Lecture 4 - Security Risk Assessment

The document outlines the process of conducting a Security Risk Assessment, defining risk, its components, and common challenges. It details a systematic approach to identify, assess, and mitigate security risks, illustrated through a case study in a healthcare organization. The assessment employs both qualitative and quantitative methods to prioritize risks and implement effective controls.

Security Risk Assessment

Dr. Nada Hany Sherief

Agenda
• What is Risk?
• Examples of Risks
• What is Security Risk Assessment?
• Common Challenges
• How does security risk assessment work?
• Case Study: Security Risk Assessment for a Healthcare Organization
• Quantitative vs Qualitative Risk Assessment
What is a Risk?
• Definition: A potential threat that could exploit a vulnerability and result in a negative consequence.
• Components:
  • Threat: A potential danger or harm.
  • Vulnerability: A weakness or flaw that can be exploited.
  • Impact: The potential consequences of a successful attack.
Examples of Risks:
• Data breaches: Unauthorized access to sensitive data, leading to identity theft, financial loss, or reputational damage.
• Cyberattacks: Malicious attacks on systems and networks, such as ransomware, phishing, or denial-of-service (DoS) attacks.
• Natural disasters: Events like earthquakes, floods, or fires that can disrupt operations and damage infrastructure.
• Human error: Mistakes made by employees that can lead to security incidents.
• Supply chain attacks: Compromises of third-party vendors or suppliers that can affect an organization's security.
• Regulatory non-compliance: Failure to comply with relevant security regulations or standards.
• Insider threats: Malicious actions by employees or insiders with authorized access.
What is Security Risk Assessment?

• Definition: A systematic process to identify, analyze, and evaluate potential threats and vulnerabilities to an organization's security.
• Purpose: To understand the likelihood and impact of security incidents and to prioritize mitigation efforts.
Security Risk Assessment
• To get started with IT security risk assessment, you need to answer three important questions:
  • What are your organization’s critical information technology assets — that is, the data whose exposure would have a major impact on your business operations?
  • What are the top five business processes that utilize or require this information?
  • What threats could affect the ability of those business functions to operate?
Security Risk Assessment
• Before you spend a dollar of your budget or an hour of your time implementing a solution to reduce risk, you should be able to answer the following questions:
  • What is the risk you are reducing?
  • Is it the highest priority security risk?
  • Are you reducing it in the most cost-effective way?

Example
• For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system.
• If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk is high.
• However, if you have good perimeter defenses and your vulnerability is low, then even though the asset is still critical, your risk will be medium.

Qualitative Risk Analysis

Common Challenges in Security Risk Assessment

• Lack of data: Insufficient data to accurately assess risks.
• Subjectivity: The assessment process can be subjective and influenced by personal biases.
• Complexity: Modern systems and networks can be complex, making it difficult to identify all potential threats and vulnerabilities.
• Evolving threats: New threats and vulnerabilities emerge constantly, making it challenging to keep assessments up-to-date.
The 4 Steps of a Successful Security Risk Assessment Model

The 4 Steps of a Successful Security Risk Assessment Model
1. Identification.
   1. Determine all critical assets of the technology infrastructure.
   2. Diagnose sensitive data that is created, stored, or transmitted by these assets.
   3. Create a risk profile for each.
2. Assessment.
   1. Administer an approach to assess the identified security risks for critical assets.
   2. Determine how to effectively and efficiently allocate time and resources towards risk mitigation.
   3. The assessment approach or methodology must analyze the correlation between assets, threats, vulnerabilities, and mitigating controls.
3. Mitigation.
   1. Define a mitigation approach.
   2. Enforce security controls for each risk.
4. Prevention. Implement tools and processes to minimize threats and vulnerabilities from occurring in your firm’s resources.
Continuous Assessment
• It’s important to understand that a security risk assessment isn’t a one-time security project. Rather, it’s a continuous activity that should be conducted at least once every year.
• Continuous assessment provides an organization with a current and up-to-date snapshot of threats and risks to which it is exposed.

Case Study: Security Risk Assessment for a Healthcare Organization

Step 1 - Identification
• Critical Assets:
  • Electronic health records (EHR) system
  • Patient data servers
  • Medical devices (e.g., MRI machines, X-ray machines)
  • Cloud-based services
  • Healthcare network infrastructure
  • Mobile devices used by healthcare staff
• Sensitive Data:
  • Patient personal information (name, address, social security number)
  • Medical history
  • Treatment plans
  • Insurance information
  • Financial data
  • Protected Health Information (PHI) as defined by HIPAA
Step 2 – Assessment (1)
• Risk Assessment Methodology: A hybrid approach combining quantitative and qualitative methods can be used.
• Risk Factors:
  • 1. Compliance Risks:
    • Threat: Non-compliance with HIPAA regulations
    • Vulnerability: Lack of awareness of HIPAA requirements, inadequate security measures, or failure to conduct regular audits
    • Impact: Fines, penalties, reputational damage, and legal liabilities
• Risk Prioritization: Risks can be prioritized based on likelihood and impact.
Step 2 – Assessment (2)
• Risk Assessment Methodology: A hybrid approach combining quantitative and qualitative methods was used.
• Risk Factors:
  • 2. Data Breaches:
    • Threat: Unauthorized access to patient data
    • Vulnerability: Weak passwords, phishing attacks, social engineering, unpatched vulnerabilities
    • Impact: Identity theft, financial loss, reputational damage, legal liabilities, and disruption of healthcare services
• Risk Prioritization: Risks can be prioritized based on likelihood and impact.
Step 2 – Assessment (3)

• Risk Assessment Methodology: A hybrid approach combining quantitative and qualitative methods was used.
• Risk Factors:
  • 3. System Failures:
    • Threat: Hardware or software failures
    • Vulnerability: Aging equipment, outdated software, lack of redundancy
    • Impact: Disruption of healthcare services, loss of data, financial loss
• Risk Prioritization: Risks can be prioritized based on likelihood and impact.
Step 3 – Mitigation
• Security Controls:
  • Access controls: Implement strong access controls to restrict access to patient data based on roles and permissions.
  • Encryption: Encrypt patient data at rest and in transit to protect it from unauthorized access.
  • Network security: Implement firewalls, intrusion detection systems, and other network security measures.
  • Data backup and recovery: Have a plan in place to back up patient data and restore it in case of a data breach or system failure.
  • Incident response: Develop and test an incident response plan to address security incidents effectively.
• Resource Allocation: Allocate resources to address high-priority risks, such as investing in advanced security technologies and training staff.
Step 4 - Prevention
• Security awareness training: Provide ongoing security awareness training to all employees to educate them about the importance of data security and their responsibilities.
• Vendor management: Ensure that third-party vendors comply with security standards and have appropriate safeguards in place.
• Continuous monitoring: Implement continuous monitoring of network traffic and system activity to detect and respond to threats.
• Compliance audits: Conduct regular audits to ensure compliance with HIPAA and other relevant regulations.
Quantitative vs. Qualitative Risk Assessment

Qualitative Risk Assessment

• Definition: A subjective method that relies on expert judgment and opinion to assess risks.
• Characteristics:
  • Faster and less expensive to conduct.
  • More flexible and adaptable to changing circumstances.
  • Can be challenging to quantify risks accurately.
  • May be influenced by personal biases.
Quantitative Risk Assessment

• Definition: A numerical method that assigns specific values to risks based on their likelihood and impact.
• Characteristics:
  • Provides more precise and objective results.
  • Can be more time-consuming and expensive to conduct.
  • Requires accurate data and assumptions.
  • May be difficult to assign numerical values to intangible risks.
Quantitative Risk Assessment Procedure
Step #1: Identify Asset Value
• The first step is to inventory all your tangible and intangible assets.
• Then you assign a value to each asset.
• The value of an easily replaceable asset, for example a file cabinet, may be much lower than the value of the data stored in that file cabinet, which may cost a lot more to replace.

Step #2: Calculate the Exposure Factor
• The exposure factor or EF can be subjective, and it's notated as a percentage of loss.
• For example, your publicly exposed server was taken down by a denial-of-service attack. What percentage of operations did you lose?
• That percentage is the exposure factor.
• Exposure factor looks at each individual asset for a single realized risk, and it will generally be low for a replaceable asset.
Step #3: Calculate the Single Loss Expectancy
• Single loss expectancy or SLE is calculated by multiplying your asset value by that asset's exposure factor.
• SLE will help you better prioritize your assets.
• We're identifying how much money we will lose each time a specific threat is realized against a specific asset.
Step #4: Identify the Annualized Rate of Occurrence
• We identify how often a specific threat against a specific asset comes to life.
• For example, if your datacenter is in Florida, how often will a hurricane be a possibility?
• Would moving the data center to Kansas City result in lower risk from hurricanes and increase another risk?
• For example, if a hurricane impacts your data center five times a year, your ARO, annualized rate of occurrence, is five.
Step #5: Calculate the Annualized Loss Expectancy
• This will help us understand, on an annual basis, how much of a loss we can expect for a specific asset.
• This value is the multiplication of a single loss expectancy, or SLE, with an annualized rate of occurrence, ARO.
• The ALE, annualized loss expectancy, helps us with the prioritization of security and contingency efforts.
• Because now we know how much we will lose on an asset on an annualized basis: the loss per occurrence times how often the risk occurs per year.
Step #6: Cost Benefit Analysis of Countermeasures
• You begin this step by calculating how much each safeguard or countermeasure will cost.
• This could be: how much will an antivirus solution cost? How much will it cost for us to have an in-house security team?
• Then you subtract this cost from the annualized loss expectancy it saves (the ALE before the countermeasure minus the ALE after it).
• If the result of the calculation is negative, then it is not financially reasonable for us to implement the countermeasure.
• On the other hand, a positive result is the calculation of how much the organization can possibly save by implementing a countermeasure to prevent a specific threat from affecting a specific asset.
Example 1
• Step #1: Identify Asset Value (what is the asset worth)
  • Imagine a web server has an asset value of $200,000.
• Step #2: Calculate the Exposure Factor (how much of the asset is lost)
  • If we were to have a specific threat realized against this web server, let's say a denial-of-service attack or a malicious admin, we'll lose about 10 percent of its value.
  • That loss of value to a specific threat is the exposure factor.
• Step #3: Calculate the Single Loss Expectancy (how much money we lose)
  • Each time this occurs, one threat being realized against our web server, we’ll lose about $20,000.
  • That is the $200,000 asset value multiplied by the 10 percent exposure factor.
Example 1 Cont’d
• Step #4: Identify the Annualized Rate of Occurrence (how many times it happens)
  • Now let's imagine that this threat is realized once a year.
  • Maybe an attack on your website on the busiest day of the business.
  • The ARO, or annualized rate of occurrence, is one.
• Step #5: Calculate the Annualized Loss Expectancy
  • The annualized loss expectancy is the product of your SLE, single loss expectancy, and ARO, your annualized rate of occurrence, which comes to $20,000 per year.
  • This is the value you expect to lose each year.

Example 1 Cont’d
• Step #6: Cost Benefit Analysis of Countermeasures
  • We calculate how much it will cost us to implement a countermeasure for this specific threat against this specific asset.
  • Our pre-countermeasure annualized loss expectancy, or ALE, is $20,000.
  • If we put countermeasures in place, that will go down to $10,000. Instead of losing $20,000 per year, we'll lose about $10,000.
  • Imagine the cost of that countermeasure was $5,000.
  • Subtracting the $5,000 cost from the $10,000 reduction in ALE, we come back with $5,000 in benefit; it's a positive number.
  • The benefit of this countermeasure will be about $5,000 per year in savings if the threat against this asset comes to fruition.
  • If the value were negative, we would still have the benefit of understanding the risks that exist for our organization.
Example 2
Case Study
• A healthcare organization is conducting a security risk assessment for its electronic health records (EHR) system.
• They identify the EHR system as a critical asset with a value of $1 million.
Solution
• Step 1: Identify Asset Value
  • Asset: EHR system
  • Value: $1 million
Example 2 Cont’d
Case Study
• They assess the risk of a data breach due to weak passwords and determine that the exposure factor is 50%, meaning that a breach could result in the loss of half the asset's value.
Solution
• Step 2: Calculate Exposure Factor
  • Exposure Factor: 50% (assuming a data breach could result in the loss of 50% of the asset's value)
• Step 3: Calculate Single Loss Expectancy (SLE)
  • SLE: $1 million * 50% = $500,000
Example 2 Cont’d
Case Study
• By analyzing historical data and industry trends, they estimate that a data breach is likely to occur once every five years, making the Annualized Rate of Occurrence (ARO) 0.2.
Solution
• Step 4: Identify Annualized Rate of Occurrence (ARO)
  • ARO: 0.2 (assuming a data breach is expected to occur once every five years)
• Step 5: Calculate Annualized Loss Expectancy (ALE)
  • ALE: $500,000 * 0.2 = $100,000
Example 2 Cont’d
Case Study
• To mitigate this risk, the organization considers implementing a new intrusion detection system. They estimate the cost of the system to be $20,000.
• By implementing the system, they believe they can reduce the ARO to 0.1, meaning a data breach is now expected to occur once every ten years.
Solution
• Cost-Benefit Analysis
  • Countermeasure: Implement a new intrusion detection system
  • Cost: $20,000
  • Post-countermeasure ALE: $50,000 (assuming the countermeasure reduces the ARO to 0.1)
Example 2 Cont’d
Solution
• Conducting a cost-benefit analysis, the organization calculates that the expected annual loss due to data breaches before implementing the countermeasure is $100,000 ($500,000 * 0.2).
• After implementing the countermeasure, the expected annual loss is reduced to $50,000 ($500,000 * 0.1).
• Net Benefit: $100,000 - $20,000 - $50,000 = $30,000
• This indicates that the investment in the countermeasure is worthwhile, as it can significantly reduce the risk of data breaches and the associated financial losses.
Example 2 Conclusion
• This means that the organization can expect to save $30,000 per year by implementing the intrusion detection system.
• This positive net benefit indicates that the investment in the countermeasure is worthwhile and can provide a significant return on investment.

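The six-step quantitative procedure (Steps #1 to #6) and Examples 1 and 2 reduce to three formulas: SLE = AV × EF, ALE = SLE × ARO, and net benefit = ALE before − ALE after − countermeasure cost. As an added example that is not part of the lecture, this Python module implements them and reproduces both examples' figures from constructed inputs. The asset values, EF and ARO figures are the deck's; modelling the intrusion detection system as halving the ARO and feeding Example 1's post-countermeasure ALE in directly are my assumptions, as is the input validation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One specific threat against one specific asset, in the lecture's terms."""
    asset: str
    asset_value: float      # AV: what the asset is worth, in dollars (Step #1)
    exposure_factor: float  # EF: fraction of AV lost per realized threat (Step #2)
    aro: float              # ARO: realized occurrences per year (Step #4)

    def __post_init__(self) -> None:
        # Assumed sanity checks: EF is a percentage of loss, rates are non-negative.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor is a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Step #3: single loss expectancy, AV x EF (loss per realized threat)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step #5: annualized loss expectancy, SLE x ARO (expected loss per year)."""
        return self.sle() * self.aro


def net_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Step #6: (ALE before - ALE after) - countermeasure cost.
    Positive means the countermeasure saves money; negative means it is not
    financially reasonable, although the assessment itself remains useful."""
    return ale_before - ale_after - annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest ALE first: this is how ALE drives security and contingency priorities."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed inputs reproducing Example 1 (web server) and Example 2 (EHR system).
WEB_SERVER = Risk("web server", 200_000, 0.10, 1.0)
EHR_BEFORE = Risk("EHR system", 1_000_000, 0.50, 0.2)
EHR_AFTER = Risk("EHR system", 1_000_000, 0.50, 0.1)  # assumed: the IDS halves the ARO

if __name__ == "__main__":
    for r in prioritize([WEB_SERVER, EHR_BEFORE]):
        print(f"{r.asset}: SLE=${r.sle():,.0f} ALE=${r.ale():,.0f}")
    # Example 1 states the post-countermeasure ALE ($10,000) directly, so pass it in.
    print("Example 1 net benefit:", net_benefit(WEB_SERVER.ale(), 10_000, 5_000))
    print("Example 2 net benefit:", net_benefit(EHR_BEFORE.ale(), EHR_AFTER.ale(), 20_000))
```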
Questions?
Thank you ☺