INFORMATION SECURITY MANAGEMENT
LECTURE 8: RISK MANAGEMENT – CONTROLLING RISK
“You got to be careful if you don’t know where you’re going, because you might not get there.” – Yogi Berra

Introduction
• To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function

Risk Control Strategies
• Choose one of four basic strategies:
  – Avoidance
  – Transference
  – Mitigation
  – Acceptance

Avoidance
• The risk control strategy that attempts to prevent the exploitation of the vulnerability
• Examples

Transference
• The control approach that attempts to shift the risk to other assets, other processes, or other organizations
• Examples

Mitigation
• The control approach that attempts to reduce the damage caused by exploitation of a vulnerability
  – Using planning and preparation
  – Depends upon the ability to detect and respond to an attack as quickly as possible
• Types of Mitigation Plans

Acceptance
• Do nothing to protect an information asset
  – Accept the loss when it occurs

Managing Risk
• Risk appetite (also known as risk tolerance)
• The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if the vulnerability is exploited

Managing Risk – Residual Risk
• Residual risk is a combined function of:
  – Threats, vulnerabilities and assets, less the effects of the safeguards in place
• The goal of information security is not to bring residual risk to zero

Managing Risk – Residual Risk
• Once a control strategy has been selected and implemented:
  – The effectiveness of controls should be monitored and measured on an ongoing basis
  – This ongoing measurement determines the effectiveness of the controls and the accuracy of the residual risk estimate

Managing Risk (cont’d.)
[Figure 9-1 Residual risk. Source: Course Technology/Cengage Learning]

Managing Risk – Risk Control
• Risk control involves selecting one of the four risk control strategies
• Should the organization ever accept the risk?

Risk Acceptance
[Figure 9-2 Risk-handling action points. Source: Course Technology/Cengage Learning]

Risk Control Cycle
[Figure 9-3 Risk control cycle. Source: Course Technology/Cengage Learning]

Feasibility and Cost-Benefit Analysis
• There are a number of ways to determine the advantage or disadvantage of a specific control
• The primary means are based on the value of the information assets that the control is designed to protect
• Economic feasibility
  – Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised

Cost-Benefit Analysis: Cost
• Factors that affect the cost of a safeguard:
  – Cost of development or acquisition of hardware, software, and services
  – Training fees
  – Cost of implementation
  – Service and maintenance costs

Cost-Benefit Analysis: Benefit
• The value to the organization of using controls to prevent losses associated with a specific vulnerability

Cost-Benefit Analysis: Asset Valuation
• The process of assigning financial value or worth to each information asset
• Involves estimation of the real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation

Cost-Benefit Analysis: Asset Valuation
• An organization must be able to place a dollar value on each information asset it owns
• Potential loss is that which could occur from the exploitation of a vulnerability or a threat occurrence

Cost-Benefit Analysis Calculation
• CBA determines whether or not a control alternative is worth its associated cost
• CBAs may be calculated before a control or safeguard is implemented
• Or calculated after controls have been implemented and have been functioning for a time

Cost-Benefit Analysis Calculation
• CBA = ALE(prior) – ALE(post) – ACS
  – ALE(prior) is the annualized loss expectancy of the risk before the implementation of the control
  – ALE(post) is the ALE examined after the control has been in place for a period of time
  – ACS is the annual cost of the safeguard

Example of Cost-Benefit Analysis Calculation
• Dropping an iPad and breaking the screen
  – Asset value: $700
  – Exposure factor: 50%
  – SLE = $700 x 50% = $350
  – ARO = 25% chance of damaging it
  – ALE (prior) = 25% x $350 = $87.50
  – ALE (post) = 5% x $350 = $17.50
• CBA (cost of case = $30)
  – CBA = ALE(prior) – ALE(post) – ACS
  – CBA = $87.50 – $17.50 – $30 = $40

Example of Cost-Benefit Analysis Calculation
• Unprotected customer database
  – Asset value: $200,000
  – Exposure factor: 50%
  – SLE = $200,000 x 50% = $50,000
  – ARO = 75% chance of occurring
  – ALE (prior) = 75% x $200,000 = $50,000
  – ALE (post) = 10% x $200,000 = $20,000
• CBA (ACS = $5,000)
  – CBA = ALE(prior) – ALE(post) – ACS
  – CBA = $50,000 – $20,000 – $5,000 = $25,000
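The CBA formula from the slides above, worked in code. This is an added example and not part of the lecture or its textbook; the Scenario class, the function names and the third "kiosk" scenario are constructed for illustration. The first two scenarios reuse the inputs printed on the iPad and customer-database slides and compute ALE as SLE x ARO, the way the iPad example does, so for the database inputs the figures are those produced by the formula itself. The block also goes a step beyond the slides: it ranks several candidate controls by CBA, flags any whose annual cost exceeds the loss it averts (a negative CBA), and reports the break-even ACS, the annual cost above which a control stops paying for itself.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """Inputs for one cost-benefit analysis of a proposed safeguard.

    Field names and structure are this example's own, not the lecture's.
    """
    name: str
    asset_value: float      # AV: dollar value placed on the information asset
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro_prior: float        # ARO before the control (expected occurrences per year)
    aro_post: float         # ARO expected once the control is in place
    annual_cost: float      # ACS: annual cost of the safeguard


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss from a single occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(s: Scenario) -> Dict[str, float]:
    """Apply CBA = ALE(prior) - ALE(post) - ACS and return every intermediate value.

    break_even_acs is the largest annual safeguard cost at which the control
    still pays for itself; above it the CBA turns negative.
    """
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale_prior = annualized_loss_expectancy(sle, s.aro_prior)
    ale_post = annualized_loss_expectancy(sle, s.aro_post)
    risk_reduction = ale_prior - ale_post
    return {
        "sle": round(sle, 2),
        "ale_prior": round(ale_prior, 2),
        "ale_post": round(ale_post, 2),
        "acs": round(s.annual_cost, 2),
        "break_even_acs": round(risk_reduction, 2),
        "cba": round(risk_reduction - s.annual_cost, 2),
    }


def rank_controls(scenarios: List[Scenario]) -> List[Dict[str, object]]:
    """Rank candidate controls by CBA, highest first, flagging those not worth their cost.

    A negative CBA means the safeguard costs more per year than the loss it
    averts: look for a cheaper control or consider the Acceptance strategy.
    """
    ranked = []
    for s in scenarios:
        result = cost_benefit(s)
        ranked.append({"name": s.name, "justified": result["cba"] >= 0, **result})
    ranked.sort(key=lambda r: r["cba"], reverse=True)
    return ranked


# Constructed scenarios built from the inputs on the two example slides.
IPAD_CASE = Scenario("iPad protective case", asset_value=700, exposure_factor=0.50,
                     aro_prior=0.25, aro_post=0.05, annual_cost=30)
DATABASE_CONTROL = Scenario("customer database safeguard", asset_value=200_000,
                            exposure_factor=0.50, aro_prior=0.75, aro_post=0.10,
                            annual_cost=5_000)
# A constructed counter-example: an expensive control protecting a low-value asset.
OVERPRICED_CONTROL = Scenario("hardware encryption for a $500 kiosk", asset_value=500,
                              exposure_factor=1.0, aro_prior=0.10, aro_post=0.01,
                              annual_cost=400)

if __name__ == "__main__":
    for row in rank_controls([IPAD_CASE, DATABASE_CONTROL, OVERPRICED_CONTROL]):
        verdict = "justified" if row["justified"] else "NOT justified"
        print(f'{row["name"]}: ALE prior ${row["ale_prior"]:,.2f}, '
              f'ALE post ${row["ale_post"]:,.2f}, ACS ${row["acs"]:,.2f} '
              f'-> CBA ${row["cba"]:,.2f} ({verdict}; '
              f'break-even ACS ${row["break_even_acs"]:,.2f})')
```

For the iPad inputs the function reproduces the slide's $40; for the kiosk scenario the CBA is negative, which is the case the slide's question "Should the organization ever accept the risk?" is about: the control would cost more each year than the loss it prevents.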

Other Methods of Establishing Feasibility
• Organizational feasibility analysis
• Operational feasibility
• Technical feasibility
• Political feasibility

Alternatives to Feasibility Analysis
• Benchmarking
• Due care and due diligence
• Best business practices
• Gold standard
• Government recommendations
• Baseline

Risk Management and Employees
“Only two things are finite, the universe and human stupidity, and I’m not sure about the former.” – Albert Einstein
• Types of Employees and Security Knowledge
  – Those who know
  – Those who don’t
  – Those who think they know but don’t

Recommended Risk Control Practices
• Organizations typically look for a more straightforward method of implementing controls
• This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls to specific information asset vulnerabilities

Recommended Risk Control Practices
• Qualitative/Quantitative Approach
• OCTAVE Methods
• Microsoft Risk Management Approach
• FAIR

Qualitative and Hybrid Measures
• Quantitative assessment
• Qualitative assessment
• Hybrid assessment

OCTAVE Method
• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
• Variations of the OCTAVE method:
  – The original OCTAVE method
  – OCTAVE-S
  – OCTAVE-Allegro

Microsoft Risk Management Approach
• Four phases in the Microsoft InfoSec risk management process:
  – Assessing risk
  – Conducting decision support
  – Implementing controls
  – Measuring program effectiveness

Microsoft Risk Management Approach
[Figure A-1 Security Risk Management Guide. Source: Course Technology/Cengage Learning]

Factor Analysis of Information Risk (FAIR)
• Basic FAIR analysis is comprised of four stages:
  – Stage 1 – Identify scenario components
  – Stage 2 – Evaluate loss event frequency
  – Stage 3 – Evaluate probable loss magnitude (PLM)
  – Stage 4 – Derive and articulate risk
• Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low

FAIR (cont’d.)
[Figure 9-4 Factor analysis of information risk (FAIR). Source: Management of Information Security, 3rd ed., Course Technology/Cengage Learning (based on concepts from Jack A. Jones)]