
Qualitative Risk Analysis

Sanjay Goel
University at Albany, SUNY
Fall 2004

Sanjay Goel, School of Business/Center for Information Forensics and Assurance 1


University at Albany Proprietary Information
Course Outline
Unit 1: What is a Security Assessment?
  Definitions and Nomenclature
Unit 2: What kinds of threats exist?
  Malicious Threats (Viruses & Worms) and Unintentional Threats
Unit 3: What kinds of threats exist? (contd)
  Malicious Threats (Spoofing, Session Hijacking, Miscellaneous)
Unit 4: How to perform security assessment?
  Risk Analysis: Qualitative Risk Analysis
Unit 5: Remediation of risks?
  Risk Analysis: Quantitative Risk Analysis

Qualitative Risk Analysis
Outline for this unit
Module 1: Qualitative Risk Analysis
Module 2: Determine Assets and Vulnerabilities
Module 3: Determine Threats and Controls
Module 4: Matrix Based Approach
Module 5: Case Study

Module 1
Risk Analysis:
Qualitative Risk Analysis
Risk Analysis
Outline
What are the difficulties with risk analysis?
What are the two different approaches?
What is the methodology for qualitative risk analysis?

Risk Analysis
Risk Analysis Definition
Risk analysis involves the identification and
assessment of the levels of risks calculated from the
known values of assets and the levels of threats to,
and vulnerabilities of, those assets.
It involves the interaction of the following elements:
Assets
Vulnerabilities
Threats
Impacts
Likelihoods
Controls

Risk Analysis
Concept Map
Threats exploit system vulnerabilities, which expose system assets.
Security controls protect against threats by meeting security requirements established on the basis of asset values.
Source: Australian Standard Handbook of Information Security Risk Management HB231-2000
Risk Analysis
Difficulties with Information Security Risk Analysis
Relatively new field
Lack of formal models
Lack of data
Evolving threats
Constantly changing information systems and vulnerabilities
Human factors related to security
No standard of practice

Risk Analysis
Approaches
Two Risk Analysis Approaches
Qualitative:
Based on a descriptive treatment of risk factors; risk is expressed in terms of its potential rather than as a number. Threats and vulnerabilities are identified and analyzed using subjective judgment. Checklists are used to determine whether recommended controls are implemented and whether different information systems or organizations are secure.
Quantitative:
Based on the amount or number of something that can be measured or expressed in numerical terms (e.g. asset values, probabilities, expected losses).
Risk Analysis: Qualitative
Methodology
Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls.
They usually work by relating the following interrelated factors:
Assets: things of value to the organization
Threats: things that can go wrong
Vulnerabilities: weaknesses that make a system more prone to attack or make an attack more likely to succeed
Controls: the countermeasures for vulnerabilities
More practical, since it is based on user inference and follows current processes better. It capitalizes on user experience and doesn't resort to extensive data gathering.
Probability data is not required; only estimated potential loss may be used.
Risk Analysis: Qualitative
Questions 1, 2, and 3
1) What is the difference between quantitative and qualitative risk
analysis?

2) Why would one be performed instead of another?

3) What are the benefits to using a matrix based methodology for qualitative risk analysis?

Module 2
Determine Assets and Vulnerabilities
Determine Assets and Vulnerabilities
Outline
What are tangible assets?
What are non-tangible assets?
How to assign value to assets?
What questions should be asked?
Example
Lemonade Stand
How to determine vulnerabilities?
What questions should be asked?

Determine Assets
Tangible
Assets- Something that the agency values and has to protect. Assets include all
information and supporting items that an agency requires to conduct business.
Hardware
Processors, boards, monitors, keyboards, terminals, drives, cables, connections,
controllers, communications media, etc.
Software
Source programs, object programs, purchased programs, operating systems, systems
programs, diagnostic programs, etc.
Information/Data
Data used during execution, stored data on various media, archival records, audit
data, files with payment details, voice records, image files, product information,
continuity plans.
Services
Provided by the company. (e.g. computing and communication services, service
providers and utilities)
Documentation
On programs, hardware, systems, administrative procedures and the entire system,
contracts, completed forms.

Determine Assets
Non-Tangible
People and their knowledge (Employees)
Integral function/skills which the employee provides (e.g. technical, operational, marketing, legal, financial, contractors/consultants, outsourced providers)
Reputation and Image
Value attributed to an organization as a result of its general estimation in the public eye (e.g. political standing in the case of government agencies)
Trust
Value consistent with public opinion on the integrity and character of an organization.
Intellectual Property
Any product of the human intellect that is unique, novel, and unobvious (and has some value in the marketplace)
Source: http://www.uta.edu/tto/ip-defs.htm
Determine Assets
Valuation
Asset values are used to identify the appropriate protection of assets and to determine the importance of the assets to the business.
Values can be expressed in terms of:
Potential business impacts affecting loss of confidentiality, integrity and availability.
Valuation of some assets differs for small and large organizations.
Intangible assets are hard to quantify.
Hidden costs of damage and recovery are often underestimated.
Borrow figures from litigation (settlements and damages awarded in comparable cases).
Valuation is iterative: revisit the figures as better ways of valuing an asset are found.

Determine Assets
Valuation, contd.
In this step, ramifications of computer security failure on
organization are determined.
Often inaccurate
Costs of human capital required to recover from failure undervalued
e.g. cost of restoring data
Indirect consequences of an event unknown until the event actually
happens
Catastrophic events that cause heavy damage are so infrequent that
correct data unavailable
Non-tangible assets hard to quantify
The questions on the next slide prompt us to think about
issues of explicit and hidden cost related to security.
The answers may not produce precise cost figures, but help identify
sources of various types of costs.

Determine Assets
Guiding Questions to Reflect on Intangible Assets
What are the legal obligations in preserving confidentiality or
integrity of data?
What business requirements and agreements cover the situation?
Could release of a data item cause harm to a person or
organization?
Could unauthorized access to data cause loss of future business
opportunity?
What is the psychological effect of lack of computer service?
What is the value of access to data or programs?
What is the value of having access to data or programs to
someone else?
What other problems would arise from loss of data?

Determine Assets
General Example #1: Lemonade Stand
Billy sells lemonade outside of his house every weekend for 3 hours a day. Every week he makes about $40. The wooden stand has a cardboard sign which reads, "Lemonade for SALE, 25 cents each". Supplies he receives from his mother are paper cups and a glass pitcher and spoon to stir with. For one pitcher of lemonade, he needs 4 lemons, 2 cups of sugar, 1 quart of water, a secret ingredient, and 10 minutes. The special recipe is kept in a small space within the lemonade stand. He has a regular crowd of about 10 neighbors who buy from him because they enjoy the taste of his lemonade and his personality.

Determine Assets
General Example #1: Lemonade Stand, contd.
Listing of Tangible Assets:
Establishment
  Lemonade stand: $5
Advertising
  Sign: $1
Supplies
  Pitcher: $7
  Paper cups: $2/25 pack
  Spoon: $1.50
  Lemons: $3/10 pack
  Sugar: $1/1 lb.
  Water: $1/gallon
  Secret ingredient: $1/1 lb.

Listing of Intangible Assets:
People
  Billy
  Billy's Mother
Intellectual Property
  Special recipe
Trust
Reputation
  Customer base

Determine Vulnerabilities
Specific to Organizations
Predict the damage that might occur and its source.
Information is an asset that has a value to an agency and must therefore be appropriately protected.
The objective of information security is to preserve the agency's information assets and the business processes they support in the context of:
Confidentiality
Information is only available to authorized individuals.
Integrity
Information can only be entered, changed or destroyed by authorized individuals.
Availability
Information is provided to authorized users when it is requested or needed.
Determine Vulnerabilities
Impact to Assets
Vulnerability- A weak characteristic of an information asset or group of assets which can be exploited by a threat. Consequence of weaknesses in controls.
To organize threats & assets, use the following matrix (X = not applicable). Impact to non-tangible assets is harder to determine.

Asset         | Confidentiality                           | Integrity                                            | Availability
Hardware      | X                                         | Tampered with                                        | Overloaded, failed, stolen, destroyed, unavailable
Software      | Stolen, copied, pirated                   | Impaired by Trojan horse, modified, tampered with    | Deleted, misplaced, usage expired
Data          | Disclosed, accessed by outsider, inferred | Damaged (software error, hardware error, user error) | Deleted, misplaced, destroyed
People        | X                                         | X                                                    | Terminated, quit, retired, vacation
Documentation | X                                         | X                                                    | Lost, stolen, destroyed
Supplies      | X                                         | X                                                    | Lost, stolen, damaged
Determine Vulnerabilities
Guiding Questions
Each vulnerability may affect more than one asset or cause
more than one type of loss
While completing the matrix, answer the following questions:
What are the effects of unintentional errors?
e.g. accidental deletion, use of incorrect data
What are the effects of willful malicious insiders?
e.g. disgruntled employees, bribery, espionage
What are the effects of outsiders?
e.g. hackers, dial-in access, people sifting through trash
What are the effects of natural and physical disasters?
e.g. fire, storms, floods, power outage, component failures

Determine Assets and Vulnerabilities
Assignment
Using your own organization, determine the assets and
vulnerabilities and fill them into the appropriate matrices.

Module 3
Determine Threats and Controls
Determine Threats and Controls
Outline
How do you identify threats?
What types of controls are there?
Organizational and Management
Physical and Environmental
Operational
Technical
What are the functions of controls?

Determine Threats and Controls
Identification of Threats
Threat- Potential cause of an unwanted event that may result in harm to the agency and its assets. A threat causes harm only when it can exploit a vulnerability.
Malicious
Malicious Software (Viruses, worms, trojan horses, time bomb logic bomb, rabbit,
bacterium)
Spoofing or Masquerading
Sequential or Dictionary Scanning
Snooping (electronic monitoring or shoulder surfing)
Scavenging (dumpster diving or automated scanning of data)
Spamming
Tunneling
Unintentional
Equipment or Software Malfunction
Human error (back door or user error)
Physical
Power loss, vandalism, fire/flood/lightning damage, destruction
Source: http://www.caci.com/business/ia/threats.html
Determine Threats and Controls
Functions of Controls
Security Controls- Implementations to reduce overall risk
and vulnerability
Deter
Avoid or prevent the occurrence of an undesirable event
Protect
Safeguard the information assets from adverse events
Detect
Identify the occurrence of an undesirable event
Respond
React to or counter an adverse effect
Recover
Restore integrity, availability and confidentiality of information
assets

Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls

Determine Threats and Controls
Controls
Organizational & Management Controls
Information security policy, information security infrastructure,
third party access, outsourcing, mobile computing, telecommuting,
asset classification and control, personnel practices, job descriptions,
segregation of duties, recruitment, terms and conditions of
employment, employee monitoring, job terminations and changes,
security awareness and training, compliance with legal and
regulatory requirements, compliancy with security policies and
standards, incident handling, disciplinary process, business
continuity management, system audits

Physical & Environmental Controls
Secure areas, equipment security, clear desk and screen policy, removal of property
Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls
Operational Controls
Operational Controls
Documentation, configuration and change management, incident
management, software development and test environment,
outsourced facilities, systems planning, systems and acceptance
testing, protection against malicious code, data backup, logging,
software and information exchange, security of media in transit,
electronic commerce security, electronic data interchange, internet
commerce, email security, electronic services, electronic publishing,
media

Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls
Technical Controls
Technical Controls
Identification and authentication, passwords, tokens, biometric
devices, logical access control, review of access rights, unattended
user hardware, network management, operational procedures,
predefined user access paths, dial-in access controls, network
planning, network configuration, segregation of networks, firewalls,
monitoring of network, intrusion detection, internet connection
policies, operating system access control, identification of terminals
and workstations, secure logon practices, system utilities, duress
alarm, time restriction, application access control and restriction,
isolation of sensitive applications, audit trails and logs

Source: Information Security Guidelines for NSW Government Agencies Part 3 Information Security Baseline Controls
Determine Threats and Controls
Assignment
Using your own organization, determine the threats and controls and fill them into the appropriate matrices.

Module 4
Matrix Based Approach
Matrix Based Approach
Outline
What are the steps involved?
How do you fill in the matrices?
Asset/Vulnerability Matrix
Vulnerability/Threat Matrix
Threat/Control Matrix

Matrix Based Approach
Methodology
Consists of three matrices
Vulnerability Matrix: Links assets to vulnerabilities
Threat Matrix: Links vulnerabilities to threats
Control Matrix: Links threats to controls
Step 1
Identify the assets and compute the relative importance (value) of each asset.
Step 2
List assets in the columns of the vulnerability matrix and vulnerabilities in its rows.
The value row contains the asset values.
Rank the assets based on the impact to the organization.
Compute the aggregate relative importance of each vulnerability as the sum across its row of (asset value x correlation rating).

Matrix Based Approach
Methodology
Step 3
Add the aggregate values of vulnerabilities from the vulnerability matrix to the column side of the threat matrix.
Identify the threats and add them to the row side of the threat matrix.
Determine the relative influence of each threat on each vulnerability.
Compute the aggregate importance of each threat as the sum across its row of (vulnerability aggregate x rating).
Step 4
Add the aggregate values of threats from the threat matrix to the column side of the control matrix.
Identify the controls and add them to the row side of the control matrix.
Compute the aggregate importance (benefit) of each control as the sum across its row of (threat aggregate x rating).

Matrix Based Approach
Determining L/M/H
There needs to be a threshold for determining the correlations within the matrices. For each matrix, the thresholds can be different. This can be done in two ways:
Qualitatively
determined relative to other correlations
e.g. the asset1/vulnerability1 correlation (L) is much lower than the asset3/vulnerability3 correlation (H); the asset2/vulnerability2 correlation is in between (M)
Quantitatively
determined by setting limits on a measured correlation
e.g. no correlation: Not Relevant (0); below 10%: Low (L); 10% to 35%: Medium (M); above 35%: High (H)
Whichever thresholds are chosen, apply them uniformly within a matrix so that every rating can be traced back to the underlying data.

Matrix Based Approach
Extension of L/M/H
Although the example provided gives 4 different levels (Not
Relevant, Low, Medium, and High), organizations may choose
to have more levels for finer grained evaluation.
For example:
Not Relevant (0)
Very Low (1)
Low (2)
Medium-Low (3)
Medium (4)
Medium-High (5)
High (6)

Matrix Based Approach
Assets and Vulnerabilities
Template for the asset/vulnerability matrix:
Columns (Assets & Costs): Critical Infrastructure, Trade Secrets (IP), Client Secrets, Reputation (Trust), Lost Sales/Revenue, Cleanup Costs, Info/Integrity, Hardware, Software, Services
Value row: cost of each asset
Rows (Vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases
Aggregate column: Relative Impact of each vulnerability
Scale: Not Relevant 0, Low 1, Medium 3, High 9

Customize matrix to assets & vulnerabilities applicable to case
Compute cost of each asset and put them in the value row
Determine correlation with vulnerability and asset (L/M/H)
Compute the sum of product of vulnerability & asset values; add to impact column
Matrix Based Approach
Vulnerabilities and Threats
Template for the vulnerability/threat matrix:
Columns (Vulnerabilities): Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases
Value row: Relative Impact of each vulnerability, carried over from the previous matrix
Rows (Threats): Denial of Service, Spoofing and Masquerading, Malicious Code, Human Errors, Insider Attacks, Intrusion
Aggregate column: Relative Threat Importance
Scale: Not Relevant 0, Low 1, Medium 3, High 9

Complete matrix based on the specific case
Add values from the Impact column of the previous matrix
Determine association between threat and vulnerability
Compute aggregate exposure values by multiplying impact and the associations
Matrix Based Approach
Threats and Controls
Template for the threat/control matrix:
Columns (Threats): Denial of Service, Spoofing, Malicious Code, Human Errors, Insider Attacks, Intrusion, Spam, Physical Damage
Value row: Relative Threat Importance (exposure), carried over from the previous matrix
Rows (Controls): Firewalls, IDS, Single Sign-On, DMZ, Training, Security Policy, Network Configuration, Hardening of Environment
Aggregate column: Value of Control
Scale: Not Relevant 0, Low 1, Medium 3, High 9

Customize matrix based on the specific case
Add values from the relative exposure column of the previous matrix
Determine impact of different controls on different threats
Compute the aggregate value of benefit of each control
Matrix-Based Approach
Review

This methodology used for qualitative analysis is a matrix-based approach.
The matrix-based approach:
Brings transparency to the risk analysis process
Provides a comprehensive methodology
Is easy to use
Allows organizations to work with partial data; more data can be added as it becomes available
Allows risk posture to be compared with other organizations'
Determines the controls needed to improve security

Matrix Based Approach
Assignment
Go through the next modules in the unit to appropriately fill in
the matrices presented in this module.

Module 5
Case Study
Case Study
Outline
What is the case about?
What would fit into the categories of:
Assets
Vulnerabilities
Threats
Controls
Filling in the matrices
Asset/Vulnerability
Vulnerability/Threat
Threat/Control

Case Study
Example

Use the information that you have learned in the lecture in the following case study of a government organization.
Remember these key steps for determining ALE:
Identify and determine the value of assets
Determine vulnerabilities
Estimate likelihood of exploitation
Compute ALE
Survey applicable controls and their costs
Perform a cost-benefit analysis

Case Study
Case
An organization delivers service throughout New York State. As part of the planning process to prepare the annual budget, the Commissioner has asked the Information Technology Director to perform a risk analysis to determine the organization's vulnerability to threats against its information assets, and to determine the appropriate level of expenditures to protect against these vulnerabilities.
The organization consists of 4,000 employees working in 200 locations, which are organized into 10 regions. The average rate of pay for the employees is $20/hr. Cost-benefit analysis has been done on the IT resource deployment, and the current structure is the most beneficial to the organization, so all security recommendations should be based on the current asset deployment.
Each of the 200 locations has approximately 20 employees using an equal number of desktop and laptop computers for their fieldwork. These computers are used to collect information related to the people served by the organization, including personally identifying information. Half of each employee's time is spent collecting information from the clients using shared laptop computers, and half is spent processing the client information at the field office using desktop computers. Replacement cost for the laptops is $2,500 and for the desktops is $1,500.
Each of the 10 regions has a network server, which stores all of the work activities of the employees in that region. Each server will cost $30,000 to replace, plus 80 hours of staff time. Each incident involving a server costs the organization approximately $1,600 in IT staff resources for recovery. Each incident where financial records or personal information is compromised costs the organization $15,000 in lawyers' time and settlement payouts. Assume that the total assets of the organization are worth 10 million dollars.
The organization has begun charging fees for the public records it collects. This information is sold from the organization website at headquarters, via credit card transactions. All of the regional computers are linked to the headquarters via an internal network, and the headquarters has one connection to the Internet. The headquarters servers query the regional servers to fulfill the transactions. The fees collected are approximately $10,000 per day, distributed equally from each region, and the transactions are uniformly spread out over a 24-hour period.
Case Study
Example- Assets (Tangible)
Transaction Revenue- amount of profit from transactions
Data- client information
Laptops- shared, used for collecting information
Desktops- shared, used for processing client information
Regional Servers- store all work activities of employees in the region
HQ Server- queries regional servers to fulfill transactions

Case Study
Example- Asset Valuations (Cost per Day)
Transaction Revenue: $10,000 per day
Data (Liability): $10 million (total assets of the organization)
Laptops: 200 (locations) x 10 (laptops per location; the 20 computers at each location are split equally between laptops and desktops) x $2,500 (laptop cost) = $5,000,000
Desktops: 200 (locations) x 10 (desktops per location) x $1,500 (desktop cost) = $3,000,000
Regional Servers: $30,000 (server cost) x 10 (regions) + 80 (hours) x $20 (pay rate) x 10 (regions) + $10,000 (transaction revenue) = $326,000
HQ Server: $10,000 (transaction revenue) + $100,000 (cost of HQ server; this figure is assumed, the case does not give it) + 80 (hours) x $20 (pay rate) x 10 (regions) = $126,000

Case Study
Example- Vulnerabilities
Vulnerabilities are weaknesses that can be exploited
Vulnerabilities
Laptop Computers
Desktop Computers
Regional Servers
HQ server
Network Infrastructure
Software
Computers and Servers are vulnerable to network attacks
such as viruses/worms, intrusion & hardware failures
Laptops are especially vulnerable to theft

Case Study
Example- Threats
Threats are malicious & benign events that can exploit
vulnerabilities
Several Threats exist
Hardware Failure
Software Failure
Theft
Denial of Service
Viruses/Worms
Insider Attacks
Intrusion and Theft of Information

Case Study
Example- Controls
Intrusion detection and firewall upgrades on HQ Server
mitigate HQ server failure and recovery
Anti-Virus Software
mitigates threat of worms, viruses, DOS attacks, and some intrusions
Firewall upgrades
mitigates threats of DOS attacks and some intrusions, worms and viruses
Redundant HQ Server
reduces loss of transaction revenue
Spare laptop computers at each location
reduces loss of transaction revenue and productivity
Warranties
reduces loss of transaction revenue and cost of procuring replacements
Insurance
offset cost of liability
Physical Controls
reduce probability of theft
Security Policy
can be used to reduce most threats.

Case Study
Asset/Vulnerability Matrix
The coefficients of this matrix are usually based on internal data as well as financial-loss data reported by other organizations.
For the current example we will assume data for illustration of the concept:
Transactions are mostly associated with the regional servers which store the data, the HQ server which takes all requests, and the network infrastructure through which clients access the data (.30 each).
Laptops, desktops and software are associated with only the remaining 10% (.033 each).
Data located on laptops and desktops makes up only 10% of total data, because they are only used for collecting and processing.
The regional servers contain all other data.
Other assets are associated at 100% with their respective vulnerabilities (e.g. laptops with laptops, desktops with desktops, etc.).
The threshold for this matrix will be:
Not Relevant: 0
Low: 0 < x <= 0.01
Medium: 0.01 < x <= 0.05
High: 0.05 < x <= 1
Case Study
Asset/Vulnerability Matrix, contd.
Columns = assets with their input values; rows = vulnerabilities; aggregate = sum over assets of (asset value x rating):

Vulnerability    | Transaction Revenue (10,000) | Data/Liability (10,000,000) | Laptops (5,000,000) | Desktops (3,000,000) | Regional Servers (326,000) | HQ Server (126,000) | Aggregate (Impact)
Laptops          | 1 | 1 | 3 | 0 | 0 | 0 | 25,010,000
Desktops         | 1 | 1 | 0 | 3 | 0 | 0 | 19,010,000
Regional Servers | 2 | 3 | 0 | 0 | 3 | 0 | 30,998,000
HQ Servers       | 2 | 0 | 0 | 0 | 0 | 3 | 398,000
Network Infrast. | 2 | 0 | 0 | 0 | 0 | 0 | 20,000
Software         | 1 | 0 | 0 | 0 | 0 | 0 | 10,000

Rating scale: 0 Not Relevant, 1 Low, 2 Medium, 3 High
Worked row: Laptops = 1 x 10,000 + 1 x 10,000,000 + 3 x 5,000,000 = 25,010,000

Customize matrix to assets & vulnerabilities applicable to case
Compute cost of each asset and put them in the value row
Determine correlation with vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High)
Compute the sum of product of vulnerability & asset values; add to impact column
Case Study
Vulnerability/Threat Matrix
The coefficients of this matrix are usually based on data
from the literature, e.g.:
if the rate of failure of hardware is rf (per unit time)
and the number of pieces of hardware is n, then
the total number of failed components during a time period is rf*n,
and the fraction of hardware that fails is rf*n/n = rf.
For the current example we will assume data to illustrate
the concept:
The failure rate of laptops is .001 per day (i.e., one in a thousand laptops
encounters hardware failure during a day).
Similarly, the failure rate of a desktop is .0002 (i.e., 2 in ten thousand
desktops would encounter hardware failure in a given day).
Hardware failure can cause loss of software; however, our
assumption is that all software is replaceable from backups.

Case Study
Vulnerability/Threat Matrix, contd.

Vulnerabilities ->       Laptops      Desktops     Regional    HQ        Network   Software  Aggregates (Threat Importance)
Threats                                            Servers     Servers   Infrast.            Sum(impact value x threat value)
Input Impact Aggregates  25,010,000   19,010,000   30,998,000  398,000   20,000    10,000
Hardware Failure         2            1            1           1         3         0         100,486,000
Software Failure         2            2            2           2         0         0         150,832,000
Equipment Theft          3            2            1           1         1         2         144,486,000
Denial of Service        1            1            2           2         0         0         106,812,000
Viruses/Worms            2            2            2           2         0         2         150,852,000
Insider Attacks          2            2            1           1         1         2         119,476,000
Intrusion                2            2            2           2         0         2         150,852,000

Legend: 0 Not Relevant, 1 Low, 2 Medium, 3 High

Complete the matrix based on the specific case
Add the values from the Impact column of the previous matrix
Determine the association between each threat and vulnerability
Compute the aggregate exposure values by multiplying impact and the associations and
adding across vulnerabilities
Case Study
Vulnerability/Threat Matrix, contd.
We assume that hardware failure will disrupt the network once every one hundred days.
There is a 0.3 percent chance that a software failure can lead to the failure of a desktop.
We assume that there is a .01 chance of a laptop being stolen, .001 for a desktop, and .0002
for servers.
There is a very low chance that network equipment is stolen since it is kept in secure rooms
(.0001).
When equipment is stolen, some software may have been stolen as well.
We assume that denial-of-service is primarily targeted at servers and not individual machines.
We assume that denial-of-service can disable machines as well as cause destruction of
software.
Insider attacks are primarily meant to exploit data and disable machines.
We assume that access to the servers is more restricted, so they are less vulnerable to insider attacks.

The thresholds for this matrix will be:
Not Relevant: 0
Low: 0 < x <= 0.001
Medium: 0.001 < x <= 0.01
High: 0.01 < x < 1

Case Study
Threat/Control Matrix
Some of these controls have threats associated with them. However,
these are secondary considerations and we will be focusing on primary
threats.
We assume that IDS systems will control 30% of the DOS attacks, 30%
of Viruses and Worms and 90% of intrusions.
In addition, IDS systems do not impact insider attacks.
Anti-Virus Software will prevent 90% of Viruses and Worms.
Firewall upgrades will greatly control DOS attacks as well as Viruses and
Worms (90% each). They will control 30% of intrusions,
but not insider attacks.
A redundant HQ server will control 10% of hardware failure (when the
original HQ server fails). The same percentage applies to theft and
insider attacks.
Also, a redundant HQ server will help in 80% of cases of DOS attacks
on the HQ server.
Spare laptops will assist in cases of hardware failure and theft (30%,
because of volume).

Case Study
Threat/Control Matrix, contd.
We assume that warranties will help with 70% of both hardware failure and
software failure. While they will assist with the cost of new hardware or software,
they will not reduce employee time.
It is determined that insurance will be able to control 90% of impacts from the
threats of theft, DOS attacks, Virus/Worm attacks, Insider Attacks, and
Intrusion.
Physical controls (locks, key cards, biometrics, etc.) will control 90% of theft.
Also, it is assumed that a security policy will assist with 20% of all threats since
every policy can have procedures which assist in prevention.

Customize the matrix based on the specific case
Add the values from the threat importance column of the previous matrix
Determine the impact of the different controls on the different threats
Compute the sum of the products of the threat importance and the impact of the controls
to determine the control values.

The thresholds for this matrix will be:
Not Relevant: 0
Low: 0 < x <= 0.01
Medium: 0.01 < x <= 0.05
High: 0.05 < x < 1
Case Study
Threat/Control Matrix, contd.
Threats ->               Hardware     Software     Theft        Denial of    Viruses/     Insider      Intrusion    Aggregates (Value of Control)
Controls                 Failure      Failure                   Service      Worms        Attacks                   Sum(threat importance x impact of controls)
Input Threat Importance  100,486,000  150,832,000  144,486,000  106,812,000  150,852,000  119,476,000  150,852,000
Intrusion Detection      0            0            0            2            2            0            3            $967,884,000.00
Anti-Virus               0            0            0            0            3            0            0            $452,556,000.00
Firewall Upgrades        0            0            0            3            3            0            2            $1,074,696,000.00
Redundant HQ Server      1            0            1            3            0            1            0            $684,884,000.00
Spare Laptops            2            0            2            0            0            0            0            $489,944,000.00
Warranties               3            3            0            0            0            0            0            $753,954,000.00
Insurance                0            0            3            3            3            3            3            $2,017,434,000.00
Physical Controls        0            0            3            0            0            0            0            $433,458,000.00
Security Policy          1            1            1            1            1            1            1            $923,796,000.00

Legend: 0 Not Relevant, 1 Low, 2 Medium, 3 High
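As an added example that is not part of the slides, the following Python reproduces the case study's three-matrix chain end to end: asset values feed the Asset/Vulnerability matrix, its impact column feeds the Vulnerability/Threat matrix, and that threat-importance column feeds the Threat/Control matrix. The Threat/Control ratings are an assumption: they are reconstructed from the control assumptions stated on the preceding slides (10-20% rated Low, 30% Medium, 70-90% High) and checked against the aggregate column shown above.

```python
# Added example: the case study's three-matrix chain in code. Each matrix row
# holds 0-3 ratings (0 Not Relevant, 1 Low, 2 Medium, 3 High) and each stage's
# aggregate is the sum of (input value x rating) across that row.
ASSETS = ["Transaction Revenue", "Data (Liability)", "Laptops", "Desktops",
          "Regional Servers", "HQ Server"]          # column legend for ASSET_VULN
ASSET_VALUES = [10_000, 10_000_000, 5_000_000, 3_000_000, 326_000, 126_000]
VULNS = ["Laptops", "Desktops", "Regional Servers", "HQ Servers",
         "Network Infrast.", "Software"]
THREATS = ["Hardware Failure", "Software Failure", "Equipment Theft",
           "Denial of Service", "Viruses/Worms", "Insider Attacks", "Intrusion"]
# Asset/Vulnerability matrix: rows = VULNS, columns = ASSETS (from the slide).
ASSET_VULN = [[1, 1, 3, 0, 0, 0], [1, 1, 0, 3, 0, 0], [2, 3, 0, 0, 3, 0],
              [2, 0, 0, 0, 0, 3], [2, 0, 0, 0, 0, 0], [1, 0, 0, 0, 0, 0]]
# Vulnerability/Threat matrix: rows = THREATS, columns = VULNS (from the slide).
THREAT_VULN = [[2, 1, 1, 1, 3, 0], [2, 2, 2, 2, 0, 0], [3, 2, 1, 1, 1, 2],
               [1, 1, 2, 2, 0, 0], [2, 2, 2, 2, 0, 2], [2, 2, 1, 1, 1, 2],
               [2, 2, 2, 2, 0, 2]]
# Threat/Control matrix: rows = controls, columns = THREATS. Assumed ratings,
# reconstructed from the slide's control assumptions (e.g. IDS: 30% of DoS and
# of viruses -> Medium, 90% of intrusions -> High) and matching its aggregates.
CONTROL_THREAT = {
    "Intrusion Detection": [0, 0, 0, 2, 2, 0, 3],
    "Anti-Virus":          [0, 0, 0, 0, 3, 0, 0],
    "Firewall Upgrades":   [0, 0, 0, 3, 3, 0, 2],
    "Redundant HQ Server": [1, 0, 1, 3, 0, 1, 0],
    "Spare Laptops":       [2, 0, 2, 0, 0, 0, 0],
    "Warranties":          [3, 3, 0, 0, 0, 0, 0],
    "Insurance":           [0, 0, 3, 3, 3, 3, 3],
    "Physical Controls":   [0, 0, 3, 0, 0, 0, 0],
    "Security Policy":     [1, 1, 1, 1, 1, 1, 1],
}

def aggregate(inputs, rows):
    """Sum of products of the input values and each row's 0-3 ratings."""
    return [sum(r * v for r, v in zip(ratings, inputs)) for ratings in rows]

def run_case():
    """Chain the three matrices; returns the three aggregate columns as dicts."""
    impact = aggregate(ASSET_VALUES, ASSET_VULN)                  # per vulnerability
    importance = aggregate(impact, THREAT_VULN)                   # per threat
    value = aggregate(importance, list(CONTROL_THREAT.values()))  # per control
    return (dict(zip(VULNS, impact)), dict(zip(THREATS, importance)),
            dict(zip(CONTROL_THREAT, value)))

if __name__ == "__main__":
    for stage in run_case():  # print each column, highest exposure/value first
        for name, total in sorted(stage.items(), key=lambda kv: -kv[1]):
            print(f"{name:22s} {total:>16,}")
        print()
```

Changing a single rating and rerunning shows how far a coarse 0-3 judgement moves the final ranking of controls, which is the sensitivity a qualitative analysis has to live with.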
Case Study
Assignment
Given the matrices and the example case provided, apply the
same methodology to determine the information
security risk in your own organization.

Appendix

Qualitative Risk Analysis
Summary
Qualitative risk analysis uses relative values of assets, threats and
vulnerabilities to:
Determine the relative exposure of the different assets of the organization
Determine the relative effectiveness of the different controls
The methodology developed here uses a series of matrices to collect the
data on assets, vulnerabilities, threats and controls
Data from the matrices is integrated to determine the relative
importance of the controls
This approach is suitable when precise data for the different elements is
unavailable
Most organizations start with a qualitative analysis and gradually migrate
to a quantitative analysis

Qualitative Risk Analysis
Summary Contd.
J K L I I
Risk Aggregation: R* (t j ij ) jk kl al Ci
j 1k 1l 1 i 1 i 1
ij (1 qi ij )
Optimization k Q k Q
simple formulation Minimize : R j such that j
*

k 1 j 1
Cost Benefit Analysis
LEVERAGE = (RISK EXPOSURE before reduction - RISK EXPOSURE after reduction) / COST OF REDUCTION
Regression Testing
Used for comparing risk impact
Monte Carlo Simulation
1) Develop the risk model
2) Define the shape and parameters
3) Run the simulation
4) Build a histogram
5) Compute summary statistics
6) Perform sensitivity analysis
7) Analyze potential dependency relationships
Acknowledgements
Grants & Personnel
Support for this work has been provided through the
following grants
NSF 0210379
FIPSE P116B020477
Damira Pon, from the Center of Information Forensics and
Assurance contributed extensively by reviewing and editing
the material
Robert Bangert-Drowns from the School of Education
provided extensive review of the material from a pedagogical
view.
