Risk management is difficult because it deals with the future. The question enterprises ask most often is "what is an acceptable level of risk?" They have to comply with regulations, identify the assets they must protect, and assess how important those assets are in order to understand what a sufficient level of security is. How much security is enough is a cost/benefit balance.
(1) Planning the risk management process:
- Identify Teams
- Identify Scope
- Identify Methods (Qualitative and quantitative)
- Identify tools
- Understand acceptable risk level
Every company has a different risk appetite, that is, how much risk it is willing to take. The acceptable risk level has to be set within the enterprise. Business drivers help define the acceptable risk level, and management has to set it; the risk team only brings the information to management. That level is abstract on its own, so we then define security policies, which should reflect the acceptable risk level in the system.
(2) Collect Information:
- Identify Assets
- Assign value to assets
- Identify vulnerability and threats
- Calculate risks
- Cost/benefit analysis
- Uncertainty analysis
Collecting information is a time-consuming process. It is really important to identify the assets that are to be protected. There are tangible assets (hardware) and intangible assets (data, reputation); intangible assets are harder to protect. How do we assign a value to an asset? We have to determine its cost, its value to an adversary, its reliability and its criticality, and consider what it would cost the company in the near term and the long term if something happened to that asset.
We have to determine the type of analysis we are going to carry out. Whether it is qualitative or quantitative depends on the requirements of the company; managers like to see quantitative analysis. Quantitative analysis works with monetary values, qualitative analysis is opinion based.
Qualitative analysis is commonly used in the industry. Experts rate the level of risk. If we define levels according to probability of occurrence vs consequences of occurrence, we get categories such as minor risks, high-incidence risks, contingency risks and significant risks. We have to address the significant risks first and then the rest.
Single loss expectancy (SLE) = Asset value x Exposure factor
The exposure factor is the percentage of the asset's value we expect to lose if the vulnerability is exploited. We look at one asset and one threat, then calculate the cost impact of that pairing on the company.
The probability that something takes place is expressed as the annual rate of occurrence (ARO): the number of incidents expected per year. ARO is an annual metric; once a year means an ARO of 1.0, once in ten years means 0.1.
Annual loss expectancy (ALE) = SLE x ARO
ALE is the potential loss the company can expect to suffer per year. This is how we determine which risk to correct first: it lets us rank the threats, define the road map and allocate the budget.
A purely quantitative analysis cannot take place, but a purely qualitative analysis can. We cannot be exact about values that lie in the future, so every quantitative figure carries some judgment in it. That is why most of the industry chooses qualitative analysis over quantitative analysis.
Losses can be potential or delayed, and we have to look at both. Potential loss is what happens quickly: in a virus incident, the potential loss is the inaccessibility of the server. The delayed loss is the loss of reputation that follows.
The cost/benefit calculation for a countermeasure also depends on a lot of variables: purchase cost, maintenance fees, impact on productivity and the staff needed to run it.
Value of countermeasure = (ALE before the countermeasure) - (ALE after the countermeasure) - (Annual cost of the countermeasure)
If this value is negative, implementing the countermeasure is not cost beneficial. Cost is not the only consideration; there is a whole list of things to look at in a countermeasure. Does it follow least privilege, is it flexible, does it provide uniform protection, is it modular, does it require human intervention, does it provide auditing functionality, has it been tested and can it be tested? Wherever people are involved is where mistakes take place.
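The SLE, ALE and countermeasure-value formulas above carried through in code, as an added example that is not part of the original notes. The asset values, exposure factors, ARO figures and countermeasure costs below are constructed for illustration, not taken from the notes or from any real analysis. The example goes one step beyond the text by ranking several asset/threat pairs by ALE, which is what the notes say drives the order in which risks are corrected.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exposure:
    """One asset paired with one threat (the unit the SLE/ALE formulas work on)."""
    asset: str
    threat: str
    asset_value: float      # monetary value assigned to the asset
    exposure_factor: float  # fraction of the asset's value lost per incident, 0.0..1.0
    aro: float              # annual rate of occurrence: incidents expected per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO 1.0 = once a year, 0.1 = once a decade."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_for(exposure: Exposure) -> float:
    """ALE for one asset/threat pair."""
    sle = single_loss_expectancy(exposure.asset_value, exposure.exposure_factor)
    return annual_loss_expectancy(sle, exposure.aro)


def rank_by_ale(exposures: List[Exposure]) -> List[str]:
    """Highest ALE first: the order in which the notes say risks are addressed.
    Returns 'asset/threat' labels so the ranking is easy to read and to test."""
    ordered = sorted(exposures, key=ale_for, reverse=True)
    return [f"{e.asset}/{e.threat}" for e in ordered]


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value = ALE before - ALE after - annual cost of the countermeasure."""
    return ale_before - ale_after - annual_cost


def is_cost_beneficial(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """A negative (or zero) value means the countermeasure does not pay for itself."""
    return countermeasure_value(ale_before, ale_after, annual_cost) > 0


# Constructed sample register (hypothetical figures, not from the notes).
SAMPLE_REGISTER = [
    Exposure("file server", "ransomware", asset_value=200_000, exposure_factor=0.25, aro=0.5),
    Exposure("web server", "defacement", asset_value=80_000, exposure_factor=0.10, aro=2.0),
    Exposure("data center", "flood", asset_value=2_000_000, exposure_factor=0.60, aro=0.02),
]


def worked_example() -> dict:
    """Ransomware on the file server, before and after an assumed offline-backup
    countermeasure that cuts the exposure factor from 0.25 to 0.05 at 8,000/year."""
    before = SAMPLE_REGISTER[0]
    after = Exposure(before.asset, before.threat, before.asset_value, 0.05, before.aro)
    ale_before, ale_after = ale_for(before), ale_for(after)
    return {
        "sle_before": single_loss_expectancy(before.asset_value, before.exposure_factor),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "backup_value": countermeasure_value(ale_before, ale_after, 8_000),
        # Same risk, but a 500,000/year control that removes it entirely: not worth it.
        "gold_plated_value": countermeasure_value(ale_before, 0.0, 500_000),
    }


if __name__ == "__main__":
    for label, ale in zip(rank_by_ale(SAMPLE_REGISTER), sorted(map(ale_for, SAMPLE_REGISTER), reverse=True)):
        print(f"{label:28s} ALE = {ale:>12,.2f}")
    for k, v in worked_example().items():
        print(f"{k:18s} {v:>12,.2f}")
```

Note that the flood has by far the largest SLE (a single incident costs 1,200,000) but a smaller ALE than the ransomware case because it is so rare; ranking by ALE rather than by SLE is what keeps the budget pointed at the expected annual loss, which is the point the notes make.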
The disadvantages of quantitative analysis are that it requires a large amount of preliminary work, the formulas are complex and inflexible, and there are no real standards on how to carry it out. In the qualitative approach, assigning rating values is simple, the process and the reporting of results are flexible, and less preliminary work is required. The disadvantages of qualitative analysis are that it is subjective, it is opinion, and it is hard to map onto a budget. Even so, it is the approach most used in the industry.
The following formulas are conceptual; you cannot put numbers into them.
Total risk = Threats x vulnerability x asset value
Total risk is the risk with no countermeasures in place. What remains after we act on the vulnerability is the residual risk. Residual risk shows that the countermeasure reduced the risk but did not remove every threat.
Residual risk = Threats x vulnerability x asset value x control gap
(control gap = what the control can not protect against)
Total risk - Controls = Residual risk
When we present the results of the analysis, the audience needs some confidence in the information the analysis was based on. Uncertainty analysis assigns a level of trust to the information we are using.
Management is liable for acting on the identified risks, and needs to know what to do with the information that was collected. There are four ways of dealing with a risk: mitigation, transfer, acceptance and avoidance.
(3) Management's responses to identified risks:
- Risk mitigation - implement countermeasures
- Risk transfer - Third-party involvement like purchasing cyber insurance
- Risk acceptance - Informed decision, no action taken when it is not cost beneficial
- Risk avoidance - decide to stop the activity that carries the risk
Risk acceptance:
- cost decision
- pain decision
- visibility decision
RISK MANAGEMENT
PLAN -> COLLECT INFORMATION -> DEFINE RECOMMENDATIONS