1.3 Risk Management

Question 1

Terminology: threat, vulnerability, likelihood/impact, countermeasures, gap analysis

Answer 1

• Threat: Anything that has the capacity to carry out malicious activity on things we want to protect
• Vulnerability: Anything that allows the threat to execute its attack – ones you have a threat and vulnerability then you must determine the risk by looking at the likelihood and impact
• Likelihood and impact: How likely is it to happen and how much impact will it have? Likelihood constantly changes as tools evolve and become available on the internet – so you must monitor the world for events that changes the threat profile. You have to do things like purchase threat feeds to monitor new tools that are becoming available. For impact, most companies look at the monetary aspect, but that depends on the organization - a hospital may look at impacts to operations, and therefore, the lose of life.
• Countermeasures/safeguard: These are measures that we take to mitigate the vulnerability from being exploited – they may be policies, procedures, and technical measures.
• Gap analysis: How you identify and close the gap between the risk and the existing countermeasures in the most efficient and cost-effective ways possible
  o The process is complex
  o You first identify the gap between the level of risk and countermeasure
  o What part of the risk does your countermeasure not address
  o Once you know that gap, you go about closing the gap in the most cost effective way possible
   New and improved countermeasures
   Deciding which are the best approach
   Comparing and selecting vendor products
   Negotiating contract, price, and licensing
   Implementing the selected countermeasures
   Performing metric measurements to determine fi the countermeasures are as effective as you hoped

Question 2

Risk management cycle, asset identification, asset valuation, threat analysis, vulnerability analysis, likelihood, impact, gap analysis, countermeasure identification

Answer 2

• Asset identification: what are you trying to protect – what is the most valuable assets you want to protect both tangible (laptops) and non-tangible (reputation… etc, more difficult to quantify)
• Asset valuation: How much do you value the asset – every dollar you spend on an asset devalues the asset (if something costs a million dollars and you spend a million dollars to protect it, then the asset is worth nothing)
• Threat analysis: What are the threats and dangers to the assets?
• Vulnerability analysis: Which one of those threats can cause problems?
• Likelihood: How likely are those threats to happen? This changes overtime
• Impact: If/when they do happen, how bad will it be?
• Gap analysis: Is there a gap between the problem and our protections? If so, how do we close the gap in the most efficient and most cost-effective way possible?
• Countermeasure identification: How can we most effectively close the gap?

Question 3

Prudent person rule

Answer 3

• Legal requirements for an organization (the senior manager in particular) are imposed to protect the assets of that organization and maintain it as a viable entity.
• Prudent person rule: there are legal obligations to ask whether the organization acted as a prudent person in protecting an asset
  o Due diligence: did they implement best practices considered prudent
  o Due care: actions that a reasonable person would exercise to protect assets
• Can a senior manager convince a judge that they followed the prudent person rule?

Question 4

Quantitate risk management

Answer 4

• Quantitative deals with the quantity of dollars
  o A number of calculations are necessary to determine the appropriate expenditures for countermeasures.
  o Asset value – self-explanatory for physical assets but harder for intangibles like reputation, how do we value that? Remember that every dollar you spend to protect an asset devalues it by that amount
  o Exposure factor: The percentage of the asset value lost if a particular risk is realized. How much would you lose if the bad thing happened?
  o Single Loss Expectancy: How much will it cost each time the threat happens? If you take the asset value times the exposure factor you have the single loss expectancy. E.g., 500,000 (AV) x 10% (EF) = 50,000 (SLE)
  o Annual rate of occurrence: How often do you expect a threat to occur? 2.0 twice a year, 1.0 once a year, 0.5 every other year, 0.2 every 5 years, 0.1 every 10 years, 0.05 every 20 years. Of course you can’t predict the future but you can make the best informed decision possible.
  o Annual loss expectancy: this is the number we have been working towards. It is the single expectancy annualized. You calculate it by taking the SLE and times the ARO. You could show that if something is going to cost you 10k a year you can justify spending up to that amount to prevent the loss.

Question 5

Qualitative risk management (picture in page 6)

Answer 5

o Qualitative approach places risk into severity scales, instead of a million dollar threat, you have a level 10 threat.
o Delphi method: Interactive forecasting methodology relying SMEs who use a numeric scale to rate the likelihood and severity of each threat. This process can continue more than one round until the goal of consensus is reached.
o This is for prioritization – we want to focus on threats with higher numbers

• Combined risk assessment process: quantitative lends itself to easier communication with management, easier to say we have a million dollar problem than a level 9 severity.
• Qualitative is more difficult to communicate but it has an element of precognition (predicting the future) when you try to estimate the likelihood, rate of occurrence, and impact, with a team of SMEs you can get these estimates fairly close to reality. Qualitative also has fewer complex calculations but remember that it relies on the quality of the SMEs
• You should leverage both, use qualitative to identify the top threats, prioritize those threats then apply quantitative to monetize those concerns.

Question 6

Control/countermeasures/safeguards

Answer 6

• Part of the risk management process is determining the lowering the risk to the organization. There are control areas and control types.
• Control areas are:
  o Administrative controls – policy procedure, standards, guidelines, and compliance, awareness training
  o Technical controls – firewalls, AV, encryption
  o Physical controls – guns, gates, locks, fences, CCTV, heating, HVAC – limiting physical access
• Control types:
  o Prevent: authentication, firewalls
  o Detective: logging/auditing, IDS
  o Response: Incident response plans, backup/recovery capability

Question 7

Risk strategies

Answer 7

• We have looked at identifying our level of risk, now let’s look at the possible management decisions regarding that risk. They may decide to do the following:
  o Risk mitigation: you need to implement countermeasures to mitigate the level of risk
  o Risk avoidance: stop the activity that causes the risk – windows has viruses, let’s use Mac
  o Risk deterrence: we will detect wrongdoing and take swift, decisive, and harsh action – firing employees for inappropriate use of systems/resources
  o Risk acceptance: You mitigate, avoid, and deter as much as possible, but there is some residual risk left over – some risks cannot be mitigated at any cost – risk/reward eventually it gets to the point where spending more doesn’t make sense
  o Risk transference: take the residual risk and transfer it to an insurance company – cyber insurance
  o Risk ignorance: Management in small companies don’t believe they are big enough to attract attention, however, for that reason they are targeted more – this method is NOT allowed