Information Security Risk Assessment – Unit Outline
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.
Unit Outline: Information Security Risk Assessment
– Module 1: Introduction to Risk
– Module 2: Definitions and Nomenclature
– Module 3: Security Risk Assessment
– Module 4-5: Methodology and Objectives
– Module 6: Case Study
– Module 7: Summary

Module 1: Introduction to Risk

Risk: Learning Objectives
Students should be able to:
– Gain an understanding of introductory risk concepts
– Conceptualize risk for simple situations
– Gain a historical perspective of risk analysis
– Understand the application of risk to different disciplines

Risk: Definition
Risk – the perception of uncertainty in events that occur and actions taken.
Risks are encountered in everyday decision-making.
There are multiple ways to consider risks:
– Risk as feelings
– Risk as analysis
– Risk as politics
We primarily evaluate risk intuitively (as feelings).

Risk: Opposing Views
Statisticians
– Probabilities
– Consequences of adverse events
– Quantifiable
Social scientists
– Invented to cope with uncertainties
– Dependent on perception
– Risk perception: a blending of science and judgment with important psychological, social, cultural, and political factors
Risk estimation depends on the risk definition
– There needs to be a consistent and universally accepted definition of risk per domain
– Our risk domain is information security

Risk: Human Factors
Uncertainty in computing risk is unavoidable.
Reactions to risk are often based on emotion rather than scientific evidence.
– When people become outraged, they may overreact.
– If people are not outraged, they may under-react.
– An industrial process producing an unpronounceable chemical is a much less acceptable risk than something more everyday, like driving or eating junk food.
Risk comparisons may be clearer than absolute numbers.
Emotions must be considered alongside scientific evidence.
People become uneasy when scientists are not certain about the risk posed by a hazard (its effect, severity, or prevalence).
– Rather than diminishing legitimate concerns or heightening illegitimate ones, psychological factors must be addressed to encourage constructive action.

Risk: Formal Definition
Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
Risks are evaluated by three distinguishing characteristics:
1. Loss associated with an event, e.g., disclosure of confidential data, lost time and revenues
2. Likelihood that the event will occur, i.e., probability of occurrence
3. Degree to which the risk outcome can be influenced, i.e., controls
Various forms of threats exist
– Different stakeholders have different perceptions
– Several sources of threats exist simultaneously

Risk: Risk Management Process
Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
– What can go wrong? (Initiating events)
– How bad? (Consequences)
– How often? (Likelihood of failure)
– Aggregate risk (likelihood of consequences calculated for every possible combination of precipitating events)
– Measures to reduce the consequences of risk until they reach acceptable levels (Benefits > Aggregated Risk)

Risk Example #1: Caveman Going to Hunt
Potential Accidents
– Being eaten by prey
– Being mistakenly hurt by a tribe member
– Accidentally getting hurt on terrain
Hazard Control (reduce likelihood of damage)
– Avoid dangerous terrain
– Scare animals with fire or sticks
– Hide from animals
– Hunt in groups
Protection & Damage Limitation (reduce consequences)
– Apply first aid
– Run once an animal follows you
How Bad (Consequences)
– Injury
– Death
Risk = Consequence x Likelihood
Cost-Benefit Analysis: Total Risk vs. Total Benefit (Food)

Risk Example #2: Participating in a Sports Event
Potential Accidents
– Collision
– Slipping
– Tripping
Hazard Control (reduce likelihood of damage)
– Training
– Being careful
– Using proper footwear & protective gear
– Following rules
Protection & Damage Limitation (reduce consequences)
– First aid
– Ambulance
– Medical & hospital services
How Bad (Consequences)
– Broken bone
– Sprained muscle
– Torn ligament
– Out for match
– Out for season
Risk = Consequence x Likelihood
Cost-Benefit Analysis: Total Risk vs. Total Benefit (Thrill & Pride)

Risk Example #3: Driving to Work
Potential Accidents
– Head-on collision
– Side/rear-end impact
– Hit pedestrian
– Overturn car
– Carjacking
Causes
– Fatigue
– Poor judgment
– Environmental conditions
– Failure to see traffic signals
Hazard Control (reduce likelihood of damage)
– License
– Proper road & signal construction
– Safety barriers
– Police surveillance & speed control
– Obeying traffic rules
Protection & Damage Limitation (reduce consequences)
– Having airbags installed in the vehicle
– Wearing seatbelts
– First aid & hospitalization
How Bad (Consequences)
– Vehicle damage
– Traffic ticket
– Insurance premium hike
– Injury
– Death
Risk = Consequence x Likelihood
Cost-Benefit Analysis: Total Risk vs. Total Benefit (Employment)
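The Risk Management Process slide (what can go wrong, how bad, how often, aggregate, then Benefits > Aggregated Risk) and the three worked scenarios can be run as a small model. The Python below is an added example, not code from the slides or their author. It mirrors the "driving to work" scenario; every number in it (likelihoods, dollar losses, control factors, control costs, the value of employment) is constructed for illustration and is not from the page. Hazard controls scale likelihood and protection measures scale consequence, exactly as the slides separate them. The example goes one step beyond Risk = Consequence x Likelihood: besides summing expected loss it enumerates every combination of initiating events (assuming independence, a simplification of this example) to give the probability that the year's total loss reaches a threshold, which the expected value alone hides.

```python
"""Worked risk model for the slides' Risk Management Process.

Added example, not from the slides. All numbers are constructed.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class InitiatingEvent:
    """'What can go wrong?' together with 'how bad' and 'how often'."""
    name: str
    likelihood: float   # probability the event occurs in one year (constructed)
    consequence: float  # loss in dollars if it occurs (constructed)

    @property
    def risk(self) -> float:
        # The slides' formula: Risk = Consequence x Likelihood
        return self.consequence * self.likelihood


@dataclass(frozen=True)
class Control:
    """'hazard' controls scale likelihood; 'protection' scales consequence."""
    name: str
    kind: str              # "hazard" or "protection"
    applies_to: frozenset  # names of the events it affects
    factor: float          # multiplier in (0, 1]; 0.5 halves the quantity
    annual_cost: float


def apply_controls(events, controls):
    """Return residual events after every applicable control is applied."""
    residual = []
    for ev in events:
        lik, con = ev.likelihood, ev.consequence
        for ctl in controls:
            if ev.name not in ctl.applies_to:
                continue
            if ctl.kind == "hazard":          # reduce likelihood of damage
                lik *= ctl.factor
            elif ctl.kind == "protection":    # reduce consequences
                con *= ctl.factor
            else:
                raise ValueError(f"unknown control kind: {ctl.kind}")
        residual.append(InitiatingEvent(ev.name, lik, con))
    return residual


def aggregate_risk(events):
    """Expected annual loss: sum of Consequence x Likelihood over all events."""
    return sum(ev.risk for ev in events)


def loss_distribution(events):
    """Probability of each total loss over every combination of events.

    Enumerates all 2^n subsets (the slide's 'every possible combination of
    precipitating events'); events are assumed independent.
    """
    dist = {}
    for occurred in product((False, True), repeat=len(events)):
        prob, loss = 1.0, 0.0
        for ev, happened in zip(events, occurred):
            prob *= ev.likelihood if happened else 1.0 - ev.likelihood
            loss += ev.consequence if happened else 0.0
        key = round(loss, 2)
        dist[key] = dist.get(key, 0.0) + prob
    return dist


def prob_loss_at_least(events, threshold):
    """Chance that the year's total loss reaches the threshold (tail risk)."""
    return sum(p for loss, p in loss_distribution(events).items()
               if loss >= threshold)


def cost_benefit(events, controls, total_benefit):
    """The slide's Benefits > Aggregated Risk test, with control cost included."""
    residual = aggregate_risk(apply_controls(events, controls))
    spend = sum(c.annual_cost for c in controls)
    net = total_benefit - residual - spend
    return {"inherent_risk": aggregate_risk(events), "residual_risk": residual,
            "control_cost": spend, "net_benefit": net, "acceptable": net > 0}


# Constructed "driving to work" scenario following Risk Example #3.
DRIVING_EVENTS = [
    InitiatingEvent("head-on collision", 0.001, 500_000),
    InitiatingEvent("side/rear-end impact", 0.02, 8_000),
    InitiatingEvent("hit pedestrian", 0.0005, 1_000_000),
    InitiatingEvent("overturn car", 0.0005, 200_000),
    InitiatingEvent("carjacking", 0.0002, 30_000),
]
DRIVING_CONTROLS = [
    Control("obeying traffic rules", "hazard",
            frozenset({"head-on collision", "side/rear-end impact", "hit pedestrian"}),
            0.5, 0),
    Control("seatbelts and airbags", "protection",
            frozenset({"head-on collision", "side/rear-end impact", "overturn car"}),
            0.4, 100),
]
EMPLOYMENT_BENEFIT = 60_000  # constructed annual value of getting to work

if __name__ == "__main__":
    for k, v in cost_benefit(DRIVING_EVENTS, DRIVING_CONTROLS, EMPLOYMENT_BENEFIT).items():
        print(f"{k:>14}: {v}")
    print("P(loss >= $1M):", prob_loss_at_least(DRIVING_EVENTS, 1_000_000))
```

With these constructed inputs the inherent expected loss is 1266 per year and the two controls bring it to 428 for a control cost of 100, so the employment benefit clearly exceeds the aggregated risk. The tail figure is the part the slides' single multiplication does not show: the expected loss is small, but the chance of a loss of at least a million dollars is still the full likelihood of the pedestrian event, and a decision maker may weigh that differently from the average.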

Risk: Applications
– Finance: risk in investments, insurance, etc.
– Industrial: plant failures, accidents, competitive risks
– Political: impact of decisions, probabilities of success, etc.
– Nuclear: plant operation, fuel storage, proliferation of fissile material
– Aviation: safety of airplanes, weather conditions, terrorism impact
– Medicine: weighing different treatment options

Risk: Summary
Risk can be viewed as uncertainty, and similarly risk analysis can be viewed as decision making under uncertainty.
Risk can be analyzed intuitively or analytically.
In many day-to-day activities risk is considered intuitively
– Such skills are honed through years of experience in dealing with particular situations
Humans have limitations in handling multiple pieces of information
– Analytic techniques are required for complex problems where many factors must be considered