Economic Feasibility in Info Security

The document outlines the principles of risk management in information security, focusing on risk identification, assessment, and control strategies. It emphasizes the importance of classifying and prioritizing information assets, identifying threats and vulnerabilities, and implementing effective risk control measures. Additionally, it discusses the necessity of cost-benefit analysis and ongoing evaluation of risk controls to ensure their effectiveness.

Uploaded by Summiya Ali / PM

Risk Management

Information Security, Chapter 4

Principles of Information Security, Whitman, M. E. & Mattord, H. J., Cengage Learning, 2017.
Learning Objectives
• An Overview of Risk Management (Risk Identification, Risk Assessment, and Risk Control)
• Asset Identification and Inventory
• Classifying and Prioritizing Information Assets, Information Asset Valuation
• Identifying and Prioritizing Threats
• Vulnerability Identification
• Risk Control Strategies, Feasibility Studies, Cost Benefit Analysis (CBA), Evaluation, Assessment, and Maintenance of Risk Controls
Risk Management
• Vulnerabilities to an organization's information assets and infrastructure
• Risk management is the process of identifying risk and taking steps to reduce it to an acceptable level.
• It involves three major undertakings:
  • Risk identification
  • Risk assessment
  • Risk control
Risk Management
• Risk identification: the examination and documentation of the security posture of an organization's information technology and the risks it faces.
• Risk assessment: the determination of the extent to which the organization's information assets are exposed or at risk.
• Risk control: the application of controls to reduce the risks to an organization's data and information systems.
Risk Management
• An observation made over 2,400 years ago by Chinese General Sun Tzu Wu has direct relevance to information security today.
• "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
Components of Risk Management
Risk Identification
• A risk management strategy requires that information security professionals know their organizations' information assets, that is, identify, classify, and prioritize them.
• Once the organizational assets have been identified, a threat assessment process identifies and quantifies the risks facing each asset.
Risk Identification

Categorizing the Components of an Information System

Classify Assets

Prioritizing Assets
Risk Assessment
• When you have identified the organization's information assets and the threats and vulnerabilities, you can evaluate the relative risk for each of the vulnerabilities.
• Risk assessment assigns a risk rating or score to each information asset.

Stages of Risk Assessment
Likelihood
• Likelihood is the probability that a specific vulnerability will be the object of a successful attack.
• In risk assessment, you assign a numeric value to likelihood.
• The National Institute of Standards and Technology recommends in Special Publication 800-30 assigning a number between 0.1 (low) and 1.0 (high).
• Examples:
1. The likelihood that any given e-mail contains a virus or worm has been researched.
2. The number of network attacks can be forecast based on how many assigned network addresses the organization has.
Calculate Relative Risk Factor or Risk Determination
• Example:
• Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.
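The risk determination worked through in code, as an added example that is not part of the slides: it applies the risk-rating formula from Whitman & Mattord's text (likelihood times asset value, minus the share of that amount already controlled, plus an uncertainty allowance) to asset A from the example above and to constructed entries for a second asset, and sorts the results into the ranked vulnerability worksheet the next slide refers to.

```python
"""Risk rating for a ranked vulnerability worksheet (added example).

Formula (Whitman & Mattord): risk = likelihood * asset value, minus the share of
that amount already controlled, plus an allowance for uncertainty in the data.
Asset A is the slide's example; the asset B entries are constructed."""


def risk_rating(asset_value, likelihood, pct_controlled, accuracy):
    """Rate one vulnerability of one asset.

    likelihood     -- 0.1 (low) .. 1.0 (high), the NIST SP 800-30 scale cited on the slide
    pct_controlled -- fraction of the risk already removed by existing controls
    accuracy       -- confidence in the assumptions and data; the uncertainty
                      allowance is (1 - accuracy) of the base risk
    """
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must lie between 0.1 and 1.0")
    if not (0.0 <= pct_controlled <= 1.0 and 0.0 <= accuracy <= 1.0):
        raise ValueError("pct_controlled and accuracy must be fractions in [0, 1]")
    base = asset_value * likelihood
    uncertainty = round(1.0 - accuracy, 4)   # avoid 0.0999... float noise
    return round(base - base * pct_controlled + base * uncertainty, 2)


def ranked_worksheet(entries):
    """Rate every (asset, vulnerability) entry and sort with the highest risk first."""
    rated = [dict(e, rating=risk_rating(e["value"], e["likelihood"],
                                        e["controlled"], e["accuracy"]))
             for e in entries]
    return sorted(rated, key=lambda r: r["rating"], reverse=True)


# Asset A, vulnerability 1 is the example from the slide: value 50, likelihood 1.0,
# no current controls, data 90 percent accurate. Asset B's entries are constructed.
ENTRIES = [
    {"asset": "A", "vuln": 1, "value": 50, "likelihood": 1.0, "controlled": 0.0, "accuracy": 0.9},
    {"asset": "B", "vuln": 1, "value": 100, "likelihood": 0.5, "controlled": 0.5, "accuracy": 0.8},
    {"asset": "B", "vuln": 2, "value": 100, "likelihood": 0.1, "controlled": 0.0, "accuracy": 0.9},
]

if __name__ == "__main__":
    for row in ranked_worksheet(ENTRIES):
        print(f"asset {row['asset']} vulnerability {row['vuln']}: risk rating {row['rating']}")
```

For asset A the rating is (50 × 1.0) − 0 + 10 % of 50 = 55; the 10 % term is the allowance for the 90 % accuracy estimate.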
Risk Control Strategies
• Once the project team for information security development has created the ranked vulnerability worksheet, the team must choose one of five basic strategies to control each of the risks that result from these vulnerabilities.
• The five strategies are:
1. Defend
2. Transfer
3. Mitigate
4. Accept
5. Terminate
Risk Control Strategies: Defend
• Attempts to prevent the exploitation of the vulnerability.
• Accomplished by means of countering threats, removing vulnerabilities from assets, limiting access to assets, and adding protective safeguards.
• There are three common methods used to defend:
1. Application of policy
2. Education and training
3. Application of technology
Risk Control Strategies: Implementing the Defend Strategy
• Eliminate a threat: organizations can mitigate risk to an asset by countering the threats it faces or by eliminating its exposure.
• Another defend strategy is the implementation of security controls and safeguards to deflect attacks on systems and therefore minimize the probability that an attack will be successful.
Risk Control Strategies: Transfer
• Attempts to shift risk to other assets, other processes, or other organizations.
• Accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
• For example, many organizations want Web services, including Web presences, domain name registration, and domain and Web hosting. Rather than implementing their own servers and hiring their own Webmasters, Web systems administrators, and specialized security experts, savvy organizations hire an ISP or a consulting organization to provide these products and services for them.
• This allows the organization to transfer the risks associated with the management of these complex systems to another organization that has experience in dealing with those risks.
Transfer
• In the popular book In Search of Excellence, management consultants Tom Peters and Robert Waterman present a series of case studies of high-performing corporations. One of the eight characteristics of excellent organizations is that they "stick to their knitting … They stay reasonably close to the business they know." This means that Kodak, a manufacturer of photographic equipment and chemicals, focuses on photographic equipment and chemicals, while General Motors focuses on the design and construction of cars and trucks. Neither company spends strategic energies on the technology of Web site development—for this expertise, they rely on consultants or contractors.
Mitigate
• Attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
• This approach requires the creation of three types of plans:
1. The incident response plan
2. The disaster recovery plan
3. The business continuity plan
• Each of these plans depends on the ability to detect and respond to an attack as quickly as possible and relies on the quality of the other plans.
• Mitigation begins with the early detection that an attack is in progress and a quick, efficient, and effective response.
Accept
• The accept control strategy is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
• The only industry-recognized valid use of this strategy occurs when the organization has done the following:
  • Determined the level of risk
  • Assessed the probability of attack
  • Estimated the potential damage that could occur from attacks
  • Performed a thorough cost benefit analysis
  • Evaluated controls using each appropriate type of feasibility
  • Decided that the particular function, service, information, or asset did not justify the cost of protection
Terminate
• Directs the organization to avoid those business activities that introduce uncontrollable risks.
Selecting a Risk Control Strategy
• There are a number of ways to determine the advantage of a specific control:
  • Feasibility Study
  • Cost Benefit Analysis (CBA)
Cost Benefit Analysis
• Organizations are urged to begin the Cost Benefit Analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets were compromised by the exploitation of a specific vulnerability.
• Consider the economic feasibility of implementing information security controls and safeguards.
• A number of alternatives for solving a problem may exist; they may not all have the same economic feasibility.
• An organization should not spend more to protect an asset than the asset is worth.
• The formal decision-making process is called a cost benefit analysis or an economic feasibility study.
Cost Benefit Analysis
• Cost includes:
  • Cost of development or acquisition (purchase cost) of hardware, software, and services
  • Training fees (cost to train personnel)
  • Cost of implementation (cost to install, configure, and test hardware, software, and services)
  • Service costs (vendor fees for maintenance and upgrades)
  • Cost of maintenance (labor expense to verify and continually test, maintain, and update)
Cost Benefit Analysis
• Benefit: the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
• Asset valuation: the process of assigning financial value or worth to each information asset.
• Single loss expectancy (SLE): the calculation of the value associated with the most likely loss from an attack.
• It is a calculation based on the value of the asset and the exposure factor (EF), which is the expected percentage of loss that would occur from a particular attack, as follows:
• SLE = asset value * exposure factor (EF)
where EF equals the percentage loss that would occur from a given vulnerability being exploited.
Cost Benefit Analysis
• Once each asset's worth is known, the next step is to ascertain how much loss is expected from a single expected attack, and how often these attacks occur.
• Once those values are established, the equation can be completed to determine the overall loss potential per risk. This is usually determined through an annualized loss expectancy (ALE), which is calculated from the annualized rate of occurrence (ARO) and the SLE, as shown here:
• ALE = SLE * ARO
The Cost Benefit Analysis (CBA) Formula
• The CBA is most easily calculated using the ALE from earlier assessments before the implementation of the proposed control, which is known as ALE(prior). Subtract the revised ALE, estimated based on the control being in place, known as ALE(post).
• Complete the calculation by subtracting the annualized cost of the safeguard (ACS).
• CBA = ALE(prior) - ALE(post) - ACS
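The SLE, ALE and CBA formulas from the last three slides applied to two candidate controls for one vulnerability, as an added example that is not part of the slides or the textbook: every asset value, exposure factor, rate of occurrence and control cost is constructed, and the ACS is built from the cost categories listed under Cost Benefit Analysis above (one-time acquisition and implementation cost spread over the control's useful life, plus recurring service and maintenance).

```python
"""SLE / ALE / CBA for candidate safeguards (added example; all figures are constructed)."""

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value * EF; EF is the fraction of the asset's value lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO; ARO is the expected number of occurrences per year."""
    return sle * aro

def annualized_cost_of_safeguard(acquisition, implementation, service, maintenance, years):
    """ACS: one-time acquisition and implementation cost spread over the control's life, plus annual service and maintenance."""
    return (acquisition + implementation) / years + service + maintenance

def cost_benefit(ale_prior, ale_post, acs):
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs

def evaluate_controls(asset_value, ef, aro, controls):
    """Rank controls for one vulnerability by CBA; infeasible if CBA < 0 or ACS exceeds the asset's worth."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    rows = []
    for c in controls:
        ale_post = annualized_loss_expectancy(
            single_loss_expectancy(asset_value, c["ef_post"]), c["aro_post"])
        acs = annualized_cost_of_safeguard(c["acquisition"], c["implementation"],
                                           c["service"], c["maintenance"], c["years"])
        cba = cost_benefit(ale_prior, ale_post, acs)
        rows.append({"name": c["name"], "ale_post": ale_post, "acs": acs,
                     "cba": cba, "feasible": cba > 0 and acs <= asset_value})
    return ale_prior, sorted(rows, key=lambda r: r["cba"], reverse=True)

# Constructed scenario: a 100,000 asset losing 25 % of its value per incident, twice a
# year; two hypothetical controls cut the incident rate at very different annual cost.
CONTROLS = [
    {"name": "patch+monitor", "ef_post": 0.25, "aro_post": 0.2, "acquisition": 30_000,
     "implementation": 10_000, "service": 5_000, "maintenance": 5_000, "years": 4},
    {"name": "full rebuild", "ef_post": 0.25, "aro_post": 0.1, "acquisition": 150_000,
     "implementation": 50_000, "service": 5_000, "maintenance": 5_000, "years": 4},
]

if __name__ == "__main__":
    prior, ranked = evaluate_controls(100_000, 0.25, 2.0, CONTROLS)
    for r in ranked:
        print(f"{r['name']}: ALE(prior) {prior:,.0f} ALE(post) {r['ale_post']:,.0f} "
              f"ACS {r['acs']:,.0f} CBA {r['cba']:,.0f} feasible={r['feasible']}")
```

With ALE(prior) of 50,000, the cheaper control nets a CBA of 25,000 while the rebuild, although it reduces ALE(post) further, costs more per year than it saves and so fails the economic feasibility test.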
Evaluation, Assessment and Maintenance of Risk Controls
• The selection and implementation of a control strategy is not the end of the process.
• The control strategy, and its accompanying controls, must be monitored and re-evaluated on an ongoing basis to determine their effectiveness and to calculate more accurately the estimated residual risk.
Questions