Risk Management

Risk management strategies are determined by both internal and external factors.
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk management process (as diagrammed on the slide):
Risk Assessment: Identification, Analysis, Evaluation
Risk Treatment: Avoid, Reduce, Transfer, Retain
Risk Communication & Monitoring runs alongside both.
Risk management cycle:
1. Establish scope & boundaries
2. Set risk appetite
3. Identify & assess risks
4. Develop risk management plan
5. Implement risk management plan
6. Proactive monitoring
Security Evaluation: Risk Assessment
Five steps include:
1. Assign values to assets
2.
3.
4.
5. Treat risk
Step 1: Determine Value of Assets
Identify & determine the value of assets (crown jewels). Assets include:
Tangible: valued in $
Intangible: rated High/Med/Low
Valuation worksheet, one row per product (Product A, Product B, Product C, sized by records held: 1-10K, 10K, 10M records), with columns: Sales, Replacement Cost, Cost of loss of integrity, Cost of loss of availability, Cost of loss of confidentiality, Fines/Regulatory Loss, Market Loss, Expected Yearly Loss (3-year view).
Step 1: Determine Value of Assets (workbook)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Laptop | $1,000 | | Availability (e.g., due to fire or theft)
Equipment | $10,000 | |
Threat sources, their motivation, and the result:
Threat | Motivation | Result
Hacker | Challenge | Unauthorized access
Criminal | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DOS, info warfare
Industry spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Vulnerability categories:
Misinterpretation: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Behavioral: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
Coding problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical vulnerabilities: Fire, flood, negligence, theft, no redundancy
Step 3: Estimate Likelihood of Exploitation
Best sources:
Past experience
National & international standards & guidelines: NIPC, OIG, FedCIRC etc.
Specialists and expert advice
Market research & analysis
If no good numbers emerge, estimates can be used.
Likelihood of Exploitation:
Sources of Losses
Lost laptop/device 35%
Third party or outsourcer 21%
Electronic backup 19%
Paper records 9%
Malicious insider or code 9%
Hacked system 7%
Vulnerability Assessment Quadrant Map (workbook): threats plotted by Threat (Probability) against Vulnerability (Severity). Items plotted: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy, Fire, Terrorist.
Likelihood scale:
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Impact scale:
Insignificant: No meaningful impact
Minor: Impacts a small part of the business, <$1M
Major: Impacts company brand, >$1M
Material: Requires external reporting, >$200M
Catastrophic: Failure or downsizing of company
Risk = Impact * Likelihood
Qualitative matrix: Impact rows Material (4), Major (3), Minor (2), Insignificant (1) against Likelihood columns Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5); each cell is the product of the two ratings.
Quantitative matrix (annual loss = single loss x ARO), e.g. $150K x .1 = $15K:
Single loss | ARO 1 | ARO .2 | ARO .1 | ARO .05
$1K | 1K | 200 | 100 | 50
$10K | 10K | 2K | 1K | 0.5K
$100K | 100K | 20K | 10K | 5K
$1M | 1000K | 200K | 100K | 50K
Quantitative Risk Workbook
Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Fire | $1M | .05 (20 years) | $50K
Laptop Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $2K
NIST Risk Assessment Methodology
Activity | Output
System Characterization | System/data criticality; System/data sensitivity
Identify Threats | List of threats & vulnerabilities
Identify Vulnerabilities | (same list of threats & vulnerabilities)
Analyze Controls |
Determine Likelihood | Likelihood Rating
Analyze Impact | Impact Rating
Determine Risk | Documented Risks
Recommend Controls | Recommended Controls
Document Results | Risk Assessment Report
Inputs drawn on: Company history; Intelligence agency data: NIPC, OIG; Audit & test results; Business Impact Analysis; Data Criticality & Sensitivity analysis.
Control Types (diagram): a Threat creates an Attack, which exploits a Vulnerability and results in Impact. Deterrent controls reduce the likelihood of the threat; Preventive controls reduce the likelihood of the vulnerability being exploited; Detective controls act on the attack; Corrective controls decrease the impact; Compensating controls stand in where a primary control is missing.
Threat, vulnerability, impact and controls (diagram): Threat -> Risk probability -> Vulnerability -> Impact -> Residual risk. Deterrent controls act on the threat; Mitigating, Detective, and Preventive controls act on the vulnerability; Corrective controls act on the impact; what remains after controls is residual risk.
Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K
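Worked example of the quantitative workbook and the control cost table above (added code, not from the slides). It uses the slides' figures (fire $1M once in 20 years, stolen laptop $1K + $9K once in 5 years, $60 for encryption); the assumption that encryption removes the breach notification cost is mine.

```python
"""Risk workbook helpers: ALE = SLE x ARO, Risk = Impact x Likelihood,
and a cost/benefit check for a control. Added example, not slide code."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    direct_loss: float    # replacement cost of the asset per incident
    consequential: float  # fines, notification, lost business per incident
    aro: float            # annualized rate of occurrence (1 / years between events)

    @property
    def sle(self) -> float:
        """Single loss expectancy: everything one incident costs."""
        return self.direct_loss + self.consequential

    @property
    def ale(self) -> float:
        """Annual loss expectancy: SLE x ARO."""
        return self.sle * self.aro


def aro_from_years(years: float) -> float:
    """ARO for an event expected once every `years` (20 years -> 0.05)."""
    return 1.0 / years


def qualitative_score(impact: int, likelihood: int) -> int:
    """Risk = Impact (1-4) x Likelihood (1-5) on the slides' scales."""
    if not (1 <= impact <= 4 and 1 <= likelihood <= 5):
        raise ValueError("impact must be 1-4, likelihood 1-5")
    return impact * likelihood


def control_net_benefit(before: Risk, after: Risk, annual_cost: float) -> float:
    """Yearly saving a control buys: ALE reduction minus its cost (negative = not worth it)."""
    return before.ale - after.ale - annual_cost


# Rows constructed from the slides' workbook figures.
FIRE = Risk("Fire", 1_000_000, 0, aro_from_years(20))
LAPTOP = Risk("Stolen laptop", 1_000, 9_000, aro_from_years(5))
# Assumption (not from the slides): encryption removes the $9K breach
# notification cost but not the $1K replacement; $60 is the slides' control cost.
LAPTOP_ENCRYPTED = Risk("Stolen laptop, encrypted", 1_000, 0, LAPTOP.aro)

if __name__ == "__main__":
    for r in (FIRE, LAPTOP):
        print(f"{r.name}: SLE=${r.sle:,.0f} ARO={r.aro} ALE=${r.ale:,.0f}")
    print(f"Encryption net benefit/yr: ${control_net_benefit(LAPTOP, LAPTOP_ENCRYPTED, 60):,.0f}")
```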
Extra Step: Step 6: Risk Monitoring
Monitoring log (workbook) entries include: Stolen Laptop, in investigation; HIPAA Incident Response, with cost overruns ($200K, $400K); Flaws in physical security, training occurred ($200K training).
Trend chart (workbook): % Misuse (0-90) for Stolen Laptop and Virus/Worm across Year 1, Year 2, Year 3, Year 4.
Risk Management
Risk management is aligned with business strategy & direction.
Risk management must be a joint effort between all key business units & IS.
Business-driven (not technology-driven).
Steering Committee: Sets risk management priorities; defines risk management objectives to achieve business strategy.
IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.
Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
Vocabulary to study
Questions?
Case study roles:
Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Medical Admin
Pat, Software Consultant
Medical DB loss components: Daily Operation (DO), Medical Malpractice (M), HIPAA Liability (H), Notification Law Liability (NL)
Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | C? I? A? | Confidentiality, Integrity, and Availability Notes
Medical DB | | DO+M+H+NL | C IA |
HIPAA criminal penalties:
Offense | Fine | Prison
Wrongful disclosure of individually identifiable health information | | Up to one year
... committed under false pretenses | Up to $100K | Up to 5 years
... with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims,
Threats to the business (workbook): Threat (Probability / ARO) plotted against Vulnerability (Severity). Threats listed: Hacker/Criminal, Loss of Electricity, Snow Emergency, Malware, Pandemic, Failed Disk, Tornado/Wind Storm, Stolen Laptop, Flood, Earthquake, Social Engineering, Intruder, Fire. ARO scale: 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02).