Risk Identification

&
Assessment

Submitted

To : Dr Loai Tawalbeh
From : Muna Ahmed

١٤٤٢/٠٢/١٠ 1
 Main topics
 What is Risk & Risk management?
 Risk Management Cycle
 Risk Identification
 Primary sources of Risk Items
 What is Risk Assessment ?
 How to assess the risks ?
 Risk Assessment methodologies
 Methods of Risk Assessment
 Who is responsible in risk assessment?
 Two Case Studies
 Conclusion
١٤٤٢/٠٢/١٠ 2
 What is Risk & Risk
?Management
 Risk : The is an object, person or other entity that
represent a danger, harm or loss to an asset

 Risk Management : Is the process of Identifying ,

assessing and evaluating the level of risk facing the
organization , specifically the threats to the
information stored and using by organization for
achieving business objectives, and then deciding
what countermeasures, if any, to take in reducing risk
to an acceptable level, based on the value of the
information resource to the organization

١٤٤٢/٠٢/١٠ 3
 Risk Life Cycle
Exploits

Threat Agent
Leads to

Vulnerability

Risk

Asset Can damage

Exposures
And cause an

Safeguard
Can be
١٤٤٢/٠٢/١٠ countermeasured by a 4
 Risk Management Cycle

Risk Assessment
Identify Risks

•The Processes are organized

Assess Risks • Each Step output considered
as an input for the next step
Define Desired
Results
The Process
is iteration Select Strategy

Risk Control
Implement
Strategy

Monitor

Evaluate and
Adjust
١٤٤٢/٠٢/١٠ 5
١٤٤٢/٠٢/١٠ 6
 Risk Identification
What is the purpose of this phase ?
 The aims of this phase is to identify , classify and
prioritizing the organization’s information assets
( Know ourselves) and identify all important types
and sources of risk and uncertainty (know our
enemy), associated with each of the investment
objectives.

 This is a crucial phase. If a risk is not identified it

cannot be evaluated and managed

١٤٤٢/٠٢/١٠ 7
 Information Assets
IS
Components

People Procedures Data SW HW

-Non Standard System

Employees employees Procedures\
Transmission Application
Devises

People at
Authorized Sensitive
trusted Process OS Net Work
Staff Procedures
organizations

Security
Other staff Strangers Storage
Component

١٤٤٢/٠٢/١٠ 8
Primary sources network
based attacks
of Risk Items ,virus infection
unauthorized access

Human Threats

floods
Earthquakes
hurricanes

& Outside Environmental

Natural Threats Threats

,Power failure
pollution

١٤٤٢/٠٢/١٠ 9
Risk Assessment

 For each identified component & risk, which

has a 'clearly significant' or 'possibly
significant' position, each should be assess to
establish qualitatively and Estimate the value

١٤٤٢/٠٢/١٠ 10
? What is Risk Assessment
 Assessing risk is the process of determining the likelihood of
the threat being exercised against the vulnerability and the
resulting impact from a successful compromise , i.e determine
the relative risk for each of the vulnerabilities

 Risk assessment assigns a risk rating or score to each specific

information asset, useful in evaluating the relative risk and
making comparative ratings later in the risk control process

• Although all elements of the risk management cycle are important,

risk assessments provide the foundation for other elements of the
cycle. In particular, risk assessments provide a basis for
establishing appropriate policies and selecting cost-effective
techniques to implement these policies

١٤٤٢/٠٢/١٠ 11
 Methods of Risk Assessment
There are various methods assessing risk,

First : Quantitative risk assessment :

generally estimates values of Information Systems components as ;
information, systems, business processes, recovery costs, etc.,

risk can be measured in terms of direct and indirect costs , based on

(1) the likelihood that a damaging event will occur
(2) the costs of potential losses
(3) the costs of mitigating actions that could be taken.

١٤٤٢/٠٢/١٠ 12
econd : Qualitative Risk Assessment

This approach can be taken by defining

 Risk in more subjective and general terms such as high,
medium, and low.
 In this regard, qualitative assessments depend more on the
expertise, experience, and judgment of those conducting the
assessment.

 Qualitative risk assessments typically give risk results of “High”,

“Moderate” and “Low”. However, by providing the impact and
likelihood definition tables and the description of the impact, it is
possible to adequately communicate the assessment to the
organization’s management.

١٤٤٢/٠٢/١٠ 13
Third :Quantitative and Qualitative

 It is also possible to use a combination of

quantitative and qualitative method

١٤٤٢/٠٢/١٠ 14
 Quantitative risk measurement is the standard way of measuring
risk in many fields, such as insurance, but it is not commonly used
to measure risk in information systems.

 Two of the reasons claimed for this are

 1) the difficulties in identifying and assigning a value of all
components
 2) Moral Effects couldn’t measured by quantitative
measurements
 2) the lack of statistical information that would make it
possible to determine frequency.

 Thus, most of the risk assessment tools that are used today for
information systems are measurements of qualitative risk.

١٤٤٢/٠٢/١٠ 15
How to assess the risks
Risk is assessed by following the following
steps :
 Identifying threats
 Identifying vulnerabilities Evaluate
impact
for each
 Relating Threats to Vulnerabilities determining therisk
likeliho
od
 determining the likelihood Relating
to Vuln Threats
erabilit
 Evaluate impact for each risk Identifying ies
vulner
abilitie
s
Identif
ying th
reats

١٤٤٢/٠٢/١٠ 16
Identifying Risk

١٤٤٢/٠٢/١٠ 17
Identifying Vulnerabilities
 Identifying Vulnerabilities : how each of the threats that are
possible or likely could be perpetrated , and list the organization’s
assets and their vulnerabilities

 Vulnerabilities can be identified by numerous means.

 Different methodologies for identifying vulnerabilities.

 start with commonly available vulnerability lists.
 Then, working with the system owners or other individuals with
knowledge of the system or organization, start to identify the
vulnerabilities that apply to the system.
 Specific vulnerabilities can be found by reviewing vendor web sites and
public vulnerability archives, such as Common Vulnerabilities and
Exposures (CVE - http://cve.mitre.org) or the National Vulnerability
Database (NVD - http://nvd.nist.gov).
١٤٤٢/٠٢/١٠ 18
Relating Threats to Vulnerabilities

 Not every threat-action/threat can be

exercised against every vulnerability.

 For example, a threat of “flood” obviously

applies to a vulnerability of “lack of
contingency planning”, but not to a
vulnerability of “failure to change default
authenticators.”
١٤٤٢/٠٢/١٠ 19
 Defining Likelihood

Likelihood is :
 the estimation of the probability that a threat will succeed in
achieving an undesirable event
 is the overall rating - often a numerical value on a defined scale
(such as 0.1 – 1.0) - of the probability that a specific vulnerability
will be exploited

 Sample Likelihood Definitions

١٤٤٢/٠٢/١٠ 20
Defining Impact
 impact (Value)
 Using the information documented during the risk
identification process, assign weighted scores based on
the value of each information asset, i.e.1-100, low-med-
high, etc

Sample Impact Definitions

١٤٤٢/٠٢/١٠ 21
 However, in order the risk assessment to be
meaningful, reusable and easily communicated,
specific ratings should be produced for the entire
organization as below example .

Examples of Organizational Effect

١٤٤٢/٠٢/١٠ 22
 Sample Risk Determination Matrix

١٤٤٢/٠٢/١٠ 23
Some Common Risk
Assessment methodologies
 The following methodologies and tools were developed for
managing risks in information systems:

 National Institute of Standards & Technology (NIST)

Methodology
 OCTAVE®
 FRAP
 COBRA
 Risk Watch

 The First one will be explained

١٤٤٢/٠٢/١٠ 24
National Institute of Standards &
Technology
 (NIST) Methodology
 NIST Special Publication (SP) 800-30, Risk
Management Guide for Information Technology
Systems is the US Federal Government’s standard.

 This methodology is primarily designed to be

qualitative and is based upon skilled security
analysts working with system owners and technical
experts to thoroughly identify, evaluate and manage
risk in IT systems.
١٤٤٢/٠٢/١٠ 25
 The NIST methodology consists of 9 steps each has
inputs and out puts:
 • Step 1: System Characterization
 • Step 2: Threat Identification
 • Step 3: Vulnerability Identification
 • Step 4: Control Analysis
 • Step 5: Likelihood Determination
 • Step 6: Impact Analysis
 • Step 7: Risk Determination
 • Step 8: Control Recommendations
 • Step 9: Results Documentation
١٤٤٢/٠٢/١٠ 26
١٤٤٢/٠٢/١٠ 27
? Who do the Assessment
 A risk assessment is carried out by a team of people who have
knowledge of specific areas of the business.

 It is the responsibility of each community of interest to manage

risks

 Each community has a role to play:

 Information Security - best understands the threats and attacks
that introduce risk into the organization
 Management and Users – play a part in the early detection and
response process - they also insure sufficient resources are
allocated
 Information Technology – must assist in building secure systems
and operating them safely

١٤٤٢/٠٢/١٠ 28
 Summary of Risk Assessment Practices and
Related Benefits

١٤٤٢/٠٢/١٠ 29
 Case Study

Risk Assessment
”Regulatory Organization“

١٤٤٢/٠٢/١٠ 30
Regulatory Organization
The organization’s objectives in its’ risk management plan are : :
 To face any risk
 concerned with loss of customer confidence, as well as monetary and productivity
losses.

 Risk assessments have always been a part of doing business that leads to determine the
level of risk associated with a business function or process in order to determine the
applicable security controls.

 The organization consists of a

 central office who issues organization wide information security risk assessment
guidelines and establishes minimum control requirements

 regional offices throughout the United States with , who facilitates the process in its
geographic area; and individual business units are responsible for conducting the
assessments.

 The organization’s policy guidelines require

 business units to conduct risk assessment at least once a year.
 when a new business operation is established or when significant operational changes
occur.

١٤٤٢/٠٢/١٠ 31
Risk Assessment Process

١٤٤٢/٠٢/١٠ 32
Conducting and Documenting the Assessment

The central office has incorporated these elements into a set of detailed
guidelines for conducting information security risk assessments ,
complementary training manual elaborating on the guidelines and
١٤٤٢/٠٢/١٠ 33
providing more detailed step-by-step procedures.
 Determining Risk Level

 The team's first step is to evaluate possible threats

to information security that may affect the unit's
operations.

 The team assigns a risk level of high, moderate, or

low for each area of vulnerability to show the
possible effect of damage if the threat were to occur.

 The team uses a matrix to assist in its analysis of

risk as shown in the following table:
١٤٤٢/٠٢/١٠ 34
 35
Risk Assessment
Matrix

١٤٤٢/٠٢/١٠
Risk Assessment Table
 After completing the matrix, the team summarizes its findings by
assigning a composite risk level to each of the five areas of
vulnerability on the matrix.

١٤٤٢/٠٢/١٠ 36
Identifying Needed Controls Based
on Predetermined Requirements

 After determining the overall risk level for

each area of vulnerability, the team identifies
the minimum applicable controls that are
prescribed in its organizational guidelines.

١٤٤٢/٠٢/١٠ 37
Reporting and Ensuring That
Agreed Actions Are Taken
 After determining the minimum set of
controls, the team compares those required
controls with controls already in place and
identifies any gaps.

 The team prepares a short statement

summarizing the outcome and documenting
its decisions and decision making process. It
then provides the regional office a copy of the
risk assessment table.
١٤٤٢/٠٢/١٠ 38
 Case Study

Information Security Plan (“Plan”)

“Arizona State University’s
”safeguards

١٤٤٢/٠٢/١٠ 39
 Goals of Security Plan
 Main Goal :Protect information and data

 Details Goals :
 Protect the security and confidentiality of Protected Information;
 Protect against anticipated threats or hazards to the security or integrity of
such information
 Protect against unauthorized access to or use of Protected Information
 Provides for mechanisms to: Identify and assess the risks that may threaten
Protected Information maintained by Arizona State University;
 Designate employees responsible for coordinating the program;
 Design and implement a safeguards program
 Manage the selection of appropriate service providers
 Adjust the plan to reflect changes in technology, the sensitivity of Protected
Information, and internal or external threats to information security; and
reference related policies, standards, and guidelines.

١٤٤٢/٠٢/١٠ 40
 Identification and Assessment of
Risks to Customer Information
 Arizona State University recognizes that it has both internal
and external risks. These risks include, but are not limited to:

 Unauthorized access of protected Information by someone Human

other than the owner of the covered data and information internal & (
 Unauthorized access of covered data and information by )External
employees
 Unauthorized requests for covered data and information
 Unauthorized access through hardcopy files or reports
 Unauthorized transfer of covered data and information
through third parties
 Compromised system security as a result of system access
by an unauthorized person
ntal
Work Environme
ess ,
 Interception of data during transmission As wrong in Proc
 Loss of data integrity net work errors
al (
 Errors introduced into the system )internal & Extern
 Corruption of data or systems

 Physical loss of data in a disaster Natu

ra l
١٤٤٢/٠٢/١٠ 41
 Arizona State University recognizes that this may not be a
complete list of the risks associated with the protection of
Protected Information.

 Since technology growth is not static, new risks are created

regularly. Accordingly, the University Technology Office and the
Office of Student Affairs will actively participate with and seek
advice from an advisory committee made up of university
representatives for identification of new risks.

 Arizona State University believes current safeguards used by the

University Technology Office are reasonable and, in light of
current risk assessments are sufficient to provide security and
confidentiality to Protected Information maintained by the
University.

١٤٤٢/٠٢/١٠ 42
Who has the responsibility of
assessing the risk
 The University Technology Officer, in consultation with an advisory
committee, is responsible for the maintenance of information security
and privacy.

 The advisory committee will include representatives from the

departments primarily responsible for safeguarding Protected
Information.

 Each department responsible for safeguarding Protected Information

will provide an annual update report indicating the status of its
safeguarding procedures.

 The Coordinators, in conjunction with the advisory committee, are

responsible for assessing the risks associated with unauthorized
transfers of Protected Information and implementing procedures to
minimize those

١٤٤٢/٠٢/١٠ 43
Design and Implementation of Safeguards Program

 Minimizing risk and safeguarding covered data and information security can be
achieved by Employee Management and Training

 Physical Security can be achieved by limiting access to only those employees who
have a business reason to know such information and requiring signed
acknowledgement of the requirement to keep Protected Information private

 Information systems include network and software design, as well as information

processing, storage, transmission, retrieval, and disposal. Arizona State University
has policies, standards, and guidelines governing the use of electronic resources
and firewall and wireless policies

 The University maintain effective systems to prevent, detect, and respond to

attacks, intrusions and other system failures. Such systems may include
maintaining and implementing current anti-virus software; checking with software
vendors and others to regularly obtain and install patches to correct software
vulnerabilities; maintaining appropriate filtering or firewall technologies …

١٤٤٢/٠٢/١٠ 44
 Conclusion

١٤٤٢/٠٢/١٠ 45
 Summary notes
The knowledge of the following are important to do the useful risk
assessment

 who was responsible for initiating and conducting risk

assessments
 who was to participate
 what steps were to be followed
 how disagreements were to be resolved
 what approvals were needed
 how assessments were to be documented
 how documentation was to be maintained
 to whom reports were to be provided.

١٤٤٢/٠٢/١٠ 46
 Very Important Note
 Since risks and threats change over time, it is
important that organizations periodically
reassess risks and reconsider the suitability
and effectiveness of the policies and controls
they have selected.

١٤٤٢/٠٢/١٠ 47