
Risk Management

How Much to Invest in Security?
How much is too much?
- Firewall
- Intrusion Detection/Prevention
- Guard
- Biometrics
- Virtual Private Network
- Encrypted Data & Transmission
- Card Readers
- Policies & Procedures
- Audit & Control Testing
- Antivirus / Spyware
- Wireless Security

How much is too little?
- Hacker attack
- Internal Fraud
- Loss of Confidentiality
- Stolen data
- Loss of Reputation
- Loss of Business
- Penalties
- Legal liability
- Theft & Misappropriation

Security is a Balancing Act between Security Costs & Losses

Risk Management

Internal Factors

External Factors

Risk Mgmt Strategies are determined by both internal & external factors

Risk Management Process
Establish Scope & Boundaries: What to investigate? What to consider?
Risk Assessment
- Identification: What assets & risks exist?
- Analysis: What does this risk cost?
- Evaluation: What priorities shall we set?
Risk Treatment: What controls can we use? (Avoid, Transfer, Retain)
Accept Residual Risk
Risk Communication & Monitoring

Risk Appetite

Do you operate your computer with or without antivirus software? Do you have antispyware? Do you open emails with forwarded attachments from friends or follow questionable web links? Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance? Companies too have risk appetites, decided after evaluating risk

Continuous Risk Mgmt Process
- Risks change with time as business & environment changes
- Controls degrade over time and are subject to failure
- Counter measures may open new risks
Cycle (around Risk Appetite): Identify & Assess Risks, Develop Risk Mgmt Plan, Implement Risk Mgmt Plan, Proactive Monitoring

Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement
5. Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept Risk

Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels):
- Assets include:
  - IT-Related: Information/ , hardware, software, services, documents, personnel
  - Other: Buildings, inventory, cash, reputation, sales opportunities
- What is the value of this asset to the company?
- How much of our income can we attribute to this asset?
- How much would it cost to recover this?
- How much liability would we be subject to if the asset were compromised?
Helpful websites: www.attrition.

Determine Cost of Assets
Tangible $ / Intangible: High/Med/Low
Product | Costs | Sales | Risk
Product A | | | Replacement Cost= ; Cost of loss of integrity= ; Cost of loss of availability= ; Cost of loss of confidentiality=
Product B | | | Replacement Cost= ; Cost of loss of integrity= ; Cost of loss of availability= ; Cost of loss of confidentiality=
Product C | | | Replacement Cost= ; Cost of loss of integrity= ; Cost of loss of availability= ; Cost of loss of confidentiality=

Matrix of Loss Scenario (taken from CISM Exhibit 2.16)
Columns: Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Scenarios:
- Hacker steals customer data, publicly blackmails company
- Employee steals strategic plan, sells data to competitor
- Backup tapes and Cust. data found in garbage, makes front-page news
- Contractor steals employee data, sells data to hackers
Sizes of loss: 1-10K Records, 10M Records, 10K Records
Cell values as extracted (row and column placement not recoverable): $20M $2M $20M $20M $10M $5M $200K $5M $10M Min. $200K $10M 3-year Min. $1M$5M $1M$35M Min. Min. $1M$20M $1M$10M Min.

Step 1: Determine Value of Assets
Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail.; Breach Notification Law
Equipment | $10,000 | $2k per day in income | Availability

Step 2: Determine Loss Due to Threats
- Natural: Flood, fire, cyclones, rain/snow/hail and earthquakes
- Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
- Intentional: Fire, water, theft, vandalism
- Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Threat Agent Types
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, Disclosure/destruction of info | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | info warfare
Industry Spies | Competitive advantage | Info theft, econ. Exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities
- Behavioral: unsatisfied employee, uncontrolled processes, poor network design, improperly configured Equipment
- Misinterpretation: Poorly-defined procedures, employee error, Insufficient staff, Inadequate mgmt, Inadequate compliance enforcement
- Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
- Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Step 3: Estimate Likelihood of Exploitation
Best sources:
- Past experience
- Specialists and expert advice
- Economic, engineering, or other models
- Market research & analysis
- Experiments & prototypes

Likelihood of Exploitation: Sources of Losses
- Lost laptop/device: 35%
- Third party or outsourcer: 21%
- Electronic backup: 19%
- Paper records: 9%
- Malicious insider or code: 9%
- Hacked system: 7%
Source: 2009 Annual Study: Evaluation of 31 organizations

Step 4: Compute Expected Loss
Risk Analysis Strategies
Qualitative: Prioritizes risks so that highest risks can be addressed first
- Based on judgment, intuition, and experience
- May factor in reputation, goodwill, nontangibles
Quantitative: Measures approximate cost of impact in financial terms
Semiquantitative: Combination of Qualitative & Quantitative techniques

Step 4: Compute Loss Using Qualitative Analysis
Qualitative Analysis is used:
- As a preliminary look at risk
- With non-tangibles, such as reputation, image -> market share, share value
- When there is insufficient information to perform a more quantified analysis

Vulnerability Assessment Quadrant Map
[Figure: threats plotted by Threat (Probability) against Vulnerability (Severity): Hacker/Criminal, Malware, Snow emergency, Intruder, Disgruntled Employee, Fire, Terrorist, Flood, Spy]

Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, >$1M
4. Material: Requires external reporting, >$200M
5. Catastrophic: Failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact * Likelihood

SemiQuantitative Impact Matrix
Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)
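An added example, not part of the original slides, that applies the semi-quantitative scales above to a small risk register: incident history is mapped onto the likelihood scale, each risk is scored with Risk = Impact * Likelihood, and the risks are placed in the 5x5 matrix. The register entries and their ratings are constructed, and rating a never-observed event as Rare is an assumption, since the slide gives no definition for Rare.

```python
from collections import defaultdict

IMPACT = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}

def likelihood_rating(years_since_last, recurring=False):
    """Map incident history onto the slide's 1-5 likelihood scale."""
    if recurring:
        return 5        # Frequent: occurs on a regular basis
    if years_since_last is None:
        return 1        # Rare (assumption: never observed)
    if years_since_last <= 1:
        return 4        # Likely: occurred in last year
    if years_since_last <= 5:
        return 3        # Moderate: occurred in last 5 years, but not in last year
    return 2            # Unlikely: not seen within the last 5 years

def score_register(register):
    """Return [(risk, impact, likelihood, score)], highest score first."""
    rows = []
    for name, impact, years, recurring in register:
        if impact not in IMPACT:
            raise ValueError(f"impact for {name!r} must be 1-5, got {impact}")
        like = likelihood_rating(years, recurring)
        rows.append((name, impact, like, impact * like))  # Risk = Impact * Likelihood
    return sorted(rows, key=lambda r: (-r[3], -r[1], r[0]))

def matrix(rows):
    """Render the 5x5 grid as text; each cell lists the risks that fall in it."""
    cells = defaultdict(list)
    for name, impact, like, _ in rows:
        cells[(impact, like)].append(name)
    lines = []
    for impact in range(5, 0, -1):                        # Catastrophic row on top
        row = [", ".join(cells[(impact, lk)]) or "." for lk in range(1, 6)]
        lines.append(f"{IMPACT[impact]:<13} | " + " | ".join(f"{c:<20}" for c in row))
    header = " | ".join(f"{LIKELIHOOD[lk]:<20}" for lk in range(1, 6))
    lines.append(" " * 13 + " | " + header)
    return "\n".join(lines)

# Constructed register: (risk, impact rating, years since last occurrence, recurring?)
REGISTER = [
    ("Malware", 2, 0.5, True),
    ("Stolen laptop", 2, 0.8, False),
    ("Fire", 4, None, False),
    ("Flood", 3, 12, False),
    ("Disgruntled employee", 3, 3, False),
]

if __name__ == "__main__":
    ranked = score_register(REGISTER)
    for name, impact, like, score in ranked:
        print(f"{score:>2}  {name} (impact {impact}, likelihood {like})")
    print(matrix(ranked))
```

In this register the Material-impact fire scores lowest (4) because it is rated Rare, which is why the matrix position is worth reading alongside the product.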

Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
- Eg. Stolen laptop =
  - Replacement cost + Cost of installation of special software and data
  - Assumes no liability
  - With Stolen Laptop EF > 1.0
- SLE = Asset Value (AV) x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
- If a fire occurs once every 25 years, ARO=1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
- ALE = SLE x ARO

Risk Assessment Using Quantitative Analysis
Quantitative:
- Cost of HIPAA accident with insufficient protections
- SLE = $50K + (1 year in jail:) $100K = $150K
- Plus loss of reputation…
- Estimate of Time = 10 years or less = 0.1
- Annualized Loss Expectancy (ALE) = $150K x .1 = $15K

Annualized Loss Expectancy
Asset Value | 1 Yr | 5 Yrs | 10 Yrs | 20 Yrs
$1K | 1K | 200 | 100 | 50
$10K | 10K | 2K | 1K | 1K
$100K | 100K | 20K | 10K | 5K
$1M | 1000K | 200K | 100K | 50K
Asset Costs $10K, Risk of Loss 20% per Year: Over 5 years, average loss = $10K. Spend up to $2K each year to prevent loss.

Quantitative Risk (Workbook)
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notif) | 0.2 (5 years) | $1K

Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
- E.g.: Comet hits
- Ignore risk if risk exposure is negligible
Risk Avoidance: Stop doing risky behavior
- E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability
- E.g. Purchase & configure a firewall
Risk Transference: Pay someone to assume risk for you
- E.g. Buy malpractice insurance (doctor)
- While financial impact can be transferred, legal responsibility cannot
Risk Planning: Implement a set of controls

NIST Risk Assessment Methodology
Activity: System Characterization; Identify Threats; Identify Vulnerabilities; Analyze Controls; Determine Likelihood; Analyze Impact; Determine Risk; Recommend Controls; Document Results
Input: Company history; Intelligence agency data: NIPC, OIG; Audit & test results; Business Impact Analysis; Data Criticality & Sensitivity analysis
Output: System boundary, System functions, System/data criticality, System/data sensitivity; List of threats & vulnerabilities; List of current & planned controls; Likelihood Rating; Impact Rating; Documented Risks; Recommended Controls; Risk Assessment Report

Control Types
[Diagram relating Threat, Attack, Vulnerability and Impact to Deterrent, Detective, Preventive, Compensating and Corrective Controls; edge labels: Creates, Reduces likelihood of, Results in, Decreases]

[Diagram: THREAT, VULNERABILITY and IMPACT with Risk Probability; Deterrent control, Mitigating control, Detective control, Preventive control, Corrective control; Residual risk]

Controls & Countermeasures
- Cost of control should never exceed the expected loss assuming no control
- Countermeasure = Targeted Control
  - Aimed at a specific threat or vulnerability
  - Problem: Firewall cannot process packets fast enough due to IP packet attacks
  - Solution: Add border router to eliminate invalid accesses

Analysis of Risk vs. Controls (Workbook)
Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K
Cost of Some Controls is shown in Case Study Appendix
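An added example, not part of the original slides, that carries ALE = SLE x ARO from Step 4 into the rule under Controls & Countermeasures that a control should never cost more than the expected loss without it. It goes one step beyond the slides by also comparing the control's cost with the loss it actually prevents; the SLE and frequency figures are the slides', while the asset name for the HIPAA case, the control costs and the control effects are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float              # Single Loss Expectancy: cost of one occurrence ($)
    years_between: float    # expected years between occurrences

    @property
    def aro(self) -> float:
        """Annualized Rate of Occurrence: once every 25 years -> 1/25."""
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro

def evaluate_control(risk, annual_cost, sle_after=None, years_after=None):
    """Compare a control's yearly cost with the expected loss it removes.

    sle_after / years_after describe the risk once the control is in place;
    whichever is omitted is assumed unchanged by the control.
    """
    residual = Risk(risk.asset, risk.threat,
                    risk.sle if sle_after is None else sle_after,
                    risk.years_between if years_after is None else years_after)
    net = risk.ale - residual.ale - annual_cost
    if annual_cost > risk.ale:
        verdict = "reject: control costs more than the uncontrolled expected loss"
    elif net <= 0:
        verdict = "reject: control costs more than the loss it prevents"
    else:
        verdict = "mitigate"
    return {"ale_before": round(risk.ale, 2), "residual_ale": round(residual.ale, 2),
            "net_benefit": round(net, 2), "verdict": verdict}

# SLE and frequency are the slides' figures; the HIPAA asset name is assumed.
FIRE = Risk("Building", "Fire", 1_000_000, 20)                     # ARO .05
HIPAA = Risk("Medical records", "HIPAA accident", 150_000, 10)     # ARO .1
GENERIC = Risk("$10K asset", "Loss", 10_000, 5)                    # 20% per year

if __name__ == "__main__":
    # Control costs and effects below are constructed for illustration.
    for risk, cost, effect in [
        (FIRE, 60_000, {"sle_after": 100_000}),   # costs more than the ALE itself
        (HIPAA, 4_000, {"years_after": 50}),      # makes the incident rarer
        (GENERIC, 1_800, {"sle_after": 5_000}),   # under the ALE, prevents only $1K
    ]:
        print(risk.threat, evaluate_control(risk, cost, **effect))
```

The third case passes the slide's ceiling (cost below ALE) yet is still rejected, because the control removes only $1K of expected loss per year for $1.8K.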

Extra Step: Step 6: Risk Monitoring
Stolen Laptop | In investigation | $2k, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K
Security Dashboard, Heat chart or Stoplight Chart
Report to Mgmt status of security
- Metrics showing current performance
- Outstanding issues
- Newly arising issues
- How handled – when resolution is expected

Training
- Importance of following policies & procedures
- Clean desk policy
- Incident or emergency response
- Authentication & access control
- Privacy and confidentiality
- Recognizing and reporting security incidents
- Recognizing and dealing with social engineering

Security Control Baselines & Metrics
Baseline: A measurement of performance
- Metrics are regularly and consistently measured, quantifiable, inexpensively collected
- Leads to subsequent performance evaluation
- E.g. How many viruses is help desk reporting?
[Chart: Stolen Laptop, Virus/Worm and % Misuse for Year 1 to Year 4 (Company data - Not real)]

Risk Management
Risk Management is aligned with business strategy & direction
- Risk mgmt must be a joint effort between all key business units & IS
- Business-Driven (not Technology-Driven)
- Steering Committee:
  - Sets risk management priorities
  - Defines risk management objectives to achieve business strategy

Risk Management Roles
- Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
- Info. Security Mgr: Develops, collaborates, and manages IS risk mgmt process
- Chief Info Officer: IT planning, budget, performance incl. risk
- Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
- System / Info Owners: Responsible to ensure controls in place to address CIA. Sign off on changes
- IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
- Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users.

Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken
Senior Mgmt Support

Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question
The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding

Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

Question
Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets

Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO

Vocabulary to study
- Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
- Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
- Threat, threat agent, vulnerability
- Qualitative risk analysis, quantitative risk analysis
- SLE, ARO, ALE
- Due diligence, due care

HEALTH FIRST CASE STUDY
Analyzing Risk
- Jamie Ramon MD: Doctor
- Chris Ramon RD: Dietician
- Terry: Medical Admin
- Pat: Software Consultant

Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes (C? I? A?)
Medical DB | $ | DO+M+H+NL | C I A
Consequential loss components: Daily Operation (DO) $; Medical Malpractice (M) $; HIPAA Liability (H) $; Notification Law Liability (NL) $

HIPAA Criminal Penalties
$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | …committed under false pretenses
Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
- Normal threats: Threats common to all organizations
- Inherent threats: Threats particular to your specific industry
- Known vulnerabilities: Previous audit reports indicate deficiencies.

Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation
[Figure: quadrant map (quadrants 1 to 4). Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02). Vulnerability (Severity) axis: Slow Down Business, Temp. Shut Down Business, Threaten Business. Threats plotted: Hacker/Criminal, Loss of Electricity, Malware, Snow Emergency, Pandemic, Failed Disk, Tornado/Wind Storm, Stolen Laptop, Stolen Backup Tape(s), Flood, Social Engineering, Intruder, Fire, Earthquake]

Step 4: Compute Expected Loss
Step 5: Treat Risk

Step 4: Compute E(Loss)
ALE = SLE * ARO
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)

Step 5: Treat Risk
- Risk Acceptance: Handle attack when necessary
- Risk Avoidance: Stop doing risky behavior
- Risk Mitigation: Implement control to minimize vulnerability
- Risk Transference: Pay someone to assume risk for you
- Risk Planning: Implement a set of controls