
CE/CZ 4064

Security Management

Risk Analysis and Assessments

CE/CZ 4064: Security Management, © 2014, Anwitaman DATTA


Risk management



Dilemmas of Information Security
How much resource for which?

Prevent / Detect / Respond
Dilemmas of Information Security
Complacency

If no major security incidents happened recently, why bother?

How do you justify a budget for security?
Dilemmas of Information Security
Security at all cost!!
Security is priceless
But, there is “no perfect security”

How do we know what is good enough?
Dilemmas of Information Security
The fallacy of relative privation

Is being better than the competition good enough?
Dilemmas of Information Security
Or is it to follow “Best practices”?

Lowest common denominator


Dilemmas of Information Security
Standards compliant?

Compliance out of compulsion

Sounds like a burden, but is there any value?
Dilemmas of Information Security
Everything has a price

Security is priceless. Or, is it?

Blakley et al. (2001) rationalize that since information security concerns the protection of business-critical or sensitive information and related IT systems and infrastructure, failures of information security will trigger adverse events, resulting in losses or damages that will exert negative impacts on a business. Information security must be a risk management discipline that manages risks by considering their costs and/or impacts on a business. In other words, “information security is information risk management”.
Dilemmas of Information Security
Recognizing the wisdom of the “no perfect security” principle and the need to prioritize and decide resource allocations within a limited security budget, a risk management approach seems logical and has been widely proposed for managing information security.

[Image on the slide: OSCAR WILDE]
Risk analysis



Risk analysis
Many methodologies (but trying to broadly investigate):

What needs to be protected?

Who/What are the threats and vulnerabilities?

What are the implications if they were damaged or lost?

What is the value to the organization?

What can be done to minimize exposure to the loss or damage?

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Desired outcome:

Recommendations that maximize the protection of confidentiality, integrity and availability while still providing functionality and usability

Note: Instead of the CIA-triad, the scope of protection may be expanded to other desirable security attributes.

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:

Scope

What is it for? What all is to be investigated?

The network, the databases, the web service, system boundary, …

Who is it for?

CFO needs to know different things than what the CISO or the network administrator needs to know …

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:

Data Collection

processes and policies in place

which software/patches are being used

repository of known vulnerabilities (for the products being used)

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:

Vulnerability analysis

determine current exposures

e.g., not the latest patches

penetration testing (e.g., using standard tools)

with/without knowledge of the internals

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:

Vulnerability analysis

[Two example slides, shown as images: vulnerability analysis examples.]

Threat analysis

[Example slide, shown as an image: threat analysis example.]

Source: http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
Risk analysis
Process:

Risk identification and analysis of acceptable risks


Risk analysis
Process:

Analysis of acceptable risks

Sources: http://blog.securestate.com/acceptance-is-the-first-step/

http://executive-education.insead.edu/ressources_edp/library/ckfinder/userfiles/images/executive_education/ssss.png
Qualitative risk analysis
Different (relative) levels of the risks’ probabilities and impacts are defined.

Definitions of probability levels and impact levels are tailored to the individual settings.

Note: We already did a similar exercise for the vulnerability analysis.

Sources: http://m.engineering.queensu.ca/Outreach/EngineeringStudents/files/PMBOK3rdEnglish.pdf
Qualitative risk analysis
Other aspects

Risk urgency

Collaterals and
interdependencies

Sources: http://m.engineering.queensu.ca/Outreach/EngineeringStudents/files/PMBOK3rdEnglish.pdf
What is it really worth?
Quantitative risk analysis

Difficult to make improvements in security without proper financial analyses to justify the budget

Quantitative risk analysis attempts to assign independently objective monetary values to the components of the risk assessment and to the assessment of the potential loss

Sources: http://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
Quantitative risk analysis
Advantages (if done “correctly”)

More objectivity in its assessment

Analysis is often derived from some irrefutable facts

Offers direct projection of cost/benefit of proposal

More powerful selling tool to management

Less prone to arouse disagreements during management review

Can be fine-tuned to meet the needs of specific situations and customised for specific industries

Sources: http://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849
Example
BuyAnyTime Inc. is an online retailer, gearing up for the Christmas sale - and for the increased traffic at its site for a period of one month (30 days), it expects the following:

Average 100 transactions a minute

Average $10 profit per transaction

Current system avg downtime of 30 minutes per day

An upgrade will cost $800,000 and reduce downtime to 5 minutes per day

Is it worth it?
Example
Cost to business with 30 minutes downtime = $ 30*30*10*100 = $ 900,000

vs

Cost to business with 5 minutes downtime = $ (5*30*10*100 + 800,000) = $ 950,000
Example
BuyAnyTime Inc. does a consumer survey to conclude that, in fact, if they have more than 10 minutes downtime per day, their reputation will suffer, leading to 2% customer attrition.

Reevaluate the decision?

Assume reduction in the volume of transactions to be proportional to the quantum of customer attrition.
Example
Cost to business with 30 minutes downtime = $ 30*30*10*100 = $ 900,000

Reevaluated cost to business = $ (30*30*10*100) + $ (1410*30*10*2) = $ 1,746,000
(1410 = minutes of uptime per day at 30 minutes downtime; 2 = 2% of the 100 transactions a minute lost to attrition)

vs

Cost to business with 5 minutes downtime = $ (5*30*10*100 + 800,000) = $ 950,000
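The BuyAnyTime comparison as a small cost model, added here as an example (not from the lecture slides): it reproduces both the direct-loss figures and the attrition reevaluation, and the threshold and attrition rate are parameters so other survey outcomes can be tried.

```python
# Added example (not from the lecture slides): the BuyAnyTime downtime
# comparison as a reusable cost model, including the attrition reevaluation.
MINUTES_PER_DAY = 24 * 60


def downtime_loss(downtime_min, days, profit_per_txn, txn_per_min):
    """Direct loss: profit not earned while the site is down."""
    return downtime_min * days * profit_per_txn * txn_per_min


def attrition_loss(downtime_min, days, profit_per_txn, txn_per_min,
                   threshold_min, attrition_rate):
    """Secondary loss: above the reputation threshold a share of customers
    leaves, and transaction volume during the remaining uptime drops
    proportionally (the survey's 2% attrition beyond 10 min/day)."""
    if downtime_min <= threshold_min:
        return 0
    uptime_min = MINUTES_PER_DAY - downtime_min
    lost_txn_per_min = txn_per_min * attrition_rate
    return uptime_min * days * profit_per_txn * lost_txn_per_min


def scenario_cost(downtime_min, upgrade_cost=0, days=30, profit_per_txn=10,
                  txn_per_min=100, threshold_min=None, attrition_rate=0.0):
    """Total cost to the business of one option over the sale period."""
    total = downtime_loss(downtime_min, days, profit_per_txn, txn_per_min)
    total += upgrade_cost
    if threshold_min is not None:
        total += attrition_loss(downtime_min, days, profit_per_txn,
                                txn_per_min, threshold_min, attrition_rate)
    return total


def compare(threshold_min=None, attrition_rate=0.0):
    """Cost of keeping the current system vs. buying the upgrade."""
    return {
        "current": scenario_cost(30, threshold_min=threshold_min,
                                 attrition_rate=attrition_rate),
        "upgrade": scenario_cost(5, upgrade_cost=800_000,
                                 threshold_min=threshold_min,
                                 attrition_rate=attrition_rate),
    }


if __name__ == "__main__":
    print("direct loss only:", compare())         # current 900000, upgrade 950000
    print("with attrition:", compare(10, 0.02))   # current 1746000, upgrade 950000
```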
Quantitative risk analysis
Need to take into account

Different risk countermeasure strategies will have different payback or cash flow scenarios.

One time investment (infrastructure upgrade) vs. recurrent costs (regular penetration tests by security consultant)

Long term benefits vs. time-limited benefits

Secondary effects (e.g., reputation as an “asset”)
Annualized Loss Expectancy
The monetary loss expected in one year due to a risk

ALE = ARO × SLE

where

ALE: Annualized Loss Expectancy

ARO: Annual Rate of Occurrence

SLE: Single Loss Expectancy

Annualized Loss Expectancy
The monetary loss expected in one year due to a risk

ARO: Annual Rate of Occurrence

How often does a specific loss event from a particular risk occur?
Annualized Loss Expectancy
The monetary loss expected in one year due to a risk

SLE: Single Loss Expectancy

The monetary loss expected from the occurrence of a risk once, on an asset: SLE = AV × EF, the asset value times the exposure factor.

The exposure factor represents the impact of the risk over the asset, or the percentage of the asset lost.
ALE example
A company has 10000 employees. Personal information and emails for these employees are stored in a distributed manner over ten machines, each storing 1000 distinct (non-intersecting) records.

Whenever one of these employees falls victim to a phishing attack, the whole machine (where the victim’s records are stored) is compromised. The IT department claims that the Single Loss Expectancy from such an incident is $5000.

What is the valuation of the whole asset according to the IT department?

If 18 people fall victim to phishing spread over a year, what is the annualised loss expectancy?
Annualized Loss Expectancy
Many “shortcomings”

If all 18 people fall victim to phishing together, what is the annualised loss expectancy?

Depends on the actual number of machines affected (the level of abstraction may not capture things precisely).

Combining the two risk components - asset value and the probability of loss - together “simplifies” things (which is sometimes good), but this simplification also means distinguishing high-frequency, low-impact events from low-frequency, high-impact events based on a single number is no longer possible.
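A worked version of the phishing scenario, added here as an example (not from the lecture slides). It assumes that a compromised machine is one tenth of the asset (exposure factor 0.1), and contrasts the ALE for 18 independent incidents with the range of loss when the same 18 victims are hit in one incident, which is the abstraction problem the slide points at.

```python
# Added example (not from the lecture slides): ALE for the phishing scenario,
# and the range of loss hidden when 18 victims fall together. Assumes each of
# the 10 machines holds 1/10 of the asset (exposure factor 0.1 per incident).
SLE = 5000                       # single loss expectancy claimed by IT, in $
MACHINES = 10
RECORDS_PER_MACHINE = 1000
EXPOSURE_FACTOR = 1 / MACHINES   # one machine lost per incident (assumption)


def asset_value(sle=SLE, ef=EXPOSURE_FACTOR):
    """SLE = AV * EF, so the implied valuation of the whole asset is SLE / EF."""
    return sle / ef


def ale(aro, sle=SLE):
    """Annualized loss expectancy: ARO * SLE."""
    return aro * sle


def machine_of(employee_id):
    """Records are partitioned: employees 0..999 on machine 0, and so on."""
    return employee_id // RECORDS_PER_MACHINE


def simultaneous_loss(victim_ids):
    """Loss of one incident with several victims at once: every machine
    holding a victim's records is compromised, but each machine is lost once."""
    machines_hit = {machine_of(v) for v in victim_ids}
    return len(machines_hit) * SLE


def simultaneous_loss_range(n_victims):
    """Best and worst case for n victims in one incident: all on one machine,
    or spread over as many machines as possible (capped at the asset value)."""
    worst = min(n_victims, MACHINES) * SLE
    return SLE, worst


if __name__ == "__main__":
    print("implied asset value:", asset_value())        # 50000.0
    # 18 separate incidents: the ALE even exceeds the implied asset value
    print("18 incidents, ALE:", ale(18))                 # 90000
    # 18 victims at once: anywhere between one and ten machines lost
    print("18 together, range:", simultaneous_loss_range(18))   # (5000, 50000)
    print("victims 0..17, one machine:", simultaneous_loss(range(18)))  # 5000
```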
Annualized Loss Expectancy
Many “shortcomings”

Objectivity is subjective

Say, the cost estimated by the IT department was based on the cost to restore data. But now if an employee sues the company because his/her personal data was not properly protected (say under a new “Personal Data Protection Act”), then what?

May not be possible/easy to “correctly” value the asset
Annualized Loss Expectancy
Many “shortcomings”

ARO: Annual Rate of Occurrence

May not be easy to predict/may have high variance

AV and EF: Asset valuation and Exposure factor

May not be easy to quantify and can be subjective; the person assessing the risk may have to define it

Hybrid approach
Risk assessment is not a precise science

A hybrid of qualitative and quantitative approaches


All models are wrong, but some are useful.
- George Box
Identifying & Prioritizing



Penetration testing
Goal oriented

Can a specific security attribute be violated?

Deliverable: A report of how security was breached in order to reach the agreed-upon goal

Recommend remedy

Source: http://danielmiessler.com/writing/vulnerability_assessment_penetration_test/
Vulnerability Assessment
Exploratory:

Identification and prioritization of vulnerabilities

In terms of severity

In terms of likelihood of occurrence
Fault tree analysis
Fault tree analysis (FTA) is a top-down, deductive failure analysis in which an undesired state of a system is analyzed using Boolean logic to combine a series of lower-level events.

[Example fault tree shown as a figure on the slide. Top event: unauthorized access to email. Lower-level events visible in the figure: key-logger, password cracked, password guessed, phishing, hardware stolen, two-factor authorization ineffective, two-factor authorization not deployed.]

Note: FTA is a general purpose technique used for system reliability and safety engineering, risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Fault_tree_analysis
Attack trees
Conceptual diagrams showing how an asset, or target, might be attacked, possibly qualifying an attack in multiple dimensions

Motivation: e.g., opportunistic versus motivated

Access: e.g., insider attack/external hack/…

Skills and resources of attacker: uses ready-made rootkit, crafts customized attacks, has money for special equipment

Risk-aversion: Will send phishing mail, but won’t pick pocket

Note: Attack trees are closely related to, but not the same as fault trees, see http://en.wikipedia.org/wiki/Attack_tree for more discussions
Attack trees
Represent the attacks and countermeasures as a tree structure

Root node is the goal of the attack

Complex systems will have many targets (modeled as separate roots)

Leaf nodes are the attacks

Source: https://www.schneier.com/paper-attacktrees-ddj-ft.html
Attack trees
Two kinds of intermediate nodes

“Or” nodes: different ways to achieve the same goal

“And” nodes: multiple steps required together to achieve a goal

(And) is indicated explicitly
Attack trees
[Example attack tree shown as a figure on the slide. Goal (root): unauthorized access to email, which requires “password cracked” AND “2FA ineffective” (the AND is marked explicitly). Password cracked: key logger / password guessed / phishing. 2FA ineffective: hardware stolen (pick pocket / breaking into house / from office desk) / hardware lost / 2FA not deployed.]

Attack trees
Qualified with additional attributes, e.g., probability
[The same tree with probabilities p1, p2, p3, … attached to leaves; “??” marks a node whose probability is not known.]

Attack trees
Qualified with additional attributes, e.g., time
[The same tree with time estimates attached to leaves (3 months, 20 hours, 1 day, 2 months, 1 day); some leaves are marked “not possible” or “not applicable”.]
Attack trees
Can be made as detailed as possible, but also, templates of attack sub-trees can be reused.

It’s possible to combine multiple qualifiers (e.g., time, money, probability).

Can be used to identify the “preferred” attack vectors.

Can be used to devise cost-effective layered defence.
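An evaluator for a time-qualified attack tree shaped like the slides’ email example, added here as an example (not from the lecture slides or Schneier’s paper). The leaf times are constructed values; OR nodes take the fastest child, AND nodes sum all children, and a leaf marked not possible propagates as in Schneier’s possible/impossible attribute. Blocking a leaf models a countermeasure and shows how the preferred attack vector moves.

```python
# Added example (not from the lecture slides): evaluating an attack tree shaped
# like the slides' email example. Leaf times are constructed values; None marks
# a leaf the slides would label "not possible". OR = fastest child, AND = sum.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" or "and"
    time_h: Optional[float] = None  # hours for a leaf; None = not possible
    children: list = field(default_factory=list)


def fastest_attack(node):
    """Return (hours, leaves used) for the quickest way to reach node,
    or (None, []) if the goal is impossible with the given leaves."""
    if node.kind == "leaf":
        return (node.time_h, [node.name]) if node.time_h is not None else (None, [])
    results = [fastest_attack(c) for c in node.children]
    if node.kind == "or":
        feasible = [r for r in results if r[0] is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else (None, [])
    if any(r[0] is None for r in results):   # "and": every child is required
        return (None, [])
    return (sum(r[0] for r in results), [leaf for r in results for leaf in r[1]])


def email_tree(blocked=()):
    """Build the tree; leaves named in `blocked` are made impossible, which
    models a countermeasure (e.g. a locked office desk or a kept-on-person token)."""
    def leaf(name, hours):
        return Node(name, time_h=None if name in blocked else hours)
    password = Node("password cracked", "or", children=[
        leaf("key logger", 3 * 30 * 24), leaf("password guessed", 20),
        leaf("phishing", 24)])
    stolen = Node("hardware stolen", "or", children=[
        leaf("pick pocket", 24), leaf("breaking into house", None),
        leaf("from office desk", 48)])
    twofa = Node("2FA ineffective", "or", children=[
        stolen, leaf("hardware lost", None), leaf("2FA not deployed", None)])
    return Node("unauthorized access to email", "and", children=[password, twofa])


if __name__ == "__main__":
    print(fastest_attack(email_tree()))                 # (44, ['password guessed', 'pick pocket'])
    print(fastest_attack(email_tree({"pick pocket"})))  # (68, ['password guessed', 'from office desk'])
```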
Event tree analysis
Event tree analysis (ETA) is a forward, bottom-up, logical modeling technique for both success and failure that explores responses through a single initiating event and lays a path for assessing probabilities of the outcomes and overall system analysis.

[Example event tree shown as a figure on the slide. Initiating event: a phishing attack to obtain a login credential. Branches: attack successful (yes/no); 2FA ineffective; keylogger infected; password cracked. Outcomes on each path: “unauthorized access to email” or “NO unauthorized access to email”.]

Note: ETA is also a general purpose technique, and allows probabilistic risk assessment
eLearning task: Read http://en.wikipedia.org/wiki/Event_tree_analysis
Probabilistic risk assessment
Event tree can be used for probabilistic risk assessment

[Example shown as an image on the slide.]

eLearning task: Read http://en.wikipedia.org/wiki/Probabilistic_risk_assessment


Failure mode and effects analysis (FMEA)
FMEA is an inductive reasoning (forward logic) single point of failure analysis to review as many components, assemblies, and subsystems as possible to identify failure modes, and their causes and effects

Each failure mode gets a numeric score that quantifies:

likelihood (probability) that the failure will occur

likelihood that the failure will not be detected

the amount of harm or damage the failure mode may cause to a person or to equipment (severity)

Note: FMEA originated from the literature of reliability analysis, but is used in ISO 27k
eLearning task: Read http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
FMEA
Risk Priority Number (RPN), example from ISO27k:

RPN = sev * prob * det

eLearning task: Understand www.iso27001security.com/ISO27k_FMEA_spreadsheet.xlsx

FMEA in ISO27k
[Screenshots of the ISO27k FMEA spreadsheet shown on the slides.]

Source: www.iso27001security.com/ISO27k_FMEA_spreadsheet.xlsx
The only constant is change
Risk analysis needs to be “current”

ISCM
Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

NIST publication SP800-137 (statutory under FISMA)

“continuous” here means frequent

Frequency determined by criticality of issues

Source: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
ISCM
Tier 1 risk management activities address high-level information security governance policy as it relates to risk to the organization as a whole, to its core missions, and to its business functions.

ISCM
Tier 2 criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization, the types of information needed to successfully execute the stated mission/business processes, and the organization-wide information security program strategy.

ISCM
ISCM activities at Tier 3 address risk management from an information system perspective. These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.
Wrap-up: Risk Assessment
No perfect security

Limited resources

Identify and prioritize risks

Consequences and costs

Different approaches to explore

There’s no marauder’s map!!
