Page 1:

Risk Analysis (RA) and Security Planning

The slides are derived from John Carpenter’s notes

Page 2:

Risk Analysis (RA) and Security Planning

- Risk Analysis (RA)
- Benefits of Risk Analysis
- Some Homely Examples
- Steps to Complete a RA
- Security Planning
- Content of a Security Plan

Pfleeger (2ed) Ch 10.4, 10.5, 10.6
Pfleeger (3ed) Ch 8.1, 8.2, 8.3

Page 3:

Computer Security and Industries

Company’s computer systems

- Business partners (customers, competitors, suppliers, etc.)
- Hackers, investigators, reporters, etc.
- Government and private intelligence communities
- Internal threats (dishonest employees, software failures, etc.)

Page 4:

Security facts – believe it or not!

- Bank robbery through computers
- Industrial espionage on corporate information
- Loss of individual privacy (files, emails, chats, video conferencing, ...)
- Information vandalism (destroy backup, delete files, vandalise web pages, …)
- Computer viruses

(more can be found in “comp.risks” and other websites)

Page 5:

Is Computer Threat Real?

1997 survey of 61 large companies that had firewalls (site had > 1000 PCs & Internet servers):

- 44% reported probes by outsiders
- 23% IP spoofing (used to break in to hosts on the Internet)
- 10% email bombs
- 8% denial of service attacks
- 8% sendmail probes
- 89% reported that the firewall responded adequately

Internet sources

Page 6:

Computer Threat

Computer Security Institute/FBI Survey

- 35% annual increases in data sabotage incidents from 1997 to 1999
- 25% annual increases in financial fraud perpetrated on-line
- Abuse of network access increased over 20%, resulting in losses of $8 million
- Security breaches caused US$15 billion in losses in 2000

Internet sources

Page 7:

Other Surveys

Poll of 1,400 companies with > 100 employees:

- About 90% are confident with their firm’s network security
- But 50% failed to report break-ins
- 58% increased spending on security

1997-2001, Fortune firms lost US$45 billion; high-tech firms most vulnerable

Internet sources

Page 8:

Risk Analysis

(Diagram with the elements: Assets, Threats, Vulnerabilities, Risks, Analysis, Management, Counter Measures)

Page 9:

Risk Analysis (RA-1)

A study of the risk that a business or system is subject to.

A process to determine exposure and potential loss.

RISK: the probability that a specific threat will successfully exploit a vulnerability causing a loss.

Page 10:

Risk Analysis (RA-2)

Suppose an event is associated with a loss; this loss is the risk impact (sometimes simply called risk), measured in $’s.

There is a probability (risk probability) of occurrence, a number in the range 0 (if not possible) to 1 (if certain).

Risk exposure is the $ amount:
Risk-exposure = Risk-impact x Risk-probability

As things change, so can these values (!)

Page 11:

Risk Analysis (RA-3)

For risk analysis: RISK = LOSS ($) x PROBABILITY

Usually measured as $ per annum. Expressed as Annual Loss Expectancy (ALE), expressed as $ per annum.

By quantifying the risk, we can justify the benefit of spending money to implement controls.

Page 12:

Benefits of Risk Analysis

- Improved awareness by users and management
- Documentation of assets and their vulnerabilities and possible controls
- Provides an accountable basis for decision making
- Provides accountable justification for expenditure on counter measures

Page 13:

Example (1)

Hard Disk Failure on your PC

- Hard disks fail about every three years; probability of failure is 1/3 per year
- Intrinsic cost say $600 – to buy a new disk
- But also, say 10 hours of your effort to reload O/sys and software, and say 4 hours to re-key assignments from last backup.
- Assume $10.00 per hour for your effort

Total loss = $600 + 10 x (10 + 4) = $740

Annual loss expectancy = (740 x 1/3) $pa = $246.66 pa

Page 14:

Example (2)

What about a virus attack on the same system?

You frequently swap stuff with other people, but have no anti-viral software running.

- Assume an attack every 6 months; probability is 2 per annum
- No need to buy a new disk
- Assume the same rebuild effort = (10 + 4) hours

Total loss = 10 x (10 + 4) = $140

ALE = (140 x 2) $pa = $280 pa

Page 15:

Steps to Complete a RA

- List the Assets
- Determine their value, including costs of recreating data files
- Vulnerabilities
- Probability of Loss
- Computation
- Possible Controls
- Cost of Applied Controls
- Cost/Benefit

Page 16:

Assets and their value

Asset Valuation Worksheet

Asset: (name, serial number)

Asset Intrinsic value: $
  Which value is the intrinsic value? physical, insured, depreciated, replacement value, or

Asset Acquired value: which includes the cost of the loss of:
  Integrity $
  Availability $
  Confidentiality $

Page 17:

Valuations

Work quickly, using scale values (1, 10, 100, 100 or 1, 2, 5, 10, 20, 50, 100, 200, 500, 1000 etc) or use scale (1 to 5) or low, medium or high scales.

Completeness is most important: ALL the assets and ALL the acquired values, and cost of loss of acquired values.

Let others argue over the detail and accuracy.

Page 18:

DSTO Model

This DSTO paper provides guidelines for assessing information security risk within a computer system. This risk is primarily a function of:

- the sensitivity of the information to be processed;
- the architecture of the computer system; and
- the clearance levels of the system’s users.

Page 19:

DSTO Model

The DSTO Risk Analysis model is primarily directed at accidental and deliberate actions by authorised users. It is also possible to include deliberate acts by unauthorised users, however in a number of Defence installations, physical and administrative security safeguards are used to counter these threats.

Page 20:

Vulnerabilities

A vulnerability is a weakness. The way things work indicates the ways they are likely to fail:

- Computers need electricity, so they are vulnerable to power failures
- Hard disks are easy to overwrite, so they are vulnerable to being inappropriately overwritten

Page 21:

Probability of Loss

Not directly computable, but either:

- apply frequency probability by using observed data for a specific system, or
- estimate (by an expert based on his knowledge) the number of occurrences of each security breach in a given time period.

Page 22:

Compute the expected loss

For each asset,

(total) risk = Σ(risks) = Sum(risks) = Sum(Loss x Probability per annum) $pa

For ALL assets we can derive a total sum, the Annual Loss Expectancy, $ per annum

Price-Waterhouse study: For Australian organisations with no security plan in place, 8% of turnover is lost each year (!)

Page 23:

Making sense?

REALITY CHECK: If a company is still in business, the Annual Loss Expectancy (ALE) has to be a lot less than the annual turnover
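The ALE arithmetic on pages 10, 11, 13, 14, 22 and 23, carried through as an added example (this is not code from the slides or from John Carpenter’s notes). It reproduces the hard-disk and virus examples, sums the risks per asset and across all assets, and applies the reality check from page 23. One caveat worth noticing: the slides call the 1/3 and the 2 a "probability", but a value of 2 is not a probability in [0, 1]; it is an expected number of occurrences per year, and the code names it that way. The turnover figure and the use of the 8%-of-turnover figure as the "a lot less" threshold are assumptions made for this example.

```python
"""Annual Loss Expectancy (ALE) worked through in code.

Added example, not from the slides. It reproduces the two slide examples
(hard disk failure, virus attack), the per-asset and all-asset summation,
and the reality check against annual turnover. All loss figures are the
slides' own; the turnover and the 8% threshold are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

HOURLY_RATE = 10.00  # $ per hour of your effort, as assumed on the slides


@dataclass
class Risk:
    """One threat/vulnerability pairing against an asset."""
    name: str
    loss: float        # single-occurrence loss in $ (the slides' LOSS / risk impact)
    per_annum: float   # expected occurrences per year (the slides' "PROBABILITY";
                       # really an annual rate: 1/3 for the disk, 2 for the virus)

    def ale(self) -> float:
        """Annual Loss Expectancy = LOSS ($) x PROBABILITY (per annum), in $pa."""
        return self.loss * self.per_annum


@dataclass
class Asset:
    name: str
    risks: List[Risk] = field(default_factory=list)

    def total_risk(self) -> float:
        """(total) risk = Sum(Loss x Probability per annum) $pa, for one asset."""
        return sum(r.ale() for r in self.risks)


def rebuild_loss(intrinsic: float, reload_hours: float, rekey_hours: float,
                 hourly_rate: float = HOURLY_RATE) -> float:
    """Total loss = intrinsic cost + hourly rate x (reload + re-key hours)."""
    return intrinsic + hourly_rate * (reload_hours + rekey_hours)


def annual_loss_expectancy(assets: List[Asset]) -> float:
    """For ALL assets: the total sum, the Annual Loss Expectancy in $ per annum."""
    return sum(a.total_risk() for a in assets)


def reality_check(ale: float, annual_turnover: float, max_fraction: float = 0.08) -> bool:
    """Page 23: if the company is still in business, ALE has to be a lot less
    than annual turnover. The 8%-of-turnover figure quoted on page 22 is used
    here as the threshold; that choice is an assumption of this example."""
    return ale < max_fraction * annual_turnover


def slide_examples() -> Asset:
    """Build the slides' PC with both worked risks attached."""
    pc = Asset("your PC")
    # Example (1): disk fails about every three years -> 1/3 per year, $740 per failure
    disk_loss = rebuild_loss(intrinsic=600, reload_hours=10, rekey_hours=4)
    pc.risks.append(Risk("hard disk failure", disk_loss, 1 / 3))
    # Example (2): virus every 6 months -> 2 per annum, no new disk, $140 per attack
    virus_loss = rebuild_loss(intrinsic=0, reload_hours=10, rekey_hours=4)
    pc.risks.append(Risk("virus attack", virus_loss, 2))
    return pc


if __name__ == "__main__":
    pc = slide_examples()
    for r in pc.risks:
        print(f"{r.name:20s} loss ${r.loss:8.2f} x {r.per_annum:.3f}/yr = ${r.ale():8.2f} pa")
    total = annual_loss_expectancy([pc])
    print(f"ALE for all assets: ${total:.2f} pa")
    # Constructed turnover figure, only to exercise the reality check
    print("passes reality check:", reality_check(total, annual_turnover=50_000))
```

The per-asset total is the page 22 sum over that asset's risks; the all-asset total is the organisation's ALE. Because the rate and the loss are estimates (page 21), the useful output is the ranking of risks and the order of magnitude, not the cents in $246.66.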

Page 24:

Possible Controls

Match each vulnerability with at least one appropriate security technique.

Use the expected loss estimate to decide which controls, alone or in concert with others, are the most effective for a given situation.

Example: Risk of losing data

- several controls – such as periodic backups, redundant data storage, access control to prevent unauthorised deletion, physical security from stealing disks, program development standards to limit the effect of programs on the data.
- Probably periodic backup may override redundant data storage on cost and operational considerations.

Page 25:

Cost of Applying Controls

Actual cost of a control includes:
- software purchase price
- installation cost
- training cost

Effective cost of a control = actual cost – any expected loss from using the control (such as admin or maintenance costs)

e.g.:
- Cost to reconstruct data: $1M at 10% probability of loss = $100K
- Effectiveness of access control software: (say) 60% = $60K
- Cost of the access control software = $25K
- Expected annual cost due to loss and controls = (40 + 25) = $65K
- Effective cost of the control (100 – 65) = -$35K

Note that the effective cost of a control can be positive (when the control is expensive to administer or introduces new risks in another area) or negative (when the reduction in risk is greater than the cost of the control).
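The cost/benefit step from pages 24 and 25 as an added example (not code from the slides). It reproduces the $1M-at-10% figures and then ranks candidate controls by their effective cost, which is how page 24 says the expected-loss estimate should be used to choose among controls. The sign convention is the slide's: effective cost = expected annual cost with the control minus the exposure without it, so a negative number means the control saves more than it costs. The second control ("redundant data storage") and its figures are constructed for the comparison and are not from the slides.

```python
"""Effective cost of a control and ranking of candidate controls.

Added example following the worked figures on page 25. The access control
software figures are the slide's; the redundant storage control is a
constructed comparison case.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Control:
    name: str
    annual_cost: float     # purchase + installation + training (+ admin/maintenance)
    effectiveness: float   # fraction of the expected loss the control removes, 0..1

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")


def expected_loss(loss_if_it_happens: float, probability: float) -> float:
    """Expected annual loss with no control in place: e.g. $1M at 10% = $100K."""
    return loss_if_it_happens * probability


def residual_loss(exposure: float, control: Control) -> float:
    """Expected loss that remains after the control: exposure x (1 - effectiveness).
    With 60% effectiveness on $100K this is the slide's $40K."""
    return exposure * (1.0 - control.effectiveness)


def expected_annual_cost(exposure: float, control: Control) -> float:
    """Expected annual cost due to loss and controls: residual loss + control cost
    (the slide's 40 + 25 = $65K)."""
    return residual_loss(exposure, control) + control.annual_cost


def effective_cost(exposure: float, control: Control) -> float:
    """Effective cost of the control = expected annual cost with it - exposure without it.
    Negative means the reduction in risk is greater than the cost of the control
    (the slide's -$35K); positive means the control costs more than it saves."""
    return expected_annual_cost(exposure, control) - exposure


def rank_controls(exposure: float, controls: List[Control]) -> List[Control]:
    """Order candidate controls by effective cost, best (most negative) first.
    Controls with a positive effective cost are kept in the list so the caller
    can see that they are not justified on this basis."""
    return sorted(controls, key=lambda c: effective_cost(exposure, c))


if __name__ == "__main__":
    exposure = expected_loss(loss_if_it_happens=1_000_000, probability=0.10)
    candidates = [
        Control("access control software", annual_cost=25_000, effectiveness=0.60),
        # constructed comparison case, not from the slides
        Control("redundant data storage", annual_cost=70_000, effectiveness=0.80),
    ]
    print(f"exposure without controls: ${exposure:,.0f} pa")
    for c in rank_controls(exposure, candidates):
        print(f"{c.name:24s} residual ${residual_loss(exposure, c):>9,.0f}"
              f"  annual ${expected_annual_cost(exposure, c):>9,.0f}"
              f"  effective ${effective_cost(exposure, c):>+10,.0f}")
```

The ranking makes the page 24 point concrete: the more effective control (80%) loses to the cheaper one once its own cost is counted, which is the "cost and operational considerations" trade-off the slide describes for periodic backup versus redundant storage. A control that came out with a positive effective cost would be a candidate to drop, or to reconsider if it introduces new risks elsewhere, as the page 25 note warns.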

Page 26:

But

Convenience (services) = 1 / Security controls

Controls are not inherently desirable; most of them either cost money, impair function, reduce performance, degrade usability or maintainability, or some combination of these.

Page 27:

Some Criticisms of Risk Analysis

Although many large organisations use RA, there are some criticisms of both the idea and the methods of RA.

- It may not appear sensible to talk of a probable loss of a specific number of dollars; only when the loss occurs will we know how much it costs to fix, and bringing that cost to a one-year base is artificial.
- There is so much uncertainty in the method of calculation that any numerical figure is meaningless.

However, Risk Management is seen as a valid undertaking, and using figures to attempt to quantify risk does give us an accountable basis for spending resources on controls.

Page 28:

Security Planning

Page 29:

Security Plan

A document that describes how an organisation will address its security needs.

As the needs of the organisation evolve, ongoing review and revision of the security plan is important.

- Everything we see is transient (Buddha)
- Mission, Strategy, Tactics, Personnel, Environment can all change
- An effective security plan is a living document.

Page 30:

Content of a Security Plan (1)

- Policy
- Current Situation
- Requirements
- Recommendations
- Accountable Personnel
- Plans and Schedules
- Evaluation and Review

Page 31:

Policy

Policy (what are we on about):
- State goals
- State responsibilities - who is responsible for what
- State resources to be committed

To answer the question “Who can access What resources in What manner”

Page 32:

Current Situation

- Present the Risk Analysis and assumptions
- May need the ‘latest’ status, including who is responsible for what
- Comment on the status of current controls

Page 33:

Requirements

What should be accomplished, not how to do it.

We seek:
- Completeness
- Consistency
- Correctness

(as for all types of Requirements analysis)

Page 34:

Recommendations

From the Risk Analysis, at least consider:
- greatest risk
- largest potential loss
- loss of greatest frequency

Identify controls; comment on status of existing controls:
- which to maintain?
- which to enhance?