Risk Management Benefit by fmb31949


Risk Management Benefit document sample

More Info
									Risk Management

           Risk Management
•   Risk controls
•   Control categories
•   Cost-benefit analysis
•   Risk control methods

             Risk Controls
• There are four main types:
  – Avoidance
  – Transference
  – Mitigation
  – Acceptance
• Strategy selection methods:
  – Evaluation
  – Assessment
  – Maintenance
              Risk Controls
• Avoidance refers to either reducing or
  eliminating threats posed by identified
• Methods available are:
  – Apply policy already in place
  – Provide training to key personnel
  – Educate all involved about the vulnerability
  – Implement security controls

             Risk Controls
• Transference refers to shifting the risk to
  other entities of the organizations
• Example: When the inventory system is
  under attack, move the inventory update
  process to another server where the
  partners have access to update. Using
  additional validation techniques the data is
  then transferred to the main server
  connected to the sales terminals.

                Risk Controls
• Mitigation refers to minimizing the impact of an
  attack or the exposure to a known threat
• Methods for mitigation are:
  – Incident response plan
  – Disaster recovery plan
  – Business continuity plan
• Incident response plan involves:
  – An identified set of steps to be taken during a disaster
  – Acquire intelligence on the nature of attack
  – Analyze information

                Risk Controls
• Disaster recovery plan involves:
  – Procedures for recovering lost data
  – Procedures for resumption of service
  – Take systems offline to assess damage and protect
• Business continuity plan involves:
  – Procedures to activate the backup site (hot, warm, or
  – Procedures for resumption of telecommunication
    among the key personnel

              Risk Controls
• Acceptance involves:
  – Knowing the level of risk assumed from an
  – Estimate the potential loss
  – Perform a cost-benefit analysis
  – Evaluate controls in place
  – Cost required to protect an asset does not
    justify the damage caused by an attack

           Control Categories
• Rules of thumb:
  – Implement security controls to address known
    vulnerabilities (e.g., people sharing passwords.
    Security control could be only one login per userid)
  – Cost of protection exceeds cost of asset being
    protected (e.g., sales information is confidential but
    not critical. Slow the response rate on dial-in lines,
    drop connections periodically). Goal is to make it
    inconvenient for the hacker to keep trying
  – Potential loss is significant (e.g., check processing
    system could be exposed. Augment procedures for
    check issuance and limit the check value under
    normal conditions to less than $1,000)
         Control Categories
• Control function
  – Preventive (policy change, access control)
  – Detective (IDS, audit trail)
• Architectural control
  – Connection between internal and external
  – Access to extranets
  – Use of DMZs
  – Allowed applications

          Control Categories
• Information Security control involves:
  – Confidentiality
  – Integrity
  – Availability
  – Authentication
  – Authorization
  – Accountability
  – Privacy

      Cost – Benefit Analysis
• Difficult to evaluate value of information
• Consequently, difficult to evaluate value of
  cost of protection
• Cost includes:
  – Equipment
  – Software
  – Training
  – Implementation
  – Maintenance
       Cost – Benefit Analysis
• Benefit is the value to the organization coming
  from the security system
• Value could be intrinsic or acquired due to the
  security provided to information
• Value could also be calculated by the cost of
  replacing the information system in place
• Value to owners
• Value to competitors
• Loss of productivity
• Loss of revenue
       Cost – Benefit Analysis
• Single loss expectancy (SLE) is the loss from a
  single attack
• SLE = AV * EF where AV denotes asset value
  and EF denotes exposure factor
• Annual Loss Expectancy (ALE) is the loss
  expected from all threats during one year
• ALE = SLE * ARO where ARO denotes annual
  rate of occurrence (i.e. the number of times a
  particular type of loss is likely to occur in one

        Cost – Benefit Analysis
• Example: AV is $100,000. EF is 10% (i.e. that a
  hacker would disable 10% of the services on the
  company’s website). Hence, SLE = 100000 * .1 =
  10000. Assume that the loss due to the vulnerability
  is likely to occur once in two years. Hence ARO = ½
  = 0.5 and so ALE = 10000 * .5 = 5000
• The above example shows that unless the
  protection is increased to address the vulnerability,
  the business is expected to lose $5,000 per year
• This amount is then used in calculating the cost of
  protection to see if there is a benefit in protecting the
  system or not.

       Cost – Benefit Analysis
• CBA = ALE (pre-control) – ALE (post-control) – ACS
  where CBA is the cost-benefit analysis amount
  and ACS is the Annual Cost to Safeguard
• In calculating CBA the organization should view
  security as an investment and not as an
• ROI should not be the only factor in evaluating
  security investments
• Many of the security investment benefits are
  intangible, such as goodwill generated due to
  the reliability of the operational system
        Risk control methods
• Qualitative measure could be on a scale of 1 to
  10 for assessing the value of information that
  needs to be protected. This usually refers to an
  individual developing the ranking.
• Delphi technique method is a qualitative method,
  except that the qualitative value is averaged out
  from a group of people giving their rankings
  rather an individual providing the ranking
• OCTAVE (Operationally Critical Threat, Asset,
  and Vulnerability Evaluation) method developed
  by CERT is another tool available for risk
• Management of Information Security by
  M.E.Whitman and H.J.Mattord, Course
  Technology, 2004
• OCTAVE http://www.cert.org/octave/


To top