CST 481/598 (presentation transcript)


Slide 1: CST 481/598. Many thanks to Jeni Li.

Slide 2: Risk
- Potential negative impact to an asset
- Probability of a loss
- A function of three variables:
  - The probability of a threat
  - The probability of a vulnerability
  - The potential impact
- A measurable quantity

Slide 3
- Technical
- Information security
- Business
- Where measured
- How measured
- Who cares: stakeholders, regulatory requirements, corporate governance
- CIA: Confidentiality, Integrity, Availability

Slide 4: Asset
- "An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise."
- In other words, the stuff that has value to your company and its ability to conduct its business operations

Slide 5: Assets
- Information
  - Customer records
  - Sales leads
  - Intellectual property
  - Business transaction records
- Systems
  - Workstations, servers, network infrastructure
- People
  - Staff, clientele
- Products (may be outside our scope)

Slide 6: Impact
- The magnitude of a potential loss
- The seriousness of an event

Slide 7: Vulnerability
- A weakness that provides the opportunity for a threat to occur
- Examples:
  - Operating system vulnerabilities
  - Exploitable web applications
  - Staff members susceptible to social engineering
  - Server room located directly below the bathrooms?

Slide 8: Threat
- A possible danger that might exploit a vulnerability
- Anything that could cause harm to your assets
- May be accidental or intentional

Slide 9: Accidental threats
- Natural disasters
  - Earthquake, fire, flood, lightning
- True accidents
  - Unintentional misuse or damage by employees
- Other unintended threats
  - Power grid outage

Slide 10: Intentional (aka malicious) threats
- Caused by a threat agent
- Examples:
  - Corporate espionage
  - Terrorist attack
  - Hacktivism

Slide 11: Threat agent
- An individual or group that will implement the threat. Needs the following factors:
  - Motivation: why does the attacker want to attack?
  - Capability: skills and resources
  - Opportunity: physical or electronic access to the target
  - Catalyst: something that causes the attacker to act

Slide 12: Threat agents
- Nation-state sponsored
- Terrorist
- Pressure (activist) group
- Commercial organization
- Criminal group
- Hacker group
- Disgruntled insider

Slide 13: Threat vector
- The path or tool used by a threat agent
- Examples:
  - Spam, instant messaging, a specific worm
  - Sniffer, keystroke logger, dumpster diving
  - Pipe bomb, truck bomb

Slide 14: Inhibitors
- Factors that influence the threat agent not to carry out the attack against the target

Slide 15: Amplifiers
- Factors that encourage the threat agent to carry out the attack against the target

Slide 16: Controls
- Measures taken to eliminate or mitigate risk
- Examples:
  - Physical security (e.g., locks, barriers)
  - Personnel security (e.g., background checks, training)
  - Procedural security (e.g., policies and other documents)
  - Technical security (hardware, software)
- Must be cost-effective
- Sometimes the best control is no control at all

Slide 17: Risk management process
- Identification
- Assessment
- Treatment plan
- Development
- Implementation
- Review/evaluation

Slide 18: Identification
- Assets
- Vulnerabilities
- Threats
- Threat vectors
- Threat agents

Slide 19: Assessment
- Estimate or measure the risk
- Can be qualitative or quantitative
- Qualitative is good for comparing risks
- Quantitative is good for determining ROI

Slide 20
(probability of event) x (impact of event) = risk

Slide 21: A qualitative scoring scheme
- EC: adequacy of existing controls, 1 (excellent) to 7 (none)
- L: likelihood of the risk occurring, 1 (may never occur) to 5 (is expected to occur)
- I: impact/consequence, 1 (minimal to no impact) to 5 (total destruction)
- Risk = (7*EC + 3*L + 4*I) / 84
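The weighted formula on slide 21 is most useful when it is applied to several risks at once so they can be ranked, which is what slide 19 says qualitative assessment is for. The following is an added example, not code from the slides or from the course: it validates each score against the ranges the slide gives, computes the normalised score, and ranks a constructed register of risks (the risk names, weights on the 1..7 and 1..5 scales, and the `QualitativeRisk` / `rank_risks` names are all assumptions made for the example). Note that the three weights times the three scale maxima sum to 7*7 + 3*5 + 4*5 = 84, so the worst case scores exactly 1.0 and the best case 14/84.

```python
# Added example (not from the slides): qualitative risk scoring with the
# slide's weighted formula, Risk = (7*EC + 3*L + 4*I) / 84, applied to a small
# constructed list of risks so they can be ranked against each other.
from dataclasses import dataclass


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    existing_controls: int  # EC: 1 (excellent) .. 7 (none); higher = weaker controls
    likelihood: int         # L:  1 (may never occur) .. 5 (expected to occur)
    impact: int             # I:  1 (minimal or no impact) .. 5 (total destruction)


def _check_range(label: str, value: int, low: int, high: int) -> None:
    """Reject scores outside the scale the slide defines (a common spreadsheet error)."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{label} must be an integer in [{low}, {high}], got {value!r}")


def risk_score(ec: int, likelihood: int, impact: int) -> float:
    """Weighted score from the slide, normalised to 0..1.

    The weights (7, 3, 4) times the scale maxima (7, 5, 5) sum to 84, so
    'no controls, expected to occur, total destruction' scores exactly 1.0.
    """
    _check_range("EC", ec, 1, 7)
    _check_range("L", likelihood, 1, 5)
    _check_range("I", impact, 1, 5)
    return (7 * ec + 3 * likelihood + 4 * impact) / 84


def rank_risks(risks):
    """Return (name, score) pairs, highest risk first, for side-by-side comparison."""
    scored = [
        (r.name, risk_score(r.existing_controls, r.likelihood, r.impact))
        for r in risks
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register; the scenarios echo the vulnerability examples on
# slide 7, the scores are invented for illustration.
SAMPLE_RISKS = [
    QualitativeRisk("Unpatched OS on public web server", existing_controls=5, likelihood=4, impact=4),
    QualitativeRisk("Staff phished via social engineering", existing_controls=3, likelihood=4, impact=3),
    QualitativeRisk("Server room flooded from bathrooms above", existing_controls=7, likelihood=2, impact=5),
    QualitativeRisk("Workstation theft from locked office", existing_controls=1, likelihood=1, impact=2),
]

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{score:.3f}  {name}")
```

With the constructed scores, the flood scenario ranks first (75/84) even though it is unlikely, because the formula gives the largest weight to the absence of controls; that is the kind of comparison a qualitative scheme is meant to support, and why the same scheme is a poor basis for a return-on-investment figure.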

Slide 22: Quantitative assessment
- Asset value (AV)
- Exposure factor (EF)
- Single loss expectancy (SLE)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE)

Slide 23
- Asset value: what's it worth to you?
  - Tangible and intangible
  - If we lost this asset, we would lose $...
- Exposure factor: how bad would it be?
  - Percentage of asset loss caused by a threat
  - 0 to 100%
- Annualized rate of occurrence
  - How many times per year could it happen?
  - Once in 5 years = 1/5

Slide 24
- Single loss expectancy: SLE = AV x EF
- Annualized loss expectancy: ALE = ARO x SLE

Slide 25: Value of a safeguard
- ALE before safeguard/control
- ALE after safeguard/control
- Cost to deploy safeguard/control
- ALE(before) - ALE(after) - Cost = Value of safeguard
- Careful how you define those costs!
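Slides 22 to 25 form one calculation: AV and EF give SLE, ARO turns SLE into ALE, and comparing ALE before and after a control against the control's cost gives the safeguard's value. The following is an added example, not code from the slides or from the course, that carries the chain through with constructed figures. It also handles the "careful how you define those costs" warning: a one-off purchase has to be spread over the control's expected lifetime and added to its annual operating cost before it can be subtracted from an annual loss figure. The asset value, exposure factors, rates, costs and the function names (`evaluate_safeguard`, `annualize_cost`) are all assumptions made for the example.

```python
# Added example (not from the slides): the quantitative chain
# AV -> EF -> SLE -> ARO -> ALE and the safeguard-value comparison,
# using constructed numbers.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is the fraction of the asset lost in one event (0.0..1.0)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a percentage; pass it as 0.0..1.0")
    return asset_value * exposure_factor


def annualized_rate(events: float, years: float) -> float:
    """ARO: expected events per year; e.g. once in 5 years = 1/5."""
    if years <= 0 or events < 0:
        raise ValueError("events must be >= 0 and years > 0")
    return events / years


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE."""
    return aro * sle


def annualize_cost(purchase: float, annual_operating: float, lifetime_years: float) -> float:
    """Spread a one-off purchase over its lifetime and add yearly running costs,
    so the cost is in the same units (per year) as the ALE it is compared with."""
    if lifetime_years <= 0:
        raise ValueError("lifetime must be positive")
    return purchase / lifetime_years + annual_operating


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = ALE(before) - ALE(after) - Cost (all per year)."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguard(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Run the whole chain and report each intermediate figure for review."""
    sle_before = single_loss_expectancy(asset_value, ef_before)
    sle_after = single_loss_expectancy(asset_value, ef_after)
    ale_before = annualized_loss_expectancy(aro_before, sle_before)
    ale_after = annualized_loss_expectancy(aro_after, sle_after)
    return {
        "sle_before": sle_before,
        "ale_before": ale_before,
        "sle_after": sle_after,
        "ale_after": ale_after,
        "annual_cost": annual_cost,
        "value": safeguard_value(ale_before, ale_after, annual_cost),
    }


# Constructed scenario: a customer-records database (an 'information' asset from
# slide 5) valued at $200,000.  A breach is assumed to destroy half its value and
# to happen about once in five years.  A control (say, tested backups plus
# patching) is assumed to cut the exposure to 10% and the rate to once a decade.
ASSET_VALUE = 200_000.0
CONTROL_COST = annualize_cost(purchase=15_000.0, annual_operating=5_000.0, lifetime_years=5)

if __name__ == "__main__":
    result = evaluate_safeguard(ASSET_VALUE, 0.5, annualized_rate(1, 5), 0.1, annualized_rate(1, 10), CONTROL_COST)
    for key, amount in result.items():
        print(f"{key:>12}: ${amount:,.2f}")
    # A pricier alternative with the same effect: negative value, so slide 16's
    # 'sometimes the best control is no control at all' applies.
    print("expensive alternative:", safeguard_value(result["ale_before"], result["ale_after"], 25_000.0))
```

With these figures the control is worth $10,000 a year ($20,000 - $2,000 - $8,000); the same control at $25,000 a year has a value of -$7,000, which is the quantitative form of slide 16's point that a control must be cost-effective. Forgetting to annualize the $15,000 purchase would have charged the whole amount against the first year and made the control look unprofitable.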

Slide 26: Treatment
- How will you handle each risk?
  - Avoidance (get out of the business)
  - Mitigation (apply a safeguard/control)
  - Retention (live with it)
  - Transfer (buy insurance)

Slide 27: Other methods
- Multi-Attribute Risk Assessment
- Security Attribute Evaluation Method
- Monte Carlo analysis
- CCTA Risk Analysis/Management Method (CRAMM)
- Enterprise risk management
- ... and so on

Slide 28: Security attributes
- Confidentiality
- Integrity
- Availability
- Non-repudiability

Slide 29
- Uses the CIA model
- Identify information assets
- Build an information criticality matrix
- Identify systems
- Build a systems criticality matrix
- Determine most critical systems
- Identify safeguards/controls

