Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg.


Risk management and Sun Tzu: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” (Sun Tzu) The two halves of risk management: know yourself; know the enemy.

What is risk management? Risk management consists of identifying and controlling the risks facing an organization. Its components:
- Risk Identification: inventory assets, classify assets, identify threats
- Risk Assessment
- Risk Control: select a strategy, justify controls

Outline 1. Risk Identification 2. Risk Assessment 3. Risk Control Strategies

Risk Identification
1) Plan and organize the process
2) Categorize system components - Asset Identification - Information Asset Classification
3) Inventory / categorize assets - Information Asset Valuation - Listing Assets in Order of Importance - Data Classification and Management
4) Identify threats - Identify and Prioritize Threats
5) Specify vulnerable assets - Vulnerability Identification

Risk Assessment
Assess a risk: assign a risk rating or score to each information asset.
Risk estimation, the factors of risk:
- Likelihood of the occurrence of the vulnerability
- Value of the information asset
- Percentage of risk mitigated by current controls
- Uncertainty of current knowledge of the vulnerability
Risk = (likelihood * value) - (likelihood * value) * percentage mitigated by current controls + (likelihood * value) * uncertainty
(Vocabulary: to mitigate = atténuer)

Risk Assessment: example of risk estimation
Asset   | Likelihood | Value | Current control | Uncertainty
Asset A | 1          | 50    | 0%              | 10%
Asset B | 0.5        | 100   | 50%             | 20%
Asset A vulnerability is rated at 55: 55 = (50*1) - [(50*1)*0] + [(50*1)*0.1]
Asset B vulnerability is rated at 35: 35 = (100*0.5) - [(100*0.5)*0.5] + [(100*0.5)*0.2]

Documenting the results of risk assessment: the ranked vulnerability risk worksheet, listing each asset/vulnerability pair with its risk rating, highest risk first.
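The risk-rating formula and the ranked worksheet from the slides above, as an added example (not code from the presentation): the rows for Asset A and Asset B use the slide's figures, Asset C and the vulnerability names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRecord:
    """One row of the ranked vulnerability risk worksheet (constructed sample data)."""
    asset: str
    vulnerability: str
    value: float            # relative value of the information asset (e.g. 0-100)
    likelihood: float       # likelihood that the vulnerability is exploited (0-1)
    control_pct: float      # fraction of the risk mitigated by current controls (0-1)
    uncertainty_pct: float  # fraction added for uncertainty of current knowledge (0-1)


def risk_rating(rec: VulnerabilityRecord) -> float:
    """Risk = (L*V) - (L*V)*control + (L*V)*uncertainty, as on the slide."""
    for name in ("likelihood", "control_pct", "uncertainty_pct"):
        if not 0.0 <= getattr(rec, name) <= 1.0:
            raise ValueError(f"{name} must be a fraction between 0 and 1")
    base = rec.value * rec.likelihood
    return base - base * rec.control_pct + base * rec.uncertainty_pct


def ranked_worksheet(records):
    """Return (asset, vulnerability, rating) tuples, highest risk first."""
    rows = [(r.asset, r.vulnerability, risk_rating(r)) for r in records]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Asset A and Asset B carry the slide's figures; Asset C is a constructed third row.
SAMPLE = [
    VulnerabilityRecord("Asset A", "unpatched service", 50, 1.0, 0.0, 0.10),
    VulnerabilityRecord("Asset B", "weak admin password", 100, 0.5, 0.50, 0.20),
    VulnerabilityRecord("Asset C", "no tested backups", 80, 0.25, 0.10, 0.30),
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked_worksheet(SAMPLE):
        print(f"{asset:8} {vuln:22} {rating:6.1f}")
```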

Risk Control Strategies
- Avoidance
- Transference
- Mitigation: Incident Response Plan, Disaster Response Plan, Business Continuity Plan
- Acceptance

Selecting a Risk Control Strategy
Select one of the four risk control strategies for each vulnerability; the level of threat and the value of the asset play a major role in strategy selection.
Once a control strategy has been implemented, it should be monitored and measured: a cyclical process to ensure that risks remain controlled.

Feasibility Studies & CBA (Cost Benefit Analysis) (1)
Aim: to determine the costs associated with protecting an asset. An organization should not spend more to protect an asset than the asset is worth.
Items that affect the cost of a control:
- Cost of development & acquisition of software, hardware and services
- Training fees
- Cost of implementation (install, configure, test)
- Service costs (maintenance & upgrade)

Feasibility Studies & CBA (Cost Benefit Analysis) (2)
Benefit: the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
Asset valuation: the process of assigning a financial value or worth to each information asset.
E.g. 1: the cost to replace a network switch, which is simple to determine.
E.g. 2: the dollar value of the loss in market share if information on new product offerings is released prematurely.

Risk Assessment & CBA
Single Loss Expectancy: SLE = Asset Value x Exposure Factor
Example: website value 1,000,000 euros, exposure factor = 10%, so SLE = 100,000 euros
Annualized Loss Expectancy: ALE = SLE x ARO (annualized rate of occurrence)
Example: ARO = 0.5, so ALE = 100,000 x 0.5 = 50,000 euros
Cost Benefit Analysis: CBA = ALE(prior) - ALE(post) - ACS (annualized cost of the safeguard)
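The SLE, ALE and CBA formulas above carried through in code, as an added example that is not part of the presentation: the "before" scenario uses the slide's website figures, while the effect of the proposed control (exposure factor falling to 2%) and its annual cost are assumptions chosen to show one justified and one unjustified control.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Loss profile of one asset, in euros (constructed figures)."""
    asset_value: float
    exposure_factor: float  # fraction of the asset value lost in one incident (0-1)
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor, rounded to cents."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(scenario: LossScenario) -> float:
    """ALE = SLE x ARO."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    return round(sle * scenario.aro, 2)


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS, with ACS the annualized cost of the safeguard."""
    return round(ale_prior - ale_post - acs, 2)


def evaluate_control(before: LossScenario, after: LossScenario, acs: float) -> dict:
    """Compare yearly loss expectancy with and without a proposed control.

    A positive CBA means the control saves more per year than it costs; a negative
    one means the organization would spend more on protection than the risk is worth.
    """
    ale_prior = annualized_loss_expectancy(before)
    ale_post = annualized_loss_expectancy(after)
    result = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "acs": acs,
            "cba": result, "worthwhile": result > 0}


# Slide figures: website worth 1,000,000 euros, EF 10%, ARO 0.5 -> SLE 100,000, ALE 50,000.
WEBSITE_NOW = LossScenario(1_000_000, 0.10, 0.5)
# Assumed effect of a proposed control: exposure factor drops to 2%, ARO unchanged.
WEBSITE_WITH_CONTROL = LossScenario(1_000_000, 0.02, 0.5)

if __name__ == "__main__":
    print(evaluate_control(WEBSITE_NOW, WEBSITE_WITH_CONTROL, acs=20_000))  # CBA +20,000: justified
    print(evaluate_control(WEBSITE_NOW, WEBSITE_WITH_CONTROL, acs=45_000))  # CBA -5,000: not justified
```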

Benchmarking: an alternative to the economic feasibility analysis that seeks out and studies the practices used in other organizations that produce the results desired in one's own organization.
Measures used to compare practices:
- metric-based: comparisons based on numerical standards
- process-based: less focused on numbers and more strategic
Two categories of benchmarks are used in InfoSec:
- standards of due care & due diligence
- best practices

Applying Best Practices & Benchmarking
Questions to ask before adopting a best practice:
- Does the organization resemble the identified target organization with the best practice under consideration?
- Does the organization face similar challenges as the target?
- Is its organizational structure similar to the target's?
- Are the resources the organization can expend similar to those identified with the best practice?
Caveats: no two organizations are identical; best practices are a moving target; security is a managerial problem, not a technical one.

Delphi Technique
What? A technique for accurately estimating scales and values.
How? A group rates or ranks a set of information; the responses are compiled and returned to the group for a new iteration; the process ends when the entire group is satisfied with the result.
Quantitative assessment: actual values or estimates.
Qualitative assessment: no numeric values, only scales (A-Z, 0-10, low, medium, high, very high).

Conclusion “Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business viability.” (F. Avolio, “Best Practices in Network Security”)