INFORMATION SECURITY MANAGEMENT LECTURE 8: RISK MANAGEMENT CONTROLLING RISK You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Dec 21, 2015
Introduction
To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function.
Risk Control Strategies
Choose one of four basic strategies:
• Avoidance
• Transference
• Mitigation
• Acceptance
Avoidance
The risk control strategy that attempts to prevent the exploitation of the vulnerability
• Examples
Transference
The control approach that attempts to shift the risk to other assets, other processes, or other organizations
• Examples
Mitigation
The control approach that attempts to reduce the damage caused by exploitation of a vulnerability
• Types of Mitigation Plans
Managing Risk – Residual Risk
• Residual Risk is a combined function of:
– Threats, vulnerabilities and assets, less the effects of the safeguards in place
Managing Risk – Residual Risk
• Once a control strategy has been selected and implemented:
– The effectiveness of controls should be monitored and measured on an ongoing basis (remember our discussion on metrics and baselining)
– This determines the effectiveness and accuracy of the residual risk estimate
Managing Risk – Risk Control
• Risk control involves selecting one of the four risk control strategies
Should the organization ever accept the risk?
Feasibility and Cost-Benefit Analysis
• There are a number of ways to determine the advantage or disadvantage of a specific control
• The primary means are based on the value of the information assets that it is designed to protect
• Economic feasibility
– Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised
Cost-Benefit Analysis: Cost
• Factors that affect the cost of a safeguard
– Cost of development or acquisition of hardware, software, and services
– Training fees
– Cost of implementation
– Service and maintenance costs
Cost-Benefit Analysis: Benefit
The value to the organization of using controls to prevent losses associated with a specific vulnerability
Cost-Benefit Analysis: Asset Valuation
The process of assigning financial value or worth to each information asset
Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation
• An organization must be able to place a dollar value on each information asset it owns
• Potential loss is that which could occur from the exploitation of a vulnerability or a threat occurrence
Cost-Benefit Analysis Calculation
• CBA determines whether or not a control alternative is worth its associated cost
• CBAs may be calculated before a control or safeguard is implemented, or calculated after controls have been implemented and have been functioning for a time
Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS
– ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control
– ALE (post-control) is the ALE examined after the control has been in place for a period of time
– ACS is the annual cost of the safeguard
Example of Cost-Benefit Analysis Calculation
Dropping an iPad and breaking the screen
Asset value: $700
Exposure factor: 50%
SLE = ?
ARO = 25% chance of damaging
ALE (prior) = ?
Assume the ARO is reduced to 5% by using a control
ALE (post) = ?
CBA (cost of case = $30)
CBA = ALE(prior) – ALE(post) – ACS
CBA = ?
Example of Cost-Benefit Analysis Calculation
Unprotected customer database
Asset value: $200,000
Exposure factor: 50%
SLE = ?
ARO = 75% chance of occurring
ALE (prior) = ?
Assume the ARO is reduced to 5% by using a control
ALE (post) = ?
CBA (ACS = $5,000)
CBA = ALE(prior) – ALE(post) – ACS
CBA = ?
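The two exercises above can be worked with a short script. This is an added example, not part of the lecture slides; it uses the slides' CBA formula together with the standard quantitative risk-analysis definitions SLE = asset value × exposure factor and ALE = SLE × ARO, which the slides leave as "?" for the student to fill in. The `break_even_acs` helper goes one step beyond the slides: it reports the largest annual safeguard cost at which the control still pays for itself.

```python
"""Single/annualized loss expectancy and safeguard cost-benefit analysis.

Formulas used (the CBA line is from the lecture; SLE and ALE are the
standard quantitative risk-analysis definitions, assumed here):
    SLE = asset value * exposure factor
    ALE = SLE * ARO
    CBA = ALE(prior) - ALE(post) - ACS
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # dollar value assigned to the information asset
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro_prior: float        # annualized rate of occurrence without the control
    aro_post: float         # annualized rate of occurrence with the control
    acs: float              # annual cost of the safeguard (ACS)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: expected loss from a single occurrence, rounded to cents."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = SLE scaled by how often it happens."""
    return round(sle * aro, 2)


def cost_benefit(s: Scenario) -> dict:
    """Return every intermediate figure plus the CBA for one scenario.

    A positive CBA means the safeguard saves more per year than it costs;
    ALE_post is the residual risk that remains after the control."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale_prior = annualized_loss_expectancy(sle, s.aro_prior)
    ale_post = annualized_loss_expectancy(sle, s.aro_post)
    cba = round(ale_prior - ale_post - s.acs, 2)
    return {
        "name": s.name,
        "SLE": sle,
        "ALE_prior": ale_prior,
        "ALE_post": ale_post,
        "ACS": s.acs,
        "CBA": cba,
        "worth_it": cba > 0,
    }


def break_even_acs(s: Scenario) -> float:
    """Largest ACS for which CBA is still >= 0 (i.e. ALE(prior) - ALE(post)).

    Not on the slides; useful when comparing control alternatives."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    return round(annualized_loss_expectancy(sle, s.aro_prior)
                 - annualized_loss_expectancy(sle, s.aro_post), 2)


# The two scenarios given in the lecture exercises.
IPAD = Scenario("Dropping an iPad (control: $30 case)",
                asset_value=700, exposure_factor=0.50,
                aro_prior=0.25, aro_post=0.05, acs=30)
CUSTOMER_DB = Scenario("Unprotected customer database",
                       asset_value=200_000, exposure_factor=0.50,
                       aro_prior=0.75, aro_post=0.05, acs=5_000)


if __name__ == "__main__":
    for scenario in (IPAD, CUSTOMER_DB):
        r = cost_benefit(scenario)
        print(f"{r['name']}: SLE=${r['SLE']:,.2f} ALE(prior)=${r['ALE_prior']:,.2f} "
              f"ALE(post)=${r['ALE_post']:,.2f} ACS=${r['ACS']:,.2f} "
              f"CBA=${r['CBA']:,.2f} worth_it={r['worth_it']} "
              f"break-even ACS=${break_even_acs(scenario):,.2f}")
```

Both scenarios come out with a positive CBA, so under the economic-feasibility test alone each control is justified; the other feasibility dimensions listed below (organizational, operational, technical, political) still have to be checked before selecting a strategy.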
Other Methods of Establishing Feasibility
• Organizational feasibility analysis
• Operational feasibility
• Technical feasibility
• Political feasibility
Alternatives to Feasibility Analysis
• Benchmarking
• Due care and due diligence
• Best business practices
• Gold standard
• Government recommendations
• Baseline