Risk Management: Controlling Risk
Risk Control Strategies
When an organization’s general management team determines that risks from information
security threats are creating a competitive disadvantage, it empowers the information technology
and information security communities of interest to control those risks. Once the project
team for information security development has created the ranked vulnerability worksheet
(see Chapter 8), the team must choose one of four basic strategies to control the risks that
arise from these vulnerabilities:
● Avoidance: Applying safeguards that eliminate or reduce the remaining uncontrolled
risks
● Transference: Shifting the risks to other areas or to outside entities
● Mitigation: Reducing the impact should an attacker successfully exploit the vulnerability
● Acceptance: Understanding the consequences and acknowledging the risk without any
attempts at control or mitigation
Avoidance
Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability.
It is the preferred approach, as it seeks to avoid risk rather than deal with it after it
has been realized. Avoidance is accomplished through the following techniques:
● Application of policy: As discussed in Chapter 4, the application of policy allows all
levels of management to mandate that certain procedures always be followed. For
example, if the organization needs to control password use more tightly, it can implement
a policy requiring passwords on all IT systems. But policy alone may not be
enough. Effective management always couples changes in policy with the training and
education of employees, or an application of technology, or both.
● Application of training and education: Communicating new or revised policy to
employees may not be adequate to assure compliance. Awareness, training, and education
are essential to creating a safer and more controlled organizational environment
and to achieving the necessary changes in end-user behavior.
● Countering threats: Risks can be avoided by countering the threats facing an asset and
by eliminating its exposure to them. Eliminating a threat outright is difficult, but removing
the exposure is often possible. For example, if an organization faces a threat of loss of files
it makes available to trading partners on an unsecured FTP server, which carries both
credentials and data in cleartext, it can move the files to an SFTP (SSH-based) or FTPS
server. Doing so removes the exposure of the files and credentials to interception on the
network; the threat agents still exist, so authentication and access control on the new
server still need to be configured and verified.
● Implementation of technical security controls and safeguards: In the everyday world
of information security, technical solutions are often required to reduce risk effectively. For example, systems administrators can configure systems to use passwords
where policy requires them and where the administrators are both aware of the
requirement and trained to implement it.
Transference
Transference is the control approach that attempts to shift the risk to other assets, other processes,
or other organizations. This goal may be accomplished by rethinking how services are
offered, revising deployment models, outsourcing to other organizations, purchasing insurance,
or implementing service contracts with providers.
In the popular book In Search of Excellence, management consultants Tom Peters and Robert
Waterman present a series of case studies of high-performing corporations. They assert that
one of the eight characteristics of excellent organizations is that they “stick to their knitting.
They stay reasonably close to the business they know.”1 What does this mean? It means that
Kodak focuses on the manufacture of photographic equipment and chemicals, while General
Motors focuses on the design and construction of cars and trucks. Neither company spends
strategic energies on the technology for developing Web sites. They focus energy and resources
on what they do best while relying on consultants or contractors for other types of expertise.
Organizations should consider this whenever they begin to expand their operations, including
information and systems management, and even information security. If an organization does
not have adequate security management and administration experience, it should hire individuals
or firms that provide expertise in these areas. For example, many organizations want
Web services, including Web presences, domain name registration, and domain and Web
hosting. Rather than implementing their own servers and hiring their own Webmasters, Web
systems administrators, and even specialized security experts, savvy organizations hire ISPs or
Web consulting organizations. This approach allows them to transfer the risk associated with
the management of these complex systems to other organizations with more experience in
dealing with those risks. A side benefit of specific contract arrangements is that the provider
is responsible for disaster recovery and, through service-level agreements, for guaranteeing
server and Web site availability.
Outsourcing, of course, is not without its own risks. Transferring the operation of a system does
not transfer the organization's accountability for it: the owner of the information asset, IT management,
and the information security team remain responsible to customers and regulators for its protection,
and must ensure that the disaster recovery and security requirements of the outsourcing contract are
sufficient and have been met before they are needed.
Mitigation
Mitigation is the control approach that attempts to reduce, by means of planning and preparation,
the damage caused by the exploitation of a vulnerability. This approach includes three
types of plans, which you learned about in Chapter 3: the incident response (IR) plan, the disaster
recovery (DR) plan, and the business continuity (BC) plan. Mitigation depends on the ability to
detect and respond to an attack as quickly as possible.
Table 9-1 summarizes each of the three types of mitigation plans, including its characteristics
and examples.
Acceptance
As described above, mitigation is a control approach that attempts to reduce the effects of an
exploited vulnerability. In contrast, acceptance is the choice to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation. It may
or may not be a conscious business decision. The only use of the acceptance strategy that
industry practices recognize as valid occurs when the organization has done the following:
● Determined the level of risk posed to the information asset
● Assessed the probability of attack and the likelihood of a successful exploitation of a
vulnerability
● Approximated the annual rate of occurrence of such an attack
● Estimated the potential loss that could result from attacks
● Performed a thorough cost-benefit analysis
● Evaluated controls using each appropriate type of feasibility analysis report
● Determined that the particular function, service, information, or asset did not justify
the cost of protection
This control, or rather lack of control, assumes that it can be a prudent business decision
to examine the alternatives and conclude that the cost of protecting an asset does not justify
the security expenditure. Suppose it would cost an organization $100,000 a year to protect a
server. The security assessment determines that for $10,000 the organization could replace the
information contained in the server, replace the server itself, and cover associated recovery
costs. Under those circumstances, management may be satisfied with taking its chances and
saving the money that would otherwise be spent on protecting this particular asset.
An organization that decides on acceptance as a strategy for every identified risk of
loss may in fact be unable to conduct proactive security activities, and may have an apathetic
approach to security in general. It is not acceptable for an organization to plead
ignorance and thus abdicate its legal responsibility to protect employees’ and customers’
information. It is also unacceptable for management to hope that if they do not try to
protect information, the opposition will imagine that little will be gained by an attack.
The risks far outweigh the benefits of this approach, which usually ends in regret as the
exploitation of the vulnerabilities causes a seemingly unending series of information security
lapses.
Some practitioners use an alternate set of possible control strategies:
● Self-protection: Applying safeguards that eliminate or reduce the remaining uncontrolled
risks for the vulnerability
● Transference: Shifting the risk to other areas or to outside entities
● Mitigation: Reducing the impact should the vulnerability be exploited
● Acceptance/Self-insurance: Understanding the consequences and accepting the risk
without control or mitigation
● Avoidance: Avoiding certain activities because the risk is too great compared to the
benefits
Managing Risk
Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations
are willing to accept as they evaluate the trade-offs between perfect security and unlimited
accessibility. (This chapter uses the two terms interchangeably; some frameworks, such as ISO 31000
and COSO ERM, distinguish them, using appetite for the amount of risk an organization chooses to
pursue or retain and tolerance for the acceptable variation around a particular objective.) For instance, a financial services company, regulated by government and
conservative by nature, seeks to apply every reasonable control and even some invasive controls
to protect its information assets. Other less closely regulated organizations may also be
conservative, and thus seek to avoid the negative publicity and perceived loss of integrity
caused by the exploitation of a vulnerability. A firewall vendor might install a set of firewall
rules that are far more stringent than necessary, simply because being hacked would jeopardize
its market. Other organizations may take on dangerous risks because of ignorance. The
reasoned approach to risk is one that balances the expense (in terms of finance and the usability
of information assets) against the possible losses if exploited.
James Anderson, Executive Consultant and Director at Emagined Security, formerly a senior
executive with Inovant (the world’s largest commercial processor of financial payment transactions),
believes that information security in today’s enterprise is a “well-informed sense of
assurance that the information risks and controls are in balance.” The key is for the organization
to find balance in its decision-making processes and in its feasibility analyses, thereby
assuring that its risk appetite is based on experience and facts, and not on ignorance or wishful
thinking.
When vulnerabilities have been controlled as much as possible, there is often remaining risk
that has not been completely removed, shifted, or planned for—in other words, residual risk.
Expressed another way, “Residual risk is a combined function of (1) a threat less the effect of
threat-reducing safeguards; (2) a vulnerability less the effect of vulnerability-reducing safeguards; and (3) an asset less the effect of asset value-reducing safeguards.”2 Figure 9-1
illustrates how residual risk persists even after safeguards are implemented.
Although it might seem counterintuitive, the goal of information security is not to bring residual
risk to zero; rather, it is to bring residual risk in line with an organization’s risk appetite. If
decision makers have been informed of uncontrolled risks and the proper authority groups
within the communities of interest decide to leave residual risk in place, then the information
security program has accomplished its primary goal.
Figure 9-2 illustrates the process by which an organization chooses from among the four risk
control strategies. As shown in this flowchart, after the information system is designed, you
must determine whether the system has vulnerabilities that can be exploited. If a viable threat
exists, determine what an attacker would gain from a successful attack. Then estimate the
expected loss the organization will incur if the vulnerability is successfully exploited. If this
loss is within the range of losses the organization can absorb, or if the attacker’s gain is less
than the likely cost of executing the attack, the organization may choose to accept the risk.
Otherwise, you must select one of the other control strategies.
For further guidance, some rules of thumb on strategy selection are presented below. When
weighing the benefits of the various strategies, keep in mind that the level of threat and the
value of the asset should play a major role in strategy selection.
● When a vulnerability (flaw or weakness) exists: Implement security controls to
reduce the likelihood of a vulnerability being exercised.
● When a vulnerability can be exploited: Apply layered protections, architectural designs,
and administrative controls to minimize the risk or prevent the occurrence of an attack.
● When the attacker’s potential gain is greater than the costs of attack: Apply protections
to increase the attacker’s cost or reduce the attacker’s gain, by using technical
or managerial controls.
● When the potential loss is substantial: Apply design principles, architectural designs,
and technical and nontechnical protections to limit the extent of the attack, thereby
reducing the potential for loss.3
Once a control strategy has been selected and implemented, controls should be monitored and
measured on an ongoing basis to determine their effectiveness and to estimate the remaining
risk. Figure 9-3 shows how this cyclical process ensures that risks are controlled.
At a minimum, each information asset– threat pair should have a documented control strategy
that clearly identifies any residual risk that remains after the proposed strategy has been executed.
This control strategy articulates which of the four fundamental risk-reducing
approaches will be used and how the various approaches might be combined, and justifies the
findings by referencing the feasibility studies.
Some organizations document the outcome of the control strategy for each information asset–
threat pair in an action plan. This action plan includes concrete tasks with accountability for
each task being assigned to an organizational unit or to an individual. It may include hardware
and software requirements, budget estimates, and detailed timelines.
Feasibility and Cost-Benefit Analysis
Before deciding on the strategy (avoidance, transference, mitigation, or acceptance) for a specific
vulnerability, an organization must explore all readily accessible information about the
economic and noneconomic consequences of the vulnerability. This exploration attempts to
answer the question, “What are the actual and perceived advantages of implementing a control
as opposed to the actual and perceived disadvantages of implementing the control?”
While the advantages of a specific control can be identified in a number of ways, the primary
means is to determine the value of the information assets that it is designed to protect. There
are also many ways to identify the disadvantages associated with specific risk controls. The
following sections describe some of the more commonly used techniques for making these
choices. Some of these techniques use dollar-denominated expenses and savings from economic
cost avoidance, while others use noneconomic feasibility criteria. Cost avoidance is the
money saved by avoiding, via the implementation of a control, the financial ramifications of
an incident.
Cost-Benefit Analysis
The criterion most commonly used when evaluating a project that implements information
security controls and safeguards is economic feasibility. While any number of alternatives
may solve a particular problem, some are more expensive than others. Most organizations
can spend only a reasonable amount of time and money on information security, and the definition
of reasonable varies from organization to organization, and even from manager to
manager. Organizations can begin this type of economic feasibility analysis by valuing the
information assets and determining the loss in value if those information assets become
compromised. Common sense dictates that an organization should not spend more to protect an asset than it is worth. This decision-making process is called a cost-benefit analysis (CBA)
or an economic feasibility study.
Cost Just as it is difficult to determine the value of information, so it is difficult to determine
the cost of safeguarding it. Among the items that affect the cost of a control or safeguard
are the following:
● Cost of development or acquisition of hardware, software, and services
● Training fees (cost to train personnel)
● Cost of implementation (installing, configuring, and testing hardware, software, and
services)
● Service costs (vendor fees for maintenance and upgrades)
● Cost of maintenance (labor expense to verify and continually test, maintain, train, and
update)
Benefit The benefit is the value to the organization of using controls to prevent losses
associated with a specific vulnerability. It is usually determined by valuing the information
asset or assets exposed by the vulnerability and then determining how much of that value is
at risk, and how much risk exists for the asset. This result is expressed as the annualized loss
expectancy, which is defined later in this chapter.
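The chapter's acceptance example (the server that costs $100,000 a year to protect but only $10,000 to replace) and the cost-benefit analysis just described can be carried through numerically. The following is an added worked example, not code from the textbook. It assumes the standard formulas that this chapter defines later (single loss expectancy SLE = AV × EF, annualized loss expectancy ALE = SLE × ARO, and CBA = ALE before the control minus ALE after it minus the annual cost of the safeguard), and it encodes the accept-or-control decision from the Figure 9-2 flowchart: accept when the expected loss is absorbable or the attack does not pay for the attacker, otherwise pick the control with the best positive CBA, and fall back to documented acceptance when no control justifies its cost. The exposure factors, occurrence rates and the customer-database scenario are constructed for illustration.

```python
"""Cost-benefit analysis for choosing a risk control strategy (added example).

Assumed formulas (defined later in the chapter):
    SLE = AV * EF              single loss expectancy
    ALE = SLE * ARO            annualized loss expectancy
    CBA = ALE(prior) - ALE(post) - ACS   (ACS = annual cost of the safeguard)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exposure:
    """One information asset-threat pair, before or after a control is applied."""
    asset_value: float       # AV: dollar value of the asset (see Asset Valuation)
    exposure_factor: float   # EF: fraction of AV lost in one successful attack, 0.0..1.0
    aro: float               # ARO: expected successful attacks per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual exposure it leaves behind."""
    name: str
    annual_cost: float   # ACS: acquisition, training, implementation, service, maintenance
    residual: Exposure


def cba(before: Exposure, control: Control) -> float:
    """Annual benefit of a control after paying for it; positive means it pays for itself."""
    return before.ale() - control.residual.ale() - control.annual_cost


def choose_strategy(before: Exposure, controls: List[Control], absorbable_annual_loss: float,
                    attacker_gain: Optional[float] = None,
                    attack_cost: Optional[float] = None) -> Tuple[str, Optional[str], float]:
    """Walk the accept-or-control decision; returns (strategy, control name, CBA)."""
    # A loss the organization can absorb, or an attack that does not pay: acceptance.
    if before.ale() <= absorbable_annual_loss:
        return ("accept", None, 0.0)
    if attacker_gain is not None and attack_cost is not None and attacker_gain < attack_cost:
        return ("accept", None, 0.0)
    if not controls:
        return ("accept_no_feasible_control", None, 0.0)
    best = max(controls, key=lambda c: cba(before, c))
    best_cba = cba(before, best)
    if best_cba > 0:
        return ("control", best.name, best_cba)
    # Every candidate costs more than the loss it prevents: accept, and document the residual risk.
    return ("accept_no_feasible_control", None, best_cba)


def server_example() -> Tuple[str, Optional[str], float]:
    """The chapter's server: $10,000 replaces server, data and recovery; $100,000/yr protects it.
    EF = 1.0 and ARO = 1.0 (one total loss per year) are pessimistic assumptions for illustration."""
    before = Exposure(asset_value=10_000, exposure_factor=1.0, aro=1.0)          # ALE = 10,000
    protect = Control("full protection", annual_cost=100_000,
                      residual=Exposure(10_000, 1.0, 0.0))                        # ALE = 0
    return choose_strategy(before, [protect], absorbable_annual_loss=5_000)


def database_example() -> Tuple[str, Optional[str], float]:
    """Constructed customer-database case in which a control does pay for itself."""
    before = Exposure(asset_value=2_000_000, exposure_factor=0.25, aro=0.5)       # ALE = 250,000
    controls = [
        Control("encryption + access control", 60_000,
                Exposure(2_000_000, 0.125, 0.125)),                               # ALE = 31,250
        Control("log monitoring only", 10_000,
                Exposure(2_000_000, 0.25, 0.25)),                                 # ALE = 125,000
    ]
    return choose_strategy(before, controls, absorbable_annual_loss=50_000)


if __name__ == "__main__":
    print(server_example())    # ('accept_no_feasible_control', None, -90000.0)
    print(database_example())  # ('control', 'encryption + access control', 158750.0)
```

The server case ends in acceptance because the best available control has a negative CBA (it would cost $90,000 a year more than the loss it prevents), which is exactly the condition the acceptance criteria above require to be documented. The database case shows the more common outcome: the cheaper control has a positive CBA too, but the decision goes to the control with the largest net benefit, not the lowest price.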
Asset Valuation Asset valuation is the process of assigning financial value or worth to
each information asset. As you learned in Chapter 8, the value of information differs within
organizations and between organizations. Some argue that it is virtually impossible to determine
accurately the true value of information and information-bearing assets, which is perhaps
one reason why insurance underwriters currently have no definitive valuation tables
for information assets. Asset valuation can draw on the assessment of information assets
performed as part of the risk identification process you learned about in Chapter 8.
Asset valuation can involve the estimation of real or perceived costs. These costs can be selected
from any or all of those associated with the design, development, installation, maintenance,
protection, recovery, and defense against loss or litigation. Some costs are easily determined,
such as the cost to replace a network switch or the hardware needed for a specific class of
server. Other costs are almost impossible to determine, such as the dollar value of the loss in
market share if information on a firm’s new product offerings were released prematurely and
the company lost its competitive edge. A further complication is that some information assets
acquire value over time that is beyond their intrinsic value, the essential worth of the asset
under consideration. This higher acquired value is the more appropriate value in most cases.
Asset valuation must account for the following:
● Value retained from the cost of creating the information asset: Information is created
or acquired at a cost which can be calculated or estimated. For example, many organizations
have developed extensive cost-accounting practices to capture the costs associated
with collecting and processing data, as well as developing and maintaining software.
Software development costs include the efforts of the many people involved in the
systems development life cycle for each application and system. Although this effort
draws mainly on IT personnel, it also includes the user and general management community
and sometimes the information security staff. In today’s marketplace, with high programmer salaries and even higher contractor expenses, the average cost to complete
even a moderately sized application can quickly escalate. For example, multimedia-based
training software that requires 350 hours of development for each hour of content
will require the expenditure of as much as $10,000 per hour.
● Value retained from past maintenance of the information asset: It is estimated that for
every dollar spent to develop an application or to acquire and process data, many more
dollars are spent on maintenance over the useful life of the data or software. If actual
costs have not been recorded, the cost can be estimated in terms of the human resources
required to continually update, support, modify, and service the applications and systems.
● Value implied by the cost of replacing the information: The costs associated with
replacing information should include the human and technical resources needed to
reconstruct, restore, or regenerate the information from backups, independent transactions
logs, or even hard copies of data sources. Most organizations rely on routine
media backups to protect their information. When estimating recovery costs, keep in
mind that you may have to hire contractors to carry out the regular workload that
employees will be unable to perform during recovery efforts. Also, real-time information
may not be recoverable from a tape backup, unless the system has built-in journaling
capabilities. To restore this information, the various information sources may
have to be reconstructed, and the data reentered into the system and validated for
accuracy. This restoration can take longer than it took to create the data initially.
● Value from providing the information: Separate from the cost of developing or maintaining
the information is the cost of providing the information to those users who need
it. Such costs include the values associated with the delivery of the information through
databases, networks, and hardware and software systems. They also include the cost of
the infrastructure necessary to provide access to and control of the information.
● Value acquired from the cost of protecting the information: The value of an asset is based
in part on the cost of protecting it, and the amount of money spent to protect an asset is
based in part on the value of the asset. While this is a seemingly unending circle, estimating
the value of protecting an information asset can help you to better understand the
expense associated with its potential loss. The values listed previously are easy to calculate
with some precision. This value and those that follow are likely to be estimates of cost.
● Value to owners: How much is your Social Security number worth to you? Or your
telephone number? Placing a value on information can be quite a daunting task. A market
researcher collects data from a company’s sales figures and determines that a new
product offering has a strong potential market appeal to members of a certain age
group. While the cost of creating this new information may be small, how much is the
new information actually worth? It could be worth millions if it successfully captures a
new market share. Although it may be impossible to estimate the value of information to
an organization or what portion of revenue is directly attributable to that information, it
is vital to understand the overall cost that could be a consequence of its loss so as to
better realize its value. Here again, estimating value may be the only method possible.
● Value of intellectual property: The value of a new product or service to a customer may
ultimately be unknowable. How much would a cancer patient pay for a cure? How
much would a shopper pay for a new flavor of cheese? What is the value of a logo or
advertising slogan? Related but separate are intellectual properties known as trade
secrets. Intellectual information assets are the primary assets of some organizations.
● Value to adversaries: How much is it worth to an organization to know what the
competition is doing? Many organizations have established departments tasked with
the assessment and estimation of the activities of their competition. Even organizations
in traditionally nonprofit industries can benefit from knowing what is going on
in political, business, and competitive organizations. Stories of industrial espionage
abound, including the urban legend of Company A encouraging its employees to hire
on as janitors at Company B. As custodial workers, the employees could snoop
through open terminals, photograph and photocopy unsecured documents, and rifle
through internal trash and recycling bins. Such legends support a widely accepted
concept: Information can have extraordinary value to the right individuals. Similarly,
stories are circulated of how disgruntled employees, soon to be terminated, might steal
information and present it to competitive organizations to curry favor and land new
employment. Those who hire such applicants in an effort to gain from their larceny
should consider whether benefiting from such a tactic is wise. After all, such thieves
could presumably repeat their activities when they become disgruntled with their
newest employers.
● Loss of productivity while the information assets are unavailable: When a power failure
occurs, effective use of uninterruptible power supply (UPS) equipment can prevent
data loss, but users cannot create additional information. Although this is not an
example of an attack that damages information, it is an instance in which a threat
(deviations in quality of service from service providers) affects an organization’s
productivity. The hours of wasted employee time, the cost of using alternatives, and
the general lack of productivity will incur costs and can severely set back a critical
operation or process.
● Loss of revenue while information assets are unavailable: Have you ever been in a
retail store when your credit card would not scan? How many times did the salesperson
rescan the card before resorting to entering the numbers manually? How long did
it take to enter the numbers manually in contrast to the quick swipe? What if the
credit card verification process was off-line? Did the organization have a manual process
to validate or process credit card payment in the absence of the familiar approval
system? Many organizations have all but abandoned manual backups for automated
processes. Sometimes, businesses may even have to turn away customers because their
automated payments systems are inoperative. Most grocery stores no longer label
each item with the price, because the UPC scanners and the related databases calculate
the costs and inventory levels dynamically. Without these systems, could your grocery
store sell goods? How much would the store lose if it could not? It has been estimated
that “43 percent of all businesses that close their doors due to a disaster or crisis, even
for one day, never reopen them again. An additional 28 percent fail during the next
three to five years.”4 Imagine, instead of a grocery store, an online book retailer such
as Amazon.com suffering a power outage. The entire operation is instantly closed.
Even if Amazon’s offering system were operational, what if the payment systems were
offline? Customers could make selections, but could not complete their purchases.
While dotcom businesses may be more susceptible to suffering a loss of revenue as a
result of a loss of information, most organizations would be unable to conduct business
if certain pieces of information were unavailable.
Once an organization has estimated the worth of various assets, it can begin to calculate the
potential loss from the exploitation of a vulnerability or a threat occurrence. This process yields the estimate of potential loss per risk. The questions that must be asked at this stage
include the following:
● What damage could occur, and what financial impact would it have?
● What would it cost to recover from the attack, in addition to the financial impact of
damage?
● What is the single loss expectancy for each risk?