
INFORMATION SECURITY RISK ASSESSMENT

Ayan Ghosh
Information Science (PG) Department
Data Analysis

● Introduction
● Compiling Observations from Organizational Risk Documents
● Preparation of Threat and Vulnerability Catalogs
● Overview of the System Risk Computation
● Designing the Impact Analysis Scheme
● Designing the Control Analysis Scheme
● Designing the Likelihood Analysis Scheme
● Putting it Together and the Final Risk Score
COMPILING OBSERVATIONS FROM DOCUMENTS

❏ Observation/Findings — A one-sentence description of the finding or observation.
❏ Description — A more detailed narrative of the observation including the cause, management response, risk, and mitigation if available.
❏ Assessment Area — The security area that the finding pertains to. For example, access control, physical security, etc.
❏ Source of the Finding — What document was reviewed and who was the author of the particular finding or observation (e.g. internal or external audit).
List of important documents
● Previous Information Security Risk Assessments
● Previous IT Risk Assessments
● Previous Internal or External Audit Reports
● Previous Legal, Regulatory, Insurance, or Framework Driven Assessments
● Previous Vulnerability Assessments
● Previous Penetration Tests
● Current Security Policies, Standards, and Procedures
● Disaster Recovery and Business Contingency Plans
● Business Impact Analysis (BIA)
● Asset Inventories
● IT and Information Security Metrics
● Facilities Security Plan
● Organizational Chart and Contact List
● Any Previous Security Presentations and Debriefs
● Security Program, Plans, and Roadmaps
● SAS70s/SSAE16
● Vendor Security Accreditations
● Technology Configuration and Hardening Guidelines or Checklists
Threat Catalog
A threat catalog is very simply a generic list of threats that are considered common information security threats.
The following is a list of threat catalogs that can be used as references:
● BITS Calculator— comprehensive list of over 600 threats. This is freely
available from the BITS website.
● Microsoft Threat Model—A list of 36 threats focusing on application security
risks. This is freely available from the Microsoft website.
● NIST SP800-30—A high level list of 5 human threat sources with 32
corresponding threat actions. This is freely available from the NIST website.
● ISO 27005—A high level list of 8 threat types with 43 corresponding threats
in Annex C of the document. This document is available for a fee.
● BSI Base IT Security Manual—A list of 370 threats. This is freely available
from the BSI website.
Vulnerability Catalog

The vulnerability catalog is simply a list of vulnerabilities that affect or could affect an organization. There are two ways to go about building the catalog:
1. Current vulnerabilities—The current vulnerabilities catalog should
be a list of vulnerabilities currently affecting the organization.
2. Hypothetical vulnerabilities—The hypothetical vulnerabilities
catalog is a list of vulnerabilities that are unverified but could
affect the organization. These vulnerabilities can be determined
based on the concerns brought up in various meetings and
executive interviews and scenarios derived from the threat
listings.
Threat Vulnerability Pairs

A threat-vulnerability pair is a matrix that matches all the threats in our listing with the current or hypothetical vulnerabilities that could be exploited by the threats.
SYSTEM RISK COMPUTATION

1. Identify the Assets.
2. Identify the Threats.
3. Identify the Vulnerabilities.
4. Determine the Impact.
5. Determine the Controls.
6. Determine the Likelihood.
IMPACT ANALYSIS SCHEME

1. Confidentiality: The data element that will provide a reliable, consistent and repeatable value for confidentiality would be the asset's data classification rating.
2. Integrity: This parameter determines the impact of unauthorized changes.
3. Availability: This parameter determines the impact of the information becoming inaccessible.
Confidentiality Impact Matrix
Integrity Impact Analysis
Availability Impact Score
CIA Score
CONTROL ANALYSIS SCHEME
Control Score
LIKELIHOOD ANALYSIS SCHEME

Likelihood in the context of an information security risk assessment is the probability that a threat may be able to exploit a weakness or vulnerability and, in so doing, affect the confidentiality, integrity, or availability of the asset. In computing likelihood, we consider two important elements that affect this probability: Exposure and Frequency.
Exposure: Exposure is the predisposition of the system to the threat based on environmental factors. Certain environments increase the likelihood of a threat.

Frequency: Frequency is the value that we assign to measure how often an event could happen. For each threat to the system, we determine the frequency value. Determination of frequency is never exact, though there are sources of information that can help the assessor in determining a value.
Likelihood

● Exposure is proportional to Likelihood. An increase in exposure increases the likelihood that a threat could successfully exploit a given vulnerability.
● Frequency is proportional to Likelihood. An increase in frequency of activities by a threat agent would increase the expected frequency of the risk being realized and thus the likelihood that a threat could exploit a given vulnerability.
● Strength of Control is inversely proportional to Likelihood. A stronger control decreases the likelihood that a threat would be able to exploit a given vulnerability.
Likelihood = ((Exposure + Frequency) / 2) × (Reverse Control)
FINAL RISK SCORE

● Threat—This was obtained via the threat catalog. Threat catalogs such as those from BITS, ISO27001, and NIST SP800-30 were used to build an initial list.
● Vulnerability—This was obtained by building a given vulnerability catalog based on sources such as interviews, assessments, and audits identifying potential issues and weaknesses in various controls in the organization. The threat plus the vulnerability give us a threat and vulnerability pair which was structured into a table.
● Impact Score—This was obtained by considering the potential impact of the threat to the confidentiality, integrity, and availability of the system by assigning scores for each of them. The category with the highest impact became the impact score for the threat and vulnerability pair.
● Likelihood Score—This was obtained by assigning scores for the exposure, frequency, and control for each of the threat and vulnerability pairs.
RISK = IMPACT × LIKELIHOOD
Putting it all together
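As an added worked example (not part of the slides), the Python script below carries the computation described on this page through for a few rows of a threat-vulnerability matrix: the impact score is the highest of the three CIA scores, Likelihood = ((Exposure + Frequency) / 2) × Reverse Control, and Risk = Impact × Likelihood. The slides do not state a scoring scale or how "Reverse Control" is derived, so the 1-to-5 ordinal scale and the definition of Reverse Control as the control score inverted on that scale (6 minus control) are assumptions made here; the assets, threats, vulnerabilities and scores are constructed sample data.

```python
"""Risk-score computation for threat-vulnerability pairs.

Added example, not taken from the slides. Assumptions (the slides do not
state them):
  * every factor is scored on an ordinal 1..5 scale;
  * "Reverse Control" is the control score inverted on that scale
    (6 - control), so a strong control (5) becomes 1 and a weak or
    missing control (1) becomes 5.
Formulas as given on the slides:
  Impact     = max(Confidentiality, Integrity, Availability)
  Likelihood = ((Exposure + Frequency) / 2) * ReverseControl
  Risk       = Impact * Likelihood
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumed ordinal scale

SCORED_FIELDS = ("confidentiality", "integrity", "availability",
                 "exposure", "frequency", "control")


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of the threat-vulnerability matrix with its assessed scores."""
    asset: str
    threat: str
    vulnerability: str
    confidentiality: int   # impact on confidentiality (data classification)
    integrity: int         # impact of unauthorized changes
    availability: int      # impact of the information becoming inaccessible
    exposure: int          # environmental predisposition to the threat
    frequency: int         # how often the threat event could happen
    control: int           # strength of the existing control

    def __post_init__(self):
        # Reject scores outside the assumed scale so a typo (e.g. 0 or 10)
        # cannot silently skew the final ranking.
        for name in SCORED_FIELDS:
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name}={value} is outside {SCALE_MIN}..{SCALE_MAX}")


def impact_score(pair: ThreatVulnPair) -> int:
    """The highest of the CIA scores becomes the impact score for the pair."""
    return max(pair.confidentiality, pair.integrity, pair.availability)


def reverse_control(control: int) -> int:
    """Invert the control score on the scale (assumption: 6 - control)."""
    return SCALE_MAX + SCALE_MIN - control


def likelihood_score(pair: ThreatVulnPair) -> float:
    """Likelihood = ((Exposure + Frequency) / 2) x Reverse Control."""
    return ((pair.exposure + pair.frequency) / 2) * reverse_control(pair.control)


def risk_score(pair: ThreatVulnPair) -> float:
    """Risk = Impact x Likelihood."""
    return impact_score(pair) * likelihood_score(pair)


def rank_pairs(pairs):
    """Highest risk first, so the register reads as a prioritized list."""
    return sorted(pairs, key=risk_score, reverse=True)


def risk_register(pairs):
    """Return (asset, threat, impact, likelihood, risk) rows, highest risk first."""
    return [(p.asset, p.threat, impact_score(p), likelihood_score(p), risk_score(p))
            for p in rank_pairs(pairs)]


# Constructed sample rows of a threat-vulnerability matrix (hypothetical
# assets, threats, vulnerabilities and scores, for illustration only).
SAMPLE_PAIRS = [
    ThreatVulnPair("HR database", "Unauthorized access by insider",
                   "Shared administrator accounts",
                   confidentiality=5, integrity=3, availability=2,
                   exposure=4, frequency=3, control=2),
    ThreatVulnPair("Public web server", "Denial of service",
                   "No request rate limiting",
                   confidentiality=1, integrity=2, availability=4,
                   exposure=5, frequency=4, control=4),
    ThreatVulnPair("Backup tapes", "Theft of media",
                   "Unencrypted tapes sent off-site",
                   confidentiality=4, integrity=1, availability=2,
                   exposure=2, frequency=2, control=1),
]


if __name__ == "__main__":
    for asset, threat, imp, lik, risk in risk_register(SAMPLE_PAIRS):
        print(f"{risk:6.1f}  impact={imp}  likelihood={lik:5.1f}  {asset}: {threat}")
```

With the sample data the register ranks the HR database first (risk 70), then the backup tapes (40) and the web server last (36): the tapes are a lower-exposure, lower-frequency threat than the web server, but the absence of any control pushes their likelihood above that of the well-controlled, highly exposed server. That is the effect the slides describe when they call strength of control inversely proportional to likelihood.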
