Lecture 2 Risk Control


www.tvtc.gov.sa

Risk Management: Controlling Risk


❑ Introduction to risk control
❑ Managing Risk
❑ Recommended Alternative Risk Treatment Practices

Introduction to Risk Control


In the early days of information technology (IT), corporations used IT systems to gain advantages over
their competition. Managers discovered that establishing a competitive business model, method, or
technique based on superior IT allowed an organization to provide a product or service that was
superior in some decisive way, thus creating a competitive advantage. But this is seldom true today.
The current IT industry has evolved from this earlier model to one in which almost all competitors
operate using similar levels of automation.
Because competitive technology is now readily available, almost all organizations are willing to make
the investment to react quickly to changes in the market. In today's highly competitive environment,
managers realize that investing in IT systems at a level that merely maintains the status quo is no
longer sufficient to gain a competitive advantage. In fact, even the implementation of new
technologies does not necessarily enable an organization to gain or maintain a competitive lead.

Instead, the concept of competitive disadvantage has emerged as a critical factor as organizations
strive not to fall behind technologically. Effective IT- enabled organizations now quickly absorb
emerging technologies, not to gain or maintain the traditional competitive advantage, but to avoid
the possibility of losing market share when faltering systems make it impossible to maintain the
current standard of service.
Organizations must design and create a secure environment in which business processes and
procedures can function and evolve effectively. This environment must maintain confidentiality and
privacy and assure the integrity and availability of organizational data. These objectives are met via
the application of the principles of risk management.
As shown in Figure 2-1, after the risk management (RM) process team has identified, analyzed, and evaluated the level of risk currently inherent in its information assets (risk assessment), it must then treat the risk that is deemed unacceptable because it exceeds the organization's risk appetite. As risk treatment begins, the organization has a list of information assets with currently unacceptable levels of risk; the appropriate strategy must be selected and then applied for each asset.

In this lecture, you will learn how to assess risk treatment strategies, estimate costs, weigh the relative merits of the available alternatives, and gauge the benefits of various treatment approaches.

Treating risk begins with an understanding of what risk treatment strategies are and how to formulate them. The chosen strategy may include applying additional or newer controls to some or all of the assets and vulnerabilities found in the tables prepared earlier, during risk identification and assessment.

Risk Control Strategies


When management has determined that the risks from information security threats are unacceptable, or when laws and regulations mandate such action, it empowers the information technology and information security communities of interest to control the risks. Once the project team for information security development has created the ranked vulnerability worksheet, it must choose one of the following five approaches for controlling the risks that result from the vulnerabilities:
❑ Defense: Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
❑ Transference: Shifting risks to other areas or to outside entities
❑ Mitigation: Reducing the impact to information assets should an attacker successfully exploit a
vulnerability
❑ Acceptance: Understanding the consequences of choosing to leave an information asset's
vulnerability facing the current level of risk, but only after a formal evaluation and intentional
acknowledgment of this decision
❑ Termination: Removing or discontinuing the information asset from the organization's operating
environment

Defense
The defense approach attempts to prevent the exploitation of the vulnerability. This is the preferred
approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting
access to assets, and adding protective safeguards. This approach is sometimes referred to as avoidance.
There are three common methods of risk defense: defense through application of policy, defense through
application of training and education programs, and defense through application of technology.
The application of policy allows management to mandate that certain procedures are always followed.
For example, if the organization needs to control password use more tightly, a policy requiring passwords
on all IT systems can be implemented. Note that policy alone may not be enough and that effective
management always couples changes in policy with training and education and/or the application of
technology. Policy must be communicated to employees. In addition, new technology often requires
training. Awareness, training, and education are essential if employees are to exhibit safe and controlled
behavior. In the real world of information security, technical solutions are usually required to assure that
risk is reduced.
Transferal
The transferal approach attempts to shift the risk to other assets, other processes, or other organizations.
This may be accomplished through rethinking how services are offered, revising deployment models,
outsourcing to other organizations, purchasing insurance, or implementing service contracts with
providers.
When an organization does not have the correct balance of information security skills, it should consider
hiring or making outsourcing arrangements with individuals or firms that provide such expertise. This
allows the organization to transfer the risks associated with the management of these complex systems to
another organization that has experience in dealing with those risks. A side benefit of specific contract
arrangements is that the provider is responsible for disaster recovery and, through service-level
agreements, can be made responsible for guaranteeing server and Web site availability. However,
outsourcing is not without its own risks. It is up to the owner of the information asset, IT management, and
the information security team to ensure that the disaster recovery requirements of the outsourcing
contract are sufficient and have been met before they are needed for recovery efforts. If the outsourcer
fails to meet the contract terms, the consequences may be far worse than expected.

Mitigation
The mitigation approach attempts to reduce the impact caused by the exploitation of a vulnerability
through planning and preparation. This approach includes contingency planning and its four
functional components: the business impact analysis, the incident response plan, the disaster
recovery plan, and the business continuity plan.
Each of these components of the contingency plan depends on the ability to detect and respond to
an attack as quickly as possible and relies on the existence and quality of the other plans.
Mitigation begins with the early detection that an attack is in progress and the ability of the
organization to respond quickly, efficiently, and effectively.
Acceptance
Acceptance is the choice to do nothing to protect an information asset and to accept the outcome of its
potential exploitation. This may or may not be a conscious business decision. The only industry-recognized
valid use of this strategy occurs when the organization has done the following:
● Determined the level of risk
● Assessed the probability of attack
● Estimated the potential damage that could occur from an attack
● Performed a thorough cost-benefit analysis
● Evaluated controls using each appropriate type of feasibility
● Decided that the particular function, service, information, or asset did not justify the cost of protection
This control, or rather lack of control, is based on the conclusion that the cost of protecting an asset does not
justify the security expenditure. In this case, management may be satisfied with taking its chances and saving
the money that would normally be spent on protecting this asset. If every vulnerability identified in the
organization is handled through acceptance, it may reflect an organization’s inability to conduct proactive
security activities and an apathetic approach to security in general.

Termination
Like acceptance, termination is based on the organization’s need or choice to leave an asset
unprotected. Here, however, the organization does not wish the information asset to remain at risk
and so removes it from the environment that represents risk. Sometimes, the cost of protecting an
asset outweighs its value. In other cases, it may be too difficult or expensive to protect an asset,
compared to the value or advantage that asset offers the company. In either case, termination must
be a conscious business decision, not simply the abandonment of an asset, which would technically
qualify as acceptance.

Managing Risk
As described in Lecture 1, risk appetite is the quantity and nature of risk that organizations are willing to
accept as they evaluate the trade-offs between perfect security and unlimited accessibility. For instance,
a financial services company, regulated by government and conservative by nature, seeks to apply every
reasonable control and even some invasive controls to protect its information assets. Other less closely
regulated organizations may also be conservative and thus seek to avoid the negative publicity and
perceived loss of integrity caused by the exploitation of a vulnerability.
A business executive might direct the installation of a set of firewall rules that are far more stringent
than necessary, simply because being hacked would jeopardize his or her organization's reputation in the
market. Other organizations may take on dangerous risks because of ignorance. The reasoned approach
to risk is one that balances the expense (in terms of finance and the usability of information assets)
against the possible losses, if exploited.

Feasibility and Cost-benefit Analysis


Before deciding on the treatment strategy for a specific TVA triplet, an organization should explore all
readily accessible information about the economic and noneconomic consequences of an exploitation of
the vulnerability, when the threat causes a loss to the asset. This exploration attempts to answer the
question, "What are the actual and perceived advantages of implementing a control as opposed to the
actual and perceived disadvantages?" In other words, the organization is simply trying to answer the
question, "Before we spend any more time, money, or resources on additional protection mechanisms to
protect this asset, is it worth it?" The costs associated with the various risk treatment strategies may help
the organization decide which option to choose.
Most organizations can spend only a reasonable amount of time and money on InfoSec, although the
definition of reasonable varies from organization to organization, even from manager to manager.
Organizations can begin this type of economic feasibility analysis by valuing the information assets and
determining the loss in value if those information assets became compromised. Common sense dictates
that an organization should not spend more to protect an asset than it is worth. This decision-making
process is called a cost-benefit analysis (CBA) or an economic feasibility study.
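The cost-benefit analysis described above, carried through in code as an added example (not the lecture's own material). It assumes the standard textbook definitions SLE = AV × EF, ALE = SLE × ARO and CBA = ALE(prior) − ALE(post) − ACS, where ACS is the annualized cost of the safeguard; the asset and control figures are constructed for illustration.

```python
"""Cost-benefit analysis (CBA) of candidate controls for one TVA triplet.

Assumed formulas (standard textbook definitions, not stated on this page):
    SLE = AV * EF              single loss expectancy per incident
    ALE = SLE * ARO            annualized loss expectancy
    CBA = ALE_prior - ALE_post - ACS
A control is economically feasible only when its CBA is positive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Loss picture for one asset/vulnerability/threat triplet."""
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per incident (0..1)
    aro: float               # annualized rate of occurrence (incidents/year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A proposed safeguard and the exposure that remains once it is in place."""
    name: str
    acs: float               # annualized cost of the safeguard
    post_exposure_factor: float
    post_aro: float


def cba(prior: Exposure, control: Control) -> float:
    """Annual benefit of the control: ALE reduction minus what the control costs."""
    post = Exposure(prior.asset_value, control.post_exposure_factor, control.post_aro)
    return prior.ale() - post.ale() - control.acs


def is_economically_feasible(prior: Exposure, control: Control) -> bool:
    """The lecture's common-sense rule: never spend more than the asset is worth,
    and only keep controls that pay for themselves through reduced ALE."""
    return control.acs <= prior.asset_value and cba(prior, control) > 0


def rank_controls(prior: Exposure, controls: list[Control]) -> list[tuple[str, float]]:
    """Feasible controls ordered by CBA, best first; infeasible ones are dropped."""
    scored = [(c.name, cba(prior, c)) for c in controls if is_economically_feasible(prior, c)]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed figures for illustration only (ALE of the unprotected server = $50,000).
WEB_SERVER = Exposure(asset_value=200_000, exposure_factor=0.5, aro=0.5)
CANDIDATES = [
    Control("web application firewall", acs=15_000, post_exposure_factor=0.5, post_aro=0.1),
    Control("managed SOC subscription", acs=45_000, post_exposure_factor=0.5, post_aro=0.05),
    Control("full platform replacement", acs=250_000, post_exposure_factor=0.1, post_aro=0.01),
]

if __name__ == "__main__":
    for name, benefit in rank_controls(WEB_SERVER, CANDIDATES):
        print(f"{name}: CBA = ${benefit:,.0f}/year")
```

Only the first candidate survives: the second merely breaks even and the third costs more per year than the asset is worth.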
Other Methods of Establishing Feasibility
Earlier in this Lecture, the concept of economic feasibility was employed to justify proposals for InfoSec controls. The next step in measuring how ready an organization is for the introduction of these controls is to determine the proposal's organizational, operational, technical, and political feasibility.

Organizational Feasibility
Organizational feasibility examines how well the proposed InfoSec alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization. In other words, the proposed control approach must contribute to the organization's strategic objectives. Does the implementation align well with the strategic planning for the information systems, or does it require deviation from the planned expansion and management of the current systems? The organization should not invest in technology that changes its fundamental ability to explore certain avenues and opportunities.
For example, suppose that a university decides to implement a new firewall. It takes a few months for the technology
group to learn enough about the firewall to configure it completely. A few months after the implementation begins, it
is discovered that the firewall as configured does not permit outgoing Web-streamed media. If one of the goals of the
university is the pursuit of distance-learning opportunities, a firewall that prevents that type of communication has
not met the organizational feasibility requirement and should be modified or replaced.
Alternatives to Feasibility Analysis
Rather than using CBA or some other feasibility reckoning to justify risk treatments, an organization
might look to alternative models. A short list of alternatives is provided here:
o Benchmarking is the comparison of organizational effectiveness, efficiency, and productivity
against an established measure. External benchmarking is the process of seeking out and
studying the practices used in other organizations that produce the results you desire in your
organization. Internal benchmarking, also known as baselining, involves comparing measured
past performance (the baseline) against actual performance for the assessed category. In both
external and internal benchmarking, the comparison of the two performance states may reveal
shortfalls in the organization's performance (known as the gap). A gap analysis allows the
organization to create a plan for moving the organization closer to the ideal level of
performance. When benchmarking, an organization typically uses either metrics-based or
process-based measures.
o Due care and due diligence describe an organization's actions when it adopts a certain minimum level of security, that is, what any prudent organization would do in similar circumstances.

o Best business practices are considered those thought to be among the best in the industry, balancing the need to access information with adequate protection.
o The gold standard is for those ambitious organizations in which the best business practices are not sufficient. They aspire to set the standard for their industry and are thus said to be in pursuit of the gold standard.
o Government recommendations and best practices are useful for organizations that operate in industries regulated by governmental agencies. Government recommendations, which are, in effect, requirements, can also serve as excellent sources for information about what some organizations may be doing, or are required to do, to control InfoSec risks.

Recommended Alternative Risk Treatment Practices


Assume that a risk assessment has determined it is necessary to protect a particular asset's vulnerabilities from a particular threat, at a cost of up to $50,000. Unfortunately, most budget authorities focus on the "up to" and then try to cut a percentage off the total figure to save the organization money. This tendency underlines the importance of developing strong justifications for specific action plans and of providing concrete estimates in those plans.
Between the difficult task of valuing information assets and the dynamic nature of the ALE (annualized
loss expectancy) calculations, it is no wonder that organizations typically look for a more straightforward
method of implementing controls. This preference has prompted an ongoing search for ways to design
security architectures that go beyond the direct application of specific controls for specific information
asset vulnerability. The following sections cover some of these alternatives.
Qualitative and Hybrid Asset Valuation Measures
Many of the approaches to asset valuation described previously attempt to use actual values or estimates to create a quantitative assessment. In some cases, an organization might be unable to determine these values. Fortunately, risk assessment steps can be executed using estimates based on a qualitative assessment, as mentioned in Lecture 1. For example, instead of placing a value of once every 10 years for the ARO (annualized rate of occurrence), the organization might list all possible attacks on a particular set of information and rate each in terms of its probability of occurrence: high, medium, or low. The qualitative approach uses labels to assess value rather than numbers.
A more granular approach, the semi-qualitative or hybrid assessment, tries to reduce some of the ambiguity of qualitative measures without resorting to the unsubstantiated estimations used for quantitative measures. Hybrid assessment uses scales rather than specific estimates. For example, the scales discussed for likelihood and impact in Lecture 1 use ordinal rankings from 0 (not applicable threat) to 5 (almost certain) for likelihood and 0 (not applicable) to 5 (severe) for impact. Of course, organizations may prefer other scales, such as 1-10 or 1-100. These same scales can be used in any situation requiring a value, even in asset valuation. For example, instead of estimating that a particular piece of information is worth $1 million, you might value information on a scale of 1-100, where 1 indicates relatively worthless information and 100 indicates extremely critical information.

Delphi Technique

How do you calculate the values and scales used in qualitative and quantitative assessment? An individual can pull the information together based on personal experience, but, as the saying goes, "two heads are better than one", and a team of heads is better than two. The Delphi technique is a process whereby a group rates or ranks a set of information. The individual responses are compiled and then returned to the group for another iteration. This process continues until the entire group is satisfied with the result. This technique can be applied to the development of scales, asset valuation, asset or threat ranking, or any scenario that can benefit from the input of more than one decision maker.

The OCTAVE Methods

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method is an InfoSec risk
evaluation methodology that allows organizations to balance the protection of critical information assets
against the costs of providing protective and detection controls. This process, which is illustrated in Figure
2-2, can enable an organization to measure itself against known or accepted good security practices and
then establish an organization-wide protection strategy and InfoSec risk mitigation plan. The process has
three variations:

❑ The original OCTAVE Method, which forms the basis for the OCTAVE body of knowledge and which was
designed for large organizations (300 or more users).

❑ OCTAVE-S, for smaller organizations of about 100 users.

❑ OCTAVE-Allegro, a streamlined approach for InfoSec assessment and assurance.



Figure 2-2: OCTAVE overview
Microsoft Risk Management Approach
Microsoft has recently updated its Security Risk Management Guide, which provides the company's approach
to the risk management process. Because this version is comprehensive, easily scalable, and repeatable, it is
summarized here. Microsoft asserts that risk management is not a stand-alone subject and should be part of a
general governance program to allow the organizational general-management community of interest to
evaluate the organization's operations and make better, more informed decisions. The purpose of the risk
management process is to prioritize and manage security risks. Microsoft presents four phases in its security
risk management process:
1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness
These four phases, which are described in detail in Figure 2-3, provide an overview of a program that is similar
to the methods presented earlier in the text, including the OCTAVE Method. Microsoft, however, breaks the
phases into fewer, more manageable pieces.

Figure 2-3: Microsoft's security risk management guide


FAIR
Factor Analysis of Information Risk (FAIR), a risk management framework, can help organizations
understand, analyze, and measure information risk. The outcomes are more cost-effective
information risk management, greater credibility for the InfoSec profession, and a foundation from
which to develop a scientific approach to information risk management. The FAIR framework, as
shown in Figure 2-4, includes:
• A taxonomy for information risk
• Standard nomenclature for information risk terms
• A framework for establishing data collection criteria
• Measurement scales for risk factors
• A computational engine for calculating risk
• A modeling construct for analyzing complex risk scenarios
Basic FAIR analysis comprises 10 steps in four stages:
Stage 1 - Identify Scenario Components
1. Identify the asset at risk.
2. Identify the threat community under consideration.
Stage 2 - Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF).
4. Estimate the Threat Capability (TCap).
5. Estimate Control Strength (CS).
6. Derive Vulnerability (Vuln).
7. Derive Loss Event Frequency (LEF).
Stage 3 - Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss.
9. Estimate probable loss.
Stage 4 - Derive and Articulate Risk
10. Derive and articulate risk.
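The ten steps above run end to end over five-level qualitative scales, as an added example that is not the Open FAIR standard's own computational engine. The rules used here to derive Vuln from TCap and CS, LEF from TEF and Vuln, and the final risk band are simplifications assumed by this example, not the published FAIR lookup tables; the two scenarios are constructed.

```python
"""Basic FAIR analysis over 'very low' .. 'very high' qualitative scales.

Steps 1-5, 8 and 9 are estimates supplied by the analyst; steps 6, 7 and 10
are derived. The derivation rules are this example's own simplifications.
"""
from dataclasses import dataclass, replace

LEVELS = ["very low", "low", "medium", "high", "very high"]


def _idx(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def _level(i: int) -> str:
    """Clamp an index back onto the five-level scale."""
    return LEVELS[max(0, min(len(LEVELS) - 1, i))]


@dataclass(frozen=True)
class Scenario:
    """Inputs gathered in steps 1-5, 8 and 9."""
    asset: str              # step 1
    threat_community: str   # step 2
    tef: str                # step 3: threat event frequency
    tcap: str               # step 4: threat capability
    cs: str                 # step 5: control strength
    worst_case_loss: str    # step 8
    probable_loss: str      # step 9


def derive_vuln(tcap: str, cs: str) -> str:
    """Step 6 (assumed rule). Vulnerability grows as threat capability exceeds
    control strength: equal levels give 'medium', each level of difference
    shifts the result one step."""
    return _level(2 + _idx(tcap) - _idx(cs))


def derive_lef(tef: str, vuln: str) -> str:
    """Step 7 (assumed rule). Loss events cannot outnumber threat events; a
    vulnerability below 'medium' pulls the frequency down one step per level."""
    return _level(_idx(tef) - max(0, 2 - _idx(vuln)))


def derive_risk(lef: str, plm: str) -> str:
    """Step 10 (assumed rule). Frequency plus magnitude, mapped to four bands."""
    bands = ["low", "low", "low", "medium", "medium", "high", "high", "critical", "critical"]
    return bands[_idx(lef) + _idx(plm)]


def analyse(s: Scenario) -> dict:
    """Run the derived steps and articulate the result as a one-line statement."""
    vuln = derive_vuln(s.tcap, s.cs)
    lef = derive_lef(s.tef, vuln)
    risk = derive_risk(lef, s.probable_loss)
    statement = (f"{s.asset} vs {s.threat_community}: LEF {lef} "
                 f"(TEF {s.tef}, Vuln {vuln}); probable loss {s.probable_loss}, "
                 f"worst case {s.worst_case_loss} -> risk {risk}")
    return {"vuln": vuln, "lef": lef, "risk": risk, "statement": statement}


# Constructed scenarios: the same asset and threat community before and after
# the controls are strengthened.
BASELINE = Scenario("customer database", "external cybercriminals",
                    tef="medium", tcap="high", cs="medium",
                    worst_case_loss="very high", probable_loss="high")
HARDENED = replace(BASELINE, cs="very high")

if __name__ == "__main__":
    for scenario in (BASELINE, HARDENED):
        print(analyse(scenario)["statement"])
```

Raising control strength two levels drops Vuln from high to low and LEF from medium to low, which moves the articulated risk from high to medium without changing the loss magnitude estimates at all.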

Figure 2-4 Factor Analysis of Information Risk (FAIR)



Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components, using scales with value ranges, for example, very high to very low.

➢ In 2011, FAIR became the cornerstone of a commercial consulting venture, CXOWARE, which built FAIR into an analytical software suite called Risk Calibrator.
➢ In 2014, FAIR was adopted by the Open Group as an international standard for risk management and rebranded as Open FAIR™. Shortly thereafter, the publicly viewable information on the FAIR Wiki site was taken down and all Web links to the archival material were redirected to the FAIR Institute Web site or the Open Group Standards e-commerce site.
➢ In 2015, CXOWARE was rebranded as RiskLens, and the FAIR Institute was established.

ISO 27005:2011 Information Technology - Security Techniques - Information Security Risk Management


The ISO 27000 series includes a standard for the performance of risk management, ISO 27005, which includes a five-stage risk management methodology, as shown in Figure 2-5:
1. Risk assessment: As in Lecture 1, risk assessment encompasses risk analysis and risk evaluation. Risk analysis is further broken down into risk identification and risk estimation (based on likelihood and impact). The tasks performed in each step are essentially identical to those described in Lecture 1, with risk estimation from ISO 27005 encompassing the same tasks as risk analysis in this text.
2. Risk treatment: As discussed earlier in this Lecture, the standard strategies to deal with unacceptable levels of residual risk, such as risk reduction (defense), risk retention (acceptance), risk avoidance (termination), and risk transfer (transference).

3. Risk acceptance: A review of the proposed risk treatment strategies and recommendations between the RM process team and the organization's governance group. For items for which the residual risk is at or below the organization's risk appetite, the groups confirm that they will live with (accept) the current level of risk.
4. Risk communication: Discussion between the RM process team and the governance group as to the effectiveness of the RM process, the implementation of other selected treatment strategies, and communication of the implementation plans to other stakeholders.
5. Risk monitoring and review: The ongoing evaluation of the internal and external environments and other factors that may influence the RM process.

Figure 2-5: ISO 27005 information security risk management process

NIST Risk management model


The National Institute of Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/accreditation to one that follows the industry standard of effective risk management.
NIST SP 800-39: "Managing Information Security Risk: Organization, Mission, and Information
System View"
This NIST document describes a process that organizations can use to frame risk decisions, assess
risk, respond to risk when identified, and then monitor risk for ongoing effectiveness and
continuous improvement to the risk management process. The intent is to offer a complete and
organization-wide approach that integrates risk management into all operations and decisions.

Framing risk establishes the organization's context for risk-based decision making with the intent
of establishing documented processes for a risk management strategy that enables assessing,
responding to, and monitoring risk. The risk frame identifies boundaries for risk responsibilities
and delineates key assumptions about the threats and vulnerabilities found in the organization's
operating environment.

Assessing risk within the context of the organizational risk frame requires the identification of
threats, vulnerabilities, consequences of exploitation leading to losses, and the likelihood of such
losses. Risk assessment relies on a variety of tools, techniques, and underlying factors. These factors
include organizational assumptions about risk, a variety of constraints within the organization and its
environment, the roles and responsibilities of the organization's members, how and where risk
information is collected and processed, the particular approach to risk assessment in the
organization, and the frequency of periodic reassessments of risk.
Organizations will respond to risk once it is determined by risk assessments.
Risk response should provide a consistent and organization-wide process based on developing
alternative responses, evaluating those alternatives, selecting appropriate courses of action
consistent with organizational risk appetites, and implementing the selected course(s) of action.
Risk monitoring over time requires the organization to verify that planned risk response measures
are implemented and that the ongoing effectiveness of risk response measures has been achieved. In
addition, organizations should describe how changes that may impact the ongoing effectiveness of
risk responses are monitored.

Other Methods
The few methods described in this section are by no means all of the available methods. In fact, many other organizations compare methods and provide recommendations for risk management tools that the public can use. A few are listed here:
❑ Mitre: Mitre is a nonprofit organization designed to support research and development groups that have received federal funding. In its systems engineering guide, Mitre presents a risk management plan that uses a four-step approach of (1) risk identification, (2) risk impact assessment, (3) risk prioritization analysis, and (4) risk mitigation planning, implementation, and progress monitoring.
❑ European Network and Information Security Agency (ENISA): This agency of the European Union ranks 12 tools using 22 different attributes. It also provides a utility on its Web site that enables users to compare risk management methods or tools.
❑ New Zealand's IsecT Ltd.: An independent governance, risk management, and compliance consultancy, IsecT maintains the ISO 27001 Security Web site, which describes a large number of risk management methods.

Selecting the Best Risk Management Model

Most organizations already have a set of risk management practices in place. The model followed is often
an adaptation of a model mentioned earlier in this Lecture. For organizations that have no risk
management process in place, starting such a process may be somewhat intimidating.

A recommended approach is that the people assigned to implement a risk management program should
begin by studying the models presented earlier in this Lecture and identifying what each offers to the
envisioned process. Once the organization understands what each risk management model offers, it can
adapt one that is a good fit for the specific needs at hand. Other organizations may hire a consulting firm to
provide or even develop a proprietary model.

Many of these firms have made an effort to adapt approaches based on popular risk management models
and have gained expertise in customizing them to suit specific organizations.

This approach is most certainly not the least expensive option, but it guarantees that the organization
can obtain a functional risk management model as well as good advice and training for how to put it
into use. When faced with the daunting task of building a risk management program from scratch, it
may be best to talk with other security professionals, perhaps through professional security
organization meetings like ISSA, to find out how others in the field have approached this problem. Not
only will you learn what models they prefer, you may also find out why they selected a particular
model. While your peers may not disclose proprietary details about their models and how they use
them, they may at least be able to point you in a direction. No two organizations are identical, so what
works well for one organization may not work well for others.
Futon Alkharashi
[email protected]
