Risk Management- Understanding and applying Risk Management concepts in the real world.
Mayank Sharma
Cloud, Security, Architecture, Strategy | Energy and Financial Services | IRAP Assessor, CISSP, CRISC, TOGAF 9.2, ITIL v4, PSM1| Certified Architect- Azure, AWS & GCP
A risk is the possibility of an occurrence that can cause substantial damage to an organization. Risk can never be removed completely, but it can be managed: the goal is to reduce it to a level the organization is willing to accept. Not all risks are computer based; a risk analysis should cover the whole set of IT and non-IT risks.
Risk terminology
1. Asset: An asset is any process, device or collection of computer systems that needs to be protected against threats. An asset typically has a dollar value assigned to it. If an asset is breached there is a substantial loss to the business, and the loss can be non-monetary too, e.g. loss of public confidence.
2. Asset valuation: Asset valuation is the process of assigning a dollar value to an asset.
3. Threat: A threat is a potential occurrence that can cause an unwanted outcome for the organization. Threats are typically grouped into three types: natural (floods), unintentional (rebooting a production system by mistake) and intentional (malware, DoS attacks). In short, you are protecting the asset against threats.
4. Vulnerability: A vulnerability is a weakness in a system, or the absence of a safeguard, that makes the system more prone to harm. A vulnerability on its own does no damage; harm occurs when a threat exploits it.
5. Exposure: Exposure is being susceptible to asset loss because of a threat. It does not state that harm has occurred, but rather how extensive the harm could be: an assessment of "what is the worst that can happen".
6. Risk: A risk is the possibility that a threat will exploit a vulnerability and cause harm. It is commonly expressed as:
Risk = Threat * Vulnerability
Here the * expresses a relationship rather than literal multiplication: if there is no threat, or no vulnerability for it to exploit, there is no risk.
7. Safeguards: A safeguard (countermeasure or control) is anything put in place to mitigate a risk.
8. Attack: An attack is an intentional attempt to exploit a vulnerability. It can also be a violation of company security policy.
9. Breach: A breach is an act in which a security control has been bypassed or thwarted by a threat agent. A breach can lead to penetration, the state in which an internal system is compromised.
Identify threats and vulnerabilities.
An essential part of risk management is to identify all the threats against each specific asset in the organization. The threats could include:
1. Social engineering
2. Internal theft.
3. Natural occurrences.
4. Anti-virus failing to catch malware.
5. Loss of data.
6. Malicious hackers, viruses, worms, etc.
7. Cascade errors where one error leads to the other.
The team performing the risk assessment should be drawn from all parts of the organization and be diverse in background, so that it captures all the possible risks against the organization.
Risk assessment and analysis
A risk assessment is the responsibility of upper management. Upper management defines the scope of the work and the type of risk assessment, and provides the budget for it; it must also accept the results of the analysis. The assessment itself is generally performed by security professionals. There are two types of risk analysis:
1. Quantitative risk analysis
2. Qualitative risk analysis
Quantitative risk analysis
In quantitative risk analysis a dollar value is assigned to each asset, which suits upper management who are used to spreadsheets and budget reports; the resulting report is generally easy to understand. It is not sufficient on its own, however, because some losses are intangible and subjective (loss of reputation, for example).
The process of performing a quantitative risk analysis is as follows:
1. Inventory the assets and assign a dollar value to each. This value is the asset value (AV).
2. Research and assign an exposure factor (EF) to each asset/threat pair, then calculate the single loss expectancy (SLE).
3. Identify the annualised rate of occurrence (ARO).
4. Derive the annualised loss expectancy (ALE).
5. Research countermeasures and calculate the changes in ARO and ALE each one would produce.
6. Perform a cost/benefit analysis of each countermeasure.
Terminology
1. Exposure factor (EF): The percentage of an asset's value that the organization would lose if a specific risk were realised against it. E.g. if a tsunami is expected to wipe out 50% of the assets of a company that operates in fishing, the EF is 50%.
2. Single loss expectancy (SLE): The loss expected from a single occurrence of the risk, derived as follows:
SLE = AV * EF
e.g. if the value of an asset is $200,000 and the EF is 50%, the SLE is $100,000.
3. Annualised rate of occurrence (ARO): The expected frequency with which the risk is realised in a year. E.g. power outages are more frequent in Pakistan than in India, so the ARO for a power outage is higher for Pakistan. The value starts at 0.0 (the risk will never occur); a value below 1.0 means less than once a year (0.1 is once every ten years), and the value can be very high for frequent events. E.g. the ARO of a tsunami in Japan is much higher than that of, say, a geopolitical event.
4. Annualised loss expectancy (ALE): The expected loss per year from the risk:
ALE = SLE * ARO
e.g. with an SLE of $100,000 and an ARO of 0.1, the ALE is $10,000 per year.
5. Annualised loss expectancy with the safeguard: A safeguard (countermeasure) should bring down the EF, the ARO or both, so once a safeguard is chosen a new ALE is calculated with the safeguard in place. The value of the safeguard to the organization is then:
Value of safeguard = (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard)
If this value is negative, i.e. the safeguard costs more per year than the loss it prevents, the safeguard should be rejected.
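The six-step quantitative procedure above, worked through in code. This is an added example and not part of the original article; the asset, the threat, the candidate safeguards and all dollar figures and rates are constructed for illustration, using the article's $200,000 asset with a 50% exposure factor as the starting point.

```python
"""Quantitative risk analysis: SLE, ALE, ALE with safeguard, cost/benefit.

Added example, not part of the original article. Every figure below is a
constructed illustration, not real data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    av: float  # asset value (AV) in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor (EF): fraction of AV lost per incident (0.0-1.0)
    aro: float  # annualised rate of occurrence (ARO): incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # annual cost of the safeguard (ACS)
    ef_after: float     # EF once the safeguard is in place
    aro_after: float    # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualised loss expectancy: ALE = SLE * ARO."""
    return sle(av, ef) * aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Cost/benefit of one safeguard:
    (ALE before) - (ALE after) - (annual cost of safeguard).
    Positive: the safeguard pays for itself. Negative: reject it."""
    ale_before = ale(asset.av, threat.ef, threat.aro)
    ale_after = ale(asset.av, sg.ef_after, sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def rank_safeguards(asset: Asset, threat: Threat,
                    candidates: List[Safeguard]) -> List[Tuple[Safeguard, float]]:
    """Score every candidate, drop those with negative value (they cost more
    than the loss they prevent), and return the rest best-first."""
    scored = [(sg, safeguard_value(asset, threat, sg)) for sg in candidates]
    accepted = [s for s in scored if s[1] >= 0]
    return sorted(accepted, key=lambda s: s[1], reverse=True)


# Constructed scenario: the article's $200,000 asset, EF 50%, hit by a tsunami
# expected once every ten years (ARO 0.1). ALE before any safeguard = $10,000.
FISHING_WAREHOUSE = Asset("Fishing fleet warehouse", av=200_000.0)
TSUNAMI = Threat("Tsunami", ef=0.50, aro=0.10)
CANDIDATES = [
    # Cheap; cuts the EF to 10% (only uninsured stock is lost). ALE after = $2,000.
    Safeguard("Offsite backups", annual_cost=3_000.0, ef_after=0.10, aro_after=0.10),
    # Expensive; cuts the EF to 5%. ALE after = $1,000, but ACS exceeds the saving.
    Safeguard("Hot site", annual_cost=15_000.0, ef_after=0.05, aro_after=0.10),
    # Leaves EF alone but lowers how often the water reaches the asset (ARO 0.02).
    Safeguard("Flood barrier", annual_cost=4_000.0, ef_after=0.50, aro_after=0.02),
]


def evaluate_fishing_example() -> List[Tuple[Safeguard, float]]:
    """Run the full procedure on the constructed scenario."""
    return rank_safeguards(FISHING_WAREHOUSE, TSUNAMI, CANDIDATES)


if __name__ == "__main__":
    print(f"SLE = ${sle(FISHING_WAREHOUSE.av, TSUNAMI.ef):,.0f}")
    print(f"ALE before = ${ale(FISHING_WAREHOUSE.av, TSUNAMI.ef, TSUNAMI.aro):,.0f}")
    for sg in CANDIDATES:
        print(f"{sg.name:16s} value = ${safeguard_value(FISHING_WAREHOUSE, TSUNAMI, sg):,.0f}")
    print("Accepted, best first:", [sg.name for sg, _ in evaluate_fishing_example()])
```

Note that the hot site is rejected even though it produces the lowest ALE after the safeguard: what matters is the net value, and $15,000 a year to avoid $9,000 of expected loss is a bad trade. The flood barrier shows the other lever: it leaves the EF at 50% and instead lowers the ARO.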
Qualitative risk analysis
Qualitative risk analysis is scenario based rather than calculation based. Instead of assigning an exact dollar value, it takes a holistic view of the risk, rating threats and their impact on a relative scale. The techniques used in qualitative risk analysis are:
1. Brainstorming.
2. Interview
3. Checklist
4. Storyboarding
5. Focus groups
6. Questionnaire
7. Delphi technique.
One or more of these methods can be combined to perform a qualitative risk analysis.
Scenarios
A scenario is a written description of a single threat, how it might occur and the harm it would cause. The threat is then rated as Low, Medium or High, or on a numeric scale, e.g. 1, 5, 7.
The Delphi technique is an anonymous feedback process: all participants write their concerns and ratings on a piece of paper anonymously, the results are collected and discussed, and the process is repeated until the group reaches consensus.
Comparison of Qualitative vs Quantitative Risk analysis.
Risk responses
The result of the risk analysis should include the following:
1. A complete and detailed valuation of all assets.
2. An exhaustive list of all threats and risks, with the rate of occurrence and the impact if each risk is realised.
3. The annualised loss expectancy (ALE) for each risk, without and with safeguards.
4. A cost/benefit analysis of each safeguard.
Based on the risks presented, the organization may decide on one or more of the following responses:
a. Reduce or mitigate: Risk mitigation reduces the risk by implementing safeguards or taking corrective action, e.g. if the GAL (global address list) has been stolen, you turn off OWA (Outlook Web Access).
b. Risk assignment: Assigning the risk to someone else, e.g. by outsourcing or buying insurance.
c. Risk acceptance: The risk is accepted; someone in upper management formally agrees to own the risk of doing nothing and accepts responsibility should the risk be realised.
d. Risk deterrence: Defining processes and procedures that warn a potential attacker of the consequences, e.g. warning posters and security policies.
e. Risk avoidance: Taking steps to ensure the threat does not apply at all, e.g. moving the data centre inland so that floods are avoided. Another example is not investing in Pakistan because it is judged a high-risk country.
f. Risk rejection: Rejecting or ignoring the risk. This should never be the chosen response, because ignoring a risk does not make it go away.
The risk that remains after the risk has been mitigated is called residual risk.
Total risk is expressed as follows:
Total risk = Threats * Vulnerabilities * Asset value, where * denotes a relationship rather than literal multiplication.
Residual risk = Total risk - Controls gap, where the controls gap is the amount of risk removed by the safeguards that were implemented.
Counter measure selection and implementation
A countermeasure selected to implement security should satisfy the following:
1. It must cost less than the value of the asset it protects.
2. It must cost less than the benefit it provides (the reduction in ALE it produces).
3. It must cost an attacker more to defeat than the attacker stands to gain from the asset.
4. There must be a real benefit to using it; do not deploy a countermeasure just because it is new and shiny.
5. It must be verifiable and able to withstand scrutiny (testing and audit).
6. It should be fail-safe and tamper-proof.
7. It should have no, or minimal, dependencies on other systems.
Hope you find it useful. :)