Risk Analysis
Sanjay Goel
University at Albany, SUNY
Fall 2004
Trust
Value consistent with public opinion on the integrity and character of an
organization.
Intellectual Property
Any product of the human intellect that is unique, novel, and unobvious
(and has some value in the marketplace)
Source: http://www.uta.edu/tto/ip-defs.htm
Sanjay Goel, School of Business/Center for Information Forensics and Assurance 15
University at Albany Proprietary Information
Determine Assets
Valuation
Asset values are used to identify the appropriate protection of
assets and to determine the importance of the assets to the
business.
Values can be expressed in terms of:
Potential business impacts affecting loss of confidentiality, integrity and
availability.
Valuation of some assets different for small and large
organizations
Intangible assets hard to quantify
Hidden costs of damages to recovery (often underestimated)
Borrow from litigation
Iterative to find ways of valuation
Assets & Costs matrix (slide figure; only the labels survived extraction)
Cost categories: Critical Infrastructure, Client Secrets, Reputation (Trust), Lost Sales/Revenue, Cleanup Costs, Info/Integrity
Asset types: Hardware, Software, Services
Scale (Relative Impact): Not Relevant 0, Low 1, Medium 3, High 9
Vulnerabilities matrix (slide figure; only the labels survived extraction)
Vulnerabilities Value row for the assets Web Servers, Compute Servers, Firewalls, Routers, Client Nodes, Databases (the same asset list appears on both axes of the slide)
Scale (Importance / Relative Threat): Not Relevant 0, Low 1, Medium 3, High 9
Threats matrix (slide figure; only the labels survived extraction)
Threats Value row: Denial of Service, Spoofing and Masquerading, Malicious Code, Human Errors, Insider Attacks, Intrusion
Threat categories on the other axis: Denial of Service, Spoofing, Malicious Code, Human Errors, Insider Attacks, Intrusion, Spam, Physical Damage
Value of Control matrix (slide figure; only the labels survived extraction)
Scale: Not Relevant 0, Low 1, Medium 3, High 9
Controls Value row: Firewalls, IDS, Single Sign-On, DMZ, Training, Security Policy, Network Configuration, Hardening of Environment
Procedure:
1) Customize the matrix based on the specific case
2) Add the values from the relative exposure column of the previous matrix
3) Determine the impact of the different controls on the different threats
4) Compute the aggregate value of the benefit of each control
Matrix-Based Approach
Review
Vulnerability/Asset matrix (case study; the six asset column headers did not survive extraction)

Vulnerability         coefficients (one per asset column)   Impact
Laptops               1  1  3  0  0  0                      25,010,000
Desktops              1  1  0  3  0  0                      19,010,000
Regional Servers      2  3  0  0  3  0                      30,998,000
HQ Servers            2  0  0  0  0  3                         398,000
Network Infrast.      2  0  0  0  0  0                          20,000
Software              1  0  0  0  0  0                          10,000
Scale: 0 Not Relevant, 1 Low, 2 Medium, 3 High

Procedure:
1) Customize the matrix to the assets & vulnerabilities applicable to the case
2) Compute the cost of each asset and put it in the value row
3) Determine the correlation between each vulnerability and asset (0 for Not Relevant, 1 for Low, 2 for Medium and 3 for High)
4) Compute the sum of products of vulnerability coefficients & asset values; enter it in the impact column
Case Study
Vulnerability/Threat Matrix
The coefficients of this matrix are usually based on data from the literature, e.g.:
  if the rate of failure of hardware is r_f (per unit time) and the number of pieces of hardware is n, then
  the total number of failed components during a time period is r_f * n, and
  the fraction of hardware that fails is r_f * n / n = r_f
For the current example we assume data for illustration of the concept:
  The failure rate of laptops is .001 per day (i.e., one in a thousand laptops encounters hardware failure during a day).
  Similarly, the failure rate of a desktop is .0002 per day (i.e., 2 in ten thousand desktops would encounter hardware failure in a given day).
  Hardware failure can cause loss of software; however, our assumption is that all software is replaceable from backups.
Input Impact (from the vulnerability/asset matrix, same column order):
  Laptops 25,010,000 | Desktops 19,010,000 | Regional Servers 30,998,000 | HQ Servers 398,000 | Network Infrast. 20,000 | Software 10,000

Threat              Lap  Desk  RegSrv  HQSrv  NetInf  Softw   S (impact value x threat value)
Hardware Failure     2    1     1       1      3       0      100,486,000
Software Failure     2    2     2       2      0       0      150,832,000
Equipment Theft      3    2     1       1      1       2      144,486,000
Denial of Service    1    1     2       2      0       0      106,812,000
Viruses/Worms        2    2     2       2      0       2      150,852,000
Insider Attacks      2    2     1       1      1       2      119,476,000
Intrusion            2    2     2       2      0       2      150,852,000
Input Threat Importance Values (from the threat matrix above, same row order):
  Hardware Failure 100,486,000 | Software Failure 150,832,000 | Equipment Theft 144,486,000 | Denial of Service 106,812,000 | Viruses/Worms 150,852,000 | Insider Attacks 119,476,000 | Intrusion 150,852,000

Control               HwF  SwF  Theft  DoS  Virus  Insider  Intr   S (threat importance x impact of controls)
Intrusion Detection    0    0    0      0    0      0        0     $967,884,000.00
Anti-Virus             0    0    0      0    0      0        0     $452,556,000.00
Firewall Upgrades      0    0    0      0    0      0        0     $1,074,696,000.00
Redundant HQ Server    2    2    2      2    2      2        2     $684,884,000.00
Spare Laptops          2    2    2      2    2      2        2     $489,944,000.00
Warranties             0    0    0      0    0      0        0     $753,954,000.00
Insurance              3    3    3      3    3      3        3     $2,017,434,000.00
Physical Controls      0    0    0      0    0      0        0     $433,458,000.00
Security Policy        0    0    0      0    0      0        0     $923,796,000.00
Scale: 0 Not Relevant, 1 Low, 2 Medium, 3 High

Note: the coefficient cells of this table did not survive extraction intact; as printed they do not reproduce the S column (for example, Security Policy's $923,796,000 equals the sum of all seven threat values, i.e. a coefficient of 1 against every threat, yet its row shows zeros). Only the S column is reliable.
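As an added example (not code from the slides), the following Python carries the matrix method through in code: stage two reproduces the threat-importance S column of the case study from the impact values and coefficients printed above, and stage three shows how those results feed the controls matrix. The control coefficients in CONTROL_MATRIX are hypothetical, since the slide's own control coefficients were not recovered.

```python
"""Matrix-based risk aggregation (added example, not from the slides).
Each stage sums coefficient * previous-stage value across a row, with
coefficients on the case-study scale 0/1/2/3 = Not Relevant/Low/Medium/High.
IMPACT and THREAT_MATRIX are the slide's values; CONTROL_MATRIX is hypothetical.
"""

# Impact (cost) per vulnerability class, in slide column order:
# Laptops, Desktops, Regional Servers, HQ Servers, Network Infrast., Software.
IMPACT = [25_010_000, 19_010_000, 30_998_000, 398_000, 20_000, 10_000]

# Threat x vulnerability coefficients exactly as given on the slide.
THREAT_MATRIX = {
    "Hardware Failure":  [2, 1, 1, 1, 3, 0],
    "Software Failure":  [2, 2, 2, 2, 0, 0],
    "Equipment Theft":   [3, 2, 1, 1, 1, 2],
    "Denial of Service": [1, 1, 2, 2, 0, 0],
    "Viruses/Worms":     [2, 2, 2, 2, 0, 2],
    "Insider Attacks":   [2, 2, 1, 1, 1, 2],
    "Intrusion":         [2, 2, 2, 2, 0, 2],
}

# Hypothetical control x threat coefficients (NOT the slide's values), columns
# in THREAT_MATRIX row order, to show how the third stage chains onto the second.
CONTROL_MATRIX = {
    "Anti-Virus":    [0, 1, 0, 0, 3, 0, 1],
    "Spare Laptops": [2, 0, 2, 0, 0, 0, 0],
}

def aggregate(matrix: dict[str, list[int]], values: list[int]) -> dict[str, int]:
    """Row-wise sum of products S_i = sum_j coeff[i][j] * value[j]; rejects bad rows."""
    result = {}
    for name, coeffs in matrix.items():
        if len(coeffs) != len(values):  # row width must match the previous stage
            raise ValueError(f"{name}: {len(coeffs)} coefficients for {len(values)} columns")
        if any(c not in (0, 1, 2, 3) for c in coeffs):  # stay on the 0..3 scale
            raise ValueError(f"{name}: coefficients must be 0, 1, 2 or 3")
        result[name] = sum(c * v for c, v in zip(coeffs, values))
    return result

def ranked(values: dict[str, int]) -> list[str]:
    """Names ordered from highest to lowest aggregate value (ties keep input order)."""
    return sorted(values, key=values.__getitem__, reverse=True)

if __name__ == "__main__":
    threats = aggregate(THREAT_MATRIX, IMPACT)                     # threat importance
    controls = aggregate(CONTROL_MATRIX, list(threats.values()))  # value of each control
    for table in (threats, controls):
        for name in ranked(table):
            print(f"{name:18s} {table[name]:>15,d}")
```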
Case Study
Assignment
Given the matrices and the example case provided, apply this same methodology to determine the information security risk in your own organization.
k 1 j 1
Cost Benefit Analysis
$$\text{LEVERAGE} = \frac{\text{RISK EXPOSURE}_{\text{before reduction}} - \text{RISK EXPOSURE}_{\text{after reduction}}}{\text{COST OF REDUCTION}}$$
Regression Testing
Used for comparing risk impact
Monte Carlo Simulation
1) Develop the risk model
2) Define the shape and parameters
3) Run the simulation
4) Build a histogram
5) Compute summary statistics
6) Perform sensitivity analysis
7) Analyze potential dependency relationships
Acknowledgements
Grants & Personnel
Support for this work has been provided through the
following grants
NSF 0210379
FIPSE P116B020477
Damira Pon, from the Center of Information Forensics and
Assurance contributed extensively by reviewing and editing
the material
Robert Bangert-Drowns from the School of Education
provided extensive review of the material from a pedagogical
view.