MANAGEMENT of INFORMATION SECURITY, Fifth Edition

Risk Assessment and Risk Appetite
Management of Information Security, 5th Edition, © Cengage Learning

Risk Assessment
- Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment
- Risk assessment assigns a risk rating or score to each specific vulnerability
- While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process

Assessing Risk
- Estimating risk is not an exact science; some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation
- The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list

Likelihood
- Likelihood is the overall rating, a numerical value on a defined scale, of the probability that a specific vulnerability will be exploited
- Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, e.g. 1-100, low-med-high, etc.
- Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating, and use it consistently
- Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances

Risk Estimate Factors
One method of estimating risk uses the following:
- Risk is: the likelihood that the threat to an asset will result in an adverse impact (L)
- Multiplied by: the consequences (or level of impact) on the value of an asset as a result of a successful attack (I)
- Less: the percentage of risk mitigated by current controls (M%)
- Plus: the degree of uncertainty of current knowledge of the threat/asset environment (U%)
R = (L * I) - M% + U%

Likelihood
- Likelihood is the overall rating, a numerical value on a defined scale, of the probability that a specific vulnerability will be exploited
- NIST's "Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments," recommends that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high)
- Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances

Assessing Potential Impact on Asset Value (Consequences)
- Once the probability of an attack by a threat has been evaluated, the organization will typically look at the possible outcomes or consequences of a successful attack
- The consequences of an attack (most often as a loss in asset value) are of great concern to the organization in determining where to focus its protection efforts
- Most commonly, organizations will create multiple scenarios to better understand the potential loss of a successful attack, using a "worst case/most likely outcome" approach
- It is useful for organizations to retain this information, as it can also be used during contingency planning

Percentage of Risk Mitigated by Current Controls
- If a vulnerability is fully managed by an existing control, it can be set aside
- If it is partially controlled, estimate what percentage of the vulnerability has been controlled

Uncertainty
- It is not possible to know everything about every vulnerability
- The degree to which a current control can reduce risk is also subject to estimation error
- Uncertainty is an estimate made by the manager using judgment and experience

Risk Determination
- Asset A has an impact value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate
- Asset B has an impact value of 100 and has two vulnerabilities: vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk; vulnerability #3 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate
- The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
  - Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
  - Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%
  - Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0% + 20%
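The slide's ranking carried out in code, as an added example that is not from the textbook: both percentages are taken of the base exposure L × I (the reading that reproduces 55, 35 and 12), and the dataclass, function names and input records are my own construction of the slide's scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRisk:
    """One asset/vulnerability pair with the four risk estimate factors."""
    asset: str
    vuln: str
    impact: float       # I: impact (asset) value, e.g. on a 0-100 scale
    likelihood: float   # L: probability of exploitation, 0.1 (low) to 1.0 (high) per SP 800-30
    mitigated: float    # M: fraction of the risk handled by current controls, 0.0-1.0
    accuracy: float     # confidence in assumptions and data; uncertainty U = 1 - accuracy


def risk_rating(impact, likelihood, mitigated, accuracy):
    """R = (L * I) - M% + U%, with both percentages taken of the base L * I."""
    if not 0.0 < likelihood <= 1.0:
        raise ValueError("likelihood must be in (0, 1]")
    if not (0.0 <= mitigated <= 1.0 and 0.0 <= accuracy <= 1.0):
        raise ValueError("mitigated and accuracy are fractions in [0, 1]")
    base = likelihood * impact
    uncertainty = 1.0 - accuracy
    # Rounded so float noise (e.g. 1 - 0.9 != 0.1 exactly) does not disturb the ranking.
    return round(base - mitigated * base + uncertainty * base, 2)


def ranked(vulns):
    """Return (asset, vuln, rating) tuples, highest risk first."""
    rows = [(v.asset, v.vuln, risk_rating(v.impact, v.likelihood, v.mitigated, v.accuracy))
            for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed from the slide's scenario: Asset A has one vulnerability, Asset B has two.
SLIDE_EXAMPLE = [
    VulnRisk("Asset A", "Vulnerability 1", impact=50, likelihood=1.0, mitigated=0.0, accuracy=0.9),
    VulnRisk("Asset B", "Vulnerability 2", impact=100, likelihood=0.5, mitigated=0.5, accuracy=0.8),
    VulnRisk("Asset B", "Vulnerability 3", impact=100, likelihood=0.1, mitigated=0.0, accuracy=0.8),
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked(SLIDE_EXAMPLE):
        print(f"{asset}: {vuln} rated as {rating:g}")
```

Because the rating is relative, the ordering is what matters: a second control on Vulnerability 1 that raised its mitigated fraction would move it down the list without changing the other two rows.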

Likelihood and Consequences in Risk Assessment
- Another approach to calculating risk based on likelihood is the likelihood and consequence rating from the Australian and New Zealand Risk Management Standard 4360, which uses qualitative methods of determining risk based on a threat's probability of occurrence and expected results of a successful attack

ANZ RM Standard 4360 Consequences Levels for Organizational Threats (table)

ANZ RM Standard 4360 Likelihood Levels for Organizational Threats (table)

Likelihood and Consequences in Risk Assessment
- Next, consequences and likelihoods are combined, enabling the organization to determine which threats represent the greatest danger to the organization's information assets
- The resulting rankings can then be inserted into the TVA tables for use in risk assessment

ANZ RM Standard 4360 Qualitative Risk Assessment Matrix (table)

Documenting the Results of Risk Assessment
- The goal of the risk management process so far has been to identify information assets and their vulnerabilities and to rank them according to the need for protection
- In preparing this list, a wealth of factual information about the assets and the threats they face is collected
- Also, information about the controls that are already in place is collected
- The final summarized document is the ranked vulnerability risk worksheet

Ranked Vulnerability Risk Worksheet (table)

Risk Identification and Assessment Deliverables (table)

Risk Appetite
- Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept
- The amount of risk that remains after all current controls are implemented is residual risk
- The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle
- What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite

Risk Appetite
According to KPMG, a well-defined risk appetite should have the following characteristics:
- Reflective of strategy, including organizational objectives, business plans, and stakeholder expectations
- Reflective of all key aspects of the business
- Acknowledges a willingness and capacity to take on risk
- Is documented as a formal risk appetite statement
- Considers the skills, resources, and technology required to manage and monitor risk exposures in the context of risk appetite
- Is inclusive of a tolerance for loss or negative events that can be reasonably quantified
- Is periodically reviewed and reconsidered with reference to evolving industry and market conditions
- Has been approved by the board

Risk Appetite
- The KPMG approach to defining risk appetite involves understanding the organization's strategic objectives, defining risk profiles for each major current organizational activity and future strategic plan, defining a risk threshold for each profile, and finally documenting the formal risk appetite statement
- The risk tolerance (or risk threshold) works hand in glove with risk appetite, as it more clearly defines the range of acceptable risk for each initiative, plan, or activity
- If an administrator were asked, "What level of attack success and loss are you willing to accept for a particular system?", the answer would provide insight into the risk threshold for that system, as well as that for the data it stores and processes
- If the answer to the question was "absolutely none," the administrator would have a zero-tolerance risk exposure for the system, and would require the highest level of protection