RISK MITIGATION AND THREAT IDENTIFICATION
Introduction
Information security in a modern organization exists primarily to manage information technology
(IT) risk. Managing risk is one of the key responsibilities of every manager within an
organization. In any well-developed risk management program, two formal processes are at
work. The first, risk identification and assessment, is discussed in this chapter; the second,
risk control, is the subject of the next chapter.
Each manager in the organization, regardless of his or her affiliation with one of the three
communities of interest, should focus on reducing risk as follows:
● General management must structure the IT and information security functions in ways
that will result in the successful defense of the organization’s information assets,
including data, hardware, software, procedures, and people.
● IT management must serve the information technology needs of the broader organization
and at the same time exploit the special skills and insights of the information
security community.
● Information security management must lead the way with skill, professionalism, and
flexibility as it works with the other communities of interest to balance the constant
trade-offs between information system utility and security.
Risk Management
If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you
will succumb in every battle.1
Accountability for Risk Management
All three communities of interest bear responsibility for the management of risks, and each
has a particular strategic role to play.
● Information security: Because members of the information security community best
understand the threats and attacks that introduce risk, they often take a leadership
role in addressing risk.
● Information technology: This group must help to build secure systems and ensure their
safe operation. For example, IT builds and operates information systems that are mindful
of operational risks and have proper controls implemented to reduce risk.
● Management and users: When properly trained and kept aware of the threats faced by
the organization, this group plays a part in the early detection and response process.
Members of this community also ensure that sufficient resources (money and personnel)
are allocated to the information security and information technology groups to
meet the security needs of the organization. For example, business managers must
ensure that supporting records for orders remain intact in case of data entry error
or transaction corruption. Users must be made aware of threats to data and systems,
and educated on practices that minimize those threats.
All three communities of interest must work together to address every level of risk, ranging
from full-scale disasters (whether natural or human-made) to the smallest mistake made by
an employee. To do so, they must be actively involved in the following activities:
● Evaluating the risk controls
● Determining which control options are cost effective
● Acquiring or installing the appropriate controls
● Overseeing processes to ensure that the controls remain effective
● Identifying risks, which includes:
  ● Creating an inventory of information assets
  ● Classifying and organizing those assets into meaningful groups
  ● Assigning a value to each information asset
  ● Identifying threats to the cataloged assets
  ● Pinpointing vulnerable assets by tying specific threats to specific assets
● Assessing risks, which includes:
  ● Determining the likelihood that vulnerable systems will be attacked by specific threats
  ● Assessing the relative risk facing the organization’s information assets, so that risk
management and control activities can focus on assets that require the most urgent
and immediate attention
  ● Calculating the risks to which assets are exposed in their current setting
  ● Looking in a general way at controls that might come into play for identified
vulnerabilities and ways to control the risks that the assets face
  ● Documenting the findings of risk identification and assessment
● Summarizing the findings, which involves stating the conclusions of the analysis stage
of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk
Risk Identification
Risk identification begins with the process of self-examination. At this stage, managers identify
the organization’s information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. This can be a daunting task, but it must be done
to identify weaknesses and the threats they present.
Creating an Inventory of Information Assets
The risk identification process begins with the identification of information assets, including
people, procedures, data, software, hardware, and networking elements. This step should be
done without prejudging the value of each asset; values will be assigned later in the process.
[Table: standard IT system components (people, procedures, data, software, hardware,
and networks) alongside a risk management breakdown of those components.] More specifically:
● People are divided into insiders (employees) and outsiders (nonemployees). Insiders
come in two categories: either they hold trusted roles and have correspondingly
greater authority and accountability, or they are regular staff without any special
privileges. The group of outsiders consists of other users who have access to the
organization’s information assets.
● Procedures are assets since they are used to create value for the organization. They are
split into two categories: IT and business standard procedures, and IT and business
sensitive procedures. Sensitive procedures have the potential to enable an attack or to
otherwise introduce risk to the organization. For example, the procedures used by a
telecommunications company to activate new circuits pose special risks because they
reveal aspects of the inner workings of a critical process that can be subverted by
outsiders for the purpose of obtaining unbilled, illicit services.
● Data components account for information in all states: transmission, processing, and storage.
These categories expand the conventional use of the term data, which is usually associated
with databases, not the full range of information used by modern organizations.
● Software elements can be inventoried in one of three categories: applications, operating
systems, or security components. Software components that provide security controls
may fall into the operating systems or applications category, but are differentiated by
the fact that they are part of the information security control environment and must be
protected more thoroughly than other systems components.
● Hardware is split into two categories: the usual systems devices and their peripherals,
and the devices that are part of information security control systems. The latter must
be protected more thoroughly than the former.
● Networking components are extracted from software and hardware because networking
subsystems are often the focal point of attacks against a system. Of course, most
computer systems today include networking elements. You will have to determine
whether a device is primarily a computer or primarily a networking device. A server
computer that is used exclusively as a proxy server or bastion host may be classified
as a networking component, while an identical server configured as a database server
may be classified as hardware. For this reason, they should be considered separately,
rather than combined with general hardware and software components.
Identifying Hardware, Software, and Network Assets Many organizations
use purchased asset inventory systems to keep track of their hardware, network, and perhaps
software components. Numerous packages are available in the market today, and it is up to the
CISO or CIO to determine which package best serves the needs of the organization. Organizations
that do not use an automated inventory system must create an equivalent manual process.
Whether automated or manual, the inventory process requires a certain amount of planning.
Most importantly, you must determine which attributes of each of these information assets
should be tracked. That determination will depend on the needs of the organization and its
risk management efforts, as well as the preferences and needs of the information security
and information technology communities. When deciding which attributes to track for each
information asset, consider the following list of potential attributes:
● Name: A list of all names commonly used for the device or program; some organizations
may have several names for the same product, and each of them should be
cross-referenced in the inventory. This redundancy accommodates the usage across the
organization and makes it accessible for everyone. No matter how many names you
track or how you select a name, always provide a definition of the asset in question.
Adopt naming standards that do not convey critical information to potential system
attackers. For instance, a server named CASH1 or HQ_FINANCE may entice attackers.
● Asset Tag: Used to facilitate tracking of assets; asset tags are unique numbers assigned
to assets during the acquisition process.
● IP address: An attribute that is useful for network devices and servers but rarely
applies to software; you can, however, use a relational database and track software
instances on specific servers or networking devices. Many larger organizations use the
Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers
to devices as needed, making the use of IP numbers as part of the asset identification
process very difficult.
● MAC address: Also called an electronic serial number or hardware address; as
per the TCP/IP standard, all network interface hardware devices have a unique
number. The network operating system uses this number to identify specific network
devices. The client’s network software uses it to recognize traffic that it needs to
process. In most settings, MAC addresses can be a useful way to track connectivity,
but they can be spoofed by some hardware/software combinations.
● Asset type: An attribute that describes the function of each asset; for hardware assets,
develop a list of possible asset types that includes servers, desktops, networking
devices, and test equipment. For software assets, develop a list that includes operating
systems, custom applications by type (accounting, human resources, or payroll, to
name a few), and packaged applications and/or specialty applications (such as firewall
programs). The degree of specificity is determined by the needs of the organization.
Asset types can be recorded at two or more levels of specificity by first recording one
attribute that classifies the asset at a high level, and then adding attributes for more
detail. For example, one server might be listed as follows:
DeviceClass = S (server)
DeviceOS = W2K (Windows 2000)
DeviceCapacity = AS (Advanced Server)
● Serial number: A number that uniquely identifies a specific device; some software
vendors also assign a software serial number to each instance of the program licensed
by the organization.
● Manufacturer name: An attribute that can be useful for analyzing threat outbreaks
when certain manufacturers announce specific vulnerabilities.
● Manufacturer’s model or part number: A number that identifies exactly what the asset
is; it can be very useful in later analysis of vulnerabilities, because some threats apply
only to specific models of certain devices and/or software components.
● Software version, update revision, or FCO number: Current information about
software and firmware versions and, for hardware devices, the current field change
order (FCO) number; a field change order occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. Tracking this
information is particularly important when inventorying networking devices that
function mainly through the software running on them. For example, firewall
devices often have three versions: an operating system version, a software version,
and a Basic Input/Output System (BIOS) firmware version. Depending on an organization’s
needs, the inventory may have to track each of those version values for
each asset.
● Physical location: An attribute that does not apply to software elements; nevertheless,
some organizations may have license terms that indicate where software can be used.
● Logical location: An attribute that specifies where an asset can be found on the organization’s
network; the logical location is most applicable to networking devices and
indicates the logical network segment (sometimes labeled a VLAN) that houses the
device.
● Controlling entity: The organizational unit that controls the asset; a remote location’s
on-site staff may sometimes be placed in control of network devices; at other organizations,
a central corporate group may control all network devices. The inventory
should determine which group controls each specific asset, as the controlling group
will want a voice in determining how much risk that device can tolerate and how
much expense it can sustain to add controls.
Identifying People, Procedures, and Data Assets Unlike hardware and software,
human resources, documentation, and data information assets are not as readily identified
and documented. Responsibility for identifying, describing, and evaluating these information
assets should be assigned to managers who possess the necessary knowledge, experience, and
judgment. As these assets are identified, they should be recorded via a reliable data-handling
process like the one used for hardware and software.
The record-keeping system should be flexible, allowing you to link assets to attributes based
on the nature of the information asset being tracked. Some basic attributes for various classes
of assets are:
People
● Position name/number/ID: Avoid names; use position titles, roles, or functions
● Supervisor name/number/ID: Avoid names; use position titles, roles, or functions
● Security clearance level
● Special skills
Procedures
● Description
● Intended purpose
● Software/hardware/networking elements to which it is tied
● Location where it is stored for reference
● Location where it is stored for update purposes
Data
● Classification
● Owner/creator/manager
● Size of data structure
● Data structure used; for example, sequential or relational
● Online or offline
● Location
● Backup procedures
Consider carefully what should be tracked for specific assets. Often larger organizations find
that they can effectively track only a few valuable facts about the most critical information
assets. For instance, a company may track only IP address, server name, and device
type for its mission-critical servers. The organization might forgo additional attribute tracking
on all devices, and completely omit the tracking of desktop or laptop systems.
Classifying and Categorizing Assets
Once the initial inventory is assembled, you must determine whether its asset categories are
meaningful to the organization’s risk management program. Such a review may cause managers
to further subdivide the categories listed in Table 8-1 or to create new categories that
better meet the needs of the risk management program. For example, if the category Internet
components is deemed too general, it could be further divided into subcategories of servers,
networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and
cabling.
The inventory should also reflect the sensitivity and security priority assigned to each information
asset. A classification scheme should be developed (or reviewed, if already in place)
that categorizes these information assets based on their sensitivity and security needs. Consider
the following classification scheme for an information asset: confidential, internal, and
public. Each of these classification categories designates the level of protection needed for a
particular information asset. Some asset types, such as personnel, may require an alternative
classification scheme that would identify the information security processes used by the asset
type. For example, based on need-to-know and right-to-update, an employee might be given
a certain level of security clearance, which identifies the level of information that individual is
authorized to use. A more detailed discussion of classification schemes is provided later in
this chapter in the section entitled “Data Classification Model.”
Classification categories must be comprehensive and mutually exclusive. Comprehensive
means that all inventoried assets fit into a category; mutually exclusive means that each
asset is found in only one category. For example, an organization may have a public key
infrastructure certificate authority, which is a software application that provides cryptographic
key management services. Using a purely technical standard, a manager could categorize
the application in the asset list of Table 8-1 as software, a general grouping with no
special classification priority. Because the certificate authority must be carefully protected as
part of the information security infrastructure, it should be categorized into a higher priority
classification, such as software/security component/cryptography, and it should be verified
that no overlapping category exists, such as software/security component/PKI.
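The inventory attributes above (cross-referenced names, asset tag, a multi-level asset type, a naming standard that does not reveal a device's role) and the requirement that classification categories be comprehensive and mutually exclusive can both be checked mechanically. The following is an added example written for this section, not code from the textbook; every record, category path and forbidden-word list in it is constructed, and the certificate authority record deliberately reproduces the double-categorization problem described in the text.

```python
"""Added example (not from the textbook): a small information-asset inventory
that records the cross-referenced names, asset tag, multi-level asset type and
reviewer-assigned categories described above, plus two checks a risk manager
would want: that device names follow a naming standard that does not reveal
the asset's role, and that the classification scheme is comprehensive and
mutually exclusive. Every record, category name and word list is constructed."""
import re
from dataclasses import dataclass


# Constructed classification scheme: each category is a path from the general
# grouping down to the most specific class an asset can be placed in.
SCHEME = {
    "hardware/general device",
    "hardware/security component",
    "software/application",
    "software/operating system",
    "software/security component/cryptography",
    "networking/protection device",
    "data/confidential",
    "data/internal",
    "data/public",
}

# Constructed role words a naming standard might forbid in device names; a
# match means the name tells an outsider what the device is for.
REVEALING_WORDS = ("cash", "finance", "payroll", "hr")


@dataclass
class Asset:
    asset_tag: str             # unique number assigned at acquisition
    names: list                # every name in use; all are cross-referenced
    categories: set            # categories assigned by reviewers (should be one)
    device_class: str = ""     # high-level type, e.g. S (server)
    device_os: str = ""        # more detail, e.g. W2K
    device_capacity: str = ""  # more detail, e.g. AS (Advanced Server)


def name_reveals_role(name):
    """True if any token of the name starts with a forbidden role word."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return any(tok.startswith(w) for tok in tokens if tok for w in REVEALING_WORDS)


def find_by_name(assets, name):
    """Resolve any of an asset's names to its record (case-insensitive)."""
    wanted = name.lower()
    for asset in assets:
        if wanted in (n.lower() for n in asset.names):
            return asset
    return None


def scheme_violations(assets, scheme=SCHEME):
    """Return (asset_tag, problem) pairs.

    Comprehensive: every asset falls into a category the scheme knows.
    Mutually exclusive: no asset falls into more than one category.
    """
    problems = []
    for asset in assets:
        unknown = asset.categories - scheme
        if unknown:
            problems.append((asset.asset_tag, "unknown category: " + ", ".join(sorted(unknown))))
        if not asset.categories:
            problems.append((asset.asset_tag, "not comprehensive: no category assigned"))
        elif len(asset.categories) > 1:
            problems.append((asset.asset_tag, "not mutually exclusive: " + ", ".join(sorted(asset.categories))))
    return problems


# Constructed inventory records.
SAMPLE_ASSETS = [
    # The certificate authority case from the text: a reviewer left it under the
    # general "software/application" grouping as well as the security category.
    Asset("A-0001", ["srv-ops-17", "CA server"],
          {"software/application", "software/security component/cryptography"},
          "S", "W2K", "AS"),
    Asset("A-0002", ["rtr-dmz-01"], set(), "N"),
    Asset("A-0003", ["HQ_FINANCE", "db-acct-02"], {"software/security component/PKI"}),
    Asset("A-0004", ["fw-edge-01"], {"networking/protection device"}, "N"),
]


def audit(assets=SAMPLE_ASSETS):
    """One report combining scheme problems and names that reveal a role."""
    report = scheme_violations(assets)
    for asset in assets:
        for n in asset.names:
            if name_reveals_role(n):
                report.append((asset.asset_tag, f"name reveals role: {n}"))
    return report


if __name__ == "__main__":
    for tag, problem in audit():
        print(tag, problem)
```

Running the audit on the constructed records flags the certificate authority as not mutually exclusive, the uncategorized router as a gap in comprehensiveness, the asset placed under a category the scheme does not define (the PKI path from the text), and the HQ_FINANCE name as revealing the device's role.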
Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, a relative value must also
be assigned to it. Relative values are comparative judgments intended to ensure that the
most valuable information assets are given the highest priority when managing risk. It may
be impossible to know in advance—in absolute economic terms—what losses will be incurred
if an asset is compromised; however, a relative assessment helps to ensure that the higher-value
assets are protected first.
As each information asset is assigned to its proper category, posing the following basic questions
can help you develop the weighting criteria to be used for information asset valuation
or impact evaluation. It may be useful to refer to the information collected in the BIA process
(covered in Chapter 3) to help you assess a value for an asset. You can use a worksheet, such
as the one shown in Figure 8-2, to collect the answers for later analysis.
● Which information asset is the most critical to the success of the organization?
When determining the relative importance of each information asset, refer to the
organization’s mission statement or statement of objectives. From this source, determine
which assets are essential for meeting the organization’s objectives, which assets
support the objectives, and which are merely adjuncts. For example, a manufacturing
company that makes aircraft engines may decide that the process control systems that control the machine tools on the assembly line are the first order of importance.
While shipping and receiving data entry consoles are important to those functions,
they may be less critical if alternatives are available or can be easily arranged. Another
example is an online organization such as Amazon.com. The Web servers that
advertise the company’s products and receive its orders 24 hours a day are essential,
whereas the desktop systems used by the customer service department to answer
customer e-mails are less critical.
● Which information asset generates the most revenue? The relative value of an information
asset depends on how much revenue it generates—or, in the case of a nonprofit
organization, how critical it is to service delivery. Some organizations have different
systems in place for each line of business or service they offer. Which of these assets
plays the biggest role in generating revenue or delivering services?
● Which information asset generates the highest profitability? Managers should evaluate
how much profit depends on a particular asset. For instance, at Amazon.com, some
servers support the book sales operations, others support the auction process, and still
others support the customer book review database. Which of these servers contributes
the most to the profitability of the business? Although important, the review database
server does not directly generate profits. Note the distinction between revenues and
profits: Some systems on which revenues depend operate on thin or nonexistent margins
and do not generate profits. In nonprofit organizations, you can determine what
percentage of the agency’s clientele receives services from the information asset being
evaluated.
● Which information asset is the most expensive to replace? Sometimes an information
asset acquires special value because it is unique. If an enterprise still uses a Model-129
keypunch machine to create special punch-card entries for a critical batch run, for
example, that machine may be worth more than its cost, because spare parts or service
providers may no longer be available. Another example is a specialty device with
a long delivery time frame because of manufacturing or transportation requirements.
Organizations must control the risk of loss or damage to such unique assets—for
example, by buying and storing a backup device.
● Which information asset is the most expensive to protect? Some assets are by their
nature difficult to protect, and formulating a complete answer to this question may
not be possible until after the risk identification phase is complete, because the costs
of controls cannot be computed until the controls are identified. However, you can
still make a preliminary assessment of the relative difficulty of establishing controls
for each asset.
● Which information asset’s loss or compromise would be the most embarrassing or
cause the greatest liability? Almost every organization is aware of its image in the
local, national, and international spheres. Loss or exposure of some assets would
prove especially embarrassing. Microsoft’s image, for example, was tarnished when
an employee’s computer system became a victim of the QAZ Trojan horse, and the
latest version of Microsoft Office was stolen.2
You may also need to identify and add other institution-specific questions to the evaluation process.
Listing Assets in Order of Importance
The final step in the risk identification process is to list the assets in order of importance.
This goal can be achieved by using a weighted factor analysis worksheet similar to the one
shown in Table 8-2. In this process, each information asset is assigned a score for each critical
factor. Table 8-2 uses the NIST SP 800-30 recommended values of 0.1 to 1.0. (NIST SP
800-30, Risk Management for Information Technology Systems, is published by the National
Institute of Standards and Technology and is covered in detail in Chapter 9. Your organization
may choose to use another weighting system.) Each criterion has an assigned weight
showing its relative importance in the organization.
A quick review of Table 8-2 shows that the Customer order via SSL (inbound) data flow is
the most important asset on this worksheet, and that the EDI Document Set 2—Supplier fulfillment
advice (inbound) is the least critical asset.
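A weighted factor analysis worksheet is simple enough to carry out in code, which also makes it easy to catch the two mistakes that creep into spreadsheets: a score outside the 0.1 to 1.0 range and a criterion left unscored. The block below is an added example, not the textbook's Table 8-2: the three criteria, their weights and all of the scores are constructed, and only the two asset names the text mentions and the 0.1 to 1.0 range are taken from the page.

```python
"""Added example (not from the textbook): a weighted factor analysis worksheet
of the kind described above. The three criteria, their weights and every asset
score are constructed for illustration; only the 0.1 to 1.0 score range the
text attributes to NIST SP 800-30 and the two asset names from the text are
taken from the page."""

# Constructed criteria; the weights sum to 100 so the weighted score of one
# asset is directly comparable with another's.
CRITERIA = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

SCORE_LOW, SCORE_HIGH = 0.1, 1.0

# Constructed per-asset scores, one per criterion.
ASSET_SCORES = {
    "Customer order via SSL (inbound)": {
        "impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "EDI Document Set 1 (hypothetical outbound logistics feed)": {
        "impact on revenue": 0.7, "impact on profitability": 0.8, "impact on public image": 0.6},
    "EDI Document Set 2 - Supplier fulfillment advice (inbound)": {
        "impact on revenue": 0.4, "impact on profitability": 0.5, "impact on public image": 0.3},
    "Customer service request via e-mail (hypothetical)": {
        "impact on revenue": 0.4, "impact on profitability": 0.4, "impact on public image": 0.9},
}


def validate_scores(scores, criteria=CRITERIA):
    """Every criterion must be scored, and each score must lie in the allowed range."""
    missing = set(criteria) - set(scores)
    if missing:
        raise KeyError(f"missing scores for: {sorted(missing)}")
    for criterion, value in scores.items():
        if not SCORE_LOW <= value <= SCORE_HIGH:
            raise ValueError(f"{criterion}: {value} is outside [{SCORE_LOW}, {SCORE_HIGH}]")


def weighted_score(scores, criteria=CRITERIA):
    """Sum over criteria of (criterion weight x asset score), rounded to 2 places."""
    validate_scores(scores, criteria)
    return round(sum(criteria[c] * scores[c] for c in criteria), 2)


def rank_assets(asset_scores, criteria=CRITERIA):
    """Return (asset name, weighted score) pairs, most important asset first."""
    if sum(criteria.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    ranked = [(name, weighted_score(scores, criteria)) for name, scores in asset_scores.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(ASSET_SCORES):
        print(f"{score:6.1f}  {name}")
```

With these constructed scores the SSL order flow ranks first (75.0) and the supplier fulfillment advice last (41.0), matching the ordering the text reports for its own worksheet; changing the weights to reflect a different organization's priorities reorders the list without touching the per-asset scores.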
Threat Identification
As mentioned at the beginning of this chapter, the ultimate goal of risk identification is to
assess the circumstances and setting of each information asset to reveal any vulnerabilities.
Armed with a properly classified inventory, you can assess potential weaknesses in each
information asset—a process known as threat identification.
Any organization typically faces a wide variety of threats. If you assume that every threat can
and will attack every information asset, then the project scope becomes too complex. To
make the process less unwieldy, each step in the threat identification and vulnerability identification
processes is managed separately and then coordinated at the end. At every step the
manager is called on to exercise good judgment and draw on experience to make the process
function smoothly.
Identify and Prioritize Threats and Threat Agents Chapter 2 identified 12
categories of threats to information security, which are listed alphabetically in Table 8-3.
Each of these threats presents a unique challenge to information security and must be handled
with specific controls that directly address the particular threat and the threat agent’s
attack strategy. Before threats can be assessed in the risk identification process, however,
each threat must be further examined to determine its potential to affect the targeted information
asset. In general, this process is referred to as threat assessment. Posing the following
questions can help you understand the threat and its potential effects on an information
asset:
● Which threats present a danger to this organization’s information assets in its current
environment? Not all threats endanger every organization, of course. Examine each of
the categories in Table 8-3, and eliminate any that do not apply to your organization.
While it is unlikely that you can eliminate an entire category of threats, if you can, it
speeds the threat assessment process. The Offline feature entitled “Threats to Information
Security” describes the threats that some CIOs of major companies identified
for their organizations. Although the Offline feature directly addresses only information
security, note that a weighted ranking of threats should be compiled for any
information asset that is at risk. Once you have determined which threats apply to
your organization, identify particular examples of threats within each category, eliminating
those that are not relevant. For example, a company with offices on the 23rd
floor of a high-rise building in Denver, Colorado, might not be subject to flooding.
Similarly, a firm with an office in Oklahoma City, Oklahoma, might not be concerned
with landslides.
● Which threats represent the gravest danger to the organization’s information assets?
The amount of danger posed by a threat is sometimes difficult to assess. It may be
simply the probability of a threat attacking the organization, or it may reflect the
amount of damage that the threat could create or the frequency with which an attack
can occur. During this preliminary assessment phase, the analysis is limited to examining
the existing level of preparedness and improving the strategy of information
security. The results should give a quick overview of the components involved.
As you will discover in Chapter 9, you can use both quantitative and qualitative measures to
rank values. Since information in this case is preliminary, the organization may want to
rank threats subjectively in order of danger. Alternatively, it may simply rate each of the
threats on a scale of 1 to 5, with 1 designating insignificant threats and 5 designating highly
significant threats.
Frequency of Attacks Remarkably, detected attacks are decreasing. After a peak in
2000, the number of organizations reporting unauthorized use of computer systems has
been declining steadily, while the number reporting no unauthorized access has been increasing.
Unfortunately, the number of organizations reporting that they just do not know is
holding steady.3 The fact is, almost every company has experienced an attack. Whether that
attack was successful depends on the company’s security efforts; whether the perpetrators
were caught or the organization was willing to report the attack is another matter entirely.
● How much would it cost to recover from a successful attack? One of the calculations
that guides corporate spending on controls is the cost of recovery operations if an
attack occurs and is successful. At this preliminary phase, it is not necessary to conduct
a detailed assessment of the costs associated with recovering from a particular attack.
Instead, organizations often create a subjective ranking or listing of the threats based on
recovery cost. Alternatively, you could assign a rating for each threat on a scale of 1 to
5, with 1 representing “not expensive at all” and 5 representing “extremely expensive.”
If the information is available, a raw value (such as $5,000, $10,000, or $2 million) can
be assigned. In other words, the goal at this phase is to provide a rough assessment of
the cost to recover operations should the attack interrupt normal business operations.
● Which threats would require the greatest expenditure to prevent? Another factor that
affects the danger posed by a particular threat is the amount it would cost to protect
against that threat. Controlling some threats has a nominal cost, as in protections from
malicious code, while other protective strategies are very expensive, as in protections
from forces of nature. Here again the manager ranks, rates, or attempts to quantify the
level of danger associated with protecting against a particular threat by using the same
techniques outlined earlier for calculating recovery costs. Look at the Offline feature on
expenditure for threats to see how some top executives recently handled this issue.
This list of questions may not cover everything that affects risk identification. An organization’s
specific guidelines or policies should influence the process and will inevitably require
that some additional questions be answered.
Vulnerability Assessment Once you have identified the information assets of the
organization and documented some threat assessment criteria, you can begin to review every information asset for each threat. This review leads to the creation of a list of vulnerabilities
that remain potential risks to the organization. What are vulnerabilities? They are
specific avenues that threat agents can exploit to attack an information asset. In other
words, they are chinks in the asset’s armor—a flaw or weakness in an information asset,
security procedure, design, or control that can be exploited accidentally or on purpose to
breach security. For example, Table 8-4 analyzes the threats to and possible vulnerabilities
of a DMZ router.
A list like the one in Table 8-4 must be created for each information asset to document its
vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities
of the information asset. Some threats manifest themselves in multiple ways,
yielding multiple vulnerabilities for that asset–threat pair. Of necessity, the process of listing
vulnerabilities is somewhat subjective and is based on the experience and knowledge of the
people who create the list. Therefore, the process works best when groups of people with
diverse backgrounds work together in a series of brainstorming sessions. For instance, the
team that reviews the vulnerabilities for networking equipment should include networking
specialists, the systems management team that operates the network, information security
risk specialists, and even technically proficient users of the system.
The TVA Worksheet
At the end of the risk identification process, an organization should have a prioritized list of
assets and their vulnerabilities. This list serves as the starting point (with its supporting documentation
from the identification process) for the next step in the risk management process—
risk assessment. Another list prioritizes threats facing the organization based on the weighted
table discussed earlier. These two lists can be combined into a Threats-Vulnerabilities-Assets
(TVA) worksheet, in preparation for the addition of vulnerability and control information
during risk assessment. Along one axis lies the prioritized set of assets. Table 8-5 shows the
placement of assets along the horizontal axis, with the most important asset at the left. The
prioritized list of threats is placed along the vertical axis, with the most important or most
dangerous threat listed at the top. The resulting grid provides a convenient method of examining
the "exposure" of assets, allowing a simple first-pass vulnerability assessment. We now have a
starting point for our risk assessment, along with the other documents and forms.
As you begin the risk assessment process, create a list of the TVA “triples” to facilitate your
examination of the severity of the vulnerabilities. For example, between Threat 1 and Asset 1
there may or may not be a vulnerability. After all, not all threats pose risk to all assets. If a
pharmaceutical company’s most important asset is its research and development database,
and that database resides on a stand-alone network (that is, one that is not connected to the
Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and
A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these
vulnerabilities are identified, they are categorized as follows:
T1V1A1— Vulnerability 1 that exists between Threat 1 and Asset 1
T1V2A1— Vulnerability 2 that exists between Threat 1 and Asset 1
T2V1A1— Vulnerability 1 that exists between Threat 2 and Asset 1…
and so on.
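The grid and the triple labels described above can be built mechanically. The following Python is an added illustration, not part of the chapter; the assets, threats and vulnerabilities it uses are constructed sample data, and the (T1, A1) cell is deliberately left empty to mirror the stand-alone research database case, where the external-hacker threat has no avenue to the asset.

```python
# Added example: building a Threats-Vulnerabilities-Assets (TVA) worksheet
# and labelling the TnVmAk triples. All names below are constructed sample data.

# Prioritized assets (A1 most important, leftmost) and threats (T1 most dangerous, top).
ASSETS = ["R&D database", "Customer web server", "Employee workstations"]
THREATS = ["External hackers", "Malware", "Insider misuse"]

# Vulnerabilities found at (threat, asset) intersections, keyed by 1-based index.
# (1, 1) is absent on purpose: the R&D database sits on a stand-alone network,
# so the external-hacker threat has no vulnerability to pair with it.
FOUND = {
    (1, 2): ["Unpatched web framework", "Admin console reachable from the Internet"],
    (2, 1): ["Removable media permitted on lab hosts"],
    (2, 2): ["No egress filtering from the DMZ"],
    (2, 3): ["Local administrator rights for all users"],
    (3, 1): ["Shared service account with bulk-export rights"],
}


def build_tva(assets, threats, found):
    """Map every (t, a) cell to its list of (label, description) pairs.

    Cells with no vulnerability map to an empty list; those are the grid
    positions the assessment team crosses out.
    """
    grid = {}
    for t in range(1, len(threats) + 1):
        for a in range(1, len(assets) + 1):
            descriptions = found.get((t, a), [])
            grid[(t, a)] = [
                (f"T{t}V{v}A{a}", desc)
                for v, desc in enumerate(descriptions, start=1)
            ]
    return grid


def tva_triples(grid):
    """Flatten the grid into the ordered list of triple labels used in risk assessment."""
    return [label for cell in grid.values() for label, _ in cell]


def render(grid, assets, threats):
    """Plain-text worksheet: assets across the top, threats down the side.

    A crossed-out intersection (no vulnerability) is shown as XXX.
    """
    col = 16
    header = " " * 24 + "".join(f"{'A' + str(a):<{col}}" for a in range(1, len(assets) + 1))
    lines = [header]
    for t in range(1, len(threats) + 1):
        row = f"{'T' + str(t) + ' ' + threats[t - 1]:<24}"
        for a in range(1, len(assets) + 1):
            labels = [label for label, _ in grid[(t, a)]]
            row += f"{','.join(labels) if labels else 'XXX':<{col}}"
        lines.append(row)
    return "\n".join(lines)


if __name__ == "__main__":
    tva = build_tva(ASSETS, THREATS, FOUND)
    print(render(tva, ASSETS, THREATS))
    for label in tva_triples(tva):
        print(label)
```

The labels come out in grid order (top row first, left to right), which is the order of the text's "T1V1A1, T1V2A1, T2V1A1 ..." sequence whenever the corresponding vulnerabilities exist; the empty cell is kept in the structure rather than dropped so that the crossed-out intersections remain visible to reviewers.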
In the risk assessment phase, discussed in the next section, not only are the vulnerabilities
examined, but the assessment team also analyzes any existing controls that protect the asset
from the threat or mitigate the losses that may occur. Cataloging and categorizing these
controls is the next step in the TVA spreadsheet.
Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk
assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While
this number does not mean anything in absolute terms, it enables you to gauge the relative
risk associated with each vulnerable information asset, and it facilitates the creation of comparative
ratings later in the risk control process.
Introduction to Risk Assessment
The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability.
Chapter 9 describes how to determine more precise cost estimates for vulnerabilities as
well as projected expenses for the controls that reduce the risks. For now, you can use the
simpler risk model shown in Figure 8-3 to evaluate the risk for each information asset. The
next section describes the factors used to calculate the relative risk for each vulnerability.
Likelihood
Likelihood is the overall rating— a numerical value on a defined scale— of the probability that
a specific vulnerability will be exploited. In Special Publication 800-30, NIST recommends
that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high). For
example, the likelihood of an employee or system being struck by a meteorite while indoors
would be rated 0.1, while the likelihood of receiving at least one e-mail containing a virus
or worm in the next year would be rated 1.0. You could also choose to use a number
between 1 and 100, but not 0, since vulnerabilities with a 0 likelihood should have already
been removed from the asset/vulnerability list. Whatever rating system you employ for assigning
likelihood, use professionalism, experience, and judgment to determine the rating— and
use it consistently. Whenever possible, use external references for likelihood values, after
reviewing and adjusting them for your specific circumstances. For many asset/vulnerability
combinations, existing sources have already determined their likelihood. For example,
● The likelihood of a fire has been estimated actuarially for each type of structure.
● The likelihood that any given e-mail will contain a virus or worm has been
researched.
● The number of network attacks can be forecast depending on how many network
addresses the organization has assigned.
Assessing Potential Loss
Using the information documented during the risk identification process, you can assign
weighted scores based on the value of each information asset. The actual number used will
vary according to the needs of the organization. Some groups use a scale of 1 to 100, with
100 being reserved for those information assets whose loss would stop company operations
within a few minutes. Other recommended scales, including the one in NIST SP 800-30, use
assigned weights in broad categories, with all-important assets having a value of 100, low-criticality
assets having a value of 1, and all other assets having a medium value of 50. Still
other scales employ weights from 1 to 10, or assigned values of 1, 3, and 5 to represent
low-, medium-, and high-valued assets, respectively. Alternatively, you can create unique
weight values customized to your organization's specific needs.
To be effective, the values must be assigned by asking the questions listed earlier in the section
entitled “ Identify and Prioritize Threats and Threat Agents.” These questions are
restated here for easy reference:
● Which threats present a danger to this organization's assets in its current
environment?
● Which threats represent the gravest danger to the organization's information assets?
● How much would it cost to recover from a successful attack?
● Which threats would require the greatest expenditure to prevent?
After reconsidering these questions, use the background information from the risk identification
process and add to that information by posing yet another question:
● Which of the aforementioned questions is the most important to the protection of
information from threats within this organization?
The answer to this question determines the priorities used in the assessment of vulnerabilities.
Which is the most important to the organization— the cost to recover from a threat attack or
the cost to protect against a threat attack? More generally, which of the threats has the highest
probability of successful attack? Recall that the purpose of risk assessment is to look at the
threats an organization faces in its current state. Once these questions are answered, move to
the next step in the process: examining how current controls can reduce the risk faced by specific
vulnerabilities.
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially
controlled, estimate what percentage of the vulnerability has been controlled.
Uncertainty
It is not possible to know everything about every vulnerability, such as how likely an attack
against an asset is, or how great an impact a successful attack would have on the organization.
The degree to which a current control can reduce risk is also subject to estimation
error. A factor that accounts for uncertainty must always be added to the equations; it consists
of an estimate made by the manager using good judgment and experience.
Risk Determination
For the purpose of relative risk assessment, risk equals the likelihood of vulnerability occurrence
times the value (or impact) of the asset, minus the percentage of that risk already controlled, plus an element of uncertainty.
Both percentages are taken of the (likelihood × value) product rather than subtracted from or added to it as raw numbers, and the uncertainty percentage is the complement of how accurate you judge your assumptions and data to be (90 percent accurate means 10 percent uncertainty).
To see how this equation works, consider the following scenario:
● Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has
a likelihood of 1.0 with no current controls. You estimate that assumptions and data
are 90 percent accurate.
● Information asset B has a value score of 100 and two vulnerabilities: Vulnerability 2
has a likelihood of 0.5 with a current control that addresses 50 percent of its risk;
vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that
assumptions and data are 80 percent accurate.
The resulting ranked list of risk ratings for the three vulnerabilities described above is as follows
[(value × likelihood) − risk mitigated + uncertainty]:
● Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) − 0% + 10% where
55 = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)
55 = 50 − 0 + 5
● Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) − 50% + 20% where
35 = (100 × 0.5) − ((100 × 0.5) × 0.5) + ((100 × 0.5) × 0.2)
35 = 50 − 25 + 10
● Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) − 0% + 20% where
12 = (100 × 0.1) − ((100 × 0.1) × 0.0) + ((100 × 0.1) × 0.2)
12 = 10 − 0 + 2
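The calculation above, written out as an added Python example (not the chapter's own material) and applied to the scenario's three vulnerabilities. The dataclass, field names and the range checks are this example's choices; uncertainty is taken as 1 minus the stated accuracy, as the worked numbers imply, and a vulnerability whose current control covers 100 percent of its risk is set aside rather than scored, as the "Percentage of Risk Mitigated" paragraph describes.

```python
# Added example: relative risk rating per the text's equation
#   risk = (value x likelihood) - (value x likelihood) x mitigated + (value x likelihood) x uncertainty
# Names and validation rules are this example's own assumptions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    label: str          # identifier, e.g. the TVA triple "T1V1A1"
    asset_value: float  # weighted value score of the asset (e.g. on a 1-100 scale)
    likelihood: float   # 0.1 (low) to 1.0 (high), the NIST SP 800-30 scale the text cites
    mitigated: float    # fraction of the risk handled by current controls, 0.0 to 1.0
    accuracy: float     # how accurate the assumptions and data are believed to be, 0.0 to 1.0


def risk_rating(v: Vulnerability) -> float:
    """Relative risk of one vulnerability.

    The mitigation and uncertainty percentages are applied to the base score
    (value x likelihood), not subtracted from or added to it as raw numbers;
    uncertainty is 1 - accuracy, so "90 percent accurate" adds 10 percent of the base.
    """
    if not 0.0 < v.likelihood <= 1.0:
        # Zero-likelihood entries should already have been removed from the list.
        raise ValueError(f"{v.label}: likelihood must be in (0, 1]")
    for name in ("mitigated", "accuracy"):
        if not 0.0 <= getattr(v, name) <= 1.0:
            raise ValueError(f"{v.label}: {name} must be a fraction between 0 and 1")
    base = v.asset_value * v.likelihood
    uncertainty = 1.0 - v.accuracy
    return base - base * v.mitigated + base * uncertainty


def ranked(vulns: List[Vulnerability]) -> List[Tuple[str, float]]:
    """Highest relative risk first; fully managed vulnerabilities are set aside unscored."""
    live = [v for v in vulns if v.mitigated < 1.0]
    scored = [(v.label, risk_rating(v)) for v in live]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The scenario from the text: asset A (value 50, data 90% accurate) with one
# vulnerability; asset B (value 100, data 80% accurate) with two.
SCENARIO = [
    Vulnerability("Asset A / Vulnerability 1", 50, 1.0, 0.0, 0.90),
    Vulnerability("Asset B / Vulnerability 2", 100, 0.5, 0.5, 0.80),
    Vulnerability("Asset B / Vulnerability 3", 100, 0.1, 0.0, 0.80),
]

if __name__ == "__main__":
    for label, score in ranked(SCENARIO):
        print(f"{score:5.1f}  {label}")
```

Because the ratings are only meaningful relative to one another, the useful output is the ordering (55, 35, 12 here), not the absolute numbers; if you change the asset value scale or the likelihood scale, re-rate every vulnerability on the list with the same scale before comparing.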
Likelihood and Consequences
Another approach to calculating risk based on likelihood is the likelihood and consequences
rating from the Australian and New Zealand Risk Management Standard 4360,4 which uses
qualitative methods to determine risk based on a threat’s probability of occurrence and
expected results of a successful attack. Qualitative risk assessment is examined elsewhere in
this chapter, but consists of using categories instead of actual numbers to determine risk.
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary
list of control ideas. The purpose of this list, which begins with the identification of extant
controls, is to identify areas of residual risk that may or may not need to be reduced. Residual
risk is the risk that remains even after the existing control has been applied. Controls, safeguards,