Slide #1
Security Planning and
Risk Analysis
CS461/ECE422
Computer Security I
Fall 2010
Slide #2
Overview
• Elements of Risk Analysis
• Quantitative vs Qualitative Analysis
• One Risk Analysis framework
Slide #3
Reading Material
• Chapter 1.6 of Computer Security
• Information Security Risk Analysis, by Thomas R. Peltier
– On reserve at the library
– Chapters 1 and 2 on compass site
– Identifies basic elements of risk analysis and reviews several
variants of qualitative approaches
Slide #4
What is Risk?
• The probability that a particular threat will
exploit a particular vulnerability
– Not a certainty.
– Risk impact – loss associated with exploit
• Need to systematically understand risks to a
system and decide how to control them.
Slide #5
What is Risk Analysis?
• The process of identifying, assessing, and
reducing risks to an acceptable level
– Defines and controls threats and vulnerabilities
– Implements risk reduction measures
• An analytic discipline with three parts:
– Risk assessment: determine what the risks are
– Risk management: evaluating alternatives for
mitigating the risk
– Risk communication: presenting this material in an
understandable way to decision makers and/or the
public
Slide #6
Risk Management Cycle
From GAO/AIMD-99-139
Slide #7
Basic Risk Analysis Structure
• Evaluate
– Value of computing and information assets
– Vulnerabilities of the system
– Threats from inside and outside
– Risk priorities
• Examine
– Availability of security countermeasures
– Effectiveness of countermeasures
– Costs (installation, operation, etc.) of countermeasures
• Implement and Monitor
Slide #8
Who should be Involved?
• Security Experts
• Internal domain experts
– Know best how things really work
• Managers responsible for implementing
controls
Slide #9
Identify Assets
• Asset – Anything of value
– Physical Assets
• Buildings, computers
– Logical Assets
• Intellectual property, reputation
Slide #10
Example Critical Assets
• People and skills
• Goodwill
• Hardware/Software
• Data
• Documentation
• Supplies
• Physical plant
• Money
Slide #11
Vulnerabilities
• Flaw or weakness in a system that can be exploited to
violate its security policy (confidentiality, integrity or availability).
Slide #12
Example Vulnerabilities
• Physical
– V01 Susceptible to unauthorized building access
– V02 Computer Room susceptible to unauthorized access
– V03 Media Library susceptible to unauthorized access
– V04 Inadequate visitor control procedures
– (and 36 more)
• Administrative
– V41 Lack of management support for security
– V42 No separation of duties policy
– V43 Inadequate/no computer security plan policy
– V47 Inadequate/no emergency action plan
– (and 7 more)
• Personnel
– V56 Inadequate personnel screening
– V57 Personnel not adequately trained in job
– ...
• Software
– V62 Inadequate/missing audit trail capability
– V63 Audit trail log not reviewed weekly
– V64 Inadequate control over application/program changes
• Communications
– V87 Inadequate communications system
– V88 Lack of encryption
– V89 Potential for disruptions
– ...
• Hardware
– V92 Lack of hardware inventory
– V93 Inadequate monitoring of maintenance personnel
– V94 No preventive maintenance program
– …
– V100 Susceptible to electronic emanations
Slide #13
Threats
• Set of circumstances that has the potential
to cause loss or harm
• Attacks against key security services
– Confidentiality, integrity, availability
• Threats exploit vulnerabilities, and may be
– Accidental
– Malicious
Slide #14
Example Threat List
• T01 Access (Unauthorized to System - logical)
• T02 Access (Unauthorized to Area - physical)
• T03 Airborne Particles (Dust)
• T04 Air Conditioning Failure
• T05 Application Program Change (Unauthorized)
• T06 Bomb Threat
• T07 Chemical Spill
• T08 Civil Disturbance
• T09 Communications Failure
• T10 Data Alteration (Error)
• T11 Data Alteration (Deliberate)
• T12 Data Destruction (Error)
• T13 Data Destruction (Deliberate)
• T14 Data Disclosure (Unauthorized)
• T15 Disgruntled Employee
• T16 Earthquakes
• T17 Errors (All Types)
• T18 Electro-Magnetic Interference
• T19 Emanations Detection
• T20 Explosion (Internal)
• T21 Fire, Catastrophic
• T22 Fire, Major
• T23 Fire, Minor
• T24 Floods/Water Damage
• T25 Fraud/Embezzlement
• T26 Hardware Failure/Malfunction
• T27 Hurricanes
• T28 Injury/Illness (Personal)
• T29 Lightning Storm
• T30 Liquid Leaking (Any)
• T31 Loss of Data/Software
• T32 Marking of Data/Media Improperly
• T33 Misuse of Computer/Resource
• T34 Nuclear Mishap
• T35 Operating System Penetration/Alteration
• T36 Operator Error
• T37 Power Fluctuation (Brown/Transients)
• T38 Power Loss
• T39 Programming Error/Bug
• T40 Sabotage
• T41 Static Electricity
• T42 Storms (Snow/Ice/Wind)
• T43 System Software Alteration
• T44 Terrorist Actions
• T45 Theft (Data/Hardware/Software)
• T46 Tornado
• T47 Tsunami (Pacific area only)
• T48 Vandalism
• T49 Virus/Worm (Computer)
• T50 Volcanic Eruption
Slide #15
Characterize Threat-Sources
Threat Source | Method                      | Opportunity           | Motive
Cracker       | Standard scripts, new tools | Network access        | Challenge, ego, rebellion
Terrorist     | Access to talented crackers | Network, infiltration | Ideological, destruction, fund raising
Insider       | Knowledge                   | Complete access       | Ego, revenge, money
Slide #16
Dealing with Risk
• Avoid risk
– Implement a control or change design
• Transfer risk
– Change design to introduce different risk
– Buy insurance
• Assume risk
– Detect, recover
– Plan for the fallout
Slide #17
Controls
• Mechanisms or procedures for mitigating
vulnerabilities
– Prevent
– Detect
– Recover
• Understand cost and coverage of control
• Controls follow vulnerability and threat
analysis
Slide #18
Example Controls
• C01 Access control devices - physical
• C02 Access control lists - physical
• C03 Access control - software
• C04 Assign ADP security and assistant in writing
• C05 Install/review audit trails
• C06 Conduct risk analysis
• C07 Develop backup plan
• C08 Develop emergency action plan
• C09 Develop disaster recovery plan
• ...
• C21 Install walls from true floor to true ceiling
• C22 Develop visitor sign-in/escort procedures
• C23 Investigate backgrounds of new employees
• C24 Restrict numbers of privileged users
• C25 Develop separation of duties policy
• C26 Require use of unique passwords for logon
• C27 Make password changes mandatory
• C28 Encrypt password file
• C29 Encrypt data/files
• C30 Hardware/software training for personnel
• C31 Prohibit outside software on system
• ...
• C47 Develop software life cycle development program
• C48 Conduct hardware/software inventory
• C49 Designate critical programs/files
• C50 Lock PCs/terminals to desks
• C51 Update communications system/hardware
• C52 Monitor maintenance personnel
• C53 Shield equipment from electromagnetic interference/emanations
• C54 Identify terminals
Slide #19
Risk/Control Trade Offs
• Only Safe Asset is a Dead Asset
– Asset that is completely locked away is safe, but
useless
– Trade-off between safety and availability
• Do not spend effort on assets with low loss value
– Don’t spend resources to protect garbage
• Control only has to be good enough, not absolute
– Make it tough enough to discourage enemy
Slide #20
Types of Risk Analysis
• Quantitative
– Assigns real numbers (dollars, probabilities) to the costs of safeguards and damage
– Annual loss exposure (ALE)
– Probability of the event occurring
– The input numbers are often unreliable or inaccurate, so the result can be too
• Qualitative
– Judges an organization’s relative risk to threats
– Based on judgment, intuition, and experience
– Ranks the seriousness of the threats against the sensitivity of the assets
– Subjective; lacks hard numbers to justify return on investment
Slide #21
Quantitative Analysis Outline
1. Identify and value assets
2. Determine vulnerabilities and impact
3. Estimate likelihood of exploitation
4. Compute Annual Loss Exposure (ALE)
5. Survey applicable controls and their costs
6. Project annual savings from control
Slide #22
Quantitative
• Risk exposure = risk impact x risk probability
– Loss of car: risk impact is the cost to replace the car, e.g. $10,000
– Probability of losing the car in a year: 0.10
– Risk exposure or expected loss = 10,000 x 0.10 = 1,000
• Generally measured per year
– Annual Loss Exposure (ALE)
Slide #23
Quantitative
• Cost-benefit analysis of controls
• Risk leverage to evaluate the value of a control
– ((risk exposure before control) – (risk exposure after control)) /
(cost of control)
– A leverage above 1 means the control saves more per year than it costs
• Example of trade offs between different
deductibles and insurance premiums
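The ALE and risk-leverage formulas from the last two slides, carried through as an added example that is not part of the lecture. The car figures ($10,000, probability 0.10) are the slide's; the garage control ($200 per year, bringing the probability down to 0.02) and the two insurance quotes are assumed values, chosen to show how the three ways of dealing with risk on slide 16 compare on expected annual cost:

```python
"""Quantitative risk analysis: annual loss exposure, risk leverage and an
insurance trade-off.  Added worked example; the garage cost, the reduced
probability and the insurance terms below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, valued in dollars."""
    name: str
    impact: float       # loss per occurrence (risk impact), in dollars
    annual_prob: float  # expected occurrences per year; 0.10 = once a decade


def annual_loss_exposure(e: Exposure) -> float:
    """ALE = risk impact x annual probability (slide 22), rounded to cents."""
    if e.annual_prob < 0 or e.impact < 0:
        raise ValueError("impact and probability must be non-negative")
    return round(e.impact * e.annual_prob, 2)


def risk_leverage(before: Exposure, after: Exposure, annual_control_cost: float) -> float:
    """Risk leverage = (exposure before control - exposure after) / control cost
    (slide 23).  Above 1.0 the control returns more than it costs each year;
    below 1.0 it is cheaper to carry the risk than to buy this control."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    saved = annual_loss_exposure(before) - annual_loss_exposure(after)
    return round(saved / annual_control_cost, 3)


def insured_annual_cost(e: Exposure, premium: float, deductible: float) -> float:
    """Expected yearly cost with insurance (transfer risk, slide 16): the
    premium is paid every year and, per loss event, the insured pays at most
    the deductible."""
    return round(premium + e.annual_prob * min(e.impact, deductible), 2)


# Car example from slide 22: $10,000 to replace, lost with probability 0.10 per year.
CAR = Exposure("car theft", impact=10_000, annual_prob=0.10)


def compare_options() -> dict:
    """Expected annual cost of each way of dealing with the car risk.
    The garage figures and the insurance quotes are assumed values."""
    garaged = replace(CAR, name="car theft, garaged", annual_prob=0.02)
    return {
        "assume risk (no control)": annual_loss_exposure(CAR),
        "control: rent garage $200/yr": round(200 + annual_loss_exposure(garaged), 2),
        "transfer: $600 premium, $500 deductible": insured_annual_cost(CAR, 600, 500),
        "transfer: $300 premium, $2,000 deductible": insured_annual_cost(CAR, 300, 2_000),
    }


if __name__ == "__main__":
    garaged = replace(CAR, name="car theft, garaged", annual_prob=0.02)
    print(f"ALE without control: ${annual_loss_exposure(CAR):,.2f}")
    print(f"Risk leverage of the garage: {risk_leverage(CAR, garaged, 200)}")
    for option, cost in sorted(compare_options().items(), key=lambda kv: kv[1]):
        print(f"{cost:>10,.2f}  {option}")
```

Run as a script it lists the options cheapest first: the garage (leverage 4.0) beats both insurance quotes, and carrying the risk uninsured is the most expensive choice on these numbers. The same comparison drives the deductible-versus-premium question: a higher deductible only pays off while the premium saved exceeds probability x deductible.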
Slide #24
Qualitative Risk Analysis
• Generally used in Information Security
– Hard to make meaningful valuations and meaningful
probabilities
– Relative ordering is faster and more important
• Many approaches to performing qualitative risk
analysis
• Same basic steps as quantitative analysis
– Still identifying assets, threats, vulnerabilities, and
controls
– Just evaluating importance differently
Slide #25
Example 10 Step QRA
• Step 1: Identify Scope
– Bound the problem
• Step 2: Assemble team
– Include subject matter experts, management in
charge of implementing, users
• Step 3: Identify Threats
– Pick from lists of known threats
– Brainstorm new threats
– Mixing threats and vulnerabilities here...
Slide #26
Step 4: Threat prioritization
• Prioritize threats for each asset
– Likelihood of occurrence
• Define a fixed threat rating
– E.g., Low(1) … High(5)
• Associate a rating with each threat
• Approximates the risk probability of the
quantitative approach
Slide #27
Step 5: Loss Impact
• With each threat determine loss impact
• Define a fixed ranking
– E.g., Low(1) … High(5)
• Used to prioritize damage to asset from
threat
Slide #28
Step 6: Total impact
• Risk factor = sum of threat priority and impact priority
Threat | Threat Priority | Impact Priority | Risk Factor
Fire   | 3               | 5               | 8
Water  | 2               | 5               | 7
Theft  | 2               | 3               | 5
Slide #29
Step 7: Identify
Controls/Safeguards
• Potentially come into the analysis with an
initial set of possible controls
• Associate controls with each threat
• Starting with high priority risks
– Do cost-benefits and coverage analysis (Step 8)
• Maybe iterate back to Step 6
– Rank controls (Step 9)
Slide #30
Safeguard Evaluation
Threat       | Risk Factor | Possible Safeguard       | Safeguard cost
Fire         | 8           | Fire suppression system  | $15,000.00
Tornado      | 8           | Business Continuity Plan | $75,000.00
Water Damage | 7           | Business Continuity Plan | $75,000.00
Theft        | 5           |                          |
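Steps 4 through 9 carried through in code, as an added example that is not part of the lecture slides. It uses the Low(1) to High(5) ratings and the fire, water, theft and tornado figures from the two tables above; the tornado ratings, the asset name, which threats each safeguard covers, and the points-per-dollar rule used to rank safeguards in the last function are assumptions made for the example:

```python
"""Qualitative risk analysis, steps 4 to 9 of the ten-step procedure.

Added worked example.  Ratings use the Low(1)..High(5) scale from the
slides and the fire/water/theft/tornado figures from slides 28 and 30;
the tornado ratings, the asset name, the coverage sets and the ranking
metric are assumed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RatedThreat:
    asset: str
    threat: str
    threat_priority: int  # step 4: likelihood, Low(1) .. High(5)
    impact_priority: int  # step 5: loss impact, Low(1) .. High(5)

    def __post_init__(self) -> None:
        for v in (self.threat_priority, self.impact_priority):
            if not 1 <= v <= 5:
                raise ValueError("ratings must be on the 1..5 scale")

    @property
    def risk_factor(self) -> int:
        """Step 6: risk factor = threat priority + impact priority."""
        return self.threat_priority + self.impact_priority


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float
    covers: frozenset  # names of the threats this safeguard addresses


def rank_threats(threats: list) -> list:
    """Order by risk factor; on a tie, the higher-impact threat first."""
    return sorted(threats, key=lambda t: (-t.risk_factor, -t.impact_priority, t.threat))


def safeguard_table(threats: list, safeguards: list) -> list:
    """Steps 7 and 8: walk the threats from the highest risk factor down and
    attach every safeguard that covers each one.  A threat with no safeguard
    still gets a row (safeguard None) so the gap is visible in the output."""
    rows = []
    for t in rank_threats(threats):
        matches = [s for s in safeguards if t.threat in s.covers]
        if not matches:
            rows.append((t.threat, t.risk_factor, None, 0.0))
        for s in matches:
            rows.append((t.threat, t.risk_factor, s.name, s.cost))
    return rows


def uncovered_threats(threats: list, safeguards: list) -> list:
    """Threats with no candidate safeguard, highest risk factor first."""
    covered = set().union(*(s.covers for s in safeguards))
    return [t.threat for t in rank_threats(threats) if t.threat not in covered]


def rank_safeguards(threats: list, safeguards: list) -> list:
    """Step 9: rank safeguards by risk-factor points covered per $1,000 of
    cost.  This is one simple coverage metric chosen for the example; the
    lecture leaves the choice of metric to the analyst."""
    rows = []
    for s in safeguards:
        points = sum(t.risk_factor for t in threats if t.threat in s.covers)
        rows.append((s.name, points, s.cost, round(points / s.cost * 1_000, 3)))
    return sorted(rows, key=lambda r: (-r[3], r[2]))


# Constructed input: the three rows of slide 28 plus the tornado from slide 30.
THREATS = [
    RatedThreat("computer room", "Fire", 3, 5),          # risk factor 8
    RatedThreat("computer room", "Water damage", 2, 5),  # risk factor 7
    RatedThreat("computer room", "Theft", 2, 3),         # risk factor 5
    RatedThreat("computer room", "Tornado", 3, 5),       # 8 on slide 30; ratings assumed
]
SAFEGUARDS = [  # costs from slide 30; coverage sets assumed
    Safeguard("Fire suppression system", 15_000.0, frozenset({"Fire"})),
    Safeguard("Business continuity plan", 75_000.0, frozenset({"Tornado", "Water damage"})),
]

if __name__ == "__main__":
    for threat, rf, name, cost in safeguard_table(THREATS, SAFEGUARDS):
        print(f"{threat:<13} {rf}  {name or '-- no safeguard --':<26} ${cost:>10,.2f}")
    print("uncovered:", uncovered_threats(THREATS, SAFEGUARDS))
    for name, points, cost, per_k in rank_safeguards(THREATS, SAFEGUARDS):
        print(f"{per_k:5.3f} points per $1,000  {name} ({points} points, ${cost:,.0f})")
```

The table it prints is the one above with the gap made explicit: Theft has no candidate safeguard, which is the cue to loop back to step 7 (for instance with C50, locking PCs and terminals to desks, from the controls list). Because the 1..5 scores are ordinal, the risk factors support ordering threats but not arithmetic on dollars; the points-per-dollar ranking is a tie-breaker between safeguards, not a cost-benefit figure.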
Slide #31
Step 10: Communicate Results
• Most risk analysis projects result in a
written report
– Generally not read
– Make a good executive summary
– Beneficial to track decisions.
• Real communication is done in meetings and
presentations
Slide #32
Key Points
• Key Elements of Risk Analysis
– Assets, Threats, Vulnerabilities, and Controls
• Quantitative vs qualitative
• Not a scientific process
– Companies will develop their own procedure
– Still a good framework for better understanding
of system security
