
RISK MANAGEMENT

LEARNING OUTCOMES

Principles of Info Security RA
Business impact
Benefits of Info Security

Chapter 1: Introduction to the Security Risk Management Guide
Chapter 2: Survey of Security Risk Management Practices
Chapter 3: Security Risk Management Overview
Chapter 4: Assessing Risk
Chapter 5: Conducting Decision Support
Chapter 6: Implementing Controls and Measuring Program Effectiveness

INTRODUCTION TO SECURITY RISK MANAGEMENT

DEFINITION OF RISK AND ITS DYNAMICS

The concept of risk management is applied in all aspects of business, including planning and project risk management, health and safety, and finance. It is also a very common term amongst those concerned with IT security. A generic definition of risk management is the assessment and mitigation of potential issues that are a threat to a business, whatever their source or origin.

INTRODUCTION TO INFORMATION SECURITY RISK MANAGEMENT GUIDE

A risk assessment determines what type of controls are required to protect assets and resources (physical locations, networks/servers, staff, etc.) from threats, allowing your organization to reduce exposure and maintain an acceptable "risk tolerance".
The risk assessment process evaluates the likelihood and potential damage of identified threats, measures the individual risk level of each asset as it relates to Confidentiality, Integrity and Availability (CIA), and then gauges the effectiveness of existing controls to limit the organization's exposure to such risk. The results help the organization identify which assets are the most critical, provide a basis for prioritization and recommend a course for remediation.

The risk assessment will encompass provisions that address both internal and external threats and answer the following questions:
What can go wrong?
How can it go wrong?
What is the potential impact?
What preventive steps can be taken to reduce the risk?

In general, the security risk management process enables organizations to implement and maintain processes to identify and prioritize risks in their IT environments, thereby improving security, which facilitates increased availability of IT infrastructures and improved business value.
Normally the security risk management process offers a combination of various approaches including pure quantitative analysis, return on security investment (ROSI) analysis, qualitative analysis, and best practice approaches.

Strategic Information Security and Risk Management Planning

CRITICAL SUCCESS FACTORS


Successful implementation of a security risk management program in an organization involves:
a. First, executive support and commitment are very important. When security risk management is led from the top, organizations can articulate security in terms of value to the business.
b. Next, a clear definition of roles and responsibilities is fundamental to success. Business owners are responsible for identifying the impact of a risk and determining the appropriate controls. They are also in the best position to articulate the business value of assets that are necessary to operate their functions.

CRITICAL SUCCESS FACTORS


Executive sponsorship.
A well-defined list of risk management
stakeholders.
Organizational maturity in terms of risk
management.
An atmosphere of open communication.
A spirit of teamwork.
A holistic view of the organization.
Authority throughout the process.

a. Executive Sponsorship: Senior management must unambiguously and enthusiastically support the security risk management process.
Sponsorship implies the following:
Delegation of authority and responsibility for a clearly
articulated project scope to the Security Risk
Management Team
Support for participation by all staff as needed
Allocation of sufficient resources such as personnel and
financial resources
Unambiguous and energetic support of the security risk
management process
Participation in the review of the findings and
recommendations of the security risk management
process

b. List of Risk Management Stakeholders

Stakeholders, in this context, means members of the organization with a vested interest in the results of the security risk management process. The Security Risk Management Team needs to understand who all of the stakeholders are. This includes the core team itself as well as the executive sponsor(s).
It will also include the people who own the business assets that are to be evaluated. The IT personnel responsible and accountable for designing, deploying, and managing the business assets are also key stakeholders.

c. Organizational Maturity in Terms of Risk Management


Organizational maturity in terms of risk management is evidenced
by such things as well defined security processes and a solid
understanding and acceptance of security risk management at
many levels of the organization.

d. An Atmosphere of Open Communication

Lack of open communication in organizations frequently leads to misunderstandings and impairs the ability of a team to deliver a successful solution in times of crisis incidents. Therefore the approach to communications, both within the team and with key stakeholders, must be open and free-flowing. A free flow of information not only reduces the risk of misunderstandings and wasted effort but also ensures that all team members can contribute to effectively reducing uncertainties surrounding the security risk incident.

e. A Spirit of Teamwork
The strength and vitality of the relationships among all of the
people working on the security risk management process will
greatly affect the effort. Regardless of the support from senior
management, the relationships that are developed among security
staff and management and the rest of the organization are critical
to the overall success of the process.

f. A Holistic View of the Organization


All participants involved in the security risk management process,
particularly the Security Risk Management Team, need to consider the
entire organization during their work. What is best for one particular
employee is frequently not what is best for the organization as a
whole.
Likewise, what is most beneficial to one business unit may not be in
the best interest of the organization. Staff and managers from a
particular business unit will instinctively seek to drive the process
toward outcomes that will benefit them and their parts of the
organization.

g. Authority Throughout the Process

In order to effectively mitigate risks by implementing sensible controls, team members will also require sufficient authority to make the appropriate changes. Team members must be empowered to meet the commitments assigned to them. Empowerment requires that team members are given the resources necessary to perform their work, are responsible for the decisions that affect their work, and understand the limits to their authority. They must also understand the escalation paths available to handle issues that transcend these limits.

SURVEY OF SECURITY RISK MANAGEMENT PRACTICES

Survey observations indicate that in general there are two types of Risk Management practices, namely proactive and reactive approaches. Each has its own strengths and weaknesses.
Similarly, in practice there are also two methods of assessing risk, namely qualitative security risk management and quantitative security risk management, the two traditional methods. Each has its own strengths and weaknesses.

The Proactive Approach


Proactive security risk management has many advantages over a
reactive approach. Instead of waiting for bad things to happen and
then responding to them afterwards, you minimize the possibility of
the bad things ever occurring in the first place.
You make plans to protect your organization's important assets by
implementing controls that reduce the risk of vulnerabilities being
exploited by malicious software, attackers, or accidental misuse.

The Reactive Approach


The reactive approach means reacting to a security event by trying to contain the situation, figure out what happened, and fix the affected systems as quickly as possible.
A small degree of rigor in the reactive approach can help organizations of all types to better use their resources. Recent security incidents may help an organization to predict and prepare for future problems. A very systematic and organized approach is recommended.
This means that an organization that takes time to respond to
security incidents in a calm and rational manner while
determining the underlying reasons that allowed the incident
to transpire will be better able to both protect itself from
similar problems in the future and respond more quickly to
other issues that may arise.

Six-step Incident Response Actions


1. Protect human life and people's safety. This should always be the first priority. For example, if affected computers include life support systems, shutting them off may not be an option; perhaps you could logically isolate the systems on the network by reconfiguring routers and switches without disrupting their ability to help patients.
2. Contain the damage. Containing the harm that the attack caused helps to limit additional damage. Protect important data, software, and hardware quickly. Minimizing disruption of computing resources is an important consideration too, but keeping systems up during an attack may result in greater and more widespread problems in the long run.
3. Assess the damage. Immediately make a duplicate of the hard disks in any servers that were attacked and put those aside for forensic use later. Then assess the extent of the damage that occurred as soon as possible, so that you can restore the organization's operations as soon as possible.
4. Determine the cause of the damage. Focus on the origin of the attack, in order to understand the resources at which the attack was aimed and what vulnerabilities were exploited to gain access or disrupt services. Review the system configuration, patch level, system logs, audit logs, and audit trails on both the systems that were directly affected as well as network devices that route traffic to them.
5. Repair the damage. In most cases, it is very important that the damage be repaired as quickly as possible to restore normal business operations and recover data lost during the attack. The organization's business continuity plans and procedures should cover the restoration strategy.
6. Review response and update policies. After the documentation and recovery phases are complete, you should review the process thoroughly.

Incident Response Process

SECURITY RISK MANAGEMENT OVERVIEW

Approaches to Risk Prioritization


The security risk management process defines risk management as the overall effort to manage risk to an acceptable level across the business.
Risk assessment is defined as the process to identify and prioritize risks to the business.
There are many different methodologies for prioritizing or assessing risks, but most are based on one of two approaches or a combination of the two: quantitative risk management or qualitative risk management.

Quantitative Risk Assessment


In quantitative risk assessments, the goal is to try to calculate
objective numeric values for each of the components gathered
during the risk assessment and cost-benefit analysis.
For example, you estimate the true value of each business
asset in terms of what it would cost to replace it, what it would
cost in terms of lost productivity, what it would cost in terms of
brand reputation, and other direct and indirect business
values.
Note: Significant weaknesses - there is no formal and rigorous
way to effectively calculate values for assets and controls.
Mostly estimates only.

Quantitative Approach Method


A brief examination of some of the details of the above
approach shall provide general understanding of both the
advantages and drawbacks of quantitative risk assessments :
asset valuation;
costing controls;
determining Return On Security Investment (ROSI);
calculating values for Single Loss Expectancy (SLE),
Annual Rate of Occurrence (ARO),
Annual Loss Expectancy (ALE).

a. Valuing Assets
Determining the monetary value of an asset is an important part of
security risk management. Many organizations maintain a list of
asset values (AVs) as part of their business continuity plans.

The overall value of the asset to your organization. Calculate or estimate the asset's value in direct financial terms. Consider a simplified example of the impact of temporary disruption of an e-commerce Web site that normally runs seven days a week, 24 hours a day, generating an average of RM2,000 per hour in revenue from customer orders. You can state with confidence that the annual value of the Web site in terms of sales revenue is RM17,520,000.

The immediate financial impact of losing the asset. If you deliberately simplify the example and assume that the Web site generates a constant rate per hour, and the same Web site becomes unavailable for six hours, the calculated exposure is .000685 or .0685 percent per year. By multiplying this exposure percentage by the annual value of the asset, you can predict that the directly attributable losses in this case would be approximately RM12,000.

The indirect business impact of losing the asset. In this example, the company estimates that it would spend $10,000 on advertising to counteract the negative publicity from such an incident. Additionally, the company also estimates a loss of .01 or 1 percent of annual sales, or $175,200. By combining the extra advertising expenses and the loss in annual sales revenue, you can predict a total of $185,200 in indirect losses in this case.

Determining the SLE


The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a monetary amount that is assigned to a single event that represents the company's potential loss amount if a specific threat exploits a vulnerability. (The SLE is similar to the impact of a qualitative risk analysis.)
Calculate the SLE by multiplying the asset value by the exposure factor (EF). The exposure factor represents the percentage of loss that a realized threat could have on a certain asset. If a Web farm has an asset value of $150,000, and a fire results in damages worth an estimated 25 percent of its value, then the SLE in this case would be $37,500. This is an oversimplified example, though; other expenses may need to be considered.

Determining the ARO


The ARO is the number of times that you reasonably expect the risk to occur during one year. Making these estimates is very difficult; there is very little actuarial data available. What has been gathered so far appears to be private information held by a few property insurance firms.
To estimate the ARO, draw on your past experience and consult security risk management experts and security and business consultants. The ARO is similar to the probability of a qualitative risk analysis, and its range extends from 0 percent (never) to 100 percent (always).

Determining the ALE


The ALE is the total amount of money that your organization will lose in one year if nothing is done to mitigate the risk. Calculate this value by multiplying the SLE by the ARO. The ALE is similar to the relative rank of a qualitative risk analysis.
For example, if a fire at the same company's Web farm results in $37,500 in damages, and the probability, or ARO, of a fire taking place has an ARO value of 0.1 (indicating once in ten years), then the ALE value in this case would be $3,750 ($37,500 x 0.1 = $3,750).

The ALE provides a value that your organization can work with to budget what it will cost to establish controls or safeguards to prevent this type of damage (in this case, $3,750 or less per year) and provide an adequate level of protection. It is important to quantify the real possibility of a risk and how much damage, in monetary terms, the threat may cause, in order to know how much can be spent to protect against the potential consequence of the threat.

Determining Cost of Controls


Determining the cost of controls requires accurate estimates on how
much acquiring, testing, deploying, operating, and maintaining each
control would cost. Such costs would include buying or developing the
control solution; deploying and configuring the control solution;
maintaining the control solution and communicating new policies.
For example, to reduce the risk of fire damaging the Web farm, the
organization might consider deploying an automated fire suppression
system. It would need to hire a contractor to design and install the
system and would then need to monitor the system on an ongoing
basis. It would also need to check the system periodically and,
occasionally, recharge it with whatever chemical retardants the system
uses.

ROSI
Estimate the cost of controls by using the following equation: (ALE before control) - (ALE after control) - (annual cost of control) = ROSI
For example, the ALE of the threat of an attacker bringing down a Web server is RM12,000, and after the suggested safeguard is implemented, the ALE is valued at RM3,000. The annual cost of maintenance and operation of the safeguard is RM650, so the ROSI is RM8,350 each year, as expressed in the following equation: RM12,000 - RM3,000 - RM650 = RM8,350.
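The asset valuation, SLE, ARO, ALE and ROSI arithmetic from the sections above, carried through in Python as an added example (this is not code from the original slides or from the guide they summarize). The functions encode only the formulas the text states, using the text's own figures as inputs; the ControlDecision helper and its budgeting rule (a control should not cost more per year than the ALE it addresses, and should have a positive ROSI) are this example's reading of the ALE paragraph, not something the slides spell out.

```python
"""Quantitative risk arithmetic: asset value, SLE, ARO, ALE and ROSI (formulas as stated on the page)."""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # "seven days a week, 24 hours a day": 8,760 hours


def annual_asset_value(revenue_per_hour: float) -> float:
    """Annual value of an asset that earns a constant hourly revenue."""
    return revenue_per_hour * HOURS_PER_YEAR


def exposure_fraction(hours_unavailable: float) -> float:
    """Share of the year the asset is unavailable (the page's .000685 for six hours)."""
    return hours_unavailable / HOURS_PER_YEAR


def direct_loss(revenue_per_hour: float, hours_unavailable: float) -> float:
    """Directly attributable loss = exposure fraction x annual asset value."""
    return exposure_fraction(hours_unavailable) * annual_asset_value(revenue_per_hour)


def indirect_loss(annual_value: float, advertising_cost: float, lost_sales_fraction: float) -> float:
    """Indirect loss = remedial advertising spend + lost fraction of annual sales."""
    return advertising_cost + lost_sales_fraction * annual_value


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value one realized threat destroys."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of occurrences per year (0.1 = once in ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def return_on_security_investment(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """ROSI = (ALE before control) - (ALE after control) - (annual cost of control)."""
    return ale_before - ale_after - annual_control_cost


@dataclass(frozen=True)
class ControlDecision:
    """One proposed control. The budgeting rule below is this example's reading of the ALE text."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def rosi(self) -> float:
        return return_on_security_investment(self.ale_before, self.ale_after, self.annual_cost)

    def justified(self) -> bool:
        # Positive ROSI, and the control must not cost more per year than the ALE it addresses.
        return self.rosi > 0 and self.annual_cost <= self.ale_before


def web_site_outage_example() -> dict:
    """The page's e-commerce figures: 2,000/hour, six hours down, 10,000 advertising, 1% lost sales."""
    annual_value = annual_asset_value(2_000)
    return {
        "annual_value": annual_value,                       # 17,520,000
        "exposure": exposure_fraction(6),                   # about .000685
        "direct_loss": direct_loss(2_000, 6),               # 12,000
        "indirect_loss": indirect_loss(annual_value, 10_000, 0.01),  # 185,200
    }


def web_farm_fire_example() -> dict:
    """The page's Web farm figures: AV 150,000, EF 25 percent, ARO 0.1."""
    sle = single_loss_expectancy(150_000, 0.25)             # 37,500
    return {"sle": sle, "ale": annual_loss_expectancy(sle, 0.1)}  # ALE 3,750


if __name__ == "__main__":
    print(web_site_outage_example())
    print(web_farm_fire_example())
    decision = ControlDecision(ale_before=12_000, ale_after=3_000, annual_cost=650)
    print("ROSI:", decision.rosi, "justified:", decision.justified())
```

The ARO guard only rejects negative values: the text describes the ARO as a probability-like figure, but an event expected several times a year yields an ARO above 1, which the ALE formula handles without change.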

Results of the Quantitative Risk Analyses


The input items from the quantitative risk analyses provide clearly
defined goals and results. The following items generally are derived
from the results of the previous steps:
Assigned monetary values for assets
A comprehensive list of significant threats
The probability of each threat occurring
The loss potential for the company on a per-threat basis over 12
months
Recommended safeguards, controls, and actions

Qualitative Risk Assessment


What differentiates qualitative risk assessment from quantitative risk assessment is that in the former you do not try to assign hard financial values to assets, expected losses, and cost of controls. Instead, you calculate relative values.
The basic process for qualitative assessments is very similar to what happens in the quantitative approach. The difference is in the details. Comparisons between the value of one asset and another are relative, and a lot of time is not invested in trying to calculate precise financial numbers for asset valuation. The same is true for calculating the possible impact from a risk being realized and the cost of implementing controls.
The process of Qualitative Risk Assessment (IT) according to the NIST SP 800-30 methodology is divided into 9 phases:
Selection of systems which are subject to evaluation;
Definition of the scope of evaluation, collection of needed information;
Identification of threats to evaluated systems;
Identification of susceptibility (vulnerability) of evaluated systems;
Analysis of applied and planned mechanisms of control and protection;
Specification of probabilities of susceptibility usage by identification of the source of threats (probability is defined as: low, medium, high);
Analysis and determination of incident impact on system, data and organization (impact defined on a three-degree scale: high, medium, low);
Determination of risk level with the help of a matrix.


Risk Level Matrix for the whole risk for identified threats. This matrix is created by multiplying the probability of incident occurrence (high probability receives a weight of 1.0, medium 0.5, and low 0.1) by the strength of incident impact (high impact receives 100 (weighted), medium 50, and low 10). On the basis of the matrix, a level of whole risk is defined for every identified threat: high for a product in the range (50,100], medium for the range (10,50] and low for a product in the range [1,10].
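The 3x3 matrix just described, implemented in Python as an added example (not code from the original slides or from NIST SP 800-30 itself). The weights and bands are the ones quoted in the paragraph; the threat register in SAMPLE_THREATS is constructed for illustration and is not from the page. It goes slightly beyond the text by ranking a whole register, which is what the matrix is used for in practice.

```python
"""Qualitative risk level matrix (NIST SP 800-30 style) with the weights quoted on the page."""
from enum import Enum


class Level(str, Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Weights quoted in the text: likelihood 1.0 / 0.5 / 0.1, impact 100 / 50 / 10.
LIKELIHOOD_WEIGHT = {Level.HIGH: 1.0, Level.MEDIUM: 0.5, Level.LOW: 0.1}
IMPACT_WEIGHT = {Level.HIGH: 100, Level.MEDIUM: 50, Level.LOW: 10}


def risk_score(likelihood: Level, impact: Level) -> float:
    """Cell value of the matrix: likelihood weight x impact weight (1 .. 100)."""
    # Rounded so that products such as 0.1 * 100 land exactly on the band boundary of 10.
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)


def risk_level(score: float) -> Level:
    """Bands from the text: high (50,100], medium (10,50], low [1,10]."""
    if 50 < score <= 100:
        return Level.HIGH
    if 10 < score <= 50:
        return Level.MEDIUM
    if 1 <= score <= 10:
        return Level.LOW
    raise ValueError(f"score {score} lies outside the matrix range [1, 100]")


def assess(likelihood: Level, impact: Level) -> Level:
    """Overall risk level for one identified threat."""
    return risk_level(risk_score(likelihood, impact))


def risk_matrix() -> dict:
    """The full 3x3 table keyed by (likelihood, impact) -> (score, level)."""
    return {(lk, im): (risk_score(lk, im), assess(lk, im)) for lk in Level for im in Level}


# Constructed sample register: (threat, likelihood, impact). Not from the page.
SAMPLE_THREATS = [
    ("Unpatched critical flaw on an internet-facing server", Level.HIGH, Level.HIGH),
    ("Ransomware on file servers", Level.MEDIUM, Level.HIGH),
    ("Laptop theft from the office", Level.HIGH, Level.MEDIUM),
    ("Insider data exfiltration", Level.MEDIUM, Level.MEDIUM),
    ("Fire in the Web farm", Level.LOW, Level.HIGH),
    ("Misdelivered internal e-mail", Level.HIGH, Level.LOW),
]


def rank_threats(threats):
    """Return (threat, score, level) tuples, highest score first, for prioritization."""
    scored = [(name, risk_score(lk, im), assess(lk, im)) for name, lk, im in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score, level in rank_threats(SAMPLE_THREATS):
        print(f"{score:6.1f}  {level.value:7}  {name}")
```

Note how the weights make the matrix asymmetric in practice: a highly likely but low-impact event (1.0 x 10) and a rare but high-impact one (0.1 x 100) both score exactly 10 and fall in the low band, so the numeric product alone hides the difference between nuisance and disaster. That is the "estimates only" caveat from the quantitative section reappearing in qualitative form.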

INTRODUCTION TO RISK
WHAT IS RISK?
Risk is the chance of something happening that will have an impact upon the objectives of an organization. It is measured in terms of severity of consequences and likelihood.

Risk is a potential problem: it might happen and it might not.
Conceptual definition of risk:
Risk concerns future happenings
Risk involves change in mind, opinion, actions, places, etc.
Risk involves choice and the uncertainty that choice entails
Two characteristics of risk:
Uncertainty: the risk may or may not happen, that is, there are no 100% risks (those, instead, are called constraints)
Loss: the risk becomes a reality and unwanted consequences or losses occur

Taking a risk: it isn't all bad

Taking risks is a normal, unavoidable everyday necessity
Taking controlled, informed risks is a sensible and everyday essential part of life
Taking uninformed, uncontrolled risks is patently dumb
We take risks not to avoid harm, but to achieve benefits and gains
Risk taking is positive, not implicitly negative.

Why Manage Risks?

It is a fact of life that chance events will occur and affect the outcome of your project.
Murphy's Laws codify this knowledge:
If anything can go wrong, it will!
Of things that could go wrong, the one that causes the most damage will occur!

1982 Darwin Award Honorable Mention given to Lawn Chair Larry Walters. Cartoon by Jay Ziebarth, 2002.

Risks are defined as the undesirable event, the chance this event might occur and the consequences of all possible outcomes.
Risk management attempts to identify such events, minimize their impact & provide a response if the event is detected.
LSU 10/09/2007


Purpose of Risk Management

Risk Concepts (figure): Likelihood of Attack; Consequence of Adversary Success; System Effectiveness; Risk. The amount of control over each is different.

Responses to Risk (severity vs. frequency matrix)

                    Frequency: Low      Frequency: High
Severity: High      Transfer            Avoid
Severity: Low       Accept              Accept/Transfer

RISK AND SECURITY IN BUSINESS ENVIRONMENT

Increasingly Complex Environment
Security and risk management in the business environment is principally concerned with protection and conservation of corporate assets and resources. The task of protection continues to be an increasingly complex one at a time when technology is creating new products (and thus risk) at an explosive rate and criminals are getting more sophisticated.

What is RISK in a business environment?

A perilous / hazardous situation in the business organization where threat/s may exploit the vulnerability surrounding an asset/s to create disastrous consequence or impact causing financial losses or loss of lives.

What is SECURITY in a business environment?

A secured, safe and relatively stable environment where the business organization is able to conduct its business operations without / with minimal disturbance or disruptions from threats (man-made and natural) by having adequate security control measures.

Two types of Risk in Business


Risks arising from uncertainty may also include a positive as well as a negative side.
Pure Risk: Generally pure risk does not hold out any prospect of gain. It always brings about negative consequences. Examples: theft, negligence, flood, fire, etc.
Speculative Risk: On the contrary, speculative risk may bring either gain or loss. Examples: gambling, share market, etc.

Categories of Risks
Financial Risks
Information Risks
Operational Risks
Strategic Risks
Reputation Risks
Environmental Risks

Australia/New Zealand Standard (AS/NZS 4360:2004) Risk Management

INFO System Risk Management Framework (an example)

Starting Point: FIPS 199 / SP 800-60
CATEGORIZE Information System: Define criticality / sensitivity of information system according to potential impact of loss.

FIPS 200 / SP 800-53
SELECT Security Controls: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.

SP 800-53 / SP 800-30
SUPPLEMENT Security Controls: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.

SP 800-18
DOCUMENT Security Controls: Document in the security plan the security requirements for the information system and the security controls planned or in place.

SP 800-70
IMPLEMENT Security Controls: Implement security controls; apply security configuration settings.

SP 800-53A
ASSESS Security Controls: Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements).

SP 800-37
AUTHORIZE Information System: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.

SP 800-37 / SP 800-53A
MONITOR Security Controls: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

THE CHANGING SECURITY ENVIRONMENT

Shift in Paradigm
The traditional view of security has moved from guns, guards and gates through ciphers, safety and society toward the evolving and dynamic concept of providing resilience.

As technologies evolve, we face more complex threats, as opposed to traditional ones, such as bio-terrorism, cyber-terrorism and global warming, and greater demands from society to sustain, protect and improve our lives. Hence the notion of security is expanding to include the notions of resilience, sustainability and critical services assurance. Collectively this notion of resilience revolves around maintaining capability rather than protecting assets.

CONSEQUENCES OF RISK IN AN OPERATIONAL ENVIRONMENT

Risk Appetite
Many organizations do not commit themselves to having an adequate security posture, by not spending on an effective Security Program. This is in view of the fact that the return on investment for security programs is perceived to be discouraging. Therefore most organizations have a low appetite for risk and are exposed to uncertainties.
Just ask Management this question: why not allow the Security Department to go on leave one day en bloc? What will be the outcome of business operations in the

Risk Appetite
Have security procedures been published?
Does the organization have contact with the Law Enforcement Agency?
Are there periodic 100 % checks of identification?
Is there control of employee movement between areas within the plant?
Is there a continuous barrier around the property?

Risk Appetite
Do you operate your computer with or without antivirus software & antispyware?
Do you open emails with forwarded attachments from friends or follow questionable web links?
Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after

Causes of Interruption in Business Operations

Security Processes in Daily Operations:
Access control
Patrolling
Traffic control
Shipping control
Waste and trash control
Central monitoring control
Ineffectiveness of the above controls, in procedures, tools & equipment and personnel competencies, may incur risk and lead to business disruptions.

Other Elements that cause Business Disruptions

Fire
Strike / Riot
Transit Accident
Violence
Sexual Harassment
Sabotage / Vandalism
Contagious Disease
Natural Disasters
IT System Malfunction
Power Failure
Terrorism

Risk and Security Operations

SECURITY FROM A SYSTEMS PERSPECTIVE (figure)
Input: Manpower, Money, Machine, Material, Method
Security Process: Protective Activities; Incident Response Activities; Recovery Activities; Continuity Activities
Output: Safe & stable environment to carry out responsibilities and tasks with minimal disturbance from threats by having enough security controls

Protective Activities
In daily security operations the main protective activities involved are:
Access control: people, vehicles and goods
Patrolling and clocking activity
Waste and trash control
Key control & locking activity
Shipping & receiving activity

Factors Affecting Risk Elements

1. Asset: Cost, Criticality, Replacement Cost, Consequence, Attractiveness
2. Threat: Impact, Predictability, Intention, Capability, Motivation
3. Vulnerability: Building characteristics, Personnel behaviour, Location of assets, Operational practices, Equipment properties
4. Mitigation: Deterrent, Detective, Delay, Assess & Annunciate, Respond

CRITICAL ASSETS IN AN ORGANIZATION

An organization must determine which assets may materially affect the business operations on a daily basis, are of high value, and are not easily replaceable within a short time span when lost.

EXAMPLES OF CRITICAL ASSETS

Material

Intellectual

Equipment

Reputation

Facilities

People

Processes

Records

Property

Types of Security Threats


Man-made or Anthropogenic
Political events, explosives, disgruntled employees, unauthorized access, employee pilferage, espionage, arson/fires, sabotage, etc.

Natural Disasters
Earthquakes, floods, storms, hurricanes, fires, tsunami, etc.

Threats Leading To Business Risk

Business Risk in a Dynamic Environment (figure)

Impact of Risk and Security Implications

Business organizations that are exposed to RISK are guests of impending disaster or negative consequences. The kinds of risk impact with which business and industry are most commonly concerned are:

natural catastrophe
industrial disaster
civil disturbance
criminality
conflict of interest
nuclear accident

These events may bring an organization to a


grinding halt and lead to closure of business and
other chain of negative events.

UNDESIRABLE CONSEQUENCES
May lead to :
Loss of human life
Loss of revenue
Loss of vital equipment
Loss of vital capabilities
Note: All lead to disruption of Business Operations

Security Implications
The impact of risk causing negative
consequences has got serious security
implications to the business organization:
an unstable operational environment
disruption of business activities
unnecessary diversions from primary
activities
unable to meet customer demands &
satisfaction
the organization's image and reputation is at stake
possibility of losing future business

TYPES AND SOURCES OF RISK THAT CAN AFFECT SECURITY OPERATIONS

PEOPLE
People include the service provider, the clients and the uninvited. By nature, people's behaviour is underpinned by seeking pleasure over pain. Therefore they are more inclined to violate rules to satisfy their needs. As such, people are a greater potential hazard in the daily operations at the workplace.

PROCESS
Process is composed of technology, people, and tools. This is important because processes involve time and interaction between entities, and many of the hard problems in security operations stem from

TECHNOLOGY
Technology is a double-edged sword. It has got both good and bad characteristics. When it is in the hands of responsible people it becomes a faithful servant and promotes efficiency in daily operations. On the contrary, in the hands of the wrong people it will become a threat posing risk to the operations.

Criticality, Vulnerability & Probability

Criticality - Criticality is the effect that partial or total loss of the entity or area would have on the facility's mission.
Vulnerability - The susceptibility of an entity or area to damage or destruction, or the possible theft or loss of property.
Probability - The chances that certain events could or might occur, such as a penetration of the perimeter or compromise of a system.

Vulnerability
Vulnerabilities are opportunities,
opportunities for crime, opportunities for rule
breaking violations, opportunities for loss.
By definition, a vulnerability is a weakness or
gap in a security program that can be
exploited by threats to gain unauthorized
access to an asset.
Vulnerabilities include structural, procedural,
electronic, human and other elements which
provide opportunities to attack assets.

The basic process of vulnerability assessment first determines what assets are in need of protection, then identifies the protection measures already in place to secure those assets and what gaps in protection exist.
The assessment measures the security controls' effectiveness against valid security metrics and provides recommendations.

Three questions to ask:
What is the threat?
What is the level of vulnerability relative to that threat?
To what extent will the threat/vulnerability change?

OPERATIONAL RISK MANAGEMENT STRATEGIES

A Simple Understanding of Risk Management

Risk management is present in all aspects of life. It is about the everyday trade-off between an expected reward and a potential danger. However, in the business world risk is often associated with some variability in financial outcomes. But the notion of risk is much larger.
It is universal, in the sense that it refers to human behaviour in the decision-making process. Risk management is an attempt to identify, to measure, to monitor and to manage uncertainty.

Risk Management Process

A Continuous Cycle of:
Risk assessment - risks to the organization are assessed in terms of the likelihood of an undesirable event taking place, and the anticipated consequences
Implementation - security measures are identified and implemented to reduce the likelihood and impact of the undesirable event to an acceptable level

Risk Analysis and Risk Mitigation (diagram): Assets, Threats and Vulnerabilities -> Analysis -> Risks -> Mitigation -> Countermeasures

Systems Approach - Risk Assessment Methodology (diagram, read as Input -> Process -> Output)

Company history, intelligence agency data, audit & test results -> Identify Threats; Identify Vulnerabilities -> List of threats & vulnerabilities
-> Analyze Controls -> List of current & planned controls
-> Determine Likelihood -> Likelihood Rating
Business Impact Analysis, data criticality & sensitivity analysis -> Analyze Impact -> Impact Rating
-> Determine Risk -> Documented Risks
-> Identify Controls
-> Implement Controls

Ranking the Risk Importance

Rank risks from those that can be neglected to those that require elevated vigilance.
A Risk Severity Matrix can be helpful in prioritizing risks: a plot of event probability versus impact.
Red zone identifies the most important events.
Yellow zone lists risks that are moderately important.
Green zone events probably can be safely ignored.

Note that the zones are not symmetrical across the matrix: high impact, low probability events are much more important than likely low impact events.
LSU 10/09/2007 Risk Management 101

Five Steps Risk Assessment Model

1. Asset Assessment - Understanding the organization and identifying the people and assets at risk
2. Threat Assessment - Identify loss risk events
3. Vulnerability Assessment - Establish the probability of loss risk, the probability and frequency of events, and also the impact of events
4. Risk Assessment - Establish the value of risk loss
5. Identification of Control Measures - Protective measures or safeguards

Characteristics of Risk Components

S/N | Asset | Threat | Vulnerability | Mitigation
1. | Criticality | Motivation | Building characteristic | Deterrent capabilities
2. | Cost | Potential | Systems and equipment reliability | Detection capabilities
3. | Attractiveness | Intention | Location of assets | Delay capabilities
4. | Replacement cost | Capability | Personnel behaviour | Assess & annunciation capabilities
5. | Consequence | Impact | Operational practices | Response capabilities

Security Mitigation Objectives

1. DETER
2. DETECT
3. DELAY
4. ASSESS
5. RESPOND

Asset Value Rating, Threat Value Rating and Vulnerability Value Rating each use the same scale:
Very High = 5
High = 4
Medium
Low
Very Low

RISK = Impact * Probability

Asset - What are you trying to assess?
Threat - What are you afraid of happening?
Vulnerability - How could the threat occur?
Mitigation - What is currently reducing the risk?
Impact (Asset x Threat) - What is the impact to the business?
Probability (Vulnerability x Mitigation) - How likely is the threat given the controls?
Current Level of Risk (Impact * Probability) - What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?

RISK EQUATION
RISK = (Asset x Threat) * (Vulnerability x Mitigation)
       [Impact]          [Probability]
RISK = (5 x 4)/5 * (4 x 3)/5 = 20/5 * 12/5, where 12/5 = 2.4

RISK Evaluation

Risk = Asset Value x Threat Rating x Vulnerability Rating / Mitigation

S/No | Risk Value | Risk Rating
1. | >21 | Very High
2. | 16 - 20 | High
3. | 11 - 15 | Medium
4. | 6 - 10 | Low
5. | 1 - 5 | Very Low
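An added example, not from the slides, that puts the rating model into Python: it takes the 1-to-5 ratings (assuming Medium, Low and Very Low map to 3, 2 and 1), computes the risk value as Asset x Threat x Vulnerability / Mitigation per the Risk Evaluation formula, applies the rating bands above, and ranks a constructed risk register. The treatment of a value of exactly 21 and the 1..5 range check are my choices.

```python
# Added example, not from the slides: the five-point rating model as code.
# Assumption: risk value = Asset x Threat x Vulnerability / Mitigation, read
# from the "Risk Evaluation" slide, where Mitigation rates the effectiveness
# of the controls already in place (5 = strongest).
from dataclasses import dataclass

# Rating bands from the "Risk Evaluation" slide. The slide leaves 21
# unassigned (">21" vs "16 - 20"); here anything above 20 is Very High.
RISK_BANDS = ((20, "Very High"), (15, "High"), (10, "Medium"), (5, "Low"))


@dataclass(frozen=True)
class RiskInput:
    asset: int          # asset value rating, 1 (Very Low) .. 5 (Very High)
    threat: int         # threat rating, 1..5
    vulnerability: int  # vulnerability rating, 1..5
    mitigation: int     # effectiveness of current controls, 1..5

    def __post_init__(self) -> None:
        # Reject ratings outside the scale instead of silently skewing the value.
        for name, value in vars(self).items():
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")


def risk_value(r: RiskInput) -> float:
    """Asset x Threat x Vulnerability / Mitigation; stronger controls lower it."""
    return r.asset * r.threat * r.vulnerability / r.mitigation


def risk_rating(value: float) -> str:
    """Map a risk value onto the slide's five rating bands."""
    for floor, label in RISK_BANDS:
        if value > floor:
            return label
    return "Very Low"


def rank_risks(risks: dict[str, RiskInput]) -> list[tuple[str, float, str]]:
    """Rank named risks from the one needing most vigilance downwards."""
    scored = [(name, risk_value(r), risk_rating(risk_value(r))) for name, r in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed register: the slide's 5/4/4/3 ratings plus two hypothetical entries.
    register = {
        "perimeter breach": RiskInput(5, 4, 4, 3),
        "key control lapse": RiskInput(3, 3, 4, 4),
        "lighting failure": RiskInput(2, 2, 3, 5),
    }
    for name, value, label in rank_risks(register):
        print(f"{name:20} {value:6.1f}  {label}")
```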

Decision Matrix - A Risk Handling Decision Aid
(rows: Severity of Loss; columns: Frequency of Loss)

Severity of Loss | Frequency High | Frequency Medium | Frequency Low
High | Avoidance | Loss prevention and avoidance | Loss prevention
Medium | Loss prevention and avoidance | Transfer via insurance | Loss prevention and transfer via insurance
Low | Assumption and pooling | Loss prevention and assumption | Assumption

Expense v. Security Achieved (chart: Dollars against Security Achieved, up to 100% Security)

Benefit = 100,000 - RM25,000 = RM75,000
75,000 / 25,000 = 3
Ratio is 3 to 1

STRATEGIC ACTION PLANS TO CONTROL RISK

Why do we need a Strategic Action Plan?

Characteristics of the business environment: nature of business

Business organizations face continuous threats from their operating environment, both internal and external.
What are these threats? Man-made and natural forces.
What are the contributing factors? Multiple variables: legal, political, social, economic and global climatic conditions.

Strategic Action Plan Tools

Focus areas for continuous monitoring, record keeping for regular audit, and review and revision:
1. Perimeter Security
2. Building Security
3. Plant Security
4. Shipping & Receiving Security
5. Area Security
6. Protective Lighting
7. Key Control & Locking Devices
8. Controls of Personnel & Vehicles
9. Safety for Personnel
10. Organization for Emergency
11. Theft Control
12. Security Guard Forces

Future Trends
In order to satisfy the changing customer needs that result from the information explosion that has revolutionized the business environment, the future challenge for business organizations, besides risk management, will be to maintain a state of preparedness at all times to ensure:
staying abreast in intelligence gathering
response planning
maintaining organizational resilience

Any Questions?

Thank You, See You Again
