Chapter 5

Risk Management
 Learning Objectives

• Upon completion of this material, you should be

able to:
– Define risk management, risk identification, and risk
control
– Describe how risk is identified and assessed
– Assess risk based on probability of occurrence and
likely impact
– Explain the fundamental aspects of documenting risk
via the process of risk assessment

Abdul K Mustafa, Winter 2016

 Learning Objectives (cont’d.)
– Describe the various risk mitigation strategy options
– Identify the categories that can be used to classify
controls
– Recognize the conceptual frameworks for evaluating
risk controls and formulate a cost benefit analysis
– Describe how to maintain and perpetuate risk
controls

Abdul K Mustafa, Winter 2016

 Introduction

• Organizations must design and create safe

environments in which business processes and
procedures can function
• Risk management: process of identifying and
controlling risks facing an organization
• Risk identification: process of examining an
organization’s current information technology
security situation
• Risk control: applying controls to reduce risks to
an organization’s data and information systems

Abdul K Mustafa, Winter 2016

 An Overview of Risk Management

• Know yourself: identify, examine, and understand

the information and systems currently in place
• Know the enemy: identify, examine, and
understand threats facing the organization
• Responsibility of each community of interest within
an organization to manage risks that are
encountered

Abdul K Mustafa, Winter 2016

 Figure 5-1 Components of Risk Management

Abdul K Mustafa, Winter 2016

 The Roles of the Communities of
Interest
• Information security, management and users, and
information technology all must work together
• Communities of interest are responsible for:
– Evaluating the risk controls
– Determining which control options are cost effective
for the organization
– Acquiring or installing the needed controls
– Ensuring that the controls remain effective

Abdul K Mustafa, Winter 2016

 Risk Management Discussion Points

• Organization must define level of risk it can live

with
• Risk appetite: defines quantity and nature of risk
that organizations are willing to accept as trade-offs
between perfect security and unlimited accessibility
• Residual risk: risk that has not been completely
removed, shifted, or planned for

Abdul K Mustafa, Winter 2016

 Figure 5-3 Residual risk
Abdul K Mustafa, Winter 2016
 Risk Identification

• Risk management involves identifying, classifying,

and prioritizing an organization’s assets
• A threat assessment process identifies and
quantifies the risks facing each asset
• Components of risk identification
– People
– Procedures
– Data
– Software
– Hardware
Abdul K Mustafa, Winter 2016
 Plan and Organize the Process

• First step in the Risk Identification process is to

follow your project management principles
• Begin by organizing a team with representation
across all affected groups
• The process must then be planned out
– Periodic deliverables
– Reviews
– Presentations to management
• Tasks laid out, assignments made and timetables
discussed
Abdul K Mustafa, Winter 2016
 Figure 5-4 Components of Risk Identification

Abdul K Mustafa, Winter 2016

 Asset Identification and Inventory

• Iterative process; begins with identification of

assets, including all elements of an organization’s
system (people, procedures, data and information,
software, hardware, networking)
• Assets are then classified and categorized

Abdul K Mustafa, Winter 2016

 Table 5-1 Categorizing the Components of an Information System

Abdul K Mustafa, Winter 2016

 People, Procedures, and Data Asset
Identification
• Human resources, documentation, and data
information assets are more difficult to identify
• Important asset attributes:
– People: position name/number/ID; supervisor;
security clearance level; special skills
– Procedures: description; intended purpose; what
elements it is tied to; storage location for reference;
storage location for update
– Data: classification; owner/creator/ manager; data
structure size; data structure used; online/offline;
location; backup procedures employed
Abdul K Mustafa, Winter 2016
 Hardware, Software, and Network
Asset Identification
• What information attributes to track depends on:
– Needs of organization/risk management efforts
– Preferences/needs of the security and information
technology communities
• Asset attributes to be considered are: name; IP
address; MAC address; element type; serial
number; manufacturer name; model/part number;
software version; physical or logical location;
controlling entity
• Automated tools can identify system elements for
hardware, software, and network components
Abdul K Mustafa, Winter 2016
 Data Classification and Management

• Variety of classification schemes used by corporate

and military organizations
• Information owners responsible for classifying their
information assets
• Information classifications must be reviewed
periodically
• Most organizations do not need detailed level of
classification used by military or federal agencies;
however, organizations may need to classify data
to provide protection

Abdul K Mustafa, Winter 2016

 Data Classification and Management
(cont’d.)
• Security clearance structure
– Each data user assigned a single level of authorization
indicating classification level
– Before accessing specific set of data, employee must
meet need-to-know requirement
• Management of Classified Data
– Confidential --Top Secret --Unclassified
– Internal --Secret
– External --Sensitive
• Storage, distribution, portability, and destruction of
classified data
• Clean desk policy
• Dumpster diving

Abdul K Mustafa, Winter 2016

 Data Classification and Management
(cont’d.)

Abdul K Mustafa, Winter 2016

Classifying and Prioritizing Information
Assets
• Many organizations have data classification
schemes (e.g., confidential, internal, public data)
• Classification of components must be specific to
allow determination of priority levels
• Categories must be comprehensive and mutually
exclusive

Abdul K Mustafa, Winter 2016

 Information Asset Valuation

• Questions help develop criteria for asset valuation

• Which information asset:
– Is most critical to organization’s success?
– Generates the most revenue/profitability?
– Would be most expensive to replace or protect?
– Would be the most embarrassing or cause greatest
liability if revealed?

Abdul K Mustafa, Winter 2016

 Figure 5-7: Sample Inventory Worksheet

Abdul K Mustafa, Winter 2016

 Information Asset Valuation (cont’d.)

• Information asset prioritization

– Create weighting for each category based on the
answers to questions
– Calculate relative importance of each asset using
weighted factor analysis
– List the assets in order of importance using a
weighted factor analysis worksheet

Abdul K Mustafa, Winter 2016

 Table 5-2 Example of a Weighted Factor Analysis Worksheet
Notes: EDI: Electronic Data Interchange
SSL: Secure Sockets Layer

Abdul K Mustafa, Winter 2016

 Identifying and Prioritizing Threats

• Realistic threats need investigation; unimportant

threats are set aside
• Threat assessment:
– Which threats present danger to assets?
– Which threats represent the most danger to
information?
– How much would it cost to recover from attack?
– Which threat requires greatest expenditure to
prevent?

Abdul K Mustafa, Winter 2016

 Table 5-3 Threats to Information Security8

Abdul K Mustafa, Winter 2016

 Vulnerability Identification

• Specific avenues threat agents can exploit to attack

an information asset are called vulnerabilities
• Examine how each threat could be perpetrated and
list organization’s assets and vulnerabilities
• Process works best when people with diverse
backgrounds within organization work iteratively in
a series of brainstorming sessions
• At end of risk identification process, list of assets
and their vulnerabilities is achieved

Abdul K Mustafa, Winter 2016

 Weighted ranks of threats to
information security
Categories of threats ranked by greatest to least 2010 2003
threat ranking ranking
Espionage or trespass 1 4
Software attacks 2 1
Human error or failure 3 3
Theft 4 7
Compromises to intellectual property 5 9
Sabotage or vandalism 6 5
Technical software failures or errors 7 2
Technical hardware failures or errors 8 6
Forces of nature 9 8
Deviation in quality of service 10 10
Technological obsolescence 11 11
Information extortion 12 12
 CSI survey results for types of attack
or misuse (2000-2011)
Type of attack or misuse 2010/11 2008 2006 2004 2002 2000
Malware injection (revised after 2008) 67% 50% 65% 78% 85% 85%
Being fraudulently represented as 39% 31% (new
sender of phishing message category)
Laptop/mobile hardware theft/loss 34% 42% 47% 49% 55% 60%
Bots/zombies in organization 29% 20% (new category)
Insider abuse of internet access or 25% 44% 42% 59% 78% 79%
email
Denial of service 17% 21% 25% 39% 40% 27%
Unauthorized access or privilege 13% 15%
escalation by insider
Password sniffing 11% 9%
System penetration by outsider 11%
Exploit of client web browser 10%
Abdul K Mustafa, Winter 2016
 TVA worksheet
• Threats vulnerabilities-assets (TVA) worksheet:
– A document that shows a comparative ranking of
prioritized assets against prioritized threats, with an
indication of any vulnerabilities in the asset/threat pairing.
• Threats-vulnerabilities-assets (TVA) triples:
– A pairing of an asset with a threat and an asset
identification of vulnerabilities that exist between the two.
This pairing is often expressed in the format TxVyAz,
where there may be one or more vulnerabilities between
Threat X and Asset Z. For example, T1V1A2 would
represent Threat 1 to Vulnerability 1 on Asset 2.

Abdul K Mustafa, Winter 2016

 TVA worksheet

Table 5-8: Sample TVA spreadsheet

Abdul K Mustafa, Winter 2016

 Risk Assessment

• Risk assessment evaluates the relative risk for

each vulnerability
• Assigns a risk rating or score to each information
asset
• The goal at this point: create a method for
evaluating the relative risk of each listed
vulnerability

Abdul K Mustafa, Winter 2016

 Likelihood

• The probability that a specific vulnerability will be

the object of a successful attack
• Assign numeric value: number between 0.1 (low)
and 1.0 (high), or a number between 1 and 100
• Zero not used since vulnerabilities with zero
likelihood are removed from asset/vulnerability list
• Use selected rating model consistently
• Use external references for values that have been
reviewed/adjusted for your circumstances

Abdul K Mustafa, Winter 2016

 Risk Determination

• For the purpose of relative risk assessment:

– Risk EQUALS
– TIMES Loss frequency
– TIMES Loss magnitude
– PLUS an element of uncertainty

Risk = Loss Frequency * Loss Magnitude + Uncertainty

Abdul K Mustafa, Winter 2016

 Formula
RISK is

The probability of a successful attack on the organization

(Loss Frequency = Likelihood * Attack Success Probability

Multiplied by

The Expected Loss from a Successful Attack

(Loss Magnitude = Asset Value * Probability Loss

Plus

The Uncertainty Of Estimates of All Stated Values

Abdul K Mustafa, Winter 2016
 Exercise 1
• Information asset A is an online e-commerce database.
Industry reports indicate a 10 per-cent chance of an attack
this year, based on an estimate of one attack every 10 years.
The information security and IT departments report that if
the organization is attacked, the attack has a 50 percent
chance of success based on current asset vulnerabilities and
protection mechanisms. The asset is valued at a score of 50
on a scale of 0 to 100, and information security and IT staff
expect that 100 percent of the asset would be lost or
compromised by a successful attack. You estimate that the
assumptions and data are 90 percent accurate.
Abdul K Mustafa, Winter 2016
 Exercise 2
• Information asset B is an internal personnel database behind
a firewall. Industry reports indicate a 1 percent chance of an
attack. The information security and IT departments report
that if the organization is attacked, the attack has a 10
percent chance of success based on current asset
vulnerabilities and protection mechanisms. The asset is
valued at a score of 25 on a scale of 0 to 100, and information
security and IT staff expect that 50 percent of the asset would
be lost or compromised by a successful attack, because not all
of the asset is stored in a single location. You estimate that
the assumptions and data are 90 percent accurate.
Abdul K Mustafa, Winter 2016
 Assessing Risk Acceptability

• For each threat and associated vulnerabilities that

have residual risk, create preliminary list of control
ideas
• Residual risk is risk that remains to information
asset even after existing control has been applied
• There are three general categories of controls:
– Policies
– Programs
– Technologies

Abdul K Mustafa, Winter 2016

 Documenting the Results of Risk
Assessment
• Final summary comprised in ranked vulnerability
risk worksheet
• Worksheet details asset, asset impact,
vulnerability, vulnerability likelihood, and risk-rating
factor
• Ranked vulnerability risk worksheet is initial
working document for next step in risk
management process: assessing and controlling
risk

Abdul K Mustafa, Winter 2016

 Loss Loss
Frequency Magnitude

Table 5-9 Ranked Vulnerability Risk Worksheet

Abdul K Mustafa, Winter 2016

Deliverable Purpose

Information asset classification worksheet Assembles information about information

assets and their impact

Weighted criteria analysis worksheet Assigns ranked value or impact weight to

each information asset

Ranked vulnerability risk worksheet Assigns ranked value of risk rating for
each uncontrolled asset-vulnerability pair

Table 5-10 Risk Identification and Assessment Deliverables

Abdul K Mustafa, Winter 2016

 Risk Control Strategies

• Once ranked vulnerability risk worksheet complete,

must choose one of five strategies to control each
risk:
– Defend
– Transfer
– Mitigate
– Accept
– Terminate

Abdul K Mustafa, Winter 2016

 Defend

• Attempts to prevent exploitation of the vulnerability

• Preferred approach
• Accomplished through countering threats,
removing asset vulnerabilities, limiting asset
access, and adding protective safeguards
• Three common methods of risk avoidance:
– Application of policy
– Training and education
– Applying technology

Abdul K Mustafa, Winter 2016

 Transfer

• Control approach that attempts to shift risk to other

assets, processes, or organizations
• If lacking, organization should hire individuals/firms
that provide security management and
administration expertise
• Organization may then transfer risk associated with
management of complex systems to another
organization experienced in dealing with those
risks

Abdul K Mustafa, Winter 2016

 Mitigate

• Attempts to reduce impact of vulnerability

exploitation through planning and preparation
• Approach includes three types of plans
– Incident response plan (IRP): define the actions to
take while incident is in progress
– Disaster recovery plan (DRP): most common
mitigation procedure
– Business continuity plan (BCP): encompasses
continuation of business activities if catastrophic
event occurs

Abdul K Mustafa, Winter 2016

 Accept

• Doing nothing to protect a vulnerability and

accepting the outcome of its exploitation
• Valid only when the particular function, service,
information, or asset does not justify cost of
protection

Abdul K Mustafa, Winter 2016

 Terminate

• Directs the organization to avoid those business

activities that introduce uncontrollable risks
• May seek an alternate mechanism to meet
customer needs

Abdul K Mustafa, Winter 2016

 Selecting a Risk Control Strategy

• Level of threat and value of asset play major role in

selection of strategy
• Rules of thumb on strategy selection can be
applied:
– When a vulnerability exists
– When a vulnerability can be exploited
– When attacker’s cost is less than potential gain
– When potential loss is substantial

Abdul K Mustafa, Winter 2016

 Figure 4-8 Risk Handling Decision Points
Abdul K Mustafa, Winter 2016
 Top 10 Information Security Mistakes
Made by Employees
1. The not-so-subtle Post-it Note.
2. We know better than you.
3. Leaving the machine on
4. Opening e-mail attachments
5. Poor password selection.
6. Loose lips sink ships.
7. Laptops have legs.
8. Poorly enforced security policies.
9. Failing to consider the staff.
10. Being slow to update Horowitz, Alan. "Top 10 Security Mistakes".
Computerworld. N.p., July 9, 2001
Abdul K Mustafa, Winter 2016
 Feasibility Studies

• Before deciding on strategy, all information about

economic/noneconomic consequences of
vulnerability of information asset must be explored
• A number of ways exist to determine advantage of
a specific control

Abdul K Mustafa, Winter 2016

 Cost Benefit Analysis (CBA)

• Begun by evaluating worth of assets to be

protected and the loss in value if they are
compromised
• The formal process to document this is called cost
benefit analysis or economic feasibility study
• Items that affect cost of a control or safeguard
include: cost of development or acquisition; training
fees; implementation cost; service costs; cost of
maintenance
• Benefit: value an organization realizes using
controls to prevent losses from a vulnerability
Abdul K Mustafa, Winter 2016
 Cost Benefit Analysis (CBA) (cont’d.)

• Asset valuation: process of assigning financial

value or worth to each information asset
• Process result is estimate of potential loss per risk
• Expected loss per risk stated in the following
equation:
– Annualized loss expectancy (ALE) =
single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
• SLE = asset value × exposure factor (EF)

Abdul K Mustafa, Winter 2016

 The Cost Benefit Analysis (CBA)
Formula
• CBA determines if alternative being evaluated is
worth cost incurred to control vulnerability
– CBA most easily calculated using ALE from earlier
assessments, before implementation of proposed
control:
• CBA = ALE(prior) – ALE(post) – ACS
– ALE(prior) is annualized loss expectancy of risk
before implementation of control
– ALE(post) is estimated ALE based on control being
in place for a period of time
– ACS is the annualized cost of the safeguard
Abdul K Mustafa, Winter 2016
 Evaluation, Assessment, and
Maintenance of Risk Controls
• Selection and implementation of control strategy is
not end of process
• Strategy and accompanying controls must be
monitored/reevaluated on ongoing basis to
determine effectiveness and to calculate more
accurately the estimated residual risk
• Process continues as long as organization
continues to function

Abdul K Mustafa, Winter 2016

 Figure 4-9 Risk Control Cycle

Abdul K Mustafa, Winter 2016

 Quantitative versus Qualitative Risk
Control Practices
• Performing the previous steps using actual values
or estimates is known as quantitative assessment
• Possible to complete steps using evaluation
process based on characteristics using
nonnumerical measures; called qualitative
assessment
• Utilizing scales rather than specific estimates
relieves organization from difficulty of determining
exact values

Abdul K Mustafa, Winter 2016

 Benchmarking and Best Practices

• An alternative approach to risk management

• Benchmarking: process of seeking out and
studying practices in other organizations that one’s
own organization desires to duplicate
• One of two measures typically used to compare
practices:
– Metrics-based measures
– Process-based measures

Abdul K Mustafa, Winter 2016

 Benchmarking and Best Practices
(cont’d.)
• Standard of due care: when adopting levels of
security for a legal defense, organization shows it
has done what any prudent organization would do
in similar circumstances
• Due diligence: demonstration that organization is
diligent in ensuring that implemented standards
continue to provide required level of protection
• Failure to support standard of due care or due
diligence can leave organization open to legal
liability

Abdul K Mustafa, Winter 2016

 Benchmarking and Best Practices
(cont’d.)
• Best business practices: security efforts that
provide a superior level of information protection
• When considering best practices for adoption in an
organization, consider:
– Does organization resemble identified target with
best practice?
– Are resources at hand similar?
– Is organization in a similar threat environment?

Abdul K Mustafa, Winter 2016

 Benchmarking and Best Practices
(cont’d.)
• Problems with the application of benchmarking and
best practices
– Organizations don’t talk to each other (biggest
problem)
– No two organizations are identical
– Best practices are a moving target
– Knowing what was going on in information security
industry in recent years through benchmarking
doesn’t necessarily prepare for what’s next

Abdul K Mustafa, Winter 2016

 Benchmarking and Best Practices
(cont’d.)
• Baselining
– Analysis of measures against established standards
– In information security, baselining is comparison of
security activities and events against an
organization’s future performance
– Useful during baselining to have a guide to the
overall process

Abdul K Mustafa, Winter 2016

 Other Feasibility Studies

• Organizational: examines how well proposed IS

alternatives will contribute to organization’s
efficiency, effectiveness, and overall operation
• Operational: examines user and management
acceptance and support, and the overall
requirements of the organization’s stakeholders
• Technical: examines if organization has or can
acquire the technology necessary to implement
and support the control alternatives
• Political: defines what can/cannot occur based on
consensus and relationships
Abdul K Mustafa, Winter 2016
 Documenting Results

• At minimum, each information asset-threat pair

should have documented control strategy clearly
identifying any remaining residual risk
• Another option: document outcome of control
strategy for each information asset-vulnerability
pair as an action plan
• Risk assessment may be documented in a topic-
specific report

Abdul K Mustafa, Winter 2016

 Recommended Risk Control Practices

• Convince budget authorities to spend up to value of

asset to protect from identified threat
• Final control choice may be balance of controls
providing greatest value to as many asset-threat
pairs as possible
• Organizations looking to implement controls that
don’t involve such complex, inexact, and dynamic
calculations

Abdul K Mustafa, Winter 2016

 Summary

• Risk identification: formal process of examining and

documenting risk in information systems
• Risk control: process of taking carefully reasoned
steps to ensure the confidentiality, integrity, and
availability of components of an information system
• Risk identification
– A risk management strategy enables identification,
classification, and prioritization of organization’s
information assets
– Residual risk: risk remaining to the information asset
even after the existing control is applied
Abdul K Mustafa, Winter 2016
 Summary (continued)

• Risk control: five strategies are used to control

risks that result from vulnerabilities:
– Defend
– Transfer
– Mitigate
– Accept
– Terminate

Abdul K Mustafa, Winter 2016

 Summary (continued)

• Selecting a risk control strategy

– Cost Benefit Analysis
– Feasibility Study
• Qualitative versus Quantitative Risk Control
– Best Practices and Benchmarks
– Organizational Feasibility, Operational Feasibility,
Technical Feasibility, and Political Feasibility
• Risk Appetite: organizational risk tolerance
• Residual risk: risk remaining after application of risk
controls
Abdul K Mustafa, Winter 2016