
Upload: truonglien

Post on 18-Jun-2018


MCE14 INFORMATION SECURITY

CCET PREPARED BY : S.PON SANGEETHA /AP

UNIT III --- SECURITY ANALYSIS

TABLE OF CONTENTS

3.1. Risk Management
     Introduction
     An Overview of Risk Management
3.2. Risk Identification
3.3. Assessing Risk
3.4. Risk Control Strategies
3.5. Selecting a Risk Control Strategy
3.6. Risk Management Discussion Points
3.7. Summary
3.8. Review Questions


CHAPTER 1: Risk Management

Introduction:

The formal process of identifying and controlling the risks facing an organization is called

risk management.

This process is made up of two major undertakings:

a) Risk Identification

b) Risk Control

The first of these, risk identification, is the process of examining and documenting the security posture of an organization's information technology and the risks it faces. Risk assessment is the documentation of the results of risk identification.

The second major undertaking, risk control, is the process of applying controls to reduce the risks to an organization's data and information systems.


Risk management is also used in the public sector to identify and mitigate risk to critical

infrastructure. For the most part, these methodologies consist of the following elements,

performed, more or less, in the following order.

identify assets and identify which are most critical

identify, characterize, and assess threats

assess the vulnerability of critical assets to specific threats

determine the risk (i.e. the expected consequences of specific types of attacks on

specific assets)

identify ways to reduce those risks

prioritize risk reduction measures based on a strategy

An Overview of Risk Management:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu, The Art of War)

a) Know yourself

b) Know the enemy

In an organization, it is the responsibility of each community of interest to manage the risks that the organization encounters. Each community of interest has a role to play, as outlined below:

a) Information Security

b) Management and users

c) Information Technology


CHAPTER 2: Risk Identification

3.1. Risk management

Risk management involves identifying, classifying and prioritizing an organization's information assets, threats and vulnerabilities. Risk identification determines which risks have the potential to affect the project and documents the characteristics of those risks. Risk identification begins after the Risk Management Plan is constructed and continues iteratively throughout project execution. The risk identification process naturally progresses into the Qualitative Risk Analysis or the Quantitative Risk Analysis process. It is sometimes wise to record a candidate response alongside a risk when it is identified, so that the response is carried into Risk Response Planning.

At the beginning of the Risk Identification process it is a good idea to have gathered all of

the inputs you and your team will need. The inputs to the Risk Identification Process are:

an understanding of the project’s mission, scope, schedule, cost, Work Breakdown

Structure (WBS), quality criteria, and other elements.

Risk Management Plan - The Risk Management Plan provides the blueprint of overseeing

risk management throughout the project describing who, what, when, where, why, and

how. The Risk Management Plan provides the following four critical inputs to Risk

Identification:

Assignment of roles and responsibilities - identifying the who of risk

management by assigning the handling of specific tasks and roles to specific

individuals.

Budget provisions for risk-management activities - The approved funds

available for risk-management activities. You will need to track your actual costs

against these approved budget numbers.

Schedule for risk management - The revised schedule including the time needed

for risk-management activities over the duration of the project’s life cycle.


Categories of risk - The risk categories are used during Risk Identification to

organize and prioritize risks as they are identified. Alternatively, the Risk

Breakdown Structure (RBS) may be the source of risk categories.

Project Scope Statement - The project scope statement defines the project

boundaries and assumptions. During Risk Identification, risks to boundaries must

be identified in order to mitigate scope creep, and assumptions must be reassessed

to identify risks associated with them.

Organizational process assets - Organizational process assets provide information

from prior projects including historical information and lessons learned.

Enterprise environmental factors - These factors include any and all external

environmental factors and internal organizational environmental factors that

surround or influence the project’s success, such as organizational culture and

structure, infrastructure, existing resources, commercial databases, market

conditions, and project management software. After gathering all necessary inputs, it is time to employ the recommended tools and techniques of risk identification. The tools and techniques are:

Documentation reviews - Documentation reviews involve comprehensively

reviewing the project documents and assumptions from the project overview and

detailed scope perspective in order to identify areas of inconsistency or lack of

clarity. Missing information and inconsistencies are indicators of a hidden risk.

Information gathering techniques - Information gathering techniques are used to

develop lists of risks and risk characteristics. Each technique is helpful for collecting a

particular kind of information. The five techniques are:

Brainstorming - Brainstorming is employed as a general data-gathering and creativity technique for identifying risks, ideas, or solutions to issues. It uses a group of team members or subject-matter experts who build on each other's ideas to generate new ones.

Delphi technique - The Delphi technique gathers information from experts, anonymously, about the likelihood of future events (risks) occurring. Anonymity reduces bias and prevents any one expert from having undue influence on the others.


Interviewing - Interviewing, a face-to-face meeting with project participants, stakeholders, subject-matter experts, and individuals who took part in similar past projects, is a technique for gaining first-hand information and benefiting from others' experience and knowledge.

Root cause identification - Root cause identification is a technique for identifying

essential causes of risk. Using data from an actual risk event, the technique enables you

to find out what happened and how it happened, and understand why it happened, so

that you can devise responses to prevent recurrences.

Strengths, weaknesses, opportunities, and threats (SWOT) analysis – A SWOT

analysis examines the project from the perspective of each project’s strengths,

weaknesses, opportunities, and threats to increase the breadth of the risks considered

by risk management.

Checklist analysis - Checklists list all identified or potential risks in one place.

Checklists are commonly developed from historical information or lessons learned. The

Risk Breakdown Structure (RBS) can also be used as a checklist. Just keep in mind that

checklists are never comprehensive, so using another technique is still necessary.

Assumptions analysis - All projects are initially planned on a set of assumptions and what-if scenarios. These assumptions are documented in the Project Scope Document.

During Risk Identification, assumptions are analyzed to determine the amount of

inaccuracy, inconsistency, or incompleteness associated with them.

Diagramming techniques - Diagramming techniques, such as system flow charts,

cause-and-effect diagrams, and influence diagrams are used to uncover risks that aren’t

readily apparent in verbal descriptions.

Cause and effect diagrams - Cause and effect diagrams, or fishbone diagrams, are used for identifying the causes of risk.

System or process flow charts - Flow charts illustrate how elements and processes

interrelate.

Influence diagrams - Influence diagrams depict causal influences, the time ordering of events, and other relationships between input variables and output variables.

Risk identification begins with identifying the organization's assets and assessing their value, as shown in the following Figure.

Figure: Components of Risk Management

3.2. ASSET IDENTIFICATION AND VALUATION

This iterative process begins with the identification of assets, which includes all elements of an organization's system (people, procedures, data and information, software, hardware, networking). Assets are then classified and categorized, as shown in the following Table.


3.2.1 People, Procedures, and Data Asset Identification

Human resources, documentation, and data and information assets are more difficult to identify. People with knowledge, experience, and good judgment should be assigned this task. These assets should be recorded using a reliable data-handling process. Asset attributes for people are position name, number and ID; supervisor; security clearance level; and special skills.

Asset attributes for procedures are description; intended purpose; relationship to software and hardware; and storage location, for reference and for updates. Asset attributes for data are classification; owner, creator and manager; size of the data structure; data structure used; online or offline; location; and backup procedures employed.

3.2.2 Hardware, Software, and Network Asset Identification

What information attributes to track depends on:

Needs of organization/risk management efforts

Management needs of information security/information technology communities

Asset attributes to be considered are: name; IP address; MAC address; element type; serial

number; manufacturer name; model/part number; software version; physical or logical

location; controlling entity.


3.2.3 Information Asset Classification

Many organizations have data classification schemes (e.g., confidential, internal, public

data). Classification of components must be specific to allow determination of priority

levels. Categories must be comprehensive and mutually exclusive.

3.2.4 Information Asset Valuation

Questions help develop criteria for asset valuation: which information asset

is most critical to organization’s success?

generates the most revenue/profitability?

would be most expensive to replace or protect?

would be the most embarrassing or cause greatest liability if revealed?

The following Figure shows a sample worksheet for the Asset Identification of information

system.

3.2.5 Listing Assets in Order of Importance


A weight should be assigned to each category (valuation criterion) based on the answers to the questions above. The relative importance of each asset is then calculated using weighted factor analysis: each asset is scored against each criterion, each score is multiplied by the criterion's weight, and the products are summed. The assets are listed in order of importance on a weighted factor analysis worksheet. In the following Table, the scores range from 0.1 to 1.0, as recommended by NIST.
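As an added worked example (written for this edit, not part of the notes), the weighted factor analysis worksheet in Python. The three criteria, their weights (which must sum to 100) and the four assets with their 0.1 to 1.0 scores are constructed sample data, and the names worksheet_problems, weighted_score and rank_assets are chosen here. The validation step is the part a practitioner usually skips and later regrets: a worksheet whose weights do not sum to 100, or whose scores fall outside 0.1 to 1.0, still produces a ranking, just a meaningless one.

```python
"""Weighted factor analysis for listing information assets in order of importance.

Added example for the notes' section 3.2.5; criteria, weights and scores are
constructed sample data, not figures from the notes.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: float  # relative weight of this criterion; all weights must sum to 100


@dataclass
class Asset:
    name: str
    scores: dict[str, float] = field(default_factory=dict)  # criterion name -> score in 0.1..1.0


def worksheet_problems(criteria: list[Criterion], assets: list[Asset]) -> list[str]:
    """Return the worksheet conventions that are violated (empty list means usable)."""
    problems = []
    total = sum(c.weight for c in criteria)
    if abs(total - 100.0) > 1e-9:
        problems.append(f"criterion weights sum to {total}, not 100")
    names = {c.name for c in criteria}
    for a in assets:
        for missing in sorted(names - a.scores.keys()):
            problems.append(f"{a.name}: no score for {missing!r}")
        for crit, s in a.scores.items():
            if crit not in names:
                problems.append(f"{a.name}: unknown criterion {crit!r}")
            elif not 0.1 <= s <= 1.0:
                problems.append(f"{a.name}: score {s} for {crit!r} is outside 0.1..1.0")
    return problems


def weighted_score(asset: Asset, criteria: list[Criterion]) -> float:
    """Weighted factor analysis: sum over criteria of (weight x score), one decimal."""
    return round(sum(c.weight * asset.scores[c.name] for c in criteria), 1)


def rank_assets(assets: list[Asset], criteria: list[Criterion]) -> list[tuple[str, float]]:
    """Assets in order of importance, highest weighted score first."""
    problems = worksheet_problems(criteria, assets)
    if problems:
        raise ValueError("; ".join(problems))
    scored = [(a.name, weighted_score(a, criteria)) for a in assets]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample worksheet (not figures from the notes).
CRITERIA = [
    Criterion("impact to revenue", 30),
    Criterion("impact to profitability", 40),
    Criterion("impact to public image", 30),
]
ASSETS = [
    Asset("Customer order database",
          {"impact to revenue": 1.0, "impact to profitability": 1.0, "impact to public image": 0.8}),
    Asset("Public marketing website",
          {"impact to revenue": 0.3, "impact to profitability": 0.2, "impact to public image": 1.0}),
    Asset("Internal wiki",
          {"impact to revenue": 0.1, "impact to profitability": 0.1, "impact to public image": 0.2}),
    Asset("Payroll system",
          {"impact to revenue": 0.2, "impact to profitability": 0.6, "impact to public image": 0.7}),
]

if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:6.1f}  {name}")
```

With the sample data the order is customer order database (94.0), payroll system (51.0), marketing website (47.0), internal wiki (13.0); changing the weights, for instance raising the weight of public image, reorders the website and payroll entries, which is exactly the sensitivity the worksheet is meant to expose.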


3.2.6 Data Classification and Management

Corporate and military organizations use a variety of classification schemes. Information owners are responsible for classifying their information assets, and the classifications must be reviewed periodically so that the protection applied remains appropriate.


The information classifications are as follows

Confidential: Used for the most sensitive information that must be tightly

controlled.

Internal: Used for all internal information

External: Used for all information approved for public release.

3.2.7 Security Clearances

In a security clearance scheme, each data user is assigned a single level of authorization that indicates the highest classification level they may access. Before accessing a specific set of data, the employee must also meet the need-to-know requirement for it. This extra level of protection ensures that confidentiality is maintained.

3.2.8 Management of Classified Data

Management of classified data includes its storage, distribution, portability, and destruction. All information that is not unclassified or public must be clearly marked with its classification. A clean desk policy requires that all information be stored in an appropriate storage container at the end of each day; unneeded copies of classified information should be destroyed after double verification. Otherwise, dumpster diving (retrieving discarded documents from waste bins) can recover that information and compromise information security.

3.2.9 Threat Identification

After identifying and performing a preliminary classification of an organization's information assets, the analysis phase moves on to an examination of the threats facing the organization. The realistic threats need to be investigated further, while the unimportant threats are set aside.

The examination that identifies and prioritizes threats and threat agents is known as threat assessment. Each threat can be addressed using the following questions:

Which threats present danger to assets?

Which threats represent the most danger to information?

How much would it cost to recover from attack?

Which threat requires greatest expenditure to prevent?


3.2.10 Vulnerability Identification

Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities. Examine how each threat could be perpetrated and list the organization's assets and their vulnerabilities. The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions. At the end of the risk identification process, a list of assets and their vulnerabilities has been produced.


CHAPTER 3: Assessing Risks

3.1. Risk assessment

Risk assessment is a step in the risk management process. Risk assessment is the determination of the quantitative or qualitative value of the risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires the calculation of the two components of risk R: the magnitude of the potential loss L, and the probability p that the loss will occur.

3.2. Risk assessment in information security

There are two methods of risk assessment in the information security field, qualitative and quantitative. A purely quantitative risk assessment is a mathematical calculation based on security metrics for the asset (system or application). A qualitative risk assessment is performed when the organization requires a risk assessment to be completed in a relatively short time or on a small budget, when a significant quantity of relevant data is not available, or when the persons performing the assessment do not have the mathematical, financial, and risk assessment expertise that a quantitative assessment requires. A qualitative risk assessment can be performed in a shorter period of time and with less data. Qualitative risk assessments are typically performed through interviews with a sample of personnel from all relevant groups within the organization that are charged with the security of the asset being assessed. Qualitative risk assessments are descriptive rather than measurable.

3.3. Likelihood

Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of the risk mitigated by current controls, plus the uncertainty of current knowledge of the vulnerability. Risk assessment evaluates the relative risk for each vulnerability and assigns a risk rating or score to each information asset.

3.4. Valuation of Information Assets


Assign weighted scores for the value of each asset; the actual numbers used can vary with the needs of the organization. To be effective, assign values by asking questions:

Which threats present danger to assets?

Which threats represent the most danger to information?

How much would it cost to recover from attack?

Which threat requires greatest expenditure to prevent?

Finally: which of the above questions for each asset is most important to protection

of organization’s information?

3.5. Risk Determination

For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence TIMES value (or impact) MINUS percentage of risk already controlled PLUS an element of uncertainty.

For example:

Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls, and you estimate that the assumptions and data are 90% accurate (an uncertainty of 10%).

Information asset B has a value score of 100 and has two vulnerabilities. Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50% of its risk; Vulnerability 3 has a likelihood of 0.1 with no current controls. For both, you estimate that the assumptions and data are 80% accurate (an uncertainty of 20%).

The percentages are taken of the product (value x likelihood), so the resulting ranked list of risk ratings for the three vulnerabilities is:

Asset A, Vulnerability 1: rated 55 = (50 x 1.0) - 0% + 10%
where 55 = (50 x 1.0) - ((50 x 1.0) x 0.0) + ((50 x 1.0) x 0.1)
55 = 50 - 0 + 5

Asset B, Vulnerability 2: rated 35 = (100 x 0.5) - 50% + 20%
where 35 = (100 x 0.5) - ((100 x 0.5) x 0.5) + ((100 x 0.5) x 0.2)
35 = 50 - 25 + 10

Asset B, Vulnerability 3: rated 12 = (100 x 0.1) - 0% + 20%
where 12 = (100 x 0.1) - ((100 x 0.1) x 0.0) + ((100 x 0.1) x 0.2)
12 = 10 - 0 + 2
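The same calculation as an added Python example (not from the notes). It reproduces the three ratings above and then sorts them into the ranked list. The Vulnerability record, the risk_rating and ranked_worksheet functions, and the reading of "90% accurate" as a 10% uncertainty term are this example's own choices.

```python
"""Relative risk rating: (value x likelihood) - controlled share + uncertainty share.

Added example for the notes' section 3.5; the three vulnerabilities are the
notes' own example, everything else (names, range checks) is chosen here.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    asset_value: float   # value score of the asset (the notes use 50 and 100)
    likelihood: float    # likelihood of occurrence, 0.0..1.0
    controlled: float    # fraction of the risk that current controls already address, 0..1
    uncertainty: float   # fraction added for imperfect knowledge (1 - accuracy of the data), 0..1


def _fraction(label: str, x: float) -> float:
    """The three multipliers are fractions; anything else is a data-entry error."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{label} must be between 0 and 1, got {x}")
    return x


def risk_rating(v: Vulnerability) -> float:
    """risk = base - base x controlled + base x uncertainty, base = value x likelihood.

    The percentages in the notes are percentages of the product value x
    likelihood, which is why 50 x 1.0 with 10% uncertainty gives 55, not 50.1.
    """
    base = v.asset_value * _fraction("likelihood", v.likelihood)
    rating = (base
              - base * _fraction("controlled", v.controlled)
              + base * _fraction("uncertainty", v.uncertainty))
    return round(rating, 1)


def ranked_worksheet(vulns: list[Vulnerability]) -> list[tuple[str, str, float]]:
    """(asset, vulnerability, rating) rows, highest rating first."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The three vulnerabilities from the notes' example.  Asset B's 20% is the
# uncertainty the notes' arithmetic uses, i.e. data assumed 80% accurate.
NOTES_EXAMPLE = [
    Vulnerability("Asset A", "Vulnerability 1", asset_value=50, likelihood=1.0, controlled=0.0, uncertainty=0.10),
    Vulnerability("Asset B", "Vulnerability 2", asset_value=100, likelihood=0.5, controlled=0.5, uncertainty=0.20),
    Vulnerability("Asset B", "Vulnerability 3", asset_value=100, likelihood=0.1, controlled=0.0, uncertainty=0.20),
]

if __name__ == "__main__":
    for asset, name, rating in ranked_worksheet(NOTES_EXAMPLE):
        print(f"{rating:5.1f}  {asset}  {name}")
```

One property of the formula worth noticing when reading a worksheet: because the uncertainty term is added as a share of the base, a vulnerability whose current controls address 100% of its risk still carries a positive rating whenever the uncertainty is nonzero. That is intended (you are not sure the control works as believed), but it means a "fully controlled" line never drops to zero.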


3.6. Identify Possible Controls

For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas. Residual risk is the risk that remains to an information asset even after existing controls have been applied.

3.7 Access Controls

Access controls govern the admission of a user into a trusted area of the organization. They consist of a combination of policies and technologies. The different ways to control access are:

Mandatory access controls (MAC) - access is enforced by the system according to the classification of the data and the clearance of the user, so users have limited control over access to information resources.

Lattice-based access control - a variation of MAC in which users are assigned a matrix of authorizations for particular areas of access.

Nondiscretionary controls - managed by a central authority in the organization; can be based on an individual's role (role-based controls) or on a specified set of assigned tasks (task-based controls).

Discretionary access controls (DAC) - implemented at the discretion or option of the data user, who decides which other users may access the data.
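An added Python example (not from the notes) of the lattice-based MAC check implied by 3.2.7 and the MAC entry above: a user's clearance is a classification level plus a set of need-to-know categories, and the user may read data only when that clearance dominates the data's label in the lattice. The level names follow the notes' scheme (External below Internal below Confidential); the compartment names, users and documents are constructed, and the write rule is the standard Bell-LaPadula no-write-down rule, which the notes do not discuss but which a lattice model normally enforces.

```python
"""Lattice-based mandatory access control with need-to-know compartments.

Added example for the notes' sections 3.2.7 and 3.7.  Levels are the notes'
scheme; compartments, users and documents are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Classification levels from the notes' scheme, lowest to highest.
LEVELS = {"external": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Label:
    """A point in the lattice: a classification level plus need-to-know categories."""
    level: str
    compartments: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level {self.level!r}")

    def dominates(self, other: Label) -> bool:
        """Lattice order: at least as high a level AND a superset of the compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def can_read(clearance: Label, data: Label) -> bool:
    """Simple security rule: read only what the clearance dominates
    (level high enough AND need-to-know for every compartment of the data)."""
    return clearance.dominates(data)


def can_write(clearance: Label, data: Label) -> bool:
    """No-write-down rule (Bell-LaPadula *-property, assumed here): write only to
    labels that dominate the subject's own, so confidential content cannot be
    copied into an internal or external document."""
    return data.dominates(clearance)


def authorization_matrix(users: dict[str, Label], objects: dict[str, Label]) -> dict[tuple[str, str], str]:
    """The 'matrix of authorizations' the notes mention: one entry per (user, object)
    holding the access modes the lattice allows: 'r', 'w', 'rw' or ''."""
    matrix = {}
    for user, clearance in users.items():
        for obj, label in objects.items():
            modes = ("r" if can_read(clearance, label) else "") + ("w" if can_write(clearance, label) else "")
            matrix[(user, obj)] = modes
    return matrix


# Constructed sample users and documents (not from the notes).
USERS = {
    "alice": Label("confidential", frozenset({"payroll"})),
    "bob": Label("internal"),
}
OBJECTS = {
    "payroll_file": Label("confidential", frozenset({"payroll"})),
    "merger_memo": Label("confidential", frozenset({"merger"})),
    "staff_handbook": Label("internal"),
    "press_release": Label("external"),
}

if __name__ == "__main__":
    for (user, obj), modes in sorted(authorization_matrix(USERS, OBJECTS).items()):
        print(f"{user:6} {obj:15} {modes or '-'}")
```

The merger memo is the case to study: alice holds a Confidential clearance, the same level as the memo, yet cannot read it because she lacks the "merger" need-to-know. Clearance level alone is not enough, which is the point of the extra need-to-know check in 3.2.7.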

3.8 Documenting the Results of Risk Assessment

The goal of this process is to identify the information assets, list them, and rank them according to which most need protection. The final summary is the ranked vulnerability risk worksheet. The worksheet is organized by asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor. The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk. The following Table shows a sample of the worksheet.


CHAPTER 4: Risk Control Strategies

Once the ranked vulnerability risk worksheet has been created, the organization must choose one of the following four strategies to control each risk:

Apply safeguards (avoidance) that eliminate or reduce the remaining uncontrolled

risks for the vulnerability.

Transfer the risk (transference) to other areas or to outside entities.

Reduce impact (mitigation) should the vulnerability be exploited.

Understand consequences and accept risk (acceptance) without control or

mitigation.

Avoidance

Attempts to prevent exploitation of the vulnerability

Preferred approach; accomplished through countering threats, removing asset

vulnerabilities, limiting asset access, and adding protective safeguards

Three common methods of risk avoidance:

Application of policy

Training and education

Applying technology

Transference

A control approach that attempts to shift risk to other assets, processes, or organizations.

If the organization lacks security management and administration expertise, it should hire individuals or firms that provide it.

The organization may then transfer the risk associated with the management of complex systems to another organization experienced in dealing with those risks.


Mitigation

Attempts to reduce the impact of vulnerability exploitation through planning and preparation.

The approach includes three types of plans:

Incident response plan (IRP)

Disaster recovery plan (DRP)

Business continuity plan (BCP)

Acceptance

Doing nothing to protect against a vulnerability and accepting the outcome of its exploitation.

Valid only when the particular function, service, information, or asset does not justify the cost of protection.

Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls.


CHAPTER 5: Selecting a Risk Control Strategy

Risk control involves selecting one of the four risk control strategies for each vulnerability. The decision flowchart is shown in the following Figure.

When weighing the benefits of the different strategies, keep in mind that the level of threat and the value of the asset should play a major role in strategy selection. Rules of thumb for strategy selection apply in the following situations:

When a vulnerability exists

When a vulnerability can be exploited

When the attacker's cost is less than the potential gain

When the potential loss is substantial


3.5.1.Evaluations, Assessment, and Maintenance of Risk Controls

Once a control strategy has been implemented, it should be monitored and measured on an ongoing basis to determine the effectiveness of the security controls and the accuracy of the estimate of the residual risk. The following Figure shows how this cyclical process continues for as long as the organization continues to function.

3.5.2.Categories of Controls

Controlling risk through avoidance, mitigation or transference is accomplished by implementing controls. There are four effective ways to categorize controls when selecting them:

Control function: Controls (safeguards) designed to defend systems are either preventive or detective.

Architectural layer: Some controls apply to one or more layers of the organization's technical architecture.

Strategy layer: Controls are sometimes classified by the risk control strategy (avoidance, mitigation, transference) in which they operate.

Information security principle: Controls can be classified according to the characteristics of secure information they are intended to assure. These characteristics include confidentiality, integrity, availability, authentication, authorization, accountability and privacy.

3.5.3.Feasibility Studies

Before deciding on a strategy, all information about the economic and non-economic consequences of the vulnerability of an information asset must be explored. A number of ways exist to determine the advantage of a specific control.

a) Cost Benefit Analysis (CBA)

The most common approach for information security controls is to assess the economic feasibility of implementation. CBA begins by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised. The formal process of documenting this is called a cost benefit analysis or economic feasibility study. Items that affect the cost of a control or safeguard include: cost of development; training fees; implementation cost; service costs; and cost of maintenance.

Benefit is the value an organization realizes by using controls to prevent losses associated with a vulnerability. Asset valuation is the process of assigning a financial value or worth to each information asset; there are many components to asset valuation.

Once the worth of the various assets is estimated, the potential loss from exploitation of a vulnerability is examined. The process results in an estimate of the potential loss per risk. The expected loss per risk is stated in the following equation:

Annualized loss expectancy (ALE) = Single loss expectancy (SLE) x Annualized rate of occurrence (ARO)

where SLE = asset value (AV) x exposure factor (EF), the exposure factor being the fraction of the asset's value lost in a single occurrence.

b) The Cost Benefit Analysis (CBA) Formula

CBA determines whether or not the control alternative being evaluated is worth the cost incurred to control the vulnerability. CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control:

CBA = ALE (prior) - ALE (post) - ACS

where

ALE (prior) is the annualized loss expectancy of the risk before implementation of the control;

ALE (post) is the estimated ALE based on the control being in place for a period of time;

ACS is the annualized cost of the safeguard.

A positive CBA means the control is expected to prevent more loss per year than it costs per year.
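An added Python example (not from the notes) that carries the ALE and CBA formulas through one scenario. The asset value, exposure factor, occurrence rates, safeguard costs and three-year service life are constructed figures, and the names Exposure, annualized_cost, cba and is_worthwhile are chosen here. It also shows the step the formula hides: turning a one-time implementation cost plus yearly running costs into the annualized cost of the safeguard (ACS).

```python
"""Annualized loss expectancy and cost-benefit analysis of a safeguard.

Added example for the notes' section 3.5.3 (a) and (b); the scenario figures
are constructed, not taken from the notes.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Loss profile of one asset against one vulnerability."""
    asset_value: float      # AV: worth of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single incident, 0..1
    annual_rate: float      # ARO: expected incidents per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"exposure factor must be between 0 and 1, got {self.exposure_factor}")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        if self.annual_rate < 0:
            raise ValueError("annualized rate of occurrence cannot be negative")
        return self.sle() * self.annual_rate


def annualized_cost(one_time_cost: float, yearly_running_cost: float, service_years: int) -> float:
    """ACS: spread the implementation cost over the safeguard's service life and
    add the yearly running costs (maintenance, training, service fees)."""
    if service_years <= 0:
        raise ValueError("service life must be at least one year")
    return one_time_cost / service_years + yearly_running_cost


def cba(prior: Exposure, post: Exposure, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS.  Positive: the safeguard saves more than it costs."""
    return prior.ale() - post.ale() - acs


def is_worthwhile(prior: Exposure, post: Exposure, acs: float) -> bool:
    return cba(prior, post, acs) > 0


# Constructed scenario (not from the notes): a public web server that is
# defaced about twice a year; a web application firewall plus hardening is
# expected to cut that to once every four years without changing the damage
# done per incident.
BEFORE = Exposure(asset_value=250_000, exposure_factor=0.40, annual_rate=2.0)   # SLE 100,000, ALE 200,000
AFTER = Exposure(asset_value=250_000, exposure_factor=0.40, annual_rate=0.25)  # ALE 25,000
WAF_ACS = annualized_cost(one_time_cost=60_000, yearly_running_cost=15_000, service_years=3)  # 35,000

if __name__ == "__main__":
    print(f"ALE before: {BEFORE.ale():,.0f}  ALE after: {AFTER.ale():,.0f}  ACS: {WAF_ACS:,.0f}")
    print(f"CBA = {cba(BEFORE, AFTER, WAF_ACS):,.0f}  worthwhile: {is_worthwhile(BEFORE, AFTER, WAF_ACS)}")
```

In the scenario the safeguard reduces ARO rather than EF; a control such as backups or segmentation would instead lower the exposure factor and leave the rate alone, and the same functions handle that case by changing the post-control Exposure. The comparison is only as good as the ARO estimate, which is why the notes' ALE (post) is "based on the control being in place for a period of time" rather than a vendor's promise.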

c) Benchmarking

An alternative approach to risk management is benchmarking. Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate. One of two kinds of measure is typically used to compare practices:

Metrics-based measures

Process-based measures

Metrics-based measures are comparisons based on numerical standards, such as:

Number of successful attacks

Staff-hours spent on systems protection

Dollars spent on protection

Number of staff assigned to protection

Estimated value in dollars of the information lost in successful attacks

Loss of productivity hours associated with successful attacks

Process-based measures are generally less focused on numbers and more strategic than metrics-based measures. They enable the organization to examine the activities an individual company performs in pursuit of its goals, rather than the specifics of how those goals are attained.

Benchmarking against accepted practice also matters for legal reasons:

Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.

Due diligence: demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection. Failure to support the standard of due care or due diligence can leave the organization open to legal liability.

Best business practices: security efforts that provide a superior level of protection of information.


When considering best practices for adoption in an organization, consider:

Does organization resemble identified target with best practice?

Are resources at hand similar?

Is organization in a similar threat environment?

Benchmarking and best practices have limitations:

Organizations don't talk to each other (the biggest problem)

No two organizations are identical

Best practices are a moving target

Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare an organization for what's next

3.5.4. Baselining

Baselining is the analysis of measures against established standards. In information security, baselining is the comparison of security activities and events against the organization's future performance. When baselining, it is useful to have a guide to the overall process.

3.5.5. Other Feasibility Studies

Operational: examines how well proposed information security alternatives will

contribute to organization’s efficiency, effectiveness, and overall operation

Technical: examines whether or not organization has or can acquire the technology

necessary to implement and support the control alternatives

Political: defines what can/cannot occur based on consensus and relationships between

communities of interest


CHAPTER 6: Risk Management Discussion Points

Organizations must define the level of risk they can live with.

Risk appetite: defines the quantity and nature of risk that an organization is willing to accept as the trade-off between perfect security and unlimited accessibility is weighed.

Residual risk: risk that has not been completely removed, shifted, or planned for. The following Figure illustrates how residual risk remains after safeguards are implemented.

Documenting Results

At a minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any remaining residual risk. Another option is to document the outcome of the control strategy for each information asset-vulnerability pair as an action plan. The risk assessment may be documented in a topic-specific report.


Recommended Practices in Controlling Risk

Convince budget authorities to spend up to the value of an asset to protect it from an identified threat. The final control choice may be a balance of controls that provides the greatest value to as many asset-threat pairs as possible. Organizations may prefer to implement controls without such complex, inexact and dynamic calculations. The spectrum of steps described previously, performed with real numbers, is known as a quantitative assessment.

Qualitative assessment: based on characteristics that do not use numerical measures.

Limitations

If risks are improperly assessed and prioritized, time can be wasted dealing with risks of losses that are not likely to occur. Spending too much time assessing and managing unlikely risks can divert resources that could be used more profitably. Unlikely events do occur, but if a risk is unlikely enough it may be better to simply retain the risk and deal with the result if the loss does in fact occur. Qualitative risk assessment is subjective and lacks consistency. The primary justification for a formal risk assessment process is legal and bureaucratic.

Prioritizing too highly the risk management processes could keep an organization from ever

completing a project or even getting started. This is especially true if other work is

suspended until the risk management process is considered complete.


CHAPTER 7: Summary


CHAPTER 8: Review Questions

1. What is risk management? Who is responsible for risk management in an

organization?

2. What are the strategies for controlling risk?

3. What are the components of risk management?

4. Describe risk avoidance. Name three common methods of risk avoidance.

5. Describe risk transference. Describe how outsourcing can be used for risk

transference.

6. Discuss the risk handling decision points with suitable diagram.

7. What is a cost benefit analysis?

8. Describe the Risk control cycle with neat diagram.

9. What is residual risk?

10. Describe risk mitigation. What are the approaches to mitigate risk?

11. In risk management strategies, why must periodic review be a part of the process?