Presentation transcript

Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.

1 Unit Outline: Information Security Risk Assessment
Module 1: Introduction to Risk
Module 2: Definitions and Nomenclature
Module 3: Security Risk Assessment
Module 4-5: Methodology and Objectives
Module 6: Case Study
Module 7: Summary

2 Module 2: Definitions and Nomenclature

3 Definitions and Nomenclature: Learning Objectives
Students should be able to:
– Define information security risk formally
– Understand the nomenclature of risk
– Be able to identify threats, vulnerabilities, and assets
– Understand different types of risk.

4 Definitions and Nomenclature: Concept Map
Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Threats exploit system vulnerabilities which expose system assets. Security controls protect against threats by meeting security requirements established on the basis of asset values.

5 Definitions and Nomenclature: Basic Definitions
Assets – something that the agency values and has to protect. Assets include all information and supporting items that an agency requires to conduct business.
Vulnerability – a weak characteristic of an information asset or group of assets which can be exploited by a threat [1]; a consequence of weaknesses in controls.
Threat – potential cause of an unwanted event that may result in harm to the agency and its assets [1]. A threat is a manifestation of vulnerability.
Controls – implementations to reduce overall risk and vulnerability.
Security Risk – the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
[1] http://www.oit.nsw.gov/au/pdf/4.4.16.IS1.pdf

6 Definitions and Nomenclature: Information Security
Definition – protection of information systems and data from unauthorized (accidental or intentional) modification, destruction, or disclosure.
– Protection includes confidentiality, integrity, authentication, access control and availability (CIA) of these systems and data.
Goals – identification, measurement, control, and minimization of security risks in information systems to a level commensurate with the value of the assets protected.

7 Definitions and Nomenclature: Assets
Assets – things that the agency values and wants to protect. Includes all information and supporting items that an agency requires to conduct business.
Asset Categories and Threats to Assets
Data
– Breach of confidentiality
– Loss of data integrity
– Denial of service
– Corruption of applications
– Disclosure of data
Organization
– Loss of trust
– Embarrassment
– Management failure
Personnel
– Injury and death
– Sickness
– Loss of morale

8 Definitions and Nomenclature: Assets Cont'd
Infrastructure
– Electrical grid failure
– Loss of power
– Chemical leaks
– Facilities & equipment
– Communications
Legal
– Use or acceptance of unlicensed software
– Disclosure of client secrets
Operational
– Interruption of services
– Loss/delay in orders
– Delay in shipments

9 Definitions and Nomenclature: Vulnerabilities
Vulnerabilities – flaws within an asset (e.g. operating system, router, network, or application) that allow the asset to be exploited by a threat.
Examples
– Software design flaws
– Software implementation errors
– System misconfiguration (e.g. misconfigured firewalls)
– Inadequate security policies
– Poor system management
– Lack of physical protections
– Lack of employee training (e.g. passwords on post-it notes in drawers or under keyboards)

10 Definitions and Nomenclature: Threats
Threats are potential causes of events which have a negative impact.
– Threats exploit vulnerabilities, causing impact to assets.
Examples
– Denial of Service (DoS) attacks
– Spoofing and masquerading
– Malicious code
– Human error
– Insider attacks
– Intrusion

11 Definitions and Nomenclature: Sources of Threats
Source | Examples of Reasons
External hackers with malicious intent | Espionage; intent to cause damage; terrorism
External hackers seeking | Thrill; popularity
Insiders with malicious intent | Anger at company; competition with co-worker(s)
Accidental | Deletion of files and data; user errors
Environmental damage | Floods; earthquakes; fires
Equipment and hardware failure | Hard disk crashes

12 Definitions and Nomenclature: Security Risk
Risk – probability that a specific threat will successfully exploit a vulnerability, causing a loss.
Evaluated by three distinguishing characteristics:
– Loss associated with an event, e.g., disclosure of confidential data, lost time, and lost revenues.
– Likelihood that the event will occur, i.e. the probability of event occurrence.
– Degree to which the risk outcome can be influenced, i.e. the controls that will influence the event.
Various forms of threats exist.
Different stakeholders have various perceptions of risk.
Several sources of threats exist simultaneously.
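The three characteristics above (loss, likelihood, and how far controls can influence the outcome) can be turned into a small risk register that ranks asset/threat/vulnerability triples by residual expected loss. This is an added Python example, not part of the original slides; the asset, threat and control names and all numbers are constructed for illustration, and the multiplicative "control trims likelihood and/or impact" model is an assumption, not something the slides prescribe.

```python
from dataclasses import dataclass, field

def _fraction(x, name):
    # Likelihoods and reduction factors are probabilities/fractions in [0, 1].
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must be between 0 and 1, got {x}")
    return x

@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction of event likelihood removed
    impact_reduction: float = 0.0      # fraction of loss removed if the event occurs

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # probability the threat exploits the vulnerability
    loss: float        # loss if it does, in one unit across the register
    controls: list = field(default_factory=list)

    def __post_init__(self):
        _fraction(self.likelihood, "likelihood")

    def inherent(self):
        # Expected loss with no controls applied (likelihood x loss).
        return round(self.likelihood * self.loss, 2)

    def residual(self):
        # Expected loss after each control trims likelihood and/or impact.
        prob, loss = self.likelihood, self.loss
        for c in self.controls:
            prob *= 1.0 - _fraction(c.likelihood_reduction, "likelihood_reduction")
            loss *= 1.0 - _fraction(c.impact_reduction, "impact_reduction")
        return round(prob * loss, 2)

def rank(risks):
    # Highest residual expected loss first: where the next control budget goes.
    return [(r.asset, r.threat, r.residual()) for r in sorted(risks, key=Risk.residual, reverse=True)]

def sample_register():
    # Constructed illustrative values, not from any real assessment.
    firewall = Control("Firewall hardening", likelihood_reduction=0.6)
    training = Control("Security awareness training", likelihood_reduction=0.5)
    backups = Control("Offsite backups", impact_reduction=0.75)
    return [Risk("Customer database", "Denial of service", "Misconfigured firewall", 0.3, 200_000, [firewall]),
            Risk("Customer database", "Insider attack", "Passwords on post-it notes", 0.2, 500_000, [training]),
            Risk("File server", "Hard disk crash", "No tested backups", 0.1, 80_000, [backups])]
```

Comparing inherent() with residual() for each entry shows how much expected loss each control buys, which is the "degree the outcome can be influenced" characteristic in numbers.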

13 Definitions and Nomenclature: Types of Risk
Physical Asset Risks
– Relating to physical and tangible items that have an associated financial value
Mission Risks
– Relating to functions, jobs or tasks that need to be performed
Security Risks
– Integrate with both asset and mission risks

14 Definitions and Nomenclature: Why is security risk different?
– Relatively new field
– Constantly changing information systems & vulnerabilities
– Human factors related to security
– No standard of practice
– Lack of formal models
– Lack of data
– Evolving threats

15 Definitions and Nomenclature: Summary
Assets are valuables which an organization wants to protect.
Vulnerabilities are weaknesses in assets that can be exploited by threats.
Threats exploit vulnerabilities to impact assets.
Risk is the potential impact of threats resulting in a loss.
Risk can be minimized through the use of controls.
