risk levels.

8. Control Recommendation. Output: recommended controls.

9. Result Documentation. Output: risk assessment report.

Page 45

Risk Mitigation Action Points

[Figure: decision flow starting from the threat source and the system design. Vulnerability to attack exists? No: no risk. Yes: exploitable? No: no risk. Yes: risk exists; attacker's cost < gain? No: accept risk. Yes: loss anticipated > threshold? No: accept risk. Yes: unacceptable risk.]

Page 46

Page 47

Page 48

How Does Risk Management Work?

[Figure: Risk assessment: define boundaries, scope, and methodology; collect and synthesize data; interpret results. Risk mitigation: select safeguard*; accept residual risk; implement control. Uncertainty enters at every stage.]

* There are many approaches to safeguard selection.

Page 49

Risk Management Cycle

From GAO/AIMD-99-139

Page 50

Risk Management Principles

Risk Avoidance. The practice of coming up with alternatives so that the risk in question is not realized.

Risk Transfer. The practice of passing on the risk in question to another entity, such as an insurance company.

Risk Mitigation. The practice of eliminating or significantly decreasing the level of risk presented. E.g., a company can put countermeasures such as a firewall, IDS, etc. in place to deter malicious users from accessing highly sensitive information.

Risk Acceptance. The practice of simply accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

Page 51

Risk Mitigation Options

Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.

Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).

Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls).

Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.

Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.

Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Page 52

Risk Management Actions

Rows: impact; columns: likelihood (Low / Medium / High).

Significant impact: Considerable management required / Must manage and monitor risks / Extensive management essential.

Moderate impact: Risks may be worth accepting with monitoring / Management effort worthwhile / Management effort required.

Minor impact: Accept risks / Accept, but monitor risks / Manage and monitor risks.

Page 53

Controls

• Mechanisms or procedures for mitigating vulnerabilities

– Prevent

– Detect

– Recover

• Understand cost and coverage of control

• Controls follow vulnerability and threat analysis

Page 54

Risk Mitigation Strategy

When a vulnerability (or flaw, weakness) exists: implement assurance techniques to reduce the likelihood of the vulnerability's being exercised.

When a vulnerability can be exercised: apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.

When the attacker's cost is less than the potential gain: apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain).

When loss is too great: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
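The action-point flow of slide 45 and the four strategies of slide 54 line up one to one: each "yes" on the flowchart is the condition under which one of the strategies applies. The added Python example below (not from the slides) walks a finding through the gates in order, returns the flowchart's verdict, and collects the strategy for every gate answered "yes", so a finding that stops at "accept risk" still carries the assurance recommendation for the vulnerability that does exist. The `Finding` record, the numeric fields for attacker cost, gain, loss and threshold, and the sample findings are all constructed for the example; the slides give the decision points but no data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One threat-source / system-design pairing evaluated at the action points of slide 45
    (constructed record type; field units are an assumption)."""
    name: str
    vulnerability_exists: bool
    exploitable: bool
    attacker_cost: float      # effort the attacker must spend, same units as attacker_gain
    attacker_gain: float
    anticipated_loss: float   # expected loss to the organization, in $
    loss_threshold: float     # management's acceptable-loss threshold, in $


# The strategy that answers each action point (slide 54, condensed).
STRATEGY = {
    "vulnerable": "assurance techniques to reduce the likelihood of the vulnerability being exercised",
    "exploitable": "layered protections, architectural designs and administrative controls",
    "cost_below_gain": "protections that raise the attacker's cost, e.g. limit what a user can access and do",
    "loss_above_threshold": "design principles and technical/nontechnical protections that limit the extent of an attack",
}


def decide(f: Finding):
    """Walk the slide-45 gates in order.  Returns (verdict, strategies), where verdict is
    'no risk', 'accept risk' or 'unacceptable risk' and strategies lists the slide-54
    measure for each gate answered 'yes' before the walk stopped."""
    if f.attacker_cost < 0 or f.attacker_gain < 0 or f.loss_threshold < 0:
        raise ValueError("cost, gain and threshold must be non-negative")
    strategies = []
    if not f.vulnerability_exists:
        return "no risk", strategies
    strategies.append(STRATEGY["vulnerable"])
    if not f.exploitable:
        return "no risk", strategies
    strategies.append(STRATEGY["exploitable"])
    if not f.attacker_cost < f.attacker_gain:
        return "accept risk", strategies
    strategies.append(STRATEGY["cost_below_gain"])
    if not f.anticipated_loss > f.loss_threshold:
        return "accept risk", strategies
    strategies.append(STRATEGY["loss_above_threshold"])
    return "unacceptable risk", strategies


def triage(findings):
    """Group finding names by verdict, the shape a mitigation plan (slide 55) starts from."""
    groups = {"no risk": [], "accept risk": [], "unacceptable risk": []}
    for f in findings:
        verdict, _ = decide(f)
        groups[verdict].append(f.name)
    return groups


# Constructed sample findings; names echo slide 17, every number is invented.
SAMPLE_FINDINGS = [
    Finding("design flaw in a module that is not deployed", True, False, 0, 0, 0, 0),
    Finding("guest ID on XYZ server reachable through inbound telnet", True, True, 10, 5_000, 250_000, 50_000),
    Finding("crash-and-burn test box with no data of value", True, True, 500, 50, 1_000, 50_000),
    Finding("stale ID on a low-value kiosk", True, True, 10, 500, 2_000, 50_000),
    Finding("payroll server, vendor-announced flaw, patched", False, False, 0, 0, 0, 0),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        verdict, strategies = decide(f)
        print(f"{verdict:18s} {f.name}")
        for s in strategies:
            print(f"    - {s}")
```

Reading the gates in this order matters: an attacker cost check placed before the exploitability check would let a cheap-to-attack but unreachable weakness be reported as a risk, and a threshold check placed first would silently discard small-loss findings that the flowchart still wants marked "accept risk" rather than "no risk", which is the difference between a documented decision and no record at all.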

Page 55

Risk Mitigation Activities (input and output of each step)

1. Prioritize Actions. Input: risk levels from the risk assessment report. Output: actions ranking from high to low.

2. Evaluate Recommended Control Options (feasibility, effectiveness). Input: risk assessment report. Output: list of possible controls.

3. Conduct Cost-Benefit Analysis (impact of implementing, impact of not implementing, associated costs). Output: cost-benefit analysis.

4. Select Controls. Output: selected controls.

5. Assign Responsibility. Output: list of responsible persons.

6. Develop Safeguard Implementation Plan (risks and associated risk levels, prioritized actions, recommended controls, selected planned controls, responsible persons, start date, target completion date, maintenance requirements). Output: safeguard implementation plan.

7. Implement Selected Controls. Output: residual risks.

Page 56

Categories of Security Control

Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization's mission. An organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for its IT systems and organization.

Technical Controls. These controls usually involve system architecture, engineering disciplines, and security packages with a mix of hardware, software, and firmware.

Management Controls. These controls focus on the stipulation of information protection policy, guidelines, and standards.

Operational Controls. These controls ensure that security procedures are properly enforced and implemented in accordance with the organization’s goals and mission.

Page 57

Framework of Technical Security Controls

[Figure: a user or process requests a resource; the technical controls are grouped by function.]

Support: identification; cryptographic key management; security administration; system protections (least privilege, object reuse, process separation).

Prevent: protected communications (safe from disclosure, substitution, modifications & replay); authentication; authorization; access control enforcement; non-repudiation; transaction privacy.

Detect, Recover: audit; intrusion detection and containment; proof of wholeness; state restore.

Page 58

Management Security Controls

Preventive: Assign security responsibility. Develop and maintain the system security plan. Implement personnel security controls such as separation of duties, least privilege, and user computer access registration and termination. Conduct security awareness and technical training.

Detection: Implement personnel security controls such as personnel clearance, background investigations, rotation of duties. Conduct periodic review of security controls. Perform periodic system audits. Conduct ongoing risk management. Authorize IT systems to address and accept residual risk.

Page 59

Management Security Controls

Recovery: Provide continuity of support and develop, test, and maintain the continuity of operations plan. Establish an incident response capability to prepare for, recognize, report, and respond to the incident and return the system to operational status.

Page 60

Operational Security Controls

Preventive: Control data media access and disposal (e.g., physical access control, degaussing method). Limit external data distribution (e.g., use of labeling). Control software viruses. Safeguard the computing facility. Secure wiring closets that house hubs and cables. Provide backup capability. Establish off-site storage procedures and security. Protect laptops, personal computers (PC), workstations. Protect IT assets from fire damage. Provide an emergency power source. Control the humidity and temperature of the computing facility.

Detection: Provide physical security. Ensure environmental security.

Page 61

Potential Projects

• Developing a risk management plan.

• A qualitative risk assessment approach to xxx.

• A quantitative risk assessment approach to xxx.

• A comparative analysis of risk assessment methods.