2. Information Security Risk Assessment Basics

Contents
- What is Risk?
- Information Security Assessment Overview
- Risk Assessment Framework
- Data Collection and Analysis
- Asset Scoping
- Preparation of Threat and Vulnerabilities Catalogs
- System Risk Computations
- Impact Analysis Scheme
- Final Risk Score
What is Risk?
• Risk is a quantitative measure of the potential damage caused by a specific threat.
• In other words, risk is the potential of gaining or losing something of value.
Information Security Assessment Overview
• Risk management is the process of analyzing exposure to risk and determining how best to handle such exposure.
• Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
Risk Assessment Framework
• A framework is a structure for supporting something else.
• Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:
  - the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)
  - Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  - the ISO 27000 series
National Institute of Standards and Technology (NIST)
• IT risk is defined as the risk associated with the use of information systems in an organization.
• NIST recognizes that risk management is not an exact science. It is the best collective judgment of people at all ranks and functions within an organization about suitable measures to protect the organization.
• The SP 800-39 framework recommends that senior leadership be involved in IT risk management, and that IT risk management be integrated into the design of business processes.
National Institute of Standards and Technology (NIST)
• The four components of IT risk management (figure: arrows illustrate the communication flow between the components)
1. Risk Frame
• The risk frame establishes the context for risk management by describing the environment in which risk-based decisions are made. This clarifies to all members of the organization the various risk criteria used in the organization.
• These criteria include:
  i. assumptions about the risks that are important,
  ii. responses that are considered practical,
  iii. levels of risk considered acceptable,
  iv. priorities and trade-offs when responding to risks.
• Risk framing also identifies any risks that are to be managed by senior leaders/executives.
2. Risk Assessment
• The risk assessment component identifies and aggregates the risks facing the organization.
• Risk: a quantitative measure of the potential damage from a threat.
• Risk assessment develops these quantitative estimates by identifying the threats, the vulnerabilities in the organization, and the harm to the organization if the threats exploit the vulnerabilities.
3. Risk Response
• Risk response addresses how organizations respond to risks once they are determined from risk assessments.
• Risk response helps in the development of an organization-wide response to risk that is consistent with the risk frame.
• Following standard business procedures, risk response consists of:
  i. developing alternative courses of action for responding to risk,
  ii. evaluating these alternatives,
  iii. selecting appropriate courses of action,
  iv. implementing risk responses based on the selected courses of action.
4. Risk Monitoring
• Risk monitoring evaluates the effectiveness of the organization's risk-management plan over time.
• Risk monitoring involves:
  i. verification that planned risk response measures are implemented,
  ii. verification that planned risk responses satisfy the requirements derived from the organization's missions, business functions, regulations, and standards,
  iii. determination of the effectiveness of risk response measures,
  iv. identification of required changes to the risk-management plan as a result of changes in technology and the business environment.
OCTAVE
• A popular initiative of the Software Engineering Institute (SEI) is the OCTAVE methodology for information security management.
• OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
• OCTAVE uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs.
• The three phases are:
  Phase 1: identifying critical assets and the threats to those assets
  Phase 2: identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
  Phase 3: developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
ISO 27000 Series
• The International Standards Organization (ISO) has reserved the ISO 27000 series of standards (i.e., standards starting with the digits 27) for information security matters.
• All processes follow Deming's Plan-Do-Check-Act (PDCA) model.
• As of December 2012, this series includes six standards ranging from ISO 27001 to ISO 27006.
• These standards cover the following topics:
  - ISO 27001: The standard that specifies the requirements for an information security management system (ISMS)
  - ISO 27002: The standard that specifies a set of controls to meet the requirements specified in ISO 27001
  - ISO 27003: Guidance for the implementation of an ISMS
  - ISO 27004: Measurement and metrics for an ISMS
  - ISO 27005: The standard for information security risk management
  - ISO 27006: The standard that provides guidelines for the accreditation of organizations that offer ISMS certification
Data Collection and Analysis
• Data collection is by far the most rigorous and most encompassing activity in an information security risk assessment project.
• "PLANNING"
• It is of critical importance that the team prepare properly to ensure that data is collected in a structured manner.

Data Collection
• One part of proper preparation is to decide what data collection mechanisms are going to be used.
• Data collection mechanisms can be divided into two categories:
  - Collectors,
  - Containers.
Collectors
• Collectors are simply the means to obtain data from a source.
• Data sources are:
  - System Profiles
  - Control Profiles
  - Audit Reports
  - Vulnerability Assessments
  - Various Information Security Events and Metrics
• Collectors are:
  - Document Request Lists
  - Surveys
  - Interviews
  - Workshops
Containers
• Containers are resources where the collected data is stored.
• Containers could be in the form of a database, a spreadsheet, flat files, or even paper documents.
• Structuring the data means identifying the high-level data elements and encapsulating them into the container.
• Structuring your data with that end result in mind will make substantiation of your findings much easier.

Data Collection Flow (figure)
Data Analysis
• Analyzing information involves examining it in ways that reveal the relationships, patterns, trends, etc. that can be found within it.
• The point, in terms of your evaluation, is to get an accurate assessment in order to better understand your work and its effects on those you're concerned with, or in order to better understand the overall situation.
• There are two kinds of data:
  - Quantitative Data and
  - Qualitative Data.
Quantitative Data
• Quantitative data are typically collected directly as numbers. For example:
  - Test scores
  - The frequency of specific behaviours or conditions
• Data can also be collected in forms other than numbers, and turned into quantitative data for analysis.
• Quantitative data is usually subjected to statistical procedures such as calculating the mean or average number of times an event or behaviour occurs.
Qualitative Data
• Unlike numbers or "hard data," qualitative information tends to be "soft," meaning it can't always be reduced to something definite. That is in some ways a weakness, but it's also a strength.
• Qualitative data can sometimes be changed into numbers, usually by counting the number of times specific things occur in the course of observations or interviews, or by assigning numbers or ratings to dimensions (e.g., importance, satisfaction, ease of use).
• It may also show you patterns (in behaviour, the physical or social environment, or other factors) that the numbers in your quantitative data don't.

Qualitative Data Analysis (figure)

Quantitative Data vs. Qualitative Data (figure)
Asset Scoping

Preparation of Threat and Vulnerabilities Catalogs
• One of the primary steps in performing data analysis for specific systems is to prepare threat and vulnerability catalogs.
• Threats and vulnerabilities are cornerstone concepts with respect to any discussion about risk.
Threat Catalog
• A threat catalog is very simply a generic list of threats that are considered common information security threats.
• These threats are events, sources, actions, or inactions that could potentially lead to harm of your organization's information security assets.
• As security professionals, it is tempting to just start writing down threats facing our organization based on our own knowledge.
• The following is a list of threat catalogs that can be used as references:
  - BITS Calculator: A very comprehensive list of over 600 threats. This is freely available from the BITS website.
  - Microsoft Threat Model: A list of 36 threats focusing on application security risks. This is freely available from the Microsoft website.
  - NIST SP 800-30: A high-level list of 5 human threat sources with 32 corresponding threat actions. This is freely available from the NIST website.
  - ISO 27005: A high-level list of 8 threat types with 43 corresponding threats in Annex C of the document. This document is available for a fee.
  - BSI Base IT Security Manual: A list of 370 threats. This is freely available from the BSI website.
Vulnerability Catalog
• The vulnerability catalog is simply a list of vulnerabilities that affect or could affect an organization.
• There are two ways to go about building the catalog:
  - Current vulnerabilities
  - Hypothetical vulnerabilities

Current Vulnerability
• The current vulnerabilities catalog should be a list of vulnerabilities currently affecting the organization.
• Remember, one of the first activities is consolidating observations and findings from the various documents that were previously collected.
• This listing can easily serve as your listing of current vulnerabilities.
Hypothetical Vulnerability
• The hypothetical vulnerabilities catalog is a list of vulnerabilities that are unverified but could affect the organization.
• These vulnerabilities can be determined based on the concerns brought up in various meetings and executive interviews, and on scenarios derived from the threat listings.
• Why put a hypothetical vulnerability in the catalog?
  - A risk assessment is not an audit, and just because you did not find evidence of the existence of a vulnerability, it does not mean that it does not exist.
  - This is consistent with the concept of risk assessments being focused on probabilities.
System Risk Computation
• It goes as follows:
  1. Identify the Threats.
  2. Identify the Vulnerabilities.
  3. Determine the Impact.
  4. Determine the Controls.
  5. Determine the Likelihood.

Impact Analysis Scheme
• In this activity, we will begin formulating the mechanism for computation of impact.
• Impact is one of the primary components for computing risk.
• An impact analysis scheme provides a repeatable process for the calculation of impact.
• In order to compute impact, it is important to take into consideration the data elements that illustrate the confidentiality, integrity and availability aspects of the system being assessed.
Example
Final Risk Score
RISK = IMPACT × LIKELIHOOD
• Impact Score: obtained by considering the potential impact of the threat to the confidentiality, integrity, and availability of the system and assigning a score for each of them. The category with the highest impact becomes the impact score for the threat and vulnerability pair.
• Likelihood Score: obtained by assigning scores for the exposure, frequency, and control for each of the threat and vulnerability pairs.
Example
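The five-step system risk computation and the final risk score formula above, carried through as an added worked example (not code from the original slides). The slides do not give a scoring scale or say how exposure, frequency and control combine into a likelihood score, so this example assumes an integer 1 to 5 scale, takes the mean of the three likelihood components (with control scored so that 5 means no effective control), and uses illustrative Low/Medium/High bands; the threat and vulnerability pairs are constructed samples.

```python
# Added worked example (not from the slides). Assumptions not stated on the
# slides: every score is an integer on a 1-5 scale; likelihood is the mean of
# exposure, frequency and control (control scored 5 = no effective control);
# the Low/Medium/High bands are illustrative.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pair:
    threat: str
    vulnerability: str
    c: int  # impact on confidentiality
    i: int  # impact on integrity
    a: int  # impact on availability
    exposure: int
    frequency: int
    control: int  # 5 = weakest controls


def _check(name, value):
    # Reject anything outside the assumed ordinal scale before it is scored.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return value


def impact_score(p):
    # Slide rule: the C/I/A category with the highest impact is the impact score.
    return max(_check("C", p.c), _check("I", p.i), _check("A", p.a))


def likelihood_score(p):
    # Assumed combination: mean of exposure, frequency and control scores.
    parts = [_check(n, getattr(p, n)) for n in ("exposure", "frequency", "control")]
    return sum(parts) / len(parts)


def risk_score(p):
    return impact_score(p) * likelihood_score(p)  # RISK = IMPACT x LIKELIHOOD


def risk_band(score):
    # Illustrative bands on the 1..25 range (assumption).
    return "High" if score >= 15 else "Medium" if score >= 6 else "Low"


def rank(pairs):
    # Highest-risk threat/vulnerability pairs first, for the final report.
    return sorted(((p.threat, p.vulnerability, risk_score(p), risk_band(risk_score(p)))
                   for p in pairs), key=lambda r: r[2], reverse=True)


# Constructed sample catalog entries, not real assessment findings.
SAMPLE = [
    Pair("Malware infection", "Unpatched workstation OS", 4, 5, 3, 4, 4, 4),
    Pair("Unauthorized disclosure", "Shared admin password", 5, 2, 1, 3, 2, 5),
    Pair("Power outage", "No UPS in server room", 1, 2, 4, 2, 1, 2),
]
```

Calling rank(SAMPLE) lists the malware pair first (impact 5, likelihood 4.0, risk 20.0) and the power outage pair last (impact 4, likelihood 1.67, risk 6.67).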