2
Risk Management
In this chapter you will
•  Explore the different types of risk
•  Learn basic terminology associated with risk management
•  Examine qualitative risk management methods
•  Examine quantitative risk management methods
•  Explore the types of risk controls
Risk management is an important element of the decision-making process. It is the total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. Risk management includes risk analysis, cost-benefit analysis, selection, implementation and testing, security evaluation of safeguards, and overall security review. In the simplest terms, when you manage risk, you assess the impact if an adverse event were to happen, and you decide what you could do to control that impact as much as you or your management deems necessary. You then can decide to act or not to act with respect to your understanding of risks and consequences. This process is not just for senior management, but can be adopted at all levels of action throughout an organization, and for risks to be truly managed in the enterprise, a multilevel, responsive, risk-based management methodology is required.
Risk management is both a skill and a task that is performed by all managers, either deliberately or intuitively. It can be simple or complex, depending on the size of the project or business and the amount of risk inherent in an activity. Two main methodologies are used for risk management: qualitative and quantitative. Every manager, at all levels, must learn to manage risk. The essence of risk management is to maximize the areas where one has some control over the outcome while minimizing the areas where one has no control over the outcome, or where the linkage between cause and effect is hidden.
NOTE   The purpose of risk management is to improve the future, not explain the past.
Definitions and Terminology
Risk management is a discipline with its own vocabulary. Understanding these terms is important if one wants to communicate with others in this technical domain. The list of terms is organized into groups of related terms. A complete set of comprehensive definitions and other pertinent terms are listed alphabetically in the glossary at the end of this book.
General Terms
The following terms are general terms associated with risk management.
Risk   Risk is the possibility of suffering harm or loss.
Residual risk   Residual risk is the risk that remains after a control is utilized and reduces the specific risk associated with a vulnerability. This is the level of risk that must be borne by the entity.
Total risk   The sum of all risks associated with an asset, a process, or even a business is called the total risk.
Risk management   Risk management is the overall decision-making process of identifying threats and vulnerabilities and their potential impacts, determining the costs to mitigate such events, and deciding what actions are cost effective for controlling these risks.
Risk assessment   Risk assessment is the process of analyzing an environment to identify the risks (threats and vulnerabilities) and possible mitigating actions, and to determine (either quantitatively or qualitatively) the impact of an event that would affect a project, program, or business. It is also sometimes referred to as risk analysis.
Asset   An asset is any resource or information an organization needs to conduct its business.
Vulnerability   A vulnerability is any characteristic of an asset that can be exploited by a threat to cause harm. Your system has a security vulnerability, for example, if you have not installed patches to fix a cross-site scripting (XSS) error on your website.
Attack   The instance of attempting to perform undesired or unauthorized activities via a vulnerability.
Impact   Impact is the loss resulting when a threat exploits a vulnerability. A malicious hacker (the threat) uses an XSS tool to hack your unpatched website (the vulnerability), stealing credit card information that is used fraudulently. The credit card company pursues legal recourse against your company to recover the losses from the credit card fraud (the impact).
Threat   A threat is any circumstance or event with the potential to cause harm to an asset. For example, a malicious hacker might choose to hack your system by using readily available hacking tools.
Mitigate   The term mitigate refers to any action taken to reduce the likelihood of a threat occurring or the impact if it does occur.
Control   A control is a measure taken to detect, prevent, or mitigate the risk associated with a threat. The term control is also called countermeasure or safeguard.
Qualitative risk assessment   Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. Completing the qualitative risk assessment usually involves the use of expert judgment, experience, or group consensus to complete the assessment.
Quantitative Terms
The following terms are associated specifically with quantitative risk management.
Quantitative risk assessment   Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business. Quantitative risk assessment usually involves the use of metrics and models.
Single loss expectancy (SLE)   The single loss expectancy (SLE) is the monetary loss or impact of each occurrence of a threat.
Exposure factor   The exposure factor is a measure of the magnitude of loss of an asset, expressed as the fraction (or percentage) of the asset's value that is lost when the threat is realized. It is used in the calculation of single loss expectancy.
Annualized rate of occurrence (ARO)   Annualized rate of occurrence (ARO) is the frequency with which an event is expected to occur on an annualized basis.
Annualized loss expectancy (ALE)   Annualized loss expectancy (ALE) is how much an event is expected to cost per year.
EXAM TIP   These terms are important, and you should completely memorize their meanings before taking the CSSLP exam.
Risk Management Statements
Statements associated with risk management can take many forms. When communicating risk information, a complete and comprehensive statement can help prevent miscommunication caused by an assumption associated with the details. A well-formed risk statement will include the following elements: asset, threat, vulnerability, mitigation, impact, and probability. Figure 2-1 illustrates the relationship of these elements.
Figure 2-1   Well-formed risk statement
Types of Risk
Risk is everywhere and is associated with everything you do. It comes in many forms and from many sources. Risk can be described by the area it impacts or the source of the vulnerability. It is common to separate business risk from technology risk, defining one as associated with the operation of the business and the other with the technical activities within the operations.
Risks can be classified as one of two types: systematic and unsystematic. Systematic risks, as the term is used here, are those chances of loss that are predictable under typical stable circumstances. Risks such as fire, theft, and software bugs are all examples of elements whose rates are stable over long periods of time. Unsystematic risks are those that are unpredictable in the aggregate because they come from sources that are difficult to predict. Recession, epidemics, and protocol design errors are examples of this type of risk. Because of the stable, predictable nature of systematic risks, they can be mitigated through diversification (and insured against), whereas unsystematic risks do not respond to normal measures. (Note that this usage differs from the convention in finance, where systematic risk is the market-wide, non-diversifiable component and unsystematic risk is the diversifiable, asset-specific component.)
Business Risk
It is not possible to identify all sources of risk in a business. In software engineering, risk is often simplistically divided into two areas: business risk and, as a major subset of it, technology risk. Business risk is associated with the operation of the business as a business. The following are common sources of business risk.
Treasury management   Businesses operate as financial enterprises. The management of company holdings in bonds, futures, currencies, and other financial instruments is a source of financial risk to the business.
Revenue management   Revenue management refers to the actions associated with customer behavior and the generation of revenue. As revenue is the lifeblood of business, revenue management is an important area where business risks can affect the enterprise.
Contract management   Contract management refers to managing contracts with customers, vendors, and partners. Contract management can affect both costs and revenues, and is an important aspect of the financial operation of a business.
Fraud   Fraud is the deliberate deception made for personal gain to obtain property or services, and is a form of business risk.
Regulatory   The software industry operates in a realm of regulation. Security, privacy, and other business operation regulations can have an impact on a business and are a source of business risk. When the regulatory effect is related to the technology being employed, it can also be seen as a technological risk.
Business continuity   Management of risks associated with recovering and restoring business functions after a disaster or major disruption occurs is referred to as business continuity or disaster recovery risk. Software enterprises tend to be highly dependent upon personnel, so issues that impact personnel involved in software development can be viewed as a business continuity risk.
Technology   Technology is frequently employed in the operations of a business. The implementation of technology itself creates opportunities for risk, and as such, the employment of technology can be a business risk. A good example would be the effect of changing from a Java development environment to a .NET one. This is a change in technology and carries with it both risks and rewards.
Technology Risk
Software development is, by nature, a technological endeavor. A myriad of technologies are involved in the development of software, and with this array of technologies comes risks. Some of the risks will be associated with the technology employed as part of the development process. Another set of risks is associated with the aspects of the software functionality.
Security   Security is implemented using a variety of technologies. Specific risks are associated with the specific security functionality being implemented.
Privacy   Privacy is an attribute that plays a role in many software projects and is implemented using a variety of technologies. Specific risks are associated with the specific privacy functionality being implemented.
NOTE   Security and privacy are often confused—while security describes the protective attributes of data in a system, privacy describes the attributes that define with whom the data within a system is shared (or not shared).
Project risk management   Software development is implemented using a project management methodology. Project management carries its own set of risks, and the impact of these on the software development effort is a form of technological risk.
Change management   Software is a field that is dominated by change—change in development, change in deployment, change in operations—and with each comes sources of risk. How these risks will be managed is influenced by the change management process employed.
Risk Controls
Controls are defined as the measures taken to detect, prevent, or mitigate the risks associated with the threats a system faces. Controls are also sometimes referred to as countermeasures or safeguards. They can be associated with several classes of action: administrative, technical, or physical. For each of these classes of controls there are four types of controls: preventive, detective, corrective, and compensating.
Preventive
Preventive controls are used to prevent the vulnerability from being exploited. Preventive controls are one of the primary control mechanisms used in the deployment of security functionality. They are proactive in nature and provide the widest level of risk mitigation per control. Examples of preventive controls include separation of duties, adequate documentation, physical controls over assets, and authorization mechanisms.
Types of Controls
Controls can be classified based on the types of actions they perform. Three classes of controls exist:
•  Administrative
•  Technical
•  Physical
For each of these classes, there are four types of controls:
•  Preventive (deterrent)
•  Detective
•  Corrective (recovery)
•  Compensating
Detective
When the preventive controls fail, a vulnerability can be exploited. At this point, detective controls, or controls that can detect the presence of an attack, are employed. Detective controls act after the fact. Typical detective controls include elements such as logs, audits, and inventories.
Corrective
Corrective controls correct a system after a vulnerability is exploited and an impact has occurred. Because impacts may have multiple aspects, a corrective control acts on some aspects to reduce the total impact. Corrective controls are also after the fact and are typically targeted toward the system under attack rather than the attack vector. Backups are a common form of corrective control: they are only useful after an attack has occurred, and they serve to make recovery more efficient.
Compensating
Compensating controls are designed to act when a primary set of controls has failed. Compensating controls typically occur after the fact, as they are employed as a form of defense in depth. Separation of duties might be a primary control to prevent fraud, and a financial review of accounting reports can serve as an after-the-fact compensating control.
Controls Framework
Controls are not implemented in a vacuum or as individual isolated items. Controls work to reduce risk as part of a complete system. Managing risk across an enterprise is a complex endeavor, and the use of a framework to organize the individual risk controls assists in organizing the design of a comprehensive set. Figure 2-2 illustrates the relationships between the risk elements and forms the basis for a controls framework.
Figure 2-2   Controls framework
Qualitative Risk Management
Qualitative risk analysis uses expert judgment and experience to determine a level of risk exposure. In qualitative risk management, two elements are used in the judgment process: the impact of the threat and the probability of it occurring. A simple scheme, such as high, medium, or low rankings, is used to assign an impact level and probability level to the risk. For example, if a threat has a high impact and a high probability of occurring, the risk exposure is high and probably requires some action to reduce this threat. Conversely, if the impact is low with a low probability, the risk exposure is low and no action may be required to reduce this threat. Qualitative risk assessment is used to prioritize risk management activities, so exact quantification is not needed.
Qualitative Matrix
One method of expressing a collection of qualitative information is in the form of a matrix. The first step in the matrix formation process is defining the values for high, medium, and low. For systems associated with the federal government, general-purpose definitions that require specific refining for use are provided in Federal Information Processing Standard (FIPS) 199 (which labels the three impact levels low, moderate, and high). After defining the values, they are then arranged in a matrix, with the rows being the specific issues or elements being examined. The columns represent the security attribute that is impacted—typically, confidentiality, integrity, and availability. Where a row intersects a column, the appropriate value, from high, medium, and low, is chosen to indicate the risk level associated with that security attribute. An example of a qualitative matrix is shown in Table 2-1.
Table 2-1   Sample Qualitative Matrix
Failure Mode Effects Analysis
Failure mode effects analysis (FMEA) is a structured methodology for the assessment of failure modes and their effects on the system. Originally developed for the U.S. military and advanced by the National Aeronautics and Space Administration (NASA) during the space race, FMEAs allow engineers to rank risks in a system. For each given issue, a series of elements is defined. The severity of the risk is described, usually on a 1 to 10 scale, with 1 representing virtually no severity and 10 being catastrophic. Next, the probability associated with the event occurring is estimated, again using a 1 to 10 scale, with 1 being virtually never and 10 being highly probable. Detectability is also estimated with the same 1 to 10 scale; by convention the scale runs in the unfavorable direction, with 1 meaning the failure is almost certain to be detected before it causes harm and 10 meaning it will almost certainly go undetected, so that a higher score is always worse.
The next step is to multiply the three values together and use the product as a risk priority number (RPN) or ranking mechanism. The scale runs from 1 to 1000, but it is highly nonlinear, and in most uses, values over 200 are considered worthy of attention. The documentation of the system can include descriptive elements as well, providing a convenient mechanism for communicating risk management information across a development team.
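The following is an added example, not part of the original chapter, showing the RPN ranking described above applied to a constructed FMEA worksheet for a hypothetical web application. The failure modes, scores, and the 200 threshold flag are illustrative assumptions; the detection score follows the convention that a higher value means the failure is harder to detect.

```python
"""FMEA risk priority number (RPN) ranking for a list of failure modes (added example)."""
from dataclasses import dataclass

SCALE = range(1, 11)          # every FMEA factor is scored 1..10
ATTENTION_THRESHOLD = 200     # RPN above which the text says an item merits attention


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: int     # 1 = negligible effect, 10 = catastrophic
    occurrence: int   # 1 = virtually never, 10 = highly probable
    detection: int    # 1 = almost certainly caught before it causes harm, 10 = almost certainly missed
    # 'detection' deliberately runs in the unfavorable direction so a higher RPN is always worse.


def rpn(mode: FailureMode) -> int:
    """Risk priority number = severity * occurrence * detection, range 1..1000."""
    for field_name in ("severity", "occurrence", "detection"):
        value = getattr(mode, field_name)
        if value not in SCALE:
            raise ValueError(f"{field_name} must be 1..10, got {value!r}")
    return mode.severity * mode.occurrence * mode.detection


def rank(modes, threshold=ATTENTION_THRESHOLD):
    """Return (mode, rpn, needs_attention) tuples, highest RPN first.

    Ties are broken by severity, so a catastrophic-but-rare failure outranks a
    nuisance that happens to have the same product.
    """
    scored = []
    for mode in modes:
        score = rpn(mode)
        scored.append((mode, score, score > threshold))
    scored.sort(key=lambda t: (t[1], t[0].severity), reverse=True)
    return scored


# Constructed sample worksheet for a hypothetical web application (assumed values, not from the text).
SAMPLE = [
    FailureMode("Session token generated with a non-cryptographic RNG", 9, 4, 7),
    FailureMode("Password reset e-mail sent to an unverified address", 8, 4, 6),
    FailureMode("Verbose stack trace shown on HTTP 500 page", 3, 8, 2),
    FailureMode("Log rotation fills disk and audit logging stops", 6, 2, 9),
]

if __name__ == "__main__":
    for mode, score, flag in rank(SAMPLE):
        print(f"{score:4d} {'*' if flag else ' '} {mode.name}")
```

The sort shows why the product is useful for prioritization but not for absolute comparison: the stack-trace item has the highest occurrence score of the four yet ranks last, because it is both low-severity and easy to detect.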
Quantitative Risk Management
Whereas qualitative risk assessment relies on judgment and experience, quantitative risk assessment applies historical loss information and trends in an attempt to predict future losses. Quantitative risk assessment is highly dependent on historical loss data, and obtaining accurate data can be difficult. This also assumes that the sources of risk and their occurrence rates are unchanged from the historical values. In the realm of software vulnerabilities and risk, the concept of constant risk rates is far from an agreed-upon concept. Even with the challenges faced by determining individual risks, the objective of determining future losses can still be estimated against many types of risk in aggregate form.
It is important to understand that key assumptions underlie any risk management model, and different risk management models will produce different results even when given the same input data. Regardless of which risk management model is being used, it is important for all parties to come to a consensus agreement as to the values being used in the calculations employed in the model. When comparing options or systems, it is important to use equivalent values for inputs. By using consistent values and consensus-driven inputs, the results obtained from a model can be useful to an organization.
Although significant research and development have been invested in improving and refining the various risk analysis models, expert judgment and experience must still be considered an essential part of any risk assessment process. Insurance companies have relied upon expert judgment and experience in the creation of their business models, which even with their extensive datasets, have experienced widely divergent results due to the accuracy of their applied judgment. Models can never replace judgment and experience, but they do provide a means to supplement and manipulate them, and can significantly enhance the input to the decision-making process.
Annualized Loss Expectancy Model
A common method of quantitative assessment is the calculation of the annualized loss expectancy (ALE). This calculation begins by calculating a single loss expectancy (SLE) with the following formula:
SLE = asset value * exposure factor
The asset value is the amount put at risk. This may represent the replacement cost of an asset in the event of equipment loss, or the loss of business value in the event of accessibility issues. The exposure factor is the percentage of loss a system sustains. If capacity is reduced to 25 percent of normal, then the exposure factor of .25 can apply this aspect to the loss.
The next element to calculate is how often an event occurs, or the annualized rate of occurrence (ARO). The ARO is calculated by dividing the number of occurrences by the number of years covered. The result expresses the rate of loss occurrence as events per year, which can be a fraction (an event expected once every five years has an ARO of 0.2).
ARO = number of events / number of years
The next element to calculate is the annual loss expectancy (ALE). The ALE is calculated simply by multiplying the SLE by the number of times the event is expected to occur in a year, or ARO.
ALE = SLE * ARO
The value of ALE is the expected annual loss due to the risk being measured. This value can be useful in applying return on investment calculations.
Residual Risk Model
One of the key principles of security is the concept that absolute security is not an achievable goal. When a control is applied, it reduces the risk associated with a vulnerability by some measurable amount. The concept of absolute security can thus be expressed such that residual risk will not be zero. This provides a mathematical basis behind the application of multiple layers of defense in an attempt to minimize risk.
Using the operational security model and one single form of risk as an example, we can explore the effect of residual risk. Assume we are protecting a network from intrusion using a firewall, an intrusion detection system (IDS), and an incident response team (IRT). The firewall is 95 percent effective, the IDS is 80 percent, and the IRT is 50 percent. Assume the potential loss is $100,000.
Figure 2-3 illustrates this simple example with a firewall that blocks $95,000 worth of loss. Of the remaining $5,000 of potential loss, the IDS identifies only 80 percent ($4,000), and of that amount the IRT contains 50 percent ($2,000). The total effectiveness is $95,000 (firewall) plus $2,000 (IDS/IRT), for a total of $97,000, or 97 percent effective, leaving $3,000 of residual risk. The same example without the firewall, or assuming a firewall effectiveness of 0 percent, would show that the IDS/IRT value is $100,000 × 0.8 × 0.5 = $40,000. But as any operational security expert will tell you, IDS and IRT processes do not scale as well as technology such as a firewall, and it is highly doubtful an organization could examine and analyze the number of incidents that would be involved if the primary defenses were rendered ineffective. This also highlights one of the issues of defense in depth and quantitative risk management modeling—namely, we do not fully understand the quantitative interdependent relationships between components and scale to the degree necessary to fully model all conditions.
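The layered calculation above, as an added example that is not part of the original chapter. It generalizes the firewall/IDS/IRT case to any number of in-line preventive layers followed by one detect-and-respond pair, using the chapter's modeling assumption that a detected loss is only recovered to the extent the response team contains it. The numbers are the chapter's; the function names are this example's own.

```python
"""Residual risk after layered controls (added example based on the chapter's model)."""


def residual_loss(potential_loss, preventive, detection, response):
    """Return (residual, recovered_per_layer) for a potential loss passed through controls.

    preventive: effectiveness (0..1) of each in-line blocking control, applied in order;
                each removes that fraction of whatever loss reaches it.
    detection:  fraction of the loss that gets past the preventive layers that the IDS identifies.
    response:   fraction of the *detected* loss the IRT actually contains.
    Loss that is undetected, or detected but not contained, remains as residual risk.
    recovered_per_layer lists what each preventive layer stopped, then what detect/respond recovered.
    """
    for eff in list(preventive) + [detection, response]:
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"effectiveness must be between 0 and 1, got {eff}")
    remaining = float(potential_loss)
    recovered = []
    for eff in preventive:
        stopped = remaining * eff
        recovered.append(stopped)
        remaining -= stopped
    detected = remaining * detection
    contained = detected * response
    recovered.append(contained)
    remaining -= contained
    return remaining, recovered


def effectiveness(potential_loss, preventive, detection, response):
    """Overall fraction of the potential loss that the control stack removes."""
    residual, _ = residual_loss(potential_loss, preventive, detection, response)
    return 1.0 - residual / float(potential_loss)


if __name__ == "__main__":
    loss = 100_000
    # Chapter's example: firewall 95 percent, IDS 80 percent, IRT 50 percent.
    residual, per_layer = residual_loss(loss, [0.95], 0.8, 0.5)
    print(f"with firewall:    residual ${residual:,.0f}, recovered by layer {per_layer}")
    # Same stack with the firewall removed (effectiveness 0).
    residual, per_layer = residual_loss(loss, [], 0.8, 0.5)
    print(f"without firewall: residual ${residual:,.0f}, recovered by layer {per_layer}")
```

Note that the model treats each layer's effectiveness as independent of the volume reaching it; the chapter's caveat that detection and response capacity do not scale like a firewall is exactly the assumption this arithmetic cannot express.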
Figure 2-3   Sample residual risk calculation
Calculate SLE, ARO, and ALE
A company owns five web servers, each of which is valued at $100,000 and contributes equally to the company’s capacity. The web servers are geographically spaced at the different regional offices. Each web server provides internal web services to the regional office. The daily value of the content server is calculated at $10,000 to support workers in the office. Try calculating the SLE, ARO, and ALE for the warehouse located in the Mountain West office, where the probability of a weather-driven outage lasting more than 24 hours is once every five years, with the average outage being two days. How does this compare to the Southeast Regional office, where the probability of hurricane-related outage is twice every three years and the average outage is three days?
Mountain West
SLE = loss * duration = $10,000 * 2 = $20,000
ARO = 1 / 5 = 0.2
ALE = SLE * ARO = $20,000 * 0.2 = $4,000
Southeast Region
SLE = $10,000 * 3 = $30,000
ARO = 2 / 3 = 0.667
ALE = SLE * ARO = $30,000 * 0.667 = $20,000
If a backup generator costs $40,000 and has an annual maintenance cost of $2000, what is the return on investment (ROI) for each location? In simplest form, ROI can be expressed as:
ROI (%) = (Avoided Loss – Control Cost) / (Control Cost) * 100
or, expressed as a payback period (the time until the loss avoided equals the cost of the control):
Payback (years) = (Annual Control Cost) / (Avoided Annual Loss)
To apply this formula, you need to annualize the control cost. Assume the generator can be depreciated over five years and ignore the time value of money. The annual control cost is $8000 ($40,000 / 5) + $2000 annual maintenance cost = $10,000 total annual cost.
For the Mountain West office, the control costs more per year ($10,000) than the loss it would prevent ($4,000), so ROI is negative (−60 percent) and there is no payback period. For the Southeast Region office, ROI = ($20,000 − $10,000) / $10,000 × 100 = 100 percent, with a payback period of $10,000 / $20,000 = 0.5 year, or six months. Using this information, it would make financial sense to buy a generator for the Southeast Region office, but not for the Mountain West office.
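The SLE, ARO, ALE, and ROI formulas from the Annualized Loss Expectancy Model section and the two-office exercise above, carried through as an added example (not part of the original chapter). It uses exact fractions so that the 2/3 ARO does not introduce rounding, annualizes the control cost by straight-line depreciation as the text does, and reports no payback period when the annual control cost exceeds the loss it avoids. It assumes, as the exercise does, that the generator avoids the whole outage loss.

```python
"""SLE / ARO / ALE and control ROI on the chapter's generator exercise (added example)."""
from fractions import Fraction


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value * exposure factor.
    For an outage the 'asset value' is the daily value of the service and the
    exposure factor is the number of days lost, as the exercise sets it up."""
    return Fraction(asset_value) * Fraction(exposure_factor)


def annualized_rate_of_occurrence(events, years):
    """ARO = number of events / number of years (exact fraction)."""
    return Fraction(events, years)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO."""
    return sle * aro


def annual_control_cost(capital_cost, depreciation_years, annual_maintenance):
    """Straight-line depreciation plus maintenance; time value of money ignored."""
    return Fraction(capital_cost, depreciation_years) + Fraction(annual_maintenance)


def roi_percent(avoided_annual_loss, annual_cost):
    """ROI (%) = (avoided loss - control cost) / control cost * 100."""
    return (avoided_annual_loss - annual_cost) / annual_cost * 100


def payback_years(annual_cost, avoided_annual_loss):
    """Years until avoided loss equals the control's annual cost.
    Returns None when the control never pays for itself (cost >= avoided loss)."""
    if avoided_annual_loss <= annual_cost:
        return None
    return annual_cost / avoided_annual_loss


def evaluate_office(daily_loss, outage_days, events, years, control_cost):
    """Bundle the chain of calculations for one site into a dict."""
    sle = single_loss_expectancy(daily_loss, outage_days)
    aro = annualized_rate_of_occurrence(events, years)
    ale = annualized_loss_expectancy(sle, aro)
    return {
        "sle": sle,
        "aro": aro,
        "ale": ale,
        "roi_percent": roi_percent(ale, control_cost),
        "payback_years": payback_years(control_cost, ale),
        "worth_buying": ale > control_cost,
    }


GENERATOR_ANNUAL_COST = annual_control_cost(40_000, 5, 2_000)   # $10,000 per year

if __name__ == "__main__":
    # Chapter's figures: $10,000/day of service value; MW one 2-day outage per 5 years,
    # SE two 3-day outages per 3 years.
    for name, result in (
        ("Mountain West", evaluate_office(10_000, 2, 1, 5, GENERATOR_ANNUAL_COST)),
        ("Southeast Region", evaluate_office(10_000, 3, 2, 3, GENERATOR_ANNUAL_COST)),
    ):
        print(name, {k: (float(v) if isinstance(v, Fraction) else v) for k, v in result.items()})
```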
Comparison of Qualitative and Quantitative Methods
In practical use, neither the quantitative nor qualitative methods exist in isolation. The primary purpose for either method is to allow the prioritization of resource employment. It is common practice to employ both methods in management. Specific issues with data can be analyzed and options compared with quantitative methods. Wider analysis activities, such as system assessments, are typically done using qualitative methods. The end objective is the same: identify the appropriate use of limited resources to reduce risk.
Governance, Risk, and Compliance
Management deals with the balance between daily operations and strategic initiatives and goals by acting within a set of principles to maintain control over an enterprise. For the senior positions of the C-level staff and board of directors, this is mostly a risk management exercise. The senior executives leave many of the routine operational decisions to lower levels of management, freeing themselves to concentrate on monitoring risk and making larger-scale changes to capitalize on or protect against changes in overall risk. The term governance has come to mean the sum of executive actions with respect to managing risk. One important element of this risk management is complying with existing laws and regulations. Thus, the terms governance, risk management, and compliance are commonly used together, and the combined term, abbreviated GRC, is used as an umbrella term to describe the sum of actions in this arena.
Regulations and Compliance
Management has a responsibility for ensuring compliance with a wide range of requirements that are associated with the organization’s business objectives and the actions they take to achieve them. These requirements have many sources—some are contractual, some are based on policy or strategic initiatives. Others may be process based, defined by the organization or industry. There are also external sources of requirements in the form of regulations or laws.
Compliance is the term typically used when referring to the activities associated with these outside requirements. Conformance is the term typically used when referring to the activities associated with internal requirements (organizational policies and standards).
Compliance and conformance efforts are frequently a key issue with respect to GRC efforts. Activities related to compliance are usually given priority over conformance. There are a variety of reasons for the prioritization, but the principal reason is related to the penalties associated with noncompliance. While management actions that run counter to conformance may have internal costs in the form of dissonance, failure to comply with external regulations or legal requirements frequently carries a financial penalty.
Legal
Governance includes the act of managing legal-driven risk elements. Two specific legal issues that have significant risk to an enterprise are intellectual property and data breach events. Intellectual property is a valuable asset of the firm, and one that requires appropriate protection. In some cases, this protection can be obtained through legal action and the courts. But in other cases, the legal mechanism has no party to act against. When intellectual property is stolen by unknown criminal elements, using the Internet and international borders to avoid prosecution, it is still lost. Intellectual property needs prevention controls in addition to the legal remedies available after loss.
When losses involve personally identifiable information (PII), additional legal issues become involved. Many states have data breach laws, with disclosure and response provisions. Two strategies can be employed with respect to PII. First and foremost are the actions taken to protect the data prior to potential loss. Encryption is the primary method employed by most enterprises, and this can meet the requirements of many data breach laws and requirements, such as the Payment Card Industry Data Security Standard (PCI DSS). One of the economic drivers is the cost of complying with the notification provisions of data breach laws.
When senior executives weigh the options for dealing with risk, legal issues and consequences play a role in determining the appropriate balance in actions. Legal consequences, whether from compliance failure or loss, are part of the overall risk equation and should be included in the decision process.
Standards
Standards are an established norm used to define a specific set of rules governing some form of behavior. Standards exist for a wide range of elements, from business processes to outcomes. The sources of standards are many, including government bodies and industry and trade organizations. The ultimate goal of standards is to define a set of rules associated with ensuring a specified level of quality. It is important for a CSSLP to have a solid working knowledge of the relevant security standards, as this is the blueprint for designing, creating, and operating a system that reflects best practices.
Risk Management Models
Risk management concepts are fundamentally the same despite their differing definitions, and they require similar skills, tools, and methodologies. Several models can be used for managing risk through its various phases. Two models are presented here: The first can be applied to managing risks in general, and the second is tailored for managing risk in software projects. Recall from the beginning of the chapter that the purpose of managing risk is to improve the future, and models can assist in delivering on this objective.
General Risk Management Model
The following five-step general risk management model can be used in virtually any risk management process. These steps will lead to an orderly process of analyzing and mitigating risks.
Step 1: Asset Identification
Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats. Use a classification that fits your project. This classification leads to the ability to prioritize assets, systems, and processes and to evaluate the costs of addressing the associated risks. Assets can include elements of information, with some data elements requiring more security than others. The key factor to use in determining value is information criticality with respect to the business objectives of the enterprise. It is important to think globally when examining value, since from a risk perspective it doesn’t matter where the breach occurs.
Step 2: Threat Assessment
After identifying the assets, you identify both the threats and the vulnerabilities associated with each asset and the likelihood of their occurrence. All things have vulnerabilities; one of the keys is to examine exploitable vulnerabilities. Threats can be defined as any circumstance or event with the potential to cause harm to an asset.
From a software perspective, there is significant literature concerning common weaknesses: the Common Weakness Enumeration (CWE) maintained by MITRE, the SANS/CWE Top 25 list, the OWASP Top 10 list, etc. These vulnerability lists serve as a good starting point. In spite of the fact that these issues are widely known, they result in significant problems because they are frequently overlooked.
Step 3: Impact Determination and Quantification
An impact is the loss created when a threat is realized and exploits a vulnerability. Impacts can be either tangible or intangible. A tangible impact results in financial loss or physical damage. For an intangible impact, such as impact on the reputation of a company, assigning a financial value can be difficult.
Step 4: Control Design and Evaluation
In this step, you determine which controls to put in place to mitigate the risks. Controls (also called countermeasures or safeguards) are designed to control risk by reducing vulnerabilities to an acceptable level. (In this text, the terms control, countermeasure, and safeguard are considered synonymous and are used interchangeably.)
Controls can be actions, devices, or procedures. A comprehensive list of software controls can be found in the NIST SP 800-53 series.
Step 5: Residual Risk Management
Understand that risk cannot be completely eliminated. A risk that remains after implementing controls is termed a residual risk. In this step, you further evaluate residual risks to identify where additional controls are required to reduce risk even more. Multiple controls can be employed to achieve a better defense posture through defense in depth.
Software Engineering Institute Model
The Software Engineering Institute is a federally funded research and development center charged with developing methodologies to reduce risks associated with software engineering. In an approach tailored for managing risk in software projects, SEI uses the following methodology (SEI, Continuous Risk Management Guidebook [Pittsburgh, PA: Carnegie Mellon University, 1996]). Although the SEI terminology varies slightly from the general model, the relationships are apparent, and either model can be applied for risk management.
SEI Model Steps
1.  Identify   Examine the system, enumerating potential risks.
2.  Analyze   Convert the risk data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risks. Classify and prioritize each of the risks.
3.  Plan   Review and evaluate the risks and decide what actions to take to mitigate them. Implement the plan.
4.  Track   Monitor the risks and the mitigation plans. Trends may provide information to activate plans and contingencies. Review periodically to measure progress and identify new risks.
5.  Control   Make corrections for deviations from the risk mitigation plans. Correct products and processes as required. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.
Model Application
The general model and SEI model define steps that can be used in any general or software risk management process. These models can be applied to any project or program, no matter how simple or complex. There is a relationship between project scope and risk exposure, in which risk increases with project scope. Figure 2-4 shows how risk complexity increases with respect to project scope or enterprise size.
Figure 2-4   Risk complexity versus project size
Risk Options
Once risks are identified, management has a series of options to deal with them. The first option is to fix the problem. Fixing the problem involves understanding the true cause of the vulnerability and correcting the issue that led to it. When available, this is the preferred option, as it solves the problem irrespective of external changes. The second method involves removing the problem. This can be done in a couple of ways: If the problem is associated with a particular feature, then removing the feature may remove the problem. If the problem is inherent in a particular standard, for example the lack of confidentiality in a cleartext protocol, removing the communication or protocol may not make sense and fixing the protocol is probably not possible; what remains is some form of compensating control. Adding encryption to the communication channel, which removes the cleartext disclosure issue, is a form of removing the problem. In both of these cases, some residual risk may remain, and for that, management needs to make a similar decision. Can we live with the residual risk? If the answer is no, then you need to repeat the corrective process, removing additional levels of risk from the residual risk.
Other options exist for dealing with the risk. Transferring the risk to another party is an option. This can take the form of a warning to a user, which transfers the risk to the user, or of transferring the risk to a third party. In the case of financial fraud associated with online credit cards, the merchant is typically protected, and the bank card issuer ends up covering the fraud loss. This cost is ultimately borne by the customer, but only after aggregating and distributing the cost across all customers in the form of increased interest rates. It is also possible in some cases to purchase insurance to cover risk, in essence, transferring the financial impact to a third party.
The last option is to do nothing. This is, in essence, accepting the risk and the consequences associated with the impact should the risk materialize. This is a perfectly viable option, but it is best only when it is selected on purpose with an understanding of the ramifications. Ignoring risk also leads to this result, but it does so without the comprehensive understanding of the potential costs.
Chapter Review
This chapter began with an examination of the vocabulary associated with risk management. This is important, as the concepts presented are framed in terms used in this specific discipline and misuse of the terminology can lead to miscommunication and errors. Risk management is framed as a means to an end, specifically that of making the future better using data from the past. Then the types of risk were explored, based on source. Knowing the sources of risk assists in determining the proper control to manage a system response. Controls were explored as a framework for operationally managing activities that enable the objectives of the enterprise while minimizing the risks associated with those activities.
Risk can be examined using two types of frameworks: qualitative and quantitative. Qualitative risk methodology was explored, including a generic method and a sample. Quantitative risk management methodology was then presented along with an example. A comparison of the two was presented along with how they can be combined. Other forms of risk management models primarily constructed around the qualitative method were presented, including a model from the Software Engineering Institute.
The chapter ended with a discussion of the options that management has with respect to dealing with risk. Risk management involves the balancing of many options, all in an effort to minimize residual risk to a desired level.
Quick Tips
•  The vocabulary of risk management is an important element in communicating risks and controls to facilitate cross-cutting activities needed to manage risk in the enterprise.
•  There are two primary forms of risk management methodology: qualitative and quantitative.
•  The purpose of risk management is to influence the future and reduce future risk.
•  The foundational element in determining value associated with risk is information criticality.
Questions
To further help you prepare for the CSSLP exam, and to provide you with a feel for your level of preparedness, answer the following questions and then check your answers against the list of correct answers found at the end of the chapter.
  1.  Of the following, which is not a class of controls?
A.  Physical
B.  Informative
C.  Technical
D.  Administrative
  2.  Log file analysis is a form of what type of control?
A.  Preventive
B.  Detective
C.  Corrective
D.  Compensating
  3.  To calculate ALE, you need?
A.  SLE, asset value
B.  ARO, asset value
C.  SLE, ARO
D.  Asset value, exposure factor
  4.  Risk that remains after the application of controls is referred to as:
A.  Acceptable risk
B.  Business risk
C.  Systematic risk
D.  Residual risk
  5.  Calculate ALE for asset value = $1000, exposure factor = .75, ARO = 2.
A.  $1500
B.  $15,000
C.  $375
D.  Cannot be determined without additional information
  6.  Single loss expectancy (SLE) can best be defined by which of the following equations?
A.  SLE = asset value * exposure factor
B.  SLE = asset value * annualized rate of occurrence (ARO)
C.  SLE = annualized loss expectancy (ALE) * annualized rate of occurrence (ARO)
D.  SLE = annualized loss expectancy (ALE) * exposure factor
  7.  Which of the following describes qualitative risk management?
A.  The process of using equations to determine impacts of risks to an enterprise
B.  The use of experience and knowledge in the determination of single loss expectancies
C.  The process of objectively determining the impact of an event that affects a project, program, or business
D.  The process of subjectively determining the impact of an event that affects a project, program, or business
  8.  Risk is defined as:
A.  Any characteristic of an asset that can be exploited by a threat to cause harm
B.  Any circumstance or event with the potential to cause harm to an asset
C.  The overall decision-making process of identifying threats and vulnerabilities and their potential impacts
D.  The possibility of suffering a loss
  9.  A measure of the magnitude of loss of an asset is:
A.  Impact level
B.  Exposure factor
C.  Residual risk
D.  Loss factor
10.  A well-formed risk statement includes all except:
A.  Asset
B.  Impact
C.  Frequency
D.  Mitigation
11.  Backups are an example of what type of control?
A.  Preventive
B.  Detective
C.  Corrective
D.  Operational
12.  Two controls, each 60 percent effective in series, are placed to mitigate risk in a system worth $100,000. What is the value of residual risk?
A.  $60,000
B.  $36,000
C.  $40,000
D.  $16,000
13.  Quantitative risk management depends upon:
A.  Expert judgment and experience
B.  Historical loss data
C.  Impact factor definition
D.  Exposure ratio
14.  The following are all examples of technological risk except:
A.  Regulatory
B.  Security
C.  Change management
D.  Privacy
15.  Which of the following is measured in dollars?
A.  Exposure factor
B.  SLE
C.  ARO
D.  Impact factor
Answers
  1.  B. The three classes of controls are administrative, technical, and physical.
  2.  B. The review of log files is a detective type of control, as it occurs after the fact and is used to detect specific activity.
  3.  C. Annual loss expectancy is the single loss expectancy times the annual rate of occurrence.
  4.  D. This is the definition of residual risk.
  5.  A. ALE = AV * EF * ARO = $1000 * .75 * 2 = $1500
  6.  A. This is the definition of SLE.
  7.  D. Qualitative risk management is a subjective means. The other answers are all objectively based or include elements of quantitative risk management.
  8.  D. This is the definition of risk. A is the definition of vulnerability. B is the definition of threat. C is the definition of risk management.
  9.  B. This is the definition of exposure factor.
10.  C. Frequency is not part of a risk statement; the elements are asset, threat, vulnerability, mitigation, impact, and probability.
11.  C. Backups are controls that work after an impact has occurred.
12.  D. Start with $100,000. The first control mitigates $60,000. This leaves $40,000, and the second control mitigates 60 percent, or $24,000, leaving a residual of $16,000.
13.  B. Quantitative risk assessment is highly dependent upon historical loss data. A applies to qualitative risk assessment, and C and D are false distractor terms.
14.  A. Regulatory risk is an example of business risk.
15.  B. Single loss expectancy (SLE) is in dollars. ARO is a rate over time. Exposure factor is a ratio, and impact factor is not a risk management term.
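As an added example that is not part of the book, the following Python carries out the arithmetic behind the answers to questions 5 and 12 (SLE = AV * EF, ALE = SLE * ARO, and residual risk after controls placed in series) and generalises it to any number of controls, together with the step 5 residual risk check of whether the remaining risk still exceeds an acceptable level. The class and function names are the example's own.

```python
"""Quantitative risk arithmetic for the chapter's worked answers.

Added example, not the book's code. Formulas:
  SLE      = AV * EF
  ALE      = SLE * ARO
  residual = value * product(1 - e_i) for controls e_i applied in series
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field


def residual_risk(value: float, controls: list[float]) -> float:
    """Risk left after each control in series removes its share (question 12)."""
    remaining = value
    for effectiveness in controls:
        if not 0.0 <= effectiveness <= 1.0:
            raise ValueError("control effectiveness must be a fraction in [0, 1]")
        remaining *= 1.0 - effectiveness
    return remaining


@dataclass
class Risk:
    """One line of a risk register, with values the page's formulas need."""
    asset_value: float                 # AV, in dollars
    exposure_factor: float             # EF, fraction of AV lost per event
    aro: float                         # ARO, expected occurrences per year
    controls: list[float] = field(default_factory=list)  # effectiveness of each control in series

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro

    def residual_ale(self) -> float:
        """ALE after the controls in series are applied (step 5)."""
        return residual_risk(self.ale(), self.controls)

    def needs_more_controls(self, acceptable_ale: float) -> bool:
        """Step 5: further controls are required if residual risk exceeds what management accepts."""
        return self.residual_ale() > acceptable_ale and not math.isclose(self.residual_ale(), acceptable_ale)


if __name__ == "__main__":
    q5 = Risk(asset_value=1000, exposure_factor=0.75, aro=2)      # question 5
    print(f"Q5  ALE = ${q5.ale():,.2f}")                           # $1,500.00
    print(f"Q12 residual = ${residual_risk(100_000, [0.6, 0.6]):,.2f}")  # $16,000.00
    print("more controls needed:", q5.needs_more_controls(acceptable_ale=500))
```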