Risk Management
Acknowledgments

Material is sourced from:
- CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission.
- All-in-One CISSP Exam Guide, 4th Ed., Shon Harris, McGraw-Hill, 2008

Author: Susan J. Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng

Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives

Students should be able to:
- Define the risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accepting residual risk
- Define risk treatment terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference
- Describe threat types: natural, unintentional, intentional (physical and non-physical)
- Define threat agent types: hackers/crackers, criminals, terrorists, industry spies, insiders
- Perform risk analysis using qualitative and quantitative techniques
- Define vulnerability, SLE, ARO, ALE, due diligence, due care

How Much to Invest in Security?

How much is too much?
- Firewall
- Intrusion Detection/Prevention
- Guard
- Biometrics
- Virtual Private Network
- Encrypted Data & Transmission
- Card Readers
- Policies & Procedures
- Audit & Control Testing
- Antivirus / Antispyware
- Wireless Security

How much is too little?
- Hacker attack
- Internal Fraud
- Loss of Confidentiality
- Stolen data
- Loss of Reputation
- Loss of Business
- Penalties
- Legal liability
- Theft & Misappropriation

Security is a balancing act between security costs and losses.

Risk Management Structure

(Diagram.) Risk management strategies are determined by both internal and external factors. Internal factors shown: corporate history, organizational culture, maturity, and management's risk tolerance. External factors shown: regulation and industry.

Risk Tolerance or Appetite: the level of risk that management is comfortable with.

Risk Management Process

(Diagram.) Establish Scope & Boundaries, then:
- Risk Assessment
  - Identification (what to investigate?): What assets and risks exist?
  - Analysis (what to consider?): What does this risk cost? What priorities shall we set?
  - Evaluation: What controls can we use?
- Treatment: Avoid, Reduce, Transfer, or Accept (retain) the residual risk
- Risk Communication & Monitoring throughout

Risk Appetite

- Do you operate your computer with or without antivirus software?
- Do you have antispyware?
- Do you open emails with forwarded attachments from friends, or follow questionable web links?
- Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?

Companies too have risk appetites, decided after evaluating risk.

Continuous Risk Mgmt Process

(Cycle diagram.) Risk Appetite → Identify & Assess Risks → Develop Risk Mgmt Plan → Implement Risk Mgmt Plan → Proactive Monitoring → back to Identify & Assess Risks.

Why the process must be continuous:
- Risks change with time as the business and its environment change
- Controls degrade over time and are subject to failure
- Countermeasures may open new risks

Security Evaluation: Risk Assessment

Five steps include:
1. Assign Values to Assets: Where are the Crown Jewels? Consider Confidentiality, Integrity, Availability.
2. Determine Loss due to Threats & Vulnerabilities: Loss = Downtime + Recovery + Liability + Replacement
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Risk Exposure = Probability of Vulnerability × $Loss
5. Treat Risk: survey & select new controls; Reduce, Transfer, Avoid or Accept the risk.
   Risk Leverage = ((Risk exposure before reduction) − (Risk exposure after reduction)) / (Cost of risk reduction)
   A leverage below 1 means the control costs more per year than the exposure it removes.

Step 1: Determine Value of Assets

Identify & determine value of assets (Crown Jewels):
- IT-related assets: information/data, hardware, software, services, documents, personnel
- Other assets: buildings, inventory, cash, reputation, sales opportunities

Questions to ask:
- What is the value of this asset to the company?
- How much of our income can we attribute to this asset?
- How much would it cost to recover this asset?
- How much liability would we be subject to if the asset were compromised?

Helpful website: www.attrition.org

Determine Cost of Assets (worksheet)

Costs may be tangible ($) or intangible (High/Med/Low). For each asset (e.g., Product A, Product B, Product C), record the sales risk and:
- Replacement cost =
- Cost of loss of integrity =
- Cost of loss of availability =
- Cost of loss of confidentiality =

Matrix of Loss Scenario (taken from CISM Exhibit 2.16)

Columns: Scenario | Size of Loss | Reputation Loss | Lawsuit | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss

- Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
- Employee steals strategic plan; sells data to competitor | 3-year plan | figures shown on the slide: min. $20M, $2M (column assignment not recoverable from the extracted slide)
- Backup tapes and customer data found in garbage; makes front-page news | 10M records | figures shown: $20M, $20M, $10M, $5M (column assignment partly lost)
- Contractor steals employee data; sells data to hackers | 10K records | figures shown: $5M, $200K, min. $200K (column assignment not recoverable)

Step 1: Determine Value of Assets (workbook)

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, Availability | Notes
Laptop | $1,000 | Mailings = $130 × #Cust → $9,000; plus reputation | Conf., Avail. | Breach Notification Law
Equipment | $10,000 | $2K per day in lost income | Availability | e.g., due to fire or theft

Step 2: Determine Loss Due to Threats

- Natural: flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
- Unintentional: fire, water, building damage/collapse, loss of utility services, and equipment failure
- Intentional (physical): fire, water, theft, vandalism
- Intentional (non-physical): fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Threat Agent Types

Agent | Motivation | Typical actions
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain; disclosure/destruction of information | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DoS, information warfare
Industry Spies | Competitive advantage | Information theft, economic exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Step 2: Determine Threats Due to Vulnerabilities

System vulnerabilities:
- Behavioral: disgruntled employee, employee error, insufficient staff, inadequate management, inadequate compliance enforcement, security ignorance
- Misinterpretation: poorly-defined procedures, uncontrolled processes, poor network design, improperly configured equipment
- Coding problems: poorly-defined requirements, defective software, unprotected communication
- Physical vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy

Step 3: Estimate Likelihood of Exploitation

Best sources:
- Past experience
- National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
- Specialists and expert advice
- Economic, engineering, or other models
- Market research & analysis
- Experiments & prototypes

If no good numbers emerge, estimates can be used, provided management is notified that they are guesswork.

Likelihood of Exploitation: Sources of Losses

(Chart not reproduced.) Source: 2006 Annual Study: Cost of a Data Breach, PGP/Vontu; evaluation of 31 organizations.

Step 4: Compute Expected Loss: Risk Analysis Strategies

- Qualitative: prioritizes risks so that the highest risks can be addressed first; based on judgment, intuition, and experience; may factor in reputation, goodwill, and other non-tangibles
- Quantitative: measures the approximate cost of impact in financial terms
- Semi-quantitative: a combination of qualitative and quantitative techniques

Step 4: Compute Loss Using Qualitative Analysis

Qualitative analysis is used:
- As a preliminary look at risk
- With non-tangibles, such as reputation and image (which drive market share and share value)
- When there is insufficient information to perform a more quantified analysis

Vulnerability Assessment Quadrant Map (workbook)

(Diagram.) Axes: Threat (Probability) vs. Vulnerability (Severity). Items plotted: Snow emergency, Intruder, Hacker/Criminal, Malware, Disgruntled Employee, Flood, Spy, Fire, Terrorist.

Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact:
1. Insignificant: no meaningful impact
2. Minor: impacts a small part of the business, < $1M
3. Major: impacts company brand, > $1M
4. Material: requires external reporting, > $200M
5. Catastrophic: failure or downsizing of company

Likelihood:
1. Rare
2. Unlikely: not seen within the last 5 years
3. Moderate: occurred in the last 5 years, but not in the last year
4. Likely: occurred in the last year
5. Frequent: occurs on a regular basis

Risk = Impact × Likelihood

Semi-Quantitative Impact Matrix

(Diagram.) Impact (rows, top to bottom): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1). Likelihood (columns, left to right): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5). Cells are shaded into four bands by Impact × Likelihood: LOW, MEDIUM, HIGH, SEVERE.
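The scoring the two preceding slides describe, as an added example (not from the CISM manual or the original deck): each risk is mapped onto the 1-5 Impact and Likelihood scales defined above, multiplied, and ranked. Two things are assumptions of this example, not of the slides: the dollar cut-off below which a loss counts as "Insignificant", and the score thresholds that shade the matrix into Low / Medium / High / Severe. The sample risk register is constructed.

```python
"""Semi-quantitative risk scoring on the deck's 1-5 Impact and Likelihood
scales, with Risk = Impact x Likelihood. Added example, not from the CISM
manual or the original slides. ASSUMPTIONS (not on the slides): the cut-off
below which a loss counts as 'Insignificant', and the score thresholds used
to shade the matrix into Low / Medium / High / Severe."""
from dataclasses import dataclass
from typing import List, Optional

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major",
                 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate",
                     4: "Likely", 5: "Frequent"}

# Assumed: below this a loss has "no meaningful impact" (the slide gives no number).
INSIGNIFICANT_BELOW_USD = 10_000


def impact_rating(loss_usd: float, company_ending: bool = False) -> int:
    """Slide scale: Minor < $1M, Major > $1M, Material > $200M (external
    reporting), Catastrophic = failure or downsizing of the company."""
    if company_ending:
        return 5
    if loss_usd < INSIGNIFICANT_BELOW_USD:
        return 1
    if loss_usd < 1_000_000:
        return 2
    if loss_usd <= 200_000_000:
        return 3
    return 4


def likelihood_rating(years_since_last: Optional[float],
                      regular: bool = False) -> int:
    """Slide scale: Frequent = occurs regularly; Likely = in the last year;
    Moderate = in the last 5 years but not the last year; Unlikely = seen,
    but not in the last 5 years; Rare = never observed here (None)."""
    if regular:
        return 5
    if years_since_last is None:
        return 1
    if years_since_last <= 1:
        return 4
    if years_since_last <= 5:
        return 3
    return 2


def risk_band(score: int) -> str:
    """Assumed shading thresholds for the 5x5 matrix (maximum score 25)."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Severe"


@dataclass(frozen=True)
class Risk:
    name: str
    est_loss_usd: float                # best single-incident loss estimate
    years_since_last: Optional[float]  # None = never observed
    regular: bool = False              # occurs on a regular basis
    company_ending: bool = False       # would cause failure/downsizing


def score_risk(r: Risk) -> dict:
    i = impact_rating(r.est_loss_usd, r.company_ending)
    l = likelihood_rating(r.years_since_last, r.regular)
    return {"name": r.name, "impact": i, "likelihood": l,
            "score": i * l, "band": risk_band(i * l)}


def rank_risks(risks: List[Risk]) -> List[dict]:
    """Highest score first; ties broken toward the larger impact, so a rare
    catastrophe is listed before a frequent nuisance with the same score."""
    return sorted((score_risk(r) for r in risks),
                  key=lambda s: (-s["score"], -s["impact"]))


# Constructed sample register for a small clinic (not real data).
SAMPLE_RISKS = [
    Risk("Stolen laptop holding patient data", 10_000, years_since_last=0.5),
    Risk("Building fire", 1_500_000, years_since_last=12),
    Risk("Malware on a front-desk workstation", 50_000, years_since_last=0.1, regular=True),
    Risk("Breach of the full medical DB (10M records)", 20_000_000, years_since_last=3),
    Risk("Ransomware destroys medical DB and backups", 5_000_000, years_since_last=None,
         company_ending=True),
]

if __name__ == "__main__":
    for s in rank_risks(SAMPLE_RISKS):
        print(f'{s["score"]:>2} {s["band"]:<7} I={s["impact"]} ({IMPACT_LABELS[s["impact"]]}) '
              f'L={s["likelihood"]} ({LIKELIHOOD_LABELS[s["likelihood"]]})  {s["name"]}')
```

Note the caveat the ranking exposes: a company-ending event that has never occurred scores 5 × 1 = 5, below a routine malware infection at 2 × 5 = 10. Multiplicative scoring systematically under-ranks rare catastrophes, which is why the tie-breaker favours impact and why such items are usually reviewed separately rather than trusted to the matrix alone.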

Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): the cost to the organization if one threat occurs once
- E.g., stolen laptop = replacement cost + cost of installation of special software and data (assumes no liability)
- SLE = Asset Value (AV) × Exposure Factor (EF)
- With a stolen laptop, EF > 1.0 once consequential losses such as breach notification are counted, because the loss per incident then exceeds the replacement value of the asset itself

Annualized Rate of Occurrence (ARO): probability or frequency of the threat occurring in one year
- If a fire occurs once every 25 years, ARO = 1/25 = 0.04

Annual Loss Expectancy (ALE): the annual expected financial loss to an asset, resulting from a specific threat
- ALE = SLE × ARO

Risk Assessment Using Quantitative Analysis

Quantitative example: cost of a HIPAA incident with insufficient protections
- SLE = $50K fine + (1 year in jail) $100K = $150K, plus loss of reputation…
- Estimated time between occurrences = 10 years or less, so ARO = 1/10 = 0.1
- Annualized Loss Expectancy (ALE) = $150K × 0.1 = $15K

Annualized Loss Expectancy

ALE for a total loss of the asset (EF = 1.0), by asset value and expected years between occurrences:

Asset Value | 1 Yr | 5 Yrs | 10 Yrs | 20 Yrs
$1K | $1K | $200 | $100 | $50
$10K | $10K | $2K | $1K | $500
$100K | $100K | $20K | $10K | $5K
$1M | $1,000K | $200K | $100K | $50K

Example: an asset costs $10K and the risk of loss is 20% per year (once in 5 years). Over 5 years the average loss is $10K, i.e., $2K per year, so spend up to $2K each year to prevent the loss.

Quantitative Risk Workbook

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | 0.05 (once in 20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notification) = $10K | 0.2 (once in 5 years) | $2K

Step 5: Treat Risk

- Risk Acceptance: handle the attack when necessary (e.g., a comet hits); ignore the risk if the risk exposure is negligible
- Risk Avoidance: stop doing the risky behavior (e.g., do not use Social Security Numbers)
- Risk Mitigation: implement a control to minimize the vulnerability (e.g., purchase & configure a firewall)
- Risk Transference: pay someone to assume the risk for you (e.g., a doctor buys malpractice insurance); while the financial impact can be transferred, legal responsibility cannot
- Risk Planning: implement a set of controls

NIST Risk Assessment Methodology

Input | Activity | Output
Hardware, software | System Characterization | System boundary, system functions, system/data criticality, system/data sensitivity
Company history; intelligence agency data: NIPC, OIG | Identify Threats | List of threats
Audit & test results | Identify Vulnerabilities | List of vulnerabilities
Current and planned controls | Analyze Controls | List of current & planned controls
Threat motivation/capacity | Determine Likelihood | Likelihood rating
Business Impact Analysis; data criticality & sensitivity analysis | Analyze Impact | Impact rating
Likelihood of threat exploitation; magnitude of impact | Determine Risk | Documented risks
Plan for risk | Recommend Controls | Recommended controls
(all of the above) | Document Results | Risk Assessment Report

Control Types

(Diagram, reconstructed.) A Threat creates an Attack against a Vulnerability, which results in an Impact. The controls act at different points in that chain:
- Deterrent control: reduces the likelihood of the threat
- Preventive control: reduces the likelihood of the attack; protects the vulnerability
- Detective control: discovers the attack; triggers a corrective control
- Corrective control: decreases the impact
- Compensating control: reduces the impact

(Diagram.) THREAT → Deterrent control (lowers risk probability); VULNERABILITY → Mitigating, Detective, and Preventive controls; IMPACT → Corrective control. Whatever remains after the controls are applied is the residual risk.

Controls & Countermeasures

- The cost of a control should never exceed the expected loss assuming no control (the ALE)
- Countermeasure = targeted control, aimed at a specific threat or vulnerability
  - Problem: the firewall cannot process packets fast enough due to IP packet attacks
  - Solution: add a border router to eliminate invalid accesses before they reach the firewall

Analysis of Risk vs. Controls Workbook

Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K

Cost of some controls is shown in the Case Study Appendix.
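The quantitative slides above (SLE = AV × EF, ALE = SLE × ARO), Step 5's Risk Leverage formula and the rule that a control must not cost more than the ALE it addresses, worked through together as an added example (not from the CISM manual or the original deck). The threat rows reuse the deck's own figures: building fire, stolen laptop with breach-notification cost, and the HIPAA disclosure. Every control cost and every post-control EF or ARO is an assumption made for illustration and labelled as such in the code.

```python
"""Quantitative risk workbook: SLE = AV x EF, ARO = 1 / years between
occurrences, ALE = SLE x ARO, plus the two control tests from the deck:
the control must not cost more per year than the ALE it addresses, and
Risk Leverage = (ALE before - ALE after) / (annual cost of control).
Added example, not from the CISM manual or the original slides. The
threat rows reuse the slides' figures (building fire, stolen laptop, HIPAA
disclosure); every control cost and every post-control EF/ARO is an
ASSUMPTION made for illustration."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class ThreatRow:
    asset: str
    threat: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident; > 1.0 when
                            # consequential loss (breach notification, fines) is folded in
    years_between: float    # mean years between occurrences (ARO = 1 / this)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        return 1.0 / self.years_between

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    exposure_factor_after: Optional[float] = None  # None = control does not change EF
    years_between_after: Optional[float] = None    # None = control does not change ARO


def apply_control(row: ThreatRow, ctl: Control) -> ThreatRow:
    """The same threat row with the control's effect on EF and/or ARO applied."""
    changes = {}
    if ctl.exposure_factor_after is not None:
        changes["exposure_factor"] = ctl.exposure_factor_after
    if ctl.years_between_after is not None:
        changes["years_between"] = ctl.years_between_after
    return replace(row, **changes)


def evaluate_control(row: ThreatRow, ctl: Control) -> dict:
    after = apply_control(row, ctl)
    saving = row.ale - after.ale
    return {
        "ale_before": row.ale,
        "ale_after": after.ale,
        "annual_saving": saving,
        "leverage": saving / ctl.annual_cost,        # Risk Leverage from the Step 5 slide
        "within_ale": ctl.annual_cost <= row.ale,     # "cost of control never exceeds expected loss"
        "pays_for_itself": saving > ctl.annual_cost,  # equivalent to leverage > 1
    }


# Rows taken from the deck's workbooks.
BUILDING_FIRE = ThreatRow("Building", "Fire", 1_000_000, 1.0, 20)           # ALE $50K
# Laptop: $1K replacement + $9K breach-notification mailings -> SLE $10K, so EF = 10.0
STOLEN_LAPTOP = ThreatRow("Laptop", "Stolen", 1_000, 10.0, 5)                # ALE $2K
# HIPAA: $50K fine + $100K (a year in jail) = $150K SLE, once in 10 years
HIPAA_DISCLOSURE = ThreatRow("Medical DB", "HIPAA wrongful disclosure",
                             150_000, 1.0, 10)                                # ALE $15K

# Assumed controls (costs and effects are illustrative, not from the slides).
SPRINKLERS = Control("Sprinkler system", annual_cost=5_000, exposure_factor_after=0.2)
# Full-disk encryption: the breach-notification cost goes away; only the $1K hardware is lost.
DISK_ENCRYPTION = Control("Full-disk encryption", annual_cost=60, exposure_factor_after=1.0)
ACCESS_REVIEWS = Control("Quarterly access reviews + training", annual_cost=20_000,
                         years_between_after=50)

if __name__ == "__main__":
    for row, ctl in [(BUILDING_FIRE, SPRINKLERS), (STOLEN_LAPTOP, DISK_ENCRYPTION),
                     (HIPAA_DISCLOSURE, ACCESS_REVIEWS)]:
        r = evaluate_control(row, ctl)
        print(f"{row.asset}/{row.threat}: ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f} "
              f"with {ctl.name} (${ctl.annual_cost:,.0f}/yr): leverage {r['leverage']:.1f}, "
              f"within ALE: {r['within_ale']}, pays for itself: {r['pays_for_itself']}")
```

The third row is the instructive one: the assumed $20K/yr access-review programme would cut the HIPAA ALE from $15K to $3K, but it fails both tests (it costs more than the $15K ALE, and its leverage is 0.6), so under the deck's rule it should be scaled back, replaced with a cheaper control, or the risk accepted or transferred instead. Splitting the consequential loss into the exposure factor (laptop EF = 10.0) is what lets a $60 encryption control show a leverage of 30: it removes the notification cost, not the hardware loss.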

Extra Step: Step 6: Risk Monitoring

Status report (example entries):
Issue | Status
Stolen Laptop | In investigation ($2K), legal issues
HIPAA: Incident Response | Procedure being defined; incident response $200K
Cost overruns | Internal audit investigation $400K
HIPAA: Physical security | Training occurred, $200K

Security Dashboard, Heat Chart or Stoplight Chart: report to management the status of security:
- Metrics showing current performance
- Outstanding issues
- Newly arising issues
- How each is handled and when resolution is expected

Training

- Importance of following policies & procedures
- Clean desk policy
- Incident or emergency response
- Authentication & access control
- Privacy and confidentiality
- Recognizing and reporting security incidents
- Recognizing and dealing with social engineering

Security Control Baselines & Metrics

- Baseline: a measurement of performance
- Metrics are regularly and consistently measured, quantifiable, and inexpensively collected
- Leads to subsequent performance evaluation
- E.g., how many viruses is the help desk reporting? (Company data shown on the slide is not real)

Risk Management is aligned with business strategy & direction

- Risk management must be a joint effort between all key business units and IS
- Business-driven (not technology-driven)
- Steering Committee:
  - Sets risk management priorities
  - Defines risk management objectives to achieve business strategy

Risk Management Roles

- Governance & Senior Mgmt: allocate resources; assess and use risk assessment results
- Information Security Manager: develops, collaborates on, and manages the IS risk management process
- Business Managers (Process Owners): make the difficult decisions relating to priority to achieve business goals
- System / Information Owners: responsible to ensure controls are in place to address CIA; sign off on changes
- Chief Information Officer: IT planning, budget, and performance, including risk
- IT Security Practitioners: implement security requirements into IT systems: network, system, DB, application, administration
- Security Trainers: develop appropriate training materials, including risk assessment, to educate end users

Due Diligence = did a careful risk assessment (RA)
Due Care = implemented the recommended controls from the RA
Liability is minimized if reasonable precautions are taken.

(Diagram: pillars resting on Senior Mgmt Support.) Policies & Procedures, Compliance, Adequate Security Controls, Risk Assessment, Backup & Recovery, Business Continuity, Disaster Recovery, Monitoring & Metrics.

Question: Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question: Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Question: The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Question: Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time within which a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Question: The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Question: Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding

Question: The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Question: The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

Question: Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets

Question: ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE × ARO

HEALTH FIRST CASE STUDY: Analyzing Risk

Characters: Jamie Ramon, MD, Doctor; Chris Ramon, RD, Dietician; Terry, Licensed Practicing Nurse; Pat, Software Consultant

Step 1: Define Assets

Consider consequential financial loss.

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | | C? I? A? |

Consequential loss categories: Daily Operation (DO), Medical Malpractice (M), HIPAA Liability (H), Notification Law Liability (NL)

Step 1: Define Assets (filled in)

Consider consequential financial loss.

Asset Name | $ Value, Direct Loss: Replacement | $ Value, Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | DO + M + H + NL | C, I, A |

Where Daily Operation (DO) = $ , Medical Malpractice (M) = $ , HIPAA Liability (H) = $ , Notification Law Liability (NL) = $ (amounts left for the student to fill in)

HIPAA Criminal Penalties

$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | … committed under false pretenses
Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation

- Normal threats: threats common to all organizations
- Inherent threats: threats particular to your specific industry
- Known vulnerabilities: previous audit reports indicate deficiencies

Step 4: Compute Expected Loss / Step 5: Treat Risk

Step 4: Compute E(Loss): ALE = SLE × ARO
Workbook columns: Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)

Step 5: Treat Risk
- Risk Acceptance: handle the attack when necessary
- Risk Avoidance: stop doing the risky behavior
- Risk Mitigation: implement a control to minimize the vulnerability
- Risk Transference: pay someone to assume the risk for you
- Risk Planning: implement a set of controls

Reference

Slide # | Slide Title | Source of Information
6 | Risk Management Process | CISM: page 97, Exhibit 2.2
8 | Continuous Risk Mgmt Process | CISM: page 97, Exhibit 2.3
9 | Security Evaluation: Risk Assessment | CISM: page 100
12 | Matrix of Loss Scenario | CISM: page 114, Exhibit 2.15
14 | Step 2: Determine Loss Due to Threats | CISM: page 105
16 | Step 2: Determine Threats Due to Vulnerabilities | CISM: page 105
17 | Step 3: Estimate Likelihood of Exploitation | CISM: pages 107-110
18 | Likelihood of Exploitation: Sources of Losses | CISM: page 118, Exhibit 2.11
19 | Step 4: Compute Expected Loss: Risk Analysis Strategies | CISM: pages 108-110
20 | Step 4: Compute Loss Using Qualitative Analysis | CISM: page 108
22 | Step 4: Compute Loss Using Semi-Quantitative Analysis | CISM: pages 108-109
23 | Semi-Quantitative Impact Matrix | CISM: page 109, Exhibit 2.12
24 | Step 4: Compute Loss Using Quantitative Analysis | CISM: pages 109-110
26 | Annualized Loss Expectancy | CISM: page 110
28 | Step 5: Treat Risk | CISM: pages 110-111
29 | NIST Risk Assessment Methodology | CISM: page 102, Exhibit 2.7
30 | Control Types | CISM: page 186, Exhibit 3.18
32 | Controls & Countermeasures | CISM: pages 184-185
36 | Security Control Baselines & Metrics | CISM: pages 191-193
37 | Risk Management | CISM: pages 91-92
38 | Risk Management Roles | CISM: page 94