RISK ASSESSMENT
7CCSMSEM Security Management Dr. Jose M. Such
Risk Management Steps
• Asset Identification (and their value)
• Threat Assessment
• Vulnerability Assessment
• Risk Assessment
• Risk Treatment
• (Reduce, Transfer, Avoid or Accept the risk.)
• Risk Monitoring
Risk Assessment
• The universal formula
Risk = Threat × Vulnerability × Impact
• All three need to be present
• Where do we look for this information
• Approaches tend to aim for objectivity but end up as subjective
Questions
• But how do we combine all three values?
• What processes should we use to develop the values?
• Should we go qualitative or quantitative?
Asset identification and valuation (Impact)
Identifying Assets
• What do we mean by assets?
• Information can be in multiple forms
• Need to consider how assets are held and managed
• Vital to understand the process that surrounds the asset
• Assets may not be tangible
Examples of Assets
• System (or network of systems)
• Database (or just information)
• Building (or other physical infrastructure)
• Intellectual Property
• Business service
• Business process (or workflows)
• Reputation
Asset Valuation
• The value of an asset is prioritised by the contribution it makes to the business. This may include:
• CIA-N requirements
• Information classification policies (public vs highly sensitive information)
• Cost of compromise (Replacement equipment)
• Interdependencies with other business systems/processes
• Personal injury or death
Asset Valuation
• The value of an asset is usually calculated by means of a business impact assessment.
• This predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
• It considers both assets and employees that handle the asset.
Asset Valuation
• Direct value
• The estimated cost or value of its loss or unavailability to the business.
• Indirect value
• Can it impact (or damage) the business’ reputation if the information was lost or made public? Is it valuable to a competitor?
Indirect Impact Example
British Airways 2018 Case
Asset Register
• Normally done as a consultative project
• Workshop, questionnaires and/or interviews
• Including:
• Hardware
• Information
• People
• Processes
• Infrastructure
• Value the asset and also the impact of tamper
• Value may lie in other areas such as reputation
• What are the linkages and dependencies?
• Scope is crucial to a successful assessment
Risk Assessment
Quantitative vs Qualitative
Statistics
“Statistics are like bikinis. What they reveal is suggestive, but what they conceal is vital.”
~Aaron Levenstein
“Facts are stubborn, but statistics are more pliable.”
~Mark Twain
“It is likely that unlikely things should happen.”
~Aristotle
“It is scientific only to say what’s more likely or less likely, and not to be proving all the time what’s possible or impossible.”
~Richard Feynman
Qualitative
• Generally a workshop/interview approach
• Analysis avoids the over simplification to numbers
• Numbers are no substitute for human understanding
• Excellent communication skills are required
• Can draw together the apparently inconsequential bits of information
Qualitative cont…
• Discourse analysis useful
• Language is dependent on the environment and context
• Language used can be enlightening
• Discourse and data analysis used in other disciplines
• Too subjective?
• Highly reliant on interviewer skills
Qualitative cont…
• There is a tendency to dismiss qualitative approaches, as IT is seen as a hard technology area
• People are the problem and the solution
Completely Knowable?
• IT security, because of background, is often considered to be completely knowable
“No plan survives contact with the enemy”
~Helmuth Carl Bernard Graf von Moltke
• Information security is treated in isolation
• Need to be integrated with other business areas (Physical and Personnel Security)
Still Completely Knowable?
• A technology focus fails to assess people and processes.
• Technology, people, process interact in unpredictable and irrational ways
The Risk Space
• Qualitative approaches create a rich picture of this space
• This remains the case until we reduce to numbers
• When distilling to numbers you are reducing the resolution of the space
• Qualitative provides a firm grounding for Quantitative approaches
Quantitative
• Aim to produce reliable statistical evidence
• Is this possible at the moment?
• Is internal data acquisition enough?
• The questions and answers must be tightly controlled.
• Can limit the breadth of response
• Can limit the understanding of the complexity of the risk space
Information is the key
• Quant analysis relies on accurate data
• Data tend to be empirically based
• There is a seduction of pure data
• Loss of bias in its generation
• Loss of bias in its interpretation(?)
• The problem is when Qual data is presented as Quant data
• Happens all the time.
• Risk assessment exercises encourage this.
The Whole Puzzle
• It is not a case of Qual Vs. Quant
• There needs to be a balance
• Mature risk approaches accept the best from each and understand the issues with each
• Why are qualitative approaches considered substandard?
• Driven by IT staff
• Both, however, should be undertaken with rigour
The Whole Puzzle cont…
• Just because it has numbers doesn’t make it better
• Getting the data right is difficult
• Qual can be very useful for capturing complex systems and subject areas:
• Constantly increasing complexity:
• In technology
• In business models
• Qual can be used to communicate with examples
• How to shorten to a briefing?
Pseudo-Quant
• This is one of the main outputs of many risk assessment processes
• Can be useful for communicating ideas quickly
• Enables relative risk to be identified so actions can be taken
• Feeling that numbers are more concrete
• But if the context is lost, so is the “pseudo” part!
Skill Sets in the Risk Team
• Qualitative:
• Need to know how to be a good interviewer
• Need to know how to conduct discourse and data analysis
• Good at separating evidence from interpretation
• Quantitative:
• Statistics and probability background
• Good at experiment design and results analysis
• These skills are hard to find in this area.
Quantitative Risk Assessment
• Quantitative probabilities
• Quantitative impact
• For each risk:
• ALE = ARO × SLE
• ALE = Annual Loss Expectancy
• ARO = Annual Rate of Occurrence
• SLE = Single Loss Expectancy
Annual Rate of Occurrence
• A business-friendly measure of the probability of occurrence of an event.
• How likely is it that an event happens this year? Or how many times will it happen?
• Helps in terms of annual budget.
Single Loss Expectancy
• SLE is the monetary value expected from the occurrence of a risk on an asset.
• It follows from the asset value
• How much of that asset value will be taken away
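An added example, not from the slides: the ALE calculation above carried through for one asset from the register, with SLE derived from the asset value and an assumed exposure factor (the share of the value one occurrence takes away). The control cost-benefit step, which compares the ALE reduction a control buys against its annual cost, is a standard extension of the ALE method rather than something the slides state; all figures are constructed.

```python
# Added example (not from the lecture slides): quantitative risk assessment
# with ALE = ARO * SLE and SLE = asset value * exposure factor.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # from the asset register, in currency units
    exposure_factor: float  # 0.0..1.0, fraction of asset value lost per event
    aro: float              # annual rate of occurrence (0.25 = once in 4 years)

    def sle(self) -> float:
        """Single Loss Expectancy: value taken away by one occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be in 0..1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected yearly loss from this risk."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.aro * self.sle()


def rank(risks: list[Risk]) -> list[Risk]:
    """Order risks by ALE so the relative risk drives what gets treated first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its yearly cost.
    A negative result means the control costs more than the risk it removes
    (standard extension of the ALE method, assumed here)."""
    return before.ale() - after.ale() - annual_control_cost


# Constructed figures: a customer database valued at 2,000,000 whose breach
# is estimated to destroy 40% of its value about once every four years.
DB_BREACH = Risk("customer DB breach", 2_000_000, 0.40, 0.25)
# Assumed effect of a control: same SLE, but a breach only once in ten years.
DB_BREACH_MITIGATED = Risk("customer DB breach (mitigated)", 2_000_000, 0.40, 0.10)

if __name__ == "__main__":
    print(f"SLE = {DB_BREACH.sle():,.0f}")   # 800,000
    print(f"ALE = {DB_BREACH.ale():,.0f}")   # 200,000
    net = control_value(DB_BREACH, DB_BREACH_MITIGATED, 50_000)
    print(f"net annual value of control = {net:,.0f}")  # 70,000
```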
Qualitative Risk Assessment
• Qualitative probabilities
• Qualitative/Quantitative Impact
• Risk = Threat x Vulnerability x Impact
Likelihood
OWASP Risk Rating Methodology
• https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
Example
• Likelihood of getting infected after connecting to the Internet: High
• Impact of getting infected: High
• Risk rating: critical (needs action)
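An added example, not from the slides, of the qualitative rating above done the OWASP Risk Rating Methodology way: each likelihood and impact factor is scored 0 to 9, the scores are averaged and banded LOW (under 3), MEDIUM (3 to under 6) or HIGH (6 and up), and the two bands are combined in the OWASP overall severity table. Averaging all eight impact factors together is an assumption (OWASP lets you prefer the business impact score); the factor scores for the slide's infection scenario are constructed.

```python
# Added example (not from the lecture slides): OWASP-style risk rating.
from statistics import mean


def band(score: float) -> str:
    """OWASP bands: 0 <= s < 3 LOW, 3 <= s < 6 MEDIUM, 6 <= s <= 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError("factor scores must be in 0..9")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall risk severity table: rows are impact bands, columns likelihood bands.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def rate(likelihood_factors: dict, impact_factors: dict) -> dict:
    """Average the factor scores, band them and look up the overall severity.
    Assumption: all impact factors are averaged together."""
    likelihood = mean(likelihood_factors.values())
    impact = mean(impact_factors.values())
    lb, ib = band(likelihood), band(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_band": lb, "impact_band": ib,
            "severity": SEVERITY[ib][lb]}


# Constructed scores for the slide's scenario: an unpatched machine connected
# to the Internet. Factor names follow OWASP; the numbers are assumed.
LIKELIHOOD = {"skill_level": 3, "motive": 9, "opportunity": 9, "size": 9,
              "ease_of_discovery": 9, "ease_of_exploit": 9,
              "awareness": 9, "intrusion_detection": 8}
IMPACT = {"loss_of_confidentiality": 7, "loss_of_integrity": 7,
          "loss_of_availability": 7, "loss_of_accountability": 7,
          "financial_damage": 7, "reputation_damage": 5,
          "non_compliance": 5, "privacy_violation": 7}

if __name__ == "__main__":
    result = rate(LIKELIHOOD, IMPACT)
    print(result)  # likelihood HIGH, impact HIGH -> severity Critical
```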
Risk Assessment tools
• Many tools use a qualitative approach
• Does it really matter, as long as it is:
• Fits the business
• Transparent
• Repeatable
• Auditable
• Rigorous
• What is the purpose of the process anyway?
• Highest importance is risk communication
Common Pitfalls
• Oversimplification of the threat space
• Ignorance of the threat space
• Especially in tools
• Not thinking strategically about risk
• Failure of imagination
• Being too heavyweight in the risk processes
• Not adaptive to the future or business.
• Consider scale and complexity in an interconnected world.