1 of 21

Cybersecurity Risk Analysis and Management

2 of 21

THE PURPOSE OF RISK MANAGEMENT

  • Ensure the overall business and its assets are safe
  • Protect against competitive disadvantage
  • Comply with laws and best business practices
  • Maintain a good public reputation

3 of 21

STEPS OF A RISK MANAGEMENT PLAN

  • Step 1: Identify Risk
  • Step 2: Assess Risk
  • Step 3: Control Risk
  • Steps are similar regardless of context (InfoSec, Physical Security, Financial, etc.)
  • This presentation will focus on controlling risk within an InfoSec context

4 of 21

RISK IDENTIFICATION

  • The steps to risk identification are:
    • Identify your organization’s information assets
    • Classify and categorize said assets into useful groups
    • Rank assets by their necessity to the organization

The table below is a simplified example of how a company may identify and prioritize its assets:

Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical)
----- | -------------------------- | -------------- | --------------------------------------------
Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low
Cisco UCS B460 M4 Blade Server | Hardware: Networking | Database server | High
Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical
Windows 7 | Software: Operating System | Employee access to enterprise software | Medium

5 of 21

RISK ASSESSMENT

  • The steps to risk assessment are:
    • Identify threats and threat agents
    • Prioritize threats and threat agents
    • Assess vulnerabilities in current InfoSec plan
    • Determine risk of each threat

R = P * V – M + U

R = Risk

P = Probability of threat attack

V = Value of Information Asset

M = Mitigation by current controls

U = Uncertainty of vulnerability

The table below combines elements of all of these in a highly simplified format:

Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5)
----------------------- | -------------- | ------------ | ----------------- | -------------------
Disgruntled Insider: Steal company information to sell | Company data (i.e. Customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | 4.16
Fire: Burn the facility down or cause major damage | Company Facility, Personnel, Equipment | Critical | Mishandled equipment | 2.78
Hacktivists: Quality of service deviation | Company Hardware/Software | Low | Lack of effective filtering | 1.39

6 of 21

RISK CONTROL

  • The steps to risk control are:
    • Cost-Benefit Analysis (CBA)
      • Single Loss Expectancy (SLE)
      • Annualized Rate of Occurrence (ARO)
      • Annual Loss Expectancy (ALE)
      • Annual Cost of the Safeguard (ASG)
    • Feasibility Analysis
      • Organizational Feasibility
      • Operational Feasibility
      • Technical Feasibility
      • Political Feasibility
    • Risk Control Strategy Implementation

7 of 21

VULNERABILITY ASSESSMENT (CONT’D.)

  • Single loss expectancy (SLE)
    • Expected monetary loss each time a risk occurs
    • Calculated by multiplying the asset value by the exposure factor
    • Exposure factor: the percentage of the asset's value likely to be destroyed by a particular risk

8 of 21

VULNERABILITY ASSESSMENT (CONT’D.)

  • Annualized loss expectancy (ALE)
    • Expected monetary loss over a one-year period
    • Calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO)
    • Annualized rate of occurrence (ARO): the probability that a risk will occur in a particular year

9 of 21

  • Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%.
    • The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.
    • For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000, or $25,000.

11 of 21

COST-BENEFIT ANALYSIS

  • Determine what risk control strategies are cost effective
  • Below are some common formulas used in cost-benefit analysis
  • SLE = AV * EF
    • AV = Asset Value, EF = Exposure factor (% of asset affected)
  • ALE = SLE * ARO
  • CBA = ALE (pre-control) – ALE (post-control) – ASG
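The worked example ($100,000 asset, 25% exposure factor, ARO of one) and the SLE/ALE/CBA formulas above, carried through in code. This is an added example, not material from the slides: the Exposure and Safeguard classes, the three candidate controls and their dollar figures and residual EF/ARO values are constructed for illustration, and the deck's own numbers appear only as the starting exposure.

```python
"""Cost-benefit analysis of candidate safeguards with the SLE / ARO / ALE / ASG
formulas from the slides.  Added example; the classes, the candidate controls
and their dollar figures are constructed for illustration, not from the deck."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pairing before any new control is applied."""
    asset_value: float      # AV, dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO, expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and the exposure left after it."""
    name: str
    annual_cost: float               # ASG, dollars per year
    residual_exposure_factor: float  # EF once the control is in place
    residual_aro: float              # ARO once the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def cba(ale_pre: float, ale_post: float, asg: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ASG.
    Positive: the control averts more annual loss than it costs."""
    return ale_pre - ale_post - asg


def evaluate(exposure: Exposure, safeguard: Safeguard) -> dict:
    """Run the full chain for one exposure/safeguard pair and keep every intermediate."""
    ale_pre = ale(exposure.asset_value, exposure.exposure_factor, exposure.aro)
    ale_post = ale(exposure.asset_value,
                   safeguard.residual_exposure_factor, safeguard.residual_aro)
    return {
        "safeguard": safeguard.name,
        "sle_pre": sle(exposure.asset_value, exposure.exposure_factor),
        "ale_pre": ale_pre,
        "ale_post": ale_post,
        "asg": safeguard.annual_cost,
        "cba": cba(ale_pre, ale_post, safeguard.annual_cost),
    }


def rank_safeguards(exposure: Exposure, safeguards) -> list:
    """Order candidate controls by CBA, best first.  A negative CBA means the
    control costs more than the loss it averts; for those, the deck's
    acceptance or transferal strategies are the alternatives to weigh."""
    return sorted((evaluate(exposure, s) for s in safeguards),
                  key=lambda r: r["cba"], reverse=True)


# The deck's worked example: AV = $100,000, EF = 25%, ARO = 1 -> SLE = ALE = $25,000.
SLIDE_EXPOSURE = Exposure(asset_value=100_000, exposure_factor=0.25, aro=1)

# Constructed candidate controls (hypothetical names and figures).  EF and ARO
# values are binary-exact fractions so the arithmetic below is exact.
CANDIDATE_SAFEGUARDS = (
    Safeguard("Offsite backups", annual_cost=5_000,
              residual_exposure_factor=0.0625, residual_aro=1),
    Safeguard("Hardening plus monitoring", annual_cost=12_000,
              residual_exposure_factor=0.25, residual_aro=0.25),
    Safeguard("Enterprise DLP suite", annual_cost=30_000,
              residual_exposure_factor=0.125, residual_aro=0.25),
)

if __name__ == "__main__":
    for row in rank_safeguards(SLIDE_EXPOSURE, CANDIDATE_SAFEGUARDS):
        verdict = "cost-effective" if row["cba"] > 0 else "not cost-effective"
        print(f'{row["safeguard"]:<28} ALE pre ${row["ale_pre"]:>9,.0f}  '
              f'ALE post ${row["ale_post"]:>9,.0f}  ASG ${row["asg"]:>9,.0f}  '
              f'CBA ${row["cba"]:>10,.0f}  {verdict}')
```

Running the script ranks the three constructed controls: offsite backups (CBA $13,750) and hardening plus monitoring ($6,750) both pay for themselves against the $25,000 pre-control ALE, while the $30,000-a-year DLP suite comes out at a CBA of -$8,125, which is the situation in which the deck's acceptance or transferal strategies become worth considering. The range checks on EF and ARO catch the most common spreadsheet mistake, entering a percentage such as 25 where the formula expects the fraction 0.25.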

12 of 21

FEASIBILITY ANALYSIS

  • Organizational: Does the plan correspond to the organization’s objectives? What is in it for the organization? Does it limit the organization’s capabilities in any way?
  • Operational: Will stakeholders (users, managers, etc.) be able/willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
  • Technical: Is the necessary technology owned or obtainable? Are our employees trained and if not can we afford to train them? Should we hire new employees?
  • Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the budget required justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?

13 of 21

RISK CONTROL STRATEGIES

  • Defense
  • Transferal
  • Mitigation
  • Acceptance (Abandonment)
  • Termination

14 of 21

RISK CONTROL STRATEGY: DEFENSE

  • Defense: Prevent the exploitation of the system via application of policy, training/education, and technology. Preferably layered security (defense in depth)
    • Counter threats
    • Remove vulnerabilities from assets
    • Limit access to assets
    • Add protective safeguards

15 of 21

RISK CONTROL STRATEGY: TRANSFERAL

  • Transferal: Shift risks to other areas or outside entities to handle
  • Can include:
    • Purchasing insurance
    • Outsourcing to other organizations
    • Implementing service contracts with providers
    • Revising deployment models

16 of 21

RISK CONTROL STRATEGY: MITIGATION

  • Mitigation: Creating plans and preparations to reduce the damage of threat actualization

Preparation should include a:

  • Incident Response Plan
  • Disaster Recovery Plan
  • Business Continuity Plan

17 of 21

RISK CONTROL STRATEGY: ACCEPTANCE

  • Acceptance: Properly identifying and acknowledging risks, and choosing to not control them

Appropriate when:

  • The cost to protect an asset or assets exceeds the cost to replace it/them
  • When the probability of risk is very low and the asset is of low priority
  • Otherwise acceptance = negligence

18 of 21

RISK CONTROL STRATEGY: TERMINATION

  • Termination: Removing or discontinuing the information asset from the organization
  • Examples include:
    • Equipment disposal
    • Discontinuing a provided service
    • Firing an employee

19 of 21

PROS AND CONS OF EACH STRATEGY

Pros

  • Defense: Preferred all-round approach
  • Transferal: Easy and effective
  • Mitigation: Effective when all else fails
  • Acceptance: Cheap and easy
  • Termination: Relatively cheap and safe

Cons

  • Defense: Expensive and laborious
  • Transferal: Dependence on external entities
  • Mitigation: Guarantees company loss
  • Acceptance: Rarely appropriate, unsafe
  • Termination: Rarely appropriate, requires company loss

20 of 21

STANDARD APPROACHES TO RISK MANAGEMENT

  • U.S. CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-Allegro)
  • ISO 27005 Standard for InfoSec Risk Management
  • NIST Risk Management Model
  • Microsoft Risk Management Approach
  • Jack A. Jones’ Factor Analysis of Information Risk (FAIR)
  • Delphi Technique

21 of 21

  • Thank You
