Principles of Information System Security: Text and Cases


1 Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

2 Principles of Information System Security: Text and Cases
Chapter Nine: Risk Management for Information System Security

3 Learning Objectives
- Understand the three components of risk management
- Describe the nine steps of risk assessment
- Recognize the four classes of vulnerabilities
- Be familiar with the COBRA and I2S2 models
Copyright 2006 John Wiley & Sons, Inc.

4 Six Steps of Systems Development
- Initiation
  - The need for an IT system is expressed
  - The purpose and scope are established
  - The risks associated with the new system are explored
- Requirements assessment
  - All user requirements are assessed
  - The risks identified feed into architectural and design trade-offs in systems development

5 Six Steps of Systems Development (cont’d)
- Development or acquisition
  - The IT system is designed or acquired
  - Controls identified in the previous step are integrated into system designs
- Implementation
  - The IT system is implemented
  - The risks specific to the context are reviewed and implementation challenges considered

6 Six Steps of Systems Development (cont’d)
- Operation or maintenance
  - Changes, upgrades, and modifications to the IT system are made
  - The risk management activities are performed regularly
- Disposal
  - Legacy systems are phased out
  - Safe disposal of hardware and software

7 Three Essential Components of Risk Management
- Risk assessment: identifying risks and assessing their potential impacts
- Risk mitigation: prioritizing, implementing, and maintaining an acceptable level of risk
- Risk evaluation: continuous appraisal of the risk management process

8 Risk Assessment
- The process of determining potential threats throughout the system development process
- Risk is a function of the likelihood of a given threat resulting in certain vulnerabilities
- Nine steps of risk assessment proposed by the US National Institute of Standards and Technology (discussed in the next few slides)

9 System Characterization
- It helps in identifying the boundaries of the system
- It also helps in scoping the risk assessment task
- It can be achieved by understanding technical aspects of the system and related roles and responsibilities

10 Threat Identification
- Compile a list of threat sources that might be applicable to a given IT system
- Intentional threats reside in the motivations of humans to undertake potentially harmful activities
- Unintentional threats are benign instances

11 Threat Identification, Table 9.1

12 Vulnerability Identification
- Identify flaws and weaknesses that could possibly be exploited because of the threats
  - Behavioral and attitudinal vulnerabilities
  - Misinterpretations
  - Coding problems
  - Physical vulnerabilities

13 Control Analysis
- Analyze and implement controls that would minimize the likelihood of threats
- Compliance-oriented or self controls
- Information utilization or information creation

14 Classes of controls, Fig 9.2

15 Likelihood Determination and Impact Analysis
- There are three elements in calculating the likelihood
  - Source of the threat, motivation, and capability
  - Nature of the vulnerability
  - Effectiveness of current controls

16 Likelihood Determination, Table 9.2

17 Magnitude of Impact, Table 9.3

18 Risk Determination
- It helps in assessing the level of risk to the IT system
- It can be expressed as a function of
  - The likelihood of a given threat exercising the vulnerability
  - The magnitude of the impact of the threat
  - The adequacy of planned or existing security controls

19 Level of Risk Matrix, Table 9.4

20 Control Recommendations and Results Documentation
- Control recommendation deals with suggesting appropriate controls given the level of risk identified
  - Effectiveness of recommended controls
  - Existing legislative and regulatory issues
  - Current organizational policy
  - Organizational impact
  - Safety and reliability of the proposed controls

21 Risk Mitigation
- The process of prioritizing, evaluating, and implementing appropriate controls
  - Do nothing
  - Risk avoidance
  - Risk prevention
  - Risk planning
  - Risk recognition
  - Risk insurance

22 Risk Mitigation Flow of Activities, Fig 9.3

23 Summary of Technical, Formal, and Informal Controls, Table 9.3

24 Risk Evaluation and Assessment
- Continual change suggests that the risk management task needs to be re-evaluated on a continuing basis
- Continuous support of senior management needs to be stressed
- The skill levels of the IT team need to be reassessed on a regular basis
- Evaluation is a means to ensure feedback

25 COBRA
- A hybrid model for software Cost Estimation, Benchmarking, and Risk Assessment
- There are two major types of cost estimation techniques available today
  - Developing an algorithmic model: depends too much on past project data, which is often missing
  - Informal approaches: depend on an experienced estimator, who is difficult to find

26 COBRA (cont’d)
- It was developed by Briand, Emam, and Bomarius at the Fraunhofer Institute for Experimental Software Engineering in Germany
- It utilizes both expert knowledge (experienced estimators) and quantitative project data (in a limited amount) to perform cost modeling

27 Overview of Productivity Estimation Model, Fig 8.4

28 COBRA (cont’d)
- The relationship between Productivity (P) and Cost Overhead (CO) is:
  P = β0 − (β1 × CO)
  - Where β0 is the productivity of a nominal project
  - And β1 is the slope between CO and P
- The advantage is that it uses only a small set of historical data (around 10)

29 COBRA (cont’d)
- Estimating the cost of a project
  Effort = α × Size
  Where, α =

30 COBRA (cont’d)
- Project cost risk assessment
  - The probability that the project will overrun its budget
- Project cost benchmarking
  - The CO value of a given project is compared to a historical data set of similar projects
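
An added example, not part of the original slides, for the COBRA relationship on slide 28 and the benchmarking step on slide 30: it fits β0 and β1 by least squares from ten historical projects and compares a new project's CO with that history. The data set, the function names, and the units (CO in percent, P in size units per person-month) are assumptions made for illustration.

```python
# Added example (not from the slides): fit P = β0 − β1·CO and benchmark a CO value.
# HISTORY is constructed data; units are assumptions (CO in percent,
# productivity P in size units per person-month).
from statistics import mean

HISTORY = [  # (CO, P) for ten constructed past projects
    (10, 0.97), (20, 0.88), (30, 0.83), (40, 0.82), (50, 0.75),
    (60, 0.70), (70, 0.66), (80, 0.59), (90, 0.54), (100, 0.51),
]


def fit_cobra(history):
    """Least-squares estimate of (β0, β1) in P = β0 − β1·CO."""
    if len(history) < 2:
        raise ValueError("need at least two historical projects")
    co_mean = mean(co for co, _ in history)
    p_mean = mean(p for _, p in history)
    sxx = sum((co - co_mean) ** 2 for co, _ in history)
    if sxx == 0:
        raise ValueError("all projects have the same CO; slope is undefined")
    sxy = sum((co - co_mean) * (p - p_mean) for co, p in history)
    beta1 = -sxy / sxx                 # the slide writes the slope with a minus sign
    beta0 = p_mean + beta1 * co_mean   # productivity of a nominal project (CO = 0)
    return beta0, beta1


def productivity(beta0, beta1, co):
    """Predicted productivity for a project with cost overhead `co`."""
    return beta0 - beta1 * co


def benchmark(co, history):
    """Share of historical projects whose CO is at or below the given CO."""
    return sum(1 for h_co, _ in history if h_co <= co) / len(history)


if __name__ == "__main__":
    b0, b1 = fit_cobra(HISTORY)
    new_co = 85  # hypothetical CO estimate for a new project
    print(f"β0={b0:.3f} β1={b1:.4f}")
    print(f"P at CO={new_co}: {productivity(b0, b1, new_co):.3f}")
    print(f"CO at or above {benchmark(new_co, HISTORY):.0%} of past projects")
```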

31 The I2S2 Model
- Originally developed by Alexander Korzyk
- It integrates risk analysis into IS development and specification of security requirements at the initial stage of system development
- It has three levels that integrate six primary components

32 I2S2 Model at Level One, Figure 8.5

33 The I2S2 Model (cont’d)
- Level one shows high order inner-relationships between the six components
- Level two considers the performance of the components to achieve the procedural integration
- Level three is finer and specifies the technical integrative facilities and mechanisms

34 The I2S2 Model (cont’d)
- Component 1: Threat definition provides the foundation for the successive sub models
- Component 2: Information acquisition requirements can be done with one or more classes of information: signals, precursors, indicators, and intelligence

35 The I2S2 Model (cont’d)
- Component 3: Scripting of defensive options includes initial and final scripting of defensive options
- Component 4: Threat recognition and assessment is organized in three modules: threat recognition facilities, threat/situation monitoring, security incident reporting and assessment

36 The I2S2 Model (cont’d)
- Component 5: Countermeasure selection is based on cooperative engagement capability
- Component 6: Post implementation activities: reconsider the efficacy, feedback, real time crisis management

37 Copyright 2006 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Request for further information should be addressed to the Permission Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.

