UNIT - II (IS)

This document provides an overview of risk management and information security, outlining key concepts such as risk identification, assessment, and control strategies. It aims to educate students on information security basics, legal and ethical issues, and technological aspects, with specific course outcomes related to security threats, policies, and intrusion detection systems. Additionally, it includes the vision and mission of the institute and department, as well as program educational objectives and outcomes for graduates.

UNIT II
RISK MANAGEMENT AND INFORMATION SECURITY

Introduction – An Overview of Risk Management – Risk Identification – Risk Assessment – Risk Control Strategies – Selecting a Risk Control Strategy – Risk Management Discussion Points – Documenting Results – Recommended Practices in Controlling Risk.
OBJECTIVES:
• To understand the basics of Information Security
• To identify the legal, ethical and professional issues in Information Security
• To understand the aspects of risk management
• To become aware of various standards in information security
• To review the technological aspects of Information Security
COURSE OUTCOMES:
Upon completion of the course, the students will be able to
1. Identify and analyze the security threats and attacks.
2. Outline risk management and information security.
3. Apply and devise suitable security policies and standards.
4. Experiment with intrusion detection and prevention systems to ensure information security.
5. Discuss various matching and enrolment processes in biometrics.
INSTITUTE VISION AND MISSION
VISION OF THE INSTITUTE:
To achieve a prominent position among the top technical institutions.

MISSION OF THE INSTITUTE:
M1: To bestow standard technical education par excellence through state of the art infrastructure, competent faculty and high ethical standards.
M2: To nurture research and entrepreneurial skills among students in cutting edge technologies.
M3: To provide education for developing high-quality professionals to transform the society.
DEPARTMENT VISION AND MISSION
VISION OF THE DEPARTMENT:
To create eminent professionals of Computer Science and Engineering by imparting quality education.

MISSION OF THE DEPARTMENT:
M1: To provide technical exposure in the field of Computer Science and Engineering through state of the art infrastructure and ethical standards.
M2: To engage the students in research and development activities in the field of Computer Science and Engineering.
M3: To empower the learners to involve in industrial and multi-disciplinary projects for addressing the societal needs.
PROGRAM EDUCATIONAL OBJECTIVES (PEOs):
Our graduates shall
PEO1: Analyse, design and create innovative products for addressing social needs.
PEO2: Equip themselves for employability, higher studies and research.
PEO3: Nurture the leadership qualities and entrepreneurial skills for their successful career.
PROGRAM SPECIFIC OUTCOMES (PSOs):
Students will be able to
PSO1: Apply the basic and advanced knowledge in developing software, hardware and firmware solutions addressing real life problems.
PSO2: Design, develop, test and implement product-based solutions for their career enhancement.
PROGRAM OUTCOMES:
PO1 Engineering knowledge
PO2 Problem analysis
PO3 Design/development of solutions
PO4 Conduct investigations of complex problems
PO5 Modern tool usage
PO6 The engineer and society
PO7 Environment and sustainability
PO8 Ethics
PO9 Individual and team work
PO10 Communication
PO11 Project management and finance
PO12 Life-long learning
INTRODUCTION
RISK:
The term risk is defined as the potential future harm that may arise due to some present action.

RISK MANAGEMENT
• It is the process of identifying, analyzing and controlling the risks facing an organization.
• Risk management is the discipline of identifying, monitoring and limiting risks.
The following are the major hurdles faced by organizations in protecting their information resources:
• Hundreds of potential threats exist.
• Computing resources are situated at many different locations.
• A cost-benefit analysis of an attack cannot be done before the attack occurs.
• Many individuals are involved in handling the information assets.
• The methods to prevent the hazards are not economical, so not all organizations can implement them.
Roles of communities of interest:
All communities of interest in the organization are responsible for implementing security within the organization:
• Information security professionals
• Information technology
• Management and users
An Overview of Risk Management
• Risks come from accidents and natural disasters as well as deliberate attacks.
• To build secure and successful information systems you must first know yourself and know the enemy.
• Know yourself: identify, examine, and understand the information and systems currently in place.
• Know the enemy: identify, examine, and understand the threats facing the organization.
Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization's information assets and infrastructure, and taking steps to reduce this risk to an acceptable level.

Risk management involves three major undertakings: risk identification, risk assessment, and risk control.
• Risk identification is the examination and documentation of the security posture of an organization's information technology and the risks it faces.
• Risk assessment is the documentation of the extent to which the organization's information assets are exposed or at risk.
• Risk control is the application of controls to reduce the risks to an organization's data and information systems.
Risk Identification
• Assets of the organization are the targets of various threats and threat agents.
• Risk management: the process of identifying and controlling the risks facing an organization.
• Risk identification begins with identifying the organization's assets and assessing their value.
Components of Risk Identification
Figure 4-2 Components of Risk Identification
1. Asset Identification & Valuation
• Includes all the elements of an organization's system, such as people, procedures, data and information, software, hardware, and networking elements.
• Then, you classify and categorize the assets, adding details.
• The risk identification process naturally progresses into qualitative risk analysis or quantitative analysis.
People, Procedures, and Data Asset Identification
• Asset attributes for people: position name/number/ID; supervisor; security clearance level; special skills
• Asset attributes for procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
• Asset attributes for data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification
• Name
• IP address
• MAC address
• Element type
• Serial number
• Manufacturer name
• Physical location
• Logical location
2. Information Asset Classification
• Information owners are responsible for classifying their information assets.
• Information classifications must be reviewed periodically.
• Most organizations do not need the detailed level of classification used by military or federal agencies; instead they may use other data classification schemes, such as:
  • Confidential
  • Internal
  • Public data
• Categories must be comprehensive and mutually exclusive.
3. Information Asset Valuation
• Questions help develop criteria for asset valuation. Which information asset:
  • is most critical to the organization's success?
  • generates the most revenue/profitability?
  • would be most expensive to replace or protect?
  • would be the most embarrassing or cause the greatest liability if revealed?
Information Assets Valuation
4. Information Asset Prioritization
• Create a weighting for each category based on the answers to the questions (prioritize the assets).
• Calculate the relative importance of each asset using weighted factor analysis.
• List the assets in order of importance using a weighted factor analysis worksheet.
5. Security Clearances
• The other side of the data classification scheme is the personnel security clearance structure.
• Each user of data must be assigned a single authorization level that indicates the level of classification he or she is authorized to view.
• Need-to-know requirements policy.
6. Management of Classified Data
• Management of classified data includes its storage, distribution, portability, and destruction.
• A clean desk policy requires that employees secure all information in appropriate storage containers at the end of each day.
• Dumpster diving: retrieving, from discarded material, information that could embarrass a company or compromise information security.
Threat Identification (Identifying and Prioritizing Threats)
• Realistic threats need investigation; unimportant threats are set aside.
• Threat assessment:
  • Which threats present a danger to assets?
  • Which threats represent the most danger to information?
  • How much would it cost to recover from an attack?
  • Which threat requires the greatest expenditure to prevent?
Table 4-3 Threats to Information Security
Vulnerability Identification
• Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities.
• Examine how each threat could be perpetrated and list the organization's assets and vulnerabilities.
• At the end of the risk identification process, a list of assets and their vulnerabilities is achieved.
Vulnerability Identification
• The TVA worksheet: at the end of the risk identification process, you should have a prioritized list of assets and their vulnerabilities, organized as threats-vulnerabilities-assets (TVA).
• One or more vulnerabilities exist between each threat and asset, and as these vulnerabilities are identified they are categorized as follows:
  • T1V1A1: Vulnerability 1 that exists between Threat 1 and Asset 1
  • T1V2A1: Vulnerability 2 that exists between Threat 1 and Asset 1
  • T2V1A1: Vulnerability 1 that exists between Threat 2 and Asset 1 … and so on.
Example threat categories:
• Technical hardware failures or errors: power system failures are always possible.
• Technological obsolescence: if the asset is not periodically reviewed and updated it may fail.
• QoS deviations: on-time delivery.
Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability through the process.
• Risk assessment is the determination of the quantitative or qualitative value of risk related to the situation.
• Quantitative value: mathematical calculation based on security metrics.
• Qualitative value: used when a significant quantity of relevant data is not available.
Risk Determination
• For the purpose of relative risk assessment, risk equals:
Risk = (Value of information asset × Likelihood of vulnerability occurrence) × (100% − Percentage of risk already controlled + an element of uncertainty)
Value of Information Assets:
• Assigning weighted values to the information assets is called information valuation.
• The scale could range from 1 to 100.
• Some organizations use 1, 3 and 5 to represent low, medium and high valued assets.
Likelihood
• The probability that a specific vulnerability will be the object of a successful attack.
• Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100.
• Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list.
• Use the selected rating model consistently.
• Use external references for values that have been reviewed/adjusted for your circumstances.
Identify Possible Controls
• For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas.
• Residual risk is the risk that remains to an information asset even after the existing control has been applied.
• There are three general categories of risk controls:
  • Policies
  • Programs (planning-level document)
  • Technologies (executive-level document)
Access Control
• Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization, that is, information systems, restricted areas such as computer rooms, and the entire physical location.
• There are a number of approaches to controlling access.
• Access control can be (types):
  • Discretionary
  • Mandatory
  • Non-discretionary
• Mandatory access controls (MACs) use data classification schemes; they give users and data owners limited control over access to information resources.
• With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL).
• Nondiscretionary controls are a strictly enforced version of MACs that are managed by a central authority in the organization and can be based on an individual's role (role-based controls) or on a specified set of tasks, subject- or object-based (task-based controls).
• Discretionary access controls (DACs) are implemented at the discretion or option of the data user.
Documenting the Results of Risk Assessment
• Ranked vulnerability risk worksheet
• Worksheet details are: asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor.
• The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.
Table 4-9 Ranked Vulnerability Risk Worksheet

Table 4-10 Risk Identification and Assessment Deliverables
Deliverable: Purpose
• Information asset classification worksheet: assembles information about information assets and their impact.
• Weighted criteria analysis worksheet: assigns a ranked value or impact weight to each information asset.
• Ranked vulnerability risk worksheet: assigns a ranked value of risk rating for each uncontrolled asset-vulnerability pair.
Recommended Practices in Controlling Risk
• We must convince budget authorities to spend up to the value of the asset to protect a particular asset from an identified threat.
• Each and every control or safeguard implemented will impact more than one threat-asset pair.
• Qualitative measures
• Delphi technique (the individual responses are compiled and then returned to the individuals for another iteration)

Principles of Information Security, 4th Edition

Cost Avoidance
• It is the process of avoiding the financial impact of an incident by implementing a control.
• Includes:
  • Cost-benefit analysis
  • Organizational feasibility
  • Operational feasibility
  • Technical feasibility
  • Political feasibility
Feasibility Studies
• Before deciding on a strategy, all information about the economic and noneconomic consequences of a vulnerability of an information asset must be explored.
• A number of ways exist to determine the advantage of a specific control.
Cost Benefit Analysis (CBA)
• Cost-Benefit Analysis (CBA) is a decision-making process used to evaluate the financial and non-financial benefits of a project, investment, or decision compared to its costs. The goal is to determine whether the benefits outweigh the costs.
• Steps in Cost-Benefit Analysis
1. Identify Costs & Benefits
  o Direct costs (e.g., salaries, equipment, materials)
  o Indirect costs (e.g., maintenance, training)
  o Intangible costs (e.g., environmental impact)
  o Direct benefits (e.g., revenue, cost savings)
  o Indirect benefits (e.g., brand reputation, efficiency)
2. Assign a Monetary Value
  o Convert all benefits and costs into a common currency for comparison.
3. Calculate Net Benefit
  o Use the formula: Net Benefit = Total Benefits − Total Costs
4. Compare Results
  o If Net Benefit > 0, the project is financially viable.
  o If Net Benefit < 0, the project is not profitable.
Cost Benefit Analysis (CBA)
• The most common approach for deciding on information security controls is the economic feasibility of implementation.
• CBA begins by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised.
• The formal process to document this is called cost-benefit analysis or economic feasibility study.
Cost Benefit Analysis (CBA) (continued)
• Once the value of assets is estimated, the potential loss from exploitation of a vulnerability is studied.
• The result of the process is an estimate of the potential loss per risk.
• The expected loss per risk is stated in the following equation:
Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
• SLE is equal to asset value × exposure factor (EF).
The Cost Benefit Analysis (CBA) Formula
• CBA determines if the alternative being evaluated is worth the cost incurred to control the vulnerability.
• CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control:
CBA = ALE(prior) − ALE(post) − ACS
• ALE(prior) is the annualized loss expectancy of the risk before implementation of the control.
• ALE(post) is the estimated ALE based on the control being in place for a period of time.
• ACS is the annualized cost of the safeguard.
The Cost Benefit Analysis (CBA) Formula
• Scenario: A company wants to determine whether implementing a new firewall is cost-effective in reducing the risk of cyberattacks.
• Given data:
  • Annualized Loss Expectancy before control (ALE prior) = $50,000
  • Annualized Loss Expectancy after control (ALE post) = $10,000
  • Annualized Cost of Safeguard (ACS) = $15,000
• CBA calculation:
  CBA = ALE(prior) − ALE(post) − ACS
  CBA = 50,000 − 10,000 − 15,000
  CBA = 25,000
• Since the CBA is positive ($25,000), the cost savings from reducing risk outweigh the cost of implementing the firewall. This indicates that implementing the firewall is a financially beneficial decision.
The Cost Benefit Analysis (CBA) Formula
• Scenario: A retail company is considering implementing an advanced biometric access control system to prevent unauthorized access to its payment processing servers.
• Given data:
  • Annualized Loss Expectancy before control (ALE prior) = $30,000
  • Annualized Loss Expectancy after control (ALE post) = $5,000
  • Annualized Cost of Safeguard (ACS) = $30,000
• CBA calculation:
  CBA = ALE(prior) − ALE(post) − ACS
  CBA = 30,000 − 5,000 − 30,000
  CBA = −5,000
• Interpretation: Since the CBA is negative (−$5,000), the cost of implementing the biometric access system is higher than the savings from risk reduction. This suggests that the investment may not be financially justifiable, and the company should consider alternative, more cost-effective security measures.
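As an added worked example (not from the slides or the textbook), the following Python puts the unit's formulas into code: the relative risk rating from the Risk Determination slide and the ranked vulnerability risk worksheet built from it, SLE and ALE, and the CBA formula checked against the two scenarios above. The worksheet rows and asset figures are constructed sample data; only the firewall and biometric CBA inputs come from the slides.

```python
"""Risk rating, ranked worksheet, and cost-benefit analysis (added example).

Formulas implemented, all taken from the slides above:
  Risk = (asset value x likelihood) x (100% - % already controlled + uncertainty)
  SLE  = asset value x exposure factor (EF)
  ALE  = SLE x annualized rate of occurrence (ARO)
  CBA  = ALE(prior) - ALE(post) - ACS
Percentages are carried as fractions of 1 (0.2 == 20%).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VulnerabilityRow:
    """One asset-vulnerability pair on the ranked vulnerability risk worksheet."""
    asset: str
    vulnerability: str
    asset_impact: float    # relative asset value, here on a 1-100 scale
    likelihood: float      # 0.1 (low) to 1.0 (high); 0 is never listed
    pct_controlled: float  # share of the risk existing controls already cover
    uncertainty: float     # analyst's uncertainty allowance, e.g. 0.1 for 10%


def risk_rating(row: VulnerabilityRow) -> float:
    """Relative risk for one pair, per the Risk Determination formula."""
    if not 0.0 < row.likelihood <= 1.0:
        raise ValueError("likelihood must be in (0, 1]; zero-likelihood pairs are dropped")
    if not 0.0 <= row.pct_controlled <= 1.0:
        raise ValueError("pct_controlled must be a fraction between 0 and 1")
    exposure = row.asset_impact * row.likelihood
    return exposure * (1.0 - row.pct_controlled + row.uncertainty)


def ranked_worksheet(rows: List[VulnerabilityRow]) -> List[Tuple[VulnerabilityRow, float]]:
    """Ranked vulnerability risk worksheet: pairs ordered by risk-rating factor, highest first."""
    rated = [(row, round(risk_rating(row), 2)) for row in rows]
    return sorted(rated, key=lambda pair: pair[1], reverse=True)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss from one occurrence; EF is the fraction of the asset value lost."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected yearly loss; ARO may be fractional (0.5 = once every two years)."""
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard pays for itself."""
    return ale_prior - ale_post - acs


def safeguard_justified(ale_prior: float, ale_post: float, acs: float) -> bool:
    """Decision rule used in the slides: adopt the control only when CBA > 0."""
    return cost_benefit(ale_prior, ale_post, acs) > 0


# Constructed sample worksheet rows (hypothetical, not textbook data).
SAMPLE_ROWS = [
    VulnerabilityRow("Customer order database", "SQL injection in order form",
                     asset_impact=100, likelihood=0.5, pct_controlled=0.2, uncertainty=0.1),
    VulnerabilityRow("Payroll backup tapes", "Unencrypted tape lost in transit",
                     asset_impact=80, likelihood=0.1, pct_controlled=0.0, uncertainty=0.1),
    VulnerabilityRow("Customer service mail server", "Hardware failure of disk array",
                     asset_impact=55, likelihood=0.2, pct_controlled=0.5, uncertainty=0.1),
]


if __name__ == "__main__":
    for row, rating in ranked_worksheet(SAMPLE_ROWS):
        print(f"{rating:6.2f}  {row.asset}: {row.vulnerability}")
    # Firewall scenario from the slides: ALE(prior) 50,000, ALE(post) 10,000, ACS 15,000.
    print("firewall CBA:", cost_benefit(50_000, 10_000, 15_000))
    # Biometric scenario from the slides: ALE(prior) 30,000, ALE(post) 5,000, ACS 30,000.
    print("biometric CBA:", cost_benefit(30_000, 5_000, 30_000))
```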
Evaluation, Assessment, and Maintenance of Risk Controls
• Selection and implementation of a control strategy is not the end of the process.
• The strategy and accompanying controls must be monitored and reevaluated on an ongoing basis to determine their effectiveness and to calculate the estimated residual risk more accurately.
• The process continues as long as the organization continues to function.
Figure 4-9 Risk Control Cycle
Quantitative versus Qualitative Risk Control Practices
• Performing the previous steps using actual values or estimates is known as quantitative assessment.
• It is possible to complete the steps using an evaluation process based on characteristics, using non-numerical measures; this is called qualitative assessment.
• Utilizing scales rather than specific estimates relieves the organization from the difficulty of determining exact values.
Benchmarking and Best Practices
• An alternative approach to risk management.
• Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate.
• One of two measures is typically used to compare practices:
  • Metrics-based measures
  • Process-based measures
Benchmarking and Best Practices (continued)
• Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances.
• Due diligence: demonstration that the organization is diligent in ensuring that implemented standards continue to provide the required level of protection.
• Failure to support the standard of due care or due diligence can leave the organization open to legal liability.
Benchmarking and Best Practices (continued)
• Best business practices: security efforts that provide a superior level of information protection.
• When considering best practices for adoption in an organization, consider:
  • Does the organization resemble the identified target with the best practice?
  • Are the resources at hand similar?
  • Is the organization in a similar threat environment?
Problems with the Application of Benchmarking and Best Practices
• Organizations don't talk to each other (biggest problem).
• No two organizations are identical.
• Best practices are a moving target.
• Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare for what's next.
Baselining
• Analysis of measures against established standards. In information security, baselining is the comparison of security activities and events against an organization's future performance. It is useful during baselining to have a guide to the overall process.
• Baselining is an essential practice in information security. It allows organizations to compare current performance against historical data, industry standards, and predefined security policies to ensure that risks are being effectively managed. Regularly monitoring deviations from the baseline helps identify security threats, gaps in defenses, and areas for improvement, ultimately strengthening the organization's overall security posture.
RISK CONTROL STRATEGIES
Four basic strategies to control each of the risks that result from these vulnerabilities:
• Apply safeguards that eliminate the remaining uncontrolled risks for the vulnerability [Avoidance]
• Transfer the risk to other areas or to outside entities [Transference]
• Reduce the impact should the vulnerability be exploited [Mitigation]
• Understand the consequences and accept the risk without control or mitigation [Acceptance]
1. AVOIDANCE
• Attempts to prevent exploitation of the vulnerability.
• Preferred approach; accomplished through:
  • Countering threats
  • Removing asset vulnerabilities
  • Limiting asset access
  • Adding protective safeguards
Three common methods of risk avoidance:
• Application of policy
• Training and education
• Applying technology
2. Transference
• Transference is the control approach that attempts to shift risk to other assets, processes, or organizations.
• If lacking the expertise, the organization should hire individuals or firms that provide security management and administration expertise.
• The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks.
3. Mitigation
• It is the control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
• Mitigation begins with the early detection that an attack is in progress and the ability of the organization to respond quickly, efficiently and effectively.
• Includes three types of plans:
1. Incident response plan (IRP): actions to take while an incident is in progress.
2. Disaster recovery plan (DRP): the most common mitigation procedure.
3. Business continuity plan (BCP): continuation of business activities if a catastrophic event occurs.
1. Incident response plan (IRP): actions to take while an incident is in progress.
• A company experiences a data breach where an attacker gains access to customer data.
• The IRP is triggered, and the team begins by identifying the source of the breach and isolating the affected systems to prevent further damage. The data is secured, and communication with affected customers begins.
2. Disaster recovery plan (DRP): the most common mitigation procedure.
• A company's data center is destroyed due to a fire.
• The DRP is activated to restore business-critical applications and data from offsite backups. In the meantime, the company uses a secondary data center to keep services running.
3. Business continuity plan (BCP): continuation of business activities if a catastrophic event occurs.
• A global pandemic causes widespread business closures.
• The BCP is activated, allowing employees to work remotely. Customer service is moved to virtual channels, and critical suppliers are contacted to ensure continuity of product delivery.
Incident Response Plan (IRP)
• An incident response plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident.
• For example, a system administrator may notice that someone is copying information from the server without authorization, signaling a violation of policy by a potential hacker or an unauthorized employee.
Disaster Recovery Plan (DRP)
• Disaster recovery is the process of maintaining or reestablishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle.
• The DRP focuses more on preparations completed before and actions taken after the incident.
• The IRP focuses on intelligence gathering, information analysis, coordinated decision making, and urgent, concrete actions.
4. Acceptance
• It is the choice to do nothing to protect a vulnerability and to accept the outcome of its exploitation.
• This strategy occurs when the organization has:
  • Determined the level of risk.
  • Estimated the potential damage that could occur from attacks.
Example
1. Avoidance (Eliminating the Risk)
• Scenario: A company identifies that outdated software used for financial transactions has a critical security vulnerability.
• Action: The company completely removes the outdated software and switches to a new, secure platform.
• Outcome: The risk is eliminated since the vulnerable software is no longer in use.
Example
2. Transference (Shifting the Risk)
• Scenario: An e-commerce business is concerned about financial fraud risks associated with online payments.
• Action: The business outsources its payment processing to a third-party payment gateway (e.g., PayPal or Stripe), which assumes liability for fraud protection.
• Outcome: The risk is transferred to the third-party provider, reducing the company's direct exposure.
Example
4. Acceptance (Living with the Risk)
• Scenario: A small startup lacks the budget to implement high-end cybersecurity measures against potential phishing attacks.
• Action: The company acknowledges the risk but decides to accept it while focusing on employee training and awareness rather than investing in expensive security software.
• Outcome: The risk remains, but the company consciously decides to operate with this level of exposure.
• Each of these approaches depends on the organization's risk tolerance, budget, and business priorities.
Example
1. Avoidance (Eliminating the Risk)
• Scenario: A manufacturing company discovers that a specific chemical used in production poses serious health hazards to workers.
• Action: The company discontinues the use of the hazardous chemical and replaces it with a safer alternative.
• Outcome: The health risk is eliminated by completely avoiding the use of the dangerous substance.
Example
2. Transference (Shifting the Risk)
• Scenario: A software development company is concerned about potential legal liabilities due to software bugs causing client losses.
• Action: The company purchases professional liability (errors and omissions) insurance to cover any potential claims from software failures.
• Outcome: The financial burden of lawsuits is transferred to the insurance provider, reducing the company's direct exposure.
Example
3. Mitigation (Reducing the Impact)
• Scenario: A hospital's IT system is vulnerable to ransomware attacks that could lock patient records.
• Action: The hospital implements a robust backup and disaster recovery system, ensuring that data can be restored quickly in case of an attack.
• Outcome: While ransomware attacks may still happen, the hospital minimizes downtime and data loss.
Example
4. Acceptance (Living with the Risk)
• Scenario: A retail store in a low-crime area recognizes that there is still a small chance of shoplifting.
• Action: The store decides not to invest in expensive surveillance systems but instead trains staff to be vigilant and implement basic security measures.
• Outcome: The store accepts the minimal risk of theft as a manageable business cost.
• Each of these strategies is based on the nature of the risk, available resources, and risk tolerance levels.
Example
• Answer Key:
1 → C (Avoiding outdated software eliminates risk)
2 → A (Insurance transfers financial risk to another entity)
3 → B (CCTV reduces the impact of shoplifting)
4 → D (The startup decides to live with the risk)
Evaluation, Assessment & Maintenance of Risk Controls
• Once a control strategy has been implemented, it should be monitored and measured on an ongoing basis to determine the effectiveness of the security controls and the accuracy of the estimate of the residual risk.
• There is no exit from this cycle; it is a process that continues for as long as the organization continues to function.
Categories of Controls
• Controlling risk through avoidance, mitigation or transference may be completed by implementing controls or safeguards.
• Three ways to categorize controls have been identified: control function, architectural layer, strategy layer.
Categories of Controls
 1. Control Function
• Preventive Controls: Aim to stop an attack or incident
before it occurs.
• Example: Firewalls, access controls, encryption.
• Detective Controls: Identify an attack or security breach
after it happens.
• Example: Intrusion detection systems (IDS), security
audits, log monitoring.

Principles of Information Security, 4th Edition


Categories of Controls
 2. Architectural Layer
• Security controls should be applied across different
architectural layers of an IT system:
• Network Layer: Firewalls, VPNs, Intrusion Prevention
Systems (IPS).
• Application Layer: Secure coding practices, input
validation, authentication.
• Data Layer: Encryption, data masking, backup systems.
• Physical Layer: Surveillance cameras, biometric access,
security guards.
Categories of Controls
 3. Strategy Layer
 This layer focuses on the broader security approach or
strategy:
• Risk Avoidance: Removing risky components (e.g.,
deprecating an outdated system).
• Risk Mitigation: Reducing the risk impact (e.g., adding
multi-factor authentication).
• Risk Transference: Transferring the risk to third-party
providers (e.g., cyber insurance).
Architectural Layer
 The following entities are commonly regarded as distinct
architectural layers of an organization's IT system:
 Organizational policy, external networks, extranets (or
demilitarized zones), intranets (WANs and LANs).
 Network devices that interface network zones (switches,
routers, firewalls and hubs).
 Systems (mainframes, servers, desktops).
Strategy Layer
 The strategy layer covers the three control strategies: avoidance, mitigation and transference.
 Characteristics of Secure Information:
 Confidentiality: The control assures the
confidentiality of data when it is stored, processed, or
transmitted.
 An example of this type of control is the use of Secure
Sockets Layer (SSL) encryption technology to secure
Web content as it moves from Web server to browser.
 Integrity: The control assures that the information asset
properly, completely, and correctly receives, processes,
stores, and retrieves data in a consistent and correct
manner.
 Ex: Use of parity checks in data transmission protocols.
 Authentication: The control assures that the entity
(person or computer) accessing information assets is in fact
the stated entity.
 Ex: The use of cryptographic certificates to establish SSL
connections, or the use of cryptographic hardware tokens
such as SecurID cards as a second authentication of identity.
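The parity-check example above is worth seeing in action, because it also shows the limit of this kind of integrity control. The following Python is an added example written for these notes, not code from the textbook; the payload and the flipped bit positions are constructed. It appends an even-parity bit to a message, verifies it on receipt, and then simulates a single-bit and a double-bit transmission error.

```python
# Added example: even-parity integrity check for a transmitted message.
# Demonstrates what a parity check catches (an odd number of flipped bits)
# and what it silently misses (an even number of flipped bits).

def parity_bit(data: bytes) -> int:
    """Even parity: 1 if the number of set bits is odd, else 0, so that
    payload plus parity bit always contains an even number of 1 bits."""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def frame(data: bytes) -> bytes:
    """Append the parity bit as a trailing byte (0x00 or 0x01)."""
    return data + bytes([parity_bit(data)])


def verify(framed: bytes) -> bool:
    """Recompute parity over the payload and compare with the trailer."""
    payload, trailer = framed[:-1], framed[-1]
    return parity_bit(payload) == trailer


def flip_bits(framed: bytes, positions) -> bytes:
    """Simulate transmission errors by flipping the given bit positions
    (bit 0 is the least significant bit of byte 0)."""
    buf = bytearray(framed)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def demo() -> dict:
    """Run the three cases and report whether each error was detected."""
    msg = b"TRANSFER 100"            # constructed sample payload
    sent = frame(msg)
    one_flip = flip_bits(sent, [3])       # single-bit error in byte 0
    two_flips = flip_bits(sent, [3, 10])  # two-bit error in bytes 0 and 1
    return {
        "clean_ok": verify(sent),
        "single_bit_error_detected": not verify(one_flip),
        "double_bit_error_detected": not verify(two_flips),
    }


if __name__ == "__main__":
    print(demo())
```

The double-bit case is the practitioner's caveat: parity is a cheap integrity control for noisy links, but it cannot detect every corruption and offers no protection against deliberate tampering, which is why stronger checks (CRCs, cryptographic hashes or MACs) are used where that matters.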
 Authorization: The control assures that a user has been
specifically and explicitly authorized to access, update, or
delete the contents of an information asset.
 Ex: Use of access control lists and authorization groups in
the Windows networking environment. Another example is
the use of a database authorization scheme to verify the
designated users for each function.
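The access-control-list and authorization-group example above can be modelled in a few lines. The Python below is an added example written for these notes, not code from the textbook and not the Windows ACL API; the group names, user names and asset name are constructed. It implements a deny-by-default check: a user is authorized for an action on an asset only if a group they belong to holds an explicit grant for that exact action.

```python
# Added example: deny-by-default ACL with authorization groups.
# A request is allowed only when some group containing the user has been
# explicitly granted the requested action on the requested asset.
from dataclasses import dataclass, field

ACTIONS = {"read", "update", "delete"}


@dataclass
class Acl:
    # asset -> group -> set of permitted actions
    entries: dict = field(default_factory=dict)
    # group -> set of member user names
    groups: dict = field(default_factory=dict)

    def grant(self, asset: str, group: str, *actions: str) -> None:
        """Record an explicit grant; unknown action names are rejected."""
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown action(s): {sorted(unknown)}")
        self.entries.setdefault(asset, {}).setdefault(group, set()).update(actions)

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def is_authorized(self, user: str, action: str, asset: str) -> bool:
        """True only for an explicit grant; everything else is denied,
        including unknown actions and assets with no ACL entry."""
        if action not in ACTIONS:
            return False
        for group, permitted in self.entries.get(asset, {}).items():
            if user in self.groups.get(group, set()) and action in permitted:
                return True
        return False


def build_sample_acl() -> Acl:
    """Constructed sample: readers may only read, admins may do everything."""
    acl = Acl()
    acl.add_member("Payroll-Readers", "alice")
    acl.add_member("Payroll-Admins", "bob")
    acl.grant("payroll.db", "Payroll-Readers", "read")
    acl.grant("payroll.db", "Payroll-Admins", "read", "update", "delete")
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for user, action in [("alice", "read"), ("alice", "delete"), ("bob", "delete"), ("carol", "read")]:
        print(user, action, acl.is_authorized(user, action, "payroll.db"))
```

The design point is the default: the function never returns True by falling through, so a missing entry, a mistyped action or a user outside every group all end in denial.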
Selecting a Risk Control Strategy
 Level of threat and value of asset play a major role
in selection of strategy.
 Rules of thumb on strategy selection can be
applied:
 When a vulnerability exists
 When a vulnerability can be exploited
 When attacker's cost is less than potential gain
 When potential loss is substantial
Rules of thumb
 When vulnerability (flaw or weakness) exists:
Implement security controls to reduce the likelihood
of a vulnerability being exercised.
 When vulnerability can be exploited: Apply layered
protections, architectural designs, and administrative
controls to minimize the risk.
 When the attacker’s cost is less than his potential
gain: Apply protections to increase the attacker’s cost.
 When potential loss is substantial: Apply design
principles, architectural designs, and technical and
non-technical protections to limit the extent of the
attack, thereby reducing the potential for loss.
Rules of thumb
 1. When a Vulnerability Exists → Apply Risk
Mitigation or Avoidance
 📌 Example:
• A company discovers a software vulnerability in its
customer database system.
• Action: The company patches the software to prevent
potential attacks (Mitigation).
• If no patch is available, the company discontinues the
vulnerable software (Avoidance).
Rules of thumb
 2. When a Vulnerability Can Be Exploited → Apply
Risk Mitigation or Transference
 📌 Example:
• A retail store's payment system is vulnerable to
hacking.
• Action: The store enhances encryption and security
monitoring (Mitigation).
• Additionally, it buys cyber insurance to cover financial
losses in case of an attack (Transference).
Rules of thumb
 3. When Attacker’s Cost is Less Than Potential Gain
→ Apply Strong Security Controls
 📌 Example:
• Hackers target a company’s email system to steal
confidential business data.
• Reason: The cost of phishing attacks is low, but stolen
information can be sold for a high profit.
• Action: The company enforces strict email filtering,
employee training, and two-factor authentication
(2FA) to increase the attacker's cost and reduce risk.
Rules of thumb
 4. When Potential Loss is Substantial → Apply Risk
Avoidance or Strong Mitigation
 📌 Example:
• A hospital stores sensitive patient data that, if leaked,
could result in huge legal and financial penalties.
• Action: The hospital invests in advanced
cybersecurity controls, encrypts all patient records,
and conducts regular security audits to prevent a
breach.
Control Function
 Safeguards designed to defend systems are either
preventive or detective.
 Preventive controls use a technical procedure, such
as encryption, or some combination of technical
means and enforcement methods.
 Detective controls warn organizations of
violations of security principles, organizational
policies, or attempts to exploit vulnerabilities.
Control Function
 1. Preventive Controls
 Purpose:
Preventive controls are designed to stop a potential
threat or attack before it happens, often by limiting
access or making it difficult for attackers to exploit
vulnerabilities.
 Key Characteristics:
• Proactive: Focus on preventing the risk from
materializing.
• Technical or Procedural: Can involve a mix of both.
Control Function
 Examples of Preventive Controls:
• Encryption: Ensures that sensitive data is unreadable
without the proper decryption key, preventing unauthorized
access.
• Firewalls: Block malicious traffic from entering a network or
system.
• Access Control: Restricting access to systems, data, or
resources based on user roles.
• Two-Factor Authentication (2FA): Prevents unauthorized
access by requiring two forms of verification.
• Employee Training: Teaching staff about phishing and
security protocols to prevent social engineering attacks.
Control Function
 2. Detective Controls
 Purpose:
Detective controls are designed to identify and alert an
organization about security violations or attempts to
exploit vulnerabilities after they occur. They help
organizations respond quickly to mitigate damage.
 Key Characteristics:
• Reactive: Focus on detecting and alerting about security
events.
• Monitoring and Reporting: Track activities to catch
potential intrusions or anomalies.
Control Function
 Examples of Detective Controls:
• Intrusion Detection Systems (IDS): Monitors network traffic
for signs of suspicious activity or intrusions.
• Log Monitoring: Tracks system logs for unusual or
unauthorized activities that might indicate a breach.
• Security Information and Event Management (SIEM):
Collects and analyzes data from various sources to detect
abnormal activities.
• CCTV Surveillance: Detects unauthorized physical access or
potential breaches within the premises.
• Audit Trails: Keeps records of user activities for later review,
useful for identifying violations or breaches.
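Log monitoring and audit trails are the detective controls most easily shown in code. The Python below is an added example written for these notes, not code from the textbook; the log lines are constructed in an sshd-like format and the addresses are documentation ranges. It parses the lines and raises an alert when one source produces a burst of failed logins inside a short window and then succeeds, the pattern a monitoring rule would flag for incident response.

```python
# Added example: a small detective control that scans authentication
# log lines for repeated failures followed by a success from one source.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (fabricated for this example).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T09:00:04 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T09:00:06 sshd[101]: Failed password for root from 203.0.113.7
2024-05-01T09:00:09 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T09:00:11 sshd[101]: Failed password for admin from 203.0.113.7
2024-05-01T09:00:15 sshd[101]: Accepted password for admin from 203.0.113.7
2024-05-01T09:03:00 sshd[102]: Failed password for alice from 198.51.100.20
2024-05-01T09:10:00 sshd[103]: Accepted password for alice from 198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn matching log lines into event dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold: int = 5, window=timedelta(minutes=2)) -> list:
    """Alert when a source has >= threshold failures within `window` and
    then a successful login while those failures are still in the window."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for ev in events:
        src = ev["src"]
        # drop failures that have aged out of the sliding window
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
        elif len(failures[src]) >= threshold:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "failures": len(failures[src]),
                "at": ev["ts"].isoformat(),
            })
            failures[src].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print("ALERT", alert)
```

The second user in the sample has one failure seven minutes before a success, so the sliding window discards it and no alert fires; threshold and window are the two knobs an analyst tunes to keep such rules from drowning in noise.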
Residual Risk
 The residual risk is the amount of risk or
danger associated with an action or event
remaining after natural or inherent risks have
been reduced by risk controls.
Residual Risk
 Residual risk is the risk that remains after implementing risk
controls (such as Avoidance, Mitigation, or Transference). It
represents the leftover exposure that cannot be entirely
eliminated.
 Formula for Residual Risk:
 Residual Risk = Inherent Risk − Implemented Risk Controls
• Inherent Risk = The original level of risk before any controls are applied.
• Implemented Risk Controls = Measures taken to reduce risk
(e.g., security systems, policies).
Documenting Results
 At minimum, each information asset-vulnerability
pair should have a documented control strategy
that clearly identifies any residual risk remaining
after the proposed strategy has been executed.
 Some organizations document the outcome of the
control strategy for each information asset-
vulnerability pair as an action plan.
Risk Management Discussion
Points
 Not every organization has the collective will to
manage each vulnerability through the application
of controls
 Depending on the willingness to assume risk, each
organization must define its risk appetite
 Risk appetite defines the quantity and nature of
risk that organizations are willing to accept as they
evaluate the tradeoffs between perfect security and
unlimited accessibility
Risk Management Discussion
Points
 Risk Appetite is the level of risk an organization is
willing to accept while balancing security and
operational flexibility. It helps businesses make
informed decisions about which risks to avoid, mitigate,
transfer, or accept.
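The residual-risk formula, the per-pair action plan under Documenting Results, and the risk appetite described here fit together naturally in a small risk register. The Python below is an added example written for these notes, not code from the textbook; the asset names, the likelihood × impact scale, the control factors and the appetite threshold are all constructed assumptions. It computes inherent and residual risk for each asset-vulnerability pair, records the strategies applied, and flags pairs whose residual risk still exceeds the organization's appetite.

```python
# Added example: residual risk per asset-vulnerability pair, documented as
# an action-plan record and compared against a risk appetite threshold.
# Scale assumption: risk = likelihood (0..1) x impact (0..10).
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    strategy: str             # "mitigation", "transference" or "avoidance"
    likelihood_factor: float  # multiplies likelihood (1.0 = no effect)
    impact_factor: float      # multiplies impact (1.0 = no effect)


@dataclass
class AssetVulnerability:
    asset: str
    vulnerability: str
    likelihood: float
    impact: float
    controls: list


def inherent_risk(av: AssetVulnerability) -> float:
    """Risk before any control is applied."""
    return av.likelihood * av.impact


def residual_risk(av: AssetVulnerability) -> float:
    """Risk left after the implemented controls are applied in turn."""
    if any(c.strategy == "avoidance" for c in av.controls):
        return 0.0  # the activity or asset is removed, nothing left to exploit
    likelihood, impact = av.likelihood, av.impact
    for c in av.controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return round(likelihood * impact, 2)


def action_plan(av: AssetVulnerability, risk_appetite: float) -> dict:
    """Documented outcome for one asset-vulnerability pair."""
    res = residual_risk(av)
    return {
        "asset": av.asset,
        "vulnerability": av.vulnerability,
        "inherent_risk": round(inherent_risk(av), 2),
        "controls": [c.name for c in av.controls],
        # no controls at all means the organization is accepting the risk
        "strategies": sorted({c.strategy for c in av.controls}) or ["acceptance"],
        "residual_risk": res,
        "within_appetite": res <= risk_appetite,
    }


def sample_register() -> list:
    """Constructed sample pairs, one per strategy."""
    return [
        AssetVulnerability("customer DB", "unpatched DB server", 0.5, 8.0, [
            Control("monthly patching", "mitigation", 0.25, 1.0),
            Control("cyber insurance", "transference", 1.0, 0.5),
        ]),
        AssetVulnerability("legacy FTP", "cleartext credentials", 0.75, 6.0, [
            Control("decommission FTP", "avoidance", 0.0, 0.0),
        ]),
        AssetVulnerability("public web server", "injection flaw", 0.5, 5.0, [
            Control("web application firewall", "mitigation", 0.5, 1.0),
        ]),
        AssetVulnerability("retail shelf", "shoplifting", 0.5, 1.0, []),
    ]


def build_plans(risk_appetite: float = 1.0) -> list:
    return [action_plan(av, risk_appetite) for av in sample_register()]


if __name__ == "__main__":
    for plan in build_plans():
        print(plan)
```

The third pair is the one to notice: a single mitigating control leaves residual risk above the appetite, so the documented plan must either add controls or record an explicit, signed-off acceptance of what remains.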
Risk Management Discussion
Points
 Example of Risk Appetite in Action
 1. High Risk Appetite (More Accessibility, Less Restriction)
• A social media platform allows users to create accounts with minimal
verification.
• This increases user engagement but also increases the risk of fake
accounts and spam.
• The company accepts this risk but implements basic moderation
policies.
 2. Low Risk Appetite (More Security, Less Accessibility)
• A financial institution requires multi-factor authentication (MFA) for
all transactions.
• This increases security but may cause inconvenience for users.
• The bank prioritizes security over ease of use because financial fraud risk
is high.
REFERENCES:
1. Michael E. Whitman and Herbert J. Mattord, "Principles of Information Security", Course Technology, New Delhi, Fourth Edition, 2012.
2. Nina Godbole, "Information Systems Security: Security Management, Metrics, Frameworks and Best Practices", Wiley India Pvt. Ltd., New Delhi, First Edition, 2009.

ONLINE REFERENCES:
3. https://nptel.ac.in/courses/106/106/106106129/
4. https://nptel.ac.in/courses/106/106/106106178/
5. https://nptel.ac.in/courses/106/106/106106157/