Real-World Examples of Risk Assessment

The document describes two real-world examples of risk assessment related to information security: 1) Annual Loss Expectancy, a quantitative technique used to assess monetary risk in terms of expected losses from events like data breaches, and 2) a risk management tool developed by AgID for Italian public administrations to assess cyber risks and define treatment plans. The tool guides users through defining criticality profiles for services, assessing impacts, identifying threats and controls, and monitoring risk treatment over time.

Uploaded by Darren Tan
© All Rights Reserved

Real-World Examples

of Risk Assessment

http://pralab.diee.unica.it 194
Introduction
• Standards, frameworks and guidelines (ISO, NIST, etc.) neither
define nor suggest specific risk assessment techniques
• Several techniques have been developed over the years for
different application scenarios:
– process industries
– financial institutions
– civil and environmental engineering
– information security
– ...
• In practice, each organization may need to adapt one or more
existing techniques to its context and needs
(see IEC/ISO 27005:2018 – Risk assessment techniques)

Introduction
Two real-world examples of risk assessment related to
information security are presented in the following, in two
different application fields:
– monetary loss for a company or enterprise due to specific adverse
events against a given asset: the Annual Loss Expectancy
– the AgID risk management tool for the Italian public administration

Monetary loss: Annual Loss Expectancy
A simple, quantitative risk assessment technique for assessing
risk in terms of monetary loss.

An example:
– company XYZ suffers on average one data breach per month
– the average monetary loss (impact) of each data breach is 15,000
euros
– the cost of an identified countermeasure is 30,000 euros
Is the investment for the identified countermeasure worth the
corresponding risk reduction?

Monetary loss: Annual Loss Expectancy

For a given adverse event against a given asset, one should
evaluate:
– the Single Loss Expectancy (SLE) caused by a single occurrence of the
event of interest
– the Annual Rate of Occurrence (ARO) of the adverse event

The Annual Loss Expectancy (ALE) is defined as:

ALE = SLE × ARO

Monetary loss: Annual Loss Expectancy
To evaluate ALE:
1. analyze event frequency, probability and impact, and the
effectiveness of countermeasures
2. evaluate the asset monetary value
3. evaluate the exposure factor (the percentage loss of the asset value
due to the occurrence of the event of interest)
4. compute SLE:
SLE = asset monetary value × exposure factor
5. evaluate ARO
6. evaluate ALE: ALE = SLE × ARO

Annual Loss Expectancy: an example
• Company XYZ suffers on average one data breach per month –
information sources:
– intrusion detection system of the same company
– historical data about similar companies
– ...
• The average monetary loss (impact) of each data breach is
15,000 euros
• The cost of an identified countermeasure is 30,000 euros

Is the investment for the identified countermeasure worth the
corresponding risk reduction?

Annual Loss Expectancy: an example
• Company XYZ suffers on average one data breach per month
• The average monetary loss (impact) of each data breach is
15,000 euros
• The cost of an identified countermeasure is 30,000 euros

SLE = 15,000 euros
ARO = 12
ALE = 15,000 euros/month × 12 months/year
= 180,000 euros/year

The investment on risk mitigation is amortized in 2 months,
preventing subsequent losses of 15,000 euros per month.
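The ALE procedure and the company XYZ example above, worked through in Python as an added example (not code from the slides): it computes SLE, ALE, the net first-year benefit and the payback period of the countermeasure, and also covers the more general case where the countermeasure only reduces the breach rate instead of eliminating it. The exposure factor of 1.0 and the residual_aro parameter are assumptions introduced here.

```python
from typing import Optional

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset monetary value x exposure factor (fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, with ARO expressed as expected occurrences per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def net_first_year_benefit(ale_before: float, ale_after: float, cost: float) -> float:
    """Risk reduction minus countermeasure cost over the first year; worth it if > 0."""
    return (ale_before - ale_after) - cost

def payback_months(ale_before: float, ale_after: float, one_off_cost: float) -> Optional[float]:
    """Months of avoided losses needed to amortize a one-off cost; None if ALE is not reduced."""
    monthly_reduction = (ale_before - ale_after) / 12.0
    if monthly_reduction <= 0:
        return None
    return one_off_cost / monthly_reduction

def company_xyz(residual_aro: float = 0.0) -> dict:
    """Slide scenario: one breach per month, 15,000 euros each, 30,000-euro countermeasure.

    residual_aro (assumption added here): breaches per year still expected after the
    countermeasure; the slide assumes 0, i.e. all subsequent losses are prevented.
    """
    # Assumption: the breached asset is worth 15,000 euros with exposure factor 1.0,
    # which reproduces the slide's SLE of 15,000 euros.
    sle = single_loss_expectancy(asset_value=15_000.0, exposure_factor=1.0)
    ale_before = annual_loss_expectancy(sle, aro=12)  # 180,000 euros/year
    ale_after = annual_loss_expectancy(sle, aro=residual_aro)
    cost = 30_000.0
    return {
        "sle": sle,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_first_year_benefit(ale_before, ale_after, cost),
        "payback_months": payback_months(ale_before, ale_after, cost),
    }

if __name__ == "__main__":
    print(company_xyz())                   # countermeasure eliminates breaches
    print(company_xyz(residual_aro=6.0))   # countermeasure only halves the breach rate
```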

The AgID risk management tool for the Italian PA

Agenzia per l'Italia digitale – Agency for Digital Italy (AgID),
https://www.agid.gov.it/
– technical agency of the Presidency of the Council of Ministers
– main purpose: to guarantee the achievement of the Italian digital
agenda objectives and contribute to the diffusion of information and
communication technologies, with the aim of fostering innovation and
economic growth
– main role: coordinating public administrations (PAs) in the
implementation of the Three-Year Plan for information technology
– AgID supports digital innovation and promotes the dissemination of
digital skills, also in collaboration with international, national and local
institutions and bodies

The AgID risk management tool for the Italian PA
Cyber Risk Management – A tool for cyber risk assessment and
treatment
https://www.sicurezzait.gov.it
Main goals:
– supporting PAs (Ministries, schools, municipalities, etc.) in understanding
their cyber risk profiles, fostering awareness
– nation-wide risk management service for PAs: statistics, national
vulnerability database, integration with CERT-PA managed by AgID
(https://www.cert-pa.it)
Risk management tool: web application
– motivations: adapting standard RM frameworks and methodologies to the
needs of the Italian PA
– main frameworks and standards are tailored to enterprises and industries
with a "closed" structure and full control of their own information systems
– Italian PA bodies can instead make use of services provided by other PA
bodies with no knowledge of their working and risk profiles

The AgID risk management tool for the Italian PA

Starting points
– data about cyber risk in PAs collected by CERT-PA (vulnerabilities, etc.)
– standard frameworks and methodologies for risk management
(see https://www.sicurezzait.gov.it/cyber/?page_id=2):
ISO/IEC 27000 family, ISO 31000, IEC/ISO 31010,
ISF IRAM 2 (more info from ENISA and ISF web sites),
NIST guidelines
– minimal information security measures defined by AgID for Italian PAs

The AgID risk management tool for the Italian PA

AgID's view of PA structure
(https://www.sicurezzait.gov.it/cyber/?page_id=14)
– PA body (ente): set of services run by that body for external users (citizens,
enterprises, etc.) or internal users (other PA bodies, or itself)
• vertical service: directly provided to citizens (e.g., payment of a specific
tax to the municipality) or to its own employees
• horizontal service: provided to other PAs
– every service is considered an asset in itself

An example of vertical service for universities:
central authentication service

The AgID risk management tool for the Italian PA

The AgID risk management tool in the above context
– web application with authentication managed by SPID – Public Digital
Identity System, https://www.agid.gov.it/index.php/en/platforms/spid
– guiding users in each risk assessment step:
• defining the features of, and assigning a criticality profile to, each service
• assessing potential impacts of each service in case of loss of
confidentiality, integrity and availability
• identifying threats and security controls
• assessing the level of risk
• setting up a risk treatment plan
• monitoring the risk treatment plan over time

The AgID risk management tool for the Italian PA

Scope of the tool
– existing services: assessing the risk level, planning treatment actions
– services under development: assessing risk by simulation, proactive
correction of the identified vulnerabilities
– services to be developed: assessing risk by simulation, defining
security requirements

The AgID risk management tool for the Italian PA

Main steps
1) analysis of the context (services)
2) impact assessment (qualitative, worst-case)
• confidentiality / integrity / availability – economic and financial
• operational
• reputational
• legal (always considering the worst case), and always qualitative
3) risk assessment: dynamic questionnaire based on the previous
answers (up to 130 questions on security domains: privacy, physical
and logical accesses, staff management, etc. – including a "don't
know" answer, not envisaged in RM standards and frameworks)
4) risk treatment plan

The AgID risk management tool for the Italian PA

Output of the tool:
– detailed risk profile and likelihood of threat events
– definition of risk acceptance criteria
– suggested actions for risk treatment and plan (Gantt chart), including
other bodies to get the required resources

The AgID risk management tool for the Italian PA

Roles involved in the AgID risk management process
– management: overall responsibility for the whole process, spreading
risk culture to the whole organization
– service owner: person in charge of one or more services
– risk owner (or risk manager): person in charge of leading and
monitoring the risk management tasks according to AgID guidelines;
may be supported by one or more risk specialists
– security expert: person in charge of identifying and implementing
security measures of three kinds: technical (related to information
systems), organizational or procedural, physical.
Examples: system administrator (network, database, operating
system), physical security manager, IT security consultant, etc.
