IS Security &

Risk Management
Organized By :
Tjahjo Adiprabowo Ir, M. Eng.

IV. Risk Management

1.

Risk Assessment

2.

Risk Mitigation

3.

9 Steps Methodology

Approach for Control Implementation

Control Categories
Cost Benefit Analysis
Residual Risk

Evaluation and Assessment

Good Security Practice

Keys for Success

4.1 Risk Assessment

Is the first process in the risk management

methodology.
Is used to determine the extent of

the potential threat and

the risk
associated with an IT system
throughout its SDLC.

The output of this process helps to identify

appropriate controls for

reducing risk or
eliminating risk
during the risk mitigation process.

Risk

Risk is a function of :

The likelihood

Of a given threat-sources
Exercising a particular potential vulnerability

And the resulting impact

Of that adverse event on the organization

Likelihood
To determine the likelihood of a future adverse
event,
Threats to an IT system must be analyzed in
conjunction with :

the potential vulnerability and

the controls in place
for the IT system

Impact

Impact refers to the magnitude of harm that could

be caused by a threats exercise of a vulnerability.
The level of impact is governed by the potential
mission impacts.

Risk Assessment Methodology

Step 1 : System Characterization

1.
1.

2.

Step 2 : Threat Identification

2.
1.
2.

1.

2.
3.

Vulnerability Sources
System Security Testing
Development of Security Requirements Checklist

Step 4 : Control Analysis

4.
1.
2.
3.

Control Methods
Control Categories
Control Analysis Technique

Step 5 : Likelihood Determination

Step 6 : Impact Analysis
Step 7 : Risk Determination

5.
6.
7.
1.
2.

9.

Threat-Source Identification
Motivation and Threat Actions

Step 3 : Vulnerability Identification

3.

8.

System-Related Information
Information-Gathering Techniques

Risk-Level Matrix
Description of Risk Level

Step 8 : Control Recommendation

Step 9 : Result Documentation

I/O of Step 1 System

Characterization

Input

Hardware
Software
System Interfaces
Data and Information
People
System mission

Output

System Boundary
System Functions
System and Data Criticality
System and Data Sensitivity

I/O of Step 2 Threat Identification

Input

History of system attack

Data from intelligence agencies, mass media

Output

Threat Statement

I/O of Step 3 Vulnerability

Identification

Input

Reports from prior risk assessments

Any audit comments
Security requirements
Security test results

Output

List of Potential Vulnerabilities

I/O of Step 4 Control

Analysis

Input

Current controls
Planned controls

Output

List of Current and Planned Controls

I/O of Step 5 Likelihood

Determination

Input

Threat-source motivation
Threat capacity
Nature of vulnerability
Current controls

Output

Likelihood Rating

I/O of Step 6 Impact Analysis

List of impact :

Input

Loss of Integrity
Loss of Availability
Loss of Confidentiality
Mission impact analysis
Asset criticality assessment
Data criticality
Data sensitivity

Output

Impact Rating

Integrity

The security goal that generates the requirement for protection

against either intentional or accidental attempts to violate data
integrity or system integrity.
data integrity :
the property that data has when it has not been altered in an
unauthorized manner.
system integrity :
the quality that a system has when it performs its intended
function in an unimpaired manner, free from unauthorized
manipulation.

Availability

The security goal that generates the requirement for

protection against

Intentional or accidental attempts to

perform unauthorized deletion of data or
otherwise cause a denial of service or data
Unauthorized use of system resources.

Confidentiality

The security goal that generates the

requirement for protection from intentional or
accidental attempts to perform unauthorized
data reads.
Confidentiality covers data in storage, during
processing, and in transit.

I/O of Step 7 Risk Determination

Input

Likelihood of threat exploitation

Magnitude of impact
Adequacy of planned or current controls

Output

Risks and Associated Risk Levels

I/O of Step 8 Control

Recommendations

Input

Results of Risk Determination Step.

Output

Recommended Controls

I/O of Step 9 Results

Documentation

Input

Results of Control Recommendation Step

Output

Risk Assessment Report

Risk Assessment Methodology Flowchart

Step 1 : System Characterization

Identifies the boundaries of the IT systems :

Resources
Information
That constitute the system

Establishes the scope of the risk assessment effort

Delineates the operational authorization boundaries
Provides information essential to defining the risk

System-Related Information

Identifying risk for an IT system requires a

keen understanding of the systems
processing environment.

System-Related Information
Classification

Hardware
Software
System interfaces (e.g., internal and external
connectivity)
Data and information
Persons who support and use the IT system
System mission (e.g., the processes performed
by the IT system)
System and data criticality (e.g., the systems
value or importance to an organization)
System and data sensitivity

Information related to the

operational environment (1 of 3)

The functional requirements of the IT system

Users of the system
System users who provide technical support to the IT system
Application users who use the IT system to perform business
functions
System security policies governing the IT system
Organizational policies
Regulatory requirements
Laws
Industry practices
System security architecture
Current network topology
network diagram

Information related to the

operational environment (2 of 3)

Information storage protection that safeguards

Flow of information pertaining to the IT system

System interfaces
System input and output flowchart

Technical controls used for the IT system

System and data availability

System and data integrity
System and data confidentiality

Built-in or add-on security product that supports identification and authentication

Discretionary or mandatory access control
Audit
Residual information protection
Encryption methods

Management controls used for the IT system

Rules of behavior
Security planning

Information related to the

operational environment (3 of 3)

Operational controls used for the IT system

Personnel security
Backup
Contingency
Resumption and recovery operations
System maintenance
Off-site storage
User account establishment and deletion procedures
Controls for segregation of user functions :

Physical security environment of the IT system

Privileged user access

Standard user access

Facility security
Data center policies

Environmental security implemented for the IT system processing environment, e.g.,

controls for :

Humidity
Water
Power
Pollution
Temperature
Chemicals

For a system that is in the

initiation or design phase

System information can be derived from the design

or requirements document.
It is necessary to define :

Key security rules

Key security attributes
Planned for the future IT system

System design documents and the system security

plan can provide useful information about the
security of an IT system that is in development

For an operational IT system

Data is collected about the IT system in its

production environment, including data on:

System configuration
System connectivity
Documented and undocumented procedures
Documented and undocumented practices

The system description can be based on the

security provided :

By the underlying infrastructure

On future security plans for the IT system

Information-Gathering Techniques
Any, or a combination, of the following
techniques can be used in gathering
information relevant to the IT system within
its operational boundary :
Questionnaire
On-site Interviews
Document Review
Use of Automated Scanning Tool.

Questionnaire

To collect relevant information concerning:

Should be distributed to

The management controls

The operational controls
Planned or used for the IT system

The applicable technical and non-technical

management personnel who are designing or
supporting the IT system.

The questionnaire could also be used during

on-site visits and interviews.

On-site Interviews

Interviews with :

Collect useful information about IT system :

How the system is operated and managed

Observe and gather information about :

IT system support
Management personnel

Physical security of the IT system

Environmental security of the IT system
Operational security of the IT system

Achieve a better understanding of the operational characteristics of an

organization.
For systems still in the design phase :

On-site visit would be face-to-face data gathering exercises

On-site visit could provide the opportunity to evaluate the physical
environment
In which the IT system will operate

Document Review

Good information about the security controls used by and planned for the IT
system :

Policy documents

System documentation

System user guide

System administrative manual
System design and requirement document
Acquisition document

Security-related documentation

Legislative documentation
Directives

Previous audit report

Risk assessment report
System test results
System security plan
Security policies

Information regarding system and data criticality and sensitivity :

An organizations mission impact analysis

An organizations asset criticality assessment

Use of Automated Scanning

Tool

Proactive technical methods can be used to

collect system information efficiently.
For example :

A network mapping tool :

Can identify the services that run on a large group of

hosts
Can provide a quick way of building individual profiles
of the target IT systems.

Output from Step 1

Characterization of the IT system assessed

A good picture of the IT system environment
Delineation of system boundary

Risk Assessment Methodology Flowchart

Step 2 : Threat Identification

Threat :

Vulnerability :

The potential for a particular threat-source to successfully exercise a

particular vulnerability
Weakness that can be accidentally triggered or intentionally
exploited.

Threat-source :

Any circumstance or event with the potential to cause harm to an IT

system.

Intent and method targeted at the intentional exploitation of a

vulnerability
A situation and method that may accidentally trigger a vulnerability

A threat-source does not present a risk when there is no

vulnerability that can be exercised.
Items that must be considered in determining the likelihood of a
threat :

Threat-sources
Potential vulnerabilities
Existing controls

Threat-Source Identification

The goal of this step is :

To identify the potential threat-sources

To compile a threat statement listing potential
threat-sources
That are applicable to the IT system being
evaluated.

Common Threat-Sources

Natural Threats

Floods
Earthquakes
Tornadoes
Landslides
Avalanches
Electrical storms
And other such events

Human Threats

Events that are either enabled by or caused by human beings, such as :

Unintentional acts

Deliberate actions

Inadvertent data entry

Network based attacks
Malicious software upload
Unauthorized access to confidential information

Environmental Threats

Long-term power failure

Pollution
Chemicals
Liquid leakage

In assessing threat-sources

It is important to consider

All potential threat-sources

Its processing environment

For example :

An IT system located in a desert

Low likelihood of natural flood

A bursting pipe can quickly flood a computer room

Humans can be threat-sources through :

Intentional acts :

A malicious attempt to gain unauthorized access to an IT system in

order to compromise system and data integrity, availability, or
confidentiality
A benign attempt to bypass system security

For example : a programmers writing a Trojan horse program.

Unintentional acts :

Negligence
errors

Motivation and Threat Actions

Motivation and the resources for carrying out

an attack make humans potentially
dangerous threat-sources.
This information will be useful to
organizations :

Studying their human threat environments

Customizing their human threat statements

Additional information

Reviews of the history of system break-ins

Security violation reports
Incident reports
Interviews with

System administrators
Help desk personnel
User community
During information gathering

Will help identify human threat-sources

Human Threat-Source

Hacker, cracker
Computer criminal
Terrorist
Industrial espionage

Companies
Foreign governments
Other government interests

Insiders

Poorly trained
Disgruntled
Malicious
Negligent
Dishonest
Terminated employees

Hacker, Cracker

Motivation :

Challenge
Ego
Rebellion

Threat Actions :

Hacking
Social engineering
System intrusion, break-ins
Unauthorized system access

Computer Criminal

Motivation :
Destruction on information
Illegal information disclosure
Monetary gain
Unauthorized data alteration
Threat Actions :
Computer crime

Fraudulent act

Cyber stalking
Replay
Impersonation
Interception

Information bribery
Spoofing
System intrusion

Terrorist

Motivation :

Blackmail
Destruction
Exploitation
Revenge

Threat Actions :

Bomb/Terrorism
Information warfare
System attack
Distributed denial of service
System penetration
System tampering

Industrial Espionage

Motivation :
Competitive advantage
Economic espionage
Threat Actions :
Economic exploitation
Information theft
Intrusion on personal privacy
Social engineering
System penetration
Unauthorized system access

Access to classified information

Access to proprietary information
Access to technology-related information

Insiders

Motivation :

Curiosity
Ego
Intelligence
Monetary gain
Revenge
Unintentional errors and omissions :

Data entry error

Programming error

Insiders

Threat Actions :
Assault on an employee
Blackmail
Browsing of proprietary information
Computer abuse
Fraud and theft
Information bribery
Input of falsified, corrupted data
Malicious code :

Virus
Logic bomb
Trojan horse

Sale of personal information

System bugs
System intrusion
System sabotage
Unauthorized system access

After the potential threat-sources

have been identified

An estimate of the

Motivation
Resources
Capabilities
That may be required to carry out a successful
attack

Should be developed
In order to determine the likelihood of a
threats exercising a system vulnerability.

After the potential threat-sources

have been identified

The threat statement, or the list of potential threatsources

Should be tailored
To the individual organization and its processing
environment

Information on natural threats

End-user computing habits.

Floods
Earthquakes
Storms

Should be readily available.

Additional information

Known threats have been identified by many

government and private organizations.
Intrusion detection tools also are becoming more
prevalent.
Government and industry organizations continually
collect data on security events.
Sources of information :

Intelligence agencies
Mass media, particularly web-based resources such as
SecurityFocus.com, SecurityWatch.com, SANS.org

Improving the ability to realistically asses threats.

Output from Step 2

A threat statement containing a list of threatsources that could exploit system

vulnerabilities

Risk Assessment Methodology Flowchart

Step 3 : Vulnerability Identification

The goal of this step is :

To develop a list of system vulnerabilities

Flaws
Weaknesses

That could be exploited by the potential threatsources.

Vulnerability

A flaw or weakness
In :
System security procedures
Design
Implementation
Internal control
That could be exercised
Accidentally triggered
Intentionally exploited
Result in
A Security breach
A violation
Of the systems security policy

Example of Vulnerability/Threat
Pair 1 of 4

Vulnerability :

Threat-source :

Terminated employees system identifiers (ID) are

not removed from the system
Terminated employees

Threat Action :

Dialing into the companys network and accessing

company proprietary data

Example of Vulnerability/Threat
Pair 2 of 4

Vulnerability :

Threat-source :

Company firewall allows inbound telnet, and guest ID is

enabled on XYZ server
Unauthorized users :
Hackers
Terminated employees
Computer criminals
Terrorists

Threat Action :

Using telnet to XYZ server and browsing system files with

the guest ID

Example of Vulnerability/Threat
Pair 3 of 4

Vulnerability :

Threat-source :

The vendor has identified flaws in the security design of the

system; however, new patches have not been applied to
the system
Unauthorized users :
Hackers
Disgruntled employees
Computer criminals
Terrorists

Threat Action :

Obtaining unauthorized access to sensitive system files

based on known system vulnerabilities.

Example of Vulnerability/Threat
Pair 4 of 4

Vulnerability :

Threat-source :

Data center uses water sprinklers to suppress fire;

tarpaulins to protect hardware and equipment from water
damage are not in place
Fire
Negligent persons

Threat Action :

Water sprinklers being turned on in the data center

Recommended Methods

For identifying system vulnerabilities are the

use of :

Vulnerability sources
The performance of system security testing
The development of a security requirements
checklist

Variety of the vulnerability

identification

The IT system has not yet been designed

The IT system is being implemented
The IT system is operational

If the IT system has not yet been

designed

The search for vulnerabilities should focus on

:

The organizations security policies

The planned security procedures
The system requirement definitions
The vendors or developers security product
analyses

If the IT system is being

implemented

The identification of vulnerabilities should be

expanded to include more specific
information :

The planned security features described in the

security design documentation
The results of system certification test and
evaluation

If the IT system is operational

The process of identifying vulnerabilities

should include an analysis of

The IT system security features

The IT system security controls
The IT system technical and procedural
Used to protect the system

Vulnerability Sources

Can be identified via the informationgathering techniques

A review of other industry sources
The Internet
Documented vulnerability sources

Documented Vulnerability Sources

Previous risk assessment documentation of the IT system assessed

Reports :

The IT systems audit

System anomaly
Security review
System test and evaluation

Vulnerability lists
Security advisories
Vendor advisories
Commercial computer incident/emergency response teams and post
lists
Information Assurance Vulnerability Alerts and bulletins for military
systems
System software security analyses

System Security Testing

Proactive methods, employing system

testing, can be used to identify system
vulnerability efficiently, depending on :

The criticality of the IT system

Available resources :

Allocated funds
Available technology
Persons with the expertise to conduct the test

Test Method

Automated vulnerability scanning tool

Security test and evaluation (ST&E)
Penetration testing
The results will help identify a systems
vulnerabilities.

Automated Vulnerability Scanning

Tool

It is used to scan a group of hosts or a network for

known vulnerable services :

System allows anonymous File Transfer Protocol (FTP)

Some of the potential vulnerabilities identified by the

automated scanning tool may not represent real
vulnerabilities in the context of the system
environment.

Some of these scanning tools rate potential vulnerabilities

without considering the sites environments and
requirements.

ST & E

It includes the development and execution of a test plan

Test script
Test procedures
Expected test results
The purpose is :
To test the effectiveness of the security controls of an IT system
as they have been applied in an operational environment
To ensure that the applied controls :

Meet the approved security specification for the software and

hardware
Implement the organizations security policy
Meet industry standards

Penetration Testing

It can be used to complement the review of security controls

It can ensure that different facets of the IT system are secured.
It can be used to assess an IT systems ability to :
Withstand intentional attempts
Circumvent system security
The objective is to :
Test the IT system from the viewpoint of a threat-source
Identify potential failures in the IT system protection schemes.

Development of Security
Requirements Checklist

During this step, the risk assessment personnel

determine whether the security requirements

Stipulated for the IT system

Collected during system characterization

Are being met by existing or planned security

controls.
The system security requirements can be presented
in table form, with each requirement accompanied
by an explanation of how the system design or
implementation does or does not satisfy that security
control requirement.

Security Requirement
Checklist

Contains the basic security standard that can be used to

systematically
evaluate
identify
The vulnerability of
Assets

personnel
hardware
software
information

Non automated procedures

Processes
Information transfers
associated with a given IT system in the following security areas :

Management
Operational
Technical

Security Criteria
of Management Security

Assignment of responsibilities
Continuity of support
Incident response capability
Periodic review of security controls
Personnel clearance and background investigations
Risk assessment
Security and technical training
Separation of duties
System authorization and reauthorization
System or application security plan

Security Criteria
of Operational Security

Control of airborne contaminants (smoke, dust,

chemicals)
Controls to ensure the quality of the electrical power
supply.
Data media access and disposal
External data distribution and labeling
Facility protection (e.g., computer room, data center,
office)
Humidity control
Workstations, laptops, and stand-alone personal
computers

Security Criteria
of Technical Security

Communication (e.g., dial-in, system

interconnection, routers)
Cryptography
Discretionary access control
Identification and authentication
Intrusion detection
Object reuse
System audit

Outcome & Sources

The outcome of this process is the security requirements

checklist.
Sources that can be used in compiling such a checklist include :
System security plan of the IT system assessed.
The organizations security policies, guidelines and standards.
Industry practices.
The result of the checklist can be used as input for an evaluation
of compliance and noncompliance.
This evaluation process identifies :
System weaknesses
Process weaknesses
Procedural weaknesses
That represent potential vulnerabilities.

Output from Step 3

A list of the system vulnerabilities

(observations) that could be exercised by the
potential threat-sources.

Risk Assessment Methodology Flowchart

Step 4 : Control Analysis

Goal :

analyze the controls

that have been implemented,

or are planned for implementation,
by the organization

to minimize
or eliminate
the likelihood (or probability) of a threats
exercising a system vulnerability.

Example of Control Analysis

A vulnerability

if there is a low level of

threat-source interest
or capability

or if there are effective security controls

is not likely to be exercised

or the likelihood is low

that can eliminate,

or reduce the magnitude of ,

harm.

Control Methods

Technical controls
Non-technical controls

Technical Controls

Are safeguards that are incorporated into :

Computer hardware
Software
Firmware :

Access control mechanisms

Identification and authentication mechanisms
Encryption methods
Intrusion detection software

Non-Technical Controls

Are management and operational controls

such as :

Security policies
Operational procedures
Security of :

Personnel
Physic
Environment

Control Categories

Preventive controls
Detective controls

Preventive Controls

Inhibit attempts to violate security policy

Include such controls as :

access control enforcement,

encryption,
authentication.

Detective Controls

Warn of violations or attempted violations of

security policy
Include such controls as :

audit trails,
intrusion detection methods,
checksums.

Control Analysis Technique

Efficient and systematic control analysis :

Development of a security requirements checklist

Can be used to validate :

Use of an available checklist

It is essential to update such checklists to reflect

changes in an organizations control environment :

Security noncompliance
Security compliance

Changes in security policies

Changes in security methods
Changes in security requirements

To ensure the checklists validity

Output from Step 4

List of current or planned controls

Used for the IT systems

To mitigate the likelihood of a vulnerabilitys

being exercised and
To reduce the impact of such an adverse
event.

Risk Assessment Methodology Flowchart

Step 5 : Likelihood
Determination

To derive an overall likelihood rating

that indicates the probability
that a potential vulnerability may be exercised
within the associated threat environment,
the following factors must be considered :

Threat-source motivation and capability

Nature of the vulnerability
Existence and effectiveness of current controls

Likelihood Level

High
Medium
Low

Likelihood Definitions

Likelihood Level : High

Likelihood Definition :

The threat-source is highly motivated and

sufficiently capable, and controls to prevent the
vulnerability from being exercised are ineffective

Likelihood Definitions

Likelihood Level : Medium

Likelihood Definition :

The threat source is motivated and capable, but

controls are in place that may impede successful
exercise of the vulnerability.

Likelihood Definitions

Likelihood Level : Low

Likelihood Definition :

The threat-source lacks motivation or capability,

or controls are in place to prevent, or at least
significantly impede, the vulnerability from being
exercised.

Output from Step 5

Likelihood rating :

High
Medium
Low

Risk Assessment Methodology Flowchart

Step 6 : Impact Analysis

The necessary information needed :
System mission

System and data criticality

(e.g., the processes performed by the IT system)

(e.g., the systems value or importance to an
organization)

System and data sensitivity.

Mission Impact Analysis

It prioritizes the impact levels

associated with the compromise of an
organizations information assets
based on a qualitative or quantitative
assessment
of the sensitivity and criticality of those
assets.

Asset criticality assessment

Identifies and prioritizes the sensitive and

critical organization information assets :

Hardware
Software
Systems
Services
Related technology assets

That support organizations critical missions.

Responsibility

The system & information owners are the

ones responsible for determining the impact
level for their own system and information.
Consequently, in analyzing impact, the
appropriate approach is to interview the
system & information owner(s).

Security goals
The adverse impact of a security event can be
described in terms of LOSS or
DEGRADATION of any, or a combination of
any, of the following three security goals :
Integrity
Availability
Confidentiality

Loss of Integrity

System & data integrity refers to the requirement that

information be protected from improper modification.
Integrity is lost if unauthorized changes are made to the
data or IT system by either intentional or accidental acts.
If the loss of system or data is not corrected, continued use
of the contaminated system or corrupted data could result
in inaccuracy, fraud, or erroneous decisions.
Violation of integrity may be the first step in a successful
attack against system availability or confidentiality.
For all these reasons, loss of integrity reduces the
assurance of an IT systems.

Loss of Availability

If a mission critical IT system is unavailable to

its end users, the organizations mission may
be affected.
Example :

Loss of system functionality

Loss of system operational effectiveness
Result in loss of productive time
Impeding the end users performance of their
functions in supporting the organizations mission.

Loss of Confidentiality

System & data confidentiality refers to the protection

of information from unauthorized disclosure.
The impact of unauthorized disclosure of
confidential information can range :

From the jeopardizing of national security

To the disclosure of Privacy Act data.

Unauthorized, unanticipated, or unintentional

disclosure could result in :

Loss of public confidence

Embarrassment
Legal action against the organization

Impacts Categories

Some tangible impacts can be measured quantitatively in :

Lost revenue
The cost of repairing the system
The level of effort required to correct problems caused by a
successful threat action
Other impacts e.g :
Loss of public confidence
Loss of credibility
Damage to an organizations interest
Cannot be measured in specific units, but can be qualified or
described in terms of :
High impacts
Medium impacts
Low impacts

Magnitude of Impact
Definitions

Qualitative Impact Analysis

The main advantage :

It prioritizes the risks and identifies areas for

immediate improvement in addressing the
vulnerabilities.

The disadvantage :

It does not provide specific quantifiable

measurements of the magnitude of the impacts
Therefore making a cost-benefit analysis of any
recommended controls difficult.

Quantitative Impact Analysis

The major advantage :

It provides a measurement of the impacts magnitude

Which can be used in the cost-benefit analysis of
recommended controls.

The disadvantage :

Depending on the numerical ranges used to express the

measurement,
The meaning of the quantitative impact analysis may be
unclear,
Requiring the result to be interpreted in a qualitative
manner.

Additional Factors

Estimation of the frequency of the threatsources exercise of the vulnerability over a

specific time period (e.g., 1 year).
Approximate cost for each occurrence of the
threat-sources exercise of the vulnerability.
Weighted factor based on a subjective
analysis of the relative impact of a specific
threats exercising a specific vulnerability.

Output from Step 6

Magnitude of impact :

High
Medium
Low

Risk Assessment Methodology Flowchart

Step 7 : Risk Determination

The purpose of this step is to assess the level

of risk to the IT system.

Risk Determination
Components

The determination of risk for a particular

threat/vulnerability pair can be expressed as
a function of :

The likelihood of a given threat-sources

attempting to exercise a given vulnerability.
The magnitude of the impact should a threatsource successfully exercise the vulnerability.
The adequacy of planned or existing security
controls for reducing or eliminating risks.

Risk Level Matrix

Mission risk = threat likelihood ratings X

threat impact ratings
Next table shows how the overall risk ratings
might be determined based on inputs from
the threat likelihood and threat impact
categories.
The next matrix is a 3 x 3 matrix of threat
likelihood (High, Medium, and Low) and
threat impact (High, Medium, and Low).

Matrix Dimension

Depending on the sites requirements and the

granularity of the risk assessment desired,
some sites may use a 4 x 4 or 5 x 5 matrix.
The latter can include a Very Low / Very High
threat likelihood and a Very Low / Very High
threat impact to generate a Very Low / Very
High risk level.
A Very High risk level may require possible
system shutdown or stopping of all IT system
integration and testing efforts.

Determination of Risk Levels

The next sample matrix shows how the overall risk

levels of High, Medium, and Low are derived.
The determination of these risk levels or ratings may
be subjective.
The rationale for this justification can be explained in
terms of the probability assigned for each threat
likelihood level and a value assigned for each
impact level.
For example :

The probability assigned for each threat likelihood level is

1.0 for High, 0.5 for Medium, 0.1 for Low.
The value assigned for each impact level is 100 for High,
50 for Medium, and 10 for Low.

Sample of Risk Level Matrix

Table

Description of Risk Level

The next table describes the risk levels

shown in the previous matrix.
This risk scale, with its ratings of High,
Medium, and Low, represents the degree or
level of risk to which an IT system, facility, or
procedure might be exposed if a given
vulnerability were exercised.
The risk scale also presents actions that
senior management, the mission owners,
must take for each risk level.

Risk Scale and Necessary

Actions Table

Output from Step 7

Risk Level :

High
Medium
Low

Risk Assessment Methodology Flowchart

Step 8 : Control
Recommendations

During this step of process, controls that could

mitigate or eliminate the identified risks, as
appropriate to the organizations operations, are
provided.
The goal of the recommended controls is to reduce
the level of risk to the IT system and its data to an
acceptable level.
The control recommendations are the results of the
risk assessment process and provide input to the
risk mitigation process, during which the
recommended procedural and technical security
controls are evaluated, prioritized, and implemented.

Factors should be considered

Effectiveness of recommended options (e.g.,

system compatibility)
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability

Additional consideration

It should be noted that not all possible recommended

controls can be implemented to reduce loss.
To determine which ones are required and appropriate for a
specific organization, a cost-benefit analysis should be
conducted for the proposed recommended controls, to
demonstrate that the costs of implementing the controls
can be justified by the reduction in the level of risk.
The operational impact (e.g., effect on system
performance) and feasibility (e.g., technical requirements,
user acceptance) of introducing the recommended option
should be evaluated carefully during the risk mitigation
process.

Output from step 8

Recommendation of control(s) and alternative

solutions to mitigate risk.

Risk Assessment Methodology Flowchart

Step 9 : Results
Documentation

Once the risk assessment has been

completed :

Threat-sources and vulnerabilities identified

Risks assessed
Recommended controls provided

The result should be documented in an

official report or briefing.

Considerations

A risk assessment report is a management report

that helps senior management, the mission owners,
make decisions on policy, procedural, budget, and
system operational and management changes.
A risk assessment report should be presented as a
systematic and analytical approach to assessing risk
so that senior management will understand the risks
and allocate resources to reduce and correct
potential losses.
For this reasons, some people prefer to address the
threat/vulnerability pairs as observations instead of
findings in the risk assessment report.

Output from Step 9

Risk assessment report that :

describes the threats and vulnerabilities,

measures the risk, and
provides recommendations for control
implementation.

Risk Assessment Methodology Flowchart

Good Luck