CS 564AR Lecture 11 Fall 05



  • 8/13/2019 CS 564AR Lecture 11 Fall 05


CS 564 Software Requirements Engineering, Lecture 11
Professor Larry Bernstein

    End Game:

November 30: Lecture 11

December 7: Lecture 12

December 14: Final Exam

Please study all handouts, as they supplement the material in the prerelease of the textbook I gave you.

Risk Analysis
Risk evaluation with discounted cash flow analysis

Consider this product with three phases:

Phase 1: R&D, $18M / year for 2 years; probability of success at the end: 60%
Phase 2: Market Development, $10M / year for 2 years, starting in the second year
Phase 3: Sales, possible scenarios, starting in year 4:
  1. $24M / year for 20 years (probability = .3)
  2. $12M / year for 10 years (probability = .5)
  3. Abandon the product (probability = .2)

Cash flow for this product (expected values; the Year 3 market-development spend and all sales are conditional on R&D succeeding):
Year 1: -$18M
Year 2: -$28M
Year 3: .6 × -$10M
Year 4-13: (.6 × .3 × $24M) + (.6 × .5 × $12M)
Year 14-23: .6 × .3 × $24M

To discount the cash flow, compute today's value of future money by using this formula:

NPV = CF / (1 + IR)^n

CF = cash flow in year n, IR = interest (discount) rate, n = number of years

Example: Year 2: the cash flow is -$28M; discounted at a 3% interest rate it is -$28M / (1.03)^2 ≈ -$26.4M (at 2% it would be -$26.9M).

To get an idea of what the project is worth, discount the cash flows for each year and add them together.
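The following is an added worked example, not code from the lecture: it builds the expected cash-flow table above from the slide's figures (R&D $18M/year in years 1-2, market development $10M/year in years 2-3, P(R&D success) = 0.6, the three sales scenarios from year 4), discounts each year with NPV = CF / (1 + IR)^n, and sums the result. The internal-rate-of-return routine is an assumption added for the "Rate of return" slide, whose content is not reproduced here; it simply bisects for the rate at which NPV is zero.

```python
"""Discounted cash flow for the three-phase product on the slide.

Added example, not the lecture's own code. Amounts are in $M; negative
values are spend. Year-3 market development is spent only if R&D
succeeded, which is why the slide multiplies it by .6."""

P_SUCCESS = 0.6                 # probability that R&D succeeds at the end of phase 1
RD_PER_YEAR = 18.0              # $M, years 1-2
MARKET_DEV_PER_YEAR = 10.0      # $M, years 2-3
FIRST_SALES_YEAR = 4
SCENARIOS = [                   # (annual sales $M, duration in years, probability)
    (24.0, 20, 0.3),
    (12.0, 10, 0.5),
    (0.0, 0, 0.2),              # abandon the product
]


def discount(cash_flow: float, rate: float, year: int) -> float:
    """Present value of one cash flow at the end of `year`: CF / (1 + IR)^n."""
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100%")
    return cash_flow / (1.0 + rate) ** year


def expected_cash_flows() -> dict[int, float]:
    """Probability-weighted cash flow for each year, as in the slide's table."""
    total_p = sum(p for _, _, p in SCENARIOS)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"scenario probabilities sum to {total_p}, not 1")
    flows = {
        1: -RD_PER_YEAR,
        2: -RD_PER_YEAR - MARKET_DEV_PER_YEAR,
        3: -P_SUCCESS * MARKET_DEV_PER_YEAR,   # spent only if R&D succeeded
    }
    for sales, years, prob in SCENARIOS:
        for year in range(FIRST_SALES_YEAR, FIRST_SALES_YEAR + years):
            flows[year] = flows.get(year, 0.0) + P_SUCCESS * prob * sales
    return flows


def npv(flows: dict[int, float], rate: float) -> float:
    """What the project is worth today: the sum of each year's discounted cash flow."""
    return sum(discount(cf, rate, year) for year, cf in flows.items())


def internal_rate_of_return(flows, lo: float = 0.0, hi: float = 1.0, tol: float = 1e-7) -> float:
    """Rate at which NPV is zero, found by bisection between `lo` and `hi` (assumed addition)."""
    npv_lo, npv_hi = npv(flows, lo), npv(flows, hi)
    if npv_lo * npv_hi > 0:
        raise ValueError("NPV has the same sign at both ends of the bracket")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if npv(flows, mid) * npv_lo > 0:
            lo = mid            # same sign as the low end: the root lies above mid
        else:
            hi = mid
    return (lo + hi) / 2.0


if __name__ == "__main__":
    flows = expected_cash_flows()
    for year in sorted(flows):
        pv = discount(flows[year], 0.03, year)
        print(f"year {year:2d}: cash flow {flows[year]:7.2f}  PV at 3% {pv:7.2f}")
    print(f"NPV at 3%: {npv(flows, 0.03):.2f} $M")
    print(f"IRR: {internal_rate_of_return(flows):.1%}")
```

The expected-value table hides the variance between scenarios: a project with a positive expected NPV can still lose $52M outright with probability .4 (R&D fails) plus .6 × .2 (abandonment). When the decision hinges on that, run npv() per scenario rather than on the weighted table.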

Rate of return:

1. Excessive Schedule Pressure (65% of projects)
2. Management Malpractice
3. Inaccurate and Inadequate Metrics
4. Poor Cost Estimates
5. Silver Bullet Syndrome
6. Creeping Features
7. Quality
8. Size

Risk Do's and Don'ts

- Don't overestimate the risks: too much contingency planning.
- Don't underestimate the risks: it leads to panic management later.
- Don't look for scapegoats.
- Do deal only with the top 10 priorities; as they get solved, add to the list.

Quantitative Computation


P(E) = m / n
P = probability, m = favorable events, n = total events

Risk = 1 - P(E)

Risk Exposure = Risk × Costs

The Spiral Model requires a risk analysis after the prototype (1st cycle).

Risk Management for IT Security

Rick Kazman, Dan Port, Information Technology Management, University of Hawaii
David Klappholz, Computer Science, Stevens Institute of Technology

1. Introduction
  1.1 Security Risk Assessment
  1.2 IT Security Risk Control
  1.3 Risk Management in Practice
2. Risk Assessment Methodologies
  2.1 OCTAVE
  2.2 SRMD
  2.3 FRAP
  2.4 Quantitative versus Qualitative Approaches
3. Management of Information Security Standards
  3.1 TCSEC, ITSEC, CTCPEC, Common Criteria, and ISO 15408
  3.2 BS 7799, ISO 17799, and ISO TR 13335 (GMITS)
  3.3 HIPAA
  3.4 SSE-CMM, and ISO/IEC 21827
  3.5 NIST Guidance Documents
4. Risk Models
  4.1 Definitions
  4.2 Strategic Risk Models
  4.3 Strategic Risk Management Methods
  4.4 The Need for Strategic Risk Management Methods
5. Practical Strategic Risk Models
  5.1 Multitechnique Strategic Methods
  5.2 Strategic Decision Making and Competing Risks
  5.3 Risk of Delay
  5.4 Balancing Competing Risks for Strategic Planning
  5.5 Unsuitable Sweet Spots
6. Practical Risk …


Key words: risk, security risk, risk assessment, risk control, risk management, risk exposure, strategic methods

Abstract: Dealing with risk is critical to the success of any engineering or business endeavor. Considering the nature of IT and considering recent events, this is especially true in the case of risks to IT security. We define the various notions associated with the assessment and management of risk in general and of IT security risk in particular, and provide both concrete examples of IT security risks and categorizations of well-known risks. We also review the various IT guidelines and standards that have IT security risk as major components. Finally, we detail approaches to dealing with IT security risk, with an emphasis on strategic approaches.

    1. INTRODUCTION

According to [Carr93], risks must be managed, and risk management must be part of any mature organization's overall management practices and management structure. The primary activities identified by [Carr93] for managing risk are:

- Identify: risks must first be identified before they can be managed.
- Analyze: risks must be analyzed so that management can make prudent decisions about them.
- Plan: for information about a risk to be turned into action, a detailed plan, outlining both present and potential future actions, must be created. These actions may mitigate the risk, avoid the risk, or even accept the risk.
- Track: risks, whether they have been acted upon or not, must be tracked, so that management can continue to exercise diligence.
- Control: even if a risk has been identified and addressed, it must be continually controlled, to monitor for any deviations.

The key activity tying all of these together is assessment. Assessment is considered central to the risk management process, underlying all of the other activities.

For the purposes of exposition, we will follow the generic risk taxonomy shown in Figure 1¹ [Boehm91]. In this taxonomy the activity of risk management has two major sub-activities: risk assessment and risk control. Risk assessment is further divided into risk identification, risk analysis, and risk prioritization. Risk control is divided into risk management planning, risk resolution, and risk monitoring. While we will broadly discuss several areas of risk management, our focus in this chapter is primarily on risk assessment, as it applies to IT security. Assessment is the starting point and forms the fundamental basis for all risk management activities. Many risk assessment methods and techniques have directly analogous application to risk control. In such cases we will note that this is the case without elaboration.

The terminology used in the field of risk management varies somewhat among the different business and engineering areas in which it is used (e.g. see [Carr93, Hall98, Boehm91]). It even varies among writers in the field of IT security risk management. The generic risk management concepts that we have just introduced were created for software development (of which security is one attribute). The reader familiar with other works on IT security risk management should have little trouble seeing the direct applications. In this section we will define terms informally with examples; in later sections, we will formalize these definitions.

Although most people are unaware that they're doing it, we all engage in risk management on a daily basis. Consider, as an example, a decision, on the way out the door, on whether to stuff an umbrella into an uncomfortably heavy bag that will be taken on a thirty-minute train ride, followed by a ten-minute walk² to the office. The decision is based on a quick, often almost unconscious, assessment of the risks involved and a decision on how to control them.

¹ In Figure 1, for application to security the examples listed for Risk Analysis might include "Security Models, Threat Analysis, and Vulnerability Factor Analysis".


Figure 1: Boehm's Risk Management Taxonomy

On the one hand, there's the probability that the rain predicted by the TV forecaster will actually materialize, that it will be in progress during the drive to the train station and/or during the walk, and, if all goes as badly as it might, of the damage it would cause, from the point of view of both walking in drenched clothing and, possibly, losing work time during the drying-out period. Balanced against all of this, on the other hand, is the discomfort of carrying the extra weight, of the possibility of the precariously-situated umbrella's dropping out of the bag and, as it did last week, causing a spillage of hot carry-out coffee during the effort to pick it up. An additional consideration is the probability that carrying the umbrella will solve the problem, a consideration that depends upon the expected strength of prevailing winds; if the wind proves to be too strong, the umbrella will provide no relief from the rain. An alternative possibility to consider, assuming it's an option, is to work at home all morning and to go to the office only after the rain, or its un-materialized threat, has abated.

² This example, as well as a number of others in this section, is taken, albeit with considerably more detail, from [

1.1 Security Risk Assessment

In its typical definition, IT security involves protection of the confidentiality, integrity, and availability of data/information critical to the success of a business or government organization.


The terms threat, threat source, vulnerability, impact, and risk exposure are in common use in the field of IT security risk assessment. Their application to the trip-to-work scenario is as follows:

- the threat, or threat source, is the onset of rain, at a sufficiently strong level, during an exposed part of the trip to work
- the vulnerability is the fact that the person involved will get drenched if the threat materializes and the person has no form of shelter (e.g. an umbrella)
- the impact is the damage, measured in terms of discomfort and, possibly, of loss of productivity or even health, that will occur if the threat materializes
- the risk exposure is an assessment, on either a numerical, perhaps monetary, scale or an ordinal scale (e.g., low, medium, or high) of the expected magnitude of the loss given the threat, the vulnerability to it, and its impact, should the threat materialize. In this example the risk exposure might change if the person is wearing a water-resistant coat.

The first step in risk assessment is risk identification, i.e., identification of potential threats, of vulnerabilities to those threats, and of impacts that would result should they materialize, all of which we've already done for the scenario under discussion.

In the trip-to-work scenario, we are concerned with such intangibles as the threat of rain, the vulnerability of getting drenched, and the impact of discomfort, and with such tangibles as umbrellas. In the field of IT security, we are concerned with systems that store, process, and transmit data/information. Information systems are sometimes localized, and sometimes widely distributed; they involve computer hardware and software, as well as other physical and human assets. Tangibles include the various sorts of equipment and media, and the sites in which they and staff are housed. Intangibles include such notions as organizational reputation, opportunity or loss of same, productivity or loss of same, etc.

Threat sources are of at least three varieties: natural, human, and environmental. Examples are:

- natural: electrical storms, monsoons, hurricanes, tornadoes, floods, avalanches, volcanic eruptions
- human: incorrect data entry (unintentional), forgetting to lock a door (unintentional), failure to lock a door to enable a confederate to enter after hours (intentional), denial of service attack (intentional), creation and propagation of viruses (intentional)
- environmental: failure of a roof or wall due to use of bad construction materials, seepage of toxic chemicals through a ceiling, power outage

Vulnerabilities have various sources, including technical failings such as those reported in the public and professional presses on a daily basis.³ Fred Cohen provides an excellent, extensive taxonomy of threats and vulnerabilities in his Security Database [Cohen04]. One unique aspect of this database is that the threats (or causes) are cross-referenced against the attack mechanisms to provide a linkage between the cause and the mechanisms used. The attack mechanisms are also cross-referenced against the defence mechanisms to indicate which mechanisms might be effective in some circumstances against those attack mechanisms.

³ A compilation of technical threats may be found at http://icat.nist.gov or http://www.cert.org

The second step in risk assessment is risk analysis, i.e., estimation and calculation of the risk likelihoods (i.e. probabilities), magnitudes, impacts and dependencies. This is easy in the case of monetary impacts arising from threat-vulnerability pairs whose probability of materializing can reasonably be computed, but considerably harder in most other cases. Special care must be taken when assigning the likelihoods, as the quality of the whole risk assessment is strongly dependent on the accuracy and realism of the assigned probabilities.

The final step in risk assessment is risk prioritization, that is, prioritizing all risks with respect to the organization's relative exposures to them. It is typically necessary to utilize techniques that enable risk comparison, such as calculating risk exposure in terms of potential loss. In the trip-to-work scenario, risks other than the one discussed above might include the risks associated with not buckling the seat belt during the drive to the station, the risk of an accident during the drive, the risk of missing the train, etc. A meticulous person, one who always leaves the house earlier than necessary and who is very conscious of taking safety precautions, will likely rate these new risks as having far lower exposures than the rain risk; a less meticulous person might do otherwise. In a highly-simplified version of a business situation, three threats might be volcanic eruption, late delivery of raw materials, and embezzlement. An organization located in Chicago would likely assign a lower priority to volcanic eruption than would one in south-western Washington; an organization whose suppliers have never before been late would likely assign a lower priority to late delivery than would an organization using a supplier for the first time. Be aware that there may be threats or vulnerabilities you have not included in your analysis. For this reason, you should draw upon the experiences of others to help build a library of threats and vulnerabilities.

    1.2 IT Security Risk Control

During the risk control phase of the risk management process, we are concerned with safeguards, also known as controls. Safeguards fit into at least three categories: technical, management, and operational, with examples as follows:

- technical: authentication (prevention), authorization (prevention), access control (prevention), intrusion detection (detection), audit (detection), automatic backup (recovery), etc.
- management: assignment of guards to critical venues (prevention), institution of user account initiation and termination procedures (prevention), institution of a need-to-know data access policy (prevention), institution of a periodic risk re-assessment policy (prevention), institution of organization-wide security training (prevention and detection), etc.


- operational: secure network hardware from access by any but authorized network administrators and/or service personnel (prevention), bolt desktop PCs to desks (prevention), screen outsiders before permitting entry (prevention), set up and monitor motion alarms, sensors, and closed-circuit TV (detection of physical threats), set up and monitor smoke detectors, gas detectors, fire alarms (detection of environmental threats)

In the trip-to-work scenario, the safeguard that we have considered has a (fairly low-tech) technical component, i.e., the umbrella, and an operational component, i.e., carrying the umbrella. An alternative operational safeguard would be to work at home all morning, if that's an option, and to go to the office only after the rain, or the threat of rain, has abated.

During the risk control phase of the risk management process, we

- consider alternative individual safeguards and/or complexes of safeguards that might be used to eliminate/reduce/mitigate exposures to the various identified, analyzed, and prioritized threats (risk management planning)
- perform the cost-benefit analysis required to decide which specific safeguards to employ, and institute the relevant safeguards (risk resolution)
- institute a process for the continuous monitoring of the IT security situation to detect and resolve problems as they arise, and to decide, where and when necessary, to update or change the system of safeguards (risk monitoring)

In business and government organizations, there may be many alternative possible safeguards, including different vendors' hardware and/or software solutions to a particular threat or cluster of threats, alternative management or procedural safeguards, and alternative combinations of technical, management, and procedural safeguards. Complicating matters is the likelihood that different combinations of safeguards address different, overlapping, clusters of threats.

Risk resolution begins with the cost-benefit analysis of the various possible safeguards and controls in lowering, to an acceptable level, the assessed risk exposures resulting from the various identified threats, vulnerabilities, and the attendant impacts. Just as we had to consider threats, vulnerabilities, and impacts during risk assessment, we must consider safeguards, their costs, and their efficacies during risk resolution. In the trip-to-work scenario, the marginal cost of the technical component of the umbrella-carrying safeguard is likely nil, as most people already own umbrellas; the operational cost is the discomfort of carrying a heavier bag. Even in this simple example, the safeguard's efficacy must be considered. For example, if the wind proves to be too strong, the umbrella will not effectively reduce the exposure.
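The following is an added example, not code from the lecture or the chapter. It implements the lecture's Risk Exposure = Risk × Costs formula for the prioritization step of Section 1.1, on both the numeric (probability × monetary loss) and the ordinal (low/medium/high) scales the chapter describes, and the cost-benefit comparison of safeguards from risk resolution in Section 1.2. Two things are assumptions: the safeguard comparison uses Boehm's risk reduction leverage, (RE before − RE after) / safeguard cost, which the chapter cites [Boehm91] but does not define; and the register figures for the chapter's Chicago example (volcanic eruption, late delivery, embezzlement) are constructed for illustration.

```python
"""Risk exposure, prioritization and safeguard cost-benefit (added example).

RE = likelihood x impact is the lecture's formula. Ordinal labels are
mapped to ranks so that a low/medium/high register can still be ordered;
numeric and ordinal registers are never compared with each other."""
from dataclasses import dataclass
from typing import Union

# Ordinal scale from the chapter (low / medium / high), mapped to ranks.
ORDINAL = {"low": 1, "medium": 2, "high": 3}

Level = Union[float, str]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: Level   # probability in [0, 1] or "low"/"medium"/"high"
    impact: Level       # loss (e.g. dollars) or "low"/"medium"/"high"


def _value(level: Level) -> float:
    """Map an ordinal label to its rank; pass a non-negative number through."""
    if isinstance(level, str):
        try:
            return float(ORDINAL[level.lower()])
        except KeyError:
            raise ValueError(f"unknown ordinal level: {level!r}") from None
    if isinstance(level, bool) or level < 0:
        raise ValueError(f"negative or boolean level: {level!r}")
    return float(level)


def is_ordinal(risk: Risk) -> bool:
    return isinstance(risk.likelihood, str) or isinstance(risk.impact, str)


def risk_exposure(risk: Risk) -> float:
    """RE = likelihood x impact. Numeric inputs give an expected loss in the
    impact's units; ordinal inputs give a rank score between 1 and 9."""
    return _value(risk.likelihood) * _value(risk.impact)


def prioritize(risks):
    """Sort risks by exposure, highest first. Refuses to mix registers:
    a rank score of 6 is not comparable to an expected loss of $6."""
    kinds = {is_ordinal(r) for r in risks}
    if len(kinds) > 1:
        raise ValueError("numeric and ordinal risks cannot be ranked together")
    return sorted(risks, key=risk_exposure, reverse=True)


def risk_reduction_leverage(re_before: float, re_after: float, cost: float) -> float:
    """Boehm's RRL (assumed, not defined in the chapter): exposure removed
    per unit of safeguard cost. Higher is a better buy."""
    if cost <= 0:
        raise ValueError("safeguard cost must be positive")
    return (re_before - re_after) / cost


# Constructed register for the chapter's Chicago firm; figures are illustrative.
CHICAGO = [
    Risk("volcanic eruption", 1e-6, 50_000_000),
    Risk("late raw-material delivery", 0.10, 400_000),
    Risk("embezzlement", 0.05, 2_000_000),
]

# The same threats on the ordinal scale (also constructed).
ORDINAL_REGISTER = [
    Risk("volcanic eruption", "low", "high"),
    Risk("late raw-material delivery", "medium", "medium"),
    Risk("embezzlement", "medium", "high"),
]

if __name__ == "__main__":
    for r in prioritize(CHICAGO):
        print(f"{r.name:30s} RE = ${risk_exposure(r):,.0f}")
    for r in prioritize(ORDINAL_REGISTER):
        print(f"{r.name:30s} RE = {risk_exposure(r):.0f}")
    # A $30K segregation-of-duties control that cuts embezzlement likelihood to 0.005
    before = risk_exposure(CHICAGO[2])
    after = risk_exposure(Risk("embezzlement", 0.005, 2_000_000))
    print(f"RRL = {risk_reduction_leverage(before, after, 30_000):.1f}")
```

Note what the ordinal register loses: volcanic eruption scores 3 and late delivery 4, a gap of one rank, while their numeric exposures differ by almost three orders of magnitude. Ordinal scales are fine for ordering, but adding or averaging rank products across risks invents precision the inputs do not have.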

    1.3 Risk Management in Practice

The potential consequences of the materialization of a significant threat to a business or government organization, and the obvious fact that risk management can greatly reduce those consequences, make it eminently clear that no such organization can afford not to engage in a serious risk management effort. The smaller the organization and the simpler the threats, the less formal the organization's risk management effort need be. For the small organization, e.g., a single retail store belonging to a family, very informal risk management may suffice. In many situations legal statutes and acquisition policies give an organization no choice; see Section 3 of this chapter. The Hawthorne Principle states that productivity increases as a result of simply paying attention to workers' environments. It is likely, by analogy, that a simple concern with risk management produces significant, though certainly not optimal, results.

On the other hand, it should also be clear that risk management is rarely easy. In the case of the rare threat-vulnerability pair whose probability can easily be assigned a numerical value, whose impact can be assigned a precise monetary value, and for which there exists a safeguard whose cost and efficacy can be pinned down numerically, there is no problem. In other cases, those in which one or more of the parameters can, at best, be placed on an ordinal scale, matters are more complicated and approximate methods must be used. Consider, as examples, the quantification of the impact of:

- personal embarrassment resulting from: theft and publication of personal financial, health, or other data; insertion into a database of false financial data implicating the subject in fraud or embezzlement; inability to keep appointments resulting from temporary inability to use an electronic calendar
- corporate loss of earnings resulting from theft of pre-patent technical data
- loss of corporate auditors' ability to detect embezzlement, and attendant loss of funds, resulting from deliberate corruption of financial data by the embezzler
- temporary inability of a corporation to issue weekly pay checks to employees, with attendant anger and loss of productivity, resulting from temporary unavailability of hours-worked data
- loss of life: of a covert intelligence agent resulting from theft and revelation of name and address; resulting from changes to a database indicating that the subject is a covert agent when s/he isn't; resulting from a battlefield commander's inability to connect to a field-support database.

To aid in the identification and management of risks, a number of risk management methods and risk taxonomies have been created. The SEI's risk taxonomy, for example, divides risk into three classes: product engineering, development environment, and program constraints. The first level of decomposition of each of these classes is given in Figure 2.

A. Product Engineering
  1. Requirements: a. Stability, b. Completeness, c. Clarity, d. Validity, e. Feasibility, f. Precedent, g. Scale
  2. Design: a. Functionality, b. Difficulty, c. Interfaces, d. Performance, e. Testability, f. Hardware Constraints, g. Non-Developmental Software
  3. Code and Unit Test: a. Feasibility, b. Testing, c. Coding/Implementation
  4. Integration and Test: a. Environment, b. Product, c. System
  5. Engineering Specialties: a. Maintainability, b. Reliability, c. Safety, d. Security, e. Human Factors, f. Specifications

B. Development Environment
  1. Development Process: a. Formality, b. Suitability, c. Process Control, d. Familiarity, e. Product Control
  2. Development System: a. Capacity, b. Suitability, c. Usability, d. Familiarity, e. Reliability, f. System Support, g. Deliverability
  3. Management Process: a. Planning, b. Project Organization, c. Management Experience, d. Program Interfaces
  4. Management Methods: a. Monitoring, b. Personnel Management, c. Quality Assurance, d. Configuration Management
  5. Work Environment: a. Quality Attitude, b. Cooperation, c. Communication, d. Morale

C. Program Constraints
  1. Resources: a. Schedule, b. Staff, c. Budget, d. Facilities
  2. Contract: a. Type of Contract, b. Restrictions, c. Dependencies
  3. Program Interfaces: a. Customer, b. Associate Contractors, c. Subcontractors, d. Prime Contractor, e. Corporate Management, f. Vendors, g. Politics

Figure 2: Taxonomy of Software Development Risks (from [Carr93])

This taxonomy is used to "drive" a risk assessment method. For each class (such as Product Engineering), for each element within that class (such as Design), and for each attribute of that element (such as Performance), there is a set of questions that serve to guide the risk analyst. Depending on the answers to these questions, the analyst might be guided to still further questions, probing the nature of the risk. For example, an analyst looking at performance risks would first ask if a performance analysis has been done. If the answer is "yes", a follow-on question would ask about the level of confidence in this analysis. Security itself appears in this taxonomy only as one attribute of the "Engineering Specialties" element. Clearly, to be able to manage security risks we need to delve more deeply into the elements and attributes that are particular to security. We will give some examples of risk management methods tailored for security in Section 2.

    2. Risk Assessment Methodologies


According to the ISO 17799 Information Security Standard [ISO], risk assessment consists of the:

Assessment of threats to, impacts on and vulnerabilities of information and information processing facilities and the likelihood of their occurrences

and risk management consists of the:

Process of identifying, controlling and minimizing or eliminating risks that may affect information systems, for an acceptable cost.

The bulk of this chapter thus far has been addressing IT security risk assessment.

2.1 OCTAVE

The OCTAVE approach [OCTAVE04] describes a family of security risk evaluation methods that, unlike many other security analysis methods, are aimed at finding organizational risk factors and strategic risk issues, by examining an organization's security practices [Alberts02]. The focus of OCTAVE is to enable an organization to consider all dimensions of security risk so that it can determine its strategic best practices, rather than to find specific security risks within specific systems. The OCTAVE approach thus needs to consider an organization's assets, threats, and vulnerabilities (as any security method would), but in addition it asks the stakeholders to explicitly consider and evaluate the organizational impact of security policies and practices. For this reason an organization's evaluation team must be multidisciplinary, consisting of both technical personnel and management.

The OCTAVE process is organized into three phases that are carried out in a series of workshops. In Phase 1 (Build Asset-Based Threat Profiles) the team first determines the context and goals for the analysis by describing the information-related assets that they want to protect. They do this via a set of structured interviews with senior management, operational management, IT staff, and general staff. The team then catalogues the current practices for protecting these assets. The OCTAVE approach then focuses the inquiry by selecting the most important of these assets as critical assets, which are the subject of the remainder of the analysis. For each critical asset the evaluation team identifies a set of threats to that asset.

In Phase 2 (Identify Infrastructure Vulnerabilities) the analysis team performs the analysis, by first identifying a set of components that are related to the critical assets and then determining the resistance (or vulnerability) of each component to being compromised. They do this analysis by running tools that probe the identified components for known vulnerabilities.

Finally, in Phase 3 (Develop Security Strategy and Plans) the team closes the loop. They examine the impact of the threats associated with each of the critical assets, based on the Phase 2 analysis, using a common evaluation basis (for example, a determination of "high", "medium", or "low" impact). Based on these evaluations the team determines a course of action for each: a risk mitigation plan. Instead of merely determining a tactical response to these risks, the goal of the OCTAVE analysis is to determine an organizational "protection strategy" for the critical assets.

As an approach that is aimed at strategic, organization-wide risk reduction, OCTAVE also includes activities to ensure that the organization monitors and improves its process. These risk reduction activities revolve around planning, in detail, how to implement the protection strategy; implementing the plan; monitoring the plans as they are being implemented, to ensure that they are on schedule and that they are effective; and finally correcting any problems encountered. Thus the three phases of the OCTAVE approach can be seen as part of a larger picture, consisting of the activities shown in Figure 3.

Figure 3: The OCTAVE Life Cycle (the figure maps the OCTAVE activities onto the generic risk management activities: Identify, Analyze, Plan, Implement, Monitor, Control)

The OCTAVE approach has been instantiated in two methods to date: OCTAVE and OCTAVE-S. The difference between the methods is that OCTAVE is aimed at large organizations with large, complex information security requirements and infrastructures. OCTAVE-S, on the other hand, is aimed more at smaller organizations (or smaller sub-units of large organizations) with simpler information security needs.

2.2 SRMD

The Security Risk Management Discipline (SRMD) [SRMD04] provided by Microsoft Corporation combines ideas from Microsoft's solutions framework (a set of process guidelines for delivering effective software technology-centric solutions) and its operations framework, which guides organizations to make their systems more manageable, available, and supportable. The SRMD, as its name implies, is meant to assess and mitigate or manage security risks over a system's entire lifecycle. As such, the SRMD is meant to be proactive and continuous. It is meant to permeate all decision-making, rather than being a method that one enacts periodically.

The SRMD, like the OCTAVE methods, is divided into three "primary processes". The first process, entitled Assessment, focuses first on identifying the assets that are of value to an organization, and assigning a specific value to each of those assets. This establishes the context and goals for the analysis. […] (although the SRMD doesn't explicitly call it that), and make strategic decisions on which risks will receive the most attention, and in what order. This phase therefore does the focusing of the inquiry as well as the analysis.

In Phase 2 of the SRMD, Development and Implementation, the risks found in Phase 1 are addressed and, for each one, a remediation strategy is created, implemented, and tracked. Every remediation strategy needs to be tested, including being tested in a production environment, and the results of the tests are reported, to ensure institutional learning. This phase thus handles closing the loop.

The third and final phase of the SRMD, Operation, recognizes that moving new processes and new assets into day-to-day operation requires effort and attention. This is another example of closing the loop. Creating new processes starts with a well-defined change management process, which includes not only moving the new assets into production, but also accompanying those new assets with new procedures as appropriate. These new and changed assets must be stabilized, and all personnel must become familiarized with them, to ensure successful transition and operation.

The SRMD, like the OCTAVE approach, emphasizes that security must have its place in the software and system development life cycle, and so has described a "Security Framework Process Model". This model consists of six major processes and milestones:

- Initiation of the project definition (where a vision scope is approved)
- Security assessment and analyses (where a project plan is approved)
- Security remediation development (where the identified scope of the remediation is covered)
- Security remediation testing and resource functionality testing (where release readiness is approved)
- Security policies and countermeasure deployment (where the deployment is completed)
- Deployment complete (where preparations are made for the next iteration)

The SRMD also identifies a "Security Risk Management Discipline" which aids an organization in planning a strategy for minimizing the risks associated with security breaches. This involves guidance on how to assess risk probabilities and losses, how to analyze and prioritize risks, and how to plan, schedule, and report on security risks.

For example, to determine a risk probability, the SRMD walks a user through a series of steps for determining 1) the probability of a threat, 2) the criticality of the asset, 3) the effort required to exploit the vulnerability, 4) the vulnerability factor, and 5) the asset priority. The first three steps allow one to determine the "threat level" and the final two steps allow one to determine the impact, or "loss factor". By multiplying these together we get an RE value. Similarly the SRMD provides a set of steps and factors to consider in valuing assets.

2.3 FRAP

The Facilitated Risk Assessment Program (FRAP) is a qualitative process, developed by Thomas Peltier. In the FRAP, a system or a segment of a business process is examined by a team that includes both business/managerial and IT personnel. The FRAP guides them to brainstorm potential threats, vulnerabilities and the potential damages to data integrity, confidentiality and availability. Based on this brainstorming, the impacts to business operations are analyzed and threats and risks are prioritized. The FRAP is purely qualitative, meaning that it makes no attempt to quantify risk probabilities and magnitudes. The FRAP consists of the following three phases:

Phase 1: The Pre-FRAP Meeting

In Phase 1, the review is scoped and the initial team and the mechanics of the review are agreed on. This establishes the context and goals of the inquiry. The outputs of Phase 1 are: a scope statement, an identification of the team members (typically between 7 and 15 people), a visual model of the security process being reviewed, and a set of definitions. These definitions serve as an anchor to the rest of the process. The FRAP recommends that the team agree on the following terms: integrity, confidentiality, availability, risk, control, impact, and vulnerability. Finally, the mechanics of the meeting need to be agreed upon in Phase 1: location, schedule, materials, etc.

Phase 2: The FRAP Session

Phase 2 is itself divided into three parts. These three parts serve as the focusing activity, as well as the front-end of the analysis activity. The first activity is in establishing the logistics for the meeting: who will take what role (owner, team lead, scribe, facilitator, team member). Once this is done the outputs from Phase 1 are reviewed (the definitions, scope statement, and so forth) to ensure that all team members are starting from a common basis of understanding. The second activity is brainstorming, where all of the team members contribute risks that are of concern to them. The third and final activity of Phase 2 is prioritization. Prioritization is ranked on two dimensions: vulnerability (low to high) and impact (low to high). When the risks are documented, the team also contributes suggested controls for at least the high priority risks.

Phase 3: The Post-FRAP Meeting(s)

Phase 3 may be a single meeting, or may be a series of meetings over many days. In this phase the bulk of the analysis work is done, as well as closing the loop. The outputs from the phase are: a cross reference sheet, an identification of existing controls, a set of recommendations on open risks and their identified controls, and a final report. The cross reference sheet is the most time-consuming of the activities. It shows all of the risks affected by each control, as well as any tradeoffs between controls that have been identified. The main contribution of the final report, in addition to documenting everything that has been learned in the FRAP, is an action plan, describing the controls to implement.

2.4 Quantitative versus Qualitative Approaches

The security risk management methods that we have surveyed have differed in whether they attempted to quantify security risks, or whether they attempted to qualitatively assess and prioritize risks. The SRMD and the OCTAVE process approach the problems of identifying, analyzing, planning for, and managing security risks quantitatively (in the OCTAVE approach, quantitative analysis of risks is an optional element of Phase 3). The FRAP and OCTAVE-S, on the other hand, are purely qualitative. What are the costs and benefits of each approach?

[…] level higher than any of the aforementioned guidelines and standards. In this section, we introduce the most important IT Security guidelines and standards in each of these categories. For each, we indicate its type, briefly describe its history and purpose, describe its major areas of concern, and indicate what it has to say about IT security risk management.

3.1 TCSEC, ITSEC, CTCPEC, Common Criteria, and ISO 15408

TCSEC, ITSEC, CTCPEC, Common Criteria, and ISO 15408 [ISO15408] constitute a family of standards in the sense that the first three are ancestors of the final two, and ISO 15408 is the ISO standard based upon Common Criteria. All deal with security-related COTS products. TCSEC stands for Trusted Computer System Evaluation Criteria, ITSEC for IT Security Evaluation and Certification Scheme, and CTCPEC for Canadian Trusted Computer Product Evaluation Criteria.

The original TCSEC document, often referred to as the “orange book,” was published in 1985 by the […]C's UK counterpart, began with work in two government agencies. In 1985, the Communications Electronics Security Group (CESG), created facilities for performing security evaluations of government computer systems. A few years later the Department of Trade and Industry (DTI) established the Commercial Computer Security Centre to evaluate security-related COTS products. The documents that resulted are known as "the Green Books". In December 1989, CESG and DTI issued a joint scheme, the UK IT Security Evaluation and Certification scheme, or, for short, the "UK ITSEC scheme". The scheme went into effect on May 1, 1991. According to ITSEC's mission statement:

The objectives of the Scheme are to meet the needs of Industry and Government for cost effective and efficient security evaluation and certification of IT products and systems. The Scheme also aims to provide a framework for the international mutual recognition of certificates.

Work on TCSEC, ITSEC, the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC), developed by the Canadian Communications Security Establishment (CSE), and a number of European initiatives, eventually led to development of the Common Criteria for Information Technology Security Evaluation, usually simply referred to as the “Common Criteria,” and often further abbreviated to “CC.” The organizations that participated in the development of the Common Criteria, and that are involved in certifying evaluation laboratories, are AISEP (Australia and New Zealand), CSE (Canada), SCSSI (France), BSI (Germany), […]


Each class is sub-categorized into a number of “families” and each family into a number of “components.” Some classes consist of few families; for example, Class FCS: Cryptographic support consists of just:

1 Cryptographic key management (FCS_CKM)
2 Cryptographic operation (FCS_COP)

Other classes consist of considerably more families; for example, Class FDP: User data protection includes:

1 Access control policy (FDP_ACC)
2 Access control functions (FDP_ACF)
3 Data authentication (FDP_DAU)
4 Export to outside TSF control (FDP_ETC)
5 Information flow control policy (FDP_IFC)
6 Information flow control functions (FDP_IFF)
7 Import from outside TSF control (FDP_ITC)
8 Internal TOE transfer (FDP_ITT)
9 Residual information protection (FDP_RIP)
10 Rollback (FDP_ROL)
11 Stored data integrity (FDP_SDI)
12 Inter-TSF user data confidentiality transfer protection (FDP_UCT)
13 Inter-TSF user data integrity transfer protection (FDP_UIT)

The following are CC's seven assurance requirements classes:

1 Class ACM: Configuration management
2 Class ADO: Delivery and operation
3 Class ADV: Development
4 Class AGD: Guidance documents
5 Class ALC: Life cycle support
6 Class ATE: Tests
7 Class AVA: Vulnerability assessment

An important part of a TOE's ST is the Protection Profile [PP], which details requirements that the product purports to satisfy or that the potential consumer must have. Common Criteria includes a set of “requirements of known validity” from which the preparer of the ST may choose in preparing the PP; consumers and/or developers may specify, in the PP, additional requirements that they deem necessary in a particular product or product category. Common Criteria evaluation works as follows: In the United States, the […]VS) Validation Body is jointly run by the […]


Similar arrangements are in effect in the other countries involved in the Common Criteria. The result of a product's positive CC evaluation is a confirmation that the TOE satisfies the ST together with an indication of the Evaluation Assurance Level (EAL) at which the ST is satisfied; there are seven EAL's, from EAL1 (functionally tested) and EAL2 (structurally tested) at the low end to EAL6 (semi-formally verified design and testing) and EAL7 (formally verified design and testing) on the high end.

As far as risk is concerned, Common Criteria assumes that the organization contemplating the purchase and use of a security-related product will employ the results of the product's evaluation in performing the risk analysis required to determine if the product meets the organization's IT security-related requirements. While it naturally addresses threat/risk-related issues in depth, Common Criteria, being product-centered rather than management-centered or operationally-centered, does not address the issue of how an organization goes about performing that risk analysis. The following quotations from Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, January 2004, make this point very clearly:

[Part 1, page 8] The evaluation process establishes a level of confidence that the security functions of such products and systems and the assurance measures applied to them meet these requirements. The evaluation results may help consumers to determine whether the IT product or system is secure enough for their intended application and whether the security risks implicit in its use are tolerable.

[Page 19] Consumers can use the results of evaluations to help decide whether an evaluated product or system fulfils their security needs. These security needs are typically identified as a result of both risk analysis and policy direction. Consumers can also use the evaluation results to compare different products or systems. Presentation of the assurance requirements within a hierarchy supports this need.

[Page 25] The owners of the assets will analyze the possible threats to determine which ones apply to their environment. The results are known as risks. This analysis can aid in the selection of countermeasures to counter the risks and reduce it to an acceptable level.

Types of product that have received Common Criteria certification include: operating systems, database management systems, firewalls, switches and routers, certificate management software, Public Key Infrastructure (PKI)/Key Management Infrastructure software, etc.

The three parts of the Common Criteria Standard are available at:
- Part 1 of the CC Standard version 2.2, January 2004: Introduction and general model, http://www.commoncriteriaportal.org/public/files/ccpart1v2.2.pdf
- Part 2 of the CC Standard version 2.2, January 2004: Security functional requirements, http://www.commoncriteriaportal.org/public/files/ccpart2v2.2.pdf
- Part 3 of the CC Standard version 2.2, January 2004: Security assurance requirements, http://www.commoncriteriaportal.org/public/files/ccpart3v2.2.pdf

The three parts of the latest (1999) version of ISO 15408 may be ordered from the International Organization for Standardization.


3.2 BS 7799, ISO 17799, and ISO TR 13335 GMITS

British Standard 7799 (BS 7799) and ISO 17799 form a family in the sense that the latter is the ISO standard version of the second of BS 7799's two parts, the first of which is best characterized as guidelines, and the second of which as a standard against which certification is possible. ISO TR 13335 (GMITS) is included in this section because it provides additional guidance, especially in the area of risk management, for organizations seeking ISO 17799 certification. All three deal with operational (including, of course, site-related physical) and management aspects of IT security; as might be expected, they all deal with both the implementation and the ongoing operation of IT security activities.

BS 7799 Part 1 is entitled “Information Technology - Code of Practice for Information Security Management,” and BS 7799 Part 2 “Information Security Management Systems - Specification with Guidance for Use.” ISO 17799 is entitled “Code of Practice for Information Security Management,” and ISO TR 13335 “Guidelines for the Management for IT Security,” or GMITS for short.

The earliest precursor of ISO 17799 was created by the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC), the organization that developed ITSEC (see above). Its first incarnation was the "Users Code of Practice," published in 1989. Its second incarnation was British Standard's guidance document PD 0003, “A Code of Practice for Information Security Management,” developed by the C[…]D). As of this writing BS 7799 Part 2 has not become an ISO standard, and there appears to be no effort to move it in that direction.

ISO 17799:2000 describes 127 security controls, each with numerous sub-sections, within the following ten domains:

1. Security Policy: to provide management direction and support for information security

2. Organizational Security: to manage information security within the organization

3. Asset Classification & Control: to maintain appropriate protection of organizational assets

4. Personnel Security: to reduce the risks of human error, theft, fraud or misuse of facilities

5. Physical Security: to prevent unauthorized access, damage and interference to business premises and information

6. Communication and Operation Management: to ensure the correct and secure operation of information processing facilities

7. Access Control: to control access to information

8. System Development and Maintenance: to ensure that security is built into information systems

9. Business Continuity Management: to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters

10. Compliance: to avoid breaches of any criminal and civil law, and statutory, regulatory or contractual obligations, and of any security requirements

While it is extremely thorough in its coverage, ISO/IEC 17799:2000 does not address the issues of evaluation or certification; i.e., it is, in the strict sense, a set of guidelines rather than a standard. BS 7799-2:2002 is, on the other hand, a standard in the strict sense. It specifies, in great detail, what is expected of an organization for the achievement of certification and what is expected of an assessor in the assessment of an organization for compliance. ISO 17799:2000 is intended to be used as a set of Code of Practice guidelines for organizations desirous of working toward BS 7799-2:2002 certification. It stresses risk assessment and risk management, but, as a set of guidelines, does not specify a particular approach.

BS 7799-2:2002 certification is based upon an organization's creation of a documented Information Security Management System (ISMS). The ISMS is based upon the continuous-improvement Plan, Do, Check, Act (PDCA) feedback-loop cycle invented by Walter Shewhart of Western Electric's Hawthorne Plant in the late 1930's and later popularized by W. Edwards Deming [She86]. The idea behind the cycle is to develop, implement, and continuously improve the organization's control and management of security. As can be seen from BS 7799-2:2002's high-level definition of PDCA, the management of risk drives the entire process:

PLAN […]

CHECK
- Execute monitoring procedures
- Undertake regular reviews of ISMS effectiveness
- Review level of residual and acceptable risk
- Conduct internal ISMS audits
- Perform regular management reviews of the ISMS
- Record actions and events that impact on the ISMS

ACT
- Implement identified improvements
- Take corrective/preventive action
- Apply lessons learned
- Communicate results to interested parties
- Ensure that improvements achieve objectives

ISO TR 13335-3:1998, Techniques for the Management of IT Security, and ISO TR 13335-4:2000, Selection of Safeguards go into detail on the topics of risk assessment and risk management respectively. The British Standard Institute's (BSI) PD 3002, “Guide to BS 7799 risk assessment,” and PD 3005, “Guide on the selection of BS 7799-2 controls,” detail how GMITS Part 3 and GMITS Part 4 may be applied, respectively, to the risk assessment and risk management aspects of ISO/IEC 17799 and BS 7799 Part 2.
http://www.bsi-global.com/ICT/Security/pd3002.xalter
http://www.bsi-global.com/ICT/Security/pd3005.xalter

Assessment for BS7799-2:2002 certification is done by an assessor working for a certification body. A list of certification bodies may be found at the web site of the International ISMS User Group (http://www.xisec.com/) as may a list of all certified organizations.

To be eligible to perform BS7799-2:2002 assessments, an organization must be accredited as a certification body by a national accreditation body. Different national accreditation bodies maintain reciprocal recognition agreements. Identities of and contact information for national accreditation bodies in Europe may be found at the European (cooperation for) Accreditation (EA) web site at http://www.european-accreditation.org/, as can non-European accreditation bodies with which EA has contracts of cooperation; EA-7/03 (rev.00, February, 2000), “Guidelines for the Accreditation of Bodies Operating Certification/Registration of Information Security Management Systems” may also be found at http://www.european-accreditation.org/.

The ISMS International Users Group lists the following as accredited certification bodies: BM TRADA Certification Limited, […]


A BS7799-2:2002 certification comes with a “scope,” which specifies the part of the organization that is, in fact, certified (either the entire organization or one or more of its parts or activities).

3.3 HIPAA

US Health Portability and Accountability Act of 1996 (HIPAA) is not a standard against which an organization is certified, but, rather, a statute, with which relevant organizations are required to comply, and which dictates government audit, with possible severe consequences, in case of complaints of violations. HIPAA's purpose, as stated in the act itself, is:

… to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

The desired results are intended to result from improved utilization of IT, which accounts for the act's inclusion of a privacy standard/rule and a security standard/rule. The act applies to Protected Health Information (PHI), anything to do with a patient or patients, that is electronically stored and electronically transmitted by a “covered entity,” i.e., a health plan, a health care provider, or a health care clearinghouse. The term “health plan” includes health insurers, health benefit plans, HMO's, other managed care organizations, etc. The term “health care clearinghouse” includes billing services, health information providers, etc. The final version of the Security Rule was enacted in February 2003; large organizations will be required to comply by April 2005, and small ones by April 2006. The HIPAA Security Rule is broken down into three areas: Administrative (management and operational) Safeguards, Physical (operational) Safeguards, and Technical Safeguards. The three safeguards are further broken down as follows:

Administrative Safeguards
- Security Management Process
- Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements

Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls

Technical Safeguards
- Access Controls
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security


HIPAA's Security Rule specifies identification of the relevant IT systems, i.e., scoping of the compliance effort (a necessary precursor to risk identification), followed by risk assessment and risk management planning.

Because HIPAA requires that a covered entity's implementation of the Security Rule be “comprehensive and coordinated,” “scalable,” and “technology neutral” (i.e., that it be updated regularly as technology changes), the act's provisions are general, rather than specific. In May 2004 […]-CMM95. These apply to the development of arbitrary (not necessarily IT security-related) software applications or systems, in the first case, and of hardware/software systems in the second. A CMM is used to certify the process that an organization uses to produce its products rather than to certify the results of the application of that process, i.e., the products produced.

The philosophy behind this notion is that if the process used by an organization in the production of products is sufficiently “mature,” then it is safe to assume that:

- the organization's existing products are of sufficiently high quality (in the case of software, as an example, that it meets functional requirements/specifications to a sufficient degree, that it has a sufficiently high level of performance, reliability, availability, maintainability, etc.)

- and that a new product, yet to be developed, will be of sufficiently high quality and will, additionally, be completed sufficiently close to schedule and sufficiently close to the projected budget.

A further aspect of the CMM notion is that an organization's maturity can be assigned a maturity level, typically on a scale of one to five, which, in some sense, qualifies the notion of “sufficient,” with level 5 representing a very high level of sufficiency, level 1 representing a low level, and levels 2-4 being in between.


According to the SSE-CMM Model Description Document, Version 3.0, [with editorial comments in square brackets], the System Security CMM (SSE-CMM) is extremely flexible, so flexible, in fact, that it applies to:

- Product Developers: The SSE-CMM includes practices that focus on gaining an understanding of the customer's security needs. Interaction with the customer is required to ascertain them. In the case of a [non-custom, non-contracted] product, the customer is generic as the product is developed a priori independent of a specific customer. When this is the case, the product marketing group or another group can be used as the hypothetical customer, if one is required. In this case, the product is hardware/software/other physical product to be used for IT security.

- Countermeasure Developers: … The model contains practices to address determining and analyzing security vulnerabilities, assessing operational impacts, and providing input and guidance to other groups involved (such as a software group). The group that provides the service of developing countermeasures needs to understand the relationships between these practices. In this case, the product is the countermeasures themselves.

- Security Service Providers: To measure the process capability of an organization that performs risk assessments, several groups of practices come into play. During system development or integration, one would need to assess the organization with regard to its ability to determine and analyze security vulnerabilities and assess the operational impacts. In the operational case, one would need to assess the organization with regard to its ability to monitor the security posture of the system, identify and analyze security vulnerabilities, and assess the operational impacts. [This means assessing the entire IT security system, technical, operational, and management.] […]-CMM. According to the same document, SSE-CMM's history is as follows:

The SSE-CMM initiative began as an […]-CMM Steering, Author, and Application Working Groups with the first version of the model published in October 1996 and of the appraisal method in April 1997.

To validate the model and appraisal method, pilots occurred from June 1996 through June 1997 … The pilots addressed various organizational aspects that contributed to the validation of the model … In July 1997, the Second Public Systems Security Engineering CMM Workshop was conducted … The workshop proceedings are available on the SSE-CMM web site. … the International Systems Security Engineering Association (ISSEA) was formed to continue the development and promotion of the SSE-CMM … ISSEA continues to maintain the model and its associated materials as well as other activities related to systems security engineering and security in general.


ISSEA has become active in the International Organization for Standardization and sponsored the SSE-CMM as an international standard, ISO/IEC 21827 [ISO21827].

The “base practices” for which CMM assesses security engineering maturity are divided into two groups. The groups, along with their “process areas”, are as follows:

SECURITY BASE PRACTICES
PA01 - Administer Security Controls
PA02 - Assess Impact
PA03 - Assess Security Risk
PA04 - Assess Threat
PA05 - Assess Vulnerability
PA06 - Build Assurance Argument
PA07 - Coordinate Security
PA08 - Monitor Security Posture
PA09 - Provide Security Input
PA10 - Specify Security […]

[…]
PA16 - Plan Technical Effort
PA17 - Define Organization's Systems Engineering Process
PA18 - Improve Organization's Systems Engineering Processes
PA19 - Manage Product Line Evolution
PA20 - Manage Systems Engineering Support Environment
PA21 - Provide Ongoing Skills and Knowledge
PA22 - Coordinate with Suppliers


CS 564 Fall 2005 Stevens Institute of Technology

The maturity levels are:

Capability Level 1 Performed Informally: Base practices of the process area are generally performed. The performance of these base practices may not be rigorously planned and tracked. Performance depends on individual knowledge and effort. Work products of the process area testify to their performance. Individuals within the organization recognize that an action should be performed, and there is general agreement that this action is performed as and when required. There are identifiable work products for the process.

Capability Level 2 Planned and Tracked: Performance of the base practices in the process area is planned and tracked. Performance according to specified procedures is verified. Work products conform to specified standards and requirements. Measurement is used to track process area performance, thus enabling the organization to manage its activities based on actual performance. The primary distinction from Level 1, Performed Informally, is that the performance of the process is planned and managed.

Capability Level 3 Well Defined: Base practices are performed according to a well-defined process using approved, tailored versions of standard, documented processes. The primary distinction from Level 2, Planned and Tracked, is that the process is planned and managed using an organization-wide standard process.

Capability Level 4 Quantitatively Controlled: Detailed measures of performance are collected and analyzed. This leads to a quantitative understanding of process capability and an improved ability to predict performance. Performance is objectively managed, and the quality of work products is quantitatively known. The primary distinction from the Well Defined level is that the defined process is quantitatively understood and controlled.

Capability Level 5 Continuously Improving: Quantitative performance goals (targets) for process effectiveness and efficiency are established, based on the business goals of the organization. Continuous process improvement against these goals is enabled by quantitative feedback from performing the defined processes and from piloting innovative ideas and technologies. The primary distinction from the quantitatively controlled level is that the defined process and the standard process undergo continuous refinement and improvement, based on a quantitative understanding of the impact of changes to these processes.

Considering the definitions of levels 4 and 5, it should be no surprise that the first CMM, the Software Engineering CMM, was developed under strong influence from Shewhart and Deming's ideas on statistical process control [She86].

SSE-CMM provides documentation of both the basic model and of the appraisal method. The SSE-CMM Model Description Document Version 3.0 is available at http://www.sse-cmm.org/docs/ssecmmv3final.pdf. SSE-CMM Appraisal Method Version 2.0 is available at http://www.sse-cmm.org/docs/SSAM.pdf. According to SSE-CMM Appraisal Method Version 2.0, any organization wishing to evaluate the capability of another organization to perform systems security engineering activities should consider using the SSAM [System Security Appraisal Method]. The SSAM can be used to evaluate the processes of product developers, service providers, system integrators, system administrators, and security specialists to obtain a baseline or benchmark of actual practices against the standards detailed in the SSE-CMM [SSE-CMM Model Description Document].

The International Systems Security Engineering Association (ISSEA: http://www.sse-cmm.org/issea/issea.asp) “is a non-profit membership organization dedicated to the advancement of Systems Security Engineering as a defined and measurable discipline. Established in 1999, ISSEA and its members are tasked with the maintenance of the SSE-CMM.” According to the ISSEA web site, an appraiser certification program is currently being developed.

3.5 NIST Guidance Documents

As can be seen from the discussions in sections 2.1-2.4, the US […]

disclosure of information, a corruption of the organization's information (a loss of integrity), or a denial of service.

In the language of risk, we need to consider the magnitude of all risk exposures to which an organization is susceptible. This leads to the basic risk formula, which attempts to quantify risk in terms of risk exposure (RE) [Boehm91]:

RE = probability(loss) × magnitude(loss)

This is frequently written as follows: RE = P(L) × S(L).

For example, if organization A calculates the probability of a key server being down for 2 hours as 10% due to denial of service attacks, and the loss due to this down-time to be $20,000, then the risk exposure facing A due to this loss is $2,000. Frequently this formula is presented as a summation of all such risks to which a system is exposed, therefore:

Total RE = Σ P(L_i) × S(L_i), where L_i is the loss due to the i-th risk.

For example, if organization A has two other risks that they are facing, one with a probability of 50% and a loss of $1,000 and another with a probability of 0.1% and a loss of $1,000,000, then A's Total RE is:

.1 × $20,000 + .5 × $1,000 + 0.001 × $1,000,000 = $2,000 + $500 + $1,000 = $3,500

Related to the notion of RE is risk reduction leverage (RRL). RRL is a way of gauging the effectiveness or desirability of a risk reduction technique. The formula for RRL is:

RRL = (RE_before - RE_after) / RRCost

where RRCost stands for risk reduction cost. A similar formula can be used to compare the relative effectiveness of technique A with respect to B:

    RRRLA%B: 1R>BO R>A2 ) 1RRCostAO RRCostB2.

    here R>Aand R>Bare the risk exposures after using A and B respectively 1e assumethat the R> before applying the techniFues is the same for both techniFues2. e see thathen RRRLA%B[ ,% techniFue A is more cost5effective than techniFue B.

Let us consider an example. Say an organization is considering ways of lowering its defect risk on a safety-critical system, and has identified a structured walkthrough or an IV&V (independent validation and verification) activity as two possible ways of finding defects and hence reducing the system risk; it can proceed as follows. First it must establish a cost for each risk reduction technique, the current RE (which is its RE_before) and the RE that will result from the application of the technique (the RE_after). Let's assume that the organization is interested in the risk involved with the safety-critical system failing. Such a failure would result in a loss to the company of $10,000,000 and currently the company believes that there is a 5% likelihood of such an occurrence. Structured walkthroughs have, in the past, been shown to find 80% of the outstanding problems, reducing the probability of a loss to 1%. IV&V is even more effective at finding problems, and it is expected that this technique will reduce the probability of a loss to 0.01%. However, the structured walkthrough is relatively inexpensive, costing just $5,000 (the time of the employees involved). The IV&V, since it is independent, involves hiring a consultant, which will cost $100,000. The RRL for each technique can now be calculated as follows:

RRL_inspection = (0.05 × 10,000,000 − 0.01 × 10,000,000) / 5,000 = (500,000 − 100,000) / 5,000 = 80

RRL_IV&V = (0.05 × 10,000,000 − 0.0001 × 10,000,000) / 100,000 = (500,000 − 1,000) / 100,000 = 4.99

Clearly in this case the organization will want to choose to do the inspection first, as its RRL is far greater than that of the IV&V activity. The relative leverage of the two techniques tells the same story from the other side:

RRRL_inspection,IV&V = (0.0001 × 10,000,000 − 0.01 × 10,000,000) / (5,000 − 100,000) = (1,000 − 100,000) / (−95,000) = (−99,000) / (−95,000) = 1.042 > 0

The extra $95,000 spent on IV&V buys a further $99,000 of exposure reduction, a leverage barely above 1, against a leverage of 80 for the $5,000 inspection; the inspection therefore comes first.

It is often the case that a technique reduces only the likelihood of a risk and not its magnitude. In this case, the RRL reduces to the cost-benefit (CB):

CB = [P_before(L) − P_after(L)] × S(L) / RRCost = ΔP(L) × S(L) / RRCost
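The RE, total RE, RRL and RRRL formulas above, and the walkthrough-versus-IV&V comparison, carried through in Python as an added example (this is not code from the lecture; the Risk and Technique classes and the function names are my own):

```python
"""Risk exposure (RE), risk reduction leverage (RRL) and relative RRL,
run on the figures used in the text.  Example code added to this section,
not part of the original lecture; the class and function names are mine."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # P(L), as a fraction
    loss: float         # S(L), in dollars

    def exposure(self) -> float:
        """RE = P(L) * S(L)."""
        return self.probability * self.loss


def total_re(risks) -> float:
    """Total RE = sum_i P(L_i) * S(L_i).  Expectations add, so no
    independence assumption between the risks is needed."""
    return sum(r.exposure() for r in risks)


@dataclass(frozen=True)
class Technique:
    name: str
    cost: float     # RRCost
    p_after: float  # P(L) once the technique has been applied


def rrl(re_before: float, re_after: float, cost: float) -> float:
    """RRL = (RE_before - RE_after) / RRCost: exposure removed per dollar spent."""
    return (re_before - re_after) / cost


def rrrl(re_a: float, re_b: float, cost_a: float, cost_b: float) -> float:
    """RRRL_{A,B} = (RE_B - RE_A) / (RRCost_A - RRCost_B): exposure removed per
    extra dollar when the dearer of the two techniques is chosen."""
    return (re_b - re_a) / (cost_a - cost_b)


def compare(risk: Risk, a: Technique, b: Technique) -> dict:
    """Leverage of each technique against `risk` and the relative leverage of
    A over B.  'first' is the technique with the higher RRL, i.e. the one to
    schedule first.  Both techniques are assumed to change only P(L)."""
    re_before = risk.exposure()
    re_a = a.p_after * risk.loss
    re_b = b.p_after * risk.loss
    rrl_a = rrl(re_before, re_a, a.cost)
    rrl_b = rrl(re_before, re_b, b.cost)
    return {
        "rrl_a": rrl_a,
        "rrl_b": rrl_b,
        "rrrl_ab": rrrl(re_a, re_b, a.cost, b.cost),
        "first": a.name if rrl_a >= rrl_b else b.name,
    }


# The three risks facing organization A in the text
REGISTER = [
    Risk("key server down 2h (DoS)", 0.10, 20_000),
    Risk("second risk", 0.50, 1_000),
    Risk("third risk", 0.001, 1_000_000),
]

# The safety-critical system example: $10M loss at 5% likelihood
SAFETY = Risk("safety-critical failure", 0.05, 10_000_000)
INSPECTION = Technique("structured walkthrough", 5_000, 0.01)
IVV = Technique("IV&V", 100_000, 0.0001)

if __name__ == "__main__":
    print(f"Total RE = ${total_re(REGISTER):,.0f}")
    print(compare(SAFETY, INSPECTION, IVV))
```

Running the block reproduces the $3,500 total, the RRL values of 80 and 4.99, and the RRRL of 1.042; the sign of the RRRL only says that the dearer technique removes more exposure, so the ordering decision is read off the two RRL values.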

Finally, another one of the things that we can do with RE is to develop a risk profile (or RE profile) with respect to some measure of interest. For example, one can evaluate RE as a function of a monotonically increasing quantity such as elapsed time, cumulative effort, or cumulative cost. An example risk profile is given in Figure 4.

Figure 4: An Idealized Risk Reduction Profile

Given this basis of understanding we are now in a position to begin looking at specific techniques for strategic risk management.

4.2 Strategic Risk Models

Every IT system in operation will have some degree of security risk [Boehm91]. Recall that security risks are possible situations or events that can cause a system harm and will incur some form of loss. Security risks range in impact from trivial to fatal and in likelihood from certain to improbable. Thus far we have only discussed risks that are “identified”, in that they arise from anticipated threats and known vulnerabilities; however there are also unidentified risks where this is not the case. Similarly the impact of an identified risk is either known, where the expected loss-potential has been assessed, or unknown, where the loss-potential has not been or cannot be assessed. Risks that are unidentified or have unknown impacts are sometimes loosely labeled as risks due to uncertainty. In the case of IT system security, risk considerations often must focus on uncertainty since, by design, identified-known risks are either addressed or accepted as within a “tolerable” level. Managing risks due to uncertainty is essentially the focus of sound risk management. Finally note that a risk model describes risks and their impacts for a particular system.

We consider risk profile models because risks are generally not static. Likelihoods and impacts change with a number of factors such as time, cost, system state, and so forth. As a consequence it is often desirable to consider risks with respect to a planned set of events such as assessment effort, system operation time, development investment, etc. Models that represent risks changing dynamically over planned activities are called strategic risk models. We would like to utilize these models to promote effective risk management.

As introduced previously we will make use of risk profiling. Recall that RE is computed as the product of the probability of loss and the size of that loss, summed over all sources for a particular risk. Since security risk considerations greatly affect a system's operational value, it is important that these risks be investigated candidly and completely. Expressing system development and operation considerations in terms of risk profiles enables quantitative assessment of attributes that are typically specified only qualitatively. A useful property of RE is that if it is computed entirely within a particular system (i.e. no external loss sources), we may assume all RE sources are additive. This will be true regardless of any complex dependencies and is analogous to mathematical expectation calculations within classic probability theory.

The additivity of RE can be exploited to analyze strategies for managing risk profiles for IT system security. Such analyses enable cost, schedule, and risk trade-off considerations that help identify effective risk management strategies. In particular this approach can help answer difficult questions such as “what particular methods should be used to assess these vulnerabilities”, “which method should be used first”, and “how much is enough: risk assessment, risk mitigation, or risk control?”. As in previous sections, our focus will be on risk assessment, noting that the methods presented often have analogous

counterparts in risk control.

4.3 Strategic Risk Management Methods

The purpose of risk modeling is to aid in risk management decision making. Management does not necessarily mean removing risk; this is not always possible or even economically feasible. For any risk, there is usually only a limited degree to which that risk can be controlled or mitigated (i.e. its expected loss reduced). As indicated earlier, there are risks due to uncertainty that cannot be mitigated or even assessed. As such, risk management is the collection of activities used to address the identification, assessment, mitigation, avoidance, control, and continual reduction of risks within what is actually feasible under particular conditions and constraints. The goal of risk management is therefore one of “enlightened gambling”, where we seek an expected outcome that is positive regardless of the circumstances. Assessment is the key starting point and, as stated earlier, the focus of this chapter. This includes gaining insight into the following:

what the risks are and where there is risk due to uncertainty

differentiating between development risks and operation risks

avoidable versus unavoidable risks

controllable versus uncontrollable risks

cost and benefits of risk mitigation, avoidance, and control

Assessment enables a strategy to be chosen for the mitigation and control of risk. However, it is not obvious from the outset that any given assessment strategy will be effective (or even feasible). In fact a poorly chosen strategy may actually increase overall risk. A strategic risk management method is one that produces a risk management strategy that reduces overall risk with respect to a particular goal (e.g. most risk reduction at lowest cost). Having a particular goal here is firmly predicated on having acceptable, well-defined strategic risk models as described earlier.

We will now describe models and methods for the strategic risk management of IT system security. Such models and methods will aid in making important “pre-crisis” risk management decisions by determining how much effort (or time) should be invested in assessing security risks with respect to project risk factors such as cost, schedule, launch (or operation) window, available skills and technology, uncontrollable external events, and so forth. In this way we lay the foundation for a practical, economically feasible, empirically based approach to the strategic planning of risk management efforts.

4.4 The Need for Strategic Risk Management Methods

To illustrate the need for strategic risk management we consider a general IT security risk assessment. The risk exposure corresponding to the cumulative potential loss from security violations in the operational system (e.g. system intrusions) will be called RE_security. In the case of security risk assessment, the more assessment that is done, the lower the RE_security that results from unforeseen or uncontrolled vulnerabilities (i.e. uncertainty), such as those listed in Table 1. Assessed security attributes reduce both the size of loss due to “surprises” and the probability that surprises still remain. Prior to embarking on a security risk assessment, the system will likely contain many potential vulnerabilities, either known or arising from uncertainties. This results in an initially high (relative to the project) probability of loss, P(L). Some of these vulnerabilities may be critical, and so S(L), the size of the loss, will be high. Thus without any assessment RE_security will initially be high. When assessment has been employed, the likelihood of unidentified vulnerabilities will be reduced. If assessment is done thoroughly (and identified vulnerabilities are addressed), most of the vulnerabilities remaining are likely to be minor, and RE_security will be low.

It is generally not feasible to be totally exhaustive when performing a system assessment. As a result, the ideal assessment risk reduction profile (as illustrated in Figure 4) is one where RE_security decreases as rapidly as possible at the beginning. This profile is ideal because it provides the maximum risk reduction for any given amount of security assessment effort. As stated previously, this profile is not a given for any strategy.

[Figure: normalized RE (0 to 1) versus assessment Effort (0 to 350) for three assessment orderings, labelled “least effort”, “highest CB” and “arbitrary”]

Figure 5: Example RE_security Profiles

To give a concrete example of how a non-ideal risk reduction profile may occur, consider the data in Figure 5, taken from a space systems ground control project. The data was generated by assessing each relevant security attribute in Table 1 for: S(L), in terms of the percentage of the project value lost that would result from the exploitation of a vulnerability in this attribute; and ΔP(L), the corresponding change in probability (as a percentage) of an exploitation occurring. These in turn are used to calculate the corresponding RE reductions if the attribute is fully assessed. The RE has been normalized to the fractional portion of the total known RE that can be reduced through assessment. The cost is the effort in hours used to perform the assessment of the attribute, and CB is the cost-benefit ratio (the more specific form of RRL mentioned earlier). The attributes were assessed using an extensive security review checklist.

A1: Denial of Service             A8: File Deletions
A2: System Crash                  A9: Access to Private Data
A3: Message Queue Overflow        A10: Hardware Failure
A4: System Fault                  A11: Access to Code
A5: Misled Operator               A12: Resource Utilization
A6: Unauthorized Access           A13: Requirement Consistency and Completeness
A7: Unauthorized Administrator    A14: Understandability

Table 1: Example Security Attributes

We see that some care must be taken in choosing the order (i.e. strategy) in which to perform the assessments to achieve the ideal risk reduction profile indicated in Figure 4. Figure 5 compares three strategies for the order in which the assessments might be performed. Each tick mark on the graph for each RE profile corresponds to the assessment of a particular attribute. […] RE_security reduction profile indicated in the top-most curve in Figure 3. It is seen that performing the assessments in the order of highest cost-benefit (CB) will achieve the desired RE_security reduction profile. It can be shown that under fairly general circumstances, this will always be true.

While we illustrated the strategic method with only risk assessment, analogous methods exist for risk control. The important point here is that without a strategic approach, you are likely to end up with a less than ideal RE_security reduction profile, as indicated in Figure 5. The consequences of this are not fictitious and are significant, because frequently not all assessment tasks are (or can be) performed. This may happen when there are arbitrarily defined budgets, or when people “feel” that enough risk has been reduced, or more commonly when higher priority is given to other tasks over risk management. The result is a system with a high degree of risk due to uncertainty, with the usual consequences of “blind” risk taking [Basili01, Tran97].

5. Practical Strategic Risk Models

In this section we look at how strategic methods can be applied in practice. This includes using strategic models to help make complex planning decisions such as “how much is enough risk assessment” and extending the strategic method to account for multiple techniques.

5.1 Multi-technique Strategic Methods

To begin with, note that in our particular example the differences between risk-reduction strategies do not appear very pronounced. One reason for this is purely an artifact of the normalization of the RE scale. If absolute RE is used (that is, actual risk removed rather than relative risk reduction), the difference becomes more pronounced. There is a small concern that the absolute risk reduction profile may not be consistent with the relative risk reduction profile. However, under general circumstances it can be shown that an optimal relative risk-reduction profile implies an optimal absolute risk-reduction profile.

In our example from Figure 5, the differences in RE (and, to a lesser extent, in effort) between the attributes are relatively small when using a single assessment technique (in this example, vulnerability checklists). Allowing multiple assessment techniques can make a profound difference. Consider in our example if the following different assessment techniques were employed:

AT1: Analysis using formal model
AT2: API test
AT3: Model checking
AT4: Code review
AT5: Lessons learned
AT6: Test suites
AT7: Vulnerability checklist
AT8: Static analysis of code
AT9: Estimation
AT10: Interview vendor
AT11: Investigation of past data
AT12: Test on emulator
AT13: Benchmark test
AT14: Attack simulation

[Figure: absolute RE (0 to 20000) versus Cost (0 to 1500) for two assessment orderings, labelled “MAX CB” and “Arbitrary”]

Figure 6: Absolute RE for Multiple Assessment Techniques on Example System

A comparison of maximum cost-benefit versus arbitrarily ordered assessment strategies using multiple assessment techniques is shown in Figure 6. The significant difference between the strategies here is clear: the same amount of risk can be reduced for 1/3 of the effort. This kind of difference can be critical to a successful risk management effort.

The practical application of a strategic method assumes we are able to generate realistic strategic risk models. From the above discussion it is clear that we want to apply the most appropriate risk management approach for each risk. Allowing for multiple assessment techniques greatly increases the risk-reduction cost-benefit. How to do this in general is not entirely without complications. For example, in generating a multi-attribute strategy we must account for the possibility that for some attributes a particular assessment technique may not apply (e.g. API test for Misled Operator) or may not be cost-effective (e.g. Model Checking for Unauthorized Administrator). We now present an algorithm that generates a practical, cost-effective strategic method (maximum risk reduction with respect to costs) with multiple assessment techniques for each attribute:

Step 1: Identify the most significant system assessment attributes. Label them 1, …, n.

Step 2: Identify the most significant assessment techniques (e.g. product testimonials, prototyping, etc.) applicable to the project and to the available resources (e.g. staff skills, tools). Label them 1, …, m.

Step 3: Estimate the relative S_i(L) quantities for attributes i = 1, …, n before any assessment.

Step 4: Estimate the effort C_ij, the size S_ij(L), and the change in risk exposure ΔRE_ij(L) = S_i(L) × P_i(L) − S_ij(L) × P_ij(L) resulting from assessing attribute i using technique j. Henceforth we associate ij with the pair (attribute i, technique j).

Step 5: Calculate the RRL matrix RRL_ij = ΔRE_ij(L) / C_ij. Let T(k) = (r_k, c_k) be the (attribute r_k, technique c_k) index of the kth largest element in the matrix. For each k, remove RRL_{r_k c_k} from the matrix and then define T(k+1) from the largest remaining element, until all n attributes are covered. Set C_T(k) to be the corresponding C_ij and ΔRE_T(k) to be the corresponding ΔRE_ij(L).

Step 6: Graph the cumulative RE drop, RE(n) = RE_total − Σ_{k=1}^{n} ΔRE_T(k), versus cumulative effort C(n) = Σ_{k=1}^{n} C_T(k).

The above process produces an ideal RE_security risk reduction strategy as presented earlier, and it easily generalizes to risk control management activities. The strategy dictates performing T(k) for k = 1, 2, 3, … until the cost outweighs the benefit (i.e. RRL_T(k) < 1), unless other risk reduction goals are desired (this will be discussed further in the next section). The algorithm assumes that the entire effort allocated for each T(k) will be expended and that the attribute will then not be assessed further. As a result, there may be more optimal strategies that allow for partial effort using multiple techniques per attribute. Multi-attribute optimization techniques such as simulated annealing could potentially be applied to find these but will not be discussed further here. Since the algorithm is somewhat involved, an example to illustrate it is presented in Tables 2a, b, c, d, e, resulting in the RE_security reduction strategy displayed in Figures 7a, b. For simplicity of exposition, in this example we will assume that the techniques only change the probability and not the size of the risks. That is, we will consider CB and not RRL; however, the example easily generalizes. As such, we will be calculating ΔP_ij(L) and CB_ij rather than RRL_ij.

Attribute abbreviations: misop: misled operator; syscr: system crash; sysft: system fault; unacc: unauthorized access; denos: denial of service.
Technique abbreviations: pdt = product testimonials; rvc = review checklist; ppy = product prototyping.

misop   syscr   sysft   unacc   denos
  50      40      40      70      50

Table 2a: Attribute Loss Size (Steps 1, 2, 3)

C_ij     misop   syscr   sysft   unacc   denos
pdt        10      10      10      10      10
rvc        30      20      20      30      30
ppy        70      70       1      80      73

Table 2b: (attribute i, technique j) Effort (Step 4)

ΔP_ij(L)   misop   syscr   sysft   unacc   denos
pdt          40      10      60      11      20
rvc          70      30      55      30      30
ppy          90      90      30      90      90

Table 2c: (attribute i, technique j) RE Reduction (Step 4)

CB_ij    misop   syscr   sysft   unacc   denos
pdt       200      40     240      77     100
rvc       117      60     110      70      50
ppy        64      51      30      79      62

Table 2d: (attribute i, technique j) Cost-Benefit (Step 5)

T(k)   CB_ij (sorted)   E_T(k)   ΔP_T(k)   RE_total − ΔRE_T(k)
  1        240.00          10       240             896
  2        200.00          20        40             656
  3        116.67          50        70             616
  4        110.00          70        55             546
  5        100.00          80        20             491
  6         78.75         160        90             471
  7         77.00         170        11             381
  8         70.00         200        30             370
  9         64.29         270        90             340
 10         61.64         343        90             250
 11         60.00         363        30             160
 12         51.43         433        90             130
 13         50.00         463        30              40
 14         40.00         473        10              10
 15         30.00         474        30               0

Table 2e: Highest Cost-Benefit Sorted (attribute i, technique j) (Step 5)

While this appears to be somewhat complex at first blush, the algorithm is actually fairly straightforward to implement and use. For example, the authors performed all the analysis for this example and for the example in Figure 6 completely within a spreadsheet.
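Steps 1 to 6 above, run over the data of Tables 2a to 2c, as an added example (this is not the authors' spreadsheet; the function names are mine). Two assumptions are made: the (sysft, ppy) effort is taken as 40 hours, the value that the CB of 30 in Table 2d implies, and ΔRE_ij is tracked as S_i × ΔP_ij / 100, i.e. in percent of project value, rather than as ΔP alone. The block also contrasts the max-CB order with a technique-major order at a fixed effort budget, which is the comparison Figures 5 and 6 make graphically.

```python
"""Steps 1-6 of the multi-technique strategic method on the Table 2 data.
Example code added to this section, not the authors' spreadsheet.
Assumption: the (sysft, ppy) effort is 40 hours, as Table 2d's CB of 30 implies."""
from itertools import product

ATTRIBUTES = ["misop", "syscr", "sysft", "unacc", "denos"]
TECHNIQUES = ["pdt", "rvc", "ppy"]

# Table 2a: S_i(L), loss size as percent of project value (Steps 1-3)
S = {"misop": 50, "syscr": 40, "sysft": 40, "unacc": 70, "denos": 50}

# Table 2b: C_ij, assessment effort in hours (Step 4); (sysft, ppy) assumed 40
C = {
    "pdt": {"misop": 10, "syscr": 10, "sysft": 10, "unacc": 10, "denos": 10},
    "rvc": {"misop": 30, "syscr": 20, "sysft": 20, "unacc": 30, "denos": 30},
    "ppy": {"misop": 70, "syscr": 70, "sysft": 40, "unacc": 80, "denos": 73},
}

# Table 2c: ΔP_ij(L), drop in exploitation probability in percent (Step 4)
DP = {
    "pdt": {"misop": 40, "syscr": 10, "sysft": 60, "unacc": 11, "denos": 20},
    "rvc": {"misop": 70, "syscr": 30, "sysft": 55, "unacc": 30, "denos": 30},
    "ppy": {"misop": 90, "syscr": 90, "sysft": 30, "unacc": 90, "denos": 90},
}


def delta_re(attr: str, tech: str) -> float:
    """ΔRE_ij = S_i * ΔP_ij / 100, exposure removed in percent of project value.
    S is unchanged because the techniques only lower the probability."""
    return S[attr] * DP[tech][attr] / 100


def cost_benefit(attr: str, tech: str) -> float:
    """CB_ij = ΔP_ij * S_i / C_ij in the units of Table 2d (percents, not fractions)."""
    return DP[tech][attr] * S[attr] / C[tech][attr]


def strategy() -> list:
    """T(1), T(2), ...: every (attribute, technique) pair, highest CB first (Step 5)."""
    pairs = list(product(ATTRIBUTES, TECHNIQUES))
    return sorted(pairs, key=lambda p: cost_benefit(*p), reverse=True)


def technique_major_order() -> list:
    """An 'arbitrary' order: every attribute with pdt, then rvc, then ppy,
    i.e. the order in which the tables list the pairs."""
    return [(a, t) for t in TECHNIQUES for a in ATTRIBUTES]


def profile(order) -> list:
    """Step 6: (cumulative effort, RE remaining) after each activity in `order`.
    RE_total is the exposure that the full set of activities can remove."""
    re_total = sum(delta_re(a, t) for a, t in order)
    points, effort, remaining = [], 0, re_total
    for a, t in order:
        effort += C[t][a]
        remaining -= delta_re(a, t)
        points.append((effort, round(remaining, 2)))
    return points


def reduction_within_budget(order, budget: int) -> float:
    """RE removed when activities are done in `order` and work stops at the
    first one that does not fit the budget (the 'stopped at any point' case)."""
    spent = removed = 0.0
    for a, t in order:
        if spent + C[t][a] > budget:
            break
        spent += C[t][a]
        removed += delta_re(a, t)
    return round(removed, 2)


if __name__ == "__main__":
    for k, (a, t) in enumerate(strategy(), 1):
        print(f"T({k:2d}) = ({a}, {t})  CB = {cost_benefit(a, t):7.2f}")
    for budget in (80, 200, 400):
        print(budget, reduction_within_budget(strategy(), budget),
              reduction_within_budget(technique_major_order(), budget))
```

The sorted order reproduces the ranking of Table 2e, and at an 80, 200 or 400 hour cut-off the max-CB order has removed more exposure than the technique-major order (202.7 versus 170.7 percent-of-value at 200 hours). The effect is not unconditional: at a cut-off of 100 hours the technique-major order happens to fit one more cheap activity and edges ahead, which is the indivisibility caveat that a greedy ordering of fixed-size activities always carries.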

[Figure 7a: Cumulative Cost-Benefit (0 to 1400) versus Cumulative Cost (0 to 500), one point per activity T(1) … T(15). Figure 7b: RE (0 to 1000) versus Cumulative Cost (0 to 500), one point per activity T(1) … T(15)]

Figure 7a: Cost-Benefit T(k)    7b: RE_security reduction T(k) (Step 6)

5.2 Strategic Decision Making and Competing Risks

With a collection of strategic risk models, the strategic method can be used to provide meaningful answers to questions such as “how much is enough” risk assessment, mitigation, or control effort to invest in. This question is critically important, as in practice it is infeasible to implement exhaustive risk reduction due to constraints on resources (e.g. budget, personnel, schedule, technology limitations). Even without such constraints, it is frequently impossible to reduce a risk to zero or even to determine all possible risks for any given system. The best we can strive for is to reduce risk as much as possible within the given resources and uncertainties.

Recall from previous sections that ordering risk-reduction activities from highest to lowest RRL results in the “ideal” risk-reduction profile as indicated in Figure 3. It can be shown that, with respect to cost considerations, this is the optimal ordering for reducing risk when only a fraction of the risk reduction activities will be performed. That is, if risk reduction activity is stopped at any point, there is no other ordering that reduces more risk and leaves less total risk when the remaining activities are not done. (Strictly, this holds when activities are divisible; with indivisible activities of unequal cost, a cheaper but lower-leverage activity can occasionally fit into a budget that the next highest-leverage one does not.) In this model, if cost is the only consideration, then a natural answer to how much is enough is when the cost exceeds the risk reduction benefit. Since the ordering of RRL is decreasing, there will be no activity beyond this point that would decrease the risk m