Risk Measurement - University of South Australia


INFORMATION RISK
MANAGEMENT
Today’s Reference:
Whitman & Mattord, Management
of Information Security, 2nd edition
Chapters 7 & 8
What’s the problem?
• Management still ask –
  • “How secure are we?”
  • “Are our controls adequate?”
  • “Do we comply with Standards?”
  • “Do we have the best blend of controls in place?”
  • “How do we measure our IS security?”
  • “What controls do I need?”
  • “How much will controls cost?”
Overview
• What is Risk Management?
• Why is it important?
• Risk Analysis
• Risk Control Strategies
• Other Risk Management Techniques
• Summary
Risk Management
[Figure extracted from Australian Standard AS/NZS 4360:2004]
Why is it important?
• Subsidiaries of large orgs. have an obligation (e.g. Agencies of SA Govt.)
• Corporate management may wish to
compare these subsidiaries
• Shareholders may demand a certain
level of compliance with Standards
• Directors have a ‘duty of care’
responsibility
• Trading partners may need you to
prove your level of security (or they
won’t trade with you)
Managing Risk
• The goal of information
security is not to bring residual
risk to zero, but to bring it in
line with an organization’s risk
appetite
Residual Risk
• When vulnerabilities have been
controlled as much as
possible, there is often
remaining risk that has not
been completely removed,
shifted, or planned for.
Risk Tolerance
• Risk tolerance (also known as
risk appetite) defines the
quantity and nature of risk that
organizations are willing to
accept, as they evaluate the
trade-offs between perfect
security and unlimited
accessibility
Risk Analysis (RA)
• Various methods
• Qualitative
• Quantitative
• Software packages
(e.g. RiskPac, RiskCalc, CRAMM, SPAN,
Courtney’s Method, Rank-it)
• The quantitative approach
  • Identify IS assets
  • Identify threats to those assets
  • Estimate probability of occurrence
  • Estimate cost of impact of threat
  • Calculate Annual Loss Exposure (ALE)
  • Build a control profile to match risk profile
Identify Assets
• Iterative process; begins with
identification of assets,
including all elements of an
organization’s system (people,
procedures, data and
information, software,
hardware, networking)
• Assets are then classified and categorized. For example:
  • Unclassified
  • Sensitive but unclassified
  • Confidential
  • Secret
  • Top secret
Identify Threats
• Realistic threats need
investigation; unimportant
threats are set aside
• Threat assessment:
• Which threats present danger to
assets?
• Which threats represent the most
danger to information?
• How much would it cost to
recover from attack?
• Which threat requires greatest
expenditure to prevent?
Threat Analysis

Threat                               | Probability (H, M, L) | Exposure (H, M, L) | Risk Impact (H, M, L)
1. Errors & omissions                |                       |                    |
2. Data network breakdowns           |                       |                    |
3. Software errors & omissions       |                       |                    |
4. Computer-based fraud              |                       |                    |
5. Accidental & natural disasters    |                       |                    |
6. Equipment failure                 |                       |                    |
7. Unauthorised access               |                       |                    |
8. Deliberate destruction of equipment |                     |                    |
9. Misuse of computing equipment     |                       |                    |
10. Theft of computers               |                       |                    |
11. Loss of key personnel            |                       |                    |
12. Theft of information             |                       |                    |
13. Logical sabotage                 |                       |                    |
14. Software piracy                  |                       |                    |
15. Loss of vital services           |                       |                    |

Ratings entered on the slide, in the order they survive in the transcript (which column each belongs to is not recoverable): Low; High; Medium, Medium; High, High; Low; Low, Low, Medium, Medium, Medium, Medium, High, Medium.
The Metrics
• Annual Loss Expectancy (ALE) = Threat probability (ARO) × Single Loss Expectancy (SLE)
• ROI is the reduction in ALE due to the implementation of the control
• Uses Courtney’s Scales
• Temptation to ‘manufacture’ desired outcome
Courtney’s Scales for calculating Annual Loss Exposure (ALE)
• Probability of occurrence of threat
  • Once in 100 years
  • Once in 10 years
  • Once per year
  • 10 times per year
  • 100 times per year
  • 1000 times per year
• Impact of threat
  • $100 million
  • $10 million
  • $1 million
  • $100,000
  • $10,000
  • $1,000
ALE matrix: ASSETS (rows) against THREATS (columns). Each filled cell gives the threat frequency, the single loss, and the resulting risk exposure per annum.

ASSETS                              | Virus Attack                | Hardware Malfunction        | Physical Sabotage             | Input Errors             | Risk Exposure per asset per annum
Application Software                | 1:1 year, $1000, $1000 pa   |                             |                               |                          | $1000 pa
Network                             | 1:1 year, $1000, $1000 pa   | 1:1 year, $10000, $10000 pa | 1:1 year, $10000, $10000 pa   |                          | $21000
Server & OS                         | 1:1 year, $10000, $10000 pa | 1:1 year, $10000, $10000 pa | 1:10 yrs, $100000, $10000 pa  | 10:1 year, $100, $1000 pa | $31000
Database                            |                             |                             |                               |                          |
IS People                           |                             |                             |                               |                          |
Risk Exposure per threat per annum  | $12000                      | $20000                      | $20000                        | $1000                    | $53000
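The quantitative approach, the ALE metric, Courtney’s scales and the matrix above can all be exercised with a few lines of code. The following is an added example and not part of the lecture material: the function and constant names are my own, the matrix cells are my reading of the slide’s values (the per-asset and per-threat totals reproduce the slide’s $53000), and the control_is_justified rule (a control is worth buying only when its ALE reduction exceeds its annual cost) is an assumption that applies the slides’ definitions of ROI and acceptance.

```python
"""Quantitative risk analysis as on the slides: ALE = ARO x SLE, summed per asset and per threat."""
from fractions import Fraction

# Courtney's scales as listed on the slides: probability steps (occurrences per year)
# and impact steps (dollars), index 0 = "once in 100 years" / "$100 million".
COURTNEY_PROBABILITY = [Fraction(1, 100), Fraction(1, 10), Fraction(1),
                        Fraction(10), Fraction(100), Fraction(1000)]
COURTNEY_IMPACT = [100_000_000, 10_000_000, 1_000_000, 100_000, 10_000, 1_000]


def parse_frequency(text: str) -> Fraction:
    """Parse the slide's 'events:years' notation: '1:10 yrs' -> 1/10 per year, '10:1 year' -> 10 per year."""
    events, years = text.split()[0].split(":")
    return Fraction(int(events), int(years))


def parse_money(text: str) -> int:
    """Parse '$10,000', '$10000' or the slide's '$100, 000' into whole dollars."""
    return int(text.replace("$", "").replace(",", "").replace(" ", ""))


def ale(aro: Fraction, sle: int) -> int:
    """Annual Loss Expectancy = Annualised Rate of Occurrence x Single Loss Expectancy."""
    return int(aro * sle)


def courtney_ale(probability_step: int, impact_step: int) -> int:
    """ALE from a pair of Courtney scale steps (indices into the two lists above)."""
    return ale(COURTNEY_PROBABILITY[probability_step], COURTNEY_IMPACT[impact_step])


ASSETS = ["Application Software", "Network", "Server & OS", "Database", "IS People"]
THREATS = ["Virus Attack", "Hardware Malfunction", "Physical Sabotage", "Input Errors"]

# Cells of the slide matrix as (frequency, single loss). Assumption: this placement is my
# reading of the transcript; blank cells are simply absent.
MATRIX = {
    ("Application Software", "Virus Attack"): ("1:1 year", "$1000"),
    ("Network", "Virus Attack"): ("1:1 year", "$1000"),
    ("Network", "Hardware Malfunction"): ("1:1 year", "$10000"),
    ("Network", "Physical Sabotage"): ("1:1 year", "$10000"),
    ("Server & OS", "Virus Attack"): ("1:1 year", "$10000"),
    ("Server & OS", "Hardware Malfunction"): ("1:1 year", "$10000"),
    ("Server & OS", "Physical Sabotage"): ("1:10 yrs", "$100000"),
    ("Server & OS", "Input Errors"): ("10:1 year", "$100"),
}


def cell_ale(matrix: dict, asset: str, threat: str) -> int:
    """ALE for one asset/threat cell; an empty cell contributes nothing."""
    entry = matrix.get((asset, threat))
    if entry is None:
        return 0
    frequency, loss = entry
    return ale(parse_frequency(frequency), parse_money(loss))


def exposure_per_asset(matrix: dict = MATRIX) -> dict:
    """Row totals: risk exposure per asset per annum."""
    return {a: sum(cell_ale(matrix, a, t) for t in THREATS) for a in ASSETS}


def exposure_per_threat(matrix: dict = MATRIX) -> dict:
    """Column totals: risk exposure per threat per annum."""
    return {t: sum(cell_ale(matrix, a, t) for a in ASSETS) for t in THREATS}


def total_exposure(matrix: dict = MATRIX) -> int:
    """Grand total of the matrix (the slide's bottom-right figure)."""
    return sum(exposure_per_asset(matrix).values())


def control_roi(ale_before: int, ale_after: int) -> int:
    """ROI as the slides define it: the reduction in ALE attributable to the control."""
    return ale_before - ale_after


def control_is_justified(ale_before: int, ale_after: int, annual_control_cost: int) -> bool:
    """Assumed decision rule: accept the risk unless the ALE reduction exceeds the control's yearly cost."""
    return control_roi(ale_before, ale_after) > annual_control_cost


if __name__ == "__main__":
    for asset, amount in exposure_per_asset().items():
        print(f"{asset:22s} ${amount} pa")
    for threat, amount in exposure_per_threat().items():
        print(f"{threat:22s} ${amount} pa")
    print(f"Total risk exposure: ${total_exposure()} pa")
    # Constructed scenario: a control halving the Server & OS sabotage exposure costs $4000 a year.
    before = cell_ale(MATRIX, "Server & OS", "Physical Sabotage")
    print("ROI:", control_roi(before, before // 2),
          "justified:", control_is_justified(before, before // 2, 4000))
```

Because the frequencies are kept as exact fractions, a "1:10 yrs" entry against a $100000 loss yields exactly $10000 pa rather than a floating-point approximation; the same code also reproduces a Courtney-scale estimate directly from scale indices, which is how the slide’s $100000 / once-in-10-years cell was arrived at.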
Benefits of RA
• Improves awareness by
involving people
• Relate security mission to
management objectives
• Identifies assets, vulnerabilities
and controls
• Improves basis for decision
• Helps justify expenditure for
security
Arguments against RA
• Not precise
• Hard to perform
• False sense of precision &
confidence
• Never up-to-date
• No scientific foundation
• Not designed for small business
• Not a self-assessment method
Risk Control Strategies
• An organization must choose one
of four basic strategies to control
risks
• Avoidance: applying safeguards that
eliminate or reduce the remaining
uncontrolled risks for the vulnerability
• Transference: shifting the risk to
other areas or to outside entities
• Mitigation: reducing the impact
should the vulnerability be exploited
• Acceptance: understanding the
consequences and accepting the risk
without control or mitigation
Avoidance
• Attempts to prevent exploitation of
the vulnerability
• Preferred approach; accomplished
through countering threats,
removing asset vulnerabilities,
limiting asset access, and adding
protective safeguards
• Three common methods of risk
avoidance:
• Application of policy
• Training and education
• Applying technology
Transference
• Control approach that attempts to
shift risk to other assets,
processes, or organizations
• If lacking, organization should hire
individuals/firms that
provide security management and
administration expertise
• Organization may then transfer risk
associated with management of
complex systems to another
organization experienced in
dealing with those risks
Mitigation
• Attempts to reduce impact of
vulnerability exploitation
through planning and
preparation
• Approach includes three types
of plans:
• Incident response plan (IRP)
• Disaster recovery plan (DRP)
• Business continuity plan (BCP)
Acceptance
• Doing nothing to protect a
vulnerability and accepting the
outcome of its exploitation
• Valid only when the particular
function, service, information, or
asset does not justify cost of
protection
• Risk appetite describes the
degree to which organization is
willing to accept risk as trade-off to
the expense of applying controls
Other RM Techniques
• Baselining
• Benchmarking
• Best Practices
• Due Care
• Due Diligence
Baselining
• Baselining is the analysis of
measures against established
standards
• In information security,
baselining is the comparison of
security activities and events
against the organization’s
future performance
Benchmarking
• Benchmarking is seeking out
and studying the practices from
other organizations that
produce the results desired,
and then measuring the
differences between the way
the organizations conduct
business
• In the field of information
security, two categories of
benchmarks are used:
• Standards of due care and due
diligence
• Best practices
Best Business
Practices
• Security efforts that seek to
provide a superior level of
performance are referred to as
best business practices
• Best security practices are those
that are among the best in the
industry, balancing access to
information with adequate
protection, while maintaining a
solid degree of fiscal
responsibility
Due Care and Due
Diligence
• For legal reasons, an organization
may be forced to adopt a certain
minimum level of security
• When organizations adopt levels of
security for a legal defense, they
may need to show that they have
done what any prudent organization
would do in similar circumstances
• This is referred to as a standard of due
care
• Due diligence is the demonstration
that the organization is persistent in
ensuring that the implemented
standards continue to provide the
required level of protection
What you need to know
• The risk analysis process
• The risk analysis metrics
• Risk control strategies
• The terminology used in this
presentation