Unit III

This document discusses risk management in information security. It covers identifying risks through asset identification and valuation, threat identification, and risk assessment. Risk management involves risk identification, assessment, and control. The roles of management, information security, and IT are discussed. Effective risk management requires identifying assets and vulnerabilities, understanding threats, and implementing appropriate controls. Periodic review ensures risks remain managed over time.

Uploaded by jayaraj2024

MANAKULA VINAYAGAR INSTITUTE OF TECHNOLOGY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

SUBJECT NAME: INFORMATION SECURITY
SUBJECT CODE: CS T83

Prepared By:
Mr. S.BALAJI, AP/CSE

Verified by: Approved by:

UNIT- III
SECURITY ANALYSIS: Risk Management: Identifying and Assessing Risk -
Assessing and Controlling Risk - Trends in Information Risk Management -
Managing Risk in an Intranet Environment.

INFORMATION SECURITY Page|1



OVERVIEW OF RISK MANAGEMENT


Risk management is the process of identifying risk, as represented by
vulnerabilities, to an organization’s information assets and infrastructure, and taking steps
to reduce this risk to an acceptable level. Each of the three elements in the C.I.A. triangle
is an essential part of every IT organization’s ability to sustain long-term competitiveness.
When an organization depends on IT-based systems to remain viable, information security
and the discipline of risk management must become an integral part of the economic basis
for making business decisions. These decisions are based on trade-offs between the costs of
applying information systems controls and the benefits realized from the operation of
secured, available systems.

Risk management involves three major undertakings:


• Risk Identification,
• Risk Assessment, and
• Risk Control

• Risk identification is the examination and documentation of the security posture of an
organization’s information technology and the risks it faces.
• Risk assessment is the determination of the extent to which the organization’s
information assets are exposed or at risk.
• Risk control is the application of controls to reduce the risks to an organization’s data
and information systems.

The various components of risk management and their relationship to each other are
shown in Figure.


Consider for a moment the similarities between information security and warfare.
Information security managers and technicians are the defenders of information. Defenses
are built in layers, by placing safeguard upon safeguard. The defenders attempt to prevent,
protect, detect, and recover from a seemingly endless series of attacks. Moreover, those
defenders are legally prohibited from deploying offensive tactics, so the attackers have no
need to expend resources on defense. In order to be victorious, you, a defender, must know
yourself and know the enemy.

Know Yourself
First, you must identify, examine, and understand the information and systems currently
in place within your organization. This is self-evident. To protect assets, which are defined
here as information and the systems that use, store, and transmit information, you must
know what they are, how they add value to the organization, and to which vulnerabilities
they are susceptible. Once you know what you have, you can identify what you are already
doing to protect it. Just because a control is in place does not necessarily mean that the
asset is protected. Frequently, organizations implement control mechanisms but then
neglect the necessary periodic review, revision, and maintenance. The policies, education
and training programs, and technologies that protect information must be carefully
maintained and administered to ensure that they remain effective.

Know the Enemy


Having identified your organization’s assets and weaknesses, you move on to Sun
Tzu’s second step: Know the enemy. This means identifying, examining, and understanding

the threats facing the organization. You must determine which threat aspects most directly
affect the security of the organization and its information assets, and then use this
information to create a list of threats, each one ranked according to the importance of the
information assets that it threatens.

The Roles of the Communities of Interest


Each community of interest has a role to play in managing the risks that an
organization encounters. Because the members of the information security community best
understand the threats and attacks that introduce risk into the organization, they often take
a leadership role in addressing risk. Management and users, when properly trained and
kept aware of the threats the organization faces, play a part in the early detection and
response process.

Management must also ensure that sufficient resources (money and personnel) are
allocated to the information security and information technology groups to meet the
security needs of the organization. Users work with the systems and the data and are
therefore well positioned to understand the value these information assets offer the
organization and which assets among the many in use are the most valuable. The
information technology community of interest must build secure systems and operate them
safely. For example, IT operations ensure good backups to control the risk from hard drive
failures. The IT community can provide both valuation and threat perspectives to
management during the risk management process.

All of the communities of interest must work together to address all levels of risk,
which range from disasters that can devastate the whole organization to the smallest
employee mistakes.

The three communities of interest are also responsible for the following:
• Evaluating the risk controls
• Determining which control options are cost effective for the organization
• Acquiring or installing the needed controls
• Ensuring that the controls remain effective

It is essential that all three communities of interest conduct periodic management reviews.
The first focus of management review is asset inventory. On a regular basis,
management must verify the completeness and accuracy of the asset inventory. In addition,
organizations must review and verify the threats to and vulnerabilities in the asset

inventory, as well as the current controls and mitigation strategies. They must also review
the cost effectiveness of each control and revisit the decisions on deployment of controls.
Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every
control deployed.
For example, a sales manager might assess control procedures by walking through
the office before the workday starts, picking up all the papers from every desk in the sales
department. When the workers show up, the manager could inform them that a fire had
been simulated and all of their papers destroyed, and that each worker must now follow the
disaster recovery procedures to assess the effectiveness of the procedures and suggest
corrections.


RISK IDENTIFICATION
• A risk management strategy calls on us to “know ourselves” by identifying,
classifying, and prioritizing the organization’s information assets.
• These assets are the targets of various threats and threat agents, and our goal is to
protect them from these threats.
• Next comes threat identification:
– Assess the circumstances and setting of each information asset.
– Identify the vulnerabilities and begin exploring the controls that might be used
to manage the risks.

Components of risk identification

a) Asset Identification, Valuation and Prioritization


• This iterative process begins with the identification of assets, including all of the
elements of an organization’s system: people, procedures, data and information,
software, hardware, and networking elements.
• Then, we classify and categorize the assets, adding details as we dig deeper into the
analysis.


Categorizing the Components of an Information System

People, Procedures, and Data Asset Identification


• Unlike the tangible hardware and software elements, the human resources,
documentation, and data information assets are not as readily discovered and
documented.
• These assets should be identified, described, and evaluated by people using knowledge,
experience, and judgment.
• As these elements are identified, they should also be recorded into some reliable data
handling process.

Asset Information for People


• For People:
– Position name/number/ID – try to avoid names and stick to identifying positions, roles,
or functions
– Supervisor
– Security clearance level
– Special skills

Asset Information for Procedures


• For Procedures:
– Description
– Intended purpose
– What elements is it tied to
– Where is it stored for reference
– Where is it stored for update purposes

Asset Information for Data


• For Data:
– Classification
– Owner/creator/manager
– Size of data structure
– Data structure used – sequential, relational
– Online or offline
– Where located
– Backup procedures employed

Hardware, Software, and Network Asset Identification


• What attributes of each of these information assets should be tracked?
• When deciding which information assets to track, consider including these asset
attributes:
– Name
– IP address
– MAC address
– Element type
– Serial number
– Manufacturer name
– Manufacturer’s model number or part number
– Software version, update revision, or FCO number
– Physical location
– Logical location
– Controlling entity

Automated Asset Inventory Tools


Automated tools can sometimes identify the system elements that make up hardware,
software, and network components. For example, many organizations use automated asset
inventory systems. The inventory listing is usually available in a database or can be
exported to a database for custom information on security assets. Once stored, the


inventory listing must be kept current, often by means of a tool that periodically refreshes
the data.
When you move to the later steps of risk management, which involve calculations of
loss and projections of costs, the case for the use of automated risk management tools for
tracking information assets becomes stronger. At this point in the process, however, simple
word processing, spreadsheet, and database tools can provide adequate record keeping.

b) Information Asset Classification


• Many organizations already have a classification scheme.
• Examples of these kinds of classifications are:
– confidential data
– internal data
– public data
• Informal organizations may have to organize themselves to create a usable data
classification model.
• The other side of the data classification scheme is the personnel security clearance
structure.

c) Information Asset Valuation and Prioritization


• Each asset is categorized.
• Questions to assist in developing the criteria to be used for asset valuation:
– Which information asset is the most critical to the success of the organization?
– Which information asset generates the most revenue?
– Which information asset generates the most profitability?
– Which information asset would be the most expensive to replace?
– Which information asset would be the most expensive to protect?
– Which information asset would be the most embarrassing or cause the greatest
liability if revealed?
• Create a weighting for each category based on the answers to the previous questions:
which factor is the most important to the organization?
• Once each question has been weighted, calculating the importance of each asset is
straightforward.
• List the assets in order of importance using a weighted factor analysis worksheet.


Example of a Weighted Factor Analysis Worksheet

d) Data Classification and Management


• A variety of classification schemes are used by corporate and military organizations.
• Information owners are responsible for classifying the information assets for which they
are responsible.
• Information owners must review information classifications periodically.
• The military uses a five-level classification scheme, but most organizations do not need
the detailed level of classification used by the military or federal agencies.

e) Security Clearances
• The other side of the data classification scheme is the personnel security clearance
structure.
• Each user of data in the organization is assigned a single level of authorization
indicating the level of classification.
• Before an individual is allowed access to a specific set of data, he or she must meet
the need-to-know requirement.
• This extra level of protection ensures that the confidentiality of information is
properly maintained.

f) Management of Classified Data


• Includes the storage, distribution, portability, and destruction of classified
information:
– Must be clearly marked as such
– When stored, it must be unavailable to unauthorized individuals
– When carried, should be inconspicuous, as in a locked briefcase or portfolio
• Clean desk policies require all information to be stored in its appropriate storage
container at the end of each day.
• Proper care should be taken to destroy any unneeded copies.
• Dumpster diving can prove embarrassing to the organization.

g) Threat Identification
• Each of the threats identified so far has the potential to attack any of the assets
protected.
• This will quickly become more complex and overwhelm the ability to plan.
• To make this part of the process manageable, each step in the threat identification and
vulnerability identification process is managed separately, and then coordinated at the
end of the process.

Threats to Information Security


h) Identify and Prioritize Threats
• Each threat must be further examined to assess its potential to impact the organization;
this is referred to as a threat assessment.
• To frame the discussion of threat assessment, address each threat with a few questions:
– Which threats present a danger to this organization’s assets in the given
environment?
– Which threats represent the most danger to the organization’s information?
– How much would it cost to recover from a successful attack?
– Which of these threats would require the greatest expenditure to prevent?

i) Vulnerability Identification
• Examine how each of the threats that are possible or likely could be perpetrated and
list the organization’s assets and their vulnerabilities.
• The process works best when groups of people with diverse backgrounds within the
organization work iteratively in a series of brainstorming sessions.
• At the end of the process, an information asset/vulnerability list has been developed;
this list is the starting point for the next step, risk assessment.

RISK ASSESSMENT
Now that you have identified the organization’s information assets and the threats
and vulnerabilities, you can evaluate the relative risk for each of the vulnerabilities. This
process is called risk assessment.

Risk assessment assigns a risk rating or score to each information asset. While this number
does not mean anything in absolute terms, it is useful in gauging the relative risk to each
vulnerable information asset and facilitates the development of comparative ratings later in
the risk control process.

Major Stages of Risk Assessment


• The goal of this process has been to identify the information assets of the organization
that have specific vulnerabilities and create a list of them, ranked for focus on those
most needing protection first.
• In preparing this list we have collected and preserved factual information about the
assets, the threats they face, and the vulnerabilities they experience.
• We should also have collected some information about the controls that are already in
place.
• Risk Identification Estimate Factors:
– Likelihood
– Value of Information Assets
– Percent of Risk Mitigated
– Uncertainty

Likelihood
Likelihood is the probability that a specific vulnerability will be the object of a
successful attack. In risk assessment, you assign a numeric value to likelihood.
Many asset/vulnerability combinations have sources for likelihood, for example:
• The likelihood of a fire has been estimated actuarially for each type of structure.
• The likelihood that any given e-mail contains a virus or worm has been researched.
• The number of network attacks can be forecast based on how many assigned network
addresses the organization has.

Risk Determination
For the purpose of relative risk assessment:

risk = (value (or impact) of information asset × likelihood of vulnerability occurrence)
× (100% − percentage of risk already controlled + an element of uncertainty)
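The weighted factor analysis worksheet and the risk determination formula above, carried through in code. This is an added example, not code from the lecture notes; the criteria weights, asset scores, likelihoods, control percentages and uncertainty values are constructed sample figures.

```python
"""Weighted factor analysis and relative risk rating.

Added worked example, not code from the lecture notes. The criteria,
weights, asset scores, likelihoods and control percentages are
constructed sample values chosen for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Valuation criteria derived from the worksheet questions (revenue,
# profitability, public image). Weights are assumed to sum to 100.
CRITERIA_WEIGHTS: Dict[str, int] = {"revenue": 30, "profitability": 40, "public_image": 30}


@dataclass(frozen=True)
class Asset:
    name: str
    scores: Dict[str, float]  # criterion -> score between 0.0 and 1.0


def weighted_score(asset: Asset, weights: Dict[str, int] = CRITERIA_WEIGHTS) -> float:
    """Weighted factor analysis: sum of (criterion weight x criterion score)."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: no score for {sorted(missing)}")
    for criterion, score in asset.scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"{asset.name}: score for {criterion} must be in [0, 1]")
    return sum(weights[c] * asset.scores[c] for c in weights)


@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    description: str
    likelihood: float      # probability of a successful attack, 0.0 to 1.0
    pct_controlled: float  # fraction of the risk already mitigated, 0.0 to 1.0
    uncertainty: float     # analyst's allowance for unknowns, 0.0 to 1.0


def risk_rating(v: Vulnerability) -> float:
    """risk = (asset value x likelihood) x (100% - % controlled + uncertainty).

    The asset value is the weighted factor score, so the result is only a
    relative number used to rank vulnerabilities against each other.
    """
    for name, value in (("likelihood", v.likelihood),
                        ("pct_controlled", v.pct_controlled),
                        ("uncertainty", v.uncertainty)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return weighted_score(v.asset) * v.likelihood * (1.0 - v.pct_controlled + v.uncertainty)


def ranked_vulnerability_worksheet(vulns: List[Vulnerability]) -> List[Tuple[float, str, str]]:
    """Rows of (risk rating, asset, vulnerability), highest risk first."""
    rows = [(round(risk_rating(v), 2), v.asset.name, v.description) for v in vulns]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample assets and asset/vulnerability pairs.
CUSTOMER_DB = Asset("Customer database", {"revenue": 0.8, "profitability": 0.9, "public_image": 0.5})
WEB_SERVER = Asset("Public web server", {"revenue": 1.0, "profitability": 0.6, "public_image": 1.0})

SAMPLE_VULNERABILITIES = [
    Vulnerability(CUSTOMER_DB, "DBMS behind on vendor security patches", 0.5, 0.2, 0.1),
    Vulnerability(WEB_SERVER, "Web server exposed without intrusion detection", 0.3, 0.5, 0.1),
    Vulnerability(CUSTOMER_DB, "Backup tapes stored on site only", 0.1, 0.0, 0.2),
]

if __name__ == "__main__":
    for rating, asset, vuln in ranked_vulnerability_worksheet(SAMPLE_VULNERABILITIES):
        print(f"{rating:6.2f}  {asset:20s}  {vuln}")
```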

Identify Possible Controls


• For each threat and its associated vulnerabilities that have any residual risk, create a
preliminary list of control ideas.
• Residual risk is the risk that remains to the information asset even after the existing
control has been applied.
• There are three general categories of controls: policies, programs, and
technologies.
• Policies are documents that specify an organization’s approach to security.
• There are four types of security policies:
– general security policies,
– program security policies,
– issue-specific policies,
– systems-specific policies.

Access Controls
• Access controls are used to determine if and how to admit a user into a trusted area of
the organization. These areas can include information systems, physically restricted
areas such as computer rooms, and the organization in its entirety.
• Access controls usually consist of a combination of policies, programs, and technologies.
• There are a number of approaches to controlling access:
– Access controls can be mandatory, discretionary, or nondiscretionary.

Types of Access Controls


• Discretionary Access Controls (DAC) are implemented at the discretion or option of
the data user.
• Mandatory Access Controls (MACs) are structured and coordinated with a data
classification scheme, and are required.
• Nondiscretionary Controls are those determined by a central authority in the
organization and can be based on that individual’s role (Role-Based Controls) or a
specified set of duties or tasks the individual is assigned (Task-Based Controls), or can be
based on specified lists maintained on subjects or objects.

Lattice-based Control
• Another type of nondiscretionary access is lattice-based control, where a lattice
structure (or matrix) is created containing subjects and objects, and the boundaries
associated with each pair are recorded.
• This specifies the level of access each subject has to each object.
• In a lattice-based control the column of attributes associated with a particular object is
referred to as an access control list or ACL.
• The row of attributes associated with a particular subject (such as a user) is referred to
as a capabilities table.
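The nondiscretionary, role-based scheme from the previous section and the lattice (access matrix) with its ACL column and capability row, as an added example that is not from the lecture notes. The roles, users, objects and rights are constructed sample data; filling the matrix from role definitions stands in for the central authority that decides rights in a nondiscretionary scheme.

```python
"""Access matrix with ACL (column) and capability table (row) views.

Added example, not code from the lecture notes. Roles, subjects, objects
and rights below are constructed sample data.
"""
from typing import Dict, FrozenSet, Iterable, Mapping, Set

Rights = FrozenSet[str]


class AccessMatrix:
    """Subjects are rows, objects are columns, each cell holds a set of rights."""

    def __init__(self) -> None:
        self._cells: Dict[str, Dict[str, Set[str]]] = {}
        self._objects: Set[str] = set()

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._objects.add(obj)
        self._cells.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get(subject, {}).get(obj)
        if cell:
            cell.difference_update(rights)

    def is_permitted(self, subject: str, obj: str, right: str) -> bool:
        """Default deny: a missing or empty cell grants nothing."""
        return right in self._cells.get(subject, {}).get(obj, set())

    def acl(self, obj: str) -> Dict[str, Rights]:
        """Column view: which subjects hold which rights on one object."""
        return {s: frozenset(row[obj]) for s, row in self._cells.items() if row.get(obj)}

    def capabilities(self, subject: str) -> Dict[str, Rights]:
        """Row view: which objects one subject may reach, and with which rights."""
        return {o: frozenset(r) for o, r in self._cells.get(subject, {}).items() if r}

    def objects(self) -> FrozenSet[str]:
        return frozenset(self._objects)


def build_from_roles(assignments: Mapping[str, Iterable[str]],
                     role_rights: Mapping[str, Mapping[str, Iterable[str]]]) -> AccessMatrix:
    """Fill the matrix from role definitions; a subject with several roles gets the union."""
    m = AccessMatrix()
    for subject, roles in assignments.items():
        for role in roles:
            if role not in role_rights:
                raise KeyError(f"unknown role {role!r} assigned to {subject}")
            for obj, rights in role_rights[role].items():
                m.grant(subject, obj, *rights)
    return m


# Constructed sample: rights per role, as defined by the security administrator.
ROLE_RIGHTS = {
    "hr_clerk": {"payroll_db": {"read", "write"}, "staff_directory": {"read"}},
    "engineer": {"source_repo": {"read", "write"}, "staff_directory": {"read"}},
    "auditor": {"payroll_db": {"read"}, "source_repo": {"read"}, "audit_log": {"read"}},
}
ASSIGNMENTS = {"alice": ["hr_clerk"], "bob": ["engineer"], "carol": ["auditor", "engineer"]}

SAMPLE_MATRIX = build_from_roles(ASSIGNMENTS, ROLE_RIGHTS)

if __name__ == "__main__":
    print("ACL for payroll_db:", SAMPLE_MATRIX.acl("payroll_db"))
    print("Capabilities of carol:", SAMPLE_MATRIX.capabilities("carol"))
```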

Documenting Results of Risk Assessment


• The goal of this process has been to identify the information assets of the
organization that have specific vulnerabilities and create a list of them, ranked for focus
on those most needing protection first.
• In preparing this list we have collected and preserved factual information about the
assets, the threats they face, and the vulnerabilities they experience.
• We should also have collected some information about the controls that are already
in place.

Risk Control Strategies


When organizational management determines that risks from information security
threats are creating a competitive disadvantage, they empower the information technology
and information security communities of interest to control the risks. Once the project team
for information security development has created the ranked vulnerability worksheet, the
team must choose one of five basic strategies to control each of the risks that result from
these vulnerabilities.

The four strategies are avoidance, transference, mitigation, and acceptance.


• When risks from information security threats are creating a competitive
disadvantage, the information technology and information security communities of
interest take control of the risks.
• Four basic strategies are used to control the risks that result from vulnerabilities:
– Apply safeguards (avoidance)
– Transfer the risk (transference)
– Reduce the impact (mitigation)
– Inform themselves of all of the consequences and accept the risk without control or
mitigation (acceptance)

Avoidance
• Avoidance attempts to prevent the exploitation of the vulnerability.
• This is the preferred approach, as it seeks to avoid risk in its entirety rather than
dealing with it after it has been realized.
• Accomplished through countering threats, removing vulnerabilities in assets, limiting
access to assets, and/or adding protective safeguards.
• Three areas of control:
– Application of policy
– Training and education
– Application of technology

Transference
• Transference is the control approach that attempts to shift the risk to other assets, other
processes, or other organizations.
• If an organization does not already have quality security management and
administration experience, it should hire individuals or firms that provide such expertise.
• This allows the organization to transfer the risk associated with the management of
these complex systems to another organization with established experience in dealing
with those risks.

Mitigation
• Mitigation attempts to reduce the impact of exploitation through planning and
preparation.
• Three types of plans:
– disaster recovery planning (DRP)
– business continuity planning (BCP)
– incident response planning (IRP)
• The most common of the mitigation procedures is the disaster recovery plan or DRP.
• The actions to take while the incident is in progress are defined in the incident response
plan or IRP.
• Longer term issues are handled in the business continuity plan or BCP.

Acceptance
• Acceptance of risk is doing nothing to close a vulnerability and to accept the outcome of
its exploitation.
• Acceptance is valid only when the organization has:
– Determined the level of risk
– Assessed the probability of attack
– Estimated the potential damage
– Performed a thorough cost benefit analysis
– Evaluated controls using each appropriate feasibility
– Decided that the particular function, service, information, or asset did not
justify the cost of protection
• Risk appetite describes the degree to which an organization is willing to accept risk as a
trade-off to the expense of applying controls.

Selecting a Risk Control Strategy
Risk control involves selecting one of the five risk control strategies for each
vulnerability. The flowchart in Figure guides you through the process of deciding how to
proceed with one of the five strategies.


Mitigation Strategy Selection


• The level of threat and value of the asset play a major role in the selection of strategy.
• The following rules of thumb can be applied in selecting the preferred strategy:
– When a vulnerability can be exploited, apply layered protections, architectural
designs, and administrative controls to minimize the risk or prevent this
occurrence.
– When the attacker’s cost is less than his/her potential gain, apply protections to
increase the attacker’s cost.
– When potential loss is substantial, apply design principles, architectural
designs, and technical and non-technical protections to limit the extent of the
attack, thereby reducing the potential for loss.

Categories of controls
• Controlling risk through avoidance, mitigation, or transference may be accomplished
by implementing controls or safeguards.
• One approach to selecting controls is by category:
– Control Function
– Architectural Layer
– Strategy Layer
– Information Security Principles


Control Function
• Controls or safeguards designed to defend the vulnerability are either preventive or
detective.
• Preventive controls stop attempts to exploit a vulnerability by implementing enforcement
of an organizational policy or a security principle, such as authentication or
confidentiality.
• Detective controls warn of violations of security principles, organizational policies, or
attempts to exploit vulnerabilities.
• Detective controls use techniques such as audit trails, intrusion detection, or
configuration monitoring.

Architectural Layer
• Some controls apply to one or more layers of an organization’s technical architecture.
• Among the architectural layer designators in common use are:
– organizational policy
– external networks
– extranets (or demilitarized zones)
– intranets (WAN and LAN)
– network devices that interface network zones (switches, routers, firewalls, and
hubs)
– systems (computers for mainframe, server, or desktop use)
– applications

Strategy Layer
• Controls are sometimes classified by the risk control strategy they operate within:
– avoidance
– mitigation
– transference

Information Security Principles


• Controls operate within one or more of the commonly accepted information security
principles:
– Confidentiality
– Integrity
– Availability
– Authentication
– Authorization
– Accountability
– Privacy

Feasibility Studies and the Cost Benefit Analysis


• Before deciding on the strategy for a specific vulnerability, all information about the
economic and non-economic consequences of the vulnerability facing the information
asset must be explored.
• Fundamentally we are asking:
“What are the actual and perceived advantages of implementing a control contrasted
with the actual and perceived disadvantages of implementing the control?”

Cost Benefit Analysis (CBA)


• The most common approach for a project of information security controls and
safeguards is the economic feasibility of implementation.
• Begins by evaluating the worth of the information assets to be protected and the loss
in value if those information assets are compromised.
• It is only common sense that an organization should not spend more to protect an
asset than it is worth.
• The formal process to document this is called a cost benefit analysis or an economic
feasibility study.

CBA: Cost Factors


• Some of the items that impact the cost of a control or safeguard include:
– Cost of development or acquisition
– Training fees
– Cost of implementation
– Service costs
– Cost of maintenance

CBA: Benefits
• Benefit is the value that the organization recognizes by using controls to prevent losses
associated with a specific vulnerability.
• This is usually determined by valuing the information asset or assets exposed by the
vulnerability and then determining how much of that value is at risk.

CBA: Asset Valuation


• Asset valuation is the process of assigning financial value or worth to each information
asset.
• The valuation of assets involves estimation of real and perceived costs associated with
the design, development, installation, maintenance, protection, recovery, and defense
against market loss and litigation.
• These estimates are calculated for each set of information-bearing systems or
information assets.
• There are many components to asset valuation.

CBA: Loss Estimates


• Once the worth of various assets is estimated, examine the potential loss that could
occur from the exploitation of a vulnerability or a threat occurrence.
• This process results in the estimate of potential loss per risk.
• The questions that must be asked here include:
– What damage could occur, and what financial impact would it have?
– What would it cost to recover from the attack, in addition to the costs above?
– What is the single loss expectancy for each risk?

CBA: ALE & ARO


• The expected value of a loss can be stated in the following equation:
– Annualized Loss Expectancy (ALE) =
Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
where:
– SLE = asset value × exposure factor (EF)
• ARO is simply how often you expect a specific type of attack to occur, per year.
• SLE is the calculation of the value associated with the most likely loss from an attack.
• EF is the percentage loss that would occur from a given vulnerability being exploited.

CBA: Formula
• CBA is whether or not the control alternative being evaluated is worth the associated
cost incurred to control the specific vulnerability.
• While many CBA techniques exist, for our purposes, the CBA is most easily calculated
using the ALE from earlier assessments.
• CBA = ALE(prior) – ALE(post) – ACS
Where:
– ALE(prior) is the Annualized Loss Expectancy of the risk before the implementation
of the control.
– ALE(post) is the ALE examined after the control has been in place for a period of
time.
– ACS is the Annual Cost of the Safeguard.
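The SLE, ARO, ALE and CBA formulas above applied to one control alternative. This is an added example, not from the lecture notes; the asset value, exposure factors, occurrence rates and safeguard costs are constructed sample figures in arbitrary currency units.

```python
"""Cost benefit analysis of a safeguard using SLE, ARO and ALE.

Added worked example, not code from the lecture notes. All figures
below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """One asset/threat pair, either before or after a safeguard is in place."""
    asset_value: float      # financial worth of the information asset
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (attacks per year)

    def __post_init__(self) -> None:
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in [0, 1]")


def single_loss_expectancy(s: LossScenario) -> float:
    """SLE = asset value x exposure factor (EF)."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: LossScenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_safeguard(before: LossScenario, after: LossScenario, acs: float) -> dict:
    """Summarize the economic feasibility of one control alternative.

    'max_affordable_acs' is the annual safeguard cost at which CBA reaches
    zero; any costlier alternative giving the same risk reduction is not
    economically feasible.
    """
    ale_prior = annualized_loss_expectancy(before)
    ale_post = annualized_loss_expectancy(after)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {
        "sle_prior": single_loss_expectancy(before),
        "ale_prior": ale_prior,
        "ale_post": ale_post,
        "acs": acs,
        "cba": cba,
        "max_affordable_acs": ale_prior - ale_post,
        "worthwhile": cba > 0,
    }


# Constructed sample: a customer database worth 500,000 units, expected to
# suffer a 40% loss once every two years before the control, and a 10% loss
# once every four years once encrypted, monitored backups are in place.
BEFORE = LossScenario(asset_value=500_000, exposure_factor=0.40, aro=0.5)
AFTER = LossScenario(asset_value=500_000, exposure_factor=0.10, aro=0.25)

if __name__ == "__main__":
    for acs in (30_000, 95_000):
        r = evaluate_safeguard(BEFORE, AFTER, acs)
        verdict = "adopt" if r["worthwhile"] else "reject"
        print(f"ACS {acs:>8,}: ALE {r['ale_prior']:,.0f} -> {r['ale_post']:,.0f}, "
              f"CBA {r['cba']:,.0f} ({verdict})")
```

The second alternative in the usage block costs more per year than the loss it prevents, so its CBA is negative and acceptance of the residual risk is the cheaper choice.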

Evaluation, Assessment, and Maintenance of Risk Controls


• Once a control strategy has been implemented, the effectiveness of controls should
be monitored and measured on an ongoing basis to determine the effectiveness of the
security controls and the accuracy of the estimate of the residual risk.


Quantitative Versus Qualitative Risk Control Practices


 The many steps described previously were performed using actual values or numerical
estimates. This is known as a quantitative assessment.
 However, an organization could decide that it cannot put specific numbers on these
values.
 Fortunately, it is possible to repeat these steps using an evaluation process, called
qualitative assessment, that does not use numerical measures and instead rates likelihood
and impact on relative scales (for example low, medium and high).

Benchmarking and Best Practices


Benchmarking is the process of seeking out and studying the practices used in
other organizations that produce results you would like to duplicate in your organization.
An organization typically benchmarks itself against other institutions by selecting a
measure upon which to base the comparison. The organization then measures the
difference between the way it conducts business and the way the other organizations
conduct business.
When benchmarking, an organization typically uses one of two measures:
– Metrics-based measures are comparisons based on numerical standards.
– Process-based measures examine the activities performed in pursuit of a goal,
rather than the specific numbers that show how well the goal was attained.

Metrics-based measures are comparisons based on numerical standards, such as:


 Numbers of successful attacks
 Staff-hours spent on systems protection
 Dollars spent on protection
 Numbers of security personnel
 Estimated value in dollars of the information lost in successful attacks
 Loss in productivity hours associated with successful attacks

Due Care/Due Diligence


 When organizations adopt levels of security for a legal defense, they may need to
show that they have done what any prudent organization would do in similar
circumstances - this is referred to as a standard of due care.
 Due diligence is the demonstration that the organization is diligent in ensuring that
the implemented standards continue to provide the required level of protection.
 Failure to support a standard of due care or due diligence can open an organization
to legal liability.


Best Business Practices


 Security efforts that provide a superior level of protection of information are referred
to as best business practices.
 Best security practices (BSPs) are security efforts that are among the best in the
industry.
 When considering best practices for adoption in your organization, consider the
following:
– Does your organization resemble the identified target?
– Are the resources you can expend similar?
– Are you in a similar threat environment?

Other Feasibility studies


Organizational Feasibility
 Organizational feasibility examines how well the proposed information security
alternatives will contribute to the efficiency, effectiveness, and overall operation of an
organization.
 Above and beyond the impact on the bottom line, the organization must determine
how the proposed alternatives contribute to the business objectives of the organization.

Operational Feasibility
 Addresses user acceptance and support, management acceptance and support, and the
overall requirements of the organization’s stakeholders.
 Sometimes known as behavioral feasibility, because it measures the behavior of users.
 One of the fundamental principles of systems development is obtaining user buy-in on a
project and one of the most common methods for obtaining user acceptance and support
is through user involvement obtained through three simple steps:
– Communicate
– Educate
– Involve

Technical Feasibility
 The project team must also consider the technical feasibilities associated with the
design, implementation, and management of controls.


 Examines whether or not the organization has or can acquire the technology necessary
to implement and support the control alternatives.

Political Feasibility
 For some organizations, the most significant feasibility evaluated may be political.
 Within organizations, political feasibility defines what can and cannot occur based on the
consensus and relationships between the communities of interest.
 The limits placed on an organization’s actions or behaviors by the information security
controls must fit within the realm of the possible before they can be effectively
implemented, and that realm includes the availability of staff resources.

TRENDS IN INFORMATION RISK MANAGEMENT


1. The unintended consequences of state intervention
Organizations need to extend their risk management focus from pure information
confidentiality, integrity and availability to include risks such as those to reputation and
customer channels, and to recognize the unintended consequences of activity in
cyberspace.
By preparing for the unknown, organizations will have the flexibility to withstand
unexpected, high-impact security events.

2. Big data will lead to big problems


Organizations are increasingly embedding big data in their operations and decision-
making processes. But it is essential to recognize that there is a human element to data
analytics. Organizations that fail to respect that human element put themselves at risk
by overvaluing big data output: poor integrity of the underlying information sets can
produce analyses that lead to poor business decisions, missed opportunities, brand
damage and lost profits.

3. Mobile applications and the IoT


Smartphones and other mobile devices are creating a prime target for malicious actors
in the Internet of Things (IoT).


The rapid uptake of bring-your-own-device (BYOD), and the introduction of wearable
technologies to the workplace, will increase an already high demand for mobile apps for
work and home in the coming year.
To meet this increased demand, developers working under intense pressure and on
razor-thin profit margins will sacrifice security and thorough testing in favor of speed of
delivery and low cost, resulting in poor quality products more easily hijacked by
criminals or hacktivists.

4. Cybercrime causes the perfect threat storm


Cybercrime topped the list of threats in 2015, and it's not going away in 2016.
Cybercrime, along with an increase in hacktivism, the surge in cost of compliance to
deal with the uptick in regulatory requirements and the relentless advances in
technology against a backdrop of under investment in security departments, can all
combine to cause the perfect threat storm. Organizations that adopt a risk management
approach to identify what the business relies on most will be well placed to quantify the
business case to invest in resilience.
Cyberspace is an increasingly attractive hunting ground for criminals, activists and
terrorists motivated to make money, cause disruption or even bring down corporations
and governments through online attacks. Organizations must be prepared for the
unpredictable so they have the resilience to withstand unforeseen, high impact events.

5. Skills gap becomes an abyss for information security


The information security profession is still maturing just as the increasing sophistication
of cyber-attack capabilities demands more of an increasingly scarce pool of information
security professionals. While cybercriminals and hacktivists are growing in number and
deepening their skillsets, the "good guys" are struggling to keep pace. CISOs need to
build sustainable recruiting practices and develop and retain existing talent to improve
their organization's cyber resilience.
The problem is going to grow worse in future as hyper-connectivity increases. CISOs
will have to become more aggressive about acquiring the skill sets the organization needs.

MANAGING RISK IN AN INTRANET ENVIRONMENT


Intranets help organisations manage and deliver information in better ways, reducing a
wide range of business risks. They also help organisations respond to natural disasters.
 Improve the delivery of policies: A valuable first step can be to bring policies together
into a small number of sections, structured in a usable way, with well-written content.


Further improvements can then be made to the underlying management of policies, as
well as how they are delivered to staff.
 Seek out risk ‘owners’: In any larger organisation, there will be senior managers who
are the ‘owners’ of key business risks, including legal, financial and compliance.
Establish good relations with these managers, and use these to identify and formalise
business risks, and find opportunities for the intranet to help.
 Discuss risks with service delivery areas: Similarly, managers in key service delivery
areas will generally have a good understanding of the business risks that threaten them.
Work with them to find ways that the intranet can mitigate these risks.
 Establish a disaster response plan for the intranet: Help the organisation to quickly
respond to a disaster by enabling remote intranet access for staff, establishing good
communication channels, and ensuring the resilience of intranet infrastructure.
 Align intranet strategy to business risks: Document an explicit business risk
register, and outline how the intranet can help to mitigate these risks. Align intranet
business cases and project plans to key business risks.
