Risk Management and Controlling Risk


  • Risk Control Strategies
    • Once the ranked vulnerability risk worksheet is complete, one of four strategies must be chosen to control each risk:
      • Apply safeguards (avoidance)
      • Transfer the risk (transference)
      • Reduce impact (mitigation)
      • Understand consequences and accept risk (acceptance)

  • Avoidance
    • Attempts to prevent exploitation of the vulnerability
    • Preferred approach; accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards

  • Avoidance (continued)
    • Three common methods of risk avoidance:
      • Application of policy
      • Training and education
      • Applying technology

  • Transference
    • Control approach that attempts to shift risk to other assets, processes, or organizations
    • If the organization lacks security management and administration expertise, it should hire individuals or firms that provide it
    • The organization may then transfer the risk associated with management of complex systems to another organization experienced in dealing with those risks

  • Mitigation
    • Attempts to reduce the impact of vulnerability exploitation through planning and preparation
    • Approach includes three types of plans:
      • Incident response plan (IRP)
      • Disaster recovery plan (DRP)
      • Business continuity plan (BCP)

  • Mitigation (continued)
    • DRP is the most common mitigation procedure
    • The actions to take while an incident is in progress are defined in the IRP
    • BCP encompasses continuation of business activities if a catastrophic event occurs

  • Acceptance
    • Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
    • Valid only when the particular function, service, information, or asset does not justify the cost of protection
    • Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off against the expense of applying controls

  • Selecting a Risk Control Strategy
    • Level of threat and value of the asset play a major role in selection of strategy
    • Rules of thumb on strategy selection can be applied:
      • When a vulnerability exists
      • When a vulnerability can be exploited
      • When the attacker's cost is less than the potential gain
      • When potential loss is substantial

  • Figure 4-8: Risk Handling Decision Points

  • Categories of Controls
    • Controlling risk through avoidance, mitigation, or transference is accomplished by implementing controls
    • An effective approach is to select controls by category:
      • Control function
      • Architectural layer
      • Strategy layer
      • Information security principle

  • Categories of Controls (continued)
    • Control function: controls (safeguards) designed to defend systems are either preventive or detective
    • Architectural layer: some controls apply to one or more layers of the organization's technical architecture
    • Strategy layer: controls are sometimes classified by the risk control strategy (avoidance, mitigation, transference) in which they operate

  • Characteristics of Secure Information
    • Controls can be classified according to the characteristics of secure information they are intended to assure
    • These characteristics include: confidentiality, integrity, availability, authentication, authorization, accountability, and privacy

  • Feasibility Studies
    • Before deciding on a strategy, all information about the economic and non-economic consequences of the vulnerability of the information asset must be explored
    • A number of ways exist to determine the advantage of a specific control

  • Cost Benefit Analysis (CBA)
    • The most common approach for information security controls is economic feasibility of implementation
    • CBA begins by evaluating the worth of the assets to be protected and the loss in value if those assets are compromised
    • The formal process to document this is called a cost benefit analysis or economic feasibility study

  • Cost Benefit Analysis (CBA) (continued)
    • Items that affect the cost of a control or safeguard include: cost of development, training fees, implementation cost, service costs, and cost of maintenance
    • Benefit is the value an organization realizes by using controls to prevent losses associated with a vulnerability
    • Asset valuation is the process of assigning a financial value or worth to each information asset; there are many components to asset valuation

  • Cost Benefit Analysis (CBA) (continued)
    • Once the worth of the various assets is estimated, the potential loss from exploitation of the vulnerability is examined
    • The process results in an estimate of potential loss per risk

  • Cost Benefit Analysis (CBA) (continued)
    • Expected loss per risk is stated in the following equation:
      • Annualized loss expectancy (ALE) = Single loss expectancy (SLE) × Annualized rate of occurrence (ARO)
    • SLE is equal to asset value times exposure factor (EF)

  • The Cost Benefit Analysis (CBA) Formula
    • CBA determines whether or not the control alternative being evaluated is worth the cost incurred to control the vulnerability
    • CBA is most easily calculated using the ALE from earlier assessments, before implementation of the proposed control:
      • CBA = ALE(prior) - ALE(post) - ACS

  • The Cost Benefit Analysis (CBA) Formula (continued)
    • ALE(prior) is the annualized loss expectancy of the risk before implementation of the control
    • ALE(post) is the estimated ALE based on the control being in place for a period of time
    • ACS is the annualized cost of the safeguard
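The SLE, ALE and CBA slides above worked through in code, as an added example that is not part of the original deck: it scores several hypothetical control alternatives for one asset and ranks them by CBA. The asset value, exposure factors, rates of occurrence, safeguard costs and alternative names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RiskEstimate:
    """Loss inputs for one asset-vulnerability pair (values are constructed, not from the slides)."""
    asset_value: float      # worth assigned during asset valuation
    exposure_factor: float  # EF: fraction of asset value lost in a single incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard prevents more annual loss than it costs."""
    return ale_prior - ale_post - acs


def rank_controls(prior: RiskEstimate,
                  alternatives: Dict[str, Tuple[RiskEstimate, float]]) -> List[Tuple[str, float]]:
    """Score each alternative (its post-control estimate and ACS) and order them by CBA, best first."""
    scored = [(name, cba(prior.ale(), post.ale(), acs))
              for name, (post, acs) in alternatives.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: a customer database valued at 500,000, where one breach is
# estimated to destroy 40% of that value and a breach is expected once every two years.
PRIOR = RiskEstimate(asset_value=500_000, exposure_factor=0.4, aro=0.5)

# Hypothetical control alternatives: (estimate with the control in place, annualized cost).
ALTERNATIVES = {
    "encrypt_and_monitor": (RiskEstimate(500_000, 0.1, 0.25), 30_000),
    "policy_and_training": (RiskEstimate(500_000, 0.3, 0.4), 5_000),
    "managed_service": (RiskEstimate(500_000, 0.1, 0.25), 95_000),
}

if __name__ == "__main__":
    print(f"SLE={PRIOR.sle():,.0f}  ALE(prior)={PRIOR.ale():,.0f}")
    for name, value in rank_controls(PRIOR, ALTERNATIVES):
        print(f"{name:20s} CBA={value:>10,.0f}  {'justified' if value > 0 else 'not justified'}")
```

Note that the cheapest option is not the best one: the ranking compares loss avoided against cost, so a dearer safeguard that removes more ALE can win, while a safeguard whose ACS exceeds the loss it prevents scores negative and points toward acceptance or another alternative.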

  • Benchmarking
    • An alternative approach to risk management
    • Benchmarking is the process of seeking out and studying practices in other organizations that one's own organization desires to duplicate
    • One of two measures is typically used to compare practices:
      • Metrics-based measures
      • Process-based measures

  • Benchmarking (continued)
    • Standard of due care: when adopting levels of security for a legal defense, the organization shows it has done what any prudent organization would do in similar circumstances
    • Due diligence: demonstration that the organization is diligent in ensuring that implemented standards continue to provide the required level of protection
    • Failure to support the standard of due care or due diligence can leave the organization open to legal liability

  • Benchmarking (continued)
    • Best business practices: security efforts that provide a superior level of protection of information
    • When considering best practices for adoption in an organization, consider:
      • Does the organization resemble the identified target with the best practice?
      • Are the resources at hand similar?
      • Is the organization in a similar threat environment?

  • Problems with Applying Benchmarking and Best Practices
    • Organizations don't talk to each other (biggest problem)
    • No two organizations are identical
    • Best practices are a moving target
    • Knowing what was going on in the information security industry in recent years through benchmarking doesn't necessarily prepare for what's next

  • Baselining
    • Analysis of measures against established standards
    • In information security, baselining is the comparison of security activities and events against an organization's future performance
    • When baselining, it is useful to have a guide to the overall process

  • Other Feasibility Studies
    • Operational: examines how well proposed information security alternatives will contribute to the organization's efficiency, effectiveness, and overall operation
    • Technical: examines whether or not the organization has or can acquire the technology necessary to implement and support the control alternatives
    • Political: defines what can and cannot occur based on consensus and relationships between communities of interest

  • Risk Management Discussion Points
    • Organizations must define the level of risk they can live with
    • Risk appetite: defines the quantity and nature of risk that organizations are willing to accept as trade-offs between perfect security and unlimited accessibility are weighed
    • Residual risk: risk that has not been completely removed, shifted, or planned for

  • Documenting Results
    • At minimum, each information asset-threat pair should have a documented control strategy clearly identifying any remaining residual risk
    • Another option: document the outcome of the control strategy for each information asset-vulnerability pair as an action plan
    • Risk assessment may be documented in a topic-specific report

  • Recommended Practices in Controlling Risk
    • Convince budget authorities to spend up to the value of the asset to protect it from the identified threat
    • The final control choice may be a balance of controls providing the greatest value to as many asset-threat pairs as possible
    • Organizations looking to implement controls that don't involve such complex, inexact, and dynamic calculations

  • Qualitative Measures
    • The spectrum of steps described previously, performed with real numbers, is known as a quantitative assessment
    • Qualitative assessment: based on characteristics that do not use numerical measures

  • Delphi Technique
    • A technique for accurately estimating scales and values
    • Process whereby a group of individuals rates or ranks a set of information
    • Responses are compiled and returned to the group for another iteration
    • The process continues until the group is satisfied with the result
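The compile-and-return loop of the Delphi technique as an added example, not code from the original deck: a group rates a set of assets on a 1-5 risk scale, each round is compiled into a group median and spread, and the loop repeats until the spread is small enough. The slides do not say how responses are compiled or when the group counts as "satisfied", so the median/spread summary, the stopping threshold, and the simulated revision behaviour (each participant moves one step toward the median) are all assumptions of this example, as are the asset names and ratings.

```python
from statistics import median
from typing import Dict, List, Tuple

# item -> one rating per participant (1 = lowest risk, 5 = highest); constructed inputs
Ratings = Dict[str, List[int]]
Summary = Dict[str, Tuple[float, int]]


def compile_round(ratings: Ratings) -> Summary:
    """Compile one round: per item, the group median and the spread (max - min).

    The slide does not prescribe the statistic returned to the group; median and
    spread are this example's assumption.
    """
    return {item: (median(values), max(values) - min(values)) for item, values in ratings.items()}


def next_round(ratings: Ratings, summary: Summary) -> Ratings:
    """Simulate the next iteration: each participant moves one step toward the group median.

    This stands in for real participants revising their answers after seeing the
    compiled results; it is a simulation assumption, not part of the method.
    """
    revised: Ratings = {}
    for item, values in ratings.items():
        target = summary[item][0]
        revised[item] = [v + 1 if v < target else v - 1 if v > target else v for v in values]
    return revised


def delphi(ratings: Ratings, max_spread: int = 1, max_rounds: int = 10) -> Tuple[List[Tuple[str, float]], int]:
    """Iterate until every item's spread is <= max_spread (assumed 'satisfied' criterion).

    Returns the final ranking (highest median risk first) and the number of rounds
    used; max_rounds stops the loop if the group never converges.
    """
    rounds = 0
    while True:
        summary = compile_round(ratings)
        rounds += 1
        if all(spread <= max_spread for _, spread in summary.values()) or rounds >= max_rounds:
            ranking = sorted(((item, med) for item, (med, _) in summary.items()), key=lambda x: -x[1])
            return ranking, rounds
        ratings = next_round(ratings, summary)


# Constructed first-round ratings from five participants for three hypothetical assets.
ROUND_ONE: Ratings = {
    "customer_db": [5, 4, 5, 2, 5],
    "public_web": [3, 2, 4, 3, 1],
    "test_server": [1, 2, 1, 3, 1],
}
```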

  • Summary
    • Risk identification: formal process of examining and documenting risk present in information systems
    • Risk control: process of taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of components in the organization's information system

  • Summary
    • Risk identification
      • A risk management strategy enables identification, classification, and prioritization of the organization's information assets
      • Residual risk: risk that remains to the information asset even after the existing control is applied

  • Summary
    • Risk control: four strategies are used to control risks that result from vulnerabilities:
      • Apply safeguards (avoidance)
      • Transfer the risk (transference)
      • Reduce impact (mitigation)
      • Understand consequences and accept risk (acceptance)

  • RISK CONTROL STRATEGIES
    • When organizational management has determined that risks from information security threats are creating a competitive