Loading...

Messages

Proposals

Stuck in your homework and missing deadline? Get urgent help in $10/Page with 24 hours deadline

Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.

Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support

Data classification schemes should categorize information assets based on which of the following?

15/12/2020 Client: saad24vbs Deadline: 2 Day

RISK MITIGATION AND THREAT IDENTIFICATION


Introduction


Information security in a modern organization exists primarily to manage information technology


(IT) risk. Managing risk is one of the key responsibilities of every manager within an


organization. In any well-developed risk management program, two formal processes are at


work. The first, risk identification and assessment, is discussed in this chapter; the second,


risk control, is the subject of the next chapter.


Each manager in the organization, regardless of his or her affiliation with one of the three


communities of interest, should focus on reducing risk as follows:


● General management must structure the IT and information security functions in ways


that will result in the successful defense of the organization’s information assets,


including data, hardware, software, procedures, and people.


● IT management must serve the information technology needs of the broader organization


and at the same time exploit the special skills and insights of the information


security community.


● Information security management must lead the way with skill, professionalism, and


flexibility as it works with the other communities of interest to balance the constant


trade-offs between information system utility and security.


Risk Management


If you know the enemy and know yourself, you need not fear the result of a hundred


battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you


will succumb in every battle.1


Accountability for Risk Management


All three communities of interest bear responsibility for the management of risks, and each


has a particular strategic role to play.


● Information security: Because members of the information security community best


understand the threats and attacks that introduce risk, they often take a leadership


role in addressing risk.


● Information technology: This group must help to build secure systems and ensure their


safe operation. For example, IT builds and operates information systems that are mindful


of operational risks and have proper controls implemented to reduce risk.


Management and users: When properly trained and kept aware of the threats faced by


the organization, this group plays a part in the early detection and response process.


Members of this community also ensure that sufficient resources (money and personnel)


are allocated to the information security and information technology groups to


meet the security needs of the organization. For example, business managers must


ensure that supporting records for orders remain intact in case of data entry error


or transaction corruption. Users must be made aware of threats to data and systems,


and educated on practices that minimize those threats.


All three communities of interest must work together to address every level of risk, ranging


from full-scale disasters (whether natural or human-made) to the smallest mistake made by


an employee. To do so, they must be actively involved in the following activities:


● Evaluating the risk controls


● Determining which control options are cost effective


● Acquiring or installing the appropriate controls


● Overseeing processes to ensure that the controls remain effective


● Identifying risks, which includes:


● Creating an inventory of information assets


● Classifying and organizing those assets into meaningful groups


● Assigning a value to each information asset


● Identifying threats to the cataloged assets


● Pinpointing vulnerable assets by tying specific threats to specific assets


● Assessing risks, which includes:


● Determining the likelihood that vulnerable systems will be attacked by specific threats


● Assessing the relative risk facing the organization’ s information assets, so that risk


management and control activities can focus on assets that require the most urgent


and immediate attention


● Calculating the risks to which assets are exposed in their current setting


● Looking in a general way at controls that might come into play for identified


vulnerabilities and ways to control the risks that the assets face


● Documenting the findings of risk identification and assessment


● Summarizing the findings, which involves stating the conclusions of the analysis stage


of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk


Risk Identification


Risk identification begins with the process of self-examination. At this stage, managers identify


the organization’s information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. This can be a daunting task, but it must be done


to identify weaknesses and the threats they present.


Creating an Inventory of Information Assets


The risk identification process begins with the identification of information assets, including


people, procedures, data, software, hardware, and networking elements. This step should be


done without prejudging the value of each asset; values will be assigned later in the process.


Standard IT system components (people, procedures, data, software, hardware,


and networks) alongside a risk management breakdown of those components.More specifically:


People are divided into insiders (employees) and outsiders (nonemployees). Insiders


come in two categories: either they hold trusted roles and have correspondingly


greater authority and accountability, or they are regular staff without any special


privileges. The group of outsiders consists of other users who have access to the


organization’s information assets.


● Procedures are assets since they are used to create value for the organization. They are


split into two categories: IT and business standard procedures, and IT and business


sensitive procedures. Sensitive procedures have the potential to enable an attack or to


otherwise introduce risk to the organization. For example, the procedures used by a


telecommunications company to activate new circuits pose special risks because they


reveal aspects of the inner workings of a critical process that can be subverted by


outsiders for the purpose of obtaining unbilled, illicit services.


● Data components account for information in all states: transmission, processing, and storage.


These categories expand the conventional use of the term data, which is usually associated


with databases, not the full range of information used by modern organizations.


● Software elements can be inventoried in one of three categories: applications, operating


systems, or security components. Software components that provide security controls


may fall into the operating systems or applications category, but are differentiated by


the fact that they are part of the information security control environment and must be


protected more thoroughly than other systems components.


● Hardware is split into two categories: the usual systems devices and their peripherals,


and the devices that are part of information security control systems. The latter must


be protected more thoroughly than the former.


● Networking components are extracted from software and hardware because networking


subsystems are often the focal point of attacks against a system. Of course, most


computer systems today include networking elements. You will have to determine


whether a device is primarily a computer or primarily a networking device. A server


computer that is used exclusively as a proxy server or bastion host may be classified


as a networking component, while an identical server configured as a database server


may be classified as hardware. For this reason, they should be considered separately,


rather than combined with general hardware and software components.


Identifying Hardware, Software, and Network Assets Many organizations


use purchased asset inventory systems to keep track of their hardware, network, and perhaps


software components. Numerous packages are available in the market today, and it is up to the


CISO or CIO to determine which package best serves the needs of the organization. Organizations


that do not use an automated inventory system must create an equivalent manual process.


Whether automated or manual, the inventory process requires a certain amount of planning.


Most importantly, you must determine which attributes of each of these information assets


should be tracked. That determination will depend on the needs of the organization and its


risk management efforts, as well as the preferences and needs of the information security


and information technology communities. When deciding which attributes to track for each


information asset, consider the following list of potential attributes:


● Name: A list of all names commonly used for the device or program; some organizations


may have several names for the same product, and each of them should be


cross-referenced in the inventory. This redundancy accommodates the usage across the


organization and makes it accessible for everyone. No matter how many names you


track or how you select a name, always provide a definition of the asset in question.


Adopt naming standards that do not convey critical information to potential system


attackers. For instance, a server named CASH1 or HQ_FINANCE may entice attackers.


● Asset Tag: Used to facilitate tracking of assets; asset tags are unique numbers assigned


to assets during the acquisition process.


● IP address: An attribute that is useful for network devices and servers but rarely


applies to software; you can, however, use a relational database and track software


instances on specific servers or networking devices. Many larger organizations use the


Dynamic Host Control Protocol (DHCP) within TCP/IP, which reassigns IP numbers


to devices as needed, making the use of IP numbers as part of the asset identification


process very difficult.


● MAC address: Also called an electronic serial number or hardware address; as


per the TCP/IP standard, all network interface hardware devices have a unique


number. The network operating system uses this number to identify specific network


devices. The client’ s network software uses it to recognize traffic that it needs to


process. In most settings, MAC addresses can be a useful way to track connectivity,


but they can be spoofed by some hardware/software combinations.


● Asset type: An attribute that describes the function of each asset; for hardware assets,


develop a list of possible asset types that includes servers, desktops, networking


devices, and test equipment. For software assets, develop a list that includes operating


systems, custom applications by type (accounting, human resources, or payroll, to


name a few), and packaged applications and/or specialty applications (such as firewall


programs). The degree of specificity is determined by the needs of the organization.


Asset types can be recorded at two or more levels of specificity by first recording one


attribute that classifies the asset at a high level, and then adding attributes for more


detail. For example, one server might be listed as follows:


DeviceClass . S (server)


DeviceOS . W2K (Windows 2000)


DeviceCapacity . AS (Advanced Server)


● Serial number: A number that uniquely identifies a specific device; some software


vendors also assign a software serial number to each instance of the program licensed


by the organization.


● Manufacturer name: An attribute that can be useful for analyzing threat outbreaks


when certain manufacturers announce specific vulnerabilities.


● Manufacturer’ s model or part number: A number that identifies exactly what the asset


is; it can be very useful in later analysis of vulnerabilities, because some threats apply


only to specific models of certain devices and/or software components.


● Software version, update revision, or FCO number: Current information about


software and firmware versions and, for hardware devices, the current field change


order (FCO) number; a field change order occurs when a manufacturer performs an upgrade to a hardware component at the customer’ s premises. Tracking this


information is particularly important when inventorying networking devices that


function mainly through the software running on them. For example, firewall


devices often have three versions: an operating system version, a software version,


and a Basic Input/Output System (BIOS) firmware version. Depending on an organization’ s


needs, the inventory may have to track each of those version values for


each asset.


● Physical location: An attribute that does not apply to software elements; nevertheless,


some organizations may have license terms that indicate where software can be used.


● Logical location: An attribute that specifies where an asset can be found on the organization’ s


network; the logical location is most applicable to networking devices and


indicates the logical network segment (sometimes labeled a VLAN) that houses the


device.


● Controlling entity: The organizational unit that controls the asset; a remote location’ s


on-site staff may sometimes be placed in control of network devices; at other organizations,


a central corporate group may control all network devices. The inventory


should determine which group controls each specific asset, as the controlling group


will want a voice in determining how much risk that device can tolerate and how


much expense it can sustain to add controls.


Identifying People, Procedures, and Data Assets Unlike hardware and software,


human resources, documentation, and data information assets are not as readily identified


and documented. Responsibility for identifying, describing, and evaluating these information


assets should be assigned to managers who possess the necessary knowledge, experience, and


judgment. As these assets are identified, they should be recorded via a reliable data-handling


process like the one used for hardware and software.


The record-keeping system should be flexible, allowing you to link assets to attributes based


on the nature of the information asset being tracked. Some basic attributes for various classes


of assets are:


People


● Position name/number/ID: Avoid names; use position titles, roles, or functions


● Supervisor name/number/ID: Avoid names; use position titles, roles, or functions


● Security clearance level


● Special skills


Procedures


● Description


● Intended purpose


● Software/hardware/networking elements to which it is tied


● Location where it is stored for reference


● Location where it is stored for update purposes


Data


● Classification


● Owner/creator/manager


● Size of data structure


● Data structure used; for example, sequential or relational


● Online or offline


● Location


● Backup procedures


Consider carefully what should be tracked for specific assets. Often larger organizations find


that that they can effectively track only a few valuable facts about the most critical information


assets. For instance, a company may track only IP address, server name, and device


type for its mission-critical servers. The organization might forgo additional attribute tracking


on all devices, and completely omit the tracking of desktop or laptop systems.


Classifying and Categorizing Assets


Once the initial inventory is assembled, you must determine whether its asset categories are


meaningful to the organization’s risk management program. Such a review may cause managers


to further subdivide the categories listed in Table 8-1 or to create new categories that


better meet the needs of the risk management program. For example, if the category Internet


components is deemed too general, it could be further divided into subcategories of servers,


networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and


cabling.


The inventory should also reflect the sensitivity and security priority assigned to each information


asset. A classification scheme should be developed (or reviewed, if already in place)


that categorizes these information assets based on their sensitivity and security needs. Consider


the following classification scheme for an information asset: confidential, internal, and


public. Each of these classification categories designates the level of protection needed for a


particular information asset. Some asset types, such as personnel, may require an alternative


classification scheme that would identify the information security processes used by the asset


type. For example, based on need-to-know and right-to-update, an employee might be given


a certain level of security clearance, which identifies the level of information that individual is


authorized to use. A more detailed discussion of classification schemes is provided later in


this chapter in the section entitled “Data Classification Model.”


Classification categories must be comprehensive and mutually exclusive. Comprehensive


means that all inventoried assets fit into a category; mutually exclusive means that each


asset is found in only one category. For example, an organization may have a public key


infrastructure certificate authority, which is a software application that provides cryptographic


key management services. Using a purely technical standard, a manager could categorize


the application in the asset list of Table 8-1 as software, a general grouping with no


special classification priority. Because the certificate authority must be carefully protected as


part of the information security infrastructure, it should be categorized into a higher priority


classification, such as software/security component/cryptography, and it should be verified


that no overlapping category exists, such as software/security component/PKI.


Assessing Values for Information Assets


As each information asset is identified, categorized, and classified, a relative value must also


be assigned to it. Relative values are comparative judgments intended to ensure that the


most valuable information assets are given the highest priority when managing risk. It may


be impossible to know in advance—in absolute economic terms—what losses will be incurred


if an asset is compromised; however, a relative assessment helps to ensure that the highervalue


assets are protected first.


As each information asset is assigned to its proper category, posing the following basic questions


can help you develop the weighting criteria to be used for information asset valuation


or impact evaluation. It may be useful to refer to the information collected in the BIA process


(covered in Chapter 3) to help you assess a value for an asset. You can use a worksheet, such


as the one shown in Figure 8-2, to collect the answers for later analysis.


● Which information asset is the most critical to the success of the organization?


When determining the relative importance of each information asset, refer to the


organization’s mission statement or statement of objectives. From this source, determine


which assets are essential for meeting the organization’s objectives, which assets


support the objectives, and which are merely adjuncts. For example, a manufacturing


company that makes aircraft engines may decide that the process control systems that control the machine tools on the assembly line are the first order of importance.


While shipping and receiving data entry consoles are important to those functions,


they may be less critical if alternatives are available or can be easily arranged. Another


example is an online organization such as Amazon.com. The Web servers that


advertise the company’ s products and receive its orders 24 hours a day are essential,


whereas the desktop systems used by the customer service department to answer


customer e-mails are less critical.


● Which information asset generates the most revenue? The relative value of an information


asset depends on how much revenue it generates— or, in the case of a nonprofit


organization, how critical it is to service delivery. Some organizations have different


systems in place for each line of business or service they offer. Which of these assets


plays the biggest role in generating revenue or delivering services?


● Which information asset generates the highest profitability? Managers should evaluate


how much profit depends on a particular asset. For instance, at Amazon.com, some


servers support the book sales operations, others support the auction process, and still


others support the customer book review database. Which of these servers contributes


the most to the profitability of the business? Although important, the review database


server does not directly generate profits. Note the distinction between revenues and


profits: Some systems on which revenues depend operate on thin or nonexistent margins


and do not generate profits. In nonprofit organizations, you can determine what


percentage of the agency’ s clientele receives services from the information asset being


evaluated.


● Which information asset is the most expensive to replace? Sometimes an information


asset acquires special value because it is unique. If an enterprise still uses a Model-129


keypunch machine to create special punch-card entries for a critical batch run, for


example, that machine may be worth more than its cost, because spare parts or service


providers may no longer be available. Another example is a specialty device with


a long delivery time frame because of manufacturing or transportation requirements.


Organizations must control the risk of loss or damage to such unique assets— for


example, by buying and storing a backup device.


● Which information asset is the most expensive to protect? Some assets are by their


nature difficult to protect, and formulating a complete answer to this question may


not be possible until after the risk identification phase is complete, because the costs


of controls cannot be computed until the controls are identified. However, you can


still make a preliminary assessment of the relative difficulty of establishing controls


for each asset.


● Which information asset’s loss or compromise would be the most embarrassing or


cause the greatest liability? Almost every organization is aware of its image in the


local, national, and international spheres. Loss or exposure of some assets would


prove especially embarrassing. Microsoft’ s image, for example, was tarnished when


an employee’ s computer system became a victim of the QAZ Trojan horse, and the


latest version of Microsoft Office was stolen.2


You may also need to identify and add other institution-specific questions to the evaluation process.


Listing Assets in Order of Importance


The final step in the risk identification process is to list the assets in order of importance.


This goal can be achieved by using a weighted factor analysis worksheet similar to the one


shown in Table 8-2. In this process, each information asset is assigned a score for each critical


factor. Table 8-2 uses the NIST SP 800-30 recommended values of 0.1 to 1.0. (NIST SP


800-30, Risk Management for Information Technology Systems, is published by the National


Institute of Standards and Technology and is covered in detail in Chapter 9. Your organization


may choose to use another weighting system.) Each criterion has an assigned weight


showing its relative importance in the organization.


A quick review of Table 8-2 shows that the Customer order via SSL (inbound) data flow is


the most important asset on this worksheet, and that the EDI Document Set 2—Supplier fulfillment


advice (inbound) is the least critical asset.


Threat Identification


As mentioned at the beginning of this chapter, the ultimate goal of risk identification is to


assess the circumstances and setting of each information asset to reveal any vulnerabilities.


Armed with a properly classified inventory, you can assess potential weaknesses in each


information asset—a process known as threat identification.


Any organization typically faces a wide variety of threats. If you assume that every threat can


and will attack every information asset, then the project scope becomes too complex. To


make the process less unwieldy, each step in the threat identification and vulnerability identification


processes is managed separately and then coordinated at the end. At every step the


manager is called on to exercise good judgment and draw on experience to make the process


function smoothly.


Identify and Prioritize Threats and Threat Agents Chapter 2 identified 12


categories of threats to information security, which are listed alphabetically in Table 8-3.


Each of these threats presents a unique challenge to information security and must be handled


with specific controls that directly address the particular threat and the threat agent’s


attack strategy. Before threats can be assessed in the risk identification process, however,


each threat must be further examined to determine its potential to affect the targeted information


asset. In general, this process is referred to as threat assessment. Posing the following


questions can help you understand the threat and its potential effects on an information


asset:


● Which threats present a danger to this organization’s information assets in its current


environment? Not all threats endanger every organization, of course. Examine each of


the categories in Table 8-3, and eliminate any that do not apply to your organization.


While it is unlikely that you can eliminate an entire category of threats, if you can, it


speeds the threat assessment process. The Offline feature entitled “ Threats to Information


Security” describes the threats that some CIOs of major companies identified


for their organizations. Although the Offline feature directly addresses only information


security, note that a weighted ranking of threats should be compiled for any


information asset that is at risk. Once you have determined which threats apply to


your organization, identify particular examples of threats within each category, eliminating


those that are not relevant. For example, a company with offices on the 23rd


floor of a high-rise building in Denver, Colorado, might not be subject to flooding.


Similarly, a firm with an office in Oklahoma City, Oklahoma, might not be concerned


with landslides.


● Which threats represent the gravest danger to the organization’s information assets?


The amount of danger posed by a threat is sometimes difficult to assess. It may be


simply the probability of a threat attacking the organization, or it may reflect the


amount of damage that the threat could create or the frequency with which an attack


can occur. During this preliminary assessment phase, the analysis is limited to examining


the existing level of preparedness and improving the strategy of information


security. The results should give a quick overview of the components involved.


As you will discover in Chapter 9, you can use both quantitative and qualitative measures to


rank values. Since information in this case is preliminary, the organization may want to


rank threats subjectively in order of danger. Alternatively, it may simply rate each of the


threats on a scale of 1 to 5, with 1 designating insignificant threats and 5 designating highly


significant threats.


Frequency of Attacks Remarkably, detected attacks are decreasing. After a peak in


2000, the number of organizations reporting unauthorized use of computer systems has


been declining steadily, while the amount reporting no unauthorized access has been increasing.


Unfortunately, the number of organizations reporting that they just do not know is


holding steady.3 The fact is, almost every company has experienced an attack. Whether that


attack was successful depends on the company’s security efforts; whether the perpetrators


were caught or the organization was willing to report the attack is another matter entirely.


● How much would it cost to recover from a successful attack? One of the calculations


that guides corporate spending on controls is the cost of recovery operations if an


attack occurs and is successful. At this preliminary phase, it is not necessary to conduct


a detailed assessment of the costs associated with recovering from a particular attack.


Instead, organizations often a create subjective ranking or listing of the threats based on


recovery cost. Alternatively, you could assign a rating for each threat on a scale of 1 to


5, with 1 representing “not expensive at all” and 5 representing “extremely expensive.”


If the information is available, a raw value (such as $5,000, $10,000, or $2 million) can


be assigned. In other words, the goal at this phase is to provide a rough assessment of


the cost to recover operations should the attack interrupt normal business operations.


Which threats would require the greatest expenditure to prevent? Another factor that


affects the danger posed by a particular threat is the amount it would cost to protect


against that threat. Controlling some threats has a nominal cost, as in protections from


malicious code, while other protective strategies are very expensive, as in protections


from forces of nature. Here again the manager ranks, rates, or attempts to quantify the


level of danger associated with protecting against a particular threat by using the same


techniques outlined earlier for calculating recovery costs. Look at the Offline feature on


expenditure for threats to see how some top executives recently handled this issue.


This list of questions may not cover everything that affects risk identification. An organization’s


specific guidelines or policies should influence the process and will inevitably require


that some additional questions be answered.


Vulnerability Assessment Once you have identified the information assets of the


organization and documented some threat assessment criteria, you can begin to review every information asset for each threat. This review leads to the creation of a list of vulnerabilities


that remain potential risks to the organization. What are vulnerabilities? They are


specific avenues that threat agents can exploit to attack an information asset. In other


words, they are chinks in the asset’ s armor— a flaw or weakness in an information asset,


security procedure, design, or control that can be exploited accidentally or on purpose to


breach security. For example, Table 8-4 analyzes the threats to and possible vulnerabilities


of a DMZ router.


A list like the one in Table 8-4 must be created for each information asset to document its


vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities


of the information asset. Some threats manifest themselves in multiple ways,


yielding multiple vulnerabilities for that asset– threat pair. Of necessity, the process of listing


vulnerabilities is somewhat subjective and is based on the experience and knowledge of the


people who create the list. Therefore, the process works best when groups of people with


diverse backgrounds work together in a series of brainstorming sessions. For instance, the


team that reviews the vulnerabilities for networking equipment should include networking


specialists, the systems management team that operates the network, information security


risk specialists, and even technically proficient users of the system.


The TVA Worksheet


At the end of the risk identification process, an organization should have a prioritized list of


assets and their vulnerabilities. This list serves as the starting point (with its supporting documentation


from the identification process) for the next step in the risk management process—


risk assessment. Another list prioritizes threats facing the organization based on the weighted


table discussed earlier. These two lists can be combined into a Threats-Vulnerabilities-Assets


(TVA) worksheet, in preparation for the addition of vulnerability and control information


during risk assessment. Along one axis lies the prioritized set of assets. Table 8-5 shows the


placement of assets along the horizontal axis, with the most important asset at the left. The


prioritized list of threats are placed along the vertical axis, with the most important or most


dangerous threat listed at the top. The resulting grid provides a convenient method of examining


the “exposure” of assets, allowing a simplistic vulnerability assessment. We now have a


starting point for our risk assessment, along with the other documents and forms.


As you begin the risk assessment process, create a list of the TVA “triples” to facilitate your


examination of the severity of the vulnerabilities. For example, between Threat 1 and Asset 1


there may or may not be a vulnerability. After all, not all threats pose risk to all assets. If a


pharmaceutical company’s most important asset is its research and development database,


and that database resides on a stand-alone network (that is, one that is not connected to the


Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and


A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these


vulnerabilities are identified, they are categorized as follows:


T1V1A1— Vulnerability 1 that exists between Threat 1 and Asset 1


T1V2A1— Vulnerability 2 that exists between Threat 1 and Asset 1


T2V1A1— Vulnerability 1 that exists between Threat 2 and Asset 1…


and so on.


In the risk assessment phase, discussed in the next section, not only are the vulnerabilities


examined, but the assessment team also analyzes any existing controls that protect the asset


from the threat, or mitigates the losses that may occur. Cataloging and categorizing these


controls is the next step in the TVA spreadsheet.


Risk Assessment


Assessing the relative risk for each vulnerability is accomplished via a process called risk


assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While


this number does not mean anything in absolute terms, it enables you to gauge the relative


risk associated with each vulnerable information asset, and it facilitates the creation of comparative


ratings later in the risk control process.


Introduction to Risk Assessment


The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability.


Chapter 9 describes how to determine more precise cost estimates for vulnerabilities as


well as projected expenses for the controls that reduce the risks. For now, you can use the


simpler risk model shown in Figure 8-3 to evaluate the risk for each information asset. The


next section describes the factors used to calculate the relative risk for each vulnerability.


Likelihood


Likelihood is the overall rating— a numerical value on a defined scale— of the probability that


a specific vulnerability will be exploited. In Special Publication 800-30, NIST recommends


that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high). For


example, the likelihood of an employee or system being struck by a meteorite while indoors


would be rated 0.1, while the likelihood of receiving at least one e-mail containing a virus


or worm in the next year would be rated 1.0. You could also choose to use a number


between 1 and 100, but not 0, since vulnerabilities with a 0 likelihood should have already


been removed from the asset/vulnerability list. Whatever rating system you employ for assigning


likelihood, use professionalism, experience, and judgment to determine the rating— and


use it consistently. Whenever possible, use external references for likelihood values, after


reviewing and adjusting them for your specific circumstances. For many asset/vulnerability


combinations, existing sources have already determined their likelihood. For example,


● The likelihood of a fire has been estimated actuarially for each type of structure.


● The likelihood that any given e-mail will contain a virus or worm has been


researched.


● The number of network attacks can be forecast depending on how many network


addresses the organization has assigned.


Assessing Potential Loss


Using the information documented during the risk identification process, you can assign


weighted scores based on the value of each information asset. The actual number used will


vary according to the needs of the organization. Some groups use a scale of 1 to 100, with


100 being reserved for those information assets whose loss would stop company operations


within a few minutes. Other recommended scales, including the one in NIST SP 800-30, use


assigned weights in broad categories, with all-important assets having a value of 100, lowcriticality


assets having a value of 1, and all other assets having a medium value of 50. Still


other scales employ weights from 1 to 10, or assigned values of 1, 3, and 5 to represent


low-, medium-, and high-valued assets, respectively. Alternatively, you can create unique


weight values customized to your organization’ s specific needs.


To be effective, the values must be assigned by asking the questions listed earlier in the section


entitled “ Identify and Prioritize Threats and Threat Agents.” These questions are


restated here for easy reference:


● Which threats present a danger to this organization’ s assets in its current


environment?


● Which threats represent the gravest danger to the organization’ s information assets?


● How much would it cost to recover from a successful attack?


● Which threats would require the greatest expenditure to prevent?


After reconsidering these questions, use the background information from the risk identification


process and add to that information by posing yet another question:


● Which of the aforementioned questions is the most important to the protection of


information from threats within this organization?


The answer to this question determines the priorities used in the assessment of vulnerabilities.


Which is the most important to the organization— the cost to recover from a threat attack or


the cost to protect against a threat attack? More generally, which of the threats has the highest


probability of successful attack? Recall that the purpose of risk assessment is to look at the


threats an organization faces in its current state. Once these questions are answered, move to


the next step in the process: examining how current controls can reduce the risk faced by specific


vulnerabilities.


Percentage of Risk Mitigated by Current Controls


If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially


controlled, estimate what percentage of the vulnerability has been controlled.


Uncertainty


It is not possible to know everything about every vulnerability, such as how likely an attack


against an asset is, or how great an impact a successful attack would have on the organization.


The degree to which a current control can reduce risk is also subject to estimation


error. A factor that accounts for uncertainty must always be added to the equations; it consists


of an estimate made by the manager using good judgment and experience.


Risk Determination


For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence


times value (or impact) minus percentage risk already controlled plus an element of uncertainty.


To see how this equation works, consider the following scenario:


● Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has


a likelihood of 1.0 with no current controls. You estimate that assumptions and data


are 90 percent accurate.


● Information asset B has a value score of 100 and two vulnerabilities: Vulnerability 2


has a likelihood of 0.5 with a current control that addresses 50 percent of its risk;


vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that


assumptions and data are 80 percent accurate.


The resulting ranked list of risk ratings for the three vulnerabilities described above is as follows


[(value times likelihood) minus risk mitigated plus uncertainty]:


● Asset A: Vulnerability 1 rated as 55 . (50 _ 1.0) _ 0% . 10% where


55 . (50 _ 1.0) – ((50 _ 1.0) _ 0.0) . ((50 _ 1.0) _ 0.1)


55 . 50 _ 0 . 5


● Asset B: Vulnerability 2 rated as 35 . (100 _ 0.5) – 50% . 20% where


35 . (100 _ 0.5) – ((100 _ 0.5) _ 0.5) . ((100 _ 0.5) _ 0.2)


35 . 50 _ 25 . 10


Likelihood and Consequences


Another approach to calculating risk based on likelihood is the likelihood and consequences


rating from the Australian and New Zealand Risk Management Standard 4360,4 which uses


qualitative methods to determine risk based on a threat’s probability of occurrence and


expected results of a successful attack. Qualitative risk assessment is examined elsewhere in


this chapter, but consists of using categories instead of actual numbers to determine risk.


Identify Possible Controls


For each threat and its associated vulnerabilities that have residual risk, create a preliminary


list of control ideas. The purpose of this list, which begins with the identification of extant


controls, is to identify areas of residual risk that may nor may not need to be reduced. Residual


risk is the risk that remains even after the existing control has been applied. Controls, safeguards,

Homework is Completed By:

Writer Writer Name Amount Client Comments & Rating
Instant Homework Helper

ONLINE

Instant Homework Helper

$36

She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up!

Order & Get This Solution Within 3 Hours in $25/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 3 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 6 Hours in $20/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 6 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

Order & Get This Solution Within 12 Hours in $15/Page

Custom Original Solution And Get A+ Grades

  • 100% Plagiarism Free
  • Proper APA/MLA/Harvard Referencing
  • Delivery in 12 Hours After Placing Order
  • Free Turnitin Report
  • Unlimited Revisions
  • Privacy Guaranteed

6 writers have sent their proposals to do this homework:

University Coursework Help
Top Essay Tutor
Homework Guru
Helping Hand
Best Coursework Help
Innovative Writer
Writer Writer Name Offer Chat
University Coursework Help

ONLINE

University Coursework Help

Hi dear, I am ready to do your homework in a reasonable price.

$77 Chat With Writer
Top Essay Tutor

ONLINE

Top Essay Tutor

I have more than 12 years of experience in managing online classes, exams, and quizzes on different websites like; Connect, McGraw-Hill, and Blackboard. I always provide a guarantee to my clients for their grades.

$80 Chat With Writer
Homework Guru

ONLINE

Homework Guru

Hi dear, I am ready to do your homework in a reasonable price and in a timely manner.

$77 Chat With Writer
Helping Hand

ONLINE

Helping Hand

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$75 Chat With Writer
Best Coursework Help

ONLINE

Best Coursework Help

I am an Academic writer with 10 years of experience. As an Academic writer, my aim is to generate unique content without Plagiarism as per the client’s requirements.

$75 Chat With Writer
Innovative Writer

ONLINE

Innovative Writer

I have read and understood all your initial requirements, and I am very professional in this task, I would be the best choice for this project, I am a PhD writer with 6-7 years of experience and can deliver quality notes to tight deadlines. I can generally compile up to 10 pages of lecture notes per day. I am known as Unrivaled Quality, Written to Standard, providing Plagiarism-free woork, and Always on Time

$70 Chat With Writer

Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.

Similar Homework Questions

Toyota ls2 ad158 203 manual - Psychotherapy With Individuals - Average household budget pie chart - Introduction to programming using python daniel liang pdf - Brent staples just walk on by ethos - What are biotic and abiotic resources - Burgener clean warm up - You conduct a dihybrid cross. a ________ ratio would make you suspect that the genes are linked. - Article reflection - 5 year old well child soap note - Top hat organizer - Ilkley moor bar t at chords - Mathmatics computing - Plc maintenance engineer resume - Steve jobs biography by nick bilton pdf - Http www yourleadershiplegacy com assessment html - Www youtube com watch v iyhcn0jf46u - The unadjusted trial balance columns of a worksheet total 84000 - Ethics game ethical lens inventory - Maximo rest api documentation - Cubic spline interpolation algorithm source code - Starbucks mission social responsibility and brand strength case study - Internet - Drawing a genogram on microsoft word - Foundations of Financial 4 - bound - University of phoenix college algebra - Wave on a string phet lab worksheet answer key - Politics and the Patient Protection and Affordable Care Act - St john's ambulance cadets uniform female - Global training at google case study - Bio 290 university of phoenix - Discussion Post :research question/problem u - Jeffrey allen books pdf - The wooing of ariadne full story - What is specific to sap implementation in a hospital - What are five recommended steps to make ethical decisions - Edgar allan poe black death - What factors contributed to eurodisney poor performance - Accenture high performance delivered - Hmac authentication failure airwatch - Graph the inequality on a plane 3y 4x 12 - Btec work skills level 2 - Sss sas asa rhs - Spirituality in nursing standing on holy ground pdf - Week 4 no plagiarism - Evaluating limits khan academy - HW 2 - Presented below are three independent situations - Bunsen burner chemical equation - History 100 Presentation Assistance - The south division of wiig company reported - Cyber cafe business proposal - Introduction to literature 12th edition - Father and son relationship in the kite runner - For leaders, pushing beyond the comfort zone and facing the internal "wall of fear" is an act of: - Point loma application essay - A view of cloud computing pdf - English 30 2 literary exploration topics - State and Federal legal systems - Highfields awarding body for compliance habc - Ransom chapter 1 summary - What is the molecularity of the following elementary reaction - Stage 1 pdhpe units of work - I ate the divorce papers analysis - Charting method of note taking - DISCUSSION POST T4:DQ2 - 4810 kj to calories - Lrt kelana jaya fare - Business Desertation - Rivers and roads uke - Week 6 Crisis intervention - Middle adulthood social development - Assignment OM - Closing entries are journalized and posted - Lab report heat of reaction - 49 amherst street cammeray - What did the coinage act call for - Explain how wheeled coach implements abc analysis - Cooking cod in microwave - Latent heat of freezing - Coding with mosh sql - Sound ethical decisions - 2 x 2 perceptual positioning map - Marketing real people real choices 7th edition ebook - Readiness for enhanced knowledge related to newborn care - Self Awarness - Escience labs biology answer key - Database input node in iib - Health spa business plan - Marketing channels and value networks - American college of radiology - Market Opportunity - How to do sum of squares in r - Average daily census formula example - Summaries of saudis expand regional power as others falter - We still live here full movie - Provide financial and business performance information assignment - Beginning inventory plus net purchases minus ending inventory - Telstra international day pass business - Penguin chick syllable patterns v cv vc v answers