7 ITE403 Whitman Ch05 W5C2


Principles of Information Security

Chapter 5
Risk Management

Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected website for
classroom use.

Course Learning Outcome for this Week

• CLO2: Distinguish different types of security
• CLO3: Analyze different concepts of security risks
• CLO5: Assess costs of proposed security measures
– Be aware of risk and its impact on security
– Calculate risk in decision on what measures to use
– Evaluate assets and their cost
• Further Reading in this Chapter:
– The open FAIR Approach
– Risk Control
– Selecting a Control Strategy
– Justifying Controls
• Activity:
– Worksheet: Calculating Risk

Learning Objectives
• Upon completion of this material, you should be able to:
– Assess risk based on probability of occurrence and likely
expected impact
– Explain the fundamental aspects of documenting risk via the
process of risk assessment


Specifying Asset Vulnerabilities

• Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities.
• Examine how each threat could be perpetrated and list the organization's assets and their vulnerabilities.
• The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.
• At the end of the risk identification process, a prioritized list of assets with their vulnerabilities is produced.
– This list can be combined with the weighted list of threats to form the threats-vulnerabilities-assets (TVA) worksheet.

Table 5-7 Vulnerability assessment of a hypothetical DMZ router (1 of 2)

Each threat is listed with its possible vulnerabilities:

Threat: Compromises to intellectual property
• Copyrighted works developed in-house and stored on intranet servers can be copied without permission unless the router is configured to limit access from outsiders.
• Works copyrighted by others can be stolen; your organization is liable for that loss to the copyright holder.
Threat: Espionage or trespass
• This information asset (router) may have little intrinsic value, but other assets protected by this device could be attacked if it does not perform correctly or is compromised.
Threat: Forces of nature
• All information assets in the organization are subject to forces of nature unless suitable controls are provided.
Threat: Human error or failure
• Employees or contractors may cause an outage if configuration errors are made.
Threat: Information extortion
• If attackers bypass the router or compromise it and then enter your network, they may encrypt your data in place. They may not have stolen it, but unless you pay them to acquire the encryption key, the data is inert and no longer of value to you.
Threat: Deviation in quality of service
• Power system failures are always possible. Unless suitable electrical power conditioning is provided, failure is probable over time.
• ISP connectivity failures can interrupt internet bandwidth.


Table 5-7 Vulnerability assessment of a hypothetical DMZ router (2 of 2)

Each threat is listed with its possible vulnerabilities:

Threat: Sabotage or vandalism
• The internet protocol is vulnerable to denial of service.
• This device may be subject to defacement or cache poisoning.
Threat: Software attacks
• The internet protocol is vulnerable to denial of service. Outsider IP fingerprinting activities can reveal sensitive information unless suitable controls are implemented.
Threat: Technical hardware failures or errors
• Hardware can fail and cause an outage.
Threat: Technical software failures or errors
• Vendor-supplied routing software could fail and cause an outage.
Threat: Technological obsolescence
• If this asset is not reviewed and periodically updated, it may fall too far behind its vendor support model to be kept in service.
Threat: Theft
• Data has value and can be stolen. Routers are important network devices; their controls are critical layers in your defense in depth. When data is copied in place, you may not know it has been stolen.


Table 5-8 Sample TVA Spreadsheet


Risk Assessment

• Risk assessment evaluates the relative risk for each vulnerability.
• It assigns a risk rating or score to each information asset.
• Planning and organizing risk assessment
– The goal at this point is to create a method for evaluating the relative risk of each listed vulnerability.


Figure 5-8 Major stages of risk assessment


Determining the Loss Frequency

• Loss frequency is an assessment of the likelihood of an attack combined with the expected probability of its success.
• Use external references for values that have been reviewed and adjusted for your circumstances.
• Assign a numeric value to likelihood, typically an annual value.
– Targeted by hackers once every five years
– Annualized likelihood of attack: 1/5, or 20 percent
• Determine an attack's success probability by estimating a quantitative value (e.g., 10 percent) for the likelihood of a successful attack; this value is subject to uncertainty.

Evaluating Loss Magnitude

• The next step is to determine how much of an information asset could be lost in a successful attack.
– Also known as loss magnitude or asset exposure
• It combines the value of the information asset with the percentage of the asset lost in the event of a successful attack.
• Difficulties involve:
– Valuing an information asset
– Estimating the percentage of the information asset lost during best-case, worst-case, and most likely scenarios


Calculating Risk

• For the purpose of relative risk assessment, risk equals:
– Loss frequency TIMES loss magnitude
– MINUS the percentage of risk mitigated by current controls
– PLUS an element of uncertainty


Figure 5-9 Factors of risk


Assessing Risk Acceptability

• For each threat and its associated vulnerabilities that carry residual risk, create a ranking of relative risk levels.
• Residual risk is the risk left over after the organization has done everything feasible to protect its assets.
• If the organization's risk appetite is less than the residual risk, it must look for additional strategies to further reduce the risk.
– If its risk appetite is greater than the residual risk, it proceeds to the later stages of risk control.


Documenting the Results of Risk Assessment

• The final summarized document is the ranked vulnerability risk worksheet.
• The worksheet describes each asset, its relative value, the vulnerability, the loss frequency, and the loss magnitude.
• The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.


Table 5-9 Ranked vulnerability risk worksheet

Asset | Asset relative value | Vulnerability | Loss frequency | Loss magnitude
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to hardware failure | 0.2 | 11
Customer order via SSL (inbound) | 100 | Lost orders due to web server hardware failure | 0.1 | 10
Customer order via SSL (inbound) | 100 | Lost orders due to web server or ISP service failure | 0.1 | 10
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to SMTP mail relay attack | 0.1 | 5.5
Customer service request via e-mail (inbound) | 55 | E-mail disruption due to ISP service failure | 0.1 | 5.5
Customer order via SSL (inbound) | 100 | Lost orders due to web server denial-of-service attack | 0.025 | 2.5
Customer order via SSL (inbound) | 100 | Lost orders due to web server software failure | 0.01 | 1
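The loss-frequency example, the Calculating Risk formula and the ranking in Table 5-9 above, worked through in Python as an added example (not code from the slides or the textbook). The percentage of the asset lost, the share mitigated by current controls and the uncertainty margin are assumed values, since the table does not state them; with the defaults of 100%, 0% and 0% the score reproduces the table's last column.

```python
# Added example (not from the Whitman slides): relative risk scoring using the
# chapter's formula, applied to rows constructed from Table 5-9.
from dataclasses import dataclass

@dataclass(frozen=True)
class AssetVulnerability:
    asset: str
    asset_value: float          # asset relative value (0-100 scale, as in Table 5-9)
    vulnerability: str
    loss_frequency: float       # annualized likelihood x probability of success
    pct_lost: float = 1.0       # share of the asset lost in a successful attack (assumed)
    pct_mitigated: float = 0.0  # share of risk removed by current controls (assumed)
    uncertainty: float = 0.0    # analyst's uncertainty, as a share of the base score (assumed)

def loss_frequency(attacks_per_year: float, success_probability: float) -> float:
    """Slide example: targeted once in five years (0.2/yr) x 10% success = 0.02."""
    return attacks_per_year * success_probability

def risk_score(av: AssetVulnerability) -> float:
    """Risk = loss frequency x loss magnitude, minus the mitigated share, plus uncertainty."""
    magnitude = av.asset_value * av.pct_lost
    base = av.loss_frequency * magnitude
    return base - base * av.pct_mitigated + base * av.uncertainty

def ranked_worksheet(rows):
    """Highest score first, which is the order Table 5-9 is presented in."""
    return sorted(rows, key=risk_score, reverse=True)

def needs_more_controls(residual_risk: float, risk_appetite: float) -> bool:
    """Residual risk above the organization's appetite sends it back to risk control."""
    return residual_risk > risk_appetite

# Rows constructed from Table 5-9; with the assumed defaults (100% lost, 0% mitigated,
# 0% uncertainty) risk_score reproduces the table's last column.
TABLE_5_9 = [
    AssetVulnerability("Customer order via SSL (inbound)", 100,
                       "Lost orders due to web server software failure", 0.01),
    AssetVulnerability("Customer service request via e-mail (inbound)", 55,
                       "E-mail disruption due to hardware failure", 0.2),
    AssetVulnerability("Customer order via SSL (inbound)", 100,
                       "Lost orders due to web server denial-of-service attack", 0.025),
    AssetVulnerability("Customer service request via e-mail (inbound)", 55,
                       "E-mail disruption due to SMTP mail relay attack", 0.1),
]

if __name__ == "__main__":
    for row in ranked_worksheet(TABLE_5_9):
        print(f"{risk_score(row):5.2f}  {row.asset}: {row.vulnerability}")
```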


Table 5-10 Risk identification and assessment deliverables

Deliverable | Purpose
Information asset classification worksheet | Assembles information about information assets and their value to the organization
Weighted criteria analysis worksheet | Assigns a ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet | Assigns a ranked value or risk rating for each uncontrolled asset-vulnerability pair


The Open FAIR Approach to Risk Assessment

• Identify scenario components
• Evaluate loss event frequency
• Evaluate probable loss magnitude
• Derive and articulate risk


Summary

• We will sum up this lecture after the worked examples that are presented in the next presentation.

