
Analytical Risk Management
A Systems Approach to Security Decision Making

U.S. Department of Commerce
Office of Security (OSY)
Process Overview                                              Updated 09/30/11

Security is Everyone's Responsibility – See Something, Say Something!
What is Risk Management?

The process of selecting and implementing security countermeasures to
achieve an acceptable level of risk at an acceptable cost.
Risk Avoidance vs. Risk Management

- Risk Avoidance (the "Checklist" approach)
  - Assumes an aggressive opponent in all scenarios
  - Counters ALL possible vulnerabilities
  - Responds based on worst-case scenarios
Risk Avoidance vs. Risk Management

- Risk Management
  - Integrates the process of assessing the threat, the vulnerabilities,
    and the value of the asset to the owner
  - Weighs the risk of compromise/loss against the cost of security practices
Identify Assets and Loss Impacts
ASSESS ASSETS

- Determine critical assets requiring protection
- Identify undesirable events and expected impacts
- Value/prioritize assets based on consequence of loss
What is an Asset?

An asset is anything of value (people, information, equipment,
facilities, activities/operations, etc.).
Crafting Undesirable Event Statements
Some Examples:

Undesirable Event                  Results In A Loss (describe)
---------------------------------  ----------------------------------
Vehicle bombing                    Massive loss of life
Package bomb                       Limited loss of life
Letter bomb                        Possible death or injury
Employee espionage                 Extensive loss of classified info.
Accidental disclosure              Minor loss of classified info.
Collection of TEMPEST emanations   Loss of classified info.
Anti-US demonstration              Immobilization of VIP convoy
Surreptitious entry                Loss of classified documents
Massive flooding                   Destruction of valuable tools
Identify and Characterize the Threat
ASSESS THREATS

- Identify threat categories and adversaries
- Assess intent and motivation of each adversary
- Assess capability of each adversary
- Estimate threat relative to each critical asset
- Determine frequency of past incidents
Threats and Adversaries

- What is a threat?
  - Any indication, circumstance, or event that can cause the loss of,
    damage to, or the denial of an asset
- Who is an adversary?
  - Any entity that conducts, or has the capability and intention to
    conduct, activities detrimental to interests or assets
Types of Threats

- Foreign Intelligence Services
  - Facility penetration
  - Non-access attack
  - Recruiting staff
- Terrorist Threats
  - Kidnapping
  - Bombing
  - Sabotage
- Natural Threats
  - Fire
  - Flood
  - Wind (storm, hurricane)
  - Earthquake
- Criminal Threats
  - Fraud, theft, robbery
  - Arson
  - Vandalism
  - Computer hacking
- Insider Threats
  - Espionage
  - Misuse of equipment
  - Malicious acts by disgruntled staff
- Military Threats
  - War
  - Insurrection
  - Military action
Identify and Analyze Vulnerabilities
ASSESS VULNERABILITIES

- Identify vulnerabilities of specific assets related to undesirable events
- Identify existing countermeasures and their level of effectiveness in
  reducing vulnerabilities
- Estimate degree of vulnerability to each asset and threat
Vulnerabilities

Vulnerability - Any weakness that can be exploited by an adversary to gain
access to an asset.

- For example, vulnerabilities can result from:
  - building characteristics
  - equipment properties
  - personal behavior
  - locations of people, equipment and buildings
  - operational and personnel practices
Identify Risks
ASSESS RISKS

- Estimate degree of impact relative to each critical asset
- Estimate likelihood of attack by a potential adversary or threat
- Estimate likelihood that a specific vulnerability will be exploited
- Determine relative degree of risk
- Prioritize risks based on integrated assessment
Risk Formula

Risk = Impact x (Threat x Vulnerability)

  Asset ..................... Impact of Unwanted Event
  Threat + Vulnerability .... Likelihood of Unwanted Event
  Impact x Likelihood ....... Risk
Identify Countermeasures, Costs & Benefits
DETERMINE COUNTERMEASURE OPTIONS

- Identify potential countermeasures to reduce V (vulnerability) and/or
  T (threat) and/or I (impact)
- Identify countermeasure benefits in terms of risk reduction
- Identify countermeasure costs
- Conduct countermeasure cost-benefit and tradeoff analyses
- Prioritize options and prepare a recommendation for the decision maker
Countermeasure Costs and Benefits

- Countermeasures
  - An action taken or a physical entity used to reduce or eliminate one
    or more of V (vulnerability), T (threat), and/or I (impact)
- Cost-Benefit Analysis
  - The part of the process in which the costs and benefits of
    countermeasures are compared and the most appropriate alternative
    selected
  - Cost: Tangible, operational, and other costs of countermeasures
  - Benefit: Amount of risk reduction based on the overall effectiveness
    of countermeasures
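As an added worked example (not OSY material and not part of the original deck), the following Python script applies the deck's formula Risk = Impact x (Threat x Vulnerability) to a small constructed risk register, ranks the risks, and then runs the cost-benefit tradeoff of the two preceding slides: each countermeasure is modelled as scaling V, T and/or I for specific asset/event pairs, its benefit is the total risk reduction it buys, and options are picked by marginal benefit per unit cost under a budget. The 1-5 rating scale, the multiplicative effect model, the greedy selection rule, and every asset, rating, countermeasure name and cost are assumptions made for illustration; the deck prescribes none of them.

```python
"""Added worked example of the ARM risk formula and countermeasure
cost-benefit analysis. All assets, ratings, countermeasures and costs are
constructed for illustration; the 1-5 scale and the multiplicative
countermeasure effects are assumptions the deck does not specify."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One (asset, undesirable event) pair with its three rated factors."""
    asset: str
    event: str
    impact: float         # I: consequence of loss to the owner, 1-5
    threat: float         # T: adversary intent x capability, past incidents, 1-5
    vulnerability: float  # V: exploitable weakness net of existing controls, 1-5

    def score(self) -> float:
        # The deck's formula: Risk = I x (T x V); T x V is the likelihood term.
        return self.impact * (self.threat * self.vulnerability)


@dataclass(frozen=True)
class Countermeasure:
    """An option that scales I, T and/or V for specific (asset, event) pairs.
    effects maps (asset, event) -> (i_factor, t_factor, v_factor);
    a factor of 1.0 leaves that term unchanged, 0.5 halves it."""
    name: str
    cost: float   # tangible + operational cost in budget units (must be > 0)
    effects: dict


def apply(risk: Risk, cm: Countermeasure) -> Risk:
    """Return the risk as it would stand with the countermeasure in place."""
    fi, ft, fv = cm.effects.get((risk.asset, risk.event), (1.0, 1.0, 1.0))
    return replace(risk, impact=risk.impact * fi, threat=risk.threat * ft,
                   vulnerability=risk.vulnerability * fv)


def total_risk(risks) -> float:
    return sum(r.score() for r in risks)


def benefit(risks, cm: Countermeasure) -> float:
    """Benefit = total risk reduction the countermeasure buys on this register."""
    return total_risk(risks) - total_risk([apply(r, cm) for r in risks])


def prioritize(risks):
    """Rank the register highest risk first (the 'assess risks' step)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def select_under_budget(risks, options, budget: float):
    """Greedy cost-benefit tradeoff: repeatedly take the affordable option with
    the best marginal risk reduction per unit cost. Benefits are recomputed
    after each pick because overlapping countermeasures do not add linearly.
    Returns (chosen names, residual risk, total spent)."""
    current, remaining = list(risks), list(options)
    chosen, spent = [], 0.0
    while True:
        scored = [(benefit(current, cm) / cm.cost, cm)
                  for cm in remaining if cm.cost <= budget - spent]
        scored = [(ratio, cm) for ratio, cm in scored if ratio > 0]
        if not scored:
            break
        _, best = max(scored, key=lambda pair: pair[0])
        current = [apply(r, best) for r in current]
        chosen.append(best.name)
        spent += best.cost
        remaining.remove(best)
    return chosen, total_risk(current), spent


# Constructed risk register; event wording follows the deck's examples.
RISKS = [
    Risk("Classified documents", "Surreptitious entry", 5, 3, 4),    # 60
    Risk("Classified documents", "Accidental disclosure", 2, 4, 3),  # 24
    Risk("Headquarters staff", "Vehicle bombing", 5, 1, 4),          # 20
    Risk("VIP convoy", "Anti-US demonstration", 3, 2, 2),            # 12
]

# Constructed countermeasure options (names, costs and effects are assumptions).
TRAINING = Countermeasure("Classified handling training", 10, {
    ("Classified documents", "Accidental disclosure"): (1.0, 0.5, 1.0),
    ("Classified documents", "Surreptitious entry"): (1.0, 1.0, 0.75),
})
ACCESS_CONTROL = Countermeasure("Access control upgrade", 40, {
    ("Classified documents", "Surreptitious entry"): (1.0, 1.0, 0.5),
})
BARRIERS = Countermeasure("Vehicle barriers", 60, {
    ("Headquarters staff", "Vehicle bombing"): (1.0, 1.0, 0.25),
})
ROUTE_VARIATION = Countermeasure("Convoy route variation", 5, {
    ("VIP convoy", "Anti-US demonstration"): (1.0, 1.0, 0.5),
})
OPTIONS = [TRAINING, ACCESS_CONTROL, BARRIERS, ROUTE_VARIATION]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.score():6.1f}  {r.asset} / {r.event}")
    for cm in OPTIONS:
        print(f"{cm.name:30} cost {cm.cost:5.1f}  benefit {benefit(RISKS, cm):5.1f}")
    chosen, residual, spent = select_under_budget(RISKS, OPTIONS, budget=60)
    print("Recommend:", chosen, "| spent", spent, "| residual risk", residual)
```

Benefits are recomputed after each pick on purpose: once training has cut the surreptitious-entry vulnerability, the access control upgrade removes less residual risk than it would on its own, so its ranking drops below the cheap convoy option. The recommendation to the decision maker should carry the residual risk and the spend alongside the chosen list, since with this budget the vehicle-bombing risk is left untreated and that needs to be stated explicitly.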
What We Want You to Remember

ARM is:
- A structured yet flexible approach to understanding your security posture
- A process for developing effective security countermeasures and options
  that consider cost & benefit
- A snapshot in time that provides an audit trail
Discussion of Risk Management Process