CST 481/598 Many thanks to Jeni Li

 Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability of a threat  The probability of a vulnerability  The potential impact  A measurable quantity

o Technical o Information Security o Business o Where measured o How Measured o Who cares – stakeholders regulatory requirements, corporate governance o CIA – Confidentiality, Integrity, Availability

 "An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise.”  IOW, the stuff that has value to your company and its ability to conduct its business operations

 Information  Customer records  Sales leads  Intellectual property  Business transaction records  Systems  Workstations, servers, network infrastructure  People  Staff, clientele  Products (may be outside our scope)

 The magnitude of a potential loss  The seriousness of an event

 A weakness that provides the opportunity for a threat to occur  Examples  Operating system vulnerabilities  Exploitable Web applications  Staff members susceptible to social engineering  Server room located directly below the bathrooms?

 A possible danger that might exploit a vulnerability  Anything that could cause harm to your assets  May be accidental or intentional

 Accidental  Natural disasters  Earthquake, fire, flood, lightning  True accidents  Unintentional misuse or damage by employees  Other unintended threats  Power grid outage

 Intentional (aka, malicious)  Caused by a threat agent  Examples  Corporate espionage  Terrorist attack  Hacktivism

 An individual or group that will implement the threat. Needs the following factors:  Motivation  Why does the attacker want to attack?  Capability  Skills and resources  Opportunity  Physical or electronic access to the target  Catalyst  Something that causes the attacker to act

 Nation state sponsored  Terrorist  Pressure (activist) group  Commercial organization  Criminal group  Hacker group  Disgruntled insider

 The path or tool used by a threat agent  Examples  Spam, instant messaging, a specific worm  Sniffer, keystroke logger, dumpster diving  Pipe bomb, truck bomb

 Factors that influence the threat agent not to carry out the attack against the target

 Factors that encourage the threat agent to carry out the attack against the target

 Measures taken to eliminate or mitigate risk  Examples  Physical security (e.g., locks, barriers)  Personnel security (e.g., background checks, training)  Procedural security (e.g., policies/other documents)  Technical security (hardware, software)  Must be cost-effective  Sometimes the best control is no control at all

 Identification  Assessment  Treatment plan  Development  Implementation  Review/evaluation

 Assets  Vulnerabilities  Threats  Threat vectors  Threat agents

 Estimate or measure the risk  Can be qualitative or quantitative  Qualitative is good for comparing risks  Quantitative is good for determining ROI

(probability of event) x (impact of event) = risk

 EC: Adequacy of Existing Controls 1 (excellent) to 7 (none)  L: Likelihood of the Risk Occurring 1 (may never occur) to 5 (is expected to occur)  I: Impact/Consequence 1 (minimal to no impact) to 5 (total destruction) Risk = (7*EC + 3*L + 4*I)/84

 Asset value (AV)  Exposure factor (EF)  Single loss expectancy (SLE)  Annualized rate of occurrence (ARO)  Annualized loss expectancy (ALE)

 Asset value: What’s it worth to you?  Tangible and intangible  If we lost this asset, we would lose $...  Exposure factor: How bad would it be?  Percentage of asset loss caused by a threat  0 to 100%  Annualized rate of occurrence  How many times per year could it happen?  Once in 5 years = 1/5

 Single loss expectancy  SLE = AV x EF  Annualized loss expectancy  ALE = ARO x SLE

 ALE before safeguard/control  ALE after safeguard/control  Cost to deploy safeguard/control  ALE b – ALE a – Cost = Value of safeguard  Careful how you define those costs!

 How will you handle each risk?  Avoidance (get out of the business)  Mitigation (apply a safeguard/control)  Retention (live with it)  Transfer (buy insurance)

 Multi-Attribute Risk Assessment,  Security Attribute Evaluation Method  Monte Carlo analysis  CCTA Risk Analysis/Management Method (CRAMM)  Enterprise risk management  … and so on

 Confidentiality  Integrity  Availability  Non-repudiability

 Uses the CIA model  Identify information assets  Build an information criticality matrix  Identify systems  Build a systems criticality matrix  Determine most critical systems  Identify safeguards/controls