Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Risk Management
Giorgio Fumera
Cybersecurity – Spring semester 2020-2021
http://pralab.diee.unica.it
Outline
• Introduction to risk management
• Risk management frameworks
  – ISO standards
  – NIST guidelines
• The risk assessment process
  – NIST guidelines
  – qualitative and quantitative risk assessment
  – risk assessment techniques
• Risk treatment
• Data collection and processing for risk assessment
• Real-world examples of risk assessment
Resources
• Part Three – Management Issues, Ch. 14 IT Security Management and Risk Assessment
• Ch. 10 Management and Incidents, Par. 10.4 Risk Analysis
• ISO standards (available through the Faculty library)
• NIST documents
Introduction to Risk Management
What is risk?
A concept inherently present in every human activity.
Non-technical definition of "risk" (Oxford Dictionary of English):
A situation involving exposure to danger: all outdoor activities carry an element of risk
– the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease
Examples from everyday life activities:
– walking along or crossing a road
– driving a motorcycle
– choosing a master course
– ...
Technical definitions of "risk" (Oxford Dictionary of English):
– a possibility of harm or damage against which something is insured: all-risks insurance for professional photographers
– the possibility of financial loss: the Bank is rigorous when it comes to analysing and evaluating risk
Risk is always related to uncertainty about future events.
Dealing with risk
Consider again the everyday examples above (walking along or crossing a road, driving a motorcycle, choosing a master course, ...):
Avoiding risk entirely is not possible.
Risk can only be reduced or mitigated, at some cost.
Organizations' view of risks
• Private organizations (companies, industry, financial institutions, etc.)
• Public organizations/services (education system, health system, etc.)
• Cross-sector organizations: critical infrastructures (transports, communications, energy, etc.)
• States (health, climate change, pollution, etc.)
[Figure: organization's assets, undesired events, risk mitigation actions]
Assets and risks in different sectors
• Enterprises
• Industry
• Financial institutions
• Process plants (e.g., nuclear and chemical plants)
• Civil engineering (buildings, infrastructures)
• Environmental engineering
• Transports
• Aerospace
• Military
• Energy
• Communications
• Health system
• ...
The main elements of risk analysis
[Figure: organization's assets, undesired event, likelihood, consequences, level of risk, risk mitigation actions; decision-making at the top management or political level]
Risk management initiatives
Risk management initiatives have been undertaken over the years in many sectors:
– involvement of public and private bodies
– normative outcomes: regulations, standards, guidelines
– technical outcomes: methodologies, techniques
Examples:
– nuclear field: International Atomic Energy Agency (IAEA)
– banking: Basel Committee
– industry: International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST)
Risk management: historical notes
Enterprise sector (1900s –):
– beginning of the 20th century: management model in the financial sector
– 1950s: application to the insurance sector (USA)
– 1960s: application to engineering & construction companies
– 1990s: Enterprise Risk Management model – a global, integrated view of the organization's life
– 2009: formalization in the ISO 31000 standard
Banking sector (1974 –):
– beginning of the 20th century: management model in the financial sector
– 1974: Basel Committee (Banking Regulations and Supervisory Practices)
– 1988 – 2017: Basel accords
Risk management: historical notes
Industrial sectors (1950s –):
– chemical plants: EC (European Commission) Seveso Directive – Technological Disaster Risk Reduction (1982), http://ec.europa.eu/environment/seveso/index.htm
– aerospace: NASA (National Aeronautics and Space Administration, USA), https://sma.nasa.gov/sma-disciplines/risk-management; 1986: Space Shuttle Challenger disaster
– nuclear plants: IAEA (International Atomic Energy Agency), https://www.iaea.org; 1986: Chernobyl accident
Cybersecurity risks
Risks related to information systems.
Who is affected by cybersecurity risks?
– organizations that develop and provide ICT products and services
– individuals and organizations that use ICT products and services: enterprises, industry, financial institutions, process plants, civil engineering, environmental engineering, transports, aerospace, military, energy, communications, health system, ...
Cybersecurity risks: an example
Industrial automation and control systems
[Figure: Supervisory Control And Data Acquisition, Manufacturing Execution System, Enterprise Resource Planning, Programmable Logic Controller]
Source: Abdo et al., A safety/security risk analysis approach of Industrial Control Systems, Computers & Security 72 (2018) 175–195
Risk management in cybersecurity
A still evolving field, building on results from other sectors:
– principles
– frameworks
– standards
– methodologies
– specific techniques
The main actors involved:
– International Organization for Standardization (ISO)
– National Institute of Standards and Technology (NIST)
The risk management process
An example for the enterprise sector (NIST Cybersecurity Framework Version 1.1, April 16, 2018, https://doi.org/10.6028/NIST.CSWP.04162018), Section 2.4 Coordination of Framework Implementation:
"Figure 2 describes a common flow of information and decisions at the following levels within an organization:
– Executive
– Business/Process
– Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization's overall risk management process and to the implementation/operations level for awareness of business impact."
[Figure 2: Notional Information and Decision Flows within an Organization]
Risk management is a fundamental component of any organization, with broad involvement of all organizational levels.
International Organization for Standardization (ISO)
https://www.iso.org
Main facts:
– worldwide federation of national standards bodies
– develops and publishes international standards for most industry sectors
– some standards can be certified by external certification bodies
– liaises with other governmental and non-governmental organizations
– collaborates with the International Electrotechnical Commission (IEC) on electrotechnical standardization matters
– ISO standards are not available for free
How to consult ISO standards at UNICA:
– free access provided by the Faculty Library (computer room) to UNICA students, through UNI – Ente Nazionale Italiano di Normazione, https://www.uni.com (ask the Library staff for instructions)
– requires a UNICA student account
– documents are only available for consultation
National Institute of Standards and Technology (NIST)
https://www.nist.gov/
Main facts:
– founded in 1901
– part of the U.S. Department of Commerce
– industry-related standards, guidelines and best practices
– all NIST documents are publicly available