MGMT 755 Security Risk Analysis

Dr. Benjamin Khoo, [email protected]
New York Institute of Technology, School of Management


Page 1: MGMT 755 Security Risk Analysis

Dr. Benjamin Khoo, [email protected]

New York Institute of Technology, School of Management

Page 2

3.1 Risk = someone or something that creates or suggests a hazard

3.2 Risk Assessment Process:
+ must support the business mission/objectives
+ accepted by the user community

◆ Meet with the client to determine:
1. what to review
2. kinds of risk elements to be examined
3. deliverables or results from the process

◆ find business-friendly controls or counter-measures

Page 3

3.3 Information is an Asset

The goal of an enterprise-wide information security program is to determine the threat impact to information assets based on:

1. Integrity – information is as intended without inappropriate modification or corruption

2. Confidentiality – information is protected from unauthorized or accidental disclosure

3. Availability – Authorized users can access applications and systems when required

See Table 3.1 for more specific definitions.

Page 4

The business manager/owner determines the value of the information asset by:
• cost of producing the information asset
• value on the open market
• cost of reproducing the information asset if it is destroyed
• benefit to the enterprise
• cost to the enterprise if it is released, altered or destroyed
• repercussions to the enterprise if the information asset is destroyed
• loss of client or customer confidence
• loss of public credibility

Page 5

3.4 Risk Assessment Methodology
Consists of:
1. assets scoped
2. threats identified
3. risk level established
4. possible controls selected

Asset types:
1. Physical, e.g. people, telecom infrastructure, hardware, software, data, information, procedures, etc.
2. Logical, e.g. intellectual assets, goodwill, brand name, etc.

Page 6

3.4.1 Threat Identification
threat = an indication of an impending undesirable event

Sources of threat:
1. natural
2. human – accidental or deliberate
3. environmental

See Table 3.2 for source, motivation & threat.

Page 7

3.4.1.1 Elements of Threats
3 elements of threats:
1. agent ⇒ catalyst
2. motive ⇒ causes
3. results ⇒ outcome

Factors that impact a threat:
• Geographical location – infrastructure
• Facility
• Your neighbors

See Table 3.3

Page 8

3.4.1.2 Threat Occurrence Rates

Value of Asset × Likelihood = Annual Loss Exposure (this figure can be deceiving)

Likelihood of Occurrence:
• Natural threats === local (or national) weather centers, by years
• Criminal activities === local law enforcement, FBI, state agencies
• Other threats === insurance companies

Use something like Table 3.4
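A worked example of the formula on this slide, added here by the editor and not part of the original deck. It applies ALE = value of asset × likelihood to a constructed risk register, shows how a count of recorded events (the "by years" weather-center or law-enforcement history the slide points to) is turned into an annual likelihood, and illustrates why the slide warns that the single ALE figure can be deceiving. The Scenario class, the likelihood_from_history helper, the loss_fraction field and every name and figure below are assumptions constructed for the example.

```python
"""Annual Loss Exposure (ALE) worked example.

Added example for these slides, not the author's code. It applies the slide's
formula literally, ALE = value of asset x likelihood, where likelihood is the
expected number of occurrences per year. The loss_fraction field, the
likelihood_from_history helper, and all threat names, asset values and event
counts are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float          # value of the asset (replacement cost, dollars)
    annual_likelihood: float    # expected occurrences per year (Table 3.4-style source)
    loss_fraction: float = 1.0  # assumption: share of the asset value lost per occurrence


def likelihood_from_history(events: int, years: int) -> float:
    """Annualise a historical count, e.g. floods recorded 'by years' at the
    local weather center, or incident counts from law enforcement."""
    if years <= 0:
        raise ValueError("need at least one year of history")
    return events / years


def single_loss_exposure(s: Scenario) -> float:
    """What one occurrence costs, independent of how often it happens."""
    return s.asset_value * s.loss_fraction


def annual_loss_exposure(s: Scenario) -> float:
    """ALE = value of asset x likelihood (scaled by the fraction lost per event)."""
    return single_loss_exposure(s) * s.annual_likelihood


# Constructed history: the local weather center recorded 3 floods in 30 years.
FLOOD_RATE = likelihood_from_history(3, 30)  # 0.1 occurrences per year

# Constructed risk register for a small enterprise.
SCENARIOS = [
    Scenario("data center", "flood", 2_000_000, FLOOD_RATE, 0.5),
    Scenario("customer database", "deliberate theft", 500_000, 0.05),
    Scenario("laptops", "accidental loss", 120_000, 2.0, 0.02),  # two losses a year, 2% of fleet each
]


def risk_register(scenarios: list[Scenario]) -> list[dict]:
    """Rank scenarios by ALE but keep single-loss size and likelihood visible beside it."""
    rows = [
        {
            "asset": s.asset,
            "threat": s.threat,
            "single_loss": single_loss_exposure(s),
            "likelihood": s.annual_likelihood,
            "ale": annual_loss_exposure(s),
        }
        for s in scenarios
    ]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def equal_ale_different_profile() -> tuple[float, float]:
    """Why the slide says the ALE figure 'can be deceiving': a once-in-a-century
    total loss and a yearly 1% loss carry the same ALE, yet only one of them
    can end the business in a single event."""
    rare = Scenario("data center", "fire", 1_000_000, 0.01)                   # total loss, 1% per year
    frequent = Scenario("data center", "power glitch", 1_000_000, 1.0, 0.01)  # 1% loss, once a year
    return annual_loss_exposure(rare), annual_loss_exposure(frequent)


if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f"{row['asset']:18} {row['threat']:20} SLE={row['single_loss']:>12,.0f} "
              f"p/yr={row['likelihood']:<5} ALE={row['ale']:>10,.0f}")
    print("same ALE, very different risk:", equal_ale_different_profile())
```

The register deliberately reports single-loss exposure and likelihood next to ALE: two scenarios with identical ALE can differ completely in whether the enterprise could survive one occurrence, which is the point the slide's "deceiving" remark makes.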

Page 9

3.4.1.3 Risk Level Determination ⇨ how likely that threat is to occur

2 ways to assess:
1. establish probability without consideration for existing controls, e.g. initial assessment
2. establish probability taking into account the existing controls, e.g. assessing a specific LAN, application or subnet.

See Table 3.5 for probability level definitions

Page 10

Before impact analysis, consider:
1. asset mission === from project scope
2. information sensitivity
3. asset criticality === importance to the organization

Impact measure:
Quantitative = lost revenue, cost of repairing the system, level of effort required to correct, etc.
Intangible = loss of public confidence, loss of credibility, damage to reputation, etc.

See Figure 3 (Probability vs Impact)

Page 11

3.4.1.4 Controls and Safeguards
Identify controls to mitigate the risk to an acceptable level

Control factors:
• How effective is the recommended control?
• Legal & regulatory requirements?
• Operational impact to the organization?
• Safety & reliability of the control?
• Rule of thumb == cost > asset ⇒ bad ROI
• Cross reference threats mitigated for each control == good ROI?

Analyze the controls, see Table 3.7

Page 12

Types of Controls
Technical = safeguards for hardware, software, control mechanisms, identification & authentication processes, encryption tools, intrusion detection software, etc.

Non-technical = management & operational controls – policies, procedures, standards, personnel security, environmental control mechanisms, etc.

Page 13

Control Categories:
• Avoidance controls = minimize risk
• Assurance controls = ensure the on-going effectiveness
• Detection controls = early detection, interception & response to breaches
• Recovery controls = restore secure environment

See Table 3.8
Can also map controls to enterprise – operations, applications, systems, security, etc.
International standard ISO 17799 (cf Table 3.11)

Page 14

3.4.1.5 Cost-Benefit Analysis
Consider:
• cost of implementation
• operational effectiveness
• additional policies needed?
• additional staff needed?
• cost of training, etc.
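A worked example, added by the editor and not part of the deck, that ties the cost factors on this slide to the two control-selection points on the Controls and Safeguards slide: the rule of thumb that a control costing more than the asset it protects is a bad ROI, and the advice to cross-reference every threat a single control mitigates. Spreading the implementation cost over an assumed lifetime, the per-threat effectiveness fractions, and comparing ALE reduction against annual control cost are assumptions made for the example, and the Risk and Control classes, control names and all figures are constructed sample data.

```python
"""Control cost-benefit worked example.

Added example for the cost-benefit slides, not the author's code. It applies
the slide's rule of thumb (cost > asset => bad ROI) and its advice to
cross-reference every threat a control mitigates. Annualising implementation
cost over a lifetime, the per-threat effectiveness fractions, and comparing ALE
reduction against annual cost are assumptions made here; all names and figures
are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float
    annual_likelihood: float  # occurrences per year

    def ale(self) -> float:
        """Annual Loss Exposure, the slide's value x likelihood."""
        return self.asset_value * self.annual_likelihood


@dataclass(frozen=True)
class Control:
    name: str
    implementation_cost: float    # one-off cost of implementation
    annual_operating_cost: float  # operations, additional staff, training
    lifetime_years: int           # assumption: implementation cost is spread over this
    # (asset, threat) -> fraction of that risk's ALE the control removes (assumption)
    mitigates: dict[tuple[str, str], float] = field(default_factory=dict)

    def annual_cost(self) -> float:
        return self.implementation_cost / self.lifetime_years + self.annual_operating_cost


def evaluate_control(control: Control, register: list[Risk]) -> dict:
    """Cross-reference every risk the control touches and total the ALE it removes."""
    reduction = 0.0
    protected_assets: dict[str, float] = {}
    covered: list[str] = []
    for r in register:
        effectiveness = control.mitigates.get((r.asset, r.threat))
        if effectiveness is None:
            continue
        reduction += r.ale() * effectiveness
        protected_assets[r.asset] = r.asset_value
        covered.append(f"{r.asset}/{r.threat}")
    cost = control.annual_cost()
    return {
        "control": control.name,
        "covers": covered,
        "annual_cost": cost,
        "ale_reduction": reduction,
        "net_annual_benefit": reduction - cost,
        # slide's rule of thumb: cost > asset => bad ROI
        "cost_exceeds_asset_value": cost > sum(protected_assets.values()),
    }


def rank_controls(controls: list[Control], register: list[Risk]) -> list[dict]:
    """Best net benefit first; rule-of-thumb failures sink to the bottom."""
    results = [evaluate_control(c, register) for c in controls]
    return sorted(results, key=lambda r: (r["cost_exceeds_asset_value"], -r["net_annual_benefit"]))


# Constructed register: ALE = 25,000, 10,000 and 4,800 per year respectively.
REGISTER = [
    Risk("customer database", "deliberate theft", 500_000, 0.05),
    Risk("customer database", "accidental disclosure", 500_000, 0.02),
    Risk("laptops", "accidental loss", 120_000, 0.04),
]

CONTROLS = [
    # One control, three threats mitigated: the cross-reference the slide asks for.
    Control("disk and database encryption", 60_000, 10_000, 5, {
        ("customer database", "deliberate theft"): 0.8,
        ("customer database", "accidental disclosure"): 0.5,
        ("laptops", "accidental loss"): 0.9,
    }),
    # 130,000 a year to protect a 120,000 fleet: fails the cost > asset rule of thumb.
    Control("armoured laptop vault", 500_000, 30_000, 5, {
        ("laptops", "accidental loss"): 0.95,
    }),
]


if __name__ == "__main__":
    for res in rank_controls(CONTROLS, REGISTER):
        flag = " (fails cost > asset rule of thumb)" if res["cost_exceeds_asset_value"] else ""
        print(f"{res['control']}: net benefit {res['net_annual_benefit']:,.0f}/yr, "
              f"covers {len(res['covers'])} threat(s){flag}")
```

The encryption control only pays for itself because the cross-reference credits it with all three threats it mitigates; judged against any single threat it would look marginal, which is why the slide pairs the ROI question with cross-referencing.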

Page 15

The End
