Information Systems Risk Management CMGT 442 Information Systems Risk Management Philip Robbins – November 28, 2012 (Week 3) University of Phoenix Mililani Campus
Objectives: Week 3 Risk Assessment (Part 2) Review Week 1 & 2: Concepts LT Activity: Week 3 & Week 4 Article Readings Discuss Homework Assignments & Class Videos Week 3: Quantitative Risk Analysis vs. Qualitative Risk Assessments Review NIST SP 800-39 Review Week 3: Questions Assignments: IDV & LT Papers Quiz #3
Learning Team Activity Activity: Review Week 3 & 4 ‘Article’ Readings 15 minutes: Read Articles 10 minutes: Answer article questions 10 minutes: Present your article to the class Submit for credit.
LT Activity: Week 3 Article Readings Barr (2011). Federal Business Continuity Plans - Do you think the private sector must employ something similar to the Federal Government’s Continuity of Operations Process (COOP) as an integral part of their enterprise risk management plan? Ledford (2012). FISMA - Do you think the Federal Information Security Management Act (FISMA) might provide the basis for a standard framework for enterprise risk management adaptable to the private sector?
LT Activity: Week 4 Article Readings Ainworth (2009). The BCP Process - Might an effective risk management plan be considered a process that may restore all systems, businesses, processes, facilities, and people? Barr (2011). Good Practice for Information Security - What changes would you recommend for the Information Security Forum’s 2007 Standard? - Which of these changes must be incorporated into the enterprise’s risk management plan?
REVIEW: IDV Assignments #1 & #2 #1: Risks associated with an industry. #2: Organization that has recently been compromised. - Focus on risks from Information Systems and how we manage those risks. - This involves understanding what Information Systems are and how they work. - Risks are all around you. (Class Videos)
Break? This is probably time for a break…
QUICK REVIEW: Week 1 What is Information Systems Risk Management? - Information Systems Risk Management is the process of identifying, assessing, and reducing (mitigating) risks to an acceptable level.
QUICK REVIEW: Week 2 What are the components of Information Systems Risk? - Threats & Threat Agents - Vulnerabilities (Weakness) - Controls (Safeguards) - Impact
REVIEW: MAC Levels
REVIEW: Classification (e.g. SECRET & higher; PII, FOUO; UNCLASS)
REVIEW: Controls / Safeguards Control checklists exist depending on your MAC and classification of your network enclave: “DoDI 8500.2” Information Assurance Implementation checklists
REVIEW: Controls / Safeguards
REVIEW: Control Checklists
REVIEW: Scorecard
REVIEW: Information Assurance Services Taken from DoDI 8500.2
REVIEW: Plan of Actions & Milestones Non-compliant (NC) controls / findings are listed on a POA&M.
REVIEW: Quantitative Risk Analysis Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12
REVIEW: Qualitative Risk Matrix
Risk is rated by crossing Impact against Probability (Vulnerability | Threat) and reading off the band: LOW, MEDIUM, HIGH or SEVERE.
- Impact scale: Insignificant (1), Minor (2), Major (3), Material (4), Catastrophic (5)
- Probability scale: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly. Source: CISM® Review Manual 2009, © 2008, ISACA. All rights reserved. Used by permission. Cism09 exhibit 2.12
REVIEW: Exploitation & Severity
Exploitation type and its risk severity, from least to most serious:
- Discovery: Low (bad)
- Denial: Low-Medium
- Exposure: Medium
- Exfiltration: Medium-High
- Deception: High
- Takeover: Severe (worse)
Discussion: Map each exploitation type to an Information Security Service.
REVIEW: Risk Responses (by Severity and Exploitation Frequency)
- High severity, low frequency: Accept / Transfer
- High severity, high frequency: Avoid
- Low severity, low frequency: Accept
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly.
REVIEW: Risk Responses
- Risk Avoidance: halt or stop the activity causing the risk.
- Risk Transference: transfer the risk to someone else (e.g. buy insurance).
- Risk Mitigation: reduce the likelihood or impact with controls/safeguards.
- Risk Acceptance: understand the consequences and accept the risk.
REVIEW: Total vs. Residual Risk When a company chooses not to implement a safeguard (if they accept the risk) then they accept the total risk. The leftover risk after applying countermeasures is called the residual risk. No matter what controls you place to protect an asset, it will never be 100% secure. Risk is never zero, thus, there is always some form of residual risk.
Week 3: Risk Assessment (Part 2) Objectives - What is Quantitative Risk Analysis? - What is Qualitative Risk Assessment? - Positives (pros) and Negatives (cons) of each. - Which method is preferred?
Value of Information and Assets Risk Management It’s important to understand the value of your information and information systems. So what is my information worth? - Value can be measured both Quantitatively and Qualitatively.
Two Types of Approaches Quantitative Analysis vs. Qualitative Assessment - Tangible impacts can be measured quantitatively in lost revenue, repair costs, or resources. - Other impacts (e.g. loss of public confidence or credibility) can be rated qualitatively as High, Medium, or Low impact.
Let’s start …with Quantitative analysis. - Warning: There is MATH… much more math. =(
Quantitative Analysis Quantitative analysis attempts to assign real values to all elements of the risk analysis process. - Asset value - Safeguards / Controls - Threat frequency - Probability of incident
Quantitative Analysis Purely Quantitative Risk Analysis is impossible. There are always unknown values. There are always “Qualitative” values. What is the value of a reputation? …but what if you focused on Information Security Services as a unit of measurement? Quantitative analysis can be automated with software and tools. - Requires large amounts of data to be collected.
Quantitative Analysis: Step-by-Step
1. Assign value to your information (asset value).
2. Estimate the cost of a single loss for each asset and threat combination.
3. Perform a Threat Analysis: determine the probability (rate) of exploitation.
4. Derive the overall loss potential per year.
5. Reduce, Transfer, Avoid, or Accept the Risk.
Step 1: Assign Value to Assets What are my information assets worth? - What did it cost to obtain? - How much money does the asset bring in? - What is its value to my competitors? - How much would it cost to re-create? - Are there possible legal liabilities to account for?
Step 2: Estimate Loss Potential For each threat, determine how much a single successful compromise could cost: - Physical damage - Loss of productivity - Cost of repairs The amount of damage from one incident is the “Single Loss Expectancy” (SLE), estimated per asset and threat pair. Example: if each virus outbreak costs $50K in lost revenue and repair costs, your SLE = $50K.
Step 2: Estimate Loss Potential When determining SLE, you may hear the term EF (exposure factor). The loss is then expressed as the percentage of the asset’s value (AV) that one incident destroys: SLE = AV × EF
Step 3: Perform a Threat Analysis Figure out the likelihood of a threat incident. - Analyze vulnerabilities and the rate of exploits. - Analyze the probability of threats to your location and systems. - Review historical records of incidents. Annualized Rate of Occurrence (ARO) Example: if the chance of a virus outbreak in any month is 75%, then ARO = 0.75 × 12 (months) = 9 occurrences per year. (This treats the 75% monthly chance as an expected count of 0.75 outbreaks per month; ARO is a rate, not a probability, so it can be greater than 1.)
Step 4: Derive the ALE Derive the Annual Loss Expectancy: ALE = SLE × ARO Example: cost of a virus outbreak $50K (SLE) × 9 occurrences per year (ARO) = $450K per year (ALE)
Step 5: Risk Response
- Risk Avoidance: halt or stop the activity causing the risk.
- Risk Transference: transfer the risk to someone else (e.g. buy insurance).
- Risk Mitigation: reduce the likelihood or impact with controls/safeguards.
- Risk Acceptance: understand the consequences and accept the risk.
Reducing Risk When deciding whether to implement controls, safeguards, or countermeasures: you SHOULD be concerned about saving costs. It doesn’t make sense to spend more to protect an asset that’s worth less! So how do we determine if it’s worth it? …
Reducing Risk Reducing risk through controls / safeguards / countermeasures makes sense when the control removes more expected loss than it costs: compare the annual cost of the countermeasure with the reduction in ALE it produces (ALE before the control minus ALE after it). If the cost (per year) of a countermeasure is more than the ALE it removes, don’t implement it; accept or transfer the risk instead.
Definitions The Annualized Rate of Occurrence (ARO) is the expected number of times a risk occurs within a year (a rate, so it can exceed 1; e.g. 9 virus outbreaks per year). The Single Loss Expectancy (SLE) is the dollar value of the loss from a single occurrence of the risk (SLE = AV × EF). The ALE is calculated by multiplying the ARO by the SLE: ALE = ARO × SLE
Review of Quantitative Analysis Assign value to information & assets: Asset Value (AV) Estimate: Single Loss Expectancy (SLE) Estimate: Likelihood of Threats (ARO) Calculate: Annual Loss Expectancy (ALE) Risk Response: Reduce, Transfer, Avoid or Accept.
Class Exercise: Quantitative Analysis You own a data warehouse valued at $1,000,000 USD (information & infrastructure included). If the threat of a fire breaking out were to occur, it is expected that 40% of warehouse (including the data) would be damaged/lost. The chance of a fire breaking out for this type of warehouse is known to be 8% annually.
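The five quantitative steps above, and the class exercise, worked through in Python. This is an added example, not code from the course slides: the formulas (SLE = AV × EF, ALE = SLE × ARO) and the virus-outbreak and warehouse-fire figures are the slides’ own, while the two candidate countermeasures, their annual costs and the exposure factors they are assumed to leave behind are constructed here to show the cost/benefit check from the “Reducing Risk” slide.

```python
"""Quantitative risk analysis worked through: AV -> SLE -> ALE -> cost/benefit.

Added example, not code from the course slides. The formulas and the
virus/fire figures come from the slides; the countermeasures, their annual
costs and their residual exposure factors are assumptions for illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(expected_per_period: float, periods_per_year: int) -> float:
    """ARO from an expected count per period (e.g. 0.75 outbreaks/month x 12 months).

    ARO is a rate, not a probability: 0.75 per month gives 9 per year.
    """
    return expected_per_period * periods_per_year


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the risk picture it is assumed to leave behind."""
    name: str
    annual_cost: float               # purchase + upkeep spread per year (assumed)
    residual_exposure_factor: float  # EF once the control is in place (assumed)
    residual_aro: float              # ARO once the control is in place (assumed)


def safeguard_value(asset_value: float, exposure_factor: float, aro: float,
                    control: Countermeasure) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost.

    Positive: the control removes more expected loss than it costs, so it is
    worth implementing. Negative: it costs more than the ALE it removes, so
    accept or transfer the risk instead. Note the comparison is against the
    ALE the control *removes*, not the whole ALE of the asset.
    """
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro)
    return ale_before - ale_after - control.annual_cost


def decide(value: float) -> str:
    """Risk response suggested by the cost/benefit figure."""
    return "mitigate (implement control)" if value > 0 else "do not implement; accept or transfer"


# --- Slides' virus example: SLE given directly as $50K, 75% chance per month ---
VIRUS_SLE = 50_000.0
VIRUS_ARO = annualized_rate_of_occurrence(0.75, 12)       # 9.0 per year
VIRUS_ALE = annual_loss_expectancy(VIRUS_SLE, VIRUS_ARO)   # 450,000.0

# --- Class exercise: $1M data warehouse, 40% lost in a fire, 8% chance per year ---
WAREHOUSE_AV = 1_000_000.0
FIRE_EF = 0.40
FIRE_ARO = 0.08
FIRE_SLE = single_loss_expectancy(WAREHOUSE_AV, FIRE_EF)   # 400,000.0
FIRE_ALE = annual_loss_expectancy(FIRE_SLE, FIRE_ARO)      # 32,000.0

# Two hypothetical controls to weigh against that $32K/year exposure (assumed figures).
SUPPRESSION = Countermeasure("gas fire suppression", annual_cost=10_000.0,
                             residual_exposure_factor=0.10, residual_aro=0.08)
REBUILD = Countermeasure("hardened rebuild of the warehouse", annual_cost=40_000.0,
                         residual_exposure_factor=0.05, residual_aro=0.08)

if __name__ == "__main__":
    print(f"Virus outbreaks: SLE ${VIRUS_SLE:,.0f} x ARO {VIRUS_ARO:g} = ALE ${VIRUS_ALE:,.0f}")
    print(f"Warehouse fire:  SLE ${FIRE_SLE:,.0f} x ARO {FIRE_ARO:g} = ALE ${FIRE_ALE:,.0f}")
    for control in (SUPPRESSION, REBUILD):
        value = safeguard_value(WAREHOUSE_AV, FIRE_EF, FIRE_ARO, control)
        print(f"  {control.name}: value ${value:,.0f}/yr -> {decide(value)}")
```

Running it shows the exercise answer (SLE $400K, ALE $32K) and why the comparison has to be against the ALE a control removes: the $10K/year suppression system is worth about $14K/year, while the $40K/year rebuild costs more than the whole $32K exposure and is rejected even though it reduces the loss further.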
Let’s move on to …Qualitative assessments.
Qualitative Risk Assessment Instead of assigning specific values… we walk through different scenarios, then rank and prioritize them based on threats and countermeasures. Techniques include: - Judgment - Best practices - Intuition (gut feelings) - Experience
Qualitative Assessments Specific techniques include: - Delphi method (opinions provided anonymously) - Brainstorming - Storyboarding - Focus groups - Surveys - Questionnaires - Interviews / one-on-one meetings … very subjective
Qualitative Assessment Remember this? Risk is rated by crossing Impact against Probability (of compromise) and reading off the band: LOW, MEDIUM, HIGH or SEVERE.
- Impact scale: Insignificant (1), Minor (2), Major (3), Material (4), Catastrophic (5)
- Probability scale: Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly.
Qualitative Assessment: Risk Responses (by Severity and Exploitation Frequency)
- High severity, low frequency: Accept / Transfer
- High severity, high frequency: Avoid
- Low severity, low frequency: Accept
Red risks are the ones we should spend the most resources on. Green ones we may accept without mitigation, possibly.
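The qualitative matrix turned into a ranked list, as an added example (not code from the course slides or the ISACA exhibit they reproduce). The 1-5 Impact and Probability scales are the slides’ own. The numeric cut-offs that turn a cell into LOW/MEDIUM/HIGH/SEVERE are assumed (the slide colours the cells but states no thresholds), the median aggregation of anonymous votes is a simple stand-in for the Delphi method, and the scenarios and votes are constructed for illustration.

```python
"""Qualitative risk assessment: rank scenarios on the 5x5 Impact x Probability matrix.

Added example, not code from the course slides. The scales are the slides'
own; the band thresholds, the vote aggregation and the sample scenarios are
assumptions for illustration.
"""
from statistics import median_low

IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}
PROBABILITY = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}

# Assumed bands on the 1..25 product of the two ranks, highest first.
BANDS = ((15, "SEVERE"), (8, "HIGH"), (4, "MEDIUM"), (1, "LOW"))


def risk_score(impact: str, probability: str) -> int:
    """Cell position in the matrix as one number: impact rank x probability rank."""
    return IMPACT[impact] * PROBABILITY[probability]


def risk_band(score: int) -> str:
    """Map a score onto the colour band (assumed thresholds)."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    raise ValueError(f"score {score} is outside the 1..25 matrix")


def consensus(votes: list, scale: dict) -> str:
    """Delphi-style aggregation: assessors vote anonymously on the 1-5 scale and
    the median rank wins (lower median on ties), so one outlier vote cannot
    drag a rating up or down on its own."""
    ranks = sorted(scale[v] for v in votes)
    by_rank = {rank: label for label, rank in scale.items()}
    return by_rank[median_low(ranks)]


def assess(scenarios: list) -> list:
    """Score each (name, impact_votes, probability_votes) and rank them, worst first.

    Returns rows of (name, impact, probability, score, band); ties are broken
    alphabetically so the ordering is stable from run to run.
    """
    rows = []
    for name, impact_votes, probability_votes in scenarios:
        impact = consensus(impact_votes, IMPACT)
        probability = consensus(probability_votes, PROBABILITY)
        score = risk_score(impact, probability)
        rows.append((name, impact, probability, score, risk_band(score)))
    return sorted(rows, key=lambda r: (-r[3], r[0]))


# Constructed sample: three assessors' anonymous votes per scenario.
SCENARIOS = [
    ("Phishing credential theft",
     ["Major", "Major", "Material"], ["Frequent", "Frequent", "Likely"]),
    ("Ransomware on file server",
     ["Major", "Catastrophic", "Major"], ["Likely", "Likely", "Moderate"]),
    ("Lost unencrypted laptop",
     ["Material", "Material", "Minor"], ["Moderate", "Likely", "Moderate"]),
    ("Data center fire",
     ["Catastrophic", "Catastrophic", "Catastrophic"], ["Rare", "Rare", "Unlikely"]),
    ("Printer outage",
     ["Insignificant", "Insignificant", "Minor"], ["Frequent", "Frequent", "Frequent"]),
    ("Web site defacement",
     ["Minor", "Minor", "Major"], ["Unlikely", "Rare", "Unlikely"]),
]

if __name__ == "__main__":
    for name, impact, probability, score, band in assess(SCENARIOS):
        print(f"{band:<7} {score:>2}  {name:<28} {impact} / {probability}")
```

The output is the prioritized list the NIST SP 800-30 comparison credits qualitative assessment with: phishing lands in SEVERE, the laptop and ransomware scenarios tie in HIGH, and a catastrophic-but-rare fire sits in the same MEDIUM band as a trivial-but-constant printer outage, which is exactly the kind of result that needs a quantitative figure (or a transfer decision) before resources are committed.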
Review of Q vs. Q (NIST SP 800-30)
- Quantitative advantage: provides a measurement of the impact’s magnitude.
- Quantitative disadvantage: the meaning of the analysis may be unclear, requiring the results to be interpreted in a qualitative manner.
- Qualitative advantage: prioritizes the risks, identifying areas for immediate improvement.
- Qualitative disadvantage: does not provide specific quantifiable measurements of the impact’s magnitude.
What is the Difference between Q vs. Q?
- Quantitative advantage: impact is quantified (measurable).
- Quantitative disadvantage: analysis involves complex calculations and can be confusing and resource intensive.
- Qualitative advantage: impact is clear & easy to understand.
- Qualitative disadvantage: no unit of measure; the assessment is subjective (Low-Med-High).
What is the Difference between Q vs. Q? Which approach is preferred when it comes to Information Systems Risk Management? Why? - Let’s discuss…
Break? This is probably time for a break…
Quiz: Week 3 10-15 minutes
IDV and LT Assignments for Week #3 Laptops at UOPX - Explain your thought process behind risk management as a new information system is introduced to an existing network. Constraints involved with Information Sharing - Identify and discuss the risk components involved and possible constraints that may add to your risk. - Outlined formats are OK.
Week 3 Review Questions We’ll review these questions & more next week to prep for the final exam…