Risk Management Concepts and the CISSP (Part 1)
The Certified Information Systems Security Professional (CISSP) is an information security certification that was developed by the International Information Systems Security Certification Consortium, also known as (ISC) ². The risk management is one of the modules of CISSP training that entails the identification of an organization’s information assets and the development, documentation, implementation, and updating of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability.
Management tools such as risk assessment and risk analysis are used to identify threats, classify assets, and to rate their vulnerabilities so that effective security measures and controls can be implemented. The process of risk management is carried out to identify potential risks, tools, practices, rate and reduce the risk to specific resources of an organization.
Risk Management Concepts
Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. It is necessary for the candidate to understand all the core concepts of risk management like risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.
A risk comprises a threat and a vulnerability of an asset, defined as follows:
Threat: Any natural or man-made circumstance that could have an adverse impact on an organizational asset.
Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more likely to occur, or likely to occur more frequently.
Asset: An asset is a resource, process, product, or system that has some value to an organization and must, therefore, be protected.
The Threat, Vulnerability, and Assets are known as the risk management triples. It is the main concept that is covered in risk management from CISSP exam perspective. Risk can never be completely eliminated. Any system or environment, no matter how secure, can eventually be compromised.
Threat x Vulnerability = Risk
Some threats or events, such as natural disasters are largely unpredictable. Therefore, the main goal of risk management is risk mitigation that involves reducing risk to a level that’s acceptable to an organization. There are three main elements of which risk management is comprised of:
Risk identification is the initial step in the risk management that involves identifying specific elements of the three components of risk: assets, threats, and vulnerabilities.
To determine the appropriate level of security, the identification of an organization’s assets and determining their value is a critical step. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance).
Any inaccurate asset valuation may result in:
- Poorly chosen or improperly implemented controls.
- Controls that isn’t cost-effective.
- Controls protect the wrong asset.
While a properly conducted asset valuation process has several benefits to an organization:
- Supports quantitative and qualitative risk assessments, business impact assessments, and security auditing.
- Facilitates cost-benefit analysis and supports management decisions regarding the selection of appropriate safeguards.
- Can be used to determine insurance requirements, budgeting, and replacement costs.
- Helps demonstrate due care and limit personal liability.
There are three main elements that are used to determine the value of assets:
- Initial and maintenance costs: This is most often a tangible dollar value and may include purchasing, licensing, development, maintenance, and support costs.
- Organizational value: This is often a difficult and intangible value. It may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised.
- Public value: Public value can include loss of proprietary information or processes and loss of business reputation.
In the process of risk management, we perform two different analyses that include:
- Threat Analysis
- Risk Analysis
- Quantitative Analysis
- Qualitative Analysis
Threat analysis is a process of examining the sources of cyber threats and evaluating them in relation to the information system’s vulnerabilities. The objective of the analysis is to identify the threats that endanger a particular information system in a specific environment.
It consists of four steps that include:
- Define the actual threat.
- Identify possible consequences to the organization if the threat is realized.
- Determine the probable frequency of a threat.
- Assess the probability that a threat will actually materialize.
An organization should be well prepared for all type of threats, the number and types of threats can be overwhelming but can generally be categorized as
- Natural: Earthquakes, floods, hurricanes, lightning, fire, and so on.
- Man-made: Unauthorized access, data entry errors, strikes/labor disputes, theft, terrorism, social engineering, malicious code and viruses, and so on.
The next element in risk management is risk analysis. A risk analysis brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization for developing an effective risk management strategy.
It consists of four steps that include:
- Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization. This is a component of risk identification (asset valuation).
- Define specific threats, including threat frequency and impact data. This is a component of risk identification (threat analysis).
- Calculate Annualized Loss Expectancy (ALE).
- Select appropriate safeguards. This is a component of both risk identification and Risk Control.
The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. ALE is determined by this formula:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
- Single Loss Expectancy (SLE) is a measure of the loss incurred from a single realized threat or event, expressed in dollars. It is calculated as Asset Value ($) x Exposure Factor (EF).
- Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage.
- Annualized Rate of Occurrence (ARO) is the estimated annual frequency of occurrence for a threat or event.
Goals of Risk Analysis:
The process of conducting a risk analysis is very similar to identifying an acceptable risk level. Essentially, you do a risk analysis on the organization as a whole to determine the acceptable risk level.
A risk analysis has four main goals:
- Identify assets and their values.
- Identify vulnerabilities and threats.
- Quantify the probability and business impact of these potential threats.
- Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Identify assets and their values:
In the process of identifying assets and its value we consider the value placed on assets (including information), what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, and what benefit another party would gain if it were to obtain it.
Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it.
The following issues should be considered when assigning values to assets:
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Value of the asset to adversaries
- Value of intellectual property that went into developing the information
- Price others are willing to pay for the asset
- Cost to replace the asset if lost
- Operational and production activities that are affected if the asset is unavailable
- Liability issues if the asset is compromised
- Usefulness and role of the asset in the organization
Identify vulnerabilities and threats:
Once the assets have been identified and assigned values, all of the vulnerabilities and associated threats need to be identified that could affect each asset’s integrity, availability or confidentiality requirements.
Since there is a large amount of vulnerabilities and threats that can affect the different assets, it is important to be able to properly categorize and prioritize them so that the most critical items can be taken care of first.
Quantify the probability and business impact of these potential threats:
The team carrying out the risk assessment needs to figure out the business impact of the identified threats. To estimate potential losses posed by threats, answer the following questions:
What physical damage could the threat cause, and how much would that cost?
How much productivity loss could the threat cause, and how much would that cost?
- What is the value lost if confidential information is disclosed?
- What is the cost of recovering from a virus attack?
- What is the cost of recovering from a hacker attack?
- What is the value lost if critical devices were to fail?
- What is the single loss expectancy (SLE) for each asset and each threat?
These are some general questions, while the specific questions will depend upon the types of threats the team uncovers. The team then needs to calculate the probability and frequency of the identified vulnerabilities being exploited.
Identify countermeasures and determine cost/benefit:
The team then needs to identify countermeasures and solutions to reduce the potential damages from the identified threats. A security countermeasure must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis.
A commonly used cost/benefit calculation can be given as:
Value of safeguard to the company =
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)
For example, if the ALE of the threat of a hacker bringing down a Web server is $12,000 prior to implementing the suggested safeguard, $3,000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
The following items need to be considered and evaluated when deriving the full cost of a countermeasure:
- Product costs
- Design/planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
- Repair, replacement or update costs
- Operating and support costs
- Effects on productivity
It is important that the team knows how to calculate the actual cost of a countermeasure to properly weigh it against the benefit and savings the countermeasure is supposed to provide.
The following is a short list of what generally is expected from the results of a risk analysis:
- Monetary values assigned to assets
- Comprehensive list of all possible and significant threats
- Probability of the occurrence rate of each threat
- Loss potential the company can endure per threat in a 12-month time span
- Recommended safeguards, countermeasures, and actions
Risk analysis can be divided into two major types:
- Quantitative Risk Analysis
- Qualitative Risk Analysis
Quantitative Risk Analysis:
A Quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible.
Qualitative Risk Analysis:
A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. In qualitative risk analysis, we develop real scenarios that describe a threat and potential losses to organizational assets. Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis.
As far as CISSP is concerned, the candidate must know all the core element of risk management that also includes control. Risk Control is a safeguard or countermeasure that reduces risk associated with a specific threat. The absence of a safeguard against a threat creates vulnerability and increases the risk.
Risk control can be done through one of three general remedies:
Mitigating risk by implementing the necessary security controls, policies, and procedures to protect an asset. This can be achieved by altering, reducing, or eliminating the threat and/or vulnerability associated with the risk.
To avoid the outcomes of risk, we can assign the potential loss associated with a risk to a third party, such as an insurance company.
It involves the acceptance of the loss associated with a potential risk.
However, in risk management, we mitigate the threats that itself should not introduce new vulnerabilities. It’s an ongoing process that must be conducted by organizations in order to prevent cyber attacks. The above discussed management techniques and processes are the basic and fundamental and are also included in CISSP exam by International Information Systems Security Certification Consortium.