Principles of Information System Security: Text and Cases


Principles of Information System Security: Text and Cases
Gurpreet Dhillon
PowerPoint prepared by Youlong Zhuang, University of Missouri-Columbia

Chapter Nine: Risk Management for Information System Security

Copyright 2006 John Wiley & Sons, Inc.

Learning Objectives
- Understand the three components of risk management
- Describe the nine steps of risk assessment
- Recognize the four classes of vulnerabilities
- Become familiar with the COBRA and I2S2 models

Six Steps of Systems Development
- Initiation
  - The need for an IT system is expressed
  - The purpose and scope are established
  - The risks associated with the new system are explored
- Requirements assessment
  - All user requirements are assessed
  - The risks identified feed into architectural and design trade-offs in systems development

Six Steps of Systems Development (cont'd)
- Development or acquisition
  - The IT system is designed or acquired
  - Controls identified in the previous step are integrated into the system design
- Implementation
  - The IT system is implemented
  - The risks specific to the context are reviewed and implementation challenges considered

Six Steps of Systems Development (cont'd)
- Operation or maintenance
  - Changes, upgrades, and modifications to the IT system are made
  - Risk management activities are performed regularly
- Disposal
  - Legacy systems are phased out
  - Hardware and software are disposed of safely

Three Essential Components of Risk Management
- Risk assessment: identifying risks and assessing their potential impacts
- Risk mitigation: prioritizing, implementing, and maintaining an acceptable level of risk
- Risk evaluation: continuous appraisal of the risk management process

Risk Assessment
- The process of determining potential threats throughout the system development process
- Risk is a function of the likelihood that a given threat exercises a particular vulnerability
- Nine steps of risk assessment proposed by the US National Institute of Standards and Technology (discussed in the next few slides)

System Characterization
- Helps identify the boundaries of the system
- Helps scope the risk assessment task
- Achieved by understanding the technical aspects of the system and the related roles and responsibilities

Threat Identification
- Compile a list of threat sources that might be applicable to a given IT system
- Intentional threats reside in the motivations of humans to undertake potentially harmful activities
- Unintentional threats arise without malicious intent

Threat Identification (Table 9.1)

Vulnerability Identification
- Identify flaws and weaknesses that could possibly be exploited by the threats identified
- Four classes of vulnerabilities:
  - Behavioral and attitudinal vulnerabilities
  - Misinterpretations
  - Coding problems
  - Physical vulnerabilities

Control Analysis
- Analyze and implement controls that would minimize the likelihood of threats
- Compliance-oriented or self controls
- Information utilization or information creation

Classes of Controls (Fig 9.2)

Likelihood Determination and Impact Analysis
- There are three elements in calculating the likelihood:
  - Source of the threat, its motivation, and its capability
  - Nature of the vulnerability
  - Effectiveness of current controls

Likelihood Determination (Table 9.2)

Magnitude of Impact (Table 9.3)

Risk Determination
- Helps assess the level of risk to the IT system
- Can be expressed as a function of:
  - The likelihood of a given threat exercising the vulnerability
  - The magnitude of the impact of the threat
  - The adequacy of planned or existing security controls

Level of Risk Matrix (Table 9.4)
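The likelihood determination and risk determination steps above can be carried through as a small calculation. The following is an added example, not code from the textbook or its slides: it combines the three likelihood elements into a High/Medium/Low rating, multiplies by the impact rating, and reads the level of risk off a 3x3 matrix. The numeric weights (likelihood 1.0/0.5/0.1, impact 100/50/10, risk High above 50, Medium above 10, Low otherwise) are the ones published in NIST SP 800-30 (2002); the slides do not reproduce Tables 9.2-9.4, so treating them as the same scale is an assumption. The scenarios are constructed.

```python
"""Added example: risk determination in the style of NIST SP 800-30.

Not code from the book or the slides. Weights are taken from NIST SP 800-30
(2002), Tables 3-6 and 3-7, and are assumed to match the book's Tables 9.2-9.4.
"""
from dataclasses import dataclass

# Likelihood and impact ratings mapped to the NIST SP 800-30 numeric weights.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Scenario:
    """One threat/vulnerability pair as characterised by the assessor (constructed)."""
    name: str
    source_motivated_and_capable: bool   # element 1: threat source, motivation, capability
    vulnerability_exercisable: bool      # element 2: nature of the vulnerability
    control_effectiveness: str           # element 3: "ineffective", "impeding" or "preventing"
    impact: str                          # "High", "Medium" or "Low" (magnitude-of-impact rating)


def likelihood_rating(s: Scenario) -> str:
    """Combine the three likelihood elements into High/Medium/Low, following the
    NIST SP 800-30 definitions:
      High   - motivated, capable source and ineffective controls
      Medium - motivated, capable source, but controls may impede exercise
      Low    - source lacks motivation/capability, or controls prevent exercise
    """
    if not s.source_motivated_and_capable or not s.vulnerability_exercisable:
        return "Low"
    if s.control_effectiveness == "preventing":
        return "Low"
    if s.control_effectiveness == "impeding":
        return "Medium"
    if s.control_effectiveness == "ineffective":
        return "High"
    raise ValueError(f"unknown control effectiveness: {s.control_effectiveness}")


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood weight x impact weight, giving a value from 1 to 100."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_level(score: float) -> str:
    """NIST SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def level_of_risk_matrix() -> dict:
    """The full 3x3 level-of-risk matrix, keyed by (likelihood, impact)."""
    return {(lik, imp): risk_level(risk_score(lik, imp))
            for lik in LIKELIHOOD_WEIGHT for imp in IMPACT_WEIGHT}


def assess(s: Scenario) -> tuple:
    """Return (likelihood rating, risk score, risk level) for one scenario."""
    lik = likelihood_rating(s)
    score = risk_score(lik, s.impact)
    return lik, score, risk_level(score)


def prioritise(scenarios) -> list:
    """Order scenarios by descending risk score: the input to control recommendation."""
    return [s.name for s in sorted(scenarios, key=lambda s: assess(s)[1], reverse=True)]


# Constructed sample scenarios (not from the book).
SCENARIOS = [
    Scenario("Unpatched internet-facing server, external attacker", True, True, "ineffective", "High"),
    Scenario("Shared admin account, insider misuse", True, True, "impeding", "High"),
    Scenario("Accidental record deletion by staff", True, True, "preventing", "Medium"),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s.name, assess(s))
    print(prioritise(SCENARIOS))
```

Note that a Low likelihood combined with a High impact still lands in the Low band (0.1 x 100 = 10), which is why the impact analysis and the control adequacy review are kept as separate inputs rather than folded into a single number.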

Control Recommendations and Results Documentation
- Control recommendation deals with suggesting appropriate controls given the level of risk identified, considering:
  - Effectiveness of the recommended controls
  - Existing legislative and regulatory issues
  - Current organizational policy
  - Organizational impact
  - Safety and reliability of the proposed controls

Risk Mitigation
- The process of prioritizing, evaluating, and implementing appropriate controls
- Mitigation options:
  - Do nothing
  - Risk avoidance
  - Risk prevention
  - Risk planning
  - Risk recognition
  - Risk insurance

Risk Mitigation Flow of Activities (Fig 9.3)

Summary of Technical, Formal, and Informal Controls (Table 9.3)

Risk Evaluation and Assessment
- Continual change means the risk management task needs to be re-evaluated on a continuing basis
- Continuous support of senior management needs to be stressed
- The skill levels of the IT team need to be reassessed on a regular basis
- Evaluation is a means to ensure feedback

COBRA
- A hybrid model for software Cost Estimation, Benchmarking, and Risk Assessment
- There are two major types of cost estimation technique available today:
  - Algorithmic models, which depend heavily on past project data that is often missing
  - Informal approaches, which depend on experienced estimators who are difficult to find

COBRA (cont'd)
- Developed by Briand, El Emam, and Bomarius at the Fraunhofer Institute for Experimental Software Engineering in Germany
- Uses both expert knowledge (experienced estimators) and a limited amount of quantitative project data to perform cost modeling

Overview of Productivity Estimation Model (Fig 8.4)

COBRA (cont'd)
- The relationship between Productivity (P) and Cost Overhead (CO) is:
  P = β0 − (β1 × CO)
  where β0 is the productivity of a nominal project and β1 is the slope between CO and P
- Advantage: only a small set of historical data (around 10 projects) is needed

COBRA (cont'd)
- Estimating the cost of a project:
  Effort = α × Size
  where α =

COBRA (cont'd)
- Project cost risk assessment: the probability that the project will overrun its budget
- Project cost benchmarking: the CO value of a given project is compared to a historical data set of similar projects
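The three COBRA slides above (the productivity relationship P = β0 − β1 × CO, the effort estimate, and the cost risk and benchmarking uses) can be tied together in one small calculation. What follows is an added example written for this page, not the COBRA tooling from Briand, El Emam, and Bomarius and not code from the book: the ten historical projects, the three cost factors and their triangular ranges are all constructed; β0 and β1 are fitted by ordinary least squares; and because the slide leaves α undefined, effort is derived here as Size / P (productivity taken as size delivered per person-month), which is an assumption.

```python
"""Added example: COBRA-style productivity model, cost estimate, cost risk and benchmark.

Not the original COBRA method's code. HISTORY and COST_FACTORS are constructed;
effort = Size / P is an assumption standing in for the slide's undefined alpha.
"""
import random
from statistics import mean

# Constructed historical data: (cost overhead CO in %, productivity P in size
# units per person-month) for ten past projects, the "around 10" the slide mentions.
HISTORY = [(5, 9.5), (10, 9.1), (15, 8.4), (20, 8.0), (25, 7.6),
           (30, 7.0), (35, 6.4), (40, 6.1), (50, 5.0), (60, 4.2)]


def fit_productivity_model(history):
    """Least-squares fit of P = b0 - b1 * CO; returns (b0, b1)."""
    cos = [co for co, _ in history]
    ps = [p for _, p in history]
    co_mean, p_mean = mean(cos), mean(ps)
    slope = (sum((co - co_mean) * (p - p_mean) for co, p in history)
             / sum((co - co_mean) ** 2 for co in cos))
    b1 = -slope                     # slide's beta1: productivity falls as CO rises
    b0 = p_mean + b1 * co_mean      # slide's beta0: productivity of a nominal (CO = 0) project
    return b0, b1


def productivity(co, b0, b1):
    """P = b0 - b1 * CO."""
    return b0 - b1 * co


def effort(size, co, b0, b1):
    """Effort = alpha x Size with alpha = 1 / P (assumption, see module docstring)."""
    p = productivity(co, b0, b1)
    if p <= 0:
        raise ValueError("cost overhead beyond the range the linear model supports")
    return size / p


def overrun_probability(size, budget, cost_factors, b0, b1, samples=20000, seed=1):
    """Project cost risk: probability that effort exceeds the budget.

    cost_factors holds per-factor (min, most likely, max) CO contributions as
    elicited from experts (constructed here). CO for one trial is the sum of
    one triangular draw per factor; the result is the Monte Carlo fraction of
    trials whose effort is over budget.
    """
    rng = random.Random(seed)
    over = 0
    for _ in range(samples):
        co = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in cost_factors)
        if effort(size, co, b0, b1) > budget:
            over += 1
    return over / samples


def benchmark(co, history):
    """Project cost benchmarking: fraction of historical projects with a lower CO."""
    return sum(1 for past_co, _ in history if past_co < co) / len(history)


# Constructed expert input for a new project: three cost factors, each (min, likely, max) % overhead.
COST_FACTORS = [(0, 5, 15), (5, 10, 25), (0, 8, 20)]

if __name__ == "__main__":
    b0, b1 = fit_productivity_model(HISTORY)
    print(f"P = {b0:.2f} - {b1:.3f} x CO")
    print("effort at CO = 23%:", round(effort(1000, 23, b0, b1), 1), "person-months")
    print("P(overrun of a 140 person-month budget):", overrun_probability(1000, 140, COST_FACTORS, b0, b1))
    print("share of past projects with lower CO:", benchmark(23, HISTORY))
```

The overrun probability is the quantity the slide calls project cost risk; the benchmark value is the comparison of a project's CO against the historical set. Both depend only on the small historical sample plus expert ranges, which is the trade-off the earlier slide describes.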

The I2S2 Model
- Originally developed by Alexander Korzyk
- Integrates risk analysis into IS development and the specification of security requirements at the initial stage of system development
- Has three levels that integrate six primary components

I2S2 Model at Level One (Figure 8.5)

The I2S2 Model (cont'd)
- Level one shows the high-order interrelationships between the six components
- Level two considers the performance of the components to achieve procedural integration
- Level three is finer-grained and specifies the technical integrative facilities and mechanisms

The I2S2 Model (cont'd)
- Component 1: Threat definition provides the foundation for the successive sub-models
- Component 2: Information acquisition requirements can be met with one or more classes of information: signals, precursors, indicators, and intelligence

The I2S2 Model (cont'd)
- Component 3: Scripting of defensive options includes initial and final scripting of defensive options
- Component 4: Threat recognition and assessment is organized in three modules: threat recognition facilities, threat/situation monitoring, and security incident reporting and assessment

The I2S2 Model (cont'd)
- Component 5: Countermeasure selection is based on cooperative engagement capability
- Component 6: Post-implementation activities: reconsidering efficacy, feedback, and real-time crisis management

Copyright 2006 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without express permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information herein.