Lec 4


Risk Management

Ms. Nabeela Bibi


Cybersecurity Risk Management
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization's cybersecurity threats.
• When it comes to managing risk, organizations generally follow a four-step process, beginning with identifying risks.
• Risks are then assessed, based on the likelihood of threats exploiting vulnerabilities and the potential impact.
• Risks are prioritized, with organizations choosing from a variety of mitigation strategies.
• The fourth step, monitoring, keeps the risk responses and controls current despite a continually shifting environment.
Risk Assessment
• An information security risk assessment is the process of identifying, resolving and preventing security problems.
• Your organisation's risk assessor will identify the risks that your organisation faces and conduct a risk assessment.
• The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It will be conducted across the whole organisation.
Relationship between assets, threats and vulnerabilities
Asset: Paper document
• Threat: fire; Vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
• Threat: fire; Vulnerability: there is no backup of the document (potential loss of availability)
• Threat: unauthorized access; Vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
Threats and Vulnerabilities: How much is enough?

If a small company has 90 assets, 18 threats, and for each threat at least 9 vulnerabilities, is that manageable?

It should be manageable: concentrate on the most daunting threats and the most important vulnerabilities.
Risk Assessment
The risk assessment will identify the possible threats and vulnerabilities and how those will impact the asset and the business.

The risk value for an asset has to be determined by identifying the possible threats that can impact the CIA of the asset, how much impact each would cause, the frequency of the impact and the asset value.

RISK?
The probability of an unwanted and/or unexpected event occurring.

Risk Value = Asset Value x Business Impact x Probability of occurrence of threat

Risk Assessment
Let us take the digital document (NDA) as an example. We need to list the threats to this document:
• Disk failure
• Virus
• Unauthorized access
• Audit logs not maintained
• Power failures
• Data corruption / data loss
• Natural calamities
Risk Assessment
IDENTIFY SCOPE OF THE SYSTEM
The first step is to define the scope of the system in order to list the assets of an organization.
Asset Value

Asset value can be defined by looking at confidentiality, integrity and availability of an asset.

Asset value = Confidentiality + Availability + Integrity


Asset Value
For example: let us take the NDA of the organization XYZ. Let us define a scale of 1-5 to record and assign a value to the owners' and custodians' views.

Question: What if an intruder or another employee of a lower access level gets to read confidential top management NDAs?

Answer: It is very critical, since the top management manages many critical matters through NDAs.
So, the confidentiality value is 4.
Asset Value
Question: What if an intruder or another employee tries to modify the contents of the NDAs, so that the document delivered to the other party is something different? For example: the CEO defines a penalty of Rs.1,00,000 in case the privacy of the procurement contract is breached. Someone in between tampers with the document, changes the amount to Rs.1000 and also defines a waiver criterion.

Answer: It is very critical.

So, the integrity value is also 4.


Asset Value
Question: What happens if there is a hardware/disk failure and the NDA document is not available to the organization?
Answer: It is not very critical, since there is a redundancy mechanism and the parallel servers are up and running, with sufficient backups taken every day.

So, the availability value is 2.

Asset value = Confidentiality + Availability + Integrity

NDA Document Value = 4 + 4 + 2 = 10
Identify Threats
Dangers that have the potential to impact CIA if adequate controls are not in place.

• Human Threats
• Technical threats
• Environmental threats
Vulnerability Identification
• Logically, without a vulnerability there is no risk.
• Are these vulnerabilities carried over from year to year without review and just accepted?

(Diagram: Risk sits at the intersection of Asset, Threat and Vulnerability.)

Existing Control Identification
• To ensure control effectiveness and sustainability, it must be part of the overall governance process.
• Control frameworks such as:
  • COBIT 5 for Security,
  • ISO/IEC 27001,
  • NIST Cybersecurity Framework (and the NIST SP 800-53 controls mentioned previously)
  provide excellent controls to choose from at the governance and detailed control levels.
DETERMINE BUSINESS IMPACT SEVERITY

This step assumes that the vulnerability has been exploited.

Impacts may include intangibles, e.g., unauthorized disclosure of information, destruction of data, loss of systems, loss of reputation, loss of market share and the value of the asset compromised.

Management is responsible for implementing preventive, detective and corrective controls depending on multiple variables.

The possibilities of failures are likely to be assessed in terms of their impacts in areas such as safety, finances, marketing, business reputation, legal compliance and quality assurance.
Business Impact
• BIA is based on time. If there is a server crash (taking the NDA documents from the example above), how much time can the organization go without the NDAs? This is derived by doing the business impact analysis.

• Scale 1-5
• Since NDA documents are critical to the organization, we shall take 4 as the BIA value.
Probability of Occurrence of Threat
• The probability of occurrence is required to understand the frequency at which such failures occur.
• This is based upon previous experiences and also looking at the current implementation.
• The probability of occurrence is measured on a scale of 0.1 to 1.
• Let us consider the probability of occurrence to be rated at medium, i.e. 0.4, for NDA documents (based on the situation).
Determine Risk Level

1) Risk is typically determined by examining the likelihood of occurrence and the impact.

2) Once controls are applied, the risk remaining is the residual risk.

3) The organization should implement controls until the residual risk is at an acceptable level and management is willing to formally accept the risk.
Risk Assessment
Now:
Risk Value = Asset Value x Business Impact x Probability of occurrence of threat

Risk Value = 10 * 4 * 0.4 = 16
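As an added worked example (not from the lecture), a small Python risk register that applies the lecture's scales and formula to the NDA document and, going beyond the slide, ranks several assets and recomputes residual risk after a control lowers the threat probability. The scores for the Server and Laptop rows and the acceptable-level threshold of 12 are assumptions for illustration.

```python
from dataclasses import dataclass
# Lecture scales: C, I, A and business impact each 1-5; probability 0.1-1.0.

@dataclass
class RiskItem:
    asset: str
    threat: str
    confidentiality: int
    integrity: int
    availability: int
    business_impact: int
    probability: float

    def asset_value(self) -> int:
        # Asset value = Confidentiality + Availability + Integrity
        for v in (self.confidentiality, self.integrity, self.availability, self.business_impact):
            if not 1 <= v <= 5:
                raise ValueError(f"scale value out of range 1-5: {v}")
        return self.confidentiality + self.availability + self.integrity

    def risk_value(self) -> float:
        # Risk Value = Asset Value x Business Impact x Probability of occurrence of threat
        if not 0.1 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range 0.1-1: {self.probability}")
        return round(self.asset_value() * self.business_impact * self.probability, 2)

def residual_risk(item: RiskItem, probability_after_control: float) -> float:
    """Risk left once a control (e.g. a fire extinguisher) lowers the threat probability."""
    treated = RiskItem(item.asset, item.threat, item.confidentiality, item.integrity,
                       item.availability, item.business_impact, probability_after_control)
    return treated.risk_value()

def rank_risks(items, acceptable_level: float = 12.0):
    """Highest risk first; the flag marks items still above the (assumed) acceptable level."""
    ranked = sorted(items, key=lambda i: i.risk_value(), reverse=True)
    return [(i.asset, i.threat, i.risk_value(), i.risk_value() > acceptable_level) for i in ranked]

# Constructed register: the lecture's NDA scores (C4, I4, A2; BIA 4; p 0.4) plus
# two assets from its treatment table with hypothetical scores.
REGISTER = [
    RiskItem("NDA document", "Unauthorized access", 4, 4, 2, 4, 0.4),
    RiskItem("Server", "Fire", 3, 3, 5, 5, 0.2),
    RiskItem("Laptop", "Access by unauthorized persons", 4, 3, 2, 3, 0.6),
]

if __name__ == "__main__":
    for asset, threat, value, above in rank_risks(REGISTER):
        print(f"{asset:14} {threat:30} risk={value:5.1f}  {'treat' if above else 'accept'}")
    print("Server/fire residual risk:", residual_risk(REGISTER[1], 0.1))
```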


Risk Management

Risk management options:

• Treat: Risk modification
• Terminate: Risk avoidance
• Tolerate: Risk retention
• Transfer: Risk sharing

You can eliminate the risk only through avoidance, but the typical goal is to reduce the level of risk to something acceptable.
Risk Management

RISK MODIFICATION: this option is the most common, and it includes implementation of safeguards (controls), like fire-suppression systems, etc.

RISK RETENTION: it means your organization accepts the risk without doing anything about it. This option should be used only if the mitigation cost would be higher than the damage an incident would incur.

RISK AVOIDANCE: stop performing certain tasks or processes if they incur such risks that are simply too big to mitigate with any other options.

RISK SHARING: this means you transfer the risk to another party. Unfortunately, this option does not have any influence on the incident itself, so the best strategy is to use this option together with options 1) and 2) above (risk modification and risk avoidance).
Before You Start the Risk Treatment

When selecting new controls, basically there are three types of controls:

1) Defining New Rules: rules are documented through plans, policies, procedures, instructions, etc., although you don't have to document some less complex processes.
2) Implementing New Technology: for example, backup systems, disaster recovery locations for alternative data centers, etc.
3) Changing the Organizational Structure: in some cases, you will need to introduce a new job function, or change the responsibilities of an existing position.
Risk Treatment

Asset | Threat | Vulnerability | Treatment option | Means of implementation
Server | Fire | No fire extinguisher | 1) Decrease risk; 2) Share risk | Purchase fire extinguisher; buy insurance policy against fire
Laptop | Access by unauthorized persons | Inadequate password | 1) Decrease risk | Write password policy
System administrator | Leaving the company | No replacement | 1) Decrease risk | Hire a second system administrator who will learn everything the first one does
Residual Risk

Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard.

A company may choose to take on total risk if the cost/benefit analysis results indicate this is the best course of action.

For example: if there is a small likelihood that a company's web servers can be compromised and the necessary safeguards to provide a higher level of protection cost more than the potential loss in the first place, the company will choose not to implement the safeguard, choosing to deal with the residual risk.
Security Controls
Thank You!
