Risk Management Concepts

Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The CISSP candidate must fully understand the risk management triple (asset, threat, and vulnerability), quantitative and qualitative risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.

The business of information security is all about risk management. A risk exists when a threat can exploit a vulnerability in an asset:

• Threat: Any natural or man-made circumstance or event that could have an adverse or undesirable impact, minor or major, on an organizational asset.

• Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.

• Asset: A resource, process, product, or system that has some value to an organization and must therefore be protected. Assets may be tangible (computers, data, software, records, and so on) or intangible (privacy, access, public image, ethics, and so on), and those assets may likewise have a tangible value (purchase price) or intangible value (competitive advantage).

Instant Answer: Threat × Vulnerability = Risk

This is a conceptual relationship rather than an arithmetic one: if either factor is absent (no threat agent, or no weakness for it to exploit), there is no risk. The value of the asset enters the picture when the risk is quantified, through the loss-expectancy calculations later in this chapter.

The risk management triple consists of an asset, a threat, and a vulnerability.

Risk can never be completely eliminated. Given sufficient time, resources, motivation, and money, any system or environment, no matter how secure, can eventually be compromised. Some threats or events, such as natural disasters, are entirely beyond our control and are largely unpredictable. Therefore the main goal of risk management is risk mitigation: reducing risk to a level that’s acceptable to an organization. Risk management consists of three main elements (each treated in an upcoming section):

• Identification

• Analysis

• Risk treatment

Risk identification

A preliminary step in risk management is risk identification: detecting and defining specific elements of the three components of risk (assets, threats, and vulnerabilities).

Instant Answer: The process of risk identification occurs during a risk assessment.

Asset valuation

Identifying an organization’s assets and determining their value is a critical step in determining the appropriate level of security. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance). An inaccurate or hastily conducted asset valuation process can have the following consequences:

• Poorly chosen or improperly implemented controls

• Controls that aren’t cost-effective

• Controls that protect the wrong asset

Instant Answer: A properly conducted asset valuation process has several benefits to an organization:

• Supports quantitative and qualitative risk assessments, Business Impact Assessments (BIAs), and security auditing

• Facilitates cost-benefit analysis and supports management decisions regarding selection of appropriate safeguards

• Can be used to determine insurance requirements, budgeting, and replacement costs

• Helps demonstrate due care, thus (potentially) limiting personal liability

Three basic elements used to determine the value of an asset are

• Initial and maintenance costs: Most often, a tangible dollar value that may include purchasing, licensing, development, maintenance, and support costs.

• Organizational (or internal) value: Often a difficult and intangible value. It may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised. It can also include liability costs associated with privacy issues, personal injury, and death.

• Public (or external) value: Another difficult and often intangible cost, public value can include loss of proprietary information or processes, as well as loss of business reputation.

Threat analysis

To perform threat analysis, you follow these four basic steps:

1. Define the actual threat.

2. Identify possible consequences to the organization if the threat event occurs.

3. Determine the probable frequency of a threat event.

4. Assess the probability that a threat will actually materialize.

For example, a company that has a major distribution center located along the Gulf Coast of the United States may be concerned about hurricanes. Possible consequences include power outages, wind damage, and flooding. Using climatology, the company can determine that an annual average of three hurricanes pass within 50 miles of its location between June and September, and that a high probability exists of a hurricane actually affecting the company’s operations during this period. During the remainder of the year, the threat of hurricanes has a low probability.

The number and types of threats that an organization must consider can be overwhelming, but you can generally categorize them as

• Natural: Earthquakes, floods, hurricanes, lightning, fire, and so on.

• Man-made: Unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, social engineering, malicious code and viruses, and so on.

Warning: Not all threats can be easily or rigidly classified. For example, fires and utility losses can be both natural and man-made. See Chapter 11 for more on disaster recovery.

Vulnerability assessment

A vulnerability assessment provides a valuable baseline for determining appropriate and necessary safeguards. For example, an organization may face a Denial of Service (DoS) threat that targets a vulnerability in Microsoft’s implementation of the Domain Name System (DNS). However, if the organization’s DNS servers have been properly patched, or the organization runs a UNIX-based BIND (Berkeley Internet Name Domain) server instead, the specific vulnerability may already have been adequately addressed, and no additional safeguard may be necessary for that threat. Because patch levels, software versions, and the threat landscape all change, the assessment is a point-in-time baseline and must be repeated periodically.

Risk Analysis (RA)

The next element in risk management is risk analysis, a methodical examination that brings together all the elements of risk management (identification, analysis, and treatment) and is critical to developing an effective risk management strategy.

Instant Answer: A risk analysis involves the following four steps:

1. Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization.

This component of risk identification is asset valuation.

2. Define specific threats, including threat frequency and impact data.

This component of risk identification is threat analysis.

3. Calculate Annualized Loss Expectancy (ALE).

The ALE calculation is a fundamental concept in risk analysis; we discuss this calculation later in this section.

4. Select appropriate safeguards.

This process is a component of both risk identification (vulnerability assessment) and risk treatment (which we discuss in the section “Risk treatment,” later in this chapter).

The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. Because it’s the estimated annual loss for a threat or event, expressed in dollars, ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. You determine ALE by using this formula:

SLE × ARO = ALE

Here’s an explanation of the elements in this formula:

• Single Loss Expectancy (SLE): A measure of the loss incurred from a single realized threat or event, expressed in dollars. You calculate the SLE by using the formula Asset value × Exposure Factor (EF).

Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage of the asset’s value. Because EF can’t exceed 100 percent, the SLE can never be more than the asset’s value.

• Annualized Rate of Occurrence (ARO): The estimated annual frequency of occurrence for a threat or event. ARO can be less than 1: an event expected once every ten years has an ARO of 0.1.

The two major types of risk analysis are qualitative and quantitative, which we discuss in the following sections.

Qualitative risk analysis

Qualitative risk analysis is more subjective than quantitative risk analysis; it can be purely qualitative and avoid numbers altogether, describing risks in relative terms (such as high, medium, or low) instead. The challenge of such an approach is developing realistic scenarios that describe actual threats and potential losses to organizational assets.

Qualitative risk analysis has some advantages when compared with quantitative risk analysis; these include

• No complex calculations are required.

• Time and work effort involved is relatively low.

• Volume of input data required is relatively low.

Disadvantages of qualitative risk analysis, compared with quantitative risk analysis, include

• No financial costs are defined; therefore cost-benefit analysis isn’t possible.

• The qualitative approach relies more on assumptions and guesswork.

• Generally, qualitative risk analysis can’t be automated.

• Qualitative results are harder to communicate. Executives tend to act on “This will cost us $3 million over 12 months” more readily than on “This will cause an unspecified loss at an undetermined future date.”

Instant Answer: A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (the assets and threats) of the risk analysis.

Quantitative risk analysis

A fully quantitative risk analysis requires all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, to be measured and assigned a numeric value. However, some of these components (notably safeguard effectiveness and uncertainty) can’t be measured objectively, so some qualitative judgment must always be applied.

Instant Answer: A quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis.

Achieving a purely quantitative risk analysis is impossible.

Advantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:

• Financial costs are defined; therefore, cost-benefit analysis is possible.

• More concise, specific data supports analysis; thus fewer assumptions and less guesswork are required.

• Analysis and calculations can often be automated.

• Specific quantifiable results are easier to communicate to executives and senior-level management.

Disadvantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:

• Many complex calculations are usually required.

• Time and work effort involved is relatively high.

• Volume of input data required is relatively high.

• Some assumptions are required. Purely quantitative risk analysis is generally not possible or practical.

Risk treatment

A properly conducted risk analysis provides the basis for selecting appropriate safeguards and countermeasures. A safeguard is a control or countermeasure that reduces risk associated with a specific threat. The absence of a safeguard against a threat creates vulnerability and increases risk.

Instant Answer: Safeguards counter risks through one of four general methods of risk treatment:

• Risk reduction (or mitigation): Reducing risk by implementing the necessary security controls, policies, and procedures to protect an asset. This can be achieved by altering, reducing, or eliminating the threat and/or the vulnerability associated with the risk.

This is the most common risk treatment.

• Risk assignment (or transference): Transferring the potential loss associated with a risk to a third party, such as an insurance company. Transference covers the financial loss only; the organization still owns the risk and any regulatory or reputational consequences.

• Risk avoidance: Eliminating the risk altogether by ceasing the activity or condition that introduced the risk in the first place.

• Risk acceptance: Accepting the loss associated with a potential risk. Acceptance is sometimes chosen merely for convenience (not prudent), but it is appropriate when the cost of other treatments is prohibitive and the probability or impact of the risk is low. Accepted risks should be documented and formally approved by the management that owns them.

Several criteria for selecting safeguards include cost-effectiveness, legal liability, operational impact, and technical factors.

Cost-effectiveness

The most common criterion for safeguard selection is cost-effectiveness, which is determined through cost-benefit analysis. Cost-benefit analysis for a given safeguard or collection of safeguards can be computed as follows:

Value of safeguard to the organization = ALE before safeguard − ALE after safeguard − Annual cost of safeguard

For example, if the ALE associated with a specific threat (data loss) is $1,000,000; the ALE after a safeguard (enterprise tape backup) has been implemented is $10,000 (recovery time); and the annual cost of the safeguard (purchase, installation, training, and maintenance) is $140,000; then the value of the safeguard to the organization is $1,000,000 − $10,000 − $140,000 = $850,000. A negative result means the safeguard costs more per year than the risk it removes, and another treatment (acceptance or transference) should be considered instead.

When calculating the cost of the safeguard, you should consider the total cost of ownership (TCO), including

• Purchase, development, and licensing

• Architecture and design

• Testing and installation

• Normal operating costs

• Resource allocation

• Maintenance and repair

• Production or service disruptions

The total cost of a safeguard is normally stated as an annualized amount.
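The SLE/ALE formulas from the “Risk Analysis (RA)” section and the safeguard cost-benefit formula above, implemented so that several candidate safeguards can be compared on an annualized basis. This is an added example, not code from the original chapter. The tape-backup figures are the chapter’s own ($1,000,000 ALE before, $10,000 after, $140,000 per year); the “off-site replication” and “dedicated hot site” safeguards, their costs, and the $200,000 asset used for the SLE/ALE calculation are constructed for illustration.

```python
# Added example (not from the original chapter): SLE, ALE and safeguard
# cost-benefit, with one-time costs spread over the safeguard's lifetime so
# that every candidate is compared as an annualized amount.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset value x EF. EF is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1 (0.1 = expected once per ten years)."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    one_time_cost: float   # purchase, design, testing, installation
    annual_cost: float     # operations, maintenance, disruptions, staff
    lifetime_years: int    # years over which the one-time cost is spread
    ale_after: float       # residual ALE with the safeguard in place

    def annualized_tco(self) -> float:
        """Total cost of ownership expressed per year (the chapter's convention)."""
        if self.lifetime_years < 1:
            raise ValueError("lifetime must be at least one year")
        return self.one_time_cost / self.lifetime_years + self.annual_cost


def safeguard_value(ale_before: float, safeguard: Safeguard) -> float:
    """Value = ALE before - ALE after - annualized cost of the safeguard.

    A negative value means the control costs more per year than the risk it
    removes; the sensible responses are then acceptance (if the residual risk
    is tolerable) or transference (insurance), not buying the control anyway.
    """
    return ale_before - safeguard.ale_after - safeguard.annualized_tco()


def rank_safeguards(ale_before: float,
                    safeguards: Iterable[Safeguard]) -> List[Tuple[str, float]]:
    """Candidates ordered from highest to lowest net value to the organization."""
    scored = [(s.name, safeguard_value(ale_before, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Chapter scenario: data loss, ALE before any safeguard = $1,000,000.
DATA_LOSS_ALE = 1_000_000.0

CANDIDATES = [
    # Chapter's own figures: $10,000 residual ALE, $140,000 all-in annual cost.
    Safeguard("enterprise tape backup", one_time_cost=0.0, annual_cost=140_000.0,
              lifetime_years=1, ale_after=10_000.0),
    # Constructed: $300,000 build-out spread over 5 years plus $20,000 a year.
    Safeguard("off-site replication", one_time_cost=300_000.0, annual_cost=20_000.0,
              lifetime_years=5, ale_after=2_000.0),
    # Constructed: eliminates the loss entirely but costs more than the ALE.
    Safeguard("dedicated hot site", one_time_cost=5_000_000.0, annual_cost=200_000.0,
              lifetime_years=5, ale_after=0.0),
]

if __name__ == "__main__":
    # Constructed SLE/ALE: a $200,000 asset, 25% exposure per event, two events a year.
    sle = single_loss_expectancy(200_000.0, 0.25)
    print(f"SLE ${sle:,.0f}, ALE ${annualized_loss_expectancy(sle, 2.0):,.0f}")
    for name, value in rank_safeguards(DATA_LOSS_ALE, CANDIDATES):
        print(f"{name:24s} net value ${value:,.0f}")
```

Running the block reproduces the chapter’s $850,000 for tape backup and shows why the annualized TCO matters: the hot site removes all of the loss yet ranks last, because its $1,200,000 per year exceeds the $1,000,000 ALE it eliminates.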

Legal liability

An organization that fails to implement a safeguard against a threat is exposed to legal liability if the cost of the safeguard would have been less than the loss resulting from the realized threat; this is essentially the burden-versus-probable-loss test applied in negligence cases. The liability in question could be statutory (a result of failing to obey the law) or civil (a result of failing to meet a contractual or duty-of-care obligation). A documented cost-benefit analysis is therefore useful both for determining legal exposure and for demonstrating due care.

Operational impact

The operational impact of a safeguard must also be considered. If a safeguard is too difficult to implement and operate, or interferes excessively with normal operations or production, it will be circumvented or ignored and thus not be effective.

Technical factors

The safeguard itself shouldn’t introduce new vulnerabilities. Technical problems that can do so include improper placement, configuration, or operation of the safeguard; a lack of fail-safe capabilities, insufficient auditing and accounting features, or improper reset functions, any of which can cause asset damage or destruction; and covert channel access or other unsafe conditions. A safeguard that can’t be monitored or that an unauthorized user can reset may leave the asset worse off than no safeguard at all.
