1. Risk Management
2. Risk Management
Risk controls
Control categories
Cost-benefit analysis
Risk control methods
3. Risk Controls
There are four main types:
Avoidance
Transference
Mitigation
Acceptance
Strategy selection methods:
Evaluation
Assessment
Maintenance
4. Risk Controls
Avoidance refers to either reducing or eliminating the threats posed by identified vulnerabilities
Methods available are:
Apply policy already in place
Provide training to key personnel
Educate all involved about the vulnerability
Implement security controls
5. Risk Controls
Transference refers to shifting the risk to other entities or organizations
Example: When the inventory system is under attack, move the inventory update process to another server that the partners have access to for updates. After additional validation, the data is then transferred to the main server connected to the sales terminals.
6. Risk Controls
Mitigation refers to minimizing the impact of an attack or the exposure to a known threat
Methods for mitigation are:
Incident response plan
Disaster recovery plan
Business continuity plan
Incident response plan involves:
An identified set of steps to be taken during a disaster
Acquire intelligence on the nature of attack
Analyze information
7. Risk Controls
Disaster recovery plan involves:
Procedures for recovering lost data
Procedures for resumption of service
Take systems offline to assess damage and protect data
Business continuity plan involves:
Procedures to activate the backup site (hot, warm, or cold)
Procedures for resumption of telecommunication among the key personnel
8. Risk Controls
Acceptance involves:
Knowing the level of risk assumed from an attack
Estimate the potential loss
Perform a cost-benefit analysis
Evaluate controls in place
Acceptance is appropriate when the cost required to protect an asset is not justified by the damage an attack would cause
9. Control Categories
Rules of thumb:
Implement security controls to address known vulnerabilities (e.g., people sharing passwords: a security control could be to allow only one login per user ID)
Where the cost of protection exceeds the cost of the asset being protected, use inexpensive deterrents (e.g., sales information is confidential but not critical: slow the response rate on dial-in lines and drop connections periodically). The goal is to make it inconvenient for the hacker to keep trying
Where the potential loss is significant, strengthen procedures (e.g., a check processing system could be exposed: augment procedures for check issuance and limit the check value under normal conditions to less than $1,000)
10. Control Categories
Control function:
Preventive (policy change, access control)
Detective (IDS, audit trail)
Architectural controls:
Connection between internal and external networks
Access to extranets
Use of DMZs
Allowed applications
11. Control Categories
Information security control involves:
Confidentiality
Integrity
Availability
Authentication
Authorization
Accountability
Privacy
12. Cost-Benefit Analysis
It is difficult to evaluate the value of information
Consequently, it is difficult to evaluate the cost of protecting it
Cost includes:
Equipment
Software
Training
Implementation
Maintenance
13. Cost-Benefit Analysis
Benefit is the value to the organization derived from the security system
Value could be intrinsic, or acquired through the security provided to the information
Value could also be calculated as the cost of replacing the information system in place
Value to owners
Value to competitors
Loss of productivity
Loss of revenue
14. Cost-Benefit Analysis
Single loss expectancy (SLE) is the loss from a single attack
SLE = AV * EF where AV denotes asset value and EF denotes exposure factor
Annual Loss Expectancy (ALE) is the loss expected from all threats during one year
ALE = SLE * ARO where ARO denotes annual rate of occurrence (i.e. the number of times a particular type of loss is likely to occur in one year)
15. Cost-Benefit Analysis
Example: AV is $100,000. EF is 10% (i.e., a hacker could disable 10% of the services on the company's website). Hence, SLE = 100000 * 0.1 = 10000. Assume that the loss due to the vulnerability is likely to occur once in two years. Hence ARO = 1/2 = 0.5, and so ALE = 10000 * 0.5 = 5000
The above example shows that unless protection is increased to address the vulnerability, the business is expected to lose $5,000 per year
This amount is then compared with the cost of protection to decide whether there is a benefit in protecting the system or not.
16. Cost-Benefit Analysis
CBA = ALE (pre-control) - ALE (post-control) - ACS, where CBA is the cost-benefit analysis amount and ACS is the Annual Cost to Safeguard
In calculating CBA the organization should view security as an investment and not as an expense
ROI should not be the only factor in evaluating security investments
Many of the security investment benefits are intangible, such as goodwill generated due to the reliability of the operational system
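The SLE, ALE and CBA calculations from slides 14 to 16 carried through in code, as an added example that is not part of the original slides. It uses the slide 15 figures for the uncontrolled case; the post-control scenarios, safeguard names and annual costs are constructed assumptions, since the slides give none. It also goes one step beyond the slides by ranking several candidate safeguards and falling back to acceptance when none has a positive CBA.

```python
from typing import Dict, Optional, Tuple
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset, using the definitions on slides 14-15."""
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset value lost per incident (0..1)
    aro: float              # ARO, expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro

def cba(pre: Scenario, post: Scenario, acs: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACS (slide 16).
    A positive result means the safeguard is expected to save more than it costs."""
    return pre.ale() - post.ale() - acs

def best_safeguard(pre: Scenario, candidates: Dict[str, Tuple[Scenario, float]]) -> Optional[str]:
    """Rank candidate safeguards (name -> (post-control scenario, annual cost)) by CBA.
    Returns the best name, or None when no candidate has a positive CBA, i.e. when
    acceptance (slide 8) is the cheaper strategy. ROI is only one input to the decision."""
    ranked = sorted(((cba(pre, post, acs), name) for name, (post, acs) in candidates.items()),
                    reverse=True)
    if not ranked or ranked[0][0] <= 0:
        return None
    return ranked[0][1]

# Figures from slide 15: AV = $100,000, EF = 10%, one incident every two years (ARO = 0.5)
website_uncontrolled = Scenario(asset_value=100_000, exposure_factor=0.10, aro=0.5)

# Constructed (assumed) candidate safeguards; the slides give no post-control figures.
SAFEGUARDS: Dict[str, Tuple[Scenario, float]] = {
    # cuts EF to 2% and frequency to once in four years, for $2,000 per year
    "hardened web tier": (Scenario(100_000, 0.02, 0.25), 2_000.0),
    # eliminates the loss entirely but costs more per year than the uncontrolled ALE
    "full redundancy": (Scenario(100_000, 0.0, 0.0), 6_000.0),
}

if __name__ == "__main__":
    print(f"SLE = ${website_uncontrolled.sle():,.0f}")  # $10,000
    print(f"ALE = ${website_uncontrolled.ale():,.0f}")  # $5,000
    for name, (post, acs) in SAFEGUARDS.items():
        print(f"CBA[{name}] = ${cba(website_uncontrolled, post, acs):,.0f}")
    print("choose:", best_safeguard(website_uncontrolled, SAFEGUARDS))
```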
17. Risk control methods
A qualitative measure could be a scale of 1 to 10 for assessing the value of the information that needs to be protected. Usually a single individual develops the ranking.
The Delphi technique is also a qualitative method, except that the value is averaged from the rankings given by a group of people rather than by a single individual
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), a method developed by CERT, is another tool available for risk valuation
18. References
Whitman, M.E. and Mattord, H.J., Management of Information Security, Course Technology, 2004
OCTAVE: http://www.cert.org/octave/