In this course, we will cover risk management. Understanding the organizational risk management is key to implementation of the risk management framework. First, let's look at what is risk. Risk exists in most IT programs and systems, with new types of security-related incidents emerging all the time. Organizations often find themselves playing a form of IT whack-a-mole. Preventive activities like conducting risk management assessments and business impact assessments can in some cases help lower the number of incidents, but not all incidents can be prevented or foreseen. We need to rely on programs like the risk management framework to help at least reduce the risks to an acceptable level. When we look at what is risk, we have to first look at how risk is defined. Risk is defined in the American Heritage Dictionary as the possibility of loss. Another way: the possibility of damage or harm, and the likelihood that damage or harm will be realized. In information security, risk is the likelihood that a threat source will exploit one or more vulnerabilities, or the potential to create significant impacts or consequences that affect the organization's assets. NIST Special Publication 800-30 defines vulnerability as an inherent weakness in an information system, security procedure, internal control, or implementation that could be exploited by a threat source. I created a picture here to help pull all this together for you. You see I have illustrated my asset as sheep, the control as a fence, the threat as a wolf, and the vulnerability as a hole in the fence. If I was a sheep farmer, I would need to evaluate what threats my sheep would face and try to mitigate that down to an acceptable level. Without the sheep, my farm would be severely impacted. I would put controls in place, in this case a fence, to protect the assets.
However, if my control had a vulnerability, in this case a hole in it, that can be easily translated to a software flaw, a failed patch, a malfunction in hardware, you get the picture. What would be the chances that the threat will capitalize on that vulnerability and affect the assets? The higher the probability, the higher the risk. When identifying threats, you first need to understand the threats, vulnerabilities, and risks to your organization. They could be natural, such as fire, floods, tornadoes, hurricanes, storms, earthquakes, those types of things. They could be human, either criminal or user error: a malicious outsider, a malicious insider, loss of key personnel, human errors, etc. It could be technical, such as a hardware failure, software failure, malicious code, unauthorized use, wireless, or some other technological failure that introduces a vulnerability. It could be physical: a closed-circuit television failure due to faulty components, a perimeter defense going down, the gates not working properly, a lock not locking the way it's supposed to, etc. It could be environmental, such as hazardous waste, biological agents, utility failures, or operational: a process, either manual or automated, that affects the confidentiality, integrity, and availability. It could also include things like compliance and regulatory risks, financial risks, legal risks, political risks, project risks, reputational risks, safety risks, etc. My point here is that you need to evaluate the risk based on your business. When we look at risk, we need to consider that a threat will most likely exploit a vulnerability to cause harm to an asset. We look at likelihood. This is the chance that a threat will be realized by taking advantage of an exposure, or probability and frequency when dealing with quantitative assessments. Impact. This is the way a protected asset could be affected or harmed by a threat based on a vulnerability present in the environment. Exposure.
Establishing a realistic potential for the organization to face certain types of threats. The wolf ate my sheep. Now I'm out of business. Obviously, the organization will have a greater exposure to those threats posed by the organization's activities. For instance, an organization involved in commercial fishing faces a threat of losing a person to drowning, whereas a metropolitan bicycle messenger service does not. Location might be another factor that affects exposure. Some natural disasters are native to certain geographical locations while others are not. Based on that, we implement countermeasures. Countermeasures are what we put in place in order to reduce the threat's ability to exploit the exposure, or that can lessen the impact to the organization when a threat is able to exploit a vulnerability. If we put countermeasures in place, we may end up with residual risk. Residual risk is the risk that remains after security controls have been put in place as a means of risk mitigation. This is basically the amount of risk that is left over when appropriate controls are properly applied to lessen or remove the vulnerability. We need to look at total risk versus residual risk. Total risk is the amount of risk an organization would face if no safeguards were implemented. All risks, threats, and vulnerabilities are measured for the potential capability to compromise one or all of the CIA triad, which is the confidentiality, integrity, and availability principles. This is the process known as threat modeling, a process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigation. Residual risk is the risk that's remaining after security controls have been put in place as a means of risk mitigation. This is basically the amount of risk that is left over when the appropriate controls are properly applied to lessen or remove the vulnerabilities, as I've previously stated.
Total risk versus residual risk can be calculated by looking at threat times vulnerability times the asset value; that's going to give you the total risk. Total risk minus control gap equals your residual risk. When we're trying to evaluate risk, we would have threat times vulnerability times the cost of mitigation, times the consequences. Consequences are calculated by looking at likelihood times impact. What is an acceptable level of risk? This is the suitable level of risk commensurate with the potential benefits of an organization's operations, as determined by senior management. Senior management will determine what level of risk the organization is willing to accept. This is also known as the risk appetite. This is relative to the rewards offered by conducting the operations. Remember that every organization makes its own determination of what constitutes acceptable risk and how to manage that risk. Let me see if I could frame this in another way. An acceptable level of risk might be something you do at home when you're getting ready to go to bed. If you have a two-story house, you lock all the doors and windows on the first floor, and then you go upstairs. It's a nice breezy day. You may open the windows on the second floor to get that breeze and have the benefit of that breeze without wasting electricity. However, you are making a decision to open the windows knowing that there is a possibility that someone may come in through that window on that second-story floor. However, the risk of that happening is very low, since in order to get into the window, they would have to come with a 30-foot ladder, place it on the side of the house, and then come in through the window. You have made a decision and determined that this is an acceptable level of risk: to keep the windows open and benefit from the wind, in contrast to the risk that might be posed by someone coming in through the window. How can an organization deal with risk?
An organization can mitigate, avoid, transfer, or accept the risk by reducing it to an acceptable level. Risk mitigation is putting security controls in place to attenuate the possible impact or likelihood of a specific risk. This is done by applying controls to reduce or mitigate the risk to an acceptable level. They can also avoid the risk. This is determining that the impact and/or likelihood of a specific risk is way too great to be offset by any potential benefit, and not performing a certain business function because of that determination. Basically, risk avoidance is discontinuing the activity because you don't want to accept its risk. Another one is risk assignment or transfer. This is also known as risk sharing. This is paying an external party to accept the financial impacts of a given risk, basically passing the risk to another entity like an insurance company. But remember, not all risk can be transferred. The final one is risk acceptance. This is making the determination that the potential benefit of a business function outweighs the possible risk's impact or likelihood, and performing that business function with no other action. Basically, this is an explicit decision to not mitigate and instead live with the risk, because usually a lower level of impact is expected; the trade-off here is the cost-benefit analysis to support that decision. Organizations can perform a risk assessment in one of two ways, quantitatively or qualitatively. Quantitative risk analysis determines if risk mitigation costs outweigh the risk itself. It assigns real numbers, costs, to the elements of the risk analysis process. For example, safeguard costs, asset value, business impact, threat frequency, safeguard effectiveness, exploit probabilities, etc. The frequency, probability, impact, countermeasure effectiveness, and other aspects of the risk assessment have a discrete mathematical value in a pure quantitative analysis.
The key to remember here when we're talking about quantitative analysis is that it is based on real numbers and cost. Qualitative analysis produces results that are descriptive versus measurable. This analysis is more subjective, no real numbers, mostly opinion based on scenarios of risk possibilities and ranking the seriousness of the threats and validity of the countermeasures, usually using grades like high, medium, and low, or other classifications. Arrangements of assets into categories can also assist with this; that can express the value of assets or resources without using numbers. The key to remember here is that qualitative assessment is based on judgment, best practices, intuition, and experience. Often, the risk assessment in an organization is conducted using a combination of quantitative and qualitative methods, or more of a hybrid analysis, because fully quantitative assessments may not be possible; there's always some subjective input present, like the value of information. Remember that risk equals threat times vulnerability. Reducing either the threat agent or the vulnerability will directly result in a reduction in risk. There is a formula we use for risk versus mitigation calculation, and I've placed it on the screen here for you: asset value times exposure factor is going to equal single loss expectancy, then you multiply that times your annual rate of occurrence, which gives you your annualized loss expectancy. This also goes into what we call your safeguard value. Let me see if I can walk you through an example here. First, we need to figure out the asset value. Let's say that we have a building worth one million dollars. The next thing is we need to calculate the exposure factor.
Let's say that the last time someone ran into the building, they caused $100,000 worth of damage. So the single loss expectancy, SLE, is the expected negative impact related to a particular risk, the risk being assessed. The result will be our single loss expectancy, or SLE, so we would have AV, or asset value, one million dollars, times the exposure factor. We're going to break that into 10 percent, and 10 percent of one million dollars is $100,000, so our single loss expectancy is $100,000. Next, we calculate the annual rate of occurrence. Annual rate of occurrence is the number of times per year a given impact is expected. This is expressed as a number; let's say someone seems to run into the building once every four years, that's going to be 1/4 or 0.25. Our single loss expectancy, $100,000, times our annual rate of occurrence, 0.25, is going to equal an annual loss expectancy of $25,000. The annual loss expectancy of $25,000 is the result of your single loss expectancy multiplied by the annual rate of occurrence, which gives us the estimated annual cost related to a particular risk. Basically, you can expect to set aside $25,000 a year for four years in order to cover the expected building damage of $100,000, which becomes your safeguard value, or you could simply invest $20,000 for concrete pillars or bollards or barriers to put in front of the building and mitigate that risk of people running into the building or hitting the building, and then that $25,000 is saved. You would be saving $80,000 over that four-year period by investing $20,000 now to remediate the risk. Remember, quantitative analysis is based on real numbers like costs to assets or resources, so we need to figure out our annualized loss expectancy in order to figure this out.
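The building example above, worked in Python as an added example that is not part of the course material; the AV x EF = SLE and SLE x ARO = ALE formulas are the lecture's, while the control_value function (ALE before the control minus ALE after it, minus the control's annual cost) is the standard safeguard cost/benefit formula added here.

```python
# Added example (not from the course): the lecture's quantitative risk formulas
# and the cost/benefit comparison of a safeguard against the expected loss.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, annual_rate_of_occurrence: float) -> float:
    """ALE = SLE x ARO. ARO is events per year (0.25 means once every four years)."""
    if annual_rate_of_occurrence < 0:
        raise ValueError("ARO cannot be negative")
    return sle * annual_rate_of_occurrence


def saving_over_period(ale: float, one_time_safeguard_cost: float, years: float) -> float:
    """Loss avoided over `years` minus a one-time safeguard cost, as the lecture
    treats the bollards. Positive means the safeguard pays for itself."""
    return ale * years - one_time_safeguard_cost


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Standard annual safeguard value (my addition, not from the lecture):
    reduction in ALE minus what the control costs per year. A control that
    only lowers the ARO rather than eliminating it leaves residual ALE."""
    return (ale_before - ale_after) - annual_control_cost


def building_example() -> dict:
    """The lecture's numbers: $1M building, 10% exposure factor, hit once every
    four years, $20,000 one-time bollard cost."""
    sle = single_loss_expectancy(1_000_000, 0.10)       # $100,000 per event
    ale = annualized_loss_expectancy(sle, 0.25)         # $25,000 per year
    saving = saving_over_period(ale, 20_000, 4)         # $80,000 over four years
    # Constructed variant: bollards that cut the ARO to one hit in 20 years
    # instead of eliminating hits, amortised at $5,000 per year.
    residual_ale = annualized_loss_expectancy(sle, 0.05)
    value = control_value(ale, residual_ale, 5_000)
    return {"sle": sle, "ale": ale, "saving_over_4_years": saving,
            "residual_ale": residual_ale, "annual_control_value": value}


if __name__ == "__main__":
    print(building_example())
```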
In summary, in this course we've discussed risk versus acceptable level of risk; the types of risks, natural, human, technical, physical, environmental, and operational; total risk versus residual risk; and dealing with risks through risk mitigation, risk avoidance, risk assignment or transference, or risk acceptance. We also discussed risk assessment methods such as quantitative risk analysis and qualitative risk analysis.