Security Project


SECURITY RISK ANALYSIS AND MANAGEMENT
The risk analysis process gives management the information it needs to make educated judgments concerning information security. The procedure identifies the existing security controls, assesses vulnerabilities, and evaluates the effect of threats on each area of vulnerability.
In most cases, the risk analysis procedure attempts to
strike an economic balance between the impact of risks
and the cost of security solutions intended to manage
them.
At the basis of selecting cost-effective protective
measures is the assumption that the cost of controlling
any risk should not exceed the maximum loss associated
with the risk.
For example, if the potential loss attributable to a risk is
estimated to be $100,000, the cost of the protective
measures intended to prevent that loss should not exceed
that amount.
In other cases, however, the decision to implement (or
not implement) countermeasures may be driven by the
importance of the system or its data or by mandates as
opposed to its cost.
In either case, the sum of averted risks must be
considered where a single remedy will reduce several
risks. The analyst must also consider the use and
interaction of multiple remedies. One remedy may
improve or negate the effectiveness of another.
These considerations form the basis for determining
which protective measures are the most appropriate.
After having evaluated the loss of each risk, assessments
can be made about the funds that can be allocated to
lessen the estimated annual losses to an acceptable level.

With information on loss before and after the application of controls, cost evaluations will indicate which countermeasures are most cost-effective.

When identifying the protective measures that should be implemented, consideration should be given to the greatest risks first.

The risk analysis methodology selected (including the quantitative cost analysis methods) will likely suggest the use of cost indicators or common denominators that function to identify the most cost-effective security solutions.

The following cost indicators provide a basis for comparison among protective measures:
· The payback period necessary to recover the costs attributable to a protective measure
· The expected annual cost avoidance (the reduction in potential loss) attributable to a protective measure (the amount of cost avoidance realized after the countermeasure is installed and has achieved payback)
· The amount of expected loss reduction provided the countermeasure is implemented

Security policy requires the creation of an ongoing information management planning process that includes planning for the security of each organization's information assets. Risk management is an ongoing, proactive program for establishing and maintaining an acceptable information system security posture.
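The cost indicators above (payback period, annual cost avoidance, expected loss reduction) can be computed mechanically once each risk has a loss figure and a frequency. The Python below is an added example, not code from the page; it assumes a simple model that the page does not fix (annual loss expectancy = single loss expectancy × annualised rate of occurrence, and a countermeasure removing a fraction of a risk's frequency) and uses constructed risks and prices. It also applies the two rules stated earlier: consider the greatest risks first, and sum the averted losses when a single remedy reduces several risks.

```python
"""Cost indicators for comparing protective measures (added example).

Assumed model, not from the page: each risk is characterised by a single
loss expectancy (SLE) and an annualised rate of occurrence (ARO), so its
annual loss expectancy is ALE = SLE * ARO; a countermeasure removes a
fraction of the ARO of one or more risks and costs a one-time amount plus
a yearly amount. All risks, controls and figures below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy, dollars per occurrence
    aro: float   # annualised rate of occurrence

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    one_time_cost: float
    annual_cost: float
    # fraction of each named risk's ARO removed; one remedy may cover several
    # risks, and the averted losses of all of them are summed
    aro_reduction: Dict[str, float]


def risks_by_ale(risks: List[Risk]) -> List[Risk]:
    """Greatest risks first: the order in which protective measures are considered."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def loss_reduction(cm: Countermeasure, risks: List[Risk]) -> float:
    """Expected loss reduction if the countermeasure is implemented: sum of ALE before minus ALE after."""
    return sum(r.ale * cm.aro_reduction.get(r.name, 0.0) for r in risks)


def annual_cost_avoidance(cm: Countermeasure, risks: List[Risk]) -> float:
    """Expected annual cost avoidance once in place: loss reduction net of the recurring cost."""
    return loss_reduction(cm, risks) - cm.annual_cost


def payback_years(cm: Countermeasure, risks: List[Risk]) -> float:
    """Payback period: years of net cost avoidance needed to recover the one-time cost."""
    net = annual_cost_avoidance(cm, risks)
    return cm.one_time_cost / net if net > 0 else math.inf


def cost_justified(cm: Countermeasure, risks: List[Risk], horizon_years: int) -> bool:
    """The cost of controlling a risk should not exceed the loss it averts;
    the one-time cost is amortised over the planning horizon (assumed rule)."""
    amortised = cm.one_time_cost / horizon_years + cm.annual_cost
    return amortised <= loss_reduction(cm, risks)


def rank(cms: List[Countermeasure], risks: List[Risk], horizon_years: int) -> List[Tuple[str, float, float]]:
    """Cost-effective measures only, best annual cost avoidance first: (name, avoidance, payback)."""
    rows = [(c.name, annual_cost_avoidance(c, risks), payback_years(c, risks))
            for c in cms if cost_justified(c, risks, horizon_years)]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# constructed sample data (not from the page)
RISKS = [
    Risk("ransomware outbreak", sle=250_000, aro=0.2),
    Risk("phishing credential theft", sle=40_000, aro=1.5),
    Risk("storage hardware failure", sle=20_000, aro=0.5),
]
MFA = Countermeasure("MFA", 15_000, 5_000,
                     {"phishing credential theft": 0.8, "ransomware outbreak": 0.3})
BACKUPS = Countermeasure("offline backups", 30_000, 8_000,
                         {"ransomware outbreak": 0.5, "storage hardware failure": 0.9})
APPLIANCE = Countermeasure("redundant storage appliance", 200_000, 40_000,
                           {"storage hardware failure": 0.95})
COUNTERMEASURES = [MFA, BACKUPS, APPLIANCE]

if __name__ == "__main__":
    for r in risks_by_ale(RISKS):
        print(f"{r.name:28s} ALE ${r.ale:>10,.0f}")
    for name, avoidance, payback in rank(COUNTERMEASURES, RISKS, horizon_years=3):
        print(f"{name:28s} avoidance ${avoidance:>9,.0f}/yr  payback {payback:.2f} yr")
```

With these figures the appliance is dropped because its amortised cost exceeds the loss it averts, MFA ranks first because it reduces two risks at once, and the phishing risk, not the headline ransomware figure, is the largest annual loss and therefore the first to address.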

Once an acceptable security posture is attained [accreditation or certification], the risk management program monitors it through everyday activities and follow-on security risk analyses.
In many cases, the rules, regulations, or policies that
govern the information security program will stipulate
when a follow-on risk analysis must be done.

The risk management steps include:
· Assign and track corrective actions, as necessary, to reduce residual risk to an acceptable level.
· Continuously monitor the security posture.

A security risk analysis is a procedure for estimating the risk to computer-related assets and the loss expected from manifested threats.
The procedure first determines an asset's level of
vulnerability by identifying and evaluating the effect of
in-place countermeasures. An asset's level of
vulnerability to the threat population is determined solely
by countermeasures [controls/safeguards] that are in-
place at the time the risk analysis is done.
Next, detailed information about the asset is used to
determine the significance of the asset's vulnerabilities.
This includes how the asset is (or will be) used, data
sensitivity levels, mission criticality, inter-connectivity,
etc.
Finally, the negative impact [expected loss] to the asset is
estimated by examining various combinations of threats
and vulnerability areas.
The key terms in the paragraphs above are the more important terms associated with security risk analysis: assets, threats, vulnerability, countermeasures, and expected loss. If you understand how these various "things" relate to each other, you will understand the rationale behind a security risk analysis.

How do we know what our potential losses will be if we do not do an analysis?
Should we spend the time and money to implement one
or more countermeasures if manifested threats are
unlikely?
Is the status quo acceptable?
A security risk analysis defines the current environment
and makes recommended corrective actions if the
residual risk is unacceptable. Risk analysis is a vital
part of any ongoing security and risk management
program.
The risk analysis process should be conducted with
sufficient regularity to ensure that each agency's
approach to risk management is a realistic response to
the current risks associated with its information assets.
Management must then decide on whether to accept the
residual risk or to implement the recommended actions.
Believe it or not, YOU do one or more risk analyses
every day of your life! Every time you cross the street or
pull out onto the highway you do an analysis of the
threats, vulnerabilities, and in-place countermeasures,
and decide if the risk of asset loss is acceptable. If it is,
you proceed. If not, you may put one or more additional
countermeasures in-place and analyze the risk again.

In order to discuss security risk analysis concepts we must first establish a baseline of the related terms. Then, we must define how the terms relate to each other and how they are used to analyze risk.

Risk Analysis Terminology
Asset - Anything with value and in need of protection.
Threat - An action or potential action with the propensity to cause damage.
Vulnerability - A condition of weakness. If there were no vulnerabilities, there would be no concern for threat activity.
Countermeasure - Any device or action with the ability to reduce vulnerability.
Expected Loss - The anticipated negative impact to assets due to threat manifestation.
Impact - Losses as a result of threat activity are normally expressed in one or more impact areas.

Four areas are commonly used: Destruction, Denial of Service, Disclosure, and Modification.

How "Things" Work Together

A security risk analysis is an examination of the interrelationships between assets, threats, vulnerabilities, and countermeasures to determine the current level of risk. The level of risk that remains after consideration of all in-place countermeasures, vulnerability levels, and related threats is called residual risk. Ultimately, it is the residual risk that must be accepted [as is] or reduced to a point where it can be accepted.

Any given threat in the population of threats is poised to take advantage of system vulnerabilities, countermeasures reduce the level of vulnerability, the asset is what needs to be protected, and the impacts are the result of threat activity through residual risk.

Doing The Analysis
Although the same "things" are involved in a security risk analysis, many variations in the procedure for determining residual risk are possible. Likewise, the metric for expressing residual risk can vary from good/bad or high/low to a statement that a certain amount of money will be lost.

But, in the end, any security risk analysis should indicate (1) the current level of risk, (2) the likely consequences, and (3) what to do about it if the residual risk is too high.

What risk analysis methodology is best? Which one will produce the desired results with the least cost and time? Should the procedure be qualitative, quantitative, automated, manual, or some combination of these?

All risk analysis methodologies enable system users to compare possible losses to their agency with the cost of countermeasures (a.k.a. safeguards or controls) designed to protect against those losses. To be useful, a risk analysis methodology should produce a quantitative statement of the impact of a risk or the effect of specific security problems. The three key elements in risk analysis are: (1) a statement of impact, or the cost of a specific difficulty if it happens; (2) a measure of the effectiveness of in-place countermeasures; and (3) a series of recommendations to correct or minimize identified problems.

How many people will be needed? For how long? How much experience must they have, of what type, and what impact will their experience [or lack thereof] have? Will the results suffer from inaccuracies or inconsistencies in the information obtained? What are the advantages of automation?

Planning for information security and risk management begins with identifying the information assets, data sensitivity, values, in-place countermeasures, applicable threats and their frequency of occurrence, and the system (project) configuration.

This information is later used to calculate vulnerabilities and risks. The computer or network risk assessment process consists of nine separate, but interrelated, steps. The following paragraphs describe what is involved in these 9 steps.

Identify and Valuate Assets
The first step for all risk assessments is to identify and assign a value to the assets in need of protection. The value of assets is a significant factor in the decision to make operational tradeoffs to increase asset protection. The essential point is to list all things that could be affected by a security problem. These include: hardware, software, data, people, documentation, and supplies.
An asset's value is based on its cost, sensitivity, mission criticality, or a combination of these. When the value is based on something other than cost, it is usually converted to money using a standard equivalency table. The asset value will be used later in the assessment process to determine the magnitude of loss when threats occur.
Identify Applicable Threats
After identifying the assets that require protection, the threats to those assets must be identified and examined to determine the potential for loss. This step involves the identification and description of threats in the threat population that seem appropriate for the system or network being assessed, and estimating how often they are likely to occur. These include, as a minimum: unauthorized access, disclosure of information, denial of service, access points, misconfigured systems, software bugs, and insider threats.

Threat Definition
A threat is a potential force that could degrade the confidentiality (compromise), accuracy (integrity), or availability (denial of service) of the system or network. Threats can be human (intentional or unintentional) or environmental (natural or fabricated).

Identify/Describe Vulnerabilities
The level of risk is determined by analyzing the interrelationship of threats and vulnerabilities. A risk exists when a threat has a corresponding vulnerability, but even high vulnerability areas are of no consequence if no threats occur.
Vulnerability Definition
A vulnerability is a condition of weakness. A condition of weakness creates an opportunity for exploitation by one or more threats.
The following axiom applies for vulnerabilities:
Axiom 3: The level of vulnerability decreases as countermeasures increase.

Postulation: The level of vulnerability to threats is reduced by the implementation of countermeasures. Some countermeasures have a greater propensity to offset vulnerability than others. The level of vulnerability and the relative value of each countermeasure said to reduce it can be expressed numerically.

Pair Threats and Vulnerabilities
A threat is any action with the potential to cause a negative impact. If there were no threats to computer systems, there would be no need to be concerned about computer system vulnerabilities. By linking or pairing threats with vulnerabilities, the evaluation of the potential for threat occurrence is tailored to any particular environment.
Determine the Impact of Threat Occurrence
When the exploitation of a vulnerability occurs, the asset suffers an impact (loss). The losses are categorized in impact areas titled Disclosure, Modification, Destruction, and Denial of Service.
Disclosure
This is a confidentiality issue. Greater emphasis is placed on this impact area when sensitive or classified information is being processed.
Modification
When an asset is changed from its original state by the effect of threat manifestation, it is called Modification.
Destruction
In this case the asset is damaged beyond practical use by threat activity. Emphasis is placed on this impact area when the complete loss of an asset is a more important concern than its modification or temporary non-availability.
Denial of Service
This impact is emphasized when threats are more likely to cause a temporary loss of capability than total destruction or modification.
By emphasizing one or more impact areas in the evaluation process, management can focus their resources on reducing the impact in the area that concerns them most.

In-Place Countermeasures
Credit must be given for all in-place countermeasures. Identifying in-place countermeasures is part of the up-front data gathering process in any risk analysis process. Countermeasures can be categorized as Technical or Administrative, with subcategories of each type as follows:
Preventive
This type of countermeasure is designed to prevent damage or impact from an action or event from occurring.
Detective
These countermeasures provide some type of notification that something has gone wrong.
Corrective
Some countermeasures have the ability to correct identified problems, such as the loss of a bit in a word.
Countermeasure Definition
Countermeasures are the protection measures that reduce the level of vulnerability to threats. For recommendation purposes, they come in two flavors: required and discretionary. Both types of in-place countermeasures are identified as part of the initial data gathering activity.
The following axiom applies to countermeasures:
Axiom 4: All countermeasures have inherent vulnerabilities.
Postulation: A vulnerability level of ZERO can never be obtained, since all countermeasures have vulnerabilities themselves. For this reason, vulnerability can never be zero, and thus risk can never be totally eliminated.
Required Countermeasures
All countermeasures in this category can be traced to one or more written rules or regulations. The sensitivity of data being stored and/or processed on a system or network, and its mode of operation, determine which regulations apply. This, in turn, determines the required countermeasures.

Determine Residual Risks (Conclusions)
Residual risk refers to the level of risk that remains after giving credit for the in-place countermeasures. Based on the nature of countermeasures, as defined in Axiom 4 above, there will always be residual risk. The issue becomes one of determining whether or not the residual risk is acceptable. The residual risk takes the form of conclusions reached from the assessment process.
The conclusions must identify: (1) areas which have a high vulnerability coupled with a likelihood of threat occurrence, and (2) all required countermeasures that are not in-place. The results of these steps provide the input needed to begin the selection of additional countermeasures.
Identify Additional Countermeasures (Recommendations)
Once the residual risk has been determined, the next step is to identify the most effective and least costly way to reduce risk to an acceptable level. An operational trade-off must be made any time additional countermeasures are implemented. Tradeoffs can take the form of cost, convenience, time, or a mix of these.
The following axiom applies to reducing risk:
Axiom #5: An acceptable level of vulnerability can be obtained through the implementation of countermeasures.
Postulation: There exists a mix of countermeasures that can achieve any arbitrary level of vulnerability above zero (zero itself is ruled out by Axiom 4).

Prepare a Risk Analysis Report
The risk analysis process helps to identify the information assets at risk and attach a value to the risks. Additionally, it identifies protective measures that minimize the effects of risk and assigns a cost to each countermeasure. The risk analysis process also determines whether the countermeasures are effective. After the analysis is complete, a report documenting the risk assessment must be prepared.
The biggest challenge in writing a security risk analysis report is to bridge the gap between risk analysis jargon and information that management can understand and use for decision making. As a rule, management will focus on summary information and only use technical details if they are needed to support a decision or make a choice between recommendations.
The risk analysis report serves as the vehicle for presenting to management the findings of the risk analysis process and recommendations for information security. It provides company or agency management with the information needed to make intelligent and well-informed decisions related to security issues. The report should be forwarded to the agency or company head for prompt review, approval, and action.

The report's technical details should include, as a minimum:
· Vulnerability levels
· Applicable threats and their frequency
· The use environment
· System connectivity
· Data sensitivity level(s)
· Residual risk, expressed on an individual vulnerability
basis
· Detailed Annual Loss Expectancy calculations
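As an added example (not code from the page) of the nine steps producing the report's minimum technical content above, the Python below models assets with a value, threats with a frequency and an impact area, vulnerability levels that fall as in-place countermeasures are credited (Axiom 3) but are floored above zero (Axiom 4), residual risk per threat/vulnerability pair as an annual loss expectancy, the two conclusions the assessment must identify, and the projected residual risk once the missing required countermeasures are added. The numeric model, the thresholds for "high vulnerability" and "likely threat", and all sample data are assumptions.

```python
"""Residual-risk calculation for the nine-step assessment (added example).

Assumed model, not stated by the page: a vulnerability level is a number in
(0, 1] giving the fraction of an asset's value lost when a paired threat
manifests; each in-place countermeasure multiplies the level by
(1 - effectiveness), and a floor keeps it above zero (Axiom 4); a threat has
an estimated annual frequency and one of the four impact areas. All assets,
threats, countermeasures and figures below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPACT_AREAS = ("Disclosure", "Modification", "Destruction", "Denial of Service")
VULN_FLOOR = 0.01         # Axiom 4: no set of countermeasures reaches zero
HIGH_VULNERABILITY = 0.4  # assumed threshold for "high vulnerability"
LIKELY_THREAT = 1.0       # assumed: at least one expected occurrence per year


@dataclass(frozen=True)
class Asset:              # step 1: identify and valuate
    name: str
    value: float          # dollars, after any sensitivity/criticality conversion
    sensitivity: str


@dataclass(frozen=True)
class Threat:             # step 2: applicable threats and their frequency
    name: str
    impact_area: str      # step 5: impact area the threat produces
    annual_frequency: float

    def __post_init__(self):
        if self.impact_area not in IMPACT_AREAS:
            raise ValueError(f"unknown impact area: {self.impact_area}")


@dataclass(frozen=True)
class Countermeasure:     # step 6: in-place credit; required vs discretionary
    name: str
    kind: str             # preventive, detective or corrective
    effectiveness: float  # fraction of vulnerability removed, 0..1
    required: bool        # traceable to a written rule or regulation


@dataclass(frozen=True)
class Vulnerability:      # step 3: condition of weakness on one asset
    name: str
    asset: Asset
    threats: Tuple[str, ...]     # step 4: paired threat names
    base_level: float            # level with no countermeasures at all
    applicable: Tuple[str, ...]  # countermeasures that could address it
    in_place: Tuple[str, ...]    # those already deployed


def vulnerability_level(v: Vulnerability, catalogue: Dict[str, Countermeasure], extra=()) -> float:
    """Axiom 3: the level falls as countermeasures are added, but never below the floor."""
    level = v.base_level
    for name in tuple(v.in_place) + tuple(extra):
        level *= 1.0 - catalogue[name].effectiveness
    return max(level, VULN_FLOOR)


def residual_ale(v: Vulnerability, t: Threat, catalogue, extra=()) -> float:
    """Step 7: residual risk for one pair, expressed as an annual loss expectancy."""
    return v.asset.value * vulnerability_level(v, catalogue, extra) * t.annual_frequency


def assess(vulns: List[Vulnerability], threats: List[Threat], catalogue) -> List[dict]:
    """Steps 4-8: pair, score, draw the two required conclusions, project the fix.
    Returns one row per threat/vulnerability pair, greatest residual risk first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for v in vulns:
        missing = [c for c in v.applicable if catalogue[c].required and c not in v.in_place]
        level = vulnerability_level(v, catalogue)
        for t in (by_name[n] for n in v.threats):
            rows.append({
                "vulnerability": v.name, "asset": v.asset.name, "threat": t.name,
                "impact_area": t.impact_area, "frequency": t.annual_frequency,
                "level": level, "ale": residual_ale(v, t, catalogue),
                # conclusion (1): high vulnerability coupled with a likely threat
                "high_and_likely": level >= HIGH_VULNERABILITY and t.annual_frequency >= LIKELY_THREAT,
                # conclusion (2): required countermeasures not in place
                "missing_required": missing,
                # step 8: residual ALE once the missing required controls are added
                "ale_after_required": residual_ale(v, t, catalogue, missing),
            })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


# constructed sample data (not from the page)
CATALOGUE = {c.name: c for c in (
    Countermeasure("parameterised queries", "preventive", 0.9, required=True),
    Countermeasure("WAF", "preventive", 0.4, required=False),
    Countermeasure("offline backups", "corrective", 0.8, required=True),
    Countermeasure("traffic monitoring", "detective", 0.3, required=False),
)}
DB = Asset("customer database", 500_000, "PII")
WEB = Asset("public web server", 80_000, "public")
THREATS = [Threat("SQL injection", "Disclosure", 2.0),
           Threat("ransomware", "Destruction", 0.3),
           Threat("volumetric DDoS", "Denial of Service", 4.0)]
VULNS = [
    Vulnerability("unparameterised queries", DB, ("SQL injection",), 0.8,
                  ("parameterised queries", "WAF"), ("WAF",)),
    Vulnerability("no offline backups", DB, ("ransomware",), 1.0, ("offline backups",), ()),
    Vulnerability("single upstream link", WEB, ("volumetric DDoS",), 0.2,
                  ("traffic monitoring",), ("traffic monitoring",)),
]


def sample_report() -> List[dict]:
    return assess(VULNS, THREATS, CATALOGUE)


if __name__ == "__main__":
    for r in sample_report():
        print(f'{r["vulnerability"]:24s} {r["threat"]:16s} level {r["level"]:.2f}  '
              f'ALE ${r["ale"]:>9,.0f}  missing {r["missing_required"] or "-"}  '
              f'after fix ${r["ale_after_required"]:>9,.0f}')
```

Each row carries the report's minimum technical content for one vulnerability: its level, the paired threat and frequency, the impact area, residual risk on an individual vulnerability basis, and the annual loss expectancy before and after the required countermeasures. Note that the ransomware pair shows the highest vulnerability level but is not flagged under conclusion (1) because the threat is not "likely" at the assumed threshold; it still surfaces through conclusion (2) and through its ALE rank, which is why a report should carry all three.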

So, which methodology for security risk analysis is best: qualitative, quantitative, or hybrid? Should the process be manual or automated? The most basic function of any security risk analysis process is to determine, as accurately as possible, the risk to assets. Of course, the procedure for determining the risk can be complex or simple, depending on the asset and on the analysis methodology used. The amount of risk can be expressed as good/bad or high/low (qualitative), as a calculated metric (quantitative), or as a combination of the two (hybrid).

The process of data collection, analysis, and preparing a security risk analysis report involves many steps. It is time consuming, expensive, and more often than not, a collateral duty for the person(s) charged with getting it done. Moreover, the requirement to do a security risk analysis is cyclic in nature, e.g., initially and then once every one to three years.
