TEL2813/IS2621 Security Management
Risk Management: Identifying and Assessing Risk
April 1, 2008
Introduction
- Information security departments are created primarily to manage IT risk
- Managing risk is one of the key responsibilities of every manager within the organization
- In any well-developed risk management program, two formal processes are at work:
  - Risk identification and assessment
  - Risk control
Knowing Our Environment
- Identify, examine, and understand information and how it is processed, stored, and transmitted
- Initiate an in-depth risk management program
- Risk management is a process: the safeguards and controls that are devised and implemented are not install-and-forget devices
Knowing the Enemy
- Identify, examine, and understand the threats
- Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets
- Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated
Risk Management
- The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected (NIST)

[Figure: Risk Management Cycle. Steps: Identify the Risk Areas, Assess the Risks, Develop Risk Management Plan, Implement Risk Management Actions, Re-evaluate the Risks. The cycle is divided into Risk Assessment and Risk Control (Mitigation).]
Accountability for Risk Management
All communities of interest must work together:
- Evaluating risk controls
- Determining which control options are cost-effective
- Acquiring or installing appropriate controls
- Overseeing processes to ensure that controls remain effective
- Identifying risks
- Assessing risks
- Summarizing findings
Risk Identification Process
[Figure: Risk Identification Process]
Risk Identification
- Risk identification begins with the process of self-examination
- Managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance
Creating an Inventory of Information Assets
- Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
- Should be done without pre-judging the value of each asset
- Values will be assigned later in the process
Organizational Assets
[Figure: Organizational Assets]
Identifying Hardware, Software, and Network Assets
- The inventory process requires a certain amount of planning
- Determine which attributes of each of these information assets should be tracked
- This will depend on the needs of the organization and its risk management efforts
Attributes for Assets
Potential attributes:
- Name
- IP address
- MAC address
- Asset type
- Manufacturer name
- Manufacturer's model or part number
- Software version, update revision
- Physical location
- Logical location
- Controlling entity
Identifying People, Procedures, and Data Assets
- Whose responsibility? Managers who possess the necessary knowledge, experience, and judgment
- Recording: use a reliable data-handling process
Suggested Attributes
People:
- Position name/number/ID
- Supervisor name/number/ID
- Security clearance level
- Special skills
Procedures:
- Description
- Intended purpose
- Software/hardware/networking elements to which it is tied
- Location where it is stored for reference
- Location where it is stored for update purposes
Suggested Attributes
Data:
- Classification
- Owner/creator/manager
- Size of data structure
- Data structure used
- Online or offline
- Location
- Backup procedures
Classifying and Categorizing Assets
- After the initial inventory is assembled, determine whether its asset categories are meaningful
- The inventory should also reflect the sensitivity and security priority assigned to each asset
- A classification scheme categorizes these information assets based on their sensitivity and security needs
Classifying and Categorizing Assets (Continued)
- Categories designate the level of protection needed for a particular information asset
- Classification categories must be comprehensive and mutually exclusive
- Some asset types, such as personnel, may require an alternative classification scheme that identifies the clearance needed to use the asset type
Assessing Values for Information Assets
- Assign a relative value to ensure that the most valuable information assets are given the highest priority, for example:
  - Which is the most critical to the success of the organization?
  - Which generates the most revenue?
  - Which generates the highest profitability?
  - Which is the most expensive to replace?
  - Which is the most expensive to protect?
  - Whose loss or compromise would be the most embarrassing or cause the greatest liability?
- The final step in the risk identification process is to list the assets in order of importance
- A weighted factor analysis worksheet can be used for this
Sample Asset Classification Worksheet
[Figure: Sample Asset Classification Worksheet]

Weighted Factor Analysis Worksheet (NIST SP 800-30)
[Figure: Weighted Factor Analysis Worksheet]
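The weighted factor analysis worksheet above is mechanical enough to script. The following is an added example (not code from the course slides or the worksheet's source): each valuation question becomes a criterion with a weight, the weights sum to 100, every asset is scored 0.1 to 1.0 against every criterion, and the assets are ranked by the sum of weight times score. The criteria, weights and the four sample assets are constructed for illustration.

```python
"""Weighted factor analysis worksheet for ranking information assets.

Each valuation criterion carries a weight; the weights sum to 100.  Each asset
is scored 0.1-1.0 against every criterion.  An asset's weighted score is the
sum of weight * score, and assets are listed in descending order of that score.
(Added example; criteria, weights and assets are constructed for illustration.)
"""
from __future__ import annotations

# Criterion weights (hypothetical).  They mirror the valuation questions on the
# slide: criticality to the organization, revenue generated, replacement cost,
# and liability/embarrassment if lost or compromised.
CRITERIA: dict[str, int] = {
    "criticality": 40,
    "revenue": 30,
    "replacement_cost": 15,
    "liability": 15,
}

# Constructed inventory: asset -> score (0.1-1.0) per criterion.
ASSETS: dict[str, dict[str, float]] = {
    "customer order database": {"criticality": 1.0, "revenue": 1.0,
                                "replacement_cost": 0.8, "liability": 0.9},
    "public web site":         {"criticality": 0.6, "revenue": 0.8,
                                "replacement_cost": 0.3, "liability": 0.5},
    "hr payroll records":      {"criticality": 0.7, "revenue": 0.2,
                                "replacement_cost": 0.5, "liability": 1.0},
    "internal wiki":           {"criticality": 0.3, "revenue": 0.1,
                                "replacement_cost": 0.2, "liability": 0.2},
}


def validate_weights(criteria: dict[str, int]) -> None:
    """The worksheet convention is that criterion weights total 100."""
    total = sum(criteria.values())
    if total != 100:
        raise ValueError(f"criterion weights must sum to 100, got {total}")


def validate_scores(scores: dict[str, float], criteria: dict[str, int]) -> None:
    """Every criterion must be scored, and every score must lie in 0.1-1.0."""
    missing = set(criteria) - set(scores)
    if missing:
        raise ValueError(f"missing scores for {sorted(missing)}")
    for name, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {name!r} must be in 0.1-1.0, got {score}")


def weighted_score(scores: dict[str, float], criteria: dict[str, int]) -> float:
    """Sum of weight * score over all criteria, rounded to two decimals."""
    validate_scores(scores, criteria)
    return round(sum(criteria[c] * scores[c] for c in criteria), 2)


def rank_assets(assets: dict[str, dict[str, float]],
                criteria: dict[str, int]) -> list[tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important asset first."""
    validate_weights(criteria)
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in assets.items()]
    # Sort by score descending; ties keep inventory order because sort is stable.
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS, CRITERIA):
        print(f"{score:6.1f}  {name}")
```

The two validation functions matter in practice: a worksheet whose weights do not total 100, or whose scores drift outside the agreed scale, produces rankings that cannot be compared across assets or across reviewers.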
Data Classification Model
- Data owners must classify the information assets for which they are responsible and review the classifications periodically
- Example:
  - Public
  - For official use only
  - Sensitive
  - Classified
Data Classification Model
- The U.S. military classification scheme is a more complex categorization system than the schemes of most corporations
- Uses a five-level classification scheme as defined in Executive Order 12958:
  - Unclassified Data
  - Sensitive But Unclassified (SBU) Data
  - Confidential Data
  - Secret Data
  - Top Secret Data
Security Clearances
Personnel security clearance structure:
- Complement to the data classification scheme
- Each user of an information asset is assigned an authorization level that indicates the level of information classification he or she can access
- Most organizations have developed a set of roles and corresponding security clearances
- Individuals are assigned into groups that correlate with the classifications of the information assets they need for their work
Security Clearances (Continued)
Need-to-know principle:
- Regardless of one's security clearance, an individual is not allowed to view data simply because it falls within that individual's level of clearance
- Before he or she is allowed access to a specific set of data, that person must also have a need to know the data
Management of Classified Information Assets
- Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset
- An information asset that has a classification designation other than unclassified or public:
  - Must be clearly marked as such
  - Must be available only to authorized individuals
Management of Classified Information Assets (Continued)
Clean desk policy:
- To maintain the confidentiality of classified documents, managers can implement a clean desk policy
Destruction of sensitive material:
- When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
Threat Identification
- Any organization typically faces a wide variety of threats
- If you assume that every threat can and will attack every information asset, then the project scope becomes too complex
- To make the process less unwieldy, manage each step in the threat identification and vulnerability identification processes separately
Identify and Prioritize Threats and Threat Agents
- Each threat presents a unique challenge
- Must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy
- Threat assessment: each threat must be examined to determine its potential to affect the targeted information asset
Threats to Information Security
[Figure: Threats to Information Security]

Threats to Information Security (Whitman survey)
[Figure: Threats to Information Security, Whitman survey]
Weighted Ranking of Threat-Driven Expenditures

Top Threat-Driven Expenses                    Rating
Deliberate software attacks                   12.7
Acts of human error or failure                 7.6
Technical software failures or errors          7.0
Technical hardware failures or errors          6.0
QoS deviations from service providers          4.9
Deliberate acts of espionage or trespass       4.7
Deliberate acts of theft                       4.1
Deliberate acts of sabotage or vandalism       4.0
Technological obsolescence                     3.3
Forces of nature                               3.0
Compromises to intellectual property           2.2
Deliberate acts of information extortion       1.0
Vulnerability Assessment
Steps revisited:
- Identify the information assets of the organization and document some threat assessment criteria
- Begin to review every information asset for each threat
- This leads to the creation of a list of vulnerabilities that remain potential risks to the organization
- At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
- The goal: to evaluate the relative risk of each listed vulnerability
Risk Identification Estimate Factors
Risk is:
- The likelihood of the occurrence of a vulnerability
- Multiplied by the value of the information asset
- Minus the percentage of risk mitigated by current controls
- Plus the uncertainty of current knowledge of the vulnerability
Likelihood
- The likelihood of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event
- It is the overall rating, often a numerical value on a defined scale (such as 0.1 – 1.0), of the probability that a specific vulnerability will be exploited
- Using the information documented during the risk identification process, assign weighted scores based on the value of each information asset, e.g. 1-100, low-med-high, etc.
Assessing Potential Loss
To be effective, the likelihood values must be assigned by asking:
- Which threats present a danger to this organization's assets in the given environment?
- Which threats represent the most danger to the organization's information?
- How much would it cost to recover from a successful attack?
- Which threats would require the greatest expenditure to prevent?
- Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
Mitigated Risk / Uncertainty
- If a vulnerability is partially controlled, estimate what percentage of the vulnerability has been controlled
- Uncertainty is an estimate made by the manager using judgment and experience
- It is not possible to know everything about every vulnerability
- The degree to which a current control can reduce risk is also subject to estimation error
Risk Determination Example
- Asset A has a value of 50 and has vulnerability #1:
  - likelihood of 1.0 with no current controls
  - assumptions and data are 90% accurate
- Asset B has a value of 100 and has two vulnerabilities:
  - Vulnerability #2: likelihood of 0.5 with a current control that addresses 50% of its risk
  - Vulnerability #3: likelihood of 0.1 with no current controls
  - assumptions and data are 80% accurate
Risk Determination Example
The resulting ranked list of risk ratings for the three vulnerabilities is as follows (the mitigation and uncertainty percentages are taken of the base value, asset value × likelihood, and uncertainty is 100% minus the stated accuracy):
- Asset A, Vulnerability 1: rated as 55 = (50 × 1.0) − 0% + 10%
- Asset B, Vulnerability 2: rated as 35 = (100 × 0.5) − 50% + 20%
- Asset B, Vulnerability 3: rated as 12 = (100 × 0.1) − 0% + 20%
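To make the arithmetic behind these three ratings reproducible, here is an added example (not code from the slides) that encodes the estimate factors as a small data type and applies the formula from the Risk Identification Estimate Factors slide. The `Vulnerability` class and its field names are this example's own; the three inputs are the slides' Asset A / Asset B figures, and the rounding to two decimals is an assumption added so floating-point noise does not show up in the ranking.

```python
"""Risk rating from the slides' Risk Identification Estimate Factors.

    rating = (asset value x likelihood)
             - (asset value x likelihood) x fraction mitigated by current controls
             + (asset value x likelihood) x uncertainty

where uncertainty = 1 - accuracy of the assumptions and data.  (Added example;
the inputs reproduce the slides' Asset A / Asset B figures.)
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    name: str
    asset_value: float   # relative value of the asset, e.g. on a 1-100 scale
    likelihood: float    # probability the vulnerability is exploited, 0.1-1.0
    mitigated: float     # fraction of the risk addressed by current controls, 0.0-1.0
    accuracy: float      # confidence in the assumptions and data, 0.0-1.0

    def __post_init__(self) -> None:
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError("likelihood must be in 0.1-1.0")
        for name in ("mitigated", "accuracy"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{name} must be in 0.0-1.0")


def risk_rating(v: Vulnerability) -> float:
    base = v.asset_value * v.likelihood   # asset value x likelihood
    uncertainty = 1.0 - v.accuracy        # 90% accurate -> 10% uncertainty
    # Both the mitigation credit and the uncertainty surcharge are taken of the base.
    return round(base - base * v.mitigated + base * uncertainty, 2)


def ranked_risks(vulns: list[Vulnerability]) -> list[tuple[str, str, float]]:
    """(asset, vulnerability, rating) triples, highest rating first."""
    rows = [(v.asset, v.name, risk_rating(v)) for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The three vulnerabilities from the slides' example.
SLIDE_EXAMPLE = [
    Vulnerability("Asset A", "Vulnerability 1", asset_value=50,
                  likelihood=1.0, mitigated=0.0, accuracy=0.9),
    Vulnerability("Asset B", "Vulnerability 2", asset_value=100,
                  likelihood=0.5, mitigated=0.5, accuracy=0.8),
    Vulnerability("Asset B", "Vulnerability 3", asset_value=100,
                  likelihood=0.1, mitigated=0.0, accuracy=0.8),
]

if __name__ == "__main__":
    for asset, name, rating in ranked_risks(SLIDE_EXAMPLE):
        print(f"{rating:5.1f}  {asset}: {name}")
```

Note the order of operations: because the uncertainty term is added back on top of the base rather than on the mitigated value, a partially controlled vulnerability with poor data (Vulnerability 2) still scores well above an uncontrolled but unlikely one (Vulnerability 3). Improving the accuracy of the estimate is itself a way to lower the rating, which is why the uncertainty factor rewards better asset and threat data.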
Identify Possible Controls
- For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas
- Three general categories of controls exist:
  - Policies
  - Programs
  - Technical controls
Access Controls
- Access controls specifically address the admission of a user into a trusted area of the organization
- These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety
- Access controls usually consist of a combination of policies, programs, and technologies
Types of Access Controls
Mandatory Access Controls (MACs):
- Required
- Structured and coordinated with a data classification scheme
- When implemented, users and data owners have limited control over their access to information resources
- Use a data classification scheme that rates each collection of information
Types of Access Controls (Continued)
Access Control Matrix:
- Access Control List (ACL): the column of attributes associated with a particular object
- Capabilities: the row of attributes associated with a particular subject
Types of Access Controls (Continued)
- Nondiscretionary controls are determined by a central authority in the organization
- Can be based on roles (role-based controls) or on a specified set of tasks (task-based controls)
- Task-based controls can, in turn, be based on lists maintained on subjects or objects
- Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility
Types of Access Controls (Continued)
- Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user
- The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal
- The users can allow general, unrestricted access, or allow specific individuals or sets of individuals to access these resources
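The access control matrix slide and the earlier need-to-know slide describe two mechanisms that are easiest to see side by side in code. The following is an added example, not code from the slides: it stores a matrix of subjects, objects and rights, projects it into the ACL (column) and capability (row) views, and then layers a mandatory check on top in which a subject's clearance must dominate the object's classification and must also cover every need-to-know compartment the object is labelled with. The subjects, objects, labels and rights are constructed for illustration; the level names follow the military scheme on the earlier slide.

```python
"""Access control matrix with its two projections (ACL per object, capability
list per subject), plus a mandatory check that combines clearance level with
need-to-know compartments.  Added example; subjects, objects, labels and
rights are constructed for illustration and are not from the slides.
"""
from __future__ import annotations

# Classification levels ordered from lowest to highest sensitivity.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]

# The matrix: rows are subjects, columns are objects, each cell is a set of
# rights.  A missing cell means "no rights".  (Constructed sample.)
MATRIX: dict[str, dict[str, set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}, "ops-runbook.md": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}

# Object labels: (classification level, compartments a reader must need to know).
OBJECT_LABELS: dict[str, tuple[str, frozenset[str]]] = {
    "payroll.db":     ("secret", frozenset({"hr"})),
    "handbook.pdf":   ("unclassified", frozenset()),
    "ops-runbook.md": ("confidential", frozenset({"ops"})),
}

# Subject clearances: (clearance level, compartments the subject needs to know).
SUBJECT_CLEARANCES: dict[str, tuple[str, frozenset[str]]] = {
    "alice": ("top secret", frozenset({"hr"})),
    "bob":   ("secret", frozenset({"ops"})),
    "carol": ("secret", frozenset()),   # cleared to Secret, but no need-to-know for HR data
}


def acl(matrix: dict[str, dict[str, set[str]]], obj: str) -> dict[str, set[str]]:
    """Column view: which subjects hold which rights on one object."""
    return {subject: set(rights[obj])
            for subject, rights in matrix.items() if obj in rights}


def capabilities(matrix: dict[str, dict[str, set[str]]], subject: str) -> dict[str, set[str]]:
    """Row view: which objects one subject holds rights on."""
    return {obj: set(rights) for obj, rights in matrix.get(subject, {}).items()}


def mac_permits(subject: str, obj: str) -> bool:
    """Clearance must dominate the classification AND cover every compartment."""
    clearance = SUBJECT_CLEARANCES.get(subject)
    label = OBJECT_LABELS.get(obj)
    if clearance is None or label is None:
        return False                      # unlabelled data or unknown subject: deny
    clearance_level, subject_compartments = clearance
    object_level, object_compartments = label
    dominates = LEVELS.index(clearance_level) >= LEVELS.index(object_level)
    need_to_know = object_compartments <= subject_compartments
    return dominates and need_to_know


def allowed(subject: str, obj: str, right: str) -> bool:
    """Access requires both a matrix entry and a passing mandatory check.

    The matrix answers "was this right granted?"; the mandatory check answers
    "is this subject cleared, and does it need to know?".  Either alone is not enough.
    """
    granted = right in MATRIX.get(subject, {}).get(obj, set())
    return granted and mac_permits(subject, obj)


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("capabilities of bob:", capabilities(MATRIX, "bob"))
    for who in ("alice", "carol"):
        print(f"{who} read payroll.db ->", allowed(who, "payroll.db", "read"))
```

The `carol` case is the point of the need-to-know slide: she holds a Secret clearance, the payroll database is classified Secret, and the matrix even grants her read access, yet she is denied because she is not in the `hr` compartment. The matrix-only check (`granted`) is what a purely discretionary system would enforce; `mac_permits` is the mandatory layer the data owner cannot override.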
Documenting the Results of Risk Assessment
The goal of the risk management process:
- Identify information assets and their vulnerabilities
- Rank them according to the need for protection
In preparing this list, collect:
- a wealth of factual information about the assets and the threats they face
- information about the controls that are already in place
The final summarized document is the ranked vulnerability risk worksheet
Ranked Vulnerability Risk Worksheet
[Figure: Ranked Vulnerability Risk Worksheet]
Documenting the Results of Risk Assessment (Continued)
- What are the deliverables from this stage of the risk management project?
- The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them
Risk Identification and Assessment Deliverables
[Figure: Risk Identification and Assessment Deliverables]
Risk Management: Assessing and Controlling Risk
Risk Control Strategies
Choose a basic risk control strategy:
- Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
- Transference: shifting the risk to other areas or to outside entities
- Mitigation: reducing the impact should the vulnerability be exploited
- Acceptance: understanding the consequences and accepting the risk without control or mitigation
Avoidance
- Attempts to prevent the exploitation of the vulnerability
- Accomplished through:
  - Application of policy
  - Application of training and education
  - Countering threats
  - Implementation of technical security controls and safeguards
Transference
- Attempts to shift the risk to other assets, other processes, or other organizations
- May be accomplished by:
  - Rethinking how services are offered
  - Revising deployment models
  - Outsourcing to other organizations
  - Purchasing insurance
  - Implementing service contracts with providers
Mitigation
- Attempts to reduce the damage caused by the exploitation of a vulnerability by means of planning and preparation
- Includes three types of plans:
  - Disaster recovery plan (DRP)
  - Incident response plan (IRP)
  - Business continuity plan (BCP)
- Depends upon the ability to detect and respond to an attack as quickly as possible

Summaries of Mitigation Plans
[Figure: Summaries of Mitigation Plans]
Acceptance
- Acceptance is the choice to do nothing to protect an information asset and to accept the loss when it occurs
- This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure
Acceptance (Continued)
The only valid use of the acceptance strategy occurs when the organization has:
- Determined the level of risk to the information asset
- Assessed the probability of attack and the likelihood of a successful exploitation of the vulnerability
- Approximated the ARO of the exploit
- Estimated the potential loss from attacks
- Performed a thorough cost-benefit analysis
- Evaluated controls using each appropriate type of feasibility
- Decided that the particular asset did not justify the cost of protection
Risk Control Strategy Selection
- Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization
- Acceptance of risk is appropriate if the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than the expected costs of the attack
- Otherwise, one of the other control strategies will have to be selected
Risk Handling Action Points
[Figure: Risk Handling Action Points]
Risk Control Strategy Selection
Some rules:
- When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised
- When a vulnerability can be exploited: apply layered controls to minimize the risk or prevent occurrence
- When the attacker's potential gain is greater than the costs of attack: apply protections to increase the attacker's cost or reduce the attacker's gain, using technical or managerial controls
- When potential loss is substantial: apply design controls to limit the extent of the attack, thereby reducing the potential for loss
Evaluation, Assessment, and Maintenance of Risk Controls
- Once a control strategy has been selected and implemented, the effectiveness of controls should be monitored and measured on an ongoing basis to determine:
  - their effectiveness
  - the accuracy of the estimate of the risk that will remain after all planned controls are in place
The Risk Control Cycle
[Figure: The Risk Control Cycle]
Categories of Controls
- Implementing controls or safeguards to control risk by means of avoidance, mitigation, or transference
- Controls can be classified in one of four ways:
  - Control function
  - Architectural layer
  - Strategy layer
  - Information security principle
Control Function
Preventive controls:
- Stop attempts to exploit a vulnerability by implementing enforcement of an organizational policy or a security principle
- Use a technical procedure, or some combination of technical means and enforcement methods
Detective controls:
- Alert about violations of security principles, organizational policies, or attempts to exploit vulnerabilities
- Use techniques such as audit trails, intrusion detection, and configuration monitoring
Architectural Layer
- Some controls apply to one or more layers of an organization's technical architecture
- Possible architectural layers include the following:
  - Organizational policy
  - External networks / extranets
  - Demilitarized zones
  - Intranets
  - Network devices that interface network zones
  - Systems
  - Applications
Strategy Layer
- Controls are sometimes classified by the risk control strategy they operate within:
  - Avoidance
  - Mitigation
  - Transference
- Note that the acceptance strategy is not an option here, since it involves the absence of controls
Information Security Principle
Risk controls operate within one or more of the commonly accepted information security principles:
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
- Accountability
- Privacy
Feasibility Studies and Cost Benefit Analysis
- Before deciding on the strategy for a specific vulnerability, information about the consequences of the vulnerability must be explored
- Determine the advantage or disadvantage of a specific control
- The primary means are based on the value of the information assets that the control is designed to protect
Cost Benefit Analysis (CBA)
- Economic feasibility is the criterion most commonly used when evaluating a project that implements information security controls and safeguards
- Should begin a CBA by evaluating:
  - the worth of the information assets to be protected
  - the loss in value if those information assets are compromised
Cost Benefit Analysis or Economic Feasibility Study
Cost:
- It is difficult to determine the value of information, and to determine the cost of safeguarding it
- Some of the items that affect the cost of a control or safeguard include:
  - Cost of development or acquisition of hardware, software, and services
  - Training fees
  - Cost of implementation
  - Service costs
  - Cost of maintenance
Benefit
- Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability
- Usually determined by valuing the information asset or assets exposed by the vulnerability, and determining how much of that value is at risk and how much risk there is for the asset
- This is expressed as Annualized Loss Expectancy (ALE)
Asset Valuation
- Asset valuation is a challenging process of assigning financial value or worth to each information asset
- The value of information differs within organizations and between organizations, based on information characteristics and the perceived value of that information
- Valuation of assets involves estimation of real and perceived costs associated with design, development, installation, maintenance, protection, recovery, and defense against loss and litigation
Asset Valuation Components
Some of the components of asset valuation include:
- Value retained from the cost of creating the information asset
- Value retained from past maintenance of the information asset
- Value implied by the cost of replacing the information
- Value from providing the information
- Value acquired from the cost of protecting the information
- Value to owners
- Value of intellectual property
- Value to adversaries
- Loss of productivity while the information assets are unavailable
- Loss of revenue while information assets are unavailable
Asset Valuation Approaches
The organization must be able to place a dollar value on each information asset it owns, based on:
- How much did it cost to create or acquire?
- How much would it cost to recreate or recover?
- How much does it cost to maintain?
- How much is it worth to the organization?
- How much is it worth to the competition?
Asset Valuation Approaches (Continued)
- Potential loss is that which could occur from the exploitation of a vulnerability or a threat occurrence
- The questions that must be asked include:
  - What loss could occur, and what financial impact would it have?
  - What would it cost to recover from the attack, in addition to the financial impact of damage?
  - What is the single loss expectancy for each risk?
Asset Valuation Techniques
Single loss expectancy (SLE):
- The value associated with the most likely loss from an attack
- Based on the estimated asset value and the expected percentage of loss that would occur from the attack: SLE = asset value (AV) × exposure factor (EF)
- EF = the percentage loss that would occur from a given vulnerability being exploited
Annualized rate of occurrence (ARO):
- The expected frequency of an attack, expressed per year; an attack expected once every ten years has an ARO of 0.1, one expected twice a year has an ARO of 2
Annualized loss expectancy (ALE):
- ALE = SLE × ARO
The Cost Benefit Analysis (CBA) Formula
- CBA determines whether or not a control alternative is worth its associated cost
- CBAs may be calculated:
  - before a control or safeguard is implemented, to determine if the control is worth implementing, or
  - after controls have been implemented and have been functioning for a time
- CBA = ALE(prior) − ALE(post) − ACS
The Cost Benefit Analysis (CBA) Formula
- ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control
- ALE(post control) is the ALE examined after the control has been in place for a period of time
- ACS is the annual cost of the safeguard
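The SLE, ARO, ALE and CBA definitions on the last few slides chain together into a single decision procedure. The following is an added example, not code from the slides: it carries one constructed scenario through all four quantities and then evaluates the same safeguard at two different annual costs, so that the sign of the CBA result decides whether the safeguard is worth implementing. The `Exposure` class, the helper that turns "once every N years" into an ARO, and the monetary figures are this example's own assumptions.

```python
"""SLE, ARO, ALE and the CBA formula from the slides, as an added worked
example with constructed figures.

    SLE = AV x EF                         single loss expectancy
    ALE = SLE x ARO                       annualized loss expectancy
    CBA = ALE(prior) - ALE(post) - ACS    positive means the safeguard pays for itself
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost in one incident (0.0-1.0)
    aro: float              # expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in 0.0-1.0")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: what a year of incidents is expected to cost."""
        return self.sle() * self.aro


def aro_from_interval(years_between_incidents: float) -> float:
    """An incident expected once every N years has ARO = 1 / N."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def cba(ale_prior: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS."""
    return ale_prior - ale_post - annual_cost_of_safeguard


def evaluate_safeguard(before: Exposure, after: Exposure, acs: float) -> tuple[float, bool]:
    """Return (CBA, worth_implementing); a safeguard is worth its cost only when CBA > 0."""
    value = cba(before.ale(), after.ale(), acs)
    return value, value > 0


# Constructed scenario: a 500,000 asset; today an incident destroys 40% of it
# and is expected about once every two years.
BEFORE = Exposure(asset_value=500_000, exposure_factor=0.4, aro=aro_from_interval(2))
# A proposed safeguard cuts the damage to 10% and the frequency to once in five years.
AFTER = Exposure(asset_value=500_000, exposure_factor=0.1, aro=aro_from_interval(5))

if __name__ == "__main__":
    print(f"SLE before: {BEFORE.sle():,.0f}   ALE before: {BEFORE.ale():,.0f}")
    print(f"SLE after:  {AFTER.sle():,.0f}    ALE after:  {AFTER.ale():,.0f}")
    for acs in (35_000, 120_000):
        value, worth = evaluate_safeguard(BEFORE, AFTER, acs)
        print(f"ACS {acs:>8,}: CBA {value:>10,.0f} -> {'implement' if worth else 'reject'}")
```

The same safeguard is worth buying at an annual cost of 35,000 and not at 120,000, even though it reduces risk identically in both cases. That is the point of the slides' "acceptance" strategy: when ACS exceeds the ALE reduction, the rational choice is to accept the residual risk rather than pay more for the control than the loss it prevents.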
Other Feasibility Approaches
- Organizational feasibility analysis examines how well the proposed information security alternatives will contribute to the operation of the organization
- Operational (behavioral) feasibility analysis addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
Other Feasibility Approaches (Continued)
- Technical feasibility analysis examines whether or not the organization has or can acquire the technology to implement and support the alternatives
- Political feasibility analysis defines what can and cannot occur based on the consensus and relationships between the communities of interest
Benchmarking
Benchmarking:
- Seeking out and studying the practices of other organizations that produce desired results
- Measuring differences between how organizations conduct business
When benchmarking, an organization typically uses one of two measures to compare practices:
- Metrics-based measures: comparisons based on numerical standards
- Process-based measures: generally less focused on numbers and more strategic
Benchmarking (Continued)
- In the field of information security, two categories of benchmarks are used:
  - Standards of due care and due diligence
  - Best practices
- Within best practices, the gold standard is a subcategory of practices that are typically viewed as "the best of the best"
Due Care and Due Diligence
- For legal reasons, an organization may be forced to adopt a certain minimum level of security
- Due care: adopting levels of security for legal defense; the organization needs to show that it has done what any prudent organization would do in similar circumstances
- Due diligence: demonstrating that the organization is persistent in ensuring that the implemented standards continue to provide the required level of protection
Applying Best Practices
Address the following questions:
- Does your organization resemble the organization that is implementing the best practice under consideration?
- Is your organization in a similar industry?
- Does your organization face similar challenges?
- Is your organizational structure similar to the organization from which you are modeling the best practices?
- Can your organization expend resources that are in line with the requirements of the best practice?
- Is your organization in a similar threat environment as the one cited in the best practice?
Problems with Benchmarking and Best Practices
- Organizations don't talk to each other
- No two organizations are identical
- Best practices are a moving target
- Simply knowing what was going on a few years ago does not necessarily indicate what to do next
Risk Appetite
- Risk appetite defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility
- A reasoned approach to risk is one that balances expense against the possible losses if the vulnerability is exploited
Residual Risk
- When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely accounted for: residual risk
- Residual risk is:
  - Risk from a threat, less the effect of threat-reducing safeguards, plus
  - Risk from a vulnerability, less the effect of vulnerability-reducing safeguards, plus
  - Risk to an asset, less the effect of asset value-reducing safeguards
Residual Risk (Continued)
- The significance of residual risk must be judged within the context of an organization's risk appetite
- The goal of information security is not to bring residual risk to zero, but to bring it in line with the organization's risk appetite
Documenting Results
- When the risk management program has been completed, a series of proposed controls are prepared, each justified by one or more feasibility or rationalization approaches
- At minimum, each information asset-threat pair should have a documented control strategy that clearly identifies any residual risk remaining after the proposed strategy has been executed
Documenting Results (Continued)
- Some organizations document the outcome of the control strategy for each information asset-threat pair in an action plan
- This includes concrete tasks, each with accountability assigned to an organizational unit or to an individual
Recommended Risk Control Practices
- Each time a control is added to the matrix, it changes the ALE for the associated asset vulnerability as well as for others
- One safeguard can decrease the risk associated with all subsequent control evaluations
- It may change the value assigned or calculated in a prior estimate
Qualitative Measures
Quantitative assessment performs asset valuation with actual values or estimates
An organization may determine that it cannot put specific numbers on these values
Such organizations can use qualitative assessment instead, using scales rather than specific estimates
Delphi Approach
A group rates and ranks assets
The individual responses are compiled and sent back to the group
Members reevaluate and redo the rating/ranking
Iterate until agreement is reached
The OCTAVE Method
Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE℠) Method:
Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets
Operational or business units and the IT department work together to address the information security needs of the organization
Phases of The OCTAVE Method
Phase 1: Build Asset-Based Threat Profiles
Organizational evaluation: key areas of expertise within the organization are examined to elicit important knowledge about:
Information assets
Threats to those assets
Security requirements of the assets
What the organization is currently doing to protect its information assets
Weaknesses in organizational policies and practice
Phases of The OCTAVE Method (Continued)
Phase 2: Identify Infrastructure Vulnerabilities
Evaluation of the information infrastructure: key operational components of the information technology infrastructure are examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action
Phases of The OCTAVE Method (Continued)
Phase 3: Develop Security Strategy and Plans
Risks are analyzed in this phase: the information generated by the organizational and information infrastructure evaluations (Phases 1 and 2) is analyzed to:
Identify risks to the organization
Evaluate risks based on their impact on the organization's mission
An organization protection strategy and risk mitigation plans for the highest-priority risks are developed
Important Aspects of the OCTAVE Method
The OCTAVE Method is self-directed: it requires an analysis team to conduct the evaluation and analyze the information
Basic tasks of the team are to:
Facilitate the knowledge-elicitation workshops of Phase 1
Gather any necessary supporting data
Analyze threat and risk information
Develop a protection strategy for the organization
Develop mitigation plans to address risks to the organization's critical assets
Important Aspects of the OCTAVE Method (Continued)
OCTAVE Method:
Uses a workshop-based approach for gathering information and making decisions
Relies upon the following major catalogs of information:
Catalog of practices: a collection of good strategic and operational security practices
Threat profile: the range of major sources of threats that an organization needs to consider
Catalog of vulnerabilities: a collection of vulnerabilities based on platform and application
Phases & Processes of the OCTAVE Method
Each phase of the OCTAVE Method contains two or more processes. Each process is made of activities. Phase 1: Build Asset-Based Threat Profiles
Process 1: Identify Senior Management Knowledge
Process 2: Identify Operational Area Management Knowledge
Process 3: Identify Staff Knowledge
Process 4: Create Threat Profiles
Phases & Processes of the OCTAVE Method (Continued)
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify Key Components
Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
Process 7: Conduct Risk Analysis
Process 8: Develop Protection Strategy
Preparing for the OCTAVE Method
Obtain senior management sponsorship of OCTAVE
Select analysis team members
Train the analysis team
Select operational areas to participate in OCTAVE
Select participants
Coordinate logistics
Brief all participants
The OCTAVE Method
For more information, you can download the OCTAVE℠ Method implementation guide from www.cert.org/octave/omig.html
SummaryIntroduction
Risk Control Strategies
Risk Control Strategy Selection
Categories of Controls
Feasibility Studies and Cost-Benefit Analysis
Risk Management Discussion Points
Recommended Risk Control Practices
The OCTAVE Method
Cost-Benefit Analysis, Net Present Value Model, Internal Rate of Return Model, Return on Investment
(Based on the book by Gordon and Loeb)
Cost-benefit framework
CBA is a widely accepted economic principle for managing organizational resources
It requires the cost of an activity to be compared with its benefit
Cost > Benefit?Cost < Benefit?Cost = Benefit?
Cyber security Cost
Operating Cost
Expenditure that will benefit a single period's operations (one fiscal year)
E.g., the cost of patching software to correct breaches in the fiscal year
Capital Investment
Expenditure that will benefit several periods (appears on the balance sheet)
E.g., purchase of an IDS system (plus personnel cost)
Expected to work for at least the next few years
Cyber security Cost
Capital investments lose their economic value over time
The portion of the investment that has been lost during a particular period is charged to that period (depreciation)
In practice, the distinction is not straightforward
Some argue that most cyber security expenditures are operating costs
However, they have spill-over effects, hence could be treated as capital investments
Middle ground!!
Cyber security Cost : In practice
Most organizations treat cyber security expenditure as operating costs
Accounting and tax rules allow/motivate this: by expensing these costs in the year of expenditure, tax savings are realized immediately
The distinction is nonetheless good (recommended) from a planning perspective
A good approach: view all cyber security expenditures as capital investments with varying time horizons
An operating cost then becomes a special case of a capital investment (a one-period horizon)
Cost (C) vs. Benefit (B)
Assume B and C can be assessed for different levels of cyber security activities
The organization's goal should be to implement security procedures up to the point where (B - C) is maximum
Implementing beyond that point means the incremental costs exceed the incremental benefits
Net benefit beyond that maximum point is negative
Cost (C) vs. Benefit (B)
Cost-Benefit principle
Keep increasing security activities as long as the incremental benefits exceed their incremental costs
If security activities can be increased in small amounts, they should be set at the point where the incremental cost equals the incremental benefit
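To make the marginal rule concrete, here is an added worked example (my own code, not from the slides or from the Gordon-Loeb book) that finds SA* from a benefit and cost schedule in two ways: as the level with the largest net benefit, and by adding activity only while the incremental benefit exceeds the incremental cost. The schedules are constructed, hypothetical figures in $K chosen to follow the curve shapes the slides assume (benefits rising at a decreasing rate, cost with a fixed portion plus a variable portion that first rises slowly and then accelerates); the two rules agree only under those shape assumptions, which the code states in its comments.

```python
"""Finding SA*, the level of security activity that maximizes net benefit B - C.

Added example, not from the slides. TOTAL_BENEFIT and TOTAL_COST are
constructed (hypothetical) schedules in $K per year for successive levels
of security activity, shaped as the slides assume.
"""
from typing import List, Tuple

# Level 0 is the status quo; each further level adds one more unit of activity.
# Benefits rise at a decreasing rate; cost has a fixed portion (level 0 = 30)
# plus a variable portion that rises slowly at first and then accelerates.
TOTAL_BENEFIT: List[float] = [0, 120, 210, 280, 335, 375, 405, 425, 440, 450]
TOTAL_COST: List[float] = [30, 70, 105, 135, 165, 200, 245, 305, 385, 495]


def marginals(series: List[float]) -> List[float]:
    """Incremental change from one level to the next: series[i] - series[i-1]."""
    return [series[i] - series[i - 1] for i in range(1, len(series))]


def optimum_by_net_benefit(benefit: List[float], cost: List[float]) -> Tuple[int, float]:
    """SA* as the level with the largest B - C, together with that maximum net benefit."""
    net = [b - c for b, c in zip(benefit, cost)]
    sa_star = max(range(len(net)), key=net.__getitem__)
    return sa_star, net[sa_star]


def optimum_by_marginal_rule(benefit: List[float], cost: List[float]) -> int:
    """SA* by the cost-benefit principle: keep adding activity while the incremental
    benefit exceeds the incremental cost, and stop at the first step where it does not.

    Assumes diminishing marginal benefit and eventually rising marginal cost, so the
    marginal curves cross exactly once and this stopping rule finds the global optimum.
    """
    level = 0
    for step, (mb, mc) in enumerate(zip(marginals(benefit), marginals(cost)), start=1):
        if mb <= mc:
            break
        level = step
    return level


def beyond_optimum_is_worse(benefit: List[float], cost: List[float], sa_star: int) -> bool:
    """True when every level past SA* yields a smaller net benefit than SA* itself."""
    net = [b - c for b, c in zip(benefit, cost)]
    return all(net[i] < net[sa_star] for i in range(sa_star + 1, len(net)))


if __name__ == "__main__":
    for lvl, (mb, mc) in enumerate(zip(marginals(TOTAL_BENEFIT), marginals(TOTAL_COST)), 1):
        print(f"level {lvl}: marginal benefit {mb:>4}  marginal cost {mc:>4}  "
              f"{'add' if mb > mc else 'stop'}")
    print("SA* by net benefit:", optimum_by_net_benefit(TOTAL_BENEFIT, TOTAL_COST))
    print("SA* by marginal rule:", optimum_by_marginal_rule(TOTAL_BENEFIT, TOTAL_COST))
```

With these schedules both rules stop at level 5, where the net benefit is $175K; from level 6 on, each extra unit of activity costs more than it returns.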
Cost vs Benefit
[Figure: total cost (C), total benefit (B) and net benefit (B - C) plotted against the level of security activities; net benefit peaks at SA*]
Total benefit (B): security benefits increase at a decreasing rate, i.e., there are diminishing marginal benefits
Total cost (C) can be assumed to have a fixed portion (irrespective of the level of activities) and a variable portion (varies with the level of activities)
The variable portion is assumed to initially increase at a decreasing rate and then increase at an increasing rate
Net benefit: the organization would increase security activities until SA*
Net Present Value Model
C and B can be quantified in terms of Net Present Value (NPV)
NPV is a financial tool for comparing anticipated benefits and costs over different time periods
It is a good way to put CBA into practice
Net Present Value Model
To compute NPV, first discount all anticipated benefits and costs to today's value, or present value (PV)
NPV = PV - Initial cost of the project
Key aspect of the NPV model: compare the discounted cash flows associated with the future benefits and costs to the initial cost of an investment
All costs are in monetary units
Net Present Value Model

$$NPV = -C_0 + \sum_{t=1}^{n} \frac{B_t - C_t}{(1+k)^t}$$

$C_0$: cost of the initial investment
$B_t$ and $C_t$: anticipated benefits and costs, respectively, in time period $t$ from the additional security activities
$k$: discount rate, which is usually considered an organization's cost of capital; it indicates the minimum rate a project needs to earn in order that the organization's value will not be reduced
The NPV model is most easily considered in terms of incremental investments
The realistic situation is that some level of security is already in place (e.g., basic firewalls, access controls)
The model can then be used to compare the incremental costs with the incremental benefits associated with increases in SA
Net Present Value Model
NPV greater than zero: accept the incremental security activities
NPV less than zero: reject the incremental security activities
NPV = zeroIndifference
k can be used to model risk
Internal Rate of Return (IRR) Model
Also known as the economic rate of return
IRR is the discount rate that makes the NPV = zero, thus:

$$C_0 = \sum_{t=1}^{n} \frac{B_t - C_t}{(1+IRR)^t}$$

Decision
IRR > k, accept the SA
IRR < k, reject
IRR = k, indifference
To select among security investments, NPV ranking is preferred to IRR ranking
Must-do Projects
Some SA are required by law and hence must be done, irrespective of IRR/NPV
Example: HIPAA compliance requirements
Safeguards must be in place to provide authorized access to patient information
Many organizations outsource such SA
Example 1
An organization wants a new IDS
Initial investment is $200,000 at the beginning of the first period
Expected to have a two-year useful life
Annual incremental benefits generated from the investment are estimated at $400,000
Annual incremental operating cost for the system is estimated to be $100,000
Discount rate: 15%
Example 1
What happens if the useful life is one year?
Example 2
Initial investment is $280,000 at the beginning of the first period
Expected to have a two-year useful life
Annual incremental benefits generated from the investment are estimated at $400,000
Annual incremental operating cost for the system is estimated to be $100,000
Discount rate: 15%
Example 2
What happens if the useful life is one year?
More on k
A higher k means a lower NPV
The attractiveness of an SA is therefore related to k
Most corporations use the weighted-average cost of capital (WC) in discounting future cash flows
For risky projects, some premium may be added
E.g., WC = 15% and k = 20%
Example 1 and 2
Return on Investment
ROI is essentially last period's annual profit divided by the cost of the investment required to generate that profit
ROI is viewed as a historical measure of performance used for evaluating past investments
NPV and IRR are performance measures used to make decisions about potential new investments
Unlike IRR, ROI technically does not consider the time value of money
Return on Investment
ROIs for the two examples
Example 1: 300K/200K * 100% = 150%
Example 2: 300K/280K * 100% = 107%
ROI assumes that the investment will continue to produce returns of $300K in years 2, 3, 4 and beyond
It therefore dramatically overstates the economic rate of return
The longer the returns persist, the better ROI approximates the IRR
If the $300K net benefit could go on forever, ROI = IRR
Surveys show that many managers use the ROI acronym to represent IRR
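The two IDS examples above and the ROI discussion use the same cash flows, so here is one added worked example that carries them through (my own code, not from the slides or from the Gordon-Loeb book). It computes NPV with the slide formula, finds the IRR by bisection on that NPV (a standard root-finding technique; the slides only define IRR as the rate where NPV is zero), applies the accept/reject rule at k = 15%, compares Example 1 at k = 20% to show the effect of a risk premium, and shows how the IRR of a $300K stream on a $200K outlay climbs toward the 150% ROI as the returns persist. The dollar figures are the ones the examples state; the function names are my own.

```python
"""NPV, IRR and ROI for the IDS investments in Examples 1 and 2.

Added worked example; it is not code from the lecture slides or from the
Gordon-Loeb book. The dollar figures are the ones the examples state; the
function names are my own. IRR is found by bisection on the NPV function.
"""
from typing import Dict, List


def npv(initial_cost: float, net_flows: List[float], k: float) -> float:
    """NPV = -C0 + sum_{t=1}^{n} (B_t - C_t) / (1 + k)^t, with net_flows[t-1] = B_t - C_t."""
    return -initial_cost + sum(
        flow / (1.0 + k) ** t for t, flow in enumerate(net_flows, start=1)
    )


def irr(initial_cost: float, net_flows: List[float],
        lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Discount rate at which NPV == 0, found by bisection on [lo, hi].

    Assumes a conventional project (one outlay, then non-negative net benefits),
    so NPV is strictly decreasing in the rate and the root is unique.
    """
    if npv(initial_cost, net_flows, lo) < 0 or npv(initial_cost, net_flows, hi) > 0:
        raise ValueError("IRR is not bracketed by [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if npv(initial_cost, net_flows, mid) > 0:
            lo = mid  # NPV still positive: the root lies at a higher rate
        else:
            hi = mid
    return (lo + hi) / 2.0


def roi(last_period_net_benefit: float, initial_cost: float) -> float:
    """Last period's profit divided by the investment; ignores the time value of money."""
    return last_period_net_benefit / initial_cost


def evaluate(initial_cost: float, annual_benefit: float, annual_cost: float,
             years: int, k: float) -> Dict[str, object]:
    """Apply the NPV decision rule and report NPV, IRR and ROI for one security activity."""
    flows = [annual_benefit - annual_cost] * years  # B_t - C_t, identical each year
    value = npv(initial_cost, flows, k)
    if value > 0:
        decision = "accept"
    elif value < 0:
        decision = "reject"
    else:
        decision = "indifferent"
    return {
        "npv": round(value, 2),
        "irr": round(irr(initial_cost, flows), 4),
        "roi": round(roi(flows[-1], initial_cost), 4),
        "decision": decision,
    }


if __name__ == "__main__":
    for label, c0 in (("Example 1", 200_000), ("Example 2", 280_000)):
        for years in (2, 1):
            print(label, f"{years}-year life:", evaluate(c0, 400_000, 100_000, years, 0.15))
    # Example 1 at k = 20% (a risk premium on the 15% cost of capital): NPV falls but stays positive.
    print("Example 1, k = 20%:", evaluate(200_000, 400_000, 100_000, 2, 0.20))
    # ROI approaches IRR as the $300K returns persist; in the limit both equal 150%.
    for n in (2, 5, 10, 40):
        print(f"{n} years of $300K on $200K: IRR = {irr(200_000, [300_000] * n):.4f}")
```

Running it reproduces the slide's point: Example 2 with a one-year life has NPV of about -$19K and an IRR of about 7%, below the 15% cost of capital, so it is rejected even though its ROI is 107%; and the IRR of the two-year Example 1 is about 119%, well short of the 150% ROI, with the gap closing only as the return stream is assumed to persist.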
Survey