RISK MANAGEMENT
DEFINITION OF RISK AND ITS DYNAMICS
INTRODUCTION TO INFORMATION SECURITY RISK MANAGEMENT GUIDE
generic definition of risk management is the
to implement and maintain processes to risk management process.
The Security Risk of information not only reduces the risk of
members can contribute to effectively reducing
e. A Spirit of Teamwork
The strength and vitality of the relationships among all of the
people working on the security risk management process will
greatly affect the effort. Regardless of the support from senior
management, the relationships that are developed among security
staff and management and the rest of the organization are critical
to the overall success of the process.
members must be empowered to meet the
Management practices, namely proactive and reactive
and hardware quickly.
Minimizing disruption of access or disrupt services.
Review the system
The organization's business continuity plans and
After the Review
response and update policies.
risk management process defines risk
combination of the two: quantitative risk
a. Valuing Assets
Determining the monetary value of an asset is an important part of
security risk management. Many organizations maintain a list of
asset values (AVs) as part of their business continuity plans.
risk management experts and security and business
The ALE provides a value that your organization can work with to
budget what it will cost to establish controls or safeguards to
prevent this type of damage (in this case, $3,750 or less per year)
and provide an adequate level of protection. It is important to
quantify the real possibility of a risk and how much damage, in
monetary terms, the threat may cause, in order to know how much can
be spent to protect against the potential consequence of the threat.
ROSI
Estimate the cost of controls by using the following equation:
(ALE before control) - (ALE after control) - (annual cost of control) = ROSI
For example, the ALE of the threat of an attacker bringing down a
Web server is RM12,000, and after the suggested safeguard is
implemented, the ALE is valued at RM3,000. The annual cost of
maintenance and operation of the safeguard is RM650, so the ROSI is
RM8,350 each year, as expressed in the following equation:
RM12,000 - RM3,000 - RM650 = RM8,350.
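A worked calculation of the ROSI rule above, added here as an illustration and not part of the original guide: it applies the ALE-before minus ALE-after minus annual-cost formula to a small constructed register of candidate safeguards, ranks them, and flags a control whose yearly cost exceeds the loss it prevents (negative ROSI). The register values other than the guide's web-server figures, and the helper names, are assumptions.

```python
# Return on Security Investment (ROSI) worked example, added as an illustration.
# Uses the rule stated in the text: ROSI = ALE_before - ALE_after - annual control cost.
# All safeguard figures below are constructed sample values (RM); only the first
# row reproduces the guide's web-server example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    ale_before: float   # annualised loss expectancy with no control in place
    ale_after: float    # ALE once the control is operating
    annual_cost: float  # yearly cost to run and maintain the control


def rosi(s: Safeguard) -> float:
    """ROSI as defined in the text: reduction in ALE minus what the control costs."""
    return s.ale_before - s.ale_after - s.annual_cost


def max_justifiable_spend(s: Safeguard) -> float:
    """Upper bound on annual control spend: paying more than the ALE reduction loses money."""
    return s.ale_before - s.ale_after


def rank_safeguards(candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, highest first. A negative ROSI means the
    control costs more per year than the loss it prevents and is not justified."""
    scored = [(s.name, rosi(s)) for s in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register (hypothetical values, not from the guide).
SAMPLE_REGISTER = [
    Safeguard("web server hardening", 12_000, 3_000, 650),   # the guide's figures
    Safeguard("spam filter", 2_500, 2_000, 900),              # costs more than it saves
    Safeguard("offsite backups", 8_000, 1_000, 3_000),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(SAMPLE_REGISTER):
        verdict = "justified" if value > 0 else "not justified (cost exceeds savings)"
        print(f"{name:24s} ROSI = RM{value:>9,.0f}  {verdict}")
```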
impact from implementing controls.
risk being realized and the cost of
INTRODUCTION TO RISK
WHAT IS RISK?
Risk is the chance of something happening that will have an impact
upon the objectives of an organization.
It is measured in terms of severity of consequences and likelihood.
Risk Management
Risk Concepts
Likelihood of Attack
Consequence of Adversary Success
System Effectiveness
Risk
The amount of control over each is different.
Responses to Risk
                      Frequency
Severity              Low                 High
High                  Transfer            Avoid
Low                   Accept              Accept/Transfer
Increasingly Complex Security and Environment
Risk management in a business environment is principally concerned
with the protection and conservation of corporate assets and
resources. The task of protection continues to be an increasingly
complex one at a time when technology is creating new products (and
thus risk) at an explosive rate and criminals are getting more
sophisticated.
to create disastrous
where the business is able to conduct its
Categories of Risks
Financial Risks
Information Risks
Operational Risks
Strategic Risks
Reputation Risks
Environmental Risks
CATEGORIZE Information System
SELECT Security Controls (SP 800-53 / SP 800-30)
SUPPLEMENT Security Controls
Use risk assessment results to supplement the tailored security
control baseline as needed to ensure adequate security and due
diligence.
DOCUMENT Security Controls (SP 800-18)
Document in the security plan the security requirements for the
information system and the security controls planned or in place.
IMPLEMENT Security Controls (SP 800-70)
Implement security controls; apply security configuration settings.
ASSESS Security Controls
Determine security control effectiveness (i.e., controls implemented
correctly, operating as intended, meeting security requirements).
AUTHORIZE Information System (SP 800-37)
MONITOR Security Controls
Continuously track changes to the information system that may affect
security controls and reassess control effectiveness.
Shift in Paradigm
The traditional view of security has moved from guns, guards and
concept of providing
ones such as
CONSEQUENCES OF RISK IN AN OPERATIONAL ENVIRONMENT
Risk Appetite
Many organizations do not commit themselves to an adequate security
posture, by not spending on an effective Security Program. This is in
view of the fact that the return on investment for security programs
is perceived to be discouraging. Therefore most organizations have a
low appetite for risk and are exposed to uncertainties.
Just ask Management this question: why not allow the Security
Department to go on leave one day en bloc? What will be the outcome
of business operations in the
Risk Appetite
Have
Does
Enforcement Agency?
Are
identification?
Is
property?
Risk Appetite
Do
Fire
Strike / Riot
Transit Accident
Violence
Sexual Harassment
Sabotage / Vandalism
Contagious Disease
Natural Disasters
IT System Malfunction
Power Failure
Terrorism
Security Process inputs: Manpower, Money, Machine, Material, Method
Security Process: Protective Activities; Incident Response Activities;
Recovery Activities; Continuity Activities
Output: Safe & Stable Environment to carry out responsibilities and
tasks with minimal disturbance from threats by having enough Security
controls
Protective Activities
In daily security operations the main protective activities involved
are:
Access control: people, vehicles and goods
Patrolling and clocking activity
Waste and trash control
Key control & locking activity
Shipping & receiving activity
may materially affect the
is of high value and is not
EXAMPLES OF CRITICAL ASSETS
Material
Intellectual Property
Equipment
Reputation
Facilities
People
Processes
Records
etc.
Natural Disasters
Earthquakes, floods, storms, hurricanes, fires,
tsunami, etc.
Business Risk in a Dynamic Environment
natural catastrophe
industrial disaster
civil disturbance
criminality
conflict of interest
nuclear accident
UNDESIRABLE CONSEQUENCES
May lead to:
Loss of human life
Loss of revenue
Loss of vital equipment
Loss of vital capabilities
Note: All lead to disruption of Business Operations
Security Implications
The impact of risk causing negative consequences has serious
security implications for the business organization:
an unstable operational environment
disruption of business activities
unnecessary diversions from primary activities
inability to meet customer demands & satisfaction
the organization's image and reputation is at stake
possibility of losing future business
PEOPLE
People include the service provider, the clients and the uninvited.
By nature, people's behaviour is underpinned by seeking pleasure over
pain; therefore they are more inclined to violate rules to satisfy
their needs. As such, people are the greater potential hazard in
daily operations at the workplace.
Process
PROCESS is composed of
is processes important involve because time and
TECHNOLOGY
Technology is a double-edged sword. It has got both good and bad
Vulnerability
Probability
Vulnerability
Vulnerabilities are opportunities: opportunities for crime,
opportunities for rule-breaking violations, opportunities for loss.
By definition, a vulnerability is a weakness or gap in a security
program that can be exploited by threats to gain unauthorized access
to an asset.
Vulnerabilities include structural, procedural, electronic, human and
other elements which provide opportunities to attack assets.
The basic process of vulnerability assessment measures the security
OPERATIONAL RISK MANAGEMENT STRATEGIES
THREATS, VULNERABILITIES, ANALYSIS, RISKS, MITIGATION, COUNTERMEASURES
Input                                     Process                    Output
Company history; Intelligence agency      Identify Threats           List of threats & vulnerabilities
data; Audit & test results                Identify Vulnerabilities
                                          Analyze Controls
Business Impact Analysis; Data            Determine Likelihood       Likelihood Rating
Criticality & Sensitivity analysis        Analyze Impact             Impact Rating
                                          Determine Risk             Documented Risks
                                          Identify Controls
                                          Implement Controls
Note that the zones are not symmetrical across the matrix.
    Asset              Threat        Vulnerability                       Mitigation
1.  Criticality        Motivation    Building characteristic             Deterrent capabilities
2.  Cost               Potential     Systems and Equipment reliability   Detection capabilities
3.  Attractiveness     Intention
4.  Replacement cost   Capability    Personnel behaviour                 Assess & annunciation capabilities
5.  Consequence        Impact        Operational practices               Response capabilities
1. DETER
2. DETECT
3. DELAY
4. ASSESS
5. RESPOND
Vulnerability Value Rating
Very High 5
High 4
Medium
Low
Very Low
Threat x Vulnerability x Mitigation
Threat: What are you afraid of happening?
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Impact * Probability = Current Level of Risk
Impact: What is the impact to the business?
Probability: What is the probability that the threat will overcome
controls to successfully exploit the vulnerability and impact the
asset? How likely is the threat given the controls?
RISK EQUATION
RISK = (Asset x Threat) * (Vulnerability x Mitigation)
Probability, Impact
RISK = (5 x 4) * (4 x 3)
= 20 12 5 5 = 2.4
RISK Evaluation
Risk Rating
1. >21       Very High
2. 16 - 20   High
3. 11 - 15   Medium
4. 6 - 10    Low
5. 1 - 5     Very Low
Severity of Loss   High                            Medium                           Low
High               Avoidance                       Loss prevention and avoidance    Loss prevention
Medium             Loss prevention and avoidance   Transfer via insurance           Loss prevention and Transfer via insurance
Low                Assumption and pooling          Loss prevention and Assumption   Assumption
Expense v. Security Achieved (chart: Dollars against Security Achieved, up to 100% Security)
Benefit = 100,000 - RM25,000 = RM75,000
= 75,000 / 25,000
Ratio is 3 to 1
STRATEGIC ACTION PLANS TO CONTROL RISK
Characteristics
environment:
nature of business
Future Trends
In order to satisfy the changing customer needs as a result of the
information explosion that revolutionized business organizations,
besides for risk
Any Questions Please???