
Lecture 07: Risk Management

How Much to Invest in Security?


How much is too much?
Firewall
Intrusion Detection/Prevention
Guard
Biometrics
Virtual Private Network
Encrypted Data & Transmission
Card Readers
Policies & Procedures
Audit & Control Testing
Antivirus / Spyware
Wireless Security

How much is too little?


Hacker attack
Internal Fraud
Loss of Confidentiality
Stolen data
Loss of Reputation
Loss of Business
Penalties
Legal liability
Theft

Security is a Balancing Act between Security Costs & Losses

Risk Management

Risk management strategies are determined by both internal & external factors.
Risk Tolerance or Appetite: The level of risk that management is comfortable with.

Risk Management Process

Establish Scope & Boundaries: What to investigate? What to consider?
Risk Assessment:
  Identification: What assets & risks exist?
  Analysis: What does this risk cost?
  Evaluation: What priorities shall we set? What controls can we use?
Risk Treatment:
  Avoid
  Reduce
  Transfer
  Retain (accept residual risk)
Risk Communication & Monitoring (runs alongside all of the above)

Risk Appetite

Do you operate your computer with or without antivirus software?
Do you have antispyware?
Do you open emails with forwarded attachments from friends or follow questionable web links?
Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite?
If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.
In risk management, risk appetite is the level of risk an organization is prepared to accept.

Continuous Risk Mgmt Process

Risks change with time as business & environment changes
Controls degrade over time and are subject to failure
Countermeasures may open new risks

Cycle, bounded by risk appetite: Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> (back to Identify & Assess Risks)

Security Evaluation: Risk Assessment
Five steps include:
1. Assign Values to Assets: Where are the Crown Jewels? Confidentiality, Integrity, Availability
2. Determine Loss due to Threats & Vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Risk Exposure = Probability of risk occurring x total loss if risk occurs
5. Treat Risk: Survey & select new controls; Reduce, Transfer, Avoid or Accept risk
   Risk Leverage = ((Risk exposure before reduction) - (Risk exposure after reduction)) / (Cost of risk reduction)

Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
Assets include:
IT-Related: Information/data, hardware, software, services, documents, personnel
Other: Buildings, inventory, cash, reputation, sales opportunities

What is the value of this asset to the company?
How much of our income can we attribute to this asset?
How much would it cost to recover this?
How much liability would we be subject to if the asset were compromised?

Determine Cost of Assets

For each asset (Product A, Product B, Product C) record:
  Costs: Tangible $ (e.g., sales attributable to the asset); Intangible: High/Med/Low
  Risk:
    Replacement Cost =
    Cost of loss of integrity =
    Cost of loss of availability =
    Cost of loss of confidentiality =

Matrix of Loss Scenario
(taken from CISM Exhibit 2.16; columns: Size of Loss, Reputation Loss, Lawsuit, Fines/Reg. Loss, Market Loss, Exp. Yearly Loss)

Hacker steals customer data; publicly blackmails company: 1-10K records; $1M-$20M; $1M-$35M; $1M-$5M; $10M
Employee steals strategic plan; sells data to competitor: 3-year
Backup tapes and customer data found in garbage; makes front-page news: 10M records; $20M; $20M
Contractor steals employee data; sells data to hackers: 10K records; $5M; $10M
Remaining cell values from the exhibit (column assignment lost in extraction): $1M-$10M; $20M; $2M; $10M; $5M; $200K; $200K

Step 1: Determine Value of Assets (Workbook)

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Laptop     | $1,000                           | $130 x #Cust = $9,000 (Breach Notification Law); Reputation | Conf., Avail.
Equipment  | $10,000                          | $2k per day in income                                      | Availability (e.g., due to fire or theft)

Step 2: Determine Loss Due to Threats
Natural: Flood, fire, cyclones,
rain/snow, and earthquakes
Unintentional: Fire, water,
building damage/collapse, loss
of utility services, and
equipment failure
Intentional: Fire, water, theft,
vandalism
Intentional, non-physical:
Fraud, espionage, hacking,
identity theft, malicious code,
social engineering, phishing,
denial of service

Threat Agent Types

Threat Agents    | Motivation                                      | Result
Hackers/Crackers | Challenge                                       | Unauthorized access
Criminals        | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists       | Destruction/revenge/extortion                   | DOS, info warfare
Industry Spies   | Competitive advantage                           | Info theft, econ. exploitation
Insiders         | Opportunity, personal issues                    | Fraud/theft, malware, abuse

Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities:
Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: Fire, flood, negligence, theft, no redundancy

Step 3:
Estimate Likelihood of Exploitation
Best sources:
Past experience
National & international standards & guidelines:
NIPC, OIG, FedCIRC etc.
Specialists and expert advice
Market research & analysis
If no good numbers emerge, estimates can be
used.

Likelihood of Exploitation: Sources of Losses
Lost laptop/device 35%
Third party or outsourcer 21%
Electronic backup 19%
Paper records 9%
Malicious insider or code 9%
Hacked system 7%
Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu; evaluation of 31 organizations

Step 4: Compute Expected Loss
Risk Analysis Strategies:
Qualitative: Prioritizes risks so that highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of impact in financial terms
Semiquantitative: Combination of qualitative & quantitative techniques

Step 4: Compute Loss Using Qualitative Analysis
Qualitative analysis is used:
As a preliminary look at risk
With non-tangibles, such as reputation, image -> market share, share value
When there is insufficient information to perform a more quantified analysis

Vulnerability Assessment Quadrant Map (Workbook)
Axes: Threat (Probability) vs. Vulnerability (Severity)
Items to plot: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy, Fire, Terrorist

Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact:
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company

Likelihood:
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis

Risk = Impact * Likelihood

SemiQuantitative Impact Matrix (cell = Impact x Likelihood)

Impact \ Likelihood | Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Frequent (5)
Catastrophic (5)    |    5     |     10       |     15       |    20      |     25
Material (4)        |    4     |      8       |     12       |    16      |     20
Major (3)           |    3     |      6       |      9       |    12      |     15
Minor (2)           |    2     |      4       |      6       |     8      |     10
Insignificant (1)   |    1     |      2       |      3       |     4      |      5
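Scoring a small risk register on exactly these 1-5 scales, as an added Python example that is not part of the lecture. The impact and likelihood bands follow the slide definitions; the Red/Amber/Green cut-offs on the 1-25 product, the "Rare = never observed here" criterion, and the sample risks themselves are assumptions made for the example.

```python
"""Semi-quantitative risk scoring: Risk = Impact x Likelihood on the lecture's
1-5 scales.  Added example, not from the lecture; assumptions are marked."""
from dataclasses import dataclass
from typing import List, Optional

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_score(loss_usd: float, affects_brand: bool = False,
                 external_reporting: bool = False, threatens_company: bool = False) -> int:
    """Map a loss estimate to the impact scale; the highest matching band wins.
    5 Catastrophic: failure or downsizing of the company
    4 Material:     requires external reporting, or > $200M
    3 Major:        impacts company brand, or > $1M
    2 Minor:        impacts a small part of the business, < $1M
    1 Insignificant: no meaningful impact"""
    if threatens_company:
        return 5
    if external_reporting or loss_usd > 200_000_000:
        return 4
    if affects_brand or loss_usd > 1_000_000:
        return 3
    if loss_usd > 0:
        return 2
    return 1


def likelihood_score(years_since_last: Optional[float], recurring: bool = False) -> int:
    """Map occurrence history to the likelihood scale.
    5 Frequent: occurs on a regular basis
    4 Likely:   occurred in the last year
    3 Moderate: occurred in the last 5 years, but not the last year
    2 Unlikely: not seen within the last 5 years
    1 Rare:     never observed here (assumption: the slide gives no criterion)"""
    if recurring:
        return 5
    if years_since_last is None:
        return 1
    if years_since_last <= 1:
        return 4
    if years_since_last <= 5:
        return 3
    return 2


def stoplight(score: int) -> str:
    """Assumed stoplight cut-offs on the 1-25 product; the slides give none."""
    if score >= 15:
        return "Red"
    if score >= 8:
        return "Amber"
    return "Green"


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def band(self) -> str:
        return stoplight(self.score)


def score_risk(name: str, loss_usd: float, years_since_last: Optional[float] = None,
               recurring: bool = False, **impact_flags) -> ScoredRisk:
    return ScoredRisk(name, impact_score(loss_usd, **impact_flags),
                      likelihood_score(years_since_last, recurring))


def rank(risks: List[ScoredRisk]) -> List[ScoredRisk]:
    """Highest product first; ties broken by impact so the bigger loss is addressed first."""
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


# Constructed sample register (values chosen to exercise each band; not real data).
SAMPLE_RISKS = [
    score_risk("Stolen laptop", 10_000, years_since_last=0.5),                     # Minor x Likely     = 8
    score_risk("Hacker steals customer data", 5_000_000, years_since_last=0.5,
               external_reporting=True, affects_brand=True),                      # Material x Likely  = 16
    score_risk("Building fire", 1_500_000),                                        # Major x Rare       = 3
    score_risk("Malware infection", 50_000, recurring=True),                       # Minor x Frequent   = 10
    score_risk("HIPAA disclosure", 150_000, years_since_last=3,
               external_reporting=True),                                          # Material x Moderate = 12
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.name:28} {IMPACT_LABELS[r.impact]:13} x {LIKELIHOOD_LABELS[r.likelihood]:8} "
              f"= {r.score:2}  {r.band}")
```

The point of putting the band logic in functions rather than in a spreadsheet is that the criteria become auditable: a reviewer can see why a risk landed in "Material" and re-run the ranking when a new incident moves its likelihood from "Unlikely" to "Likely".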

Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
  E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data (assumes no liability)
  SLE = Asset Value (AV) x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
  If a fire occurs once every 25 years, ARO = 1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
  ALE = SLE x ARO

Risk Assessment Using Quantitative Analysis
Quantitative: Cost of HIPAA accident with insufficient protections
SLE = $50K (fine) + $100K (1 year in jail, valued here at $100K) = $150K, plus loss of reputation
Estimate of time between occurrences = 10 years or less, so ARO = 0.1
Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K

Annualized Loss Expectancy (ALE by asset value and expected interval between losses)

Asset Value | once per 1 Yr | once per 5 Yrs | once per 10 Yrs | once per 20 Yrs
$1K         | 1K            | 200            | 100             | 50
$10K        | 10K           | 2K             | 1K              | 0.5K
$100K       | 100K          | 20K            | 10K             | 5K
$1M         | 1000K         | 200K           | 100K            | 50K

Asset costs $10K; risk of loss 20% per year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss

Quantitative Risk (Workbook)

Asset    | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire   | $1M                          | .05 (once in 20 years)              | $50K
Laptop   | Stolen | $1K + $9K (breach notif)     | 0.2 (once in 5 years)               | $2K

Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary. E.g.: Earthquake. Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior. E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability. E.g. Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you. E.g., Buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot
Risk Planning: Implement a set of controls

NIST Risk Assessment Methodology

Activity                 | Input                                                          | Output
System Characterization  |                                                                | System/data criticality; system/data sensitivity
Identify Threats         | Company history; intelligence agency data: NIPC, OIG           | List of threats & vulnerabilities
Identify Vulnerabilities | Audit & test results                                           | (with the above)
Analyze Controls         |                                                                | List of current & planned controls
Determine Likelihood     |                                                                | Likelihood Rating
Analyze Impact           | Business Impact Analysis; data criticality & sensitivity analysis | Impact Rating
Determine Risk           |                                                                | Documented Risks
Recommend Controls       |                                                                | Recommended Controls
Document Results         |                                                                | Risk Assessment Report

Control Types

Chain: a Threat creates an Attack, the attack exploits a Vulnerability, and that results in an Impact.
Deterrent control: reduces the likelihood of the threat acting
Preventive control: reduces the likelihood of the attack succeeding; decreases the vulnerability
Detective control: detects the attack
Corrective control: reduces the impact
Compensating control: an alternative control used where the primary control is not feasible

Second view of the same diagram:
THREAT -> deterrent control -> risk probability
VULNERABILITY -> mitigating, detective and preventive controls
IMPACT -> corrective control
What is left after the controls act is the residual risk

Controls & Countermeasures
Cost of control should never exceed the expected loss assuming no control
Countermeasure = Targeted Control, aimed at a specific threat or vulnerability

Analysis of Risk vs. Controls (Workbook)

Risk          | ALE or Score                  | Control    | Cost of Control
Stolen Laptop | $1K (+ $9K Breach Notif. Law) | Encryption | $60
Disk Failure  | $3K per day                   | RAID       | $750
Hacker        | $9K Breach Notif. Law         | Firewall   | $1K

Cost of some controls is shown in Case Study Appendix
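The arithmetic behind Step 4 and Step 5 (Risk Exposure and Risk Leverage), the SLE/ARO/ALE slides, and the two workbook tables above, carried through as an added Python example that is not part of the lecture. The asset values, AROs and control costs are the workbook's; the post-control exposures are my assumptions and are marked in the code: full-disk encryption is treated as removing the $9K notification liability from a lost laptop, and the hacker row, which has no ARO on the slides, is given an assumed ARO of 0.1 that the firewall halves.

```python
"""Quantitative risk workbook: SLE = AV x EF (+ liability), ALE = SLE x ARO,
risk leverage = (ALE before - ALE after) / annual control cost.
Added example, not from the lecture; assumptions are marked below."""
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float = 1.0,
                           liability: float = 0.0) -> float:
    """SLE: cost of one occurrence.  exposure_factor is the fraction of the asset
    lost; liability adds consequential cost such as breach-notification expense."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value")
    return asset_value * exposure_factor + liability


def annualized_rate(years_between_events: float) -> float:
    """ARO from a mean interval: a fire every 25 years gives 1/25 = 0.04."""
    return 1.0 / years_between_events


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, rounded to cents."""
    return round(sle * aro, 2)


def risk_leverage(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Expected annual loss avoided per dollar of annual control cost."""
    return round((ale_before - ale_after) / control_cost, 2)


@dataclass(frozen=True)
class ControlDecision:
    risk: str
    control: str
    ale_before: float
    ale_after: float
    control_cost: float

    @property
    def leverage(self) -> float:
        return risk_leverage(self.ale_before, self.ale_after, self.control_cost)

    @property
    def justified(self) -> bool:
        """Lecture rule: a control must not cost more than the expected loss it removes."""
        return self.control_cost <= self.ale_before - self.ale_after


def evaluate_controls(candidates: List[ControlDecision]) -> List[ControlDecision]:
    """Keep only justified controls, best leverage first (mitigate these; accept the rest)."""
    return sorted((c for c in candidates if c.justified), key=lambda c: c.leverage, reverse=True)


# Workbook rows from the slides.
BUILDING_FIRE_ALE = annual_loss_expectancy(single_loss_expectancy(1_000_000), annualized_rate(20))  # $50K
LAPTOP_SLE = single_loss_expectancy(1_000, liability=9_000)                # $1K replacement + $9K notification
LAPTOP_ALE = annual_loss_expectancy(LAPTOP_SLE, annualized_rate(5))        # $2K
HIPAA_ALE = annual_loss_expectancy(single_loss_expectancy(50_000, liability=100_000), 0.1)  # $15K

CANDIDATES = [
    # Assumption: encrypting the disk removes the $9K notification liability; the $1K replacement remains.
    ControlDecision("Stolen laptop", "Encryption", LAPTOP_ALE,
                    annual_loss_expectancy(single_loss_expectancy(1_000), annualized_rate(5)), 60),
    # Assumption: hacker breach ARO 0.1 (not on the slides), halved by the firewall.
    ControlDecision("Hacker", "Firewall", annual_loss_expectancy(9_000, 0.1),
                    annual_loss_expectancy(9_000, 0.05), 1_000),
]

if __name__ == "__main__":
    for c in evaluate_controls(CANDIDATES):
        print(f"{c.control:10} vs {c.risk:14} leverage {c.leverage:5.1f}  "
              f"(ALE {c.ale_before:.0f} -> {c.ale_after:.0f}, cost {c.control_cost:.0f})")
```

Under these assumptions encryption shows a leverage of 30 (every $1 spent removes $30 of expected annual loss), while the firewall's $1K cost exceeds the $450 of ALE it removes and therefore fails the lecture's "cost must not exceed expected loss" test; that does not make the firewall wrong, only unjustified by this one risk, which is why real workbooks sum a control's effect across every risk it touches.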

Extra Step: Step 6: Risk Monitoring

Risk                       | Status                                        | Cost
Stolen Laptop              | In investigation                              | $2k, legal issues
HIPAA Incident Response    | Procedure being defined for incident response | $200K
Cost overruns              | Internal audit investigation                  | $400K
Flaws in Physical security | Training occurred                             | $200K

Security Dashboard, Heat chart or Stoplight Chart
Report to Mgmt status of security:
Metrics showing current performance
Outstanding issues
Newly arising issues
How each is being handled and when resolution is expected

Training

Importance of following policies & procedures


Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering

Security Control Baselines & Metrics
Baseline: A measurement of performance
Metrics are regularly and consistently measured, quantifiable, inexpensively collected
Leads to subsequent performance evaluation
E.g. How many viruses is the help desk reporting?

Chart: Stolen Laptop, Virus/Worm and % Misuse per year, Year 1 through Year 4 (y-axis 0-90). (Company data - Not real)

Risk Management
Risk Management is aligned with business
strategy & direction
Risk mgmt must be a joint effort between
all key business units & IS
Business-Driven (not Technology-Driven)

Steering Committee:
Sets risk management priorities
Define Risk management objectives to
achieve business strategy

Risk Management Roles

Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
System / Info Owners: Responsible to ensure controls are in place to address CIA; sign off on changes
Chief Info Officer: IT planning, budget, performance incl. risk
IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.

Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken

Senior Mgmt Support

Due care: The lack of due care is often considered negligence, and in most countries is actionable under law. If an organization is legally mandated to comply with regulations or information security requirements, knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.
Due Diligence: This pertains to best practices that a company should follow to keep its head above water (keep itself secure). If a company fails to implement these measures, it might face an attack but might not be legally liable. For example, performing penetration tests or employee background checks to find holes would be due diligence, as it might not be mandated by law but it is good practice.

Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we
prone to, and what is the financial costs of
these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls

Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk
acceptance, and risk monitoring
2. Answers the question: What risks are we
prone to, and what is the financial costs of
these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and
prioritization of risks, and evaluation of controls

Question
The FIRST step in Security Risk
Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding

Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO

Vocabulary to study

Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
Threat, threat agent, vulnerability
Qualitative risk analysis, quantitative risk analysis
SLE, ARO, ALE
Due diligence, due care

Questions?

HEALTH FIRST CASE STUDY: Analyzing Risk

Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Medical Admin
Pat, Software Consultant

Step 1: Define Assets
Consider Consequential Financial Loss

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | (to fill in)                     | DO + M + H + NL                      | C, I, A

where Daily Operation (DO), Medical Malpractice (M), HIPAA Liability (H), Notification Law Liability (NL)

HIPAA Criminal Penalties

Offense                                                                  | $ Penalty   | Imprisonment
Wrongful disclosure of individually identifiable health information      | Up to $50K  | Up to one year
... committed under false pretenses                                      | Up to $100K | Up to 5 years
... with intent to sell, achieve personal gain, or cause malicious harm  | Up to $500K | Up to 10 years

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, ...

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
Normal threats: Threats common to all organizations
Inherent threats: Threats particular to your specific industry
Known vulnerabilities: Previous audit reports indicate deficiencies.

Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation (Workbook quadrant map)
Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02)
Vulnerability (Severity) axis: Slow Down Business, Temp. Shut Down Business, Threaten Business
Threats to plot: Hacker/Criminal, Loss of Electricity, Snow Emergency, Malware, Pandemic, Failed Disk, Tornado/Wind Storm, Stolen Laptop, Stolen Backup Tape(s), Flood, Earthquake, Social Engineering, Intruder, Fire

Step 4: Compute Expected Loss: E(Loss), ALE = SLE * ARO

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
(workbook table to be filled in for the case study)

Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
Risk Avoidance: Stop doing risky behavior
Risk Mitigation: Implement control to minimize vulnerability
Risk Transference: Pay someone to assume risk for you
Risk Planning: Implement a set of controls
