Threat is an event that could compromise the information security by causing loss or damage to assets. The threat is predominantly external to an organization. Examples of threats are fire, flood, hacking, and so on.

Vulnerability is a hole or a weakness in the system. Threat can exploit vulnerabilities through its agents called threat agents. For example, having no antivirus software is a vulnerability, which a threat agent like a virus could exploit. Similarly, hacking is a threat that could exploit a weakness in the system through its agent, for instance, a hacker.

A threat event exploiting a vulnerability is called as an attack. The end result of an attack can lead to a security violation. An attack either compromises a security control or lack of it and can affect the CIA requirements of the asset.

Observe the following illustration, which now provides threat and vulnerability scenarios in the same network depicted earlier. It is apparent, that due to vulnerabilities in the system, threat agents may be able to attack and possibly succeed in penetrating the network and obtain confidential information, alter sensitive data, or stop a service. However, we still do not know yet that such an attack could materialize with prevailing controls in place. But we will be able to estimate the possible impact if such an attack materializes. In other words, we will be able to estimate potential loss.

Fig 3

Hence, in a threat risk modeling process, the following steps are necessary to estimate potential loss:

We have reviewed assets and CIA requirements of assets in the previous chapter. The rest of the steps are covered in the following topics.

In a threat risk-modeling scenario, the infrastructure/application has to be broken down into various types of assets. Observe the following flow diagram:

Fig 4

During threat and vulnerability analysis, the following questions are pertinent to determine the risks:

Q1. What are the security objectives (requirements)?

Security objectives are based on policies, such as the information security policy, legal/regulatory requirements as mandated in privacy laws, Service Level Agreements (SLA) as required in infrastructure availability, or data integrity assurance requirements as required in financial transactions.

Q2. What is the overall infrastructure?

What are the individual components in the infrastructure? What are the CIA values of the assets (people, infrastructure, application, data, and so on)? Will the CIA values change due to certain factors? If so, what are those factors?

Infrastructure consists of physical security requirements, such as secure locations, and environmental requirements, such as clean power, heating, ventilation and air conditioning, and so on.

Application security requirements are based on access control, data flows, trust boundaries, and so on.

Q3. What threats are applicable based on the type of assets (threat register)? What are the prevailing threats to these assets?

Identify and document threats to the infrastructure, threats to the application, and threats to data.

Q4. What are the vulnerabilities (vulnerability register) that these threats can compromise? Which of these vulnerabilities are identified in these assets?

Identify and document vulnerabilities in infrastructure, applications in data flow, and so on.

When a corporation compiles the answers to the preceding questions, it is in the process of threat and vulnerability analysis. The end result of such an exercise will be a documented matrix of assets, threats, and vulnerabilities.

Based on the matrix of threats and vulnerabilities and based on the results of security testing, a few attack scenarios can be constructed. Such a scenario is called as an attack tree.

Observe the following single dimensional attack tree. This attack tree is based on Fig 2 in the previous page:

Fig 5

Hence, an attack tree is constructed based on the following questions:

Q1. What are the various attacks that are possible based on the type of assets (attack vectors)?

Attack possibilities can be created based on vulnerability assessment, penetration testing, application security testing, and also based on the existing documentation of attacks that are available from trusted sources.

Q2. What will happen when the attack succeeds?

Identify the system or data that will be compromised, CIA values that will be affected and so on. It is also important to identify cascading effects of such a compromise. For example, if an attacker compromises a webserver, will the other servers that have trust relationships established with the webserver be compromised?

Q3. What will be the loss? Is the loss quantifiable?

Identify loss in terms of money, time to recover, policy violation and its impact, loss of competitive advantage, customer loss, compliance violation and its impact, and so on.

Risk is an exposure to loss or damage due to threats, vulnerabilities, and attacks. Hence, risk analysis is used to estimate the probability of an attack, identify prevailing controls and their effectiveness in combating the attacks, and estimate the consequence of such an attack in terms of potential loss.

Risk has to be understood from the following perspectives:

The damage caused due to a security violation is called as an impact. The magnitude of such an impact is the potential loss or, in other words, risk.

If the magnitude of an impact can be calculated in monetary terms (say, a dollar value), then the risk is defined in quantitative terms. If the magnitude cannot be determined in terms of monetary value, but can be measured in relative terms (such as high, medium, or low), then the risk is defined in qualitative terms.

In terms of information security, ISO/IEC 27000 defines risk as the probability of a threat exploiting the vulnerability and the consequence of loss or damage to the asset due to that event. This is called probability versus consequence analysis and is a type of risk analysis.

The results of probability versus consequence risk analysis will provide four scenarios. Refer to the following illustration (Fig 6):

Fig 6

By systematically analyzing the probability of a threat exploiting vulnerability and the related consequences, one can deduce the risk.

The process of determining the risk level in terms of threats and a vulnerabilities and the probability versus consequence analysis is called risk analysis. In other words, risk analysis is a systematic process of identifying the risks and estimating the loss if the risk materializes.

In the risk analysis process, related parameters of threats, vulnerabilities, and attacks are taken into consideration to derive a value. The value can be a number (quantitative) or an expression (qualitative). This derived value is called the risk value. For example, an insurance agent may consider different parameters, such as age, health conditions, hereditary diseases, habits, and so on, before determining a premium for life insurance. Similarly, in information security, parameters are based on assets, their required CIA values, threats, vulnerabilities, and attacks.

Risk analysis process involves two distinctive activities. One is to measure the impact of the risk. The analysis process tries to estimate the loss in terms of monetary value if a risk materializes. However, assets are tangible or intangible in nature. It is not possible to always determine the value of assets in monetary terms. Hence, two types of analysis are used to determine loss expectancy. One is called quantitative risk analysis and the other is called qualitative risk analysis.

Both quantitative and qualitative risk analysis processes require that the value of the asset is determined. The terms of reference by which the significance of the risk is determined called are risk criteria.

Using risk analysis methods, either quantitative or qualitative risk values are obtained. This activity of assigning values to risk is called risk estimation. Once the risks are identified, it is important to understand their significance in terms of the impact to the business. This process of estimating the impact is called risk evaluation. Overall, the process of risk analysis and risk evaluation is called risk assessment.

Based on the risk assessment, suitable strategies are devised to mitigate the risks. These strategies are called controls or counter measures, which are safeguards against the risk. There are four types of risk mitigation strategies followed in the information security domain:

Fig. 7

Suitable plans need to be drawn up and controls are identified to mitigate the risks. Such plans are called risk treatment plans.

Coordinated activities to manage the risk by way of risk assessment, risk treatment, risk acceptance, risk communication to stakeholder, risk monitoring, and risk review are collectively called risk management.

Due to the heterogeneous nature of information systems, even after applying the controls, it may not be possible to assure either 100% security or 0% risk to assets. There is an amount of risk that will remain after implementing safeguards. This risk is called residual risk. For example, assume the SLE for the company website is 50,000. The EF is currently 1. Firewall A will reduce the EF to .10 and cost 10,000. Firewall B will reduce the EF to .0 and cost 50,000. Going with Firewall A will cost 40,000 less, but will still leave you with 5,000 of residual risk. Given that it would cost 40,000 to remove 5,000 of the risk, it is prudent to allow residual risk instead of implementing additional controls. In this scenario, risk acceptance is the best strategy.

Generally, risk mitigation strategies for confidentiality and integrity-related risks are implemented through various operational and technical means. They are covered in domains, such as cryptography, telecommunication network security, access control, and so on. Risk mitigation strategies to address risks in terms of the availability of assets is addressed through the business continuity management processes.

In the business continuity domain, the focus is on specific threat events that could have a devastating impact on the functioning of the organization as a whole and the IT infrastructure in specific. Examples of such events are fires, floods, earthquakes, tornados, terrorist attacks, and so on.

Generally, an organization may not have controls to prevent such events. Such events are termed as disruptive events. In other words, an event that could impact regular operations for a prolonged period of time is a disruptive event. Hurricane Katrina, the attacks on the World Trade Center in 2001, or the collapse of large organizations, such as Enron, are examples of disruptive threat events.

Business continuity management involves the following:

Business continuity management consists of policies as stipulated by the senior management, processes that involve business continuity-related activities, people with required skill sets, and infrastructure resources to support critical business functions.

Addressing the risks by way of plans and procedures for the continuation of business operations during and after a disruptive event is called Business Continuity Planning (BCP). The aim is to prevent interruptions to business operations.

This domain is concerned with the continuation of critical business processes and business support systems in the event of an incident, emergency, or disaster. For example, critical business processes may include accounting, payroll, Customer Relationship Management (CRM), and so on.

BCP involves the following:

Fig. 8

While designing the BCP, availability should be considered the primary factor. The objective of BCP is to avoid any serious damage to the business also to enable the recovery of information systems within an acceptable timeframe. This time frame is derived from Business Impact Analysis.

BCP should be as follows:

BCP resources should include the availability of processes and the availability of people to implement the processes.

The BCP process should include testing the plans and day-to-day functions/activities to be performed to make the plan effective and ready at all times.

BCP measures should include preventative measures to control known issues and facilitating measures to act in a timely manner on the issues that are not under the control of the organization.

BCP should identify mission-critical systems, business impact due to the nonavailability of critical systems (loss of revenue, loss of profits, inability to comply with laws, damage to reputation, and so on), preventive controls, and recovery controls.

BCP objectives should include recovery time by way of Recovery Time Objectives (RTO) and recovery points by way of Recovery Point Objectives (RPO).

Business continuity procedures should include the procedure for testing plans and the procedure for updating plans.

The BCP should include the following: