Certified Information

Security Manager
(CISM)
Kelly Handerhan, Instructor

Chapter 2: Risk Management

RISK MANAGEMENT
 Processes of identifying, analyzing, assessing,
mitigating, or transferring risk. It’s main goal is the
reduction of probability or impact of a risk.
 Summary topic that includes all risk-related actions

CISM 2
WHERE DO RISKS COME FROM?
• Manmade
• Disgruntled Employees
• Fraud
• Strikes
• Corporate/Political Espionage
• Physical
• Fire
• Flood
• Earthquake
• Technical
• Viruses
• Power
• Hardware Failure
CISM
RISK MANAGEMENT
 Risk-related Definitions
 Risk Management
 Risk Assessment
 Identify and Valuate Assets
 Identify Threats and Vulnerabilities PSE (Preliminary Security Evaluation)
 Risk Analysis
 Qualitative
 Quantitative
 Risk Mitigation/Response
 Reduce
 Accept
 Transfer
 Avoid
 Reject
• Ongoing Controls Evaluation
CISM 4
HOW MUCH SECURITY IS ENOUGH?

Just enough.

CISM
RISK RELATED DEFINITIONS
 Risk: Likelihood that a threat will exploit a vulnerability in an asset
 Threat: Has the potential to harm an asset
 Vulnerability: A weakness; a lack of a safeguard
 Exploit: Instance of compromise
 Controls: Protective mechanisms to secure vulnerabilities
 Safeguards: Proactive
 Countermeasures: Reactive mechanism
 Secondary Risk: Risk event that comes as a result of another risk
response
 Residual Risk: The amount of risk left over after a risk response
 Fallback Plan: “Plan B”
 Workaround: Unplanned Response (for unidentified risk or when other
responses don’t work

CISM 6
ASSESSMENT
 Identify and Valuate Assets
 Identify Threats and Vulnerabilities
 Methodologies:
 OCTAVE: an approach where analysts identify asses and their
criticality, identify vulnerabilities and threats and base the
protection strategy to reduce risk
 FRAP: Facilitated Risk Analysis Process. Qualitative analysis
used to determine whether or not to proceed with a
quantitative analysis. If likelihood or impact is too low, the
quantitative analysis if foregone.
 NIST 800-30: Risk management Guide for Information
Technology systems

CISM 7
NIST 800-30
 9 Step Process:
 System characterization
 Threat identification
 Vulnerability identification
 Control analysis
 Likelihood Determination
 Impact Analysis
 Risk Determination
 Control Recommendations
 Results Documentation

CISM 8
RISK ANALYSIS
 Qualitative
 Subjective analysis to help prioritize probability and impact of
risk events.
 May use Delphi Technique
 Quantitative:
 Providing a dollar value to a particular risk event.
 Much more sophisticated in nature, a quantitative analysis if
much more difficult and requires a special skill set
 Business decisions are made on a quantitative analysis
 Can't exist on its own. Quantitative analysis depends on
qualitative information

CISM 9
QUALITATIVE ANALYSIS
 Subjective in Nature
 Uses words like “high” “medium”
“low” to describe likelihood and
severity (or probability and
impact) of a threat exposing a
vulnerability
 Delphi technique is often used to
solicit objective opinions

CISM 10
QUANTITATIVE ANALYSIS
 More experience required than with Qualitative
 Involves calculations to determine a dollar value associated
with each risk event
 Business Decisions are made on this type of analysis
 Goal is to the dollar value of a risk and use that amount to
determine what the best control is for a particular asset
 Necessary for a cost/benefit analysis

CISM 11
QUANTITATIVE ANALYSIS FORMULAS AND
DEFINITIONS
 (AV) Asset Value: Dollar figure that represents what the asset is worth to the
organization
 (EF) Exposure Factor: The percentage of loss that is expected to result in the
manifestation of a particular risk event.
 (SLE) Single Loss Expectancy: Dollar figure that represents the cost of a single
occurrence of a threat instance
 (ARO) Annual Rate of Occurrence: How often the threat is expected to
materialize
 (ALE) Annual Loss Expectancy: Cost per year as a result of the threat
 (TCO) Total Cost of Ownership is the total cost of implementing a safeguard.
Often in addition to initial costs, there are ongoing maintenance fees as well.
 (ROI) Return on Investment: Amount of money saved by implementation of a
safeguard. Sometimes referred to as the value of the safeguard/control.

CISM 12
QUANTITATIVE ANALYSIS FORMULAS AND
DEFINITIONS CONTINUED
 SLE = AV * EF
 ALE = SLE * ARO
TCO = Initial Cost of Control + Yearly fees
Return on Investment:
ALE (before implementing control)
– ALE (after implementing control)
– cost of control
= ROI (Value of Control)

CISM 13
QUANTITATIVE ANALYSIS EXAMPLE
 Assume your company has 500 systems that contain PII (Personally
Identifiable Information). You need to convince management of the need to
implement controls to secure customer information. Though the systems
cost $2,000 a piece, the true value of the laptops is $10,000 ($8,000 for the
potentially exposed PII.) $10,000 is the AV for each resource. Over the
past ten years, we have suffered a total of thirty compromises. There is
already a control in place that provides limited protection. Currently, in the
event that an attack compromises the confidentiality of this information,
75% of data will be compromised.
 Asset value is $10,000; Exposure Factor is (75%)
 The Single Loss Expectancy is $7,500 (AV*EF)
 Your ARO is 30/10 (number of compromises/years evaluated)=3
 The annual loss expectancy is currently $22,500 (SLE*ARO)

CISM 14
 TCO EXAMPLE
To deploy antivirus software within an organization has an upfront cost of 50
per computer. There are 500 computers, so the initial cost will be $25,000.
The software vendor charges an additional 5% yearly fee to upgrade the
software, or $1,250per year. It will take 2 hours per computer to install
and configure this software—1000 hours. The staff makes 30 dollars per
hour. The company is evaluating costs for a 4 year period.
 Cost of software: $25,000
 4 year vendor support $5,000
 Staff cost: $30,000
 TCO of control = $60,000
 TCO of control per year = $15,000

CISM 15
 ROI EXAMPLE
 After implementing the software, your exposure factor drops to 20%.
What is the ROI for the control
 After implementing the control, the SLE will be Asset value of $10,000*
Exposure Factor of (20%)= $2,000
 ALE will be $6000 or SLE($2,000) * ARO (3)
 ROI = ALE (Before) $22,500
-ALE (After) -$6,000
-Yearly TCO of Control -$15,000
$1,500 This is a positive
Return on investment/Value of Control
outcome and the control should be implemented. I f ROI is
negative, it is a bad decision to implement the control.

CISM 16
QUANTITATIVE ANALYSIS
SCENARIO 1
Scenario 1
A widget manufacturer has installed new network servers, changing its network from a peer -to-peer network to
a client/server-based network. The network consists of 200 users who make an average of $20 an hour,
working on 100 workstations. Previously, none of the workstations involved in the network had anti -virus
software installed on the machines. This was because there was no connection to the Internet, and the
workstations didn’t have floppy disk drives or Internet connectivity, so the risk of viruses was deemed
minimal. One of the new servers provides a broadband connection to the Internet, which employees can
now use to send and receive email, and surf the Internet. One of the managers read in a trade magazine
that other widget companies have reported an 80 percent chance of viruses infecting their network after
installing T1 lines and other methods of Internet connectivity, and that it may take upwards of three hours
to restore data that’s been damaged or destroyed. A vendor will sell licensed copies of anti -virus software
for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to
determine the annual loss that can be expected from viruses, and determine if it is beneficial in terms of
cost to purchase licensed copies of anti-virus software.
1. What is the Annualized Rate of Occurrence (ARO) for this risk?
2. Calculate the Single Loss Expectancy (SLE) for this risk.
3. Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.
4. Determine whether it is beneficial in terms of monetary value to purchase the anti -virus software by
calculating how much money would be saved or lost by purchasing the software.

CISM 17
QUANTITATIVE ANALYSIS
SCENARIO 2
You have a warehouse that's value is 1,000,000 (between actual structure and contents).
If a fire were to occur it is expected that 40% of the warehouse would be damaged.
the risk of a fire PER year is 8%
1) what is the Exposure Factor (it's directly given in the problem above)
2) What is the Single Loss Expectancy of a fire
3) What is the Annual Rate of Occurrence ?
4) what is the Annual Loss Expectancy of a Fire to the warehouse?
Now suppose we can buy a fire suppression system that would reduce the damage to the warehouse if a fire occurred to 15%
(from 40%). The cost of the countermeasure is $5,000.00.
5) What would the new Exposure Factor be?
6) What would the new SLE be?
7) What the ARO change?
8) Would the ALE change?
9) If the ALE changes, what’s the new ALE?
10) Should you buy the counter measure for this year?
11) if so how much money would you be “saving” this year?
12) if we have to renew the countermeasure every year (ie pay $5,000 per year) is it still worth it?

CISM 18
QUANTITATIVE ANALYSIS
SCENARIO 3
Scenario 3
When performing a risk assessment you have developed the following values
for a specific threat/risk pair. Asset value = 100K, exposure factor = 35%;
Annual rate of occurrence is 5 times per year; the cost of a recommended
safeguard is $5000 per year, which will reduce the annual loss expectancy
in half. What is the SLE?
a) $175,000
b) $35,000
c) $82,500
d) $87,500

CISM 19
RISK MITIGATION
• Quantitative Analysis leads to the proper risk Mitigation
strategy.
• Reduce
• Accept
• Transfer
• Avoidance
• Rejection

CISM 20
 ADDITIONAL RISK TERMS

• Total Risk: The risk that exists before any control is

implemented
• Residual Risk: Leftover risk after applying a control
• Secondary Risk: When one risk response triggers another
risk event

CISM 21
RISK MANAGEMENT PROCESS
REVIEW
• Risk Assessment
• usually the most difficult to accomplish
• Many unknowns
• Necessary effort of gathering the right data
• Risk Analysis:
• can be done qualitatively and/or quantitatively
• Risk Mitigation
• Take steps to reduce risk to acceptable level
• Maintain that risk level
***Remember - Risk must be managed, since it cannot be totally eliminated

CISM 22