Security Risk Management and Ethics Ch1 PDF

Summary

This document provides an introduction to security risk management, including the definition of and relationship between risk, threat, and vulnerability, and the purpose of risk management in terms of business profitability and survivability. The textbook used is "Measuring and managing information risk: A FAIR Approach" by Freund, J., & Jones, J., 1st edition, Butterworth-Heinemann, 2015.

Full Transcript

Security Risk Management and Ethics
Chapter One: Introduction to Security Risk Management

Textbook: Freund, J., & Jones, J., "Measuring and managing information risk: A FAIR Approach", 1st Edition, Butterworth-Heinemann, 2015. ISBN-13: 9780127999326.

Chapter 1: Topics

This chapter covers the following topics and concepts:
- What risk is and what its relationship to threat, vulnerability, and loss is
- What the major components of risk to an IT infrastructure are
- What risk management is and how it is important to the business
- What some risk identification techniques are
- What some risk management techniques are

Chapter 1: Goals

When you complete this chapter, you will be able to:
- Define risk
- Identify the major components of risk
- Describe the relationship between threats, vulnerabilities, and impact
- Define risk management
- Describe risk management's relationship with profitability and survivability
- Explain the relationship between the cost of loss and the cost of risk management

Chapter 1: Goals, cont.

- Describe how risk is perceived by different roles within an organization
- Identify threats
- List the different categories of threats
- Describe techniques to identify vulnerabilities
- Identify and define risk management techniques

What Is Risk?

Risk is the likelihood that a loss will occur. Losses occur when a threat exposes a vulnerability.
Organizations of all sizes face risks. Some risks are so severe they cause a business to fail. Other risks are minor and can be accepted without another thought.
Organizations use risk management techniques to identify and differentiate severe risks from minor risks. When this is done properly, administrators and managers can intelligently decide what to do about any type of risk. Thus, the end result is a decision to avoid, transfer, mitigate, or accept a risk.

What Is Risk? cont.

The common themes of these definitions are threat, vulnerability, and loss. Here's a short definition of each of these terms:
- Threat—A threat is any activity that represents a possible danger.
- Vulnerability—A vulnerability is a weakness.
- Loss—A loss results in a compromise to business functions or assets.
Risks to organizations can result in a loss that negatively affects the business. The overall goal is to reduce the losses that can occur from risk.

Classifying the Effect of Risks on Businesses

Organization losses can be categorized into three levels:
(1) Business functions
(2) Business assets
(3) Driver of business costs

(1) Business Functions

Business functions are the activities a business performs to provide services or sell products. If any of these functions are negatively affected by any type of security risk, the organization won't be able to sell as much. The organization will earn less revenue, resulting in an overall loss in terms of customers or profits.

Examples of business functions and possible risks:
- A Web site sells products on the Internet. If the Web site is attacked and fails, sales are lost.
- Authors write articles that must be submitted by a deadline to be published. If the author's PC becomes infected with a virus, the deadline passes and the article's value is reduced.
- Analysts compile reports used by management to make decisions. Data is gathered from internal servers and Internet sources. If network connectivity fails, analysts won't have access to current data. Management could make decisions based on inaccurate information.
- A warehouse application is used for shipping products that have been purchased. It identifies what has been ordered, where the products need to be sent, and where they are located. If the application fails, products aren't shipped on time.

(2) Business Assets

A business asset is anything that has measurable value to a company. If an asset has the potential of losing value, it is at risk. Value is defined as the worth of an asset to a business. Value can often be expressed in monetary terms, such as $5,000. Assets can have both tangible and intangible values. The tangible value is the actual cost of the asset. The intangible value is value that cannot be measured by cost, such as client confidence.

Some examples of tangible assets are:
- Computer systems—Servers, desktop PCs, and mobile computers are all tangible assets.
- Network components—Routers, switches, firewalls, and any other components necessary to keep the network running are assets.
- Software applications—Any application that can be installed on a computer system is considered a tangible asset.
- Data—This includes the large-scale databases that are integral to many businesses. It also includes the data used and manipulated by each employee or customer.

One of the early steps in risk management is associated with identifying the assets of a company and their associated costs. This data is used to prioritize risks for different assets. Once a risk is prioritized, it becomes easier to identify risk management processes to protect the asset.

Example: the effect of risk on business assets

Imagine that your company sells products via a Web site. The Web site earns $5,000 an hour in revenue. Now, imagine that the Web server hosting the Web site fails and is down for two hours. The costs to repair it total $1,000. What is the tangible loss?
- Lost revenue—$5,000 times two hours = $10,000
- Repair costs—$1,000
- Total tangible value—$11,000

The intangible value isn't as easy to calculate but is still very important. Imagine that several customers tried to make a purchase when the Web site was down. If the same product is available somewhere else, they probably bought the product elsewhere. That lost revenue is the tangible value. However, if the experience is positive with the other business, where will the customers go the next time they want to purchase this product? It's very possible the other business has just gained new customers and you have lost some.

The intangible value includes:
(1) Future lost revenue—Any additional purchases the customers make with the other company are a loss to your company.
(2) Cost of gaining the customer—A lot of money is invested to attract customers. It is much easier to sell to a repeat customer than it is to acquire a new customer. If you lose a customer, you lose the investment.
(3) Customer influence—Customers have friends, families, and business partners. They commonly share their experience with others, especially if the experience is exceptionally positive or negative.

(3) Driver of Business Costs

Risk is also a driver of business costs. Once risks are identified, steps can be taken to reduce or manage the risk. Risks are often managed by implementing countermeasures or controls. The costs of managing risk need to be considered in total business costs. If too much money is spent on reducing risk, the overall profit is reduced. If too little money is spent on these controls, a loss could result from an easily avoidable threat and/or vulnerability.

Profitability vs. Survivability

Both profitability and survivability must be considered when considering risks.
- Profitability: the ability of a company to make a profit. Profitability is calculated as revenues minus costs.
- Survivability: the ability of a company to survive loss due to a risk. Some losses, such as fire, can be disastrous and cause the business to fail.

In terms of profitability, a loss can ruin a business. In terms of survivability, a loss may cause a company never to earn a profit. The costs associated with risk management don't contribute directly to revenue gains. Instead, these costs help to ensure that a company can continue to operate even if it incurs a loss.

When considering profitability and survivability, you will want to consider the following items:
(1) Out-of-pocket costs—The cost to reduce risks comes from existing funds.
(2) Lost opportunity costs—Money spent to reduce risks can't be spent elsewhere. This may result in lost opportunities if the money could be used for some other purpose.
(3) Future costs—Some countermeasures require ongoing or future costs. These costs could be for renewing hardware or software. Future costs can also include the cost of employees to implement the countermeasures.
(4) Client/stakeholder confidence—The value of client and stakeholder confidence is also important. If risks aren't addressed, clients or stakeholders may lose confidence when a threat exploits a vulnerability, resulting in a significant loss to the company.

Example: risk as a driver of business costs

Consider antivirus software. The cost to install antivirus software on every computer in the organization can be quite high. Every dollar spent reduces the overall profit, and antivirus software doesn't have the potential to add any profit. However, what's the alternative? If antivirus software is not installed, every system represents a significant risk. If any system becomes infected, a virus could release a worm as a payload and infect the entire network. Databases could be corrupted. Data on file servers could be erased. E-mail servers could crash. The entire business could grind to a halt. If this happens too often or for too long, the business could fail.

What Are the Major Components of Risk to an IT Infrastructure?

Seven Domains of a Typical IT Infrastructure

There are a lot of similarities between different IT organizations. For example, any IT organization will have users and computers. There are seven domains of a typical IT infrastructure. Figure 1-1 shows the seven domains of a typical IT infrastructure. When considering risk management, you can examine each of these domains separately. Each domain represents a possible target for an attacker.
Some attackers have the skills and aptitudes to con users, so they focus on the User Domain. Other attackers may be experts in specific applications, so they focus on the System/Application Domain. An attacker only needs to be able to exploit vulnerabilities in one domain of the seven domains. However, a business must provide protection in each of the domains. A weakness in any one of the domains can be exploited by an attacker even if the other six domains have no vulnerabilities.

(1) Risk on the User Domain

The User Domain includes people.
They can be users, employees, contractors, or consultants. The old phrase that a chain is only as strong as its weakest link applies to IT security too. People are often the weakest link in IT security. A business could have the strongest technical and physical security available. However, if personnel don't understand the value of security, the security can be bypassed. For example, technical security can require strong, complex passwords that can't be easily cracked. However, a social engineer can convince an employee to give up the password. This is called "social engineering".
Some users assume that no one will ever think of looking at the sticky note under their keyboard. Users can visit risky Web sites, and download and execute infected software. They may unknowingly bring viruses from home via universal serial bus (USB) thumb drives. When they plug in the USB drive, the work computer becomes infected. This in turn can infect other computers and the entire network.

Example of Social Engineering (slide figure; not captured in the transcript)

(2) Risk on the Workstation Domain

The workstation is the end user's computer. The workstation is susceptible to malicious software, also known as malware. The workstation is vulnerable if it is not kept up to date with recent patches. If antivirus software isn't installed, the workstation is also vulnerable. If a system is infected, the malware can cause significant harm. Some malware infects a single system. Other malware releases worm components that can spread across the network. Antivirus companies regularly update virus definitions as new malware is discovered.
In addition to installing the antivirus software, companies must also update the software regularly with new definitions. If the antivirus software is installed and up to date, the likelihood of a system becoming infected is reduced. Bugs and vulnerabilities are constantly being discovered in operating systems and applications. Some of the bugs are harmless. Others represent significant risks. Microsoft and other software vendors regularly release patches and fixes that can be applied. When systems are kept updated, these fixes help keep the systems protected. When systems aren't updated, the threats can become significant.

(3) Risk on the LAN Domain

The LAN Domain is the area that is inside the firewall. It can be a few systems connected together in a small home office network. It can also be a large network with thousands of computers. Each individual device on the network must be protected or all devices can be at risk. Network devices such as hubs, switches, and routers are used to connect the systems together on the local area network (LAN). The internal LAN is generally considered a trusted zone. Data transferred within the LAN isn't protected as thoroughly as if it were sent outside the LAN. As an example, sniffing attacks occur when an attacker uses a protocol analyzer to capture data packets.
A protocol analyzer is also known as a sniffer. An experienced attacker can read the actual data within these packets. If hubs are used instead of switches, there is an increased risk of sniffing attacks. An attacker can plug into any port in the building and potentially capture valuable data. If switches are used instead of hubs, the attacker must have physical access to the switch to capture the same amount of data. Most organizations protect network devices in server rooms or wiring closets.
NOTE: Many organizations outlaw the use of hubs within the LAN. Switches are more expensive. However, they reduce the risk of sniffing attacks.

(4) Risk on the LAN-to-WAN Domain

The LAN-to-WAN Domain connects the local area network to the wide area network (WAN). The LAN Domain is considered a trusted zone since it is controlled by a company. The WAN Domain is considered an untrusted zone because it is not controlled and is accessible by attackers. The area between the trusted and untrusted zones is protected with one or more firewalls. This is also called the boundary, or the edge. Security here is referred to as boundary protection or edge protection.
The public side of the boundary is often connected to the Internet and has public Internet Protocol (IP) addresses. These IP addresses are accessible from anywhere in the world, and attackers are constantly probing public IP addresses. They look for vulnerabilities and when one is found, they pounce. A high level of security is required to keep the LAN-to-WAN Domain safe.

(5) Risk on the Remote Access Domain

Mobile workers often need access to the private LAN when they are away from the company. Remote access is used to grant mobile workers this access. Remote access can be granted via direct dial-up connections or using a virtual private network (VPN) connection. A VPN provides access to a private network over a public network. The public network used by VPNs is most commonly the Internet. Since the Internet is largely untrusted and has known attackers, remote access represents a risk.
Attackers can access unprotected connections. They can also try to break into the remote access servers. Using a VPN is an example of a control to lessen the risk. But VPNs have their vulnerabilities, too. Vulnerabilities exist at two stages of the VPN connection:
(1) The first stage is authentication. Authentication is when the user provides credentials to prove identity. If these credentials can be discovered, the attacker can later use them to impersonate the user.
(2) The second stage is when data is passed between the user and the server. If the data is sent in clear text, an attacker can capture and read the data.
NOTE: VPN connections use tunneling protocols to reduce the risk of data being captured. A tunneling protocol will encrypt the traffic sent over the network. This makes it more difficult for attackers to capture and read data.

(6) Risk on the WAN Domain

For many businesses, the WAN is the Internet. However, a business can also lease semiprivate lines from private telecommunications companies. These lines are semiprivate because they are rarely leased and used by only a single company. Instead, they are shared with other unknown companies. As mentioned in the LAN-to-WAN Domain, the Internet is an untrusted zone. Any host on the Internet with a public IP address is at significant risk of attack.
Moreover, it is fully expected that any host on the Internet will be attacked. Semiprivate lines aren't as easily accessible as the Internet. However, a company rarely knows who else is sharing the lines. These leased lines require the same level of security provided to any host in the WAN Domain. A significant amount of security is required to keep hosts in the WAN Domain safe.

(7) Risk on the System/Application Domain

The System/Application Domain refers to servers that host server-level applications. Mail servers receive and send e-mail for clients. Database servers host databases that are accessed by users, applications, or other servers. Domain Name System (DNS) servers provide names to IP addresses for clients. You should always protect servers using best practices:
- Remove unneeded services and protocols.
- Change default passwords.
- Regularly patch and update the server systems.
- Enable local firewalls.
One of the challenges with servers in the System/Application Domain is that the knowledge becomes specialized. People tend to focus on areas of specialty.
For example, common security issues with an e-mail server would likely be known only by technicians who regularly work with the e-mail servers.
NOTE: You should lock down a server using the specific security requirements needed by the hosted application. An e-mail server requires one set of protections while a database server requires a different set.

Threats, Vulnerabilities, and Impact

When a threat exploits a vulnerability it results in a loss. The impact identifies the severity of the loss.
A threat is any circumstance or event with the potential to cause a loss. You can also think of a threat as any activity that represents a possible danger. Threats are always present and cannot be eliminated, but they may be controlled. Threats have independent probabilities of occurring that often are unaffected by an organizational action. As an example, an attacker may be an expert in attacking Web servers hosted on Apache. There is very little a company can do to stop this attacker from trying to attack. However, a company can reduce or eliminate vulnerabilities to reduce the attacker's chance of success.
Threats are attempts to exploit vulnerabilities that result in the loss of confidentiality, integrity, or availability of a business asset. The protection of confidentiality, integrity, and availability are common security objectives for information systems. Figure 1-2 shows these three security objectives as a protective triangle. If any side of the triangle is breached or fails, security fails. In other words, risks to confidentiality, integrity, or availability represent potential loss to an organization. Because of this, a significant amount of risk management is focused on protecting these resources.
- Confidentiality—Preventing unauthorized disclosure of information. Data should be available only to authorized users. Loss of confidentiality occurs when data is accessed by someone who should not have access to it. Data is protected using access controls and encryption technologies.
- Integrity—Ensuring data or an IT system is not modified or destroyed. If data is modified or destroyed, it loses its value to the company. Hashing is often used to ensure integrity.
- Availability—Ensuring data and services are available when needed. IT systems are commonly protected using fault tolerance and redundancy techniques. Backups are used to ensure the data is retained even if an entire

A vulnerability is a weakness. It could be a procedural, technical, or administrative weakness. It could be a weakness in physical security, technical security, or operational security. It's only when an attacker is able to exploit the vulnerability that a loss to an asset occurs. Vulnerabilities may exist because they've never been corrected. They can also exist if security is weakened either intentionally or unintentionally.
Example: Consider a locked door used to protect a server room. A technician could intentionally unlock it to make it easier to access. If the door doesn't shut tight on its own, it could accidentally be left open. Either way, the server room becomes vulnerable.

The impact is the amount of the loss. The loss can be expressed in monetary terms, such as $5,000. The value of hardware and software is often easy to determine. If a laptop is stolen, you can use the purchase value or the replacement value. However, some losses aren't easy to determine. If that same laptop held data, the value of the data is hard to estimate. Descriptive terms instead of monetary terms can be used to describe the impact. You can describe losses in relative terms such as high, medium, or low. As an example, NIST SP 800-30 suggests the following impact terms:
(1) High impact—If a threat exploits the vulnerability it may: result in the costly loss of major assets or resources; significantly violate, harm, or impede an organization's mission, reputation, or interest; or result in human death or serious injury.
(2) Medium impact—If a threat exploits the vulnerability it may: result in the costly loss of assets or resources; violate, harm, or impede an organization's mission, reputation, or interest; or result in human injury.
(3) Low impact—If a threat exploits the vulnerability it may: result in the loss of some assets or resources; or noticeably affect an organization's mission, reputation, or interest.

IT Security Management

IT Security Management: a process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and reliability. IT security management functions include:
- Organizational IT security objectives, strategies and policies
- Determining organizational IT security requirements
- Identifying and analyzing security threats to IT assets
- Identifying and analyzing risks
- Specifying appropriate safeguards
- Monitoring the implementation and operation of safeguards
- Developing and implementing a security awareness program
- Detecting and reacting to incidents

ISO 27000 Security Standards

- ISO27000: a proposed standard which will define the vocabulary and definitions used in the 27000 family of standards.
- ISO27001: defines the information security management system specification and requirements against which organizations are formally certified. It replaces the older Australian and British national standards AS7799.2 and BS7799.2.
- ISO27002: currently published and better known as ISO17799, this standard specifies a code of practice detailing a comprehensive set of information security control objectives and a menu of best-practice security controls. It replaces the older Australian and British national standards AS7799.1 and BS7799.1.
- ISO27003: a proposed standard containing implementation guidance on the use of the 27000 series of standards following the "Plan-Do-Check-Act" process quality cycle. Publication is proposed for late 2008.
- ISO27004: a draft standard on information security management measurement to help organizations measure and report the effectiveness of their information security management systems. It will address both the security management processes and controls. Publication is proposed for 2007.
- ISO27005: a proposed standard on information security risk management. It will replace the recently released British national standard BS7799.3. Publication is proposed for 2008/9.
- ISO13335: provides guidance on the management of IT security. This standard comprises a number of parts. Part 1 defines concepts and models for information and communications technology security management. Part 2, currently in draft, will provide operational guidance on ICT security. These replace the older series of 5 technical reports ISO/IEC TR 13335 parts 1-5.
IT Security Management Process

Plan - Do - Check - Act (Deming Cycle):
- Plan: establish policy; define objectives and processes
- Do: implement and operate policy, controls, processes
- Check: assess and measure, and report results
- Act: take corrective and preventative actions (based on audits)

Organizational Context and Security Policy

- First examine organization's IT security:
  - Objectives: wanted IT security outcomes
  - Strategies: how to meet objectives
  - Policies: identify what needs to be done
- Maintained and updated regularly
  - Using periodic security reviews
  - Reflect changing technical/risk environments

Security Policy: Topics to Cover

Needs to address:
- Scope and purpose, including relation of objectives to business, legal, regulatory requirements
- IT security requirements
- Assignment of responsibilities
- Risk management approach
- Security awareness and training
- General personnel issues and any legal sanctions
- Integration of security into systems development
- Information classification scheme
- Contingency and business continuity planning
- Incident detection and handling processes
- How and when the policy is reviewed, and change control to it

Management Support

- IT security policy must be supported by senior management
- Need IT security officer
  - To provide consistent overall supervision
  - Manage process
  - Handle incidents
- Large organizations need IT security officers on major projects/teams
  - Manage process within their areas

Security Risk Assessment

- Critical component of process
  - else may have vulnerabilities or waste money
- Ideally examine every asset vs risk
  - not feasible in practice
- Choose one of possible alternatives based on organization's resources and risk profile
  - Baseline
  - Informal
  - Formal
  - Combined

Baseline Approach

- Use "industry best practice"
  - Easy, cheap, can be replicated
  - But gives no special consideration to org
  - May give too much or too little security
- Implement safeguards against most common threats
- Baseline recommendations and checklist documents available from various bodies
- Alone only suitable for small organizations

Informal Approach

- Conduct informal, pragmatic risk analysis on organization's IT systems
  - Exploits knowledge and expertise of analyst
  - Fairly quick and cheap
  - Does address some org specific issues
  - Some risks may be incorrectly assessed
  - Skewed by analyst's views, varies over time
- Suitable for small to medium sized orgs

Detailed Risk Analysis

- Most comprehensive alternative
- Assess using formal structured process
  - With a number of stages
  - Identify likelihood of risk and consequences
  - Hence have confidence controls appropriate
- Costly and slow, requires expert analysts
- May be a legal requirement to use
- Suitable for large organizations with IT systems critical to their business objectives

Combined Approach

- Combines elements of other approaches
  - Initial baseline on all systems
  - Informal analysis to identify critical risks
  - Formal assessment on these systems
  - Iterated and extended over time
- Better use of time and money resources
- Better security earlier that evolves
- May miss some risks early
- Recommended alternative for most orgs

Detailed Risk Analysis Process (slide figure; not captured in the transcript)

Establish Context

- Determine broad risk exposure of org
  - Related to wider political/social environment
  - Legal and regulatory constraints
- Specify organization's risk appetite
- Set boundaries of risk assessment
  - Partly on risk assessment approach used
- Decide on risk assessment criteria used

Asset Identification

- Identify assets
  - "anything which needs to be protected"
  - of value to organization to meet its objectives
  - tangible or intangible
  - in practice try to identify significant assets
- Draw on expertise of people in relevant areas of organization to identify key assets
  - identify and interview such personnel
  - see checklists in various standards

Terminology

- asset: anything that has value to the organization
- threat: a potential cause of an unwanted incident which may result in harm to a system or organization
- vulnerability: a weakness in an asset or group of assets which can be exploited by a threat
- risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets

Threat Identification

- To identify threats or risks to assets ask:
  - who or what could cause it harm?
  - how could this occur?
- Threats are anything that hinders or prevents an asset providing appropriate levels of the key security services:
  - confidentiality, integrity, availability, accountability, authenticity and reliability
- Assets may have multiple threats

Threat Sources

- Threats may be
  - natural "acts of god"
  - man-made and either accidental or deliberate
- Should consider human attackers
  - motivation
  - capability
  - resources
  - probability of attack
  - deterrence
- Any previous history of attack on org

Threat Identification (cont.)

- Depends on risk assessor's experience
- Uses variety of sources
  - natural threat chance from insurance stats
  - lists of potential threats in standards, IT security surveys, info from governments
- Tailored to organization's environment
  - and any vulnerabilities in its IT systems

Vulnerability Identification

- Identify exploitable flaws or weaknesses in organization's IT systems or processes
- Hence determine applicability and significance of threat to organization
- Need combination of threat and vulnerability to create a risk to an asset
- Again can use lists of potential vulnerabilities in standards etc.

Analyze Risks

- Specify likelihood of occurrence of each identified threat to asset given existing controls
  - management, operational, technical processes and procedures to reduce exposure of org to some risks
- Specify consequence should threat occur
- Hence derive overall risk rating for each threat
  - risk = probability threat occurs x cost to organization
- In practice very hard to determine exactly
- Use qualitative, not quantitative, ratings for each
- Aim to order resulting risks in order to treat them

Determine Likelihood Rating

Rating | Likelihood | Expanded Definition
1 | Rare | May occur only in exceptional circumstances and may be deemed as "unlucky" or very unlikely.
2 | Unlikely | Could occur at some time but not expected given current controls, circumstances, and recent events.
3 | Possible | Might occur at some time, but just as likely as not. It may be difficult to control its occurrence due to external influences.
4 | Likely | Will probably occur in some circumstance and one should not be surprised if it occurred.
5 | Almost Certain | Is expected to occur in most circumstances and certainly sooner or later.

Determine Consequence Rating

Rating | Consequence | Expanded Definition
1 | Insignificant | Generally a result of a minor security breach in a single area. Impact is likely to last less than several days and requires only minor expenditure to rectify.
2 | Minor | Result of a security breach in one or two areas. Impact is likely to last less than a week, but can be dealt with at the segment or project level without management intervention. Can generally be rectified within project or team resources.
3 | Moderate | Limited systemic (and possibly ongoing) security breaches. Impact is likely to last up to 2 weeks and generally requires management intervention. Will have ongoing compliance costs to overcome.
4 | Major | Ongoing systemic security breach. Impact will likely last 4-8 weeks and require significant management intervention and resources to overcome, and compliance costs are expected to be substantial. Loss of business or organizational outcomes is possible, but not expected, especially if this is a once off.
5 | Catastrophic | Major systemic security breach. Impact will last for 3 months or more and senior management will be required to intervene for the duration of the event to overcome shortcomings. Compliance costs are expected to be very substantial. Substantial public or political debate about, and loss of confidence in, the organization is likely. Possible criminal or disciplinary action is likely.
6 | Doomsday | Multiple instances of major systemic security breaches. Impact duration cannot be determined and senior management will be required to place the company under voluntary administration or other form of major restructuring. Criminal proceedings against senior management are expected, and substantial loss of business and failure to meet organizational objectives is unavoidable.

Determine Resultant Risk

Likelihood \ Consequence | Doomsday | Catastrophic | Major | Moderate | Minor | Insignificant
Almost Certain | E | E | E | E | H | H
Likely | E | E | E | H | H | M
Possible | E | E | E | H | M | L
Unlikely | E | E | H | M | L | L
Rare | E | H | H | M | L | L

Risk Level | Description
Extreme (E) | Will require detailed research and management planning at an executive/director level. Ongoing planning and monitoring will be required with regular reviews. Substantial adjustment of controls to manage the risk is expected, with costs possibly exceeding original forecasts.
High (H) | Requires management attention, but management and planning can be left to senior project or team leaders.
Ongoing planning and monitoring with regular reviews are likely, though adjustment of controls are likely to be met from within existing resources Medium (M).Can be managed by existing specific monitoring and response procedures Management by employees is suitable with appropriate monitoring and.reviews Low (L).Can be managed through routine procedures Document in Risk Register and Evaluate Risks Asset Threat/ Existing Likelihood Consequence Level of Risk Vulnerability Controls Risk Priority Internet Router Outside Hacker Admin Possible Moderate High 1 attack password only Destruction of Accidental Fire None (no Unlikely Major High 2 Data Center or Flood disaster recovery plan) Risk Treatment Risk Treatment Alternatives  Risk acceptance: accept risk (perhaps because of excessive cost of risk treatment)  Risk avoidance: do not proceed with the activity that causes the risk (loss of convenience)  Risk transfer: buy insurance; outsource  Reduce consequence: modify the uses of an asset to reduce risk impact (e.g., offsite backup)  Reduce likelihood: implement suitable controls Case Study: Silver Star Mines  Fictional operation of global mining company  Large IT infrastructure  bothcommon and specific software  some directly relates to health & safety  formerly isolated systems now networked  Decided on combined approach  Mining industry less risky end of spectrum  Management accepts moderate or low risk Assets  Reliability and integrity of SCADA nodes and net  Integrity of stored file and database information  Availability, integrity of financial system  Availability, integrity of procurement system  Availability, integrity of maintenance/production system  Availability, integrity and confidentiality of mail services Threats & Vulnerabilities  Unauthorized modification of control system  Corruption, theft, loss of info  Attacks/errors affecting procurement system  Attacks/errors affecting financial system  Attacks/errors affecting mail system  
Attacks/errors maintenance/production affecting system Risk Register Asset Threat/ Existing Likelihood Consequence Level of Risk Priority Vulnerability Controls Risk Reliability and integrity Unauthorized layered Rare Major High 1 of the SCADA nodes and modification of firewalls network control system & servers Integrity of stored file Corruption, firewall, Possible Major Extreme 2 and database theft, loss of policies information info Availability and Attacks/ errors firewall, Possible Moderate High 3 integrity of Financial affecting system policies System Availability and Attacks/ errors firewall, Possible Moderate High 4 integrity of affecting system policies Procurement System Availability and Attacks/ errors firewall, Possible Minor Medium 5 integrity of affecting system policies Maintenance/ Production System Availability, integrity Attacks/ errors firewall, Almost Minor High 6 and confidentiality of affecting system ext mail Certain mail services gateway Summary  Detailed need to perform risk assessment as part of IT security management process  Relevant security standards  Presented risk assessment alternatives  Detailed risk assessment process involves  Context including asset identification  Identify threats, vulnerabilities, risks  Analyse and evaluate risks  Silver Star Mines case study
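The matrix lookup and the register above, as an added worked example in Python (this is not code from the textbook or the slides). It encodes the likelihood and consequence scales and the E/H/M/L matrix exactly as the slides give them, re-derives the level column of the Silver Star Mines register from its likelihood and consequence columns to check it, flags the entries above the acceptance threshold the case study states (management accepts Medium or Low), and orders them for treatment. Two things are assumptions rather than content from the slides: the tie-break inside prioritise() (higher likelihood x consequence score first), and the shortened asset names in SILVER_STAR. The slides' own priority column reflects analyst judgement, which is why they rank the SCADA risk first although its matrix rating is only High; a pure matrix sort does not reproduce that.

```python
"""Qualitative risk rating with the slides' likelihood x consequence matrix.

Added example, not code from the textbook or slides. Register rows are
transcribed from the Silver Star Mines slides; the tie-break in prioritise()
is an assumption (the slides leave final priority to analyst judgement).
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Likelihood(IntEnum):
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5
    DOOMSDAY = 6


# One row per likelihood; columns run from Doomsday (left) to Insignificant (right).
_MATRIX = {
    Likelihood.ALMOST_CERTAIN: "EEEEHH",
    Likelihood.LIKELY:         "EEEHHM",
    Likelihood.POSSIBLE:       "EEEHML",
    Likelihood.UNLIKELY:       "EEHMLL",
    Likelihood.RARE:           "EHHMLL",
}
LEVEL_RANK = {"E": 4, "H": 3, "M": 2, "L": 1}


def risk_level(likelihood: Likelihood, consequence: Consequence) -> str:
    """E/H/M/L cell for the pair; Doomsday is column 0, Insignificant column 5."""
    return _MATRIX[likelihood][Consequence.DOOMSDAY - consequence]


@dataclass
class RegisterEntry:
    asset: str
    threat: str
    controls: str
    likelihood: Likelihood
    consequence: Consequence
    stated_level: Optional[str] = None  # level column as written in the register

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.consequence)


def check_stated_levels(entries: List[RegisterEntry]) -> List[RegisterEntry]:
    """Entries whose written level disagrees with the matrix: a level typed in
    by hand and not re-derived after a rating changed is a common register error."""
    return [e for e in entries if e.stated_level and e.stated_level != e.level]


def needs_treatment(entry: RegisterEntry, accept_up_to: str = "M") -> bool:
    """True when the rating exceeds what management accepts; Silver Star
    accepts Medium and Low, so High and Extreme must be treated."""
    return LEVEL_RANK[entry.level] > LEVEL_RANK[accept_up_to]


def prioritise(entries: List[RegisterEntry]) -> List[RegisterEntry]:
    """Highest level first, then (assumed tie-break) the higher likelihood x
    consequence score; the sort is stable for anything still tied."""
    return sorted(entries, reverse=True,
                  key=lambda e: (LEVEL_RANK[e.level], e.likelihood * e.consequence))


# Transcribed from the slides' Silver Star Mines risk register (asset names shortened).
SILVER_STAR = [
    RegisterEntry("SCADA nodes and network", "Unauthorized modification of control system",
                  "layered firewalls & servers", Likelihood.RARE, Consequence.MAJOR, "H"),
    RegisterEntry("Stored file and database information", "Corruption, theft, loss of info",
                  "firewall, policies", Likelihood.POSSIBLE, Consequence.MAJOR, "E"),
    RegisterEntry("Financial system", "Attacks/errors affecting system",
                  "firewall, policies", Likelihood.POSSIBLE, Consequence.MODERATE, "H"),
    RegisterEntry("Procurement system", "Attacks/errors affecting system",
                  "firewall, policies", Likelihood.POSSIBLE, Consequence.MODERATE, "H"),
    RegisterEntry("Maintenance/production system", "Attacks/errors affecting system",
                  "firewall, policies", Likelihood.POSSIBLE, Consequence.MINOR, "M"),
    RegisterEntry("Mail services", "Attacks/errors affecting system",
                  "firewall, ext mail gateway", Likelihood.ALMOST_CERTAIN, Consequence.MINOR, "H"),
]

if __name__ == "__main__":
    assert not check_stated_levels(SILVER_STAR), "level column disagrees with the matrix"
    for rank, e in enumerate(prioritise(SILVER_STAR), start=1):
        action = "treat" if needs_treatment(e) else "accept"
        print(f"{rank}  {e.level}  {action:<7} {e.asset}")
```

The check_stated_levels pass is worth running on any register before treatment decisions are made: the level column is often filled in by hand, and a mismatch against the matrix usually means a likelihood or consequence rating was revised without the level being re-derived. Raising accept_up_to to "H" or lowering it to "L" shows how the treatment workload shifts with the organisation's stated appetite.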
