Documente Academic
Documente Profesional
Documente Cultură
Security Manager
(CISM)
Kelly Handerhan, Instructor
CISM 2
WHERE DO RISKS COME FROM?
• Manmade
• Disgruntled Employees
• Fraud
• Strikes
• Corporate/Political Espionage
• Physical
• Fire
• Flood
• Earthquake
• Technical
• Viruses
• Power
• Hardware Failure
CISM
RISK MANAGEMENT
Risk-related Definitions
Risk Management
Risk Assessment
Identify and Valuate Assets
Identify Threats and Vulnerabilities PSE (Preliminary Security Evaluation)
Risk Analysis
Qualitative
Quantitative
Risk Mitigation/Response
Reduce
Accept
Transfer
Avoid
Reject
• Ongoing Controls Evaluation
CISM 4
HOW MUCH SECURITY IS ENOUGH?
Just enough.
CISM
RISK RELATED DEFINITIONS
Risk: Likelihood that a threat will exploit a vulnerability in an asset
Threat: Has the potential to harm an asset
Vulnerability: A weakness; a lack of a safeguard
Exploit: Instance of compromise
Controls: Protective mechanisms to secure vulnerabilities
Safeguards: Proactive
Countermeasures: Reactive mechanism
Secondary Risk: Risk event that comes as a result of another risk
response
Residual Risk: The amount of risk left over after a risk response
Fallback Plan: “Plan B”
Workaround: Unplanned Response (for unidentified risk or when other
responses don’t work
CISM 6
ASSESSMENT
Identify and Valuate Assets
Identify Threats and Vulnerabilities
Methodologies:
OCTAVE: an approach where analysts identify asses and their
criticality, identify vulnerabilities and threats and base the
protection strategy to reduce risk
FRAP: Facilitated Risk Analysis Process. Qualitative analysis
used to determine whether or not to proceed with a
quantitative analysis. If likelihood or impact is too low, the
quantitative analysis if foregone.
NIST 800-30: Risk management Guide for Information
Technology systems
CISM 7
NIST 800-30
9 Step Process:
System characterization
Threat identification
Vulnerability identification
Control analysis
Likelihood Determination
Impact Analysis
Risk Determination
Control Recommendations
Results Documentation
CISM 8
RISK ANALYSIS
Qualitative
Subjective analysis to help prioritize probability and impact of
risk events.
May use Delphi Technique
Quantitative:
Providing a dollar value to a particular risk event.
Much more sophisticated in nature, a quantitative analysis if
much more difficult and requires a special skill set
Business decisions are made on a quantitative analysis
Can't exist on its own. Quantitative analysis depends on
qualitative information
CISM 9
QUALITATIVE ANALYSIS
Subjective in Nature
Uses words like “high” “medium”
“low” to describe likelihood and
severity (or probability and
impact) of a threat exposing a
vulnerability
Delphi technique is often used to
solicit objective opinions
CISM 10
QUANTITATIVE ANALYSIS
More experience required than with Qualitative
Involves calculations to determine a dollar value associated
with each risk event
Business Decisions are made on this type of analysis
Goal is to the dollar value of a risk and use that amount to
determine what the best control is for a particular asset
Necessary for a cost/benefit analysis
CISM 11
QUANTITATIVE ANALYSIS FORMULAS AND
DEFINITIONS
(AV) Asset Value: Dollar figure that represents what the asset is worth to the
organization
(EF) Exposure Factor: The percentage of loss that is expected to result in the
manifestation of a particular risk event.
(SLE) Single Loss Expectancy: Dollar figure that represents the cost of a single
occurrence of a threat instance
(ARO) Annual Rate of Occurrence: How often the threat is expected to
materialize
(ALE) Annual Loss Expectancy: Cost per year as a result of the threat
(TCO) Total Cost of Ownership is the total cost of implementing a safeguard.
Often in addition to initial costs, there are ongoing maintenance fees as well.
(ROI) Return on Investment: Amount of money saved by implementation of a
safeguard. Sometimes referred to as the value of the safeguard/control.
CISM 12
QUANTITATIVE ANALYSIS FORMULAS AND
DEFINITIONS CONTINUED
SLE = AV * EF
ALE = SLE * ARO
TCO = Initial Cost of Control + Yearly fees
Return on Investment:
ALE (before implementing control)
– ALE (after implementing control)
– cost of control
= ROI (Value of Control)
CISM 13
QUANTITATIVE ANALYSIS EXAMPLE
Assume your company has 500 systems that contain PII (Personally
Identifiable Information). You need to convince management of the need to
implement controls to secure customer information. Though the systems
cost $2,000 a piece, the true value of the laptops is $10,000 ($8,000 for the
potentially exposed PII.) $10,000 is the AV for each resource. Over the
past ten years, we have suffered a total of thirty compromises. There is
already a control in place that provides limited protection. Currently, in the
event that an attack compromises the confidentiality of this information,
75% of data will be compromised.
Asset value is $10,000; Exposure Factor is (75%)
The Single Loss Expectancy is $7,500 (AV*EF)
Your ARO is 30/10 (number of compromises/years evaluated)=3
The annual loss expectancy is currently $22,500 (SLE*ARO)
CISM 14
TCO EXAMPLE
To deploy antivirus software within an organization has an upfront cost of 50
per computer. There are 500 computers, so the initial cost will be $25,000.
The software vendor charges an additional 5% yearly fee to upgrade the
software, or $1,250per year. It will take 2 hours per computer to install
and configure this software—1000 hours. The staff makes 30 dollars per
hour. The company is evaluating costs for a 4 year period.
Cost of software: $25,000
4 year vendor support $5,000
Staff cost: $30,000
TCO of control = $60,000
TCO of control per year = $15,000
CISM 15
ROI EXAMPLE
After implementing the software, your exposure factor drops to 20%.
What is the ROI for the control
After implementing the control, the SLE will be Asset value of $10,000*
Exposure Factor of (20%)= $2,000
ALE will be $6000 or SLE($2,000) * ARO (3)
ROI = ALE (Before) $22,500
-ALE (After) -$6,000
-Yearly TCO of Control -$15,000
$1,500 This is a positive
Return on investment/Value of Control
outcome and the control should be implemented. I f ROI is
negative, it is a bad decision to implement the control.
CISM 16
QUANTITATIVE ANALYSIS
SCENARIO 1
Scenario 1
A widget manufacturer has installed new network servers, changing its network from a peer -to-peer network to
a client/server-based network. The network consists of 200 users who make an average of $20 an hour,
working on 100 workstations. Previously, none of the workstations involved in the network had anti -virus
software installed on the machines. This was because there was no connection to the Internet, and the
workstations didn’t have floppy disk drives or Internet connectivity, so the risk of viruses was deemed
minimal. One of the new servers provides a broadband connection to the Internet, which employees can
now use to send and receive email, and surf the Internet. One of the managers read in a trade magazine
that other widget companies have reported an 80 percent chance of viruses infecting their network after
installing T1 lines and other methods of Internet connectivity, and that it may take upwards of three hours
to restore data that’s been damaged or destroyed. A vendor will sell licensed copies of anti -virus software
for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to
determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of
cost to purchase licensed copies of anti-virus software.
1. What is the Annualized Rate of Occurrence (ARO) for this risk?
2. Calculate the Single Loss Expectancy (SLE) for this risk.
3. Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.
4. Determine whether it is beneficial in terms of monetary value to purchase the anti -virus software by
calculating how much money would be saved or lost by purchasing the software.
CISM 17
QUANTITATIVE ANALYSIS
SCENARIO 2
You have a warehouse that's value is 1,000,000 (between actual structure and contents).
If a fire were to occur it is expected that 40% of the warehouse would be damaged.
the risk of a fire PER year is 8%
1) what is the Exposure Factor (it's directly given in the problem above)
2) What is the Single Loss Expectancy of a fire
3) What is the Annual Rate of Occurrence ?
4) what is the Annual Loss Expectancy of a Fire to the warehouse?
Now suppose we can buy a fire suppression system that would reduce the damage to the warehouse if a fire occurred to 15%
(from 40%). The cost of the countermeasure is $5,000.00.
5) What would the new Exposure Factor be?
6) What would the new SLE be?
7) What the ARO change?
8) Would the ALE change?
9) If the ALE changes, what’s the new ALE?
10) Should you buy the counter measure for this year?
11) if so how much money would you be “saving” this year?
12) if we have to renew the countermeasure every year (ie pay $5,000 per year) is it still worth it?
CISM 18
QUANTITATIVE ANALYSIS
SCENARIO 3
Scenario 3
When performing a risk assessment you have developed the following values
for a specific threat/risk pair. Asset value = 100K, exposure factor = 35%;
Annual rate of occurrence is 5 times per year; the cost of a recommended
safeguard is $5000 per year, which will reduce the annual loss expectancy
in half. What is the SLE?
a) $175,000
b) $35,000
c) $82,500
d) $87,500
CISM 19
RISK MITIGATION
• Quantitative Analysis leads to the proper risk Mitigation
strategy.
• Reduce
• Accept
• Transfer
• Avoidance
• Rejection
CISM 20
ADDITIONAL RISK TERMS
CISM 21
RISK MANAGEMENT PROCESS
REVIEW
• Risk Assessment
• usually the most difficult to accomplish
• Many unknowns
• Necessary effort of gathering the right data
• Risk Analysis:
• can be done qualitatively and/or quantitatively
• Risk Mitigation
• Take steps to reduce risk to acceptable level
• Maintain that risk level
***Remember - Risk must be managed, since it cannot be totally eliminated
CISM 22