
Chapter 4: Risk Management

Course: Information Assurance and Security

Confidence: Confident

Last Edited: October 28, 2023 1:37 PM

1.1 RISK MANAGEMENT

What is risk management
The process of identifying risk, assessing its relative
magnitude, and taking steps to reduce it to an acceptable
level.

A strategy for organizations to protect their information
assets against potential harm from attacks.

Applying risk management in an organization

Know yourself - Understand what kinds of information you
have and where they are stored.

Know the enemy - Identify, examine, and understand the
threats the organization faces.

The roles of the communities of interest (information
security, IT, and general management) in the process.

Risk appetite and residual risk

Residual risk - The risk to information assets that remains
even after current controls have been applied.

Risk Appetite - The quantity and nature of risk that
organizations are willing to accept as they evaluate the
trade-offs between perfect security and unlimited
accessibility.

Risk Tolerance - See risk appetite. The assessment of the
amount of risk an organization is willing to accept for a
particular information asset.

Risk Categorization - A determination of the extent to
which an organization's information assets are exposed to
risk.
1.2 RISK IDENTIFICATION
The recognition, enumeration, and documentation of risks to
an organization.

Components of risk identification

A risk management strategy requires that the organization
know how to identify, classify, and prioritize its
information assets.

Planning and Organizing the Process

Organize a team (representatives come from every
department and include users, managers, IT groups, and
information security groups).



Identifying, Inventorying, and Categorizing Assets
The objective of this process is to establish the relative
priority of assets to the success of the organization.

A. People, Procedures, and Data Asset Identification
These assets should be documented using a reliable data-
handling process that allows for specifying unique
attributes.

Asset Attributes:

People - Position name, number, or ID

Procedures - Description; intended purpose; relationship
to software and hardware

Data - Classification; owner, creator, and manager; size
of data structure

B. Hardware, Software, and Network Asset Identification
Asset Attributes

Name - Choose common, meaningful names

IP Address - Useful for network devices and servers; note
that addresses assigned by DHCP change over time, so an IP
address alone is not a stable identifier

MAC Address - Unique identifier for a network interface; it
can be changed or spoofed, so it should not be the only
identifier relied on

Element Type - Categorize hardware and software elements

Serial Number - Uniquely identifies hardware devices

Manufacturer Name - Record the manufacturer

Manufacturer Model - Valuable for vulnerability analysis

Software Version - Needed to match an element against
published vulnerabilities

Physical Location

Logical Location

Controlling Entity - Identify the organizational unit
that controls the element

C. Information Asset Inventory
This process helps determine where information is stored,
including physical and digital formats.

D. Asset Categorization
THE RISK MANAGEMENT CATEGORIZATIONS INTRODUCE SEVERAL NEW
SUBDIVISIONS:

People - Employees and non-employees

Procedures - Non-sensitive procedures and sensitive
procedures

Data Components - Cover all forms of data

Software Components - Application, OS, or security components

Hardware - Regular system devices and peripherals

Classifying, Valuing, and Prioritizing Information Assets

1. Organizations customize categories based on their
specific requirements.

2. The hardware category can be subdivided into servers,
networking devices, and cabling for clarity.

3. The data classification scheme is crucial for assessing
data and device sensitivity and security priority.

4. Data classification levels may include confidential,
internal, and public.

5. Alignment with personnel security clearance levels is
essential for effective classification.

6. The classification method should be clear and
comprehensive, and ensure each asset fits into only one
category.

7. Certificate authorities are categorized as software
security components due to their role in security
infrastructure.
1.3 DATA CLASSIFICATION AND MANAGEMENT
Confidential
Access to information with this classification is strictly on
a need-to-know basis or as required by the terms of a
contract.

Internal
Internal information is to be viewed only by corporate
employees, authorized contractors, and other third parties.

External
All information that has been approved by management for
public release.

The U.S. Classified National Security Information (NSI)
system has a complex classification scheme with three
levels:

Top Secret

Secret

Confidential

SECURITY CLEARANCE - Each user of an information asset is
assigned an authorization level that identifies the level
of classified information he or she is "cleared" to access.

MANAGEMENT OF CLASSIFIED DATA - Classified information is
marked with colors like Orange (Top Secret), Red (Secret),
and Blue (Confidential).

INFORMATION ASSET VALUATION - One of the toughest tasks in
information security in general and in risk management in
particular: assigning values to information assets for
risk assessment purposes.

INFORMATION ASSET PRIORITIZATION - Ranking each asset by
its value to the organization.

Identifying and Prioritizing Threats
Evaluation of the threats to information assets.

Specifying Asset Vulnerabilities
The process of identifying vulnerabilities in information
assets.

Threats-Vulnerabilities-Assets (TVA) worksheet
A prioritized list of assets and their vulnerabilities.

You should also have a list that prioritizes the threats.
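As an added example (it is not part of these notes or of the course textbook), the Python script below carries the valuation, prioritization and TVA steps above through in code: a weighted factor analysis scores each asset against weighted criteria, the assets are ranked, and a TVA worksheet is built by walking ranked assets against ranked threats and emitting one row per known vulnerability. The asset names, criteria, weights, threat ranking and vulnerabilities are all constructed for illustration.

```python
# Added example, not from the original notes: weighted factor analysis for
# information asset valuation, then a Threats-Vulnerabilities-Assets (TVA)
# worksheet that pairs ranked assets with ranked threats. Every asset, criterion,
# weight, threat and vulnerability below is constructed for illustration.
from itertools import product

# Hypothetical valuation criteria; the weights must total 100.
CRITERIA_WEIGHTS = {
    "impact_to_revenue": 30,
    "impact_to_profitability": 40,
    "impact_to_public_image": 30,
}

# Constructed assets, each scored from 0.0 to 1.0 against every criterion.
ASSETS = {
    "Customer order SQL database": {
        "impact_to_revenue": 0.8, "impact_to_profitability": 0.9, "impact_to_public_image": 0.5},
    "EDI document transfer to vendor": {
        "impact_to_revenue": 0.8, "impact_to_profitability": 0.9, "impact_to_public_image": 0.5},
    "Public web server": {
        "impact_to_revenue": 0.5, "impact_to_profitability": 0.4, "impact_to_public_image": 0.9},
    "Internal wiki": {
        "impact_to_revenue": 0.2, "impact_to_profitability": 0.3, "impact_to_public_image": 0.2},
}

# Constructed threat list, already ranked by the organization (first = most serious).
THREAT_RANKING = [
    "Deliberate software attacks",
    "Technical software failures or errors",
    "Acts of human error or failure",
]

# Constructed (asset, threat) -> vulnerabilities that threat could exploit on that asset.
# An (asset, threat) pair with no entry has no known vulnerability and yields no TVA row.
VULNERABILITIES = {
    ("Customer order SQL database", "Deliberate software attacks"): [
        "SQL injection in order form", "weak DBA password"],
    ("Customer order SQL database", "Technical software failures or errors"): [
        "unpatched DBMS"],
    ("Public web server", "Deliberate software attacks"): ["outdated TLS configuration"],
    ("Public web server", "Acts of human error or failure"): [
        "misconfigured vhost exposes admin panel"],
    ("Internal wiki", "Acts of human error or failure"): [
        "sensitive data pasted into a public page"],
}


def validate_weights(weights):
    """Weighted factor analysis only makes sense if the criterion weights total 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criteria weights must sum to 100, got {total}")


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Asset value = sum over criteria of (weight x score), on a 0-100 scale."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is not scored against: {sorted(missing)}")
    return round(sum(weights[c] * scores[c] for c in weights), 2)


def rank_assets(assets=ASSETS, weights=CRITERIA_WEIGHTS):
    """Return (asset, score) pairs from most to least valuable; ties keep input order."""
    scored = [(name, weighted_score(s, weights)) for name, s in assets.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def tva_worksheet(assets=ASSETS, threats=THREAT_RANKING, vulns=VULNERABILITIES,
                  weights=CRITERIA_WEIGHTS):
    """Prioritized (asset, threat, vulnerability) rows.

    Ranked assets run across the top of the worksheet and ranked threats down the
    side; walking the cells asset-first, then threat-first, gives the initial
    priority order for the asset-vulnerability pairs that need a risk assessment.
    """
    ranked_assets = [name for name, _ in rank_assets(assets, weights)]
    rows = []
    for asset, threat in product(ranked_assets, threats):
        for vulnerability in vulns.get((asset, threat), []):
            rows.append((asset, threat, vulnerability))
    return rows


if __name__ == "__main__":
    for name, score in rank_assets():
        print(f"{score:6.2f}  {name}")
    for row in tva_worksheet():
        print(" | ".join(row))
```

Two design points worth noting: the weight check catches a worksheet whose criteria were edited without renormalizing, which silently distorts every ranking, and an asset with no recorded vulnerability for a threat (the EDI transfer here) produces no TVA row, which is the signal that the vulnerability analysis for that asset is still incomplete rather than that the asset is safe.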



KEY TERMS

DATA CLASSIFICATION SCHEME
A formal access control methodology used to assign a level of
confidentiality to an information asset and thus restrict
the number of people who can access it.

1.4 RISK ASSESSMENT

The identification, analysis, and evaluation of risk as
initial parts of risk management.

1. Planning and Organizing the Risk Assessment

Create a method for evaluating the relative risk of each
listed vulnerability.

KEY TERMS
Attack Success Probability - The number of successful
attacks that are expected to occur within a specified
time period.

Likelihood - The probability that a specific
vulnerability within an organization will be the target
of an attack.

Loss Frequency - The calculation of the likelihood of an
attack coupled with the attack success probability to
determine the expected number of losses within a specified
time range.

2. Determining the Loss Frequency

Loss Frequency = Likelihood X Attack Success Probability

3. Evaluating Loss Magnitude

Determine how much of an information asset could be lost in
a successful attack.

4. Calculating Risk
RISK is the probability of a successful attack on the
organization (Loss Frequency = Likelihood X Attack Success
Probability) multiplied by the expected loss from a
successful attack (Loss Magnitude = Asset Value X Probable
Loss):

Risk = Loss Frequency X Loss Magnitude

5. Assessing Risk Acceptability


1. Ranking Risk

2. Comparing Risks

3. Taking Action

1.5 RISK CONTROL

The application of safeguards or controls to reduce risk to
an organization.

Selecting Control Strategies

Once the project team for information security development
has created the ranked vulnerability risk worksheet, the
team must choose a strategy for controlling each risk:

DEFENSE - prevent the exploitation of vulnerabilities

TRANSFERENCE - shift risk to other assets, other processes,
or other organizations

MITIGATION - reduce the impact of an attack

ACCEPTANCE - choice to do nothing more to protect a
vulnerability and to accept the outcome of its exploitation

TERMINATION - directs the organization to avoid activities
that introduce uncontrollable risks.

Justifying Controls - Must determine the actual and
perceived advantages of the control as opposed to its
actual and perceived disadvantages.

KEY TERMS IN COST BENEFIT ANALYSIS

EXPOSURE FACTOR (EF) - expected percentage of loss that
would occur from a particular attack.

SINGLE LOSS EXPECTANCY (SLE) - the calculated value
associated with the most likely loss from an attack
(SLE = Asset Value X EF).

ANNUALIZED RATE OF OCCURRENCE (ARO) - the expected
frequency of an attack, expressed on a per-year basis.

ANNUALIZED LOSS EXPECTANCY (ALE) - the product of the SLE
and the ARO.

ANNUALIZED COST OF A SAFEGUARD (ACS) - the total cost of a
control or safeguard, expressed on a per-year basis.

Single loss expectancy (SLE)

Given scenario:
Think of the computer network of a company valued at ₱1 million.
Now, suppose hackers could potentially damage 10% of that
network.

SLE = exposure factor (EF) X asset value (AV)
SLE = 0.10 X ₱1,000,000
SLE = ₱100,000



Annualized rate of occurrence (ARO)
Given scenario:
The company can experience 1 attack every 2 years.

ARO = number of occurrences / number of years
ARO = 1 / 2
ARO = 0.50

Annualized loss expectancy (ALE)

ALE = SLE X ARO
ALE = ₱100,000 X 0.50
ALE = ₱50,000

The Cost-Benefit Analysis (CBA) Formula
Determines whether a particular control is worth its cost.

Given scenario:
The company implements a firewall to protect its computer
network from cyberattacks. The firewall is expected to
reduce the ALE to ₱10,000 and costs ₱5,000 per year (ACS).

CBA = ALE(prior) - ALE(post) - ACS
CBA = ₱50,000 - ₱10,000 - ₱5,000
CBA = ₱35,000

A positive CBA means the control prevents more loss than it
costs and is justified; a negative CBA means the control
costs more than the loss it prevents, and a different
strategy (or acceptance of the risk) should be considered.
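The following Python script is an added example (not from these notes or the course textbook) that ties the risk calculation of section 1.4 to the cost-benefit analysis above: it computes Risk = Loss Frequency X Loss Magnitude for a small constructed worksheet, produces the ranked vulnerability risk worksheet, and then evaluates candidate controls with SLE, ARO, ALE and CBA. The firewall control reproduces the scenario figures above (₱1,000,000 asset, 10% exposure, one attack every two years, post-control ALE ₱10,000, ACS ₱5,000); the second control, with its costs and residual figures, is constructed to show the negative-CBA case. Asset names, probabilities and all other values are assumptions made for illustration.

```python
# Added example, not from the original notes: quantitative risk assessment and
# cost-benefit analysis using the chapter's formulas.
#   Loss Frequency = Likelihood x Attack Success Probability
#   Loss Magnitude = Asset Value x Probable Loss
#   Risk           = Loss Frequency x Loss Magnitude
#   SLE = AV x EF,  ARO = occurrences / years,  ALE = SLE x ARO
#   CBA = ALE(prior) - ALE(post) - ACS
# Every asset value, probability and control cost below is constructed for
# illustration; the firewall figures reproduce the notes' worked scenario.
from dataclasses import dataclass


def _fraction(name, value):
    """Probabilities and exposure factors must lie in [0, 1]."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {value}")
    return value


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    vulnerability: str
    asset_value: float     # currency units
    likelihood: float      # P(vulnerability is targeted in the period)
    success_prob: float    # P(attack succeeds given it is attempted)
    probable_loss: float   # fraction of asset value lost on success


def loss_frequency(e):
    return _fraction("likelihood", e.likelihood) * _fraction("success_prob", e.success_prob)


def loss_magnitude(e):
    return e.asset_value * _fraction("probable_loss", e.probable_loss)


def risk(e):
    return loss_frequency(e) * loss_magnitude(e)


def rank_risks(entries):
    """Ranked vulnerability risk worksheet: highest risk first."""
    return sorted(((e, risk(e)) for e in entries), key=lambda p: p[1], reverse=True)


def single_loss_expectancy(asset_value, exposure_factor):
    return asset_value * _fraction("exposure_factor", exposure_factor)


def annualized_rate_of_occurrence(occurrences, years):
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle, aro):
    return sle * aro


def cost_benefit(ale_prior, ale_post, acs):
    return ale_prior - ale_post - acs


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float               # ACS
    residual_exposure_factor: float  # EF once the control is in place
    residual_aro: float              # ARO once the control is in place


def evaluate_control(asset_value, exposure_factor, occurrences, years, control):
    """Return the CBA inputs and whether the control pays for itself."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    aro = annualized_rate_of_occurrence(occurrences, years)
    ale_prior = annualized_loss_expectancy(sle, aro)
    ale_post = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro,
    )
    cba = cost_benefit(ale_prior, ale_post, control.annual_cost)
    return {"sle": sle, "aro": aro, "ale_prior": ale_prior, "ale_post": ale_post,
            "cba": cba, "justified": cba > 0}


# Constructed worksheet entries.
ENTRIES = [
    RiskEntry("Customer order SQL database", "SQL injection in order form", 1_000_000, 0.5, 0.4, 0.10),
    RiskEntry("Public web server", "outdated TLS configuration", 200_000, 0.9, 0.25, 0.5),
    RiskEntry("Internal wiki", "secrets pasted into public page", 50_000, 0.3, 0.5, 0.2),
]

# Constructed controls for the notes' scenario (AV = 1,000,000; EF = 10%; 1 attack per 2 years).
FIREWALL = Control("Firewall", annual_cost=5_000, residual_exposure_factor=0.10, residual_aro=0.1)
SCRUBBING = Control("Managed DDoS scrubbing", annual_cost=60_000,
                    residual_exposure_factor=0.05, residual_aro=0.1)

if __name__ == "__main__":
    for entry, r in rank_risks(ENTRIES):
        print(f"{r:>12,.2f}  {entry.asset}: {entry.vulnerability}")
    for control in (FIREWALL, SCRUBBING):
        result = evaluate_control(1_000_000, 0.10, 1, 2, control)
        verdict = "justified" if result["justified"] else "not justified"
        print(f"{control.name}: CBA = {result['cba']:,.0f} ({verdict})")
```

The range check on every probability is deliberate: a likelihood entered as a percentage (e.g. 50 instead of 0.5) would otherwise inflate the computed risk fifty-fold and silently reorder the worksheet. The scrubbing service shows why the CBA is run per control rather than assumed: it cuts the residual loss further than the firewall does, yet its annual cost exceeds the loss it avoids, so on these figures it is not justified.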

1.6 QUANTITATIVE VS QUALITATIVE RISK MANAGEMENT PRACTICES

QUALITATIVE ASSESSMENT - uses descriptive scales to rate the
likelihood of events occurring.

QUANTITATIVE ASSESSMENT - assigns specific numerical values
to risk factors.

BENCHMARKING AND BEST PRACTICES

Metrics-based measures are based on numerical standards,
such as:

Numbers of successful attacks

Staff-hours spent on systems protection

Dollars spent on protection

Numbers of security personnel

Estimated value in dollars of the information lost in
successful attacks

Loss in productivity hours associated with successful
attacks

PERFORMANCE GAPS - the differences revealed when an
organization uses numerical standards like these to rank
itself against competing organizations.

PROCESS-BASED MEASURES - generally less focused on numbers
and more strategic than metrics-based measures.

BEST BUSINESS PRACTICES - security efforts that provide a
superior level of performance in the protection of
information.

BASELINING
Establishing a reference point or baseline against which
various security metrics are measured.

OTHER FEASIBILITY STUDIES

ORGANIZATIONAL FEASIBILITY - evaluates how a proposed
control or technology aligns with an organization's
strategic objectives and plans.

OPERATIONAL FEASIBILITY - or behavioral feasibility, gauges
employee acceptance of changes within an organization.
User acceptance is encouraged through communication,
education, and involvement.

TECHNICAL FEASIBILITY - examines whether the organization
has, or can acquire, the technology and expertise needed to
implement and manage the proposed security controls.

POLITICAL FEASIBILITY - plays a significant role in
assessing the viability of information security controls
within organizations, since a control must win the support
of the organization's decision makers and communities of
interest.
