Lecture 08 Chapter 4 Risk Assessment

The document discusses the principles of risk management in information security, emphasizing the importance of identifying and assessing risks to protect organizational assets. It outlines the processes of risk identification, control, and assessment, highlighting the increasing costs and frequency of data breaches. Additionally, it details various risk mitigation strategies and the roles of different stakeholders in managing risks effectively.


"Once we know our weaknesses, they cease to do us any harm."

(Georg Christoph Lichtenberg, 1742-1799, German physicist and philosopher)

Risk Management

Information Security

Chapter 4, Principles of Information Security, 4th Edition


Learning Objectives

After learning this, you should be able to:
• Define risk management, risk identification, and risk control
• Describe how risk is identified and assessed
• Assess risk based on probability of occurrence and likely impact
• Explain the fundamental aspects of documenting risk via the process of risk assessment
• Describe the various risk mitigation strategy options
• Identify the categories that can be used to classify controls
Why learn ISRM?

The average cost of a data breach is increasing every year. In 2022, businesses lost $4.35 million per breach on average, $0.11 million more than in 2021 and 12.7% higher than in 2020.

Data breaches are at a historic high, with approximately 15 million records exposed during the third quarter of 2022.

Companies lost over $3 billion in 2021 to decentralized finance (DeFi) thefts.

Kaspersky's DDoS Intelligence system recorded 57,116 DDoS attacks during the third quarter of 2022.
Threat & Vulnerability

If you are trying to protect an asset, you are shielding it from a threat. A threat is anything that can accidentally or intentionally exploit a vulnerability to damage, destroy, or obtain an asset. Threats may be intentional, unintentional, or natural.

Online, your company website and data are the assets. An attacker and their tools (such as malicious code) are the threat. The attacker can plant code on your site that compromises the platform, takes it down, or delivers malware to its visitors.

Small to medium-sized businesses tend to be more vulnerable to attacks.

A vulnerability is a weakness in your hardware, software, or procedures: a gap through which a bad actor can gain access to your assets. In other words, threats exploit vulnerabilities.
Risk
• Where vulnerabilities and threats intersect.
• At its core, risk refers to the possible implication of the damage or loss of business assets and data.
• Cyber risk is a function of threats leveraging system vulnerabilities to access and compromise or steal assets.
• It is commonly summed up with the formula

Risk = Threat × Vulnerability

Note that the relationship is a product, not a sum: a weakness no threat agent can reach, or a threat with no weakness to exploit, carries no risk, whereas adding the two terms would still rate it as one. The risk-rating factor computed later in this chapter (asset impact × likelihood) is the same idea with numbers attached, with the asset's value entering as the impact term.
Risk (cont'd.)

Examples of cyber risk include:
• Theft of sensitive or regulated information
• Hardware damage and subsequent data loss
• Malware and viruses
• Compromised credentials
• Company website failure
• Natural disasters that could damage servers
Information Security Risk Management (ISRM)

Organizations must design and create safe environments in which business processes and procedures can function.

Risk management: the process of identifying and controlling the risks facing an organization.

Risk identification: the process of examining an organization's current information technology security situation.

Risk control: applying controls to reduce risks to an organization's data and information systems.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."

(Sun Tzu, The Art of War)
An Overview of Risk Management

(Review the Security SDLC before proceeding; it gives the context for what follows.)

Know yourself: identify, examine, and understand the information and systems currently in place.

Know the enemy: identify, examine, and understand the threats facing the organization.

It is the responsibility of each community of interest within an organization to manage the risks it encounters.
Figure 4-1 Components of Risk Management

The Roles of the Communities of Interest

• Information security, management and users, and information technology all must work together
• Communities of interest are responsible for:
  • Evaluating the risk controls
  • Determining which control options are cost effective for the organization
  • Acquiring or installing the needed controls
  • Ensuring that the controls remain effective
Risk Identification

Risk management involves identifying, classifying, and prioritizing an organization's assets. A threat assessment process then identifies and quantifies the risks facing each asset.

Components of risk identification: people, procedures, data, software, hardware (and networks).

Attributes commonly captured for each asset:
• Software, hardware, interfaces, users, support personnel
• Criticality, functional requirements
• Network topology, information storage, information flow
• Data protection, technical security controls, physical security environment, environmental security
• IT security policies, IT security architecture
Plan and Organize the Process

• The first step in the risk identification process is to follow your project management principles
• Begin by organizing a team with representation across all affected groups
• The process must then be planned out:
  • Periodic deliverables
  • Reviews
  • Presentations to management
• Tasks are laid out, assignments made, and timetables discussed
Figure 4-2 Components of Risk Identification

Asset Identification and Inventory

An iterative process; it begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking).

Assets are then classified and categorized.
Table 4-1 Categorizing the Components of an Information System

People, Procedures, and Data Asset Identification

Human resources, documentation, and data information assets are more difficult to identify than hardware or software.

Important asset attributes:
• People: position name/number/ID; supervisor; security clearance level; special skills
• Procedures: description; intended purpose; what elements it is tied to; storage location for reference; storage location for update
• Data: classification; owner/creator/manager; data structure size; data structure used; online/offline; location; backup procedures employed
Hardware, Software, and Network Asset Identification

• Which information attributes are tracked depends on:
  • Needs of the organization and its risk management efforts
  • Preferences and needs of the security and information technology communities
• Asset attributes to consider: name; IP address; MAC address; element type; serial number; manufacturer name; model/part number; software version; physical or logical location; controlling entity
• Automated tools can identify system elements for hardware, software, and network components
Data Classification and Management

• A variety of classification schemes are used by corporate and military organizations, with labels such as Confidential, Secret, and Top Secret, or Public, Office Use Only, Sensitive, and System Use/Configuration
• Information owners are responsible for classifying their information assets
• Information classifications must be reviewed periodically
• Most organizations do not need the detailed level of classification used by military or federal agencies; however, organizations may still need to classify data in order to protect it
Data Classification and Management (cont'd.)

Security clearance structure:
• Each data user is assigned a single level of authorization indicating the classification level they may access
• Before accessing a specific set of data, the employee must also meet the need-to-know requirement

Management of classified data covers the storage, distribution, portability, and destruction of classified data, including:
• Clean desk policy
• Dumpster diving (recycle-bin exploitation) as a threat to discarded data
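The two tests an access decision has to make on classified data, clearance level plus need-to-know, together with the owner-only reclassification and periodic-review rules from the previous slide, as an added example written for this page (not code from the textbook or the slides). The ordered scale of levels, the compartment names, the users, the documents and the 365-day review interval are all constructed assumptions.

```python
"""Access decision for classified data: the user's single clearance level must
be at least the data's classification level AND the user must hold a
need-to-know for every compartment the data carries. Added illustration;
levels, compartments, users and documents below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordering of the slide's corporate labels; a real scheme defines its own.
LEVELS = {"Public": 0, "Office Use Only": 1, "Sensitive": 2, "Confidential": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories, e.g. {"HR"}

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level}")


@dataclass
class Subject:
    user: str
    clearance: Label  # exactly one authorization level per user


@dataclass
class DataAsset:
    name: str
    owner: str            # the information owner who classifies it
    classification: Label
    last_reviewed: date


def can_read(subject, asset):
    """Return (allowed, reason). Level alone is not enough: need-to-know is checked too."""
    c, d = subject.clearance, asset.classification
    if LEVELS[c.level] < LEVELS[d.level]:
        return False, f"{subject.user} cleared to {c.level}, data is {d.level}"
    missing = d.compartments - c.compartments
    if missing:
        return False, f"{subject.user} lacks need-to-know for {sorted(missing)}"
    return True, "clearance dominates classification"


def reclassify(asset, actor, new_label, today):
    """Only the information owner may change a classification; doing so counts as a review."""
    if actor != asset.owner:
        raise PermissionError(f"{actor} is not the owner of {asset.name}")
    asset.classification = new_label
    asset.last_reviewed = today


def needs_review(asset, today, max_age_days=365):
    """Periodic review rule: flag classifications older than max_age_days (assumed interval)."""
    return today - asset.last_reviewed > timedelta(days=max_age_days)


# Constructed sample data
TODAY = date(2023, 9, 1)
PAYROLL = DataAsset("payroll-2023.xlsx", "hr-director",
                    Label("Confidential", frozenset({"HR"})), date(2022, 1, 15))
PRICE_LIST = DataAsset("price-list.pdf", "sales-lead", Label("Public"), date(2023, 6, 1))
HR_MANAGER = Subject("alice", Label("Confidential", frozenset({"HR"})))
CFO = Subject("bob", Label("Confidential", frozenset({"FIN"})))
INTERN = Subject("carol", Label("Office Use Only"))

if __name__ == "__main__":
    for who in (HR_MANAGER, CFO, INTERN):
        for doc in (PAYROLL, PRICE_LIST):
            print(f"{who.user:6s} -> {doc.name:18s} {can_read(who, doc)}")
    for doc in (PAYROLL, PRICE_LIST):
        print(f"{doc.name} needs review: {needs_review(doc, TODAY)}")
```

The CFO case is the one to notice: bob holds the same Confidential level as the document but a different compartment, so the level test passes and the need-to-know test still denies him, which is exactly why the slide lists the two requirements separately.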
Classifying and Prioritizing Information Assets

• Many organizations have data classification schemes (e.g., confidential, internal, public data)
• Classification of components must be specific enough to allow determination of priority levels
• Categories must be comprehensive and mutually exclusive
Information Asset Valuation

• Questions help develop criteria for asset valuation
• Which information asset:
  • Is most critical to the organization's success?
  • Generates the most revenue/profitability?
  • Would be most expensive to replace or protect?
  • Would be the most embarrassing or cause the greatest liability if revealed?
Figure 4-5 Sample Inventory Worksheet

Information Asset Valuation (cont'd.)

• Information asset prioritization:
  • Create a weighting for each category based on the answers to the questions
  • Calculate the relative importance of each asset using weighted factor analysis
  • List the assets in order of importance using a weighted factor analysis worksheet
Identifying and Prioritizing Threats

• Realistic threats need investigation; unimportant threats are set aside
• Threat assessment:
  • Which threats present a danger to assets?
  • Which threats represent the most danger to information?
  • How much would it cost to recover from an attack?
  • Which threat requires the greatest expenditure to prevent?
Vulnerability Identification

Specific avenues that threat agents can exploit to attack an information asset are called vulnerabilities.

Examine how each threat could be perpetrated and list the organization's assets and their vulnerabilities.

The process works best when people with diverse backgrounds within the organization work iteratively in a series of brainstorming sessions.

At the end of the risk identification process, a list of assets and their vulnerabilities is achieved.
Risk Assessment (ISRM continued)
Risk Assessment
• Risk assessment evaluates the relative risk for each vulnerability
• Assigns a risk rating or score to each information asset
• The goal at this point: create a method for evaluating the relative risk of each listed vulnerability

Risk identification has produced the inputs for this step:
• A prioritized list of assets
• A prioritized list of threats facing those assets
Each threat-vulnerability-asset combination is labelled as a TVA triple:
T1V1A1: Vulnerability 1 that exists between Threat 1 and Asset 1
T2V1A1: Vulnerability 1 that exists between Threat 2 and Asset 1
Likelihood
• The probability that a specific vulnerability will be the object of a successful attack
• Assign a numeric value: a number between 0.1 (low) and 1.0 (high), or a number between 1 and 100
• Zero is not used, since vulnerabilities with zero likelihood are removed from the asset/vulnerability list
• Use the selected rating model consistently
• Use external references for values that have been reviewed and adjusted for your circumstances
Clearwater IRM risk rating matrix

Risk Determination

• Asset: list each vulnerable asset.
• Vulnerability: list each uncontrolled vulnerability.
• Likelihood: state the likelihood of the realization of the vulnerability by a threat agent, as indicated in the vulnerability analysis step.
• Impact: show the results for this asset from the weighted factor analysis worksheet.
• Risk-rating factor: enter the figure calculated by multiplying the asset impact by its likelihood.
Risk Rating Worksheet

Identify Possible Controls

For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas.

Residual risk is the risk that remains to an information asset even after the existing control has been applied.

There are three general categories of controls:
• Policies
• Programs
• Technologies
Documenting the Results of Risk Assessment

The final summary is compiled in a ranked vulnerability risk worksheet.

The worksheet details the asset, asset impact, vulnerability, vulnerability likelihood, and risk-rating factor.

The ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk.
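The whole chain from the earlier slides carried through in code: weighted factor analysis for asset impact, TVA triples with a 0.1 to 1.0 likelihood (zero rejected, as the likelihood slide requires), the risk-rating factor of the Risk Determination slide, residual risk after existing controls, and the ranked vulnerability risk worksheet described above. This is an added example written for this page, not material from the textbook or the slides; the criteria weights, asset scores, threat and vulnerability names, likelihood values, and the "fraction already controlled" model used for residual risk are all constructed assumptions.

```python
"""Risk assessment worked example: weighted factor analysis for asset impact,
then a ranked vulnerability risk worksheet (risk-rating factor = impact x
likelihood) with residual risk after existing controls. Added illustration;
all weights, scores and likelihoods below are constructed.
"""
from dataclasses import dataclass

# Weights for the four valuation questions (criticality to success, revenue
# generated, cost to replace/protect, liability if revealed). Constructed;
# an organization chooses its own, and they must sum to 1.0.
CRITERIA_WEIGHTS = {"critical": 0.30, "revenue": 0.30, "replace": 0.15, "liability": 0.25}


@dataclass
class Asset:
    name: str
    scores: dict  # criterion -> score in 0.0..1.0 from the valuation questions


def weighted_factor(asset, weights=CRITERIA_WEIGHTS):
    """Relative importance (impact) of an asset: weighted sum of its criterion scores."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    return round(sum(weights[c] * asset.scores[c] for c in weights), 3)


def prioritize_assets(assets):
    """Weighted factor analysis worksheet: assets listed in order of importance."""
    return sorted(assets, key=weighted_factor, reverse=True)


@dataclass
class Exposure:
    """One threat-vulnerability-asset triple, labelled TxVyAz as on the slides."""
    label: str
    threat: str
    vulnerability: str
    asset: Asset
    likelihood: float        # 0.1 (low) .. 1.0 (high); zero-likelihood pairs are dropped instead
    controlled: float = 0.0  # assumed model: fraction of this risk already removed by existing controls

    def risk_rating(self):
        """Risk-rating factor = asset impact x likelihood."""
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.label}: likelihood must be 0.1..1.0 (remove zero-likelihood pairs)")
        return round(weighted_factor(self.asset) * self.likelihood, 3)

    def residual_risk(self):
        """Risk that remains after the controls already in place."""
        if not 0.0 <= self.controlled <= 1.0:
            raise ValueError(f"{self.label}: controlled fraction must be 0..1")
        return round(self.risk_rating() * (1.0 - self.controlled), 3)


def ranked_worksheet(exposures):
    """Ranked vulnerability risk worksheet rows, highest risk-rating factor first."""
    rows = [{
        "id": e.label, "asset": e.asset.name, "impact": weighted_factor(e.asset),
        "vulnerability": e.vulnerability, "likelihood": e.likelihood,
        "risk_rating": e.risk_rating(), "residual_risk": e.residual_risk(),
    } for e in exposures]
    return sorted(rows, key=lambda r: r["risk_rating"], reverse=True)


# Constructed sample data
CUSTOMER_DB = Asset("Customer DB", {"critical": 1.0, "revenue": 0.8, "replace": 0.6, "liability": 1.0})
WEBSITE = Asset("Public website", {"critical": 0.7, "revenue": 1.0, "replace": 0.4, "liability": 0.4})
WIKI = Asset("Internal wiki", {"critical": 0.3, "revenue": 0.1, "replace": 0.2, "liability": 0.5})
ASSETS = [WIKI, WEBSITE, CUSTOMER_DB]

EXPOSURES = [
    Exposure("T1V1A1", "Credential phishing", "No MFA on admin portal", CUSTOMER_DB, 0.8),
    Exposure("T2V1A1", "Insider misuse", "No MFA on admin portal", CUSTOMER_DB, 0.3),
    Exposure("T1V2A2", "DDoS", "No rate limiting or CDN", WEBSITE, 0.9),
    Exposure("T3V3A3", "Ransomware", "Unpatched wiki server", WIKI, 0.6, controlled=0.4),
]

if __name__ == "__main__":
    for a in prioritize_assets(ASSETS):
        print(f"{a.name:15s} impact={weighted_factor(a):.3f}")
    for r in ranked_worksheet(EXPOSURES):
        print(f"{r['id']} {r['asset']:15s} {r['vulnerability']:24s} "
              f"L={r['likelihood']:.1f} rating={r['risk_rating']:.3f} residual={r['residual_risk']:.3f}")
```

Two things the numbers make visible that the slides only state: the same vulnerability (no MFA) appears twice with different ratings because likelihood belongs to the threat-vulnerability pair, not to the vulnerability alone, and the worksheet is ordered by the raw risk-rating factor while the residual column is what the "identify possible controls" step actually works from.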
Risk Control Strategies

• Once the ranked vulnerability risk worksheet is complete, one of five strategies must be chosen to control each risk:
  • Defend
  • Transfer
  • Mitigate
  • Accept
  • Terminate
Defend
• Attempts to prevent exploitation of the vulnerability
• The preferred approach
• Accomplished through countering threats, removing asset vulnerabilities, limiting asset access, and adding protective safeguards
• Three common methods of risk avoidance:
  • Application of policy
  • Training and education
  • Applying technology
Transfer

• A control approach that attempts to shift risk to other assets, processes, or organizations
• If the organization lacks security management and administration expertise, it should hire individuals or firms that provide it
• The organization may then transfer the risk associated with managing complex systems to another organization experienced in dealing with those risks
Mitigate

Attempts to reduce the impact of vulnerability exploitation through planning and preparation.

The approach includes three types of plans:
• Incident response plan (IRP): defines the actions to take while an incident is in progress
• Disaster recovery plan (DRP): the most common mitigation procedure
• Business continuity plan (BCP): encompasses continuation of business activities if a catastrophic event occurs
Accept

Doing nothing to protect a vulnerability and accepting the outcome of its exploitation.

Valid only when the particular function, service, information, or asset does not justify the cost of protection.
Terminate

Directs the organization to avoid those business activities that introduce uncontrollable risks.

The organization may seek an alternate mechanism to meet customer needs.
Selecting a Risk Control Strategy
• The level of threat and the value of the asset play a major role in the selection of a strategy
• Rules of thumb on strategy selection can be applied:
  • When a vulnerability exists, implement assurance techniques to reduce the likelihood of the vulnerability being exercised.
  • When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence.
  • When the attacker's cost is less than his or her potential gain, apply protections to increase the attacker's cost.
  • When the potential loss is substantial, apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
Thank You
