Risk management concepts and the CISSP (part 1) [updated 2021]
The Certified Information Systems Security Professional (CISSP) is an information security certification that was developed by the International Information Systems Security Certification Consortium, also known as (ISC)².
Risk management is one of the modules of CISSP training that entails the identification of an organization’s information assets and the development, documentation, implementation and updating of policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability.
Management tools such as risk assessment and risk analysis are used to identify threats, classify assets and rate their vulnerabilities so that effective security measures and controls can be implemented. The process of risk management is carried out to identify potential risks, tools, practices and rates and reduce the risk to specific resources of an organization.
Risk management concepts
Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The candidate must understand all the core concepts of risk management like risk assessment methodologies, risk calculations and safeguard selection criteria and objectives.
A risk comprises a threat and a vulnerability of an asset, defined as follows:
- Threat: Any natural or man-made circumstance that could harm an organizational asset
- Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently
- Asset: An asset is a resource, process, product or system that has some value to an organization and must be protected
The threat, vulnerability and assets are known as the risk management triples. It is the main concept that is covered in risk management from the CISSP exam perspective. Risk can never be completely eliminated. Any system or environment, no matter how secure, can eventually be compromised.
Threat x vulnerability = risk
Some threats or events, such as natural disasters, are largely unpredictable. Therefore, the main goal of risk management is risk mitigation that involves reducing risk to a level that’s acceptable to an organization. There are three main elements of which risk management is comprised of:
Risk identification is the initial step in risk management that involves identifying specific elements of the three components of risk: assets, threats and vulnerabilities.
To determine the appropriate level of security, the identification of an organization’s assets and determining their value is a critical step. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance).
Any inaccurate asset valuation may result in:
- Poorly chosen or improperly implemented controls
- Controls that aren’t cost-effective
- Controls protect the wrong asset
A properly conducted asset valuation process has several benefits to an organization:
- Supports quantitative and qualitative risk assessments, business impact assessments and security auditing
- Facilitates cost-benefit analysis and supports management decisions regarding the selection of appropriate safeguards
- Can be used to determine insurance requirements, budgeting and replacement costs
- Help demonstrate due care and limit personal liability
Three main elements are used to determine the value of assets:
- Initial and maintenance costs: This is most often a tangible dollar value and may include purchasing, licensing, development, maintenance and support costs
- Organizational value: This is often a difficult and intangible value; it may include the cost of creating, acquiring, re-creating information and the business impact or loss if the information is lost or compromised
- Public value: Includes the loss of proprietary information or processes and loss of business reputation
In the process of risk management, we perform two different analyses that include:
- Threat analysis
- Risk analysis
- Quantitative analysis
- Qualitative analysis
Threat analysis is a process of examining the sources of cyberthreats and evaluating them to the information system’s vulnerabilities. The objective of the analysis is to identify the threats that endanger a particular information system in a specific environment.
It consists of four steps that include:
- Define the actual threat.
- Identify possible consequences to the organization if the threat is realized.
- Determine the probable frequency of a threat.
- Assess the probability that a threat will materialize.
An organization should be well prepared for all type of threats, the number and types of threats can be overwhelming but can generally be categorized as:
- Natural: Earthquakes, floods, hurricanes, lightning, fire and so on.
- Man-made: Unauthorized access, data entry errors, strikes/labor disputes, theft, terrorism, social engineering, malicious code and viruses and so on.
The next element in risk management is risk analysis. A risk analysis brings together all the elements of risk management (identification, analysis and control) and is critical to an organization for developing an effective risk management strategy.
It consists of four steps:
- Identify the assets to be protected, including their relative value, sensitivity or importance to the organization; this is a component of risk identification (asset valuation)
- Define specific threats, including threat frequency and impact data; this is a component of risk identification (threat analysis)
- Calculate annualized loss expectancy (ALE)
- Select appropriate safeguards; this is a component of both risk identification and risk control
The (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. ALE is determined by this formula:
Single loss expectancy (SLE) x annualized rate of occurrence (ARO) = (ALE)
- (SLE) is a measure of the loss incurred from a single realized threat or event, expressed in dollars; it is calculated as asset value ($) x exposure factor (EF)
- EF is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage
- ARO is the estimated annual frequency of occurrence for a threat or event
Goals of risk analysis
The process of conducting a risk analysis is very similar to identifying an acceptable risk level. Essentially, you do a risk analysis on the organization as a whole to determine the acceptable risk level.
A risk analysis has four main goals:
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
Identify assets and their values
In the process of identifying assets and their value we consider the value placed on assets (including information), what work was required to develop them, how much it costs to maintain, what damage would result if it were lost or destroyed and what benefit another party would gain if it were to obtain it.
Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it.
The following issues should be considered when assigning values to assets:
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Value of the asset to adversaries
- Value of intellectual property that went into developing the information
- Price others are willing to pay for the asset
- Cost to replace the asset if lost
- Operational and production activities affected if the asset is unavailable
- Liability issues if the asset is compromised
- Usefulness and role of the asset in the organization
Identify vulnerabilities and threats
Once the assets have been identified and assigned values, all of the vulnerabilities and associated threats need to be identified that could affect each asset’s integrity, availability or confidentiality requirements.
Since there is a large number of vulnerabilities and threats that can affect the different assets, it is important to be able to properly categorize and prioritize them so that the most critical items can be taken care of first.
Quantify the probability and business impact of these potential threats
The team carrying out the risk assessment needs to figure out the business impact of the identified threats. To estimate potential losses posed by threats, answer the following questions:
What physical damage could the threat cause, and how much would that cost?
How much productivity loss could the threat cause, and how much would that cost?
- What is the value lost if confidential information is disclosed?
- What is the cost of recovering from a virus attack?
- What is the cost of recovering from a hacker attack?
- What is the value lost if critical devices were to fail?
- What is the SLE for each asset and each threat?
These are some general questions, while the specific questions will depend upon the types of threats the team uncovers. The team then needs to calculate the probability and frequency of the identified vulnerabilities being exploited.
Identify countermeasures and determine cost/benefit
The team then needs to identify countermeasures and solutions to reduce the potential damages from the identified threats. A security countermeasure must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis.
A commonly used cost/benefit calculation can be given as the value of safeguard to the company = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard).
For example, if the ALE of the threat of a hacker bringing down a web server is $12,000 before implementing the suggested safeguard, $3,000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
The following items need to be considered and evaluated when deriving the full cost of a countermeasure:
- Product costs
- Design/planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
- Repair, replacement or update costs
- Operating and support costs
- Effects on productivity
The team must know how to calculate the actual cost of a countermeasure to properly weigh it against the benefit and savings the countermeasure is supposed to provide.
The following is a shortlist of what generally is expected from the results of risk analysis:
- Monetary values are assigned to assets
- Comprehensive list of all possible and significant threats
- Probability of the occurrence rate of each threat
- Loss potential the company can endure per threat in 12 months
- Recommended safeguards, countermeasures and actions
Risk analysis can be divided into two major types:
- Quantitative risk analysis
- Qualitative risk analysis
Quantitative risk analysis
A Quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty and probability are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible.
Qualitative risk analysis
A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. In qualitative risk analysis, we develop realistic scenarios that describe a threat and potential losses to organizational assets. Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis.
As far as CISSP is concerned, the candidate must know all the core elements of risk management that include control. Risk control is a safeguard or countermeasure that reduces the risk associated with a specific threat. The absence of a safeguard against a threat creates vulnerability and increases the risk.
Risk control can be done through one of three general remedies:
Mitigating risk by implementing the necessary security controls, policies and procedures to protect an asset. This can be achieved by altering, reducing or eliminating the threat and/or vulnerability associated with the risk.
To avoid the outcomes of risk, we can assign the potential loss associated with a risk to a third party, such as an insurance company.
It involves the acceptance of the loss associated with a potential risk.
However, in risk management, we mitigate the threats that themselves should not introduce new vulnerabilities. It’s an ongoing process that must be conducted by organizations to prevent cyberattacks. The above-discussed management techniques and processes are fundamental and are also included in the CISSP exam by International Information Systems Security Certification Consortium.
For more on this topic, read Risk management concepts and the CISSP (Part 2). For more CISSP-related resources, see our CISSP certification hub.