This next module is a long one, covering some 50 slides, give or take a couple. Before you start, grab yourself a cup of tea and a couple of cookies and lean back, because we're going to be covering a lot of information. There are a number of considerations we go through when we do a risk assessment. Slide 38 identifies them: asset identification, threats, vulnerabilities, likelihood, and impact. The idea behind the standard approach is that we do asset valuation, we look at the vulnerabilities and threats to those assets, and from that we come up with a risk assessment. We then put controls and countermeasures in place, look at what's left over, talk to management to see whether they're willing to accept that residual risk, and repeat the process. The first step in a risk assessment is to locate the assets: where are they? Then we have to value them, and that should be a straightforward financial consideration: what's the impact if that asset should be compromised? Don't forget that we value not only tangible assets but intangible ones as well. In most cases, valuation is best done in terms of "what if I lost that asset?" Accuracy is not as critical as having a consistent approach for how you're going to do it. We do one of two things: quantitative evaluation, which is based on numbers and is generally more precise, or qualitative evaluation when we don't have the quantitative data to do the analysis. Intellectual property might be an intangible; company reputation might be an intangible. To value those, get hold of somebody in finance or accounting and let them tell you what the intangible asset is worth. There are a number of different risk management models, and you can read down through them: COBIT from ISACA, OCTAVE from the Carnegie Mellon University Software Engineering Institute, NIST SP 800-39, the international community, and even ITIL.
The first thing when we look at the NIST approach is that we have to characterize the system. Then we do threat identification, followed by vulnerability identification. We look at the current controls, determine likelihood and impact to arrive at the risk, and then come up with new control recommendations. The next two slides lay out that nine-step process from NIST SP 800-30: characterize the system, identify threats, identify vulnerabilities, analyze the current controls, determine likelihood, perform the impact analysis, determine the risk, recommend new controls, and document all of that in the risk assessment report that goes to management. We also have to aggregate risk. We have to put the little ones together, because while a number of minor risks might not individually appear to be a major risk, once you aggregate them you may realize there's a significant impact. Other ways we look at risk are factor analysis of information risk (FAIR), risk factor analysis (RFA), and probabilistic risk assessment (PRA). FAIR looks at loss event frequency, how often the loss is going to occur, against probable loss magnitude, the impact when it does. Risk factor analysis looks at four basic factors: budget risk, cost risk, technical risk, and the risk of the schedule not being completed on time. What goes into RFA? If you look at something like the maturity of a technology, we categorize it high, medium, or low. High might be facilities and equipment that require new technology or new construction in order to put the control in place. PRA is probabilistic: what's the magnitude, and what's the likelihood, in other words, what's the probability that this risk is going to occur? When we identify a risk, and there are a number of ways of doing it, we ask where it's coming from. Is it an event, an incident, a threat? What would its consequences be? What causes it to occur, what's the specific reason? How do we proactively address it?
By reducing the exposure and by implementing controls. When and where is it going to occur? When we look at threats, we look at natural threats, such as flood, fire, and tornadoes, and then at human threats, intentional and unintentional. Unintentional might be the loss of utility services. Intentional might be physical, such as bombs, fire, or water, or non-physical, like phishing attacks or social engineering. For threats we have to ask: what are the internal threats, what are the external threats, and what new emerging threats are coming about? When we look at vulnerabilities, we ask what a vulnerability is and how vulnerable we are, that is, the degree of it. Vulnerability is often used to mean a flaw or weakness in a system, in its controls, or in its design. Is it simply that we've got a weak control that isn't fully addressing the threat? How are those controls performing? What's the process by which we determine what the vulnerabilities are? The next thing we have to do is determine the degree: we do penetration testing to see how vulnerable we really are to a particular identified vulnerability. We can also identify vulnerabilities with automated vulnerability assessment tools like Nessus, Nexpose, or IBM AppScan. What are some examples? Defective software, improperly configured equipment, poor network design, insufficient staff, improperly trained staff, staff not following the procedures, using technology that hasn't been tested, single points of failure, or simply no communication among management. When we do a risk assessment we have to understand what the organization's risk profile is, because risk is part of doing business.
Failing to adequately assess risk can itself have an indirect impact on how much risk the organization actually experiences. When we look at operational risk, we look at governance, policy and procedure risk, and risk identification. Those are the different components on the left-hand side in red on this slide, and on the right-hand side are the things we do to control risk: defining a corrective action plan, defining a preventive action plan, putting together business continuity frameworks, and testing our disaster recovery plan. Where do we keep all of this information? In a central repository, so that somebody coming along after us can look at it and understand what we identified, what we did, and whether or not the control works. This slide is a good example of what a risk register might look like. Now we need to analyze the risk. We examine the source, the threats, the vulnerabilities, and their impact. What would the positive or negative consequences be if it occurred? What's the likelihood? And what controls do we already have in place? The level of risk can be estimated in a number of ways, several of which are listed on slide 66: past history, market research, economic and engineering models, and SMEs, subject matter experts. Risk analysis can vary too. We can do qualitative analysis, essentially a best guess; semi-quantitative; or quantitative, where we have real numbers to calculate things like asset value, exposure factor, and annualized rate of occurrence. In qualitative analysis we look at magnitude and likelihood and put together a matrix. That matrix looks something like this: you've got zones, with low in green, medium in yellow, high in orange, and severe in red. To go to semi-quantitative, we assign numbers to the different impact categories.
One for insignificant up to five for catastrophic, and numbers to the likelihood, one for rare up to five for frequent. We take the two numbers, multiply them together, and put the result in the matrix, and then we can use those numbers to come up with a semi-quantitative rating. That's what semi-quantitative is: we put those numbers in, aggregate them, and look at the result. Here are some values you might use to help determine what constitutes insignificant, minor, and major, and the same for likelihood: how many times has it occurred over the last year, five years, ten years? When we do quantitative analysis, we're looking at money, technical exposure, operational exposure, and human impact criteria. To calculate it, we use the single loss expectancy (SLE), which is the value of the asset times the exposure factor. Then we annualize it as the annualized loss expectancy (ALE) by introducing a third variable, the annualized rate of occurrence (ARO). Take for example a company that sells iPods and suffers denial of service attacks that lower its weekly profit by 40 percent. The asset value, $20,000, times the exposure factor, 40 percent, gives a single loss expectancy of $8,000. Now if that scenario happens seven times a year, the annualized loss expectancy would be $56,000. If the control were a monthly subscription fee of $10,000, then 10 times 12 gives $120,000 a year, so you wouldn't justify spending $120,000 a year to prevent a $56,000 annual loss. Value at risk is another approach, using Monte Carlo simulations: we look at a given period of time and at certain confidence levels, 95 percent, 96 percent, 97 percent. Once we've looked at the risks, we need to know what we're going to do with them.
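As an added example (this is not part of the lecture or its slides), here is the semi-quantitative rating matrix and the quantitative SLE/ALE cost-benefit calculation from the last two sections written out in Python. The 1-to-5 scale labels, the band cut-offs for the matrix zones, the sample risk register row, and the "aggregate by summing" rule are my assumptions; the iPod denial-of-service figures are the lecture's, with the added assumption that the subscription eliminates the loss entirely.

```python
"""Risk analysis helpers: semi-quantitative rating matrix and quantitative
SLE/ALE cost-benefit. Added example, not lecture material. Scale labels,
band cut-offs and the aggregation rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Semi-quantitative scales (assumed labels): 1 = insignificant/rare ... 5 = catastrophic/frequent.
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}

# Zones of the matrix by impact x likelihood product (assumed cut-offs):
# green/low, yellow/medium, orange/high, red/severe.
BANDS = ((4, "low"), (9, "medium"), (16, "high"), (25, "severe"))


def semi_quant_score(impact: str, likelihood: str) -> int:
    """Impact rating times likelihood rating: the cell value in the matrix."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def band(score: int) -> str:
    """Map a matrix score (1..25) to its colour zone."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


def aggregate_band(scores: Iterable[int]) -> str:
    """Aggregate several related minor risks. Assumed rule: sum the scores,
    capped at the top of the matrix, so a handful of 'low' risks on one
    asset can surface as 'medium' or 'high' once combined."""
    return band(min(sum(scores), 25))


@dataclass
class RiskRegisterEntry:
    """One row of a risk register: what, where, who owns it, and its rating."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    impact: str
    likelihood: str
    existing_controls: str
    treatment: str = "undecided"

    def score(self) -> int:
        return semi_quant_score(self.impact, self.likelihood)

    def zone(self) -> str:
        return band(self.score())


# Quantitative: SLE = AV * EF, ALE = SLE * ARO.
def sle(asset_value: float, exposure_factor: float) -> float:
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    return sle(asset_value, exposure_factor) * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a safeguard: risk reduction minus what it costs.
    Negative means the control costs more than the loss it prevents."""
    return (ale_before - ale_after) - annual_control_cost


def recommend(ale_before: float, controls: Dict[str, Tuple[float, float]]) -> Tuple[str, Optional[str]]:
    """controls maps name -> (annual cost, ALE remaining with that control).
    Choose the cost-justified control with the best value. If none pays for
    itself, mitigation is off the table and the remaining options are to
    accept, transfer (e.g. insure) or avoid, with the residual risk going to
    management for a decision."""
    best_name, best_value = None, 0.0
    for name, (annual_cost, ale_after) in controls.items():
        value = control_value(ale_before, ale_after, annual_cost)
        if value > best_value:
            best_name, best_value = name, value
    if best_name is None:
        return "accept, transfer or avoid", None
    return "mitigate", best_name


def ipod_dos_example() -> dict:
    """The lecture's figures: AV $20,000, EF 40%, ARO 7, control $10,000/month.
    Assumed: the subscription removes the loss entirely (ALE after = 0)."""
    before = ale(20_000, 0.40, 7)
    action, chosen = recommend(before, {"DDoS scrubbing subscription": (10_000 * 12, 0.0)})
    return {"sle": sle(20_000, 0.40), "ale": before, "action": action, "control": chosen}


if __name__ == "__main__":
    # Constructed register row, not from the slides.
    row = RiskRegisterEntry("R-001", "web storefront", "volumetric DoS", "no upstream filtering",
                            "Head of Operations", "major", "likely", "none")
    print(row.risk_id, row.score(), row.zone())
    print(aggregate_band([2, 3, 4]))
    print(ipod_dos_example())
```

The register row rates 4 x 4 = 16, the top of the "high" zone, while three individually "low" scores (2, 3, 4) aggregate to "medium". For the iPod scenario the only control on offer has a negative value ($56,000 prevented against $120,000 spent), so `recommend` returns no control to mitigate with and the decision falls back to accept, transfer or avoid.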
In some cases we take into consideration the organization's objectives, the scope of the risk management process, and the views of the different stakeholders. We also look at the consequences, the liability, and the cumulative impact that a series of events occurring simultaneously would have on the organization. Then we rank the risks, because management wants to know which one is most important, based on the capability of the attacker, the severity and likelihood, and the impact if the attack succeeded. We have to assign somebody ownership of each risk: somebody who has the authority to make the decision, to spend money, and to put controls in. The treatment options are to mitigate the risk by putting in controls; to accept the risk; to avoid it by not doing that part of the business; or to transfer it, for example by buying an insurance policy. What's left over, and there will always be something left over, is called residual risk. Those are the things you simply cannot prevent, and it becomes management's responsibility to look at that and say whether or not they're willing to accept it. Impact is the effect on the bottom line, which to your management ultimately means loss of money. It could be criminal or civil liability, a breach of privacy, a lost business opportunity, or a conflict of interest with your staff or your customers. The controls we put in can be one of two types: proactive, what we call preventive controls or safeguards, or reactive controls, countermeasures. Those are targeted controls, each addressing one specific risk. When we do a risk assessment we have to remember the legal and regulatory environment, and ask what the risk would be if we were not in compliance with the law. If the law is HIPAA and the data is PHI, there's a provision in HIPAA that says, management, you get to go to jail.
But we need to evaluate that: not only complete noncompliance, but what if we only partially complied? What would the impact be? When you look at the controls, you do a cost-benefit analysis, and you wouldn't want to spend more money on a control than you would lose if the risk occurred. What events might affect the minimum security baseline? It could simply be that you change that baseline. Let's say you go from Windows 7 to Windows 8, or from 8 to 10; what might that affect, and what new risks might be introduced? For the last part of this module, what I'd like you to do is tell me what you would recommend to management if the annualized loss expectancy for a particular risk is $10,000 and there are no controls available, none, zero, that cost less than $10,000. What would you recommend to management?