Risk Management: "Once We Know Our Weaknesses, They Cease To Do Us Any Harm"

The document discusses risk management in information technology. It defines key terms like asset, threat, vulnerability, and risk. It explains the risk management process which includes risk identification, risk assessment, and risk control. For risk identification, the document outlines how to plan the process, categorize system components, identify assets, classify and prioritize assets, identify and prioritize threats, and perform vulnerability analysis. Vulnerabilities are analyzed using a threats-vulnerabilities-assets worksheet to determine specific risks for assessment and control.

Uploaded by

Paolo Legaspi

Risk Management

“Once we know our weaknesses, they cease to do us any harm”


What is risk?
“Investing in stocks carries a risk...”

“Bad hygiene carries a risk…”

“Car speeding carries a risk…”

“An outdated anti-virus software carries a risk…”


Risk
• likelihood that a chosen action or activity (including the choice of inaction) will
lead to a loss (undesired outcome)
Risks in Information Technology
• risks which arise from an organization’s use of info. technology (IT)
Terminologies
• Asset – anything that needs to be protected because it has value and
contributes to the successful achievement of the organization’s
objectives.
• Threat – any circumstance or event with the potential to cause harm to an asset and, through it, to the organization
• Vulnerability – a weakness in an asset that can be exploited by a threat
• Risk – probability of a threat acting upon a vulnerability causing harm
to an asset
Risks in Information Technology
Interplay between risk & other Info. Sec
concepts
Risk management
• The process of identifying risk, as represented by vulnerabilities, to an organization’s
information assets and infrastructure, and taking steps to reduce this risk to an acceptable
level
• Risk management involves three undertakings:
• Risk identification – the examination and documentation of the security posture of an organization’s
information technology and the risks it faces.
• Risk assessment – the determination of the extent to which the organization’s information assets are exposed or at risk
• Risk control – the application of controls to reduce the risks to an organization’s data and information
systems.
Risk management
Risk Identification
Components of Risk Identification
Plan and Organize the Process
• Begin by organizing a team, which must include representatives of all affected groups and/or departments.
Categorize System Components
System Components Categories
• People – comprised of employees and non-employees.
• Employees – two sub-categories: those who hold trusted roles and have greater responsibility and accountability, and staff who have assignments without special privileges.
• Non-Employees – include contractors, consultants, members of other organizations with which the organization has a trust relationship, and strangers.

• Procedures – comprised of two categories
• IT and business standard procedures – standard operating procedures that contain non-sensitive data
• IT and business sensitive procedures – procedures that may enable a threat agent to craft an attack against an organization

• Data – management of information in all its states: Transmission, Processing and Storage.
Categorize System Components
• Software – May be assigned to one of these three categories: Applications, Operating System,
and Security Components.
• Hardware – Composed of two categories: Usual systems devices and their peripherals, and
devices that are part of information security control systems.
Asset Identification
People, Procedures, and Data
Identification
• People
• Position Name / Id Numbers (Avoid names and stick to identifying positions, roles, or functions).
• Examples: Supervisor, Security clearance level (Level 1, Level 2, etc)

• Procedures
• Description; Intended Purpose; relationship to software, hardware, and networking elements; Storage
location for reference; Storage location for update.
• Examples: Billing procedure – bills the client, etc.; PayPal, Cherry Credits

• Data
• Classification; Owner, creator, and manager; Size of data structure; data structure used, online or
offline, location, etc.
Hardware, Software and Network Asset
Identification
• Name – Use the common device or program name. Naming should not convey critical information to attackers. Example: servers named “CASH1” or “DB_FINANCE” would be bad names.
• Asset Tag – unique number assigned during acquisition process
• Media Access Control (MAC) Address – sometimes called electronic serial numbers. The MAC
address number is used by the network operating system to identify a specific network device
• Software Version
• Serial Number – Unique identifier of a specific device.
• Manufacturer Name
• Manufacturer model or Part number
Classify and Prioritize
Assets
Data Classification
Data can be classified into 4 levels:
• Public – Information for general public dissemination, such as an advertisement or public release.
• For Official Use Only – Information that is not particularly sensitive, but not for public release, such as
internal communications.
• Sensitive – Information important to the business that could embarrass the company or cause loss to
market share if revealed.
• Classified – Information of the utmost secrecy to the organization, disclosure of which could severely impact the well-being of the organization
Asset Ranking
• Assets should be ranked so that the most valuable assets get the highest priority when managing risks. The following questions help when determining an asset’s value or rank.
1. Which information asset is most critical to overall success of organization?
Example: Web servers vs Regular Desktop Computers
Web servers – critical
Regular Desktop computers – not critical
2. Which information asset generates the most revenue?
3. Which information asset generates the highest profitability?
Example: A company which sells books and beauty products
4. Which information asset is most expensive to replace?
5. Which information asset’s loss or compromise would be most embarrassing or cause the greatest liability?
Weighted Factor Analysis Worksheet
Activity
• You are assigned to be a team leader of the Risk Reduction and Management Team. You are tasked to categorize, classify and prioritize the company's assets. The following is the list of the company's assets:
• Trash Cans
• Water Treatment Facility
• Cisco Router
• Employee 0132
• System Administrator
• Finance Officer
• Server 1 (Financial)
• Server 2 (Backup)
• Computer 5
• Microsoft Office
• Guest 01
• Customer Billing (inbound)
• Help Service employee (table in database)

You are required to:

1. Categorize these assets in terms of People (Employees / Non-Employees), Procedures, Data, Software, Hardware (System Devices and Peripherals / Networking Components).
2. After categorizing these assets, create a weighted factor analysis worksheet with the following criteria: Impact to Revenue (30), Impact to Operations (30), Impact to Public Image (20), Impact to Environment (10).
Identifying and
Prioritizing Threats
Threat identification and prioritization
• Any organization faces a wide variety of threats
• To keep risk management ‘manageable’ …
• realistic threats must be identified and further investigated, while unimportant
threats should be set aside
Question used to prioritize threats
• Which threats present a danger to the organization’s assets in its current environment?
• Goal: reduce the risk management’s scope and cost.
• Which threats represent the most danger … ?
• Goal: provide a rough assessment of each threat’s potential impact
given current level of organization’s preparedness.
• ‘Danger’ might be a measure of:
1. Severity – Overall damage that the threat could create
2. Probability – of the threat attacking this particular organization
Question used to prioritize threats
• How much would it cost to recover from a successful attack?
• Which threats would require greatest expenditure to prevent?
• Once threats are prioritized, each asset should be reviewed against each threat to
create a specific list of vulnerabilities.
Example
• An organization is located on a fault line, has no internet connectivity, and most of its employees lack proper training in using technology. What could be the top 3 threats this organization faces?
• Forces of nature
• Human error / failure
• Technological obsolescence
Vulnerability Analysis
Vulnerability Analysis
• Vulnerability - flaw or weakness in an info asset in its design, control or security
procedure that can be exploited accidentally or deliberately.
- the sheer existence of a vulnerability does not mean harm will be caused – a threat agent is required
- vulnerabilities are characterized by the level of tech. skill
required to exploit them
Vulnerability Analysis
TVA Worksheet - at the end of the risk identification procedure, the organization should derive a threats-vulnerabilities-assets (TVA) worksheet
- this worksheet is a starting point for risk assessment phase.
- combines prioritized lists of assets and threats
> Prioritized list of assets is placed along x-axis, with most important
assets on the left
> Prioritized list of threats is placed along y-axis, with most
dangerous threats at the top
> Resulting grid enables a simplistic vulnerability assessment
TVA Worksheet
If one or more vulnerabilities exist
between T1 and A1, they can be
categorized as:
T1V1A1 – Vulnerability 1 that exists
between Threat 1 and Asset 1
T1V2A1 – Vulnerability 2 that exists
between Threat 1 and Asset 1
Risk Assessment
Summary of Vulnerability Analysis
Risk Assessment
Risk Assessment – provides relative numerical risk ratings (scores) for each specific vulnerability
- in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
Likelihood - the probability that a specific vulnerability will be the object of a successful
attack.
- in risk assessment, you assign a specific numeric value to likelihood ranging from
0.1 – 1.0.
Risk Formula

$R = (P \times V) - ((P \times V) \times CC) + ((P \times V) \times UK)$

where $P$ = Likelihood, $V$ = Asset Value, $CC$ = Current Controls (the fraction of the risk that existing controls address) and $UK$ = Uncertainty (one minus the accuracy of your assumptions and data).
Asset A
Has a value of 50.
Has one vulnerability, with a likelihood of 1.0.
No current control for this vulnerability.
Your assumptions and data are 90% accurate.

Vulnerability 1

$R = (1.0 \times 50) - ((1.0 \times 50) \times 0) + ((1.0 \times 50) \times 0.1)$
$R = 50 - (50 \times 0) + (50 \times 0.1)$
$R = 50 - 0 + 5$
$R = 55$
$R = (P \times V) - ((P \times V) \times CC) + ((P \times V) \times UK)$
Asset B
Has a value of 100.
Has two vulnerabilities:
* vulnerability #2 with a likelihood of 0.5, and a current control that addresses 50% of its risk;
* vulnerability #3 with a likelihood of 0.1 and no current controls.
Your assumptions and data are 80% accurate.
Vulnerability 2
$R = (0.5 \times 100) - ((0.5 \times 100) \times 0.5) + ((0.5 \times 100) \times 0.2)$
$R = 50 - (50 \times 0.5) + (50 \times 0.2)$
$R = 50 - 25 + 10$
$R = 35$
Vulnerability 3
$R = (0.1 \times 100) - ((0.1 \times 100) \times 0) + ((0.1 \times 100) \times 0.2)$
$R = 10 - (10 \times 0) + (10 \times 0.2)$
$R = 10 - 0 + 2$
$R = 12$
Wrapping it up
Risk Assessment
Documenting Results of Risk Assessment
1. Information asset classification worksheet
2. Weighted asset worksheet
3. Weighted threat worksheet
4. TVA Worksheet
5. Ranked vulnerability risk worksheet
◦ Extension of TVA Worksheet, showing only the assets and relevant vulnerabilities
◦ Assign a risk-rating ranked value for each uncontrolled asset-vulnerability pair
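The risk formula and the ranked vulnerability risk worksheet together, as an added example that is not from the slides: it recomputes the three worked cases (Asset A / vulnerability 1, Asset B / vulnerabilities 2 and 3) and orders them highest risk first. The `Vulnerability` record and the range checks on each factor are assumptions.

```python
"""Risk rating R = (P*V) - ((P*V)*CC) + ((P*V)*UK) and the ranked vulnerability risk worksheet."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One asset-vulnerability pair from the TVA worksheet (this record type is an assumption)."""
    asset: str
    label: str               # e.g. "V1"
    likelihood: float        # P: 0.1 - 1.0, the range the slides prescribe
    asset_value: float       # V: e.g. the weighted factor analysis score
    control_coverage: float  # CC: fraction of the risk that current controls address (0.0 - 1.0)
    uncertainty: float       # UK: 1 - accuracy of assumptions and data (90% accurate -> 0.1)


def risk_rating(v: Vulnerability) -> float:
    """Apply the slides' formula after checking that each factor is in range."""
    if not 0.1 <= v.likelihood <= 1.0:
        raise ValueError(f"{v.label}: likelihood must be within 0.1-1.0")
    for name in ("control_coverage", "uncertainty"):
        if not 0.0 <= getattr(v, name) <= 1.0:
            raise ValueError(f"{v.label}: {name} must be within 0.0-1.0")
    base = v.likelihood * v.asset_value  # P * V
    return round(base - base * v.control_coverage + base * v.uncertainty, 2)


def ranked_vulnerability_worksheet(vulns: list[Vulnerability]) -> list[tuple[str, str, float]]:
    """Rows (asset, vulnerability, R) ordered highest risk first."""
    rows = [(v.asset, v.label, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The three cases worked on the slides.
SLIDE_CASES = [
    Vulnerability("Asset A", "V1", likelihood=1.0, asset_value=50, control_coverage=0.0, uncertainty=0.1),
    Vulnerability("Asset B", "V2", likelihood=0.5, asset_value=100, control_coverage=0.5, uncertainty=0.2),
    Vulnerability("Asset B", "V3", likelihood=0.1, asset_value=100, control_coverage=0.0, uncertainty=0.2),
]

if __name__ == "__main__":
    for asset, label, r in ranked_vulnerability_worksheet(SLIDE_CASES):
        print(f"{asset} {label}: R = {r}")
```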
Risk Control
Risk Control
Basic Strategies to Control Risks:
◦ Avoidance
  ▪ Do not proceed with the activity or system that carries this risk
◦ Control / Defend
  ▪ By implementing suitable controls, lower the chances of the vulnerability being exploited
◦ Transference
  ▪ Share responsibility for the risk with a third party
◦ Mitigation
  ▪ Reduce the impact should an attack still exploit the vulnerability
◦ Acceptance
  ▪ Understand the consequences and acknowledge the risk without any attempt to control or mitigate it
Risk Control
Avoidance – strategy that results in complete abandonment of activities or systems due to excessive risk
- usually results in loss of convenience or ability to perform some
function that is useful to the organization
- the loss of this capacity is traded off against the reduced risk
profile
Risk Control
Control / Defend – risk control strategy that attempts to prevent exploitation of the vulnerability by means of the following techniques
o Application of Technology
Implementation of security controls and safeguards, such as anti-virus software, firewalls, secure HTTP and FTP servers, etc.
o Policy
e.g. insisting on safe procedures
o Training and Education
changes in technology and policy must be coupled with employee training and education.
Risk Control
Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations
- if the organization does not have adequate security experience, hire individuals or a firm that provides the expertise
- e.g., by hiring a Web consulting firm, the risks associated with domain name registration, Web presence, Web service, … are passed on to an organization with more experience
Risk Control
Mitigation – risk control strategy that attempts to reduce the likelihood or
impact caused by a vulnerability – includes 3 plans
Risk Control
Acceptance – strategy that assumes NO action towards protecting an
information asset – instead, accept outcome
Risk Control
Risk Tolerance - risk that organization is willing to accept after implementing
risk-mitigation controls
Residual Risk - risk that has not been completely removed, reduced or
planned for, after (initial) risk-mitigation controls have been
employed
Risk Handling
Decision Process – helps choose one among four risk control strategies
