lecture slides-lecture 2
TRANSCRIPT
-
Lecture 2
Building an Information Risk Management Toolkit:
Learning the Language of Risk Management: RM Theory I
Dr. Barbara Endicott-Popovsky
-
QUICK REVIEW Terminology
-
Risk Undesirable effect of uncertainty on achieving business objectives
Risk Management Framework A system that addresses risk and reward
Risk Management Process Process that communicates with stakeholders about risk, and that identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.
The purpose of risk management is to change the future, not to explain the past
The Book of Risk, Dan Borge
Risk: Key Terms
-
General Approach
identify, characterize, and assess threats
assess the vulnerability of critical assets
determine the risk (i.e. expected consequences of specific types of attacks on specific assets)
identify ways to control those risks
prioritize risk reduction measures
-
Security Design
Threats + Vulnerabilities = Controls
(the threats to an asset, combined with the vulnerabilities those threats can exploit, determine which controls are needed)
-
Certificate for Information Assurance and Cybersecurity
The Role of Risk in IA
-
QUANTITATIVE RISK MANAGEMENT
-
-
QUALITATIVE RISK MANAGEMENT
-
Impact Definition
Example:
  Hi      Significant impact
  Medium  Impact
  Low     Tolerable impact
Courtesy: Rick Coffey, City University
-
Probability Definition
Example:
  Hi      More than 70% likely
  Medium  30-70% likely
  Low     Less than 30% likely
Courtesy: Rick Coffey, City University
-
Simple Risk Matrix
Cell score = probability score (Low=1, Med=2, Hi=3) x impact score (Low=1, Med=2, Hi=3)

  Probability \ Impact    Low   Med   Hi
  Hi                       3     6     9
  Med                      2     4     6
  Low                      1     2     3

Each risk from the list of risks (in categories) is placed in the cell matching its probability and impact; higher-scoring cells are treated first.
Courtesy: Rick Coffey, City University
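As an added example (not part of the lecture material), here is the matrix above implemented as a small Python scorer for a risk register. The probability thresholds and the 1 to 9 cell scores are the slides' own; the banding of scores into Low/Med/Hi categories, the tie-break rule and the sample register are assumptions made here. It is the same likelihood-times-impact notion of risk that the NIST 800-30 definitions later on this page use, and it shows two things the matrix alone does not: what happens to a risk sitting exactly on the 30% or 70% boundary, and that matrix scores are not unique (Hi x Med and Med x Hi both score 6), so a ranked list needs a deterministic tie-break.

```python
"""Qualitative risk scoring with the 3x3 probability/impact matrix from the slides.

Added example, not part of the lecture. The thresholds (>70% = Hi, 30-70% = Med,
<30% = Low) and the cell scores (probability score x impact score) come from the
slides; the banding of scores into categories, the tie-break and the sample
register are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVEL_SCORE = {"Low": 1, "Med": 2, "Hi": 3}


def probability_level(likelihood: float) -> str:
    """Map a likelihood in [0, 1] to Hi/Med/Low using the slide's thresholds.

    Boundaries are explicit: exactly 0.70 falls in "30-70%" (Med), not in
    "more than 70%" (Hi); exactly 0.30 is Med, not "less than 30%" (Low).
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be in [0, 1], got {likelihood}")
    if likelihood > 0.70:
        return "Hi"
    if likelihood >= 0.30:
        return "Med"
    return "Low"


def risk_score(probability: str, impact: str) -> int:
    """One cell of the 3x3 matrix: probability score times impact score (1..9)."""
    return LEVEL_SCORE[probability] * LEVEL_SCORE[impact]


def risk_category(score: int) -> str:
    """Band a matrix score into a category (assumption: 1-2 Low, 3-4 Med, 6-9 Hi)."""
    if score >= 6:
        return "Hi"
    if score >= 3:
        return "Med"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # estimated probability of the event, 0..1
    impact: str        # "Low", "Med" or "Hi", per the impact definition slide


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    probability: str
    impact: str
    score: int
    category: str


def prioritize(register: list[Risk]) -> list[ScoredRisk]:
    """Score every risk in the register and return them highest first.

    Matrix scores are not unique (Hi x Med and Med x Hi are both 6), so the
    tie-break prefers higher impact, then higher probability, then name, which
    keeps the ordering deterministic from run to run.
    """
    scored: list[ScoredRisk] = []
    for r in register:
        if r.impact not in LEVEL_SCORE:
            raise ValueError(f"unknown impact level {r.impact!r} for {r.name!r}")
        p = probability_level(r.likelihood)
        s = risk_score(p, r.impact)
        scored.append(ScoredRisk(r.name, p, r.impact, s, risk_category(s)))
    scored.sort(key=lambda x: (-x.score, -LEVEL_SCORE[x.impact],
                               -LEVEL_SCORE[x.probability], x.name))
    return scored


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 0.85, "Hi"),
    Risk("Laptop theft, disk encrypted", 0.30, "Low"),        # boundary: exactly 30% is Med
    Risk("Phishing leads to credential theft", 0.70, "Hi"),  # boundary: exactly 70% is Med
    Risk("Data-centre flood", 0.05, "Hi"),
    Risk("Backup tape misfiled", 0.50, "Med"),
]

if __name__ == "__main__":
    for sr in prioritize(SAMPLE_REGISTER):
        print(f"{sr.score}  {sr.category:3}  P={sr.probability:3} I={sr.impact:3}  {sr.name}")
```

Running it ranks the constructed register 9, 6, 4, 3, 2: the phishing risk lands at 6 rather than 9 only because its 70% estimate sits on the boundary, which is a good reason to record the raw estimate alongside the level rather than the level alone.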
-
Generic Risk Management Process
Identify Identify potential risk
Analyze Quantify risks into actionable priorities
Plan Develop risk mitigation plans
Track Monitor risk indicators and mitigation plans
Control Correct deviations from plan
Communicate Communicate Communicate
Courtesy: Rick Coffey, City University
-
Continuous Process
(Not Rocket Science)
Identify: what can go wrong
Analyze: decide what's important
Plan: plan to mitigate targeted risks
Track: monitor plans
Control: take appropriate action
Source: SEI Risk Management Paradigm
Courtesy: Rick Coffey, City University
-
NIST Risk Management Process
Step 1. System Characterization
Step 2. Threat Identification
Step 3. Vulnerability Identification
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis
Step 7. Risk Determination
Step 8. Control Recommendations
Step 9. Results Documentation
Courtesy: Rick Coffey, City University
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf http://csrc.nist.gov/publications/nistpubs/800-37.../sp800-37-rev1-final.pdf
-
Key Points About The NIST
Risk Management Process
This is one of many RA/RM models.
It is only a model: in the real world we do what makes sense for us and our organizations
(FLEXIBILITY)
Courtesy: Rick Coffey, City University
-
The diffusion of technology and commoditization of information
transforms it into a resource equal in importance to the traditionally
important resources of land, labor and capital Peter Drucker
-
History of Risk Management
-
Historical Aspects
The revolutionary idea that sets the boundary between modern times and ancient times is mastery over risk:
the idea that the future is much more than a whim of the gods and that man is not passive before nature
Until man discovered how to cross this boundary, the future was merely a mirror of the past or the obscure domain of oracles, who held a monopoly over predicted events
Source: Against the Gods: The Remarkable Story of Risk, Peter Bernstein
-
How It All Started
risk comes from ancient Italian risicare, meaning to dare
In that sense, risk is an option, and not fate
Freedom to choose the actions we dare to take
TO DARE IS STILL THE BEST WAY TO LIVE
-
How It All Started
The study of risk began in the Renaissance, when people released themselves from the constraints of the past and openly challenged sacred beliefs
It was an era when the world was discovered and greatly explored, and many new resources were found
In a time of religious turbulence and the beginning of capitalism, science was vigorous and the approach to the future was bold
-
1654: The Enigma of Méré
The Chevalier de Méré, with a keen taste for games, challenged the famous mathematician Blaise Pascal to decipher an enigma that had been posed by Luca Pacioli 200 years before:
How to split the stakes of a game that had been interrupted when one player was winning?
The example used in the original publication referred to a game of balla in which six goals were required to win. If the game ended normally, the winner would take all. But what if the game stopped when one player was in the lead by five goals to three?
Pascal asked Pierre de Fermat for help, and the result of that collaboration was pure intellectual dynamite
Led to the discovery of probability theory, the mathematical core of the concept of risk
-
Laying The Foundation
The solution to the Enigma of Pacioli for the first time enabled people to make decisions and predict the future with the help of numbers
Previously, people were able to make decisions, defend their concerns and do business, but without a real understanding of risks or decision making
As time went by, mathematicians transformed the probability theory into a powerful tool to organize, interpret and use information
-
18th Century Advances
Mathematicians competed to invent new life expectancy charts
Marine insurance had emerged as a promising and sophisticated business in London
Gottfried von Leibniz stated: "Nature establishes standards that originate the return of events, but only in the majority of cases", leading Bernoulli to discover the Law of Large Numbers and statistical sampling
-
1738 The Bell Curve
Abraham de Moivre, an English mathematician of French extraction, introduces the normal distribution as an approximation for binomial distributions as sample sizes become larger
Provided researchers with a critical tool for linking sample statistics with probability statements
-
Bernoulli and The Law of Large Numbers
Jacob Bernoulli proved that a random sampling of items from a population has the same characteristics, on average, as the population
He used coin flips to illustrate his point by noting that the proportion of heads (and tails) approached 50% as the number of coin tosses increased
In the process, he laid the foundation for generalizing population properties from samples, a practice that now permeates both the social and economic sciences
-
1763 Bayesian Statistics
Bayes published a simple way of updating existing beliefs in the light of new evidence
In Bayesian statistics, the existing beliefs are called prior probabilities and the revised values after considering the new evidence are called posterior or conditional probabilities
Bayes provided a powerful tool for researchers who wanted to use probabilities to assess the likelihood of negative outcomes, and to update these probabilities as events unfolded
In addition, Bayes rule allows us to start with subjective judgments about the likelihood of events occurring and to modify these judgments as new data or information is made available about these events
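As an added example (not part of the lecture), the update rule described above applied to a security question: how much should an alert from a detector change our belief that a host is compromised? The prior (a 1% base rate) and the detector's true-positive and false-positive rates are constructed numbers, and successive readings are assumed to be conditionally independent given the host's true state. The first update shows the base-rate effect that the slide's "subjective judgments, modified as new data arrives" glosses over: a detector that catches 90% of compromises and false-alarms 5% of the time, firing once on a 1% prior, only raises the posterior to about 15%.

```python
"""Bayesian updating of a risk likelihood as evidence arrives.

Added example, not part of the lecture. The prior, the detector rates and the
sequence of readings are constructed for illustration; readings are assumed
conditionally independent given the hypothesis.
"""
from __future__ import annotations


def bayes_update(prior: float, p_e_given_h: float, p_e_given_not_h: float) -> float:
    """Posterior P(H | E) from the prior P(H) and the two likelihoods of the evidence.

    P(H | E) = P(E | H) P(H) / (P(E | H) P(H) + P(E | not H) P(not H))
    """
    for name, v in (("prior", prior), ("p_e_given_h", p_e_given_h),
                    ("p_e_given_not_h", p_e_given_not_h)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a probability in [0, 1], got {v}")
    joint_h = prior * p_e_given_h              # P(E and H)
    joint_not_h = (1.0 - prior) * p_e_given_not_h  # P(E and not H)
    evidence = joint_h + joint_not_h           # P(E), the normalising constant
    if evidence == 0.0:
        # The observation is impossible under both hypotheses: the rule is undefined.
        raise ValueError("evidence has zero probability under both hypotheses")
    return joint_h / evidence


def update_with_detector(prior: float, fired: bool, tpr: float, fpr: float) -> float:
    """Revise P(compromised) after one detector reading.

    tpr = P(alert | compromised), fpr = P(alert | not compromised).
    A silent detector is evidence too: P(no alert | compromised) = 1 - tpr,
    P(no alert | not compromised) = 1 - fpr.
    """
    if fired:
        return bayes_update(prior, tpr, fpr)
    return bayes_update(prior, 1.0 - tpr, 1.0 - fpr)


def posterior_trajectory(prior: float, readings: list[tuple[bool, float, float]]) -> list[float]:
    """Apply readings of (fired, tpr, fpr) in order; the posterior of one step is the
    prior of the next. Returns the whole path, starting with the original prior."""
    history = [prior]
    p = prior
    for fired, tpr, fpr in readings:
        p = update_with_detector(p, fired, tpr, fpr)
        history.append(p)
    return history


# Constructed scenario: 1% of hosts are compromised; the detector alerts on 90% of
# compromised hosts and on 5% of clean ones.
PRIOR = 0.01
DETECTOR_TPR = 0.90
DETECTOR_FPR = 0.05

if __name__ == "__main__":
    readings = [(True, DETECTOR_TPR, DETECTOR_FPR),
                (True, DETECTOR_TPR, DETECTOR_FPR),
                (False, DETECTOR_TPR, DETECTOR_FPR)]
    for i, p in enumerate(posterior_trajectory(PRIOR, readings)):
        print(f"after {i} reading(s): P(compromised) = {p:.3f}")
```

With these numbers the path is 0.010, 0.154, 0.766, 0.256: one alert is weak evidence against a low base rate, a second independent alert is strong, and a subsequent silent reading pulls the belief back down. Whether two alerts from the same sensor are really independent is the assumption to question before trusting the second jump.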
-
The Use of Data
In 1662, John Graunt created one of the first mortality tables by counting, for every one hundred children born in London in each year from 1603 to 1661, how many were still living. In the course of constructing the table, Graunt not only refined the use of statistical tools and measures with large samples but also considered ways of dealing with data errors
He estimated that while 64 out of every 100 made it to age 6 alive, only 1 in 100 survived to age 76
In an interesting aside, Graunt estimated the population of London in 1663 to be only 384,000, well below the then prevailing estimate of six to seven million
He was eventually proved right, and London's population did not exceed 6 million until three centuries later
In 1693, Edmund Halley, the British mathematician, constructed the first life table from observations and devised a method for valuing life annuities. Halley pointed out that the government, which was selling life annuities to citizens at that time, was pricing them too low and was charging the same price regardless of the age of the annuitant
-
The Insurance View of Risk
As early as 1000 BC, the Babylonians developed a system where merchants who borrowed money to fund shipments could pay an extra amount to cancel the loan if the shipment was stolen
The Greeks and the Romans initiated life insurance with benevolent societies which cared for families of society members, if they died
However, the development of the insurance business was stymied by the absence of ways of measuring risk exposure
The advances in assessing probabilities and the subsequent development of statistical measures of risk laid the basis for the modern insurance business
-
The 1950s: The Markowitz Revolution
By 1950, investors in financial markets were using measures of risk based on past prices and accounting information, in conjunction with broad risk categories based on security type and issuer reputation, to make judgments about risk
However, there was no consensus on how best to measure risk or on the exact relationship between risk and expected return
Markowitz changed the way we think about risk by linking the risk of a portfolio to the co-movement between the individual assets in that portfolio: diversification
-
Key Developments in Risk Analysis and Evolution of Risk Measures

Time frame | Key event | Risk measure used
Pre-1494 | Risk considered to be either fated, and thus impossible to change, or divine providence, in which case it could be altered only through prayer or sacrifice | None, or gut feeling
1494 | Luca Pacioli posits his puzzle with two gamblers in a coin-tossing game |
1654 | Pascal and Fermat solve the Pacioli puzzle and lay the foundations for probability estimation and theory | Computed probabilities
1662 | Graunt generates a life table using data on births and deaths in London |
1711 | Bernoulli states the law of large numbers, providing the basis for sampling from large populations | Sample-based probabilities
1738 | de Moivre derives the normal distribution as an approximation to the binomial; Gauss and Laplace refine it |
1763 | Bayes publishes his treatise on how to update prior beliefs as new information is acquired |
1800s | Insurance business develops and with it come actuarial measures of risk, based on historical data | Expected loss
1900 | Bachelier examines stock and option prices on Paris exchanges and defends his thesis that prices follow a random walk | Price variance
1909-15 | Standard Statistics Bureau, Moody's and Fitch start rating corporate bonds using accounting information | Bond and stock ratings
1940s | John von Neumann, Stanislaw Ulam and Nicholas Metropolis coin the term "Monte Carlo method" while working on nuclear weapon projects at Los Alamos (Monte Carlo methods are a class of computational algorithms that rely on repeated random sampling to compute their results) |
1952 | Markowitz lays the statistical basis for diversification and generates efficient portfolios for different risk levels | Variance added to portfolio
1964 | Sharpe and Lintner introduce a riskless asset and show that combinations of it and a market portfolio (including all traded assets) are optimal for all investors; the CAPM is born | Market beta
1960s | Risk and return models based upon alternatives to the normal distribution: power law, asymmetric and jump process distributions |
1976 | Using the no-arbitrage argument, Ross derives the arbitrage pricing model; multiple market risk factors are derived from the historical data | Factor betas
1986 | Macroeconomic variables examined as potential market risk factors, leading to the multi-factor model | Macroeconomic betas
1992 | Fama and French, examining the link between stock returns and firm-specific factors, conclude that market cap and book-to-price are better proxies for risk than beta or betas | Proxies
-
What is Risk Management?
Risk management is a scientific approach to the problem of dealing with the pure risks facing individuals and organizations
It evolved from corporate insurance management, which focused on the risk of accidental loss to assets and income of the organization
-
History of Modern Risk Management
The general use of the term risk management began in the early 1950s
One of the early discussions of risk management in the academic literature appeared in a 1956 Harvard Business Review article ("Risk Management: New Phase of Cost Control", by Russell Gallagher)
Gallagher proposed that someone within the organization should be responsible for managing the organization's pure risks
-
Development of Risk Management
Evolution from corporate insurance buying
Year Milestone
1929 Corporate insurance buyers met informally in Boston to discuss mutual problems
1931 American Management Association establishes Insurance Division
1932 Insurance Buyers of New York formed
1950 National Association of Insurance Buyers formed
-
Development of Risk Management
Emergence of risk management was a revolution that signaled a dramatic shift in philosophy
It occurred when the attitude toward insurance changed and insurance lost its traditional status as the standard approach for dealing with risk
Question: why did the change occur when it did?
-
The Shift in Philosophy
The insurance manager's function was to buy insurance
While these buyers attempted to get the most coverage for the insurance dollar, they could hardly be criticized for buying insurance; that was their job
Something other than mere evolution triggered the shift
The shift coincided with a reappraisal of business school curricula in the U.S. in the 1950s and 1960s: the introduction of
operations research and
management science
-
Operations research and management science
Originated in World War II
Developed through engineering applications in post-war military and aerospace programs
Emphasized cost-benefit analysis, expected value, and a scientific approach to decision-making under uncertainty
Led to a shift from descriptive to normative decision theory
-
Insurance Faculty and the Shift
Insurance faculty were among the first to embrace decision theory
Many were trained in actuarial science
Most had an inventory of interesting questions relating to decision making under uncertainty
They not only questioned the central role that had been granted to insurance, but developed the theoretical justification for the challenge
-
Insurance Buyers and the Shift
Some insurance buyers intuitively (and independently) reached the same conclusions about the supremacy of insurance in dealing with risk as academics who applied the new decision models
Many concepts of modern risk management that originated in academia were taken over and applied in the corporate world
-
Origins of Risk Management
Risk management grew out of a merger of engineering applications in the military and aerospace programs, financial theory, and insurance
-
Risk Management Defined
Risk management is a scientific approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures that minimize the occurrence of loss or the financial impact of the losses that do occur
-
Nature of Risk Management
Scientific approach to dealing with pure risks
Broader than insurance management
Differs from insurance management in philosophy
-
Scientific Approach
Risk management depends on rules (laws) derived from the general knowledge of experience, through deduction, and from precepts drawn from other disciplines, especially decision theory
Although risk management is not a science in the same sense as the physical sciences, this does not preclude its use of the scientific method
-
Distinguishing Characteristics
Broader than insurance management
Because it evolved from insurance management, risk management is concerned primarily with insurable risk
However, the risk manager's responsibility is broader, and includes both insurable and uninsurable pure risks
-
Risk Management Tools
Risk Control
Avoidance
Reduction
Risk Financing
Retention
Transfer
-
Executive Director, Risk Management UW
-
Risk Management Process
1. Determination of objectives
2. Identification of risks
3. Evaluation of risks
4. Consideration of alternatives and selection of the tool
5. Implementing the decision
6. Evaluation and review
-
Evaluation of Risks
Critical Severe financial impact (e.g., losses that could result in bankruptcy)
Important Moderate financial impact (e.g., losses that would require resort to credit)
Unimportant Modest financial impact (e.g., losses that could be met from existing assets or cash flow)
-
Misconceptions About Risk Management
Two misconceptions have developed concerning risk management:
1. The risk management concept is applicable principally to large organizations
2. The risk management approach seeks to minimize the role of insurance
-
What is Information Risk Management?
-
Information Risk Management
Information risk management is directed towards assessing, mitigating (to an acceptable level) and monitoring risks associated with information
The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets
-
IRM Activities
Assessing, Mitigating, Monitoring
-
Principal Goal of IRM Process
The organization and its mission, not just its IT assets
-
IRM Methodologies (Sample)
National Institute of Standards & Technology (NIST) Methodology
OCTAVE
FRAP
Risk Watch
ISO (introduced last week)
-
NIST
800-30, Risk Management Guide for Information Technology Systems
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Foundation for development of an effective RM program
Includes definitions and practical guidance for assessing and mitigating risks identified within an IT system
Also provides information on selecting cost-effective security controls
Goal is to help organizations better manage IT-related mission risks
Small, to-the-point, and scalable from a single server to an entire IT enterprise
Quants hate it, but for quals and Government it's good enough
Private sector
(Note: the document at this URL is the 2002 edition; NIST replaced it in 2012 with SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, which keeps the same threat/vulnerability/likelihood/impact vocabulary but restructures the process)
-
NIST 800-30: Seven Key Roles
Senior Management: ultimate responsibility for mission accomplishment
Chief Information Officer: responsible for the agency's IT planning, budgeting, and performance, including its InfoSec components
System and Information Owners: responsible for ensuring proper controls are in place to address the integrity, confidentiality and availability of the IT systems and the data they own
Business and Functional Managers: responsible for business operations and the IT procurement process; also play a key role in risk management
ISSO: responsible for the organization's security program, including risk management
IT Security Practitioners: responsible for proper implementation of security requirements in the IT system
Security Awareness Trainers: develop training materials and incorporate risk assessment into training programs to educate the end users
-
NIST 800-30 Definitions: Security Primitives
Threat: the potential for a threat source to exercise a specific vulnerability
Examples?
Vulnerability: a weakness that can be accidentally triggered or intentionally exploited
Examples?
Risk: a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization
-
NIST 800-30 Definitions: Controls
System controls are risk-reducing measures
Management Controls: focus on the stipulation of information protection policy, guidelines and standards, which are carried out through operational procedures to fulfill the organization's mission and guidelines
Technical Controls: technical configurations for risk mitigation
Operational Controls: a set of guidelines or controls to ensure that the security procedures governing the use of the organization's IT assets and resources are properly enforced and implemented in accordance with the organization's goals and mission
-
NIST 800-30 Risk Mitigation Options
Risk Assumption: accept the potential risk and continue operating the IT system, or implement controls to lower the risk to an acceptable level
Risk Avoidance: avoid the risk by eliminating the risk cause and/or consequence
Risk Limitation: limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability
Risk Planning: manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
Research and Acknowledgment: lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
Risk Transference: transfer the risk by using other options to compensate for the loss, such as purchasing insurance
-
NIST 800-30 Risk Mitigation Methodology
-
Octave
Software Engineering Institute (SEI) at Carnegie Mellon University
Stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Goal is to help organizations improve their ability to manage and protect themselves from information security risks
Workshop-based
Premise: an organization understands its risk better than a tool does, and decisions will be made by the organization rather than by a tool
-
Octave: 3 Phases of Workshops
Phase 1 (build asset-based threat profiles):
  Process 1: Identify Senior Management Knowledge
  Process 2 (multiple): Identify Operational Area Management Knowledge
  Process 3 (multiple): Identify Staff Knowledge
  Process 4: Create Threat Profiles
Phase 2 (identify infrastructure vulnerabilities):
  Process 5: Identify Key Components
  Process 6: Evaluate Selected Components
Phase 3 (develop security strategy and plans):
  Process 7: Conduct Risk Analysis
  Process 8: Develop Protection Strategy (workshop A: strategy development; workshop B: strategy review, revision, approval)
-
FRAP (Facilitated Risk Analysis Process)
Peltier
Qualitative, but faster and simpler
Facilitator + small group of subject matter experts
Steps
Brainstorming to identify threats
Assign an impact score and a probability score to each threat
Identify and assign controls/safeguards
Management summary
-
FRAP Definitions
Threat: undesirable event that could impact the business objectives or mission of the target asset(s)
Examples?
Probability: how likely an event is to occur
H/M/L
Impact: potential effect a risk may have on the asset(s)
H/M/L
Control/Safeguard: measure taken to detect, prevent, minimize, or eliminate risk
Examples?
-
Risk Watch
http://www.riskwatch.com
Tool
Uses expert knowledge database to walk the user through a risk assessment
Reports on compliance and advice on managing the risks
Includes statistical information to support quantitative risk assessment
ROI
Several products, each focused along different compliance needs
-
Risk Watch Products
Risk Watch for HIPAA Compliance
Risk Watch for Hospital Security
Risk Watch for Banks (& Financial Institutions)
Risk Watch for Hospital Security & California 1257.7
Risk Watch for Credit Unions & NCUA
Risk Watch for Physical, Corporate & Homeland Security
Risk Watch for Information Systems & ISO 27001
Risk Watch for University & College Security
Risk Watch for PCI (Payment Card) Compliance
Risk Watch Benchmarking Tools for Corporate Security
Risk Watch for NERC Compliance
Risk Watch for NEI 04-04 (Nuclear Cybersecurity Compliance)
Risk Watch Benchmarking Tools for Information Systems
-
"Risk should be managed to an acceptable level, based on the enterprise's risk appetite, with decision-making guided by a risk assessment model. A structured, consistent and repeatable process for making the risk/reward calculation helps to ensure that it is done consistently across the organization."
Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards, an industry initiative sponsored by RSA (http://www.rsa.com/innovation/docs/CISO_RPT_0808.pdf)
Addressed in current state of the art?
-
Key Concepts
Risk Management
Dictionary definition: activity directed towards assessing, mitigating (to an acceptable level) and monitoring of risk
Alternative definition: a process aimed at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses
Which is more relevant in the context of the risk/reward equation associated with information risk?
-
Key Concepts
Risk Assessment The determination of quantitative or qualitative value of risk related to information
Security Controls Activities or technology solutions that address risk (or mitigate it to an acceptable level)
Governance: set of responsibilities and practices exercised by the enterprise's board of directors and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly
Compliance: either a state of being in accordance with established guidelines, specifications, or legislation (e.g. GLBA, HIPAA, SOX, PCI, etc.) or the process of becoming so
-
Key Concepts
Policy: high-level statement of executive management's intent or direction
Standards: metrics, allowable boundaries or the process used to determine whether processes meet policy requirements
Procedures: detailed descriptions of the steps necessary to perform specific operations in conformance with applicable standards
Guidelines: suggested actions or recommendations related to an area of InfoSec policy, intended to supplement a procedure. Unlike standards, implementation of guidelines may be at the discretion of the organization
-
Todays organizations are concerned about GRC:
Governance
(Enterprise) Risk Management
Compliance
-
HOMEWORK: Download / Study NIST Special Publications
Download, study and compare/contrast the NIST Risk Management guidelines discussed in Special Publications 800-30, -37, -39 and -53. You will be working individually. You will download and skim several NIST Special Publications, extracting key concepts:
NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
(http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
(http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf)
NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
(http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf)
NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations
(http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf)
We will engage in discussions about these