
Risk Management

Chao-Hsien Chu, Ph.D.


College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu

[Logo: Theory, Practice, Learning by Doing]
IST 515

Objectives
This module will familiarize you with the following:
The basic terminology used in risk management.
The role and importance of risk management practices.
The identification of assets, threats, and vulnerabilities.
Risk assessment methodologies.
Risk assessment process.
Risk management principles.
Controls to identify, rate, and reduce the risk to specific information assets.

Readings
Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
Stoneburner, G., Goguen, A. and Feringa, A., Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002. (Required)
Stine, K., Kissel, R., Barker, W. C., Fahlsing, J. and Gulick, J., Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60, August 2008.
Wikipedia, Failure Mode and Effects Analysis, http://en.wikipedia.org/wiki/Failure_mode_and_effects_analysis
Marquis, H., Ten Steps to Do It Yourself CRAMM, 2006. http://www.itsmsolutions.com/newsletters/DITYvol2iss8.htm

Readings - Examples
Tan, D., Quantitative Risk Analysis Step-By-Step, SANS Institute, 2002.
Marchany, R., Conducting a Risk Analysis, in Luker, M. and Petersen, R. (Eds.), Computer and Network Security in Higher Education, Chapter 3, EDUCAUSE. (STAR Project)
In, H. P., Kim, Y.-G., Lee, T., Moon, C.-J., Y. J., and Kim, I., "A Security Risk Analysis Model for Information Systems," in Baik, D.-K. (Ed.), AsiaSim 2004, LNAI 3398, Springer, pp. 505-513, 2005. (Quantitative Method)

Essential Terminologies
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system's security policy.
Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Elements of Risk Management
[Diagram, NIST SP 800-12] Risk assessment relates assets (data, facilities, hardware, software), threats, vulnerabilities and the resulting risk; risk management applies safeguards to that risk.
Safeguard options:
Risk avoidance.
Risk transfer.
Risk mitigation.
Risk acceptance.

Essential Terminologies
Risk:
The possibility of loss (American Heritage Dictionary).
The net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence (NIST SP 800-30).
A function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of the adverse event on the organization.
Risk Management:
The technique or profession of assessing, minimizing, and preventing accidental loss to a business, as through the use of insurance and safety measures (Random House Dictionary).
Reduces risks by defining and controlling threats and vulnerabilities ((ISC)2).
The process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level (NIST SP 800-30).

Examples of Critical Assets
People and skills
Goodwill
Intellectual Property
Hardware/Software
Data
Documentation
Supplies
Physical plant
Money
[Figure: asset value spans both logical assets and physical assets]

Common Computer Threats
Errors and omissions.
Fraud and theft.
Employee sabotage.
Loss of physical and infrastructure support.
Malicious hackers.
Industrial espionage.
Malicious code.
Threats to personal privacy.
Insider threats.

Common Threat Sources
Natural Threats. Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
Human Threats. Malicious outsider or insider, terrorist, spy, political, human intervention.
Environmental Threats. Long-term power failure, pollution, chemicals, liquid leakage.
Technical Threats. Hardware/software failure, malicious code, unauthorized use.
Physical Threats. Closed-circuit TV failure, perimeter defense failure.
Operational Threats. Automated or manual process.

Human Threats (Threat-Source / Motivation / Threat Actions)
Threat-Source: Hacker, Cracker
  Motivation: Challenge; Ego; Rebellion
  Threat Actions: Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access
Threat-Source: Computer criminal
  Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
  Threat Actions: Computer crime; Fraudulent act; Information bribery; Spoofing; System intrusion
Threat-Source: Terrorist
  Motivation: Blackmail; Destruction; Exploitation; Revenge
  Threat Actions: Bomb/Terrorism; Information warfare; System attack; System penetration; System tampering
Threat-Source: Industrial espionage
  Motivation: Competitive advantage; Economic espionage
  Threat Actions: Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access
Threat-Source: Insider
  Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions
  Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code; Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access

Vulnerabilities
Flaw or weakness in a system that can be exploited to violate system integrity.
Security Procedures
Design
Implementation
Threats trigger vulnerabilities:
Accidental
Malicious

Vulnerability Sources
Previous risk assessment document of the IT system assessed.
Audit reports, system anomaly reports, security review reports, and system test and evaluation reports.
Vulnerability lists such as the NIST I-CAT vulnerability database (http://icat.nist.gov).
Security advisories.
Vendor advisories.
Commercial computer incident/emergency response teams and post lists (e.g., SecurityFocus.com).
Information Assurance Vulnerability Alerts and bulletins for military systems.
System software security analyses.

Vulnerability/Threat Pairs (Vulnerability / Threat-Source / Threat Action)
Vulnerability: Terminated employees' system IDs are not removed from the system
  Threat-Source: Terminated employees
  Threat Action: Dialing into the company's network and accessing company proprietary data
Vulnerability: Company firewall allows inbound telnet and guest ID enabled on XYZ server
  Threat-Source: Unauthorized users
  Threat Action: Using telnet to XYZ server and browsing system files with the guest ID
Vulnerability: The vendor has identified flaws in the security design of the system
  Threat-Source: Unauthorized users
  Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities
Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
  Threat-Source: Fire, negligent persons
  Threat Action: Water sprinklers being turned on in the data center

Types of Risk Analysis
Quantitative:
Assigns real numbers to costs of safeguards and damage.
Annual loss exposure (ALE).
Probability of event occurring.
Can be unreliable/inaccurate.
Qualitative:
Judges an organization's risk to threats.
Based on judgment, intuition, and experience.
Ranks the seriousness of the threats for the sensitivity of the assets.
Subjective; lacks hard numbers to justify return on investment.

Process of Quantitative Analysis
Seek initial management approval.
Establish a risk assessment team.
Review information currently available within the organization.
Estimate the loss SLE (Single Loss Expectancy):
SLE = asset value (in $) x exposure factor (loss in a successful threat exploit, as %)
Calculate the Annualized Rate of Occurrence (ARO): how often a threat will be successful in exploiting a vulnerability over the period of a year (or Likelihood of Exploitation).
Calculate the Annualized Loss Expectancy (ALE):
ALE = ARO x SLE

Example of Quantitative Analysis
Risk = Risk-impact x Risk-Probability
Loss of car: risk-impact is cost to replace car, e.g. $10,000
Probability of car loss: 0.10
Risk = 10,000 x 0.10 = 1,000
Generally measured per year: Annual Loss Exposure (ALE)
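The SLE / ARO / ALE chain above, carried through in Python as an added example (not code from the slides or their sources). It reproduces the car figure and then compares the ALE before and after a safeguard, which is the dollar form of the benefit-versus-cost question; the garage safeguard, its 0.02 ARO and its $500 yearly cost are constructed assumptions.

```python
"""Quantitative risk analysis: SLE, ARO and ALE (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, with the figures the quantitative process estimates."""
    name: str
    asset_value: float      # replacement cost of the asset, in dollars
    exposure_factor: float  # fraction of asset value lost in one successful exploit (0..1)
    aro: float              # annualized rate of occurrence (expected successful events per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(exposure: Exposure) -> float:
    """ALE = ARO x SLE."""
    return exposure.aro * single_loss_expectancy(exposure.asset_value, exposure.exposure_factor)


def safeguard_value(before: Exposure, after: Exposure, annual_safeguard_cost: float) -> float:
    """Yearly value of a safeguard: the ALE it removes minus what it costs per year.

    A positive result means the safeguard pays for itself; a negative one means
    the organization would spend more on the control than the loss it prevents.
    """
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_safeguard_cost)


# Constructed sample: the slides' car example as an Exposure.
# Total loss of the car (EF = 1.0), replacement cost $10,000, ARO 0.10 per year.
CAR_THEFT = Exposure("car theft", asset_value=10_000, exposure_factor=1.0, aro=0.10)

# Constructed sample: the same threat after a hypothetical safeguard (a garage)
# that is assumed to cut the yearly occurrence rate to 0.02 at $500 per year.
CAR_THEFT_GARAGED = Exposure("car theft (garaged)", asset_value=10_000, exposure_factor=1.0, aro=0.02)
GARAGE_ANNUAL_COST = 500.0  # assumed yearly cost of the safeguard


if __name__ == "__main__":
    print(f"SLE: ${single_loss_expectancy(CAR_THEFT.asset_value, CAR_THEFT.exposure_factor):,.0f}")
    print(f"ALE: ${annualized_loss_expectancy(CAR_THEFT):,.0f}")
    print(f"Safeguard value: ${safeguard_value(CAR_THEFT, CAR_THEFT_GARAGED, GARAGE_ANNUAL_COST):,.0f}")
```

With the assumed numbers the garage removes $800 of yearly exposure for $500, so it is worth $300 a year; raising its cost above $800 would make it a control that costs more than the risk it treats, which is exactly the situation the ROI calculation later in the module is meant to expose.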

Elements of Security Risks
Classification of Assets, Threats and Vulnerabilities
Asset: 1. Information/Data; 2. Documents; 3. Hardware; 4. Software; 5. Human Resource; 6. Circumstances
Threat: 1. Human/Non-human; 2. Network/Physical; 3. Technical/Environment; 4. Inside/Outside; 5. Accidental/Deliberate
Vulnerability: 1. Administering (Documents, Personnel, Regulation); 2. Physical Circumstances or Facilities; 3. Technical (Hardware, Software, Communication/Network)

Example of Risk Analysis

Logic of Risk Analysis


RISK = Loss * Probability
Loss means the decline of asset value when an asset is
exposed to some vulnerabilities.
Probability means the probability of threat-occurrence
from the corresponding vulnerabilities.
Total Risk of AM3
= 100 x (0.8 x 0.5 + 0.9 x 0.7 + 0.6 x 0.4) / 3
= 100 x 1.27 / 3
= 42.3

The Effectiveness of Risk Mitigation Methods
Vulnerability rate remaining under each mitigation method (Vulnerability Model / Vaccine / Smart Card / Firewall):
VM1 (unprotected major communication facilities): 0.2 / 0.6 / 0.1*
VM2 (unfit network management): 0.6 / 0.5 / 0.5
VM3 (unprotected storage devices): 0.3 / 0.2 / 0.1

Mitigation Effect
Applying a risk mitigation method to some vulnerabilities can reduce the rate of not only one vulnerability but also several related vulnerabilities simultaneously.
We can get the rate of risk reduction effectively by considering which vulnerabilities can be affected by selecting some risk mitigation methods.
Risk reduction after applying firewall
= 100 * (0.1 * 0.5 + 0.5 * 0.7 + 0.1 * 0.4) / 3
= 100 * 0.44 / 3 = 14.7

Risk Analysis
What kind of threats can be reduced?
What are residual risks if the risk mitigations are
applied?
What is the ROI of each risk mitigation?
ROI = Benefit / Cost
Benefit = (initial risk) - (residual risk after the risk
mitigation method is applied)
Total Cost = Acquisition Cost + Operation Cost +
Business Opportunity Cost
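The loss-times-probability model, the mitigation table and the ROI formula above, implemented as one added Python example (not code from the slides or from the In et al. paper). It reproduces the AM3 figures: 42.3 for the total risk and 14.7 for the risk that remains once the firewall's vulnerability rates replace the original ones, so the firewall's benefit is the difference between the two. It then ranks all three methods by ROI; the per-method total costs are assumptions made up for the illustration.

```python
"""Vulnerability-weighted risk, mitigation effect and ROI (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityModel:
    name: str
    loss_rate: float           # decline of asset value if the vulnerability is exploited (0..1)
    threat_probability: float  # probability of a threat occurring through this vulnerability (0..1)


def total_risk(asset_value: float, vms: list[VulnerabilityModel]) -> float:
    """RISK = Loss * Probability, averaged over the asset's vulnerability models."""
    if not vms:
        raise ValueError("asset has no vulnerability models")
    return asset_value * sum(v.loss_rate * v.threat_probability for v in vms) / len(vms)


def apply_mitigation(vms: list[VulnerabilityModel],
                     mitigation: dict[str, float]) -> list[VulnerabilityModel]:
    """Replace each vulnerability's loss rate with the rate left after the method is applied.

    Vulnerabilities the method does not list keep their original rate; one method
    can therefore lower several related vulnerabilities at the same time.
    """
    return [VulnerabilityModel(v.name, mitigation.get(v.name, v.loss_rate), v.threat_probability)
            for v in vms]


def mitigation_roi(asset_value: float, vms: list[VulnerabilityModel],
                   mitigation: dict[str, float], total_cost: float) -> tuple[float, float]:
    """ROI = Benefit / Cost with Benefit = initial risk - residual risk; also returns the residual."""
    if total_cost <= 0:
        raise ValueError("total cost must be positive")
    initial = total_risk(asset_value, vms)
    residual = total_risk(asset_value, apply_mitigation(vms, mitigation))
    return (initial - residual) / total_cost, residual


# Constructed sample reproducing the slides' AM3 figures (asset value 100).
AM3_VALUE = 100.0
AM3 = [
    VulnerabilityModel("VM1", loss_rate=0.8, threat_probability=0.5),
    VulnerabilityModel("VM2", loss_rate=0.9, threat_probability=0.7),
    VulnerabilityModel("VM3", loss_rate=0.6, threat_probability=0.4),
]
# Vulnerability rate left after each mitigation method, from the slides' table.
MITIGATIONS = {
    "Vaccine":    {"VM1": 0.2, "VM2": 0.6, "VM3": 0.3},
    "Smart Card": {"VM1": 0.6, "VM2": 0.5, "VM3": 0.2},
    "Firewall":   {"VM1": 0.1, "VM2": 0.5, "VM3": 0.1},
}
# Assumed total cost (acquisition + operation + business opportunity) per method; not from the slides.
COSTS = {"Vaccine": 10.0, "Smart Card": 25.0, "Firewall": 20.0}


def rank_mitigations(asset_value=AM3_VALUE, vms=AM3, mitigations=MITIGATIONS, costs=COSTS):
    """Return (method, roi, residual_risk) tuples sorted by ROI, best first."""
    rows = []
    for name, table in mitigations.items():
        roi, residual = mitigation_roi(asset_value, vms, table, costs[name])
        rows.append((name, round(roi, 3), round(residual, 1)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print(f"Total risk of AM3: {total_risk(AM3_VALUE, AM3):.1f}")
    for method, roi, residual in rank_mitigations():
        print(f"{method:10s} residual risk {residual:5.1f}  ROI {roi:.3f}")
```

Because the method's effect is applied per vulnerability, the ranking changes when the threat probabilities change even if the mitigation table does not: a method that cleans up a vulnerability nobody is likely to exercise buys little, which is why the probabilities belong in the model rather than in the mitigation table alone.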

Process of Qualitative Assessment
Seek management approval to conduct analysis.
Form a risk assessment team.
Request related documents.
Set up interviews with organizational members to identify vulnerabilities, threats and countermeasures.
Analyze the data: matching the threat to a vulnerability, matching threats to assets, determining how likely the threat is to exploit the vulnerability, determining the impact to the organization in the event an exploit is successful, and matching current and planned countermeasures (that is, protection) to the threat-vulnerability pair.
Calculate risk.
Recommend countermeasures and calculate residual risk.

Likelihood Definitions (Likelihood Level / Likelihood Definition)
High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Magnitude of Impact Definitions (Magnitude of Impact / Impact Definition)
High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

Risk-Level Matrix (Threat Likelihood x Impact)
Impact columns: Low (10) / Medium (50) / High (100)
High (1.0): Low, 10 x 1.0 = 10 / Medium, 50 x 1.0 = 50 / High, 100 x 1.0 = 100
Medium (0.5): Low, 10 x 0.5 = 5 / Medium, 50 x 0.5 = 25 / Medium, 100 x 0.5 = 50
Low (0.1): Low, 10 x 0.1 = 1 / Low, 50 x 0.1 = 5 / Low, 100 x 0.1 = 10

Risk Scale and Necessary Actions (Risk Level / Risk Description and Necessary Actions)
High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low: If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
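The risk-level matrix and the action scale above, as an added Python example (not code from NIST SP 800-30 or the slides). It scores a constructed list of findings drawn from the module's earlier vulnerability/threat pairs, bands each score into Low, Medium or High using the matrix cut-offs (1 to 10, over 10 to 50, over 50 to 100), and ranks them with the necessary action attached; the likelihood and impact ratings given to each finding are assumptions, not ratings from the slides.

```python
"""NIST SP 800-30 style risk rating applied to a list of findings (added example)."""
from dataclasses import dataclass

# Weights from the risk-level matrix.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}

# Necessary action per band, condensed from the risk scale.
ACTIONS = {
    "High": "Strong need for corrective measures; corrective action plan as soon as possible.",
    "Medium": "Corrective actions needed; plan them within a reasonable period of time.",
    "Low": "DAA decides whether corrective action is still required or accepts the risk.",
}


@dataclass(frozen=True)
class Finding:
    description: str
    likelihood: str  # High / Medium / Low
    impact: str      # High / Medium / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Score = likelihood weight x impact weight, as each cell of the matrix computes it."""
    try:
        score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}") from None
    return round(score, 6)  # keep 0.1 x 100 from landing a hair above 10


def risk_level(score: float) -> str:
    """Band a score: Low (1 to 10), Medium (over 10 to 50), High (over 50 to 100)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate_findings(findings: list[Finding]) -> list[tuple[str, float, str, str]]:
    """Rate and rank findings, highest score first, attaching the necessary action."""
    rated = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        rated.append((f.description, score, level, ACTIONS[level]))
    return sorted(rated, key=lambda r: r[1], reverse=True)


# Constructed sample findings (ratings are assumed for the illustration).
SAMPLE_FINDINGS = [
    Finding("Terminated employees' system IDs not removed", "High", "Medium"),
    Finding("Inbound telnet allowed and guest ID enabled on XYZ server", "Medium", "High"),
    Finding("Vendor-identified design flaw in the system", "Low", "High"),
    Finding("Sprinklers without tarpaulins in the data center", "Low", "Medium"),
]


if __name__ == "__main__":
    for description, score, level, action in rate_findings(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {level:6s}  {description}\n        -> {action}")
```

Note how the matrix treats a High likelihood against a Medium impact and a Medium likelihood against a High impact identically (both 50, Medium): the bands are deliberately coarse, so the ranking within a band has to come from the analyst's notes, not from the score.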

Example of Risk Scales
Impact: 5. Extreme; 4. Very High; 3. Medium; 2. Low; 1. Negligible
Likelihood: 1. Rare; 2. Unlikely; 3. Moderate; 4. Likely; 5. Almost Certain

Comments
Because of the time constraint, I will not continue to cover the remaining slides. As you can see, there are more materials and examples that we can cover in a class lesson. If you are interested in the topic, please read the materials by yourself or consider taking an in-depth course like IST 564 or SRA 330. Both courses cover risk management extensively.

Assets and Their Priority (Description of Asset / Machine Name / Priority+)
Authentication-authorization services / host1.dept.edu / C
DNS name server / host2.dept.edu / C
Physical plant, environmental servers / host3.dept.edu / C
DNS name server (secondary) / host4.dept.edu / C
Network (routers, servers, modems, etc.) / host5.dept.edu / C
HR database server / host6.dept.edu / E
Payroll server / host7.dept.edu / E
Production control servers / host8.dept.edu / N
Client systems (Win95/NT, Macs) / host9.dept.edu / N
Database group crash-and-burn system / host10.dept.edu / N
+ C, critical element; E, essential; N, normal

STAR Project

Definition of Priority
Critical: If the loss of its function would result in the university ceasing to function as a business entity.
Essential: The loss of the asset would cripple the university's capacity to function, but it could survive for a week or so without the asset. All effort would be made to restore the function within a week.
Normal: If the loss of the asset resulted in some inconvenience.
STAR Project

Asset Weight Matrix to Prioritize IT Assets
[Matrix: pairwise comparison of Authentication-authorization services (A/A), DNS name server (primary) (DNS(p)), Physical plant, environmental servers (Plant), DNS name server (secondary) (DNS(s)), Network (routers, servers, modems, etc.) (Network) and HR database server (HR), with a Total Votes column per asset; values appearing in the matrix: 4.5, 4.5, 3.5, 3.5, 7.5, 22, 28.5, 10.5, 45, 19.5]

STAR Project

List of Controls for Critical Risks (Risk / Description)
Clear text: Clear text data moving among our systems and networks
Client system access control: Control of access to distributed desktop client workstations
Construction mistakes: Service interruptions during construction, renovations
Key person dependency: Too few staff to cover critical responsibilities
Natural disaster: Flood, earthquake, fire, etc.
Passwords: Selection, security, number of passwords, etc.
Physical security (IS internal): IS private space (machine room, wire closets, offices, etc.)
Physical security (IS external): IS public space (laboratories, classrooms, library, etc.)
Spoofing: E-mail and IP address forgery or circumvention
Data disclosure: Inappropriate acquisition or release of university data
System administration practices: Adequacy of knowledge, skills, and procedures
Operational policies: Appropriate strategies, directions, and policies

STAR Project

Summary of Compliance Matrix

STAR Project

Risk Assessment Methodologies


NIST SP 800-30 and 800-66 (HIPAA).
OCTAVE (Operationally Critical Threat, Asset
and Vulnerability Evaluation). Carnegie Mellon
University.
FRAP (Facilitated Risk Analysis Process). Tom
Peltier.
CRAMM (CCTA Risk Analysis and Management
Method).
Spanning Tree Analysis.
Failure Modes and Effect Analysis.

Risk Assessment Methodologies (Method / Source / Feature / Industry)
NIST SP 800-30; 800-66 / NIST / Qualitative / Healthcare; HIPAA
OCTAVE / Carnegie Mellon Univ. Software Institute / Qualitative / Software
FRAP (Facilitated Risk Analysis Process) / Tom Peltier, 2005 / Qualitative / General
CRAMM (CCTA Risk Analysis and Management Method) / Central Computing and Telecommunications Agency, 2007 / Qualitative / NATO; Unisys; RAC
Spanning Tree Analysis / (ISC)2 Information Systems Security Engineering Professional / Quantitative / -
FMEA (Failure Modes and Effect Analysis) / US Military, 1940 / Quantitative / Hardware & software systems; Aerospace; Automotive

Risk Assessment Process - NIST
System characterization.
Vulnerability identification.
Threat identification.
Countermeasure identification.
Likelihood determination.
Impact determination.
Risk determination.
Additional countermeasures recommendations.
Document results.

Risk Assessment Activities (Input / Activity / Output)
Input: Hardware/software; System interfaces; Data & information; People; System mission
1. System Characterization
Output: System boundary; System functions; System and data criticality; System and data sensitivity
Input: History of attack; Data from intelligence agencies
2. Threat Identification
Output: Threat statement
Input: Reports from prior risk assessment; Audit comments; Security requirements; Security test results
3. Vulnerability Identification
Output: List of potential vulnerabilities
Input: Current controls; Planned controls
4. Control Analysis
Output: List of current and planned controls
Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
5. Likelihood Determination
Output: Likelihood rating
Input: Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity (loss of integrity, loss of availability, loss of confidentiality)
6. Impact Analysis
Output: Impact rating
Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
7. Risk Determination
Output: Risks and associated risk levels
8. Control Recommendation
Output: Recommended controls
9. Result Documentation
Output: Risk assessment report

Risk Mitigation Action Points (decision flow)
Threat Source and System Design -> Vulnerable?
  No -> No Risk
  Yes -> Exploitable?
    No -> No Risk
    Yes -> Risk Exists (vulnerability to attack exists) -> Attacker's Cost < Gain?
      No -> Accept Risk
      Yes -> Loss Anticipated > Threshold?
        No -> Accept Risk
        Yes -> Unacceptable Risk

How Does Risk Management Work?
[Risk Management Cycle, from GAO/AIMD-99-139]
Risk Assessment: Define boundaries, scope, and methodology -> Collect and synthesize data -> Interpret results.
Risk Mitigation: Select safeguard* -> Implement -> Accept residual risk.
Control: the outcome feeds back into the next assessment; uncertainty surrounds every stage of the cycle.
* There are many approaches to safeguard selection

Risk Management Principles
Risk Avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Mitigation is the practice of eliminating or significantly decreasing the level of risk presented. E.g., a company can put countermeasures such as a firewall, IDS, etc. in place to deter malicious users from accessing highly sensitive information.
Risk Acceptance is the practice of simply accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

Risk Mitigation Options
Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.
Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).
Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability (e.g., use of supporting, preventive, detective controls).
Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls.
Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

Risk Management Actions (Impact x Likelihood)
Likelihood columns: Low / Medium / High
Significant: Considerable management required / Must manage and monitor risks / Extensive management essential
Moderate: Risks may be worth accepting with monitoring / Management effort worthwhile / Management effort required
Minor: Accept risks / Accept, but monitor risks / Manage and monitor risks

Controls
Mechanisms or procedures for mitigating
vulnerabilities
Prevent
Detect
Recover
Understand cost and coverage of control
Controls follow vulnerability and threat
analysis

Risk Mitigation Strategy
When a vulnerability (or flaw, weakness) exists, implement assurance techniques to reduce the likelihood of a vulnerability's being exercised.
When a vulnerability can be exercised, apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.
When the attacker's cost is less than the potential gain, apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain).
When loss is too great, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
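The action-point flowchart and the mitigation strategy above, combined in one added Python example (not code from NIST SP 800-30 or the slides). Walking the four decision points in order yields the decision the flowchart ends in, and every "Yes" branch passed on the way adds the strategy the slides attach to that condition, so a case that reaches "Unacceptable Risk" collects all four. The sample cases, their names and their cost, gain, loss and threshold numbers are constructed for the illustration.

```python
"""Risk mitigation action points as a decision procedure (added example, not from the slides)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCase:
    """Facts about one threat/system pair, in the order the flowchart asks for them."""
    name: str
    vulnerable: bool          # does the system design contain the flaw?
    exploitable: bool         # can the flaw actually be exercised?
    attacker_cost: float      # estimated cost to the attacker (any consistent unit)
    attacker_gain: float      # estimated gain to the attacker (same unit)
    anticipated_loss: float   # expected loss to the organization if exercised
    loss_threshold: float     # the organization's acceptable-loss threshold (same unit)


# Strategy attached to each "Yes" branch, condensed from the Risk Mitigation Strategy slide.
STRATEGY_VULNERABILITY_EXISTS = "assurance techniques to reduce the likelihood of exercise"
STRATEGY_EXERCISABLE = "layered protections, architectural designs and administrative controls"
STRATEGY_COST_BELOW_GAIN = "raise the attacker's cost, e.g. limit what a system user can access and do"
STRATEGY_LOSS_TOO_GREAT = "design principles and technical/nontechnical protections that limit the extent of an attack"


def decide(case: RiskCase) -> tuple[str, list[str]]:
    """Walk the action points; return the decision and the strategies that apply along the way."""
    strategies = []
    if not case.vulnerable:
        return "No Risk", strategies
    strategies.append(STRATEGY_VULNERABILITY_EXISTS)
    if not case.exploitable:
        return "No Risk", strategies
    strategies.append(STRATEGY_EXERCISABLE)          # risk exists from here on
    if not case.attacker_cost < case.attacker_gain:
        return "Accept Risk", strategies
    strategies.append(STRATEGY_COST_BELOW_GAIN)
    if not case.anticipated_loss > case.loss_threshold:
        return "Accept Risk", strategies
    strategies.append(STRATEGY_LOSS_TOO_GREAT)
    return "Unacceptable Risk", strategies


def triage(cases: list[RiskCase]) -> list[str]:
    """Names of the cases that end in Unacceptable Risk, largest anticipated loss first."""
    hits = [c for c in cases if decide(c)[0] == "Unacceptable Risk"]
    return [c.name for c in sorted(hits, key=lambda c: c.anticipated_loss, reverse=True)]


# Constructed sample cases; all numbers are assumed.
CASES = [
    RiskCase("inbound telnet with guest ID on XYZ server", True, True, 10.0, 500.0, 80_000.0, 25_000.0),
    RiskCase("terminated employee IDs still active", True, True, 200.0, 1_000.0, 5_000.0, 25_000.0),
    RiskCase("vendor-identified design flaw, not reachable", True, False, 0.0, 0.0, 0.0, 25_000.0),
    RiskCase("hardened server, no known flaw", False, False, 0.0, 0.0, 0.0, 25_000.0),
]


if __name__ == "__main__":
    for case in CASES:
        decision, strategies = decide(case)
        print(f"{case.name}: {decision}")
        for s in strategies:
            print(f"    - {s}")
    print("Unacceptable:", triage(CASES))
```

The "Accept Risk" exits are where judgement enters: the second case is accepted only because its anticipated loss sits below the threshold, so the threshold value deserves the same scrutiny as the likelihood and impact ratings that feed it.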

Risk Mitigation Activities (Input / Activity / Output)
Input: Risk levels from the risk assessment report
1. Prioritize Actions
Output: Actions ranking from high to low
Input: Risk assessment report
2. Evaluate Recommended Control Options (feasibility, effectiveness)
Output: List of possible controls
Input: Impact of implementing; Impact of not implementing; Associated costs
3. Conduct Cost-Benefit Analysis
Output: Cost-benefit analysis
4. Select Controls
Output: Selected controls
5. Assign Responsibility
Output: List of responsible persons
Input: Risks and associated risk levels; Prioritized actions; Recommended controls; Selected planned controls; Responsible persons; Start date; Target completion date; Maintenance requirements
6. Develop Safeguard Implementation Plan
Output: Safeguard implementation plan
7. Implement Selected Controls
Output: Residual risks

Categories of Security Control
Security controls, when used appropriately, can prevent, limit, or deter threat-source damage to an organization's mission. An organization should consider technical, management, and operational security controls, or a combination of such controls, to maximize the effectiveness of controls for its IT systems and organization.
Technical Controls. These controls usually involve system architecture, engineering disciplines, and security packages with a mix of hardware, software, and firmware.
Management Controls. These controls focus on the stipulation of information protection policy, guidelines, and standards.
Operational Controls. These controls ensure that security procedures are properly enforced and implemented in accordance with the organization's goals and mission.

Framework of Technical Security Controls
[Figure: a User or Process reaches a Resource through layered technical controls]
Support: Identification; Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation)
Prevent: Protected Communications (safe from disclosure, substitution, modifications & replay); Authentication; Authorization; Access Control Enforcement; Nonrepudiation; Transaction Privacy
Detect, Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; State Restore

Management Security Controls


Preventive:
Assign security responsibility.
Develop and maintain system security plan.
Implement personnel security controls such as separation of
duties, least privilege, and user computer access registration
and termination.
Conduct security awareness and technical training.
Detection:
Implement personnel security controls such as personnel
clearance, background investigations, rotation of duties.
Conduct periodic review of security controls.
Perform periodic system audits.
Conduct ongoing risk management.
Authorize IT systems to address and accept residual risk.

Management Security Controls


Recovery:
Provide continuity of support and develop, test, and
maintain the continuity of operations plan.
Establish an incident response capability to prepare for,
recognize, report, and respond to the incident and return
the system to operational status.

Operational Security Controls


Preventive:
Control data media access and disposal (e.g., physical access
control, degaussing method)
Limit external data distribution (e.g., use of labeling)
Control software viruses
Safeguard computing facility
Secure wiring closets that house hubs and cables
Provide backup capability
Establish off-site storage procedures and security
Protect laptops, personal computers (PC), workstations
Protect IT assets from fire damage
Provide emergency power source
Control the humidity and temperature of the computing facility
Detection:
Provide physical security
Ensure environmental security.

Potential Projects

Developing a risk management plan.


A qualitative risk assessment approach to xxx
A quantitative risk assessment approach to xxx
A comparative analysis of risk assessment
methods.
