RISK MANAGEMENT An Overview: NIPC Model
4-2-04, SB. IT Security Workshop for Higher Education, April 2, 2004

Movement from Risk Avoidance to Risk Management
• Risk Avoidance Model – Focus on preventing loss or damage without reference to the degree of risk
• Risk Management – Systematic and analytical process by which an organization identifies, reduces, and controls its potential risks and losses

What are some drivers?
• IT is intertwined and interdependent with critical institutional business processes
• Regulatory Imperatives – State and federal (GLB, FERPA, HIPAA, SOX, ECPA, CFAA, USA Patriot Act, TEACH Act, etc.)
• Pace of Technological Change – Centuries, decades (automobiles), now continuous
• Increasing sophistication of attack methods and attackers
• Enabling the integration and managing the risks of introducing emerging technologies

What is risk?
• Risk is a function of:
  – Assets, threats, and vulnerabilities
• Risk is the potential for an unwanted event to occur
  – The higher the probability and the greater the consequences, the greater the risk

Risk Management Approaches
• Due Diligence Process
• Probabilistic Risk Assessment
• Expert-facilitated Risk Assessment
• Scenario-based Risk Assessment
• Game Theory Approaches
• Systems Analysis
• High-level Business Impact Analysis / Protection Posture Assessments

Risk Analysis Terms
• Threat – Capability and intention of an adversary to take actions that are detrimental to an organization
• Vulnerability – Any weakness in a control or a countermeasure that can be exploited by an adversary
• Asset – Anything of value such as people, information, hardware, software, facilities, reputation, activities, and operations

Reassessing Risk and Risk Management Decisions
• High-Threat, High-Consequence – Almost continuous assessment with weekly updates to top management
• Medium-Threat, Medium-Consequence – 3 to 9-month reassessment with quarterly updates to top management
• Low-Threat, Medium-Consequence – Annual reassessment and annual updates to top management

Some Common Errors in Risk Management
• Too much trust in existing systems and protection
• Downplaying insider and B2B threats
• Lack of attention to business risks
• Underestimating interdependencies and complexities
• Misinterpretation of statistical data
• Underestimating the impact of incremental changes
• Adopting a reactive approach to risk management

A Five Step Risk Assessment Model - NIPC
• Asset assessment
• Threat assessment
• Vulnerability assessment
• Risk assessment
  – Risk = Consequence X (Threat X Vulnerability)
• Countermeasures or controls identification

Risk Assessment - OCTAVE
• Operationally Critical Threat, Asset, and Vulnerability Evaluation
• Eight Processes
• Organizational and Technological Views

Risk Assessment Threat Examples
• Key personnel – Injury, death
• File Servers – DOS attack
• Student data – Unauthorized insider access
• Production facility – Natural disaster

Risk Assessment Vulnerability Examples
• Key personnel – No access controls
• File Servers – Ineffective patch management
• Student data – Unchecked 3rd party
• Production facility – Weak physical access controls
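The five-step model (Risk = Consequence X (Threat X Vulnerability)), the reassessment cadence tiers, and the threat and vulnerability examples above, worked through as a small scoring script. This is an added example, not code from the NIPC guide or the workshop; the 1-5 scores for the four assets and the Low/Medium/High thresholds are constructed assumptions.

```python
# Added example (not from the NIPC deck): scoring assets with the five-step model.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    consequence: int    # 1-5, impact if the asset is lost or damaged (assumed scale)
    threat: int         # 1-5, adversary capability and intention, or hazard likelihood
    vulnerability: int  # 1-5, exploitable weakness in a control or countermeasure
    threat_example: str
    vulnerability_example: str

    @property
    def risk(self) -> int:
        # NIPC step 4: Risk = Consequence X (Threat X Vulnerability)
        return self.consequence * (self.threat * self.vulnerability)


def level(score: int) -> str:
    """Bucket a 1-5 score into Low/Medium/High (thresholds are an assumption)."""
    return "Low" if score <= 2 else "Medium" if score <= 3 else "High"


def reassessment_cadence(asset: Asset) -> str:
    """Map threat/consequence levels onto the deck's three reassessment tiers."""
    t, c = level(asset.threat), level(asset.consequence)
    if t == "High" and c == "High":
        return "near-continuous assessment, weekly updates to top management"
    if t == "Medium" and c == "Medium":
        return "3 to 9 month reassessment, quarterly updates to top management"
    if t == "Low" and c == "Medium":
        return "annual reassessment, annual updates to top management"
    # The deck defines only three cells of the matrix; the fallback is our assumption.
    return "tier not defined in the deck; review at the next-higher tier"


# Constructed scores for the deck's four example assets (the scores are not from the slides).
ASSETS = [
    Asset("Key personnel", 5, 2, 3, "injury, death", "no access controls"),
    Asset("File servers", 4, 5, 4, "DOS attack", "ineffective patch management"),
    Asset("Student data", 3, 3, 3, "unauthorized insider access", "unchecked 3rd party"),
    Asset("Production facility", 3, 1, 3, "natural disaster", "weak physical access controls"),
]


def ranked(assets=ASSETS):
    """Order assets by risk so step 5 (countermeasure selection) starts where risk is highest."""
    return sorted(assets, key=lambda a: a.risk, reverse=True)


if __name__ == "__main__":
    for a in ranked():
        print(f"{a.name:20} risk={a.risk:3}  {a.threat_example} / {a.vulnerability_example}")
        print(f"{'':20} {reassessment_cadence(a)}")
```

Note that "Key personnel" falls outside the three tiers the deck names (high consequence, low threat), which is exactly the gap a real reassessment schedule must fill before it is adopted.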

What are some benefits?
• Cost Justification
• Enhanced Productivity
• Self Analysis: Organizational Integration
• Targeted Security
• Increased Security Awareness
• Baseline Security and Policy
• Consistency
• Communication

References / Contact Information
• “Risk Management: An Essential Guide to Protecting Critical Assets”, NIPC, 11/2002
• suresh@usmd.edu