You should adopt naming standards that do not convey information to potential system attackers.

13/11/2020 Client: arwaabdullah Deadline: 3 days

RISK MITIGATION AND THREAT IDENTIFICATION

Introduction

Information security in a modern organization exists primarily to manage information technology (IT) risk. Managing risk is one of the key responsibilities of every manager within an organization. In any well-developed risk management program, two formal processes are at work. The first, risk identification and assessment, is discussed in this chapter; the second, risk control, is the subject of the next chapter.

Each manager in the organization, regardless of his or her affiliation with one of the three communities of interest, should focus on reducing risk as follows:

● General management must structure the IT and information security functions in ways that will result in the successful defense of the organization’s information assets, including data, hardware, software, procedures, and people.

● IT management must serve the information technology needs of the broader organization and at the same time exploit the special skills and insights of the information security community.

● Information security management must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to balance the constant trade-offs between information system utility and security.

Risk Management

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.1

Accountability for Risk Management

All three communities of interest bear responsibility for the management of risks, and each has a particular strategic role to play.

● Information security: Because members of the information security community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk.

● Information technology: This group must help to build secure systems and ensure their safe operation. For example, IT builds and operates information systems that are mindful of operational risks and have proper controls implemented to reduce risk.

● Management and users: When properly trained and kept aware of the threats faced by the organization, this group plays a part in the early detection and response process. Members of this community also ensure that sufficient resources (money and personnel) are allocated to the information security and information technology groups to meet the security needs of the organization. For example, business managers must ensure that supporting records for orders remain intact in case of data entry error or transaction corruption. Users must be made aware of threats to data and systems, and educated on practices that minimize those threats.

All three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. To do so, they must be actively involved in the following activities:

● Evaluating the risk controls

● Determining which control options are cost effective

● Acquiring or installing the appropriate controls

● Overseeing processes to ensure that the controls remain effective

● Identifying risks, which includes:

  ● Creating an inventory of information assets

  ● Classifying and organizing those assets into meaningful groups

  ● Assigning a value to each information asset

  ● Identifying threats to the cataloged assets

  ● Pinpointing vulnerable assets by tying specific threats to specific assets

● Assessing risks, which includes:

  ● Determining the likelihood that vulnerable systems will be attacked by specific threats

  ● Assessing the relative risk facing the organization’s information assets, so that risk management and control activities can focus on assets that require the most urgent and immediate attention

  ● Calculating the risks to which assets are exposed in their current setting

  ● Looking in a general way at controls that might come into play for identified vulnerabilities and ways to control the risks that the assets face

  ● Documenting the findings of risk identification and assessment

● Summarizing the findings, which involves stating the conclusions of the analysis stage of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to mitigate risk

Risk Identification

Risk identification begins with the process of self-examination. At this stage, managers identify the organization’s information assets, classify and categorize them into useful groups, and prioritize them by their overall importance. This can be a daunting task, but it must be done to identify weaknesses and the threats they present.

Creating an Inventory of Information Assets

The risk identification process begins with the identification of information assets, including people, procedures, data, software, hardware, and networking elements. This step should be done without prejudging the value of each asset; values will be assigned later in the process.

The standard IT system components (people, procedures, data, software, hardware, and networks) can be broken down further for risk management purposes. More specifically:

● People are divided into insiders (employees) and outsiders (nonemployees). Insiders come in two categories: either they hold trusted roles and have correspondingly greater authority and accountability, or they are regular staff without any special privileges. The group of outsiders consists of other users who have access to the organization’s information assets.

● Procedures are assets since they are used to create value for the organization. They are split into two categories: IT and business standard procedures, and IT and business sensitive procedures. Sensitive procedures have the potential to enable an attack or to otherwise introduce risk to the organization. For example, the procedures used by a telecommunications company to activate new circuits pose special risks because they reveal aspects of the inner workings of a critical process that can be subverted by outsiders for the purpose of obtaining unbilled, illicit services.

● Data components account for information in all states: transmission, processing, and storage. These categories expand the conventional use of the term data, which is usually associated with databases, not the full range of information used by modern organizations.

● Software elements can be inventoried in one of three categories: applications, operating systems, or security components. Software components that provide security controls may fall into the operating systems or applications category, but are differentiated by the fact that they are part of the information security control environment and must be protected more thoroughly than other systems components.

● Hardware is split into two categories: the usual systems devices and their peripherals, and the devices that are part of information security control systems. The latter must be protected more thoroughly than the former.

● Networking components are extracted from software and hardware because networking subsystems are often the focal point of attacks against a system. Of course, most computer systems today include networking elements. You will have to determine whether a device is primarily a computer or primarily a networking device. A server computer that is used exclusively as a proxy server or bastion host may be classified as a networking component, while an identical server configured as a database server may be classified as hardware. For this reason, they should be considered separately, rather than combined with general hardware and software components.

Identifying Hardware, Software, and Network Assets

Many organizations use purchased asset inventory systems to keep track of their hardware, network, and perhaps software components. Numerous packages are available in the market today, and it is up to the CISO or CIO to determine which package best serves the needs of the organization. Organizations that do not use an automated inventory system must create an equivalent manual process.

Whether automated or manual, the inventory process requires a certain amount of planning. Most importantly, you must determine which attributes of each of these information assets should be tracked. That determination will depend on the needs of the organization and its risk management efforts, as well as the preferences and needs of the information security and information technology communities. When deciding which attributes to track for each information asset, consider the following list of potential attributes:

● Name: A list of all names commonly used for the device or program; some organizations may have several names for the same product, and each of them should be cross-referenced in the inventory. This redundancy accommodates the usage across the organization and makes it accessible for everyone. No matter how many names you track or how you select a name, always provide a definition of the asset in question. Adopt naming standards that do not convey critical information to potential system attackers. For instance, a server named CASH1 or HQ_FINANCE may entice attackers.

● Asset Tag: Used to facilitate tracking of assets; asset tags are unique numbers assigned to assets during the acquisition process.

● IP address: An attribute that is useful for network devices and servers but rarely applies to software; you can, however, use a relational database and track software instances on specific servers or networking devices. Many larger organizations use the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed, making the use of IP numbers as part of the asset identification process very difficult.

● MAC address: Also called an electronic serial number or hardware address; as per the TCP/IP standard, all network interface hardware devices have a unique number. The network operating system uses this number to identify specific network devices. The client’s network software uses it to recognize traffic that it needs to process. In most settings, MAC addresses can be a useful way to track connectivity, but they can be spoofed by some hardware/software combinations.

● Asset type: An attribute that describes the function of each asset; for hardware assets, develop a list of possible asset types that includes servers, desktops, networking devices, and test equipment. For software assets, develop a list that includes operating systems, custom applications by type (accounting, human resources, or payroll, to name a few), and packaged applications and/or specialty applications (such as firewall programs). The degree of specificity is determined by the needs of the organization. Asset types can be recorded at two or more levels of specificity by first recording one attribute that classifies the asset at a high level, and then adding attributes for more detail. For example, one server might be listed as follows:

  DeviceClass = S (server)
  DeviceOS = W2K (Windows 2000)
  DeviceCapacity = AS (Advanced Server)

● Serial number: A number that uniquely identifies a specific device; some software vendors also assign a software serial number to each instance of the program licensed by the organization.

● Manufacturer name: An attribute that can be useful for analyzing threat outbreaks when certain manufacturers announce specific vulnerabilities.

● Manufacturer’s model or part number: A number that identifies exactly what the asset is; it can be very useful in later analysis of vulnerabilities, because some threats apply only to specific models of certain devices and/or software components.

● Software version, update revision, or FCO number: Current information about software and firmware versions and, for hardware devices, the current field change order (FCO) number; a field change order occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. Tracking this information is particularly important when inventorying networking devices that function mainly through the software running on them. For example, firewall devices often have three versions: an operating system version, a software version, and a Basic Input/Output System (BIOS) firmware version. Depending on an organization’s needs, the inventory may have to track each of those version values for each asset.

● Physical location: An attribute that does not apply to software elements; nevertheless, some organizations may have license terms that indicate where software can be used.

● Logical location: An attribute that specifies where an asset can be found on the organization’s network; the logical location is most applicable to networking devices and indicates the logical network segment (sometimes labeled a VLAN) that houses the device.

● Controlling entity: The organizational unit that controls the asset; a remote location’s on-site staff may sometimes be placed in control of network devices; at other organizations, a central corporate group may control all network devices. The inventory should determine which group controls each specific asset, as the controlling group will want a voice in determining how much risk that device can tolerate and how much expense it can sustain to add controls.

Identifying People, Procedures, and Data Assets

Unlike hardware and software, human resources, documentation, and data information assets are not as readily identified and documented. Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment. As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.

The record-keeping system should be flexible, allowing you to link assets to attributes based on the nature of the information asset being tracked. Some basic attributes for various classes of assets are:

People

● Position name/number/ID: Avoid names; use position titles, roles, or functions

● Supervisor name/number/ID: Avoid names; use position titles, roles, or functions

● Security clearance level

● Special skills

Procedures

● Description

● Intended purpose

● Software/hardware/networking elements to which it is tied

● Location where it is stored for reference

● Location where it is stored for update purposes

Data

● Classification

● Owner/creator/manager

● Size of data structure

● Data structure used; for example, sequential or relational

● Online or offline

● Location

● Backup procedures

Consider carefully what should be tracked for specific assets. Often larger organizations find that they can effectively track only a few valuable facts about the most critical information assets. For instance, a company may track only IP address, server name, and device type for its mission-critical servers. The organization might forgo additional attribute tracking on all devices, and completely omit the tracking of desktop or laptop systems.

Classifying and Categorizing Assets

Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization’s risk management program. Such a review may cause managers to further subdivide the categories listed in Table 8-1 or to create new categories that better meet the needs of the risk management program. For example, if the category Internet components is deemed too general, it could be further divided into subcategories of servers, networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and cabling.

The inventory should also reflect the sensitivity and security priority assigned to each information asset. A classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs. Consider the following classification scheme for an information asset: confidential, internal, and public. Each of these classification categories designates the level of protection needed for a particular information asset. Some asset types, such as personnel, may require an alternative classification scheme that would identify the information security processes used by the asset type. For example, based on need-to-know and right-to-update, an employee might be given a certain level of security clearance, which identifies the level of information that individual is authorized to use. A more detailed discussion of classification schemes is provided later in this chapter in the section entitled “Data Classification Model.”

Classification categories must be comprehensive and mutually exclusive. Comprehensive means that all inventoried assets fit into a category; mutually exclusive means that each asset is found in only one category. For example, an organization may have a public key infrastructure certificate authority, which is a software application that provides cryptographic key management services. Using a purely technical standard, a manager could categorize the application in the asset list of Table 8-1 as software, a general grouping with no special classification priority. Because the certificate authority must be carefully protected as part of the information security infrastructure, it should be categorized into a higher priority classification, such as software/security component/cryptography, and it should be verified that no overlapping category exists, such as software/security component/PKI.
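The two properties above can be checked mechanically once the inventory is recorded. The following is an added example, not code from the textbook: it takes an inventory in which each asset is filed under zero or more hierarchical categories (slash-separated paths, as in the certificate authority example) and reports assets in no category (the scheme is not comprehensive), assets in more than one category and the category pairs that overlap (the scheme is not mutually exclusive). The category scheme, asset names and assignments are constructed sample data.

```python
"""Check that an asset classification scheme is comprehensive and mutually
exclusive: every inventoried asset lands in exactly one category and no two
categories share an asset.  All names and assignments below are constructed."""

from collections import defaultdict

# Constructed category scheme; each leaf category is a slash-separated path.
CATEGORIES = {
    "people/insiders/trusted",
    "people/insiders/staff",
    "people/outsiders",
    "procedures/standard",
    "procedures/sensitive",
    "data",
    "software/applications",
    "software/operating systems",
    "software/security component/cryptography",
    "software/security component/PKI",   # overlaps with .../cryptography
    "hardware/systems",
    "hardware/security control devices",
    "networking",
}

# Constructed inventory: asset name -> set of categories it was filed under.
INVENTORY = {
    "certificate authority": {"software/security component/cryptography",
                              "software/security component/PKI"},
    "payroll application": {"software/applications"},
    "circuit activation procedure": {"procedures/sensitive"},
    "bastion host": {"networking"},
    "spare keypunch machine": set(),   # inventoried but never categorized
}


def check_scheme(inventory, categories):
    """Return (uncategorized, multiply_categorized, unknown_category).

    uncategorized        assets in no category       -> scheme not comprehensive
    multiply_categorized assets in several categories -> not mutually exclusive
    unknown_category     assets filed under a category the scheme does not define
    """
    uncategorized, multiple, unknown = [], [], []
    for asset, cats in sorted(inventory.items()):
        if not cats:
            uncategorized.append(asset)
        elif len(cats) > 1:
            multiple.append((asset, sorted(cats)))
        if cats - categories:
            unknown.append((asset, sorted(cats - categories)))
    return uncategorized, multiple, unknown


def overlapping_categories(inventory):
    """Category pairs that share at least one asset, with the shared assets."""
    members = defaultdict(set)
    for asset, cats in inventory.items():
        for cat in cats:
            members[cat].add(asset)
    names = sorted(members)
    pairs = []
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            shared = members[first] & members[second]
            if shared:
                pairs.append((first, second, sorted(shared)))
    return pairs


def merge_categories(inventory, merges):
    """Return a new inventory with each category in `merges` replaced by its
    target; used to fold an overlapping category into the one that is kept."""
    return {asset: {merges.get(cat, cat) for cat in cats}
            for asset, cats in inventory.items()}


if __name__ == "__main__":
    print("uncategorized / multiple / unknown:", check_scheme(INVENTORY, CATEGORIES))
    print("overlaps:", overlapping_categories(INVENTORY))
    fixed = merge_categories(INVENTORY, {
        "software/security component/PKI": "software/security component/cryptography"})
    print("after merging PKI into cryptography:", check_scheme(fixed, CATEGORIES))
```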

Assessing Values for Information Assets

As each information asset is identified, categorized, and classified, a relative value must also be assigned to it. Relative values are comparative judgments intended to ensure that the most valuable information assets are given the highest priority when managing risk. It may be impossible to know in advance—in absolute economic terms—what losses will be incurred if an asset is compromised; however, a relative assessment helps to ensure that the higher-value assets are protected first.

As each information asset is assigned to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation or impact evaluation. It may be useful to refer to the information collected in the BIA process (covered in Chapter 3) to help you assess a value for an asset. You can use a worksheet, such as the one shown in Figure 8-2, to collect the answers for later analysis.

● Which information asset is the most critical to the success of the organization? When determining the relative importance of each information asset, refer to the organization’s mission statement or statement of objectives. From this source, determine which assets are essential for meeting the organization’s objectives, which assets support the objectives, and which are merely adjuncts. For example, a manufacturing company that makes aircraft engines may decide that the process control systems that control the machine tools on the assembly line are the first order of importance. While shipping and receiving data entry consoles are important to those functions, they may be less critical if alternatives are available or can be easily arranged. Another example is an online organization such as Amazon.com. The Web servers that advertise the company’s products and receive its orders 24 hours a day are essential, whereas the desktop systems used by the customer service department to answer customer e-mails are less critical.

● Which information asset generates the most revenue? The relative value of an information asset depends on how much revenue it generates—or, in the case of a nonprofit organization, how critical it is to service delivery. Some organizations have different systems in place for each line of business or service they offer. Which of these assets plays the biggest role in generating revenue or delivering services?

● Which information asset generates the highest profitability? Managers should evaluate how much profit depends on a particular asset. For instance, at Amazon.com, some servers support the book sales operations, others support the auction process, and still others support the customer book review database. Which of these servers contributes the most to the profitability of the business? Although important, the review database server does not directly generate profits. Note the distinction between revenues and profits: Some systems on which revenues depend operate on thin or nonexistent margins and do not generate profits. In nonprofit organizations, you can determine what percentage of the agency’s clientele receives services from the information asset being evaluated.

● Which information asset is the most expensive to replace? Sometimes an information asset acquires special value because it is unique. If an enterprise still uses a Model-129 keypunch machine to create special punch-card entries for a critical batch run, for example, that machine may be worth more than its cost, because spare parts or service providers may no longer be available. Another example is a specialty device with a long delivery time frame because of manufacturing or transportation requirements. Organizations must control the risk of loss or damage to such unique assets—for example, by buying and storing a backup device.

● Which information asset is the most expensive to protect? Some assets are by their nature difficult to protect, and formulating a complete answer to this question may not be possible until after the risk identification phase is complete, because the costs of controls cannot be computed until the controls are identified. However, you can still make a preliminary assessment of the relative difficulty of establishing controls for each asset.

● Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability? Almost every organization is aware of its image in the local, national, and international spheres. Loss or exposure of some assets would prove especially embarrassing. Microsoft’s image, for example, was tarnished when an employee’s computer system became a victim of the QAZ Trojan horse, and the latest version of Microsoft Office was stolen.2

You may also need to identify and add other institution-specific questions to the evaluation process.

Listing Assets in Order of Importance

The final step in the risk identification process is to list the assets in order of importance. This goal can be achieved by using a weighted factor analysis worksheet similar to the one shown in Table 8-2. In this process, each information asset is assigned a score for each critical factor. Table 8-2 uses the NIST SP 800-30 recommended values of 0.1 to 1.0. (NIST SP 800-30, Risk Management for Information Technology Systems, is published by the National Institute of Standards and Technology and is covered in detail in Chapter 9. Your organization may choose to use another weighting system.) Each criterion has an assigned weight showing its relative importance in the organization.

A quick review of Table 8-2 shows that the Customer order via SSL (inbound) data flow is the most important asset on this worksheet, and that the EDI Document Set 2—Supplier fulfillment advice (inbound) is the least critical asset.
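The weighted factor analysis just described, as an added example that is not the textbook's own worksheet: each asset receives a score between 0.1 and 1.0 on every criterion (the NIST SP 800-30 range the text cites), each criterion carries a weight, and the weighted sum ranks the assets. The three criterion names, the weights (assumed to sum to 100), the asset list and all scores are constructed sample values chosen so that the ranking matches the text's conclusion; they are not the figures of Table 8-2.

```python
"""Weighted factor analysis worksheet for ranking information assets.
Criterion names, weights, assets and scores below are constructed samples."""

# Constructed criterion weights; assumed to sum to 100 so that an asset
# scoring 1.0 everywhere totals 100.
CRITERIA_WEIGHTS = {
    "impact to revenue": 30,
    "impact to profitability": 40,
    "impact to public image": 30,
}

# Constructed inventory of data-flow assets with a 0.1-1.0 score per criterion.
ASSETS = {
    "Customer order via SSL (inbound)":
        {"impact to revenue": 1.0, "impact to profitability": 1.0, "impact to public image": 1.0},
    "EDI Document Set 2—Supplier orders (outbound)":
        {"impact to revenue": 0.8, "impact to profitability": 0.9, "impact to public image": 0.6},
    "EDI Document Set 1—Logistics BOL to outsourcer (outbound)":
        {"impact to revenue": 0.8, "impact to profitability": 0.9, "impact to public image": 0.5},
    "Customer service request via e-mail (inbound)":
        {"impact to revenue": 0.4, "impact to profitability": 0.4, "impact to public image": 0.9},
    "EDI Document Set 2—Supplier fulfillment advice (inbound)":
        {"impact to revenue": 0.4, "impact to profitability": 0.5, "impact to public image": 0.3},
}


def validate_weights(weights):
    """Weights must be positive and sum to 100 (an assumption of this example)."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("criterion weights must be positive")
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criterion weights must sum to 100")


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Weighted sum of an asset's criterion scores, rounded to one decimal.
    Rejects scores outside the NIST SP 800-30 range of 0.1 to 1.0 and
    assets that were not scored on every criterion."""
    validate_weights(weights)
    if set(scores) != set(weights):
        raise ValueError("asset must be scored on exactly the weighted criteria")
    for criterion, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"{criterion}: score {score} outside range 0.1-1.0")
    return round(sum(weights[c] * scores[c] for c in weights), 1)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """List of (asset, weighted score), highest score first; ties broken by name."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def render_worksheet(assets, weights=CRITERIA_WEIGHTS):
    """Plain-text worksheet: one row per asset, criterion scores, weighted score."""
    criteria = list(weights)
    header = ["Information asset"] + [f"{c} ({weights[c]})" for c in criteria] + ["Weighted score"]
    rows = [header]
    for name, total in rank_assets(assets, weights):
        rows.append([name] + [f"{assets[name][c]:.1f}" for c in criteria] + [f"{total:.1f}"])
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join("  ".join(cell.ljust(w) for cell, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(render_worksheet(ASSETS))
```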

Threat Identification

As mentioned at the beginning of this chapter, the ultimate goal of risk identification is to assess the circumstances and setting of each information asset to reveal any vulnerabilities. Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat identification.

Any organization typically faces a wide variety of threats. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end. At every step the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.

Identify and Prioritize Threats and Threat Agents

Chapter 2 identified 12 categories of threats to information security, which are listed alphabetically in Table 8-3. Each of these threats presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. In general, this process is referred to as threat assessment. Posing the following questions can help you understand the threat and its potential effects on an information asset:

● Which threats present a danger to this organization’s information assets in its current environment? Not all threats endanger every organization, of course. Examine each of the categories in Table 8-3, and eliminate any that do not apply to your organization. While it is unlikely that you can eliminate an entire category of threats, if you can, it speeds the threat assessment process. The Offline feature entitled “Threats to Information Security” describes the threats that some CIOs of major companies identified for their organizations. Although the Offline feature directly addresses only information security, note that a weighted ranking of threats should be compiled for any information asset that is at risk. Once you have determined which threats apply to your organization, identify particular examples of threats within each category, eliminating those that are not relevant. For example, a company with offices on the 23rd floor of a high-rise building in Denver, Colorado, might not be subject to flooding. Similarly, a firm with an office in Oklahoma City, Oklahoma, might not be concerned with landslides.

● Which threats represent the gravest danger to the organization’s information assets? The amount of danger posed by a threat is sometimes difficult to assess. It may be simply the probability of a threat attacking the organization, or it may reflect the amount of damage that the threat could create or the frequency with which an attack can occur. During this preliminary assessment phase, the analysis is limited to examining the existing level of preparedness and improving the strategy of information security. The results should give a quick overview of the components involved.

As you will discover in Chapter 9, you can use both quantitative and qualitative measures to rank values. Since information in this case is preliminary, the organization may want to rank threats subjectively in order of danger. Alternatively, it may simply rate each of the threats on a scale of 1 to 5, with 1 designating insignificant threats and 5 designating highly significant threats.

Frequency of Attacks

Remarkably, detected attacks are decreasing. After a peak in 2000, the number of organizations reporting unauthorized use of computer systems has been declining steadily, while the amount reporting no unauthorized access has been increasing. Unfortunately, the number of organizations reporting that they just do not know is holding steady.3 The fact is, almost every company has experienced an attack. Whether that attack was successful depends on the company’s security efforts; whether the perpetrators were caught or the organization was willing to report the attack is another matter entirely.

● How much would it cost to recover from a successful attack? One of the calculations that guides corporate spending on controls is the cost of recovery operations if an attack occurs and is successful. At this preliminary phase, it is not necessary to conduct a detailed assessment of the costs associated with recovering from a particular attack. Instead, organizations often create a subjective ranking or listing of the threats based on recovery cost. Alternatively, you could assign a rating for each threat on a scale of 1 to 5, with 1 representing “not expensive at all” and 5 representing “extremely expensive.” If the information is available, a raw value (such as $5,000, $10,000, or $2 million) can be assigned. In other words, the goal at this phase is to provide a rough assessment of the cost to recover operations should the attack interrupt normal business operations.

● Which threats would require the greatest expenditure to prevent? Another factor that affects the danger posed by a particular threat is the amount it would cost to protect against that threat. Controlling some threats has a nominal cost, as in protections from malicious code, while other protective strategies are very expensive, as in protections from forces of nature. Here again the manager ranks, rates, or attempts to quantify the level of danger associated with protecting against a particular threat by using the same techniques outlined earlier for calculating recovery costs. Look at the Offline feature on expenditure for threats to see how some top executives recently handled this issue.

This list of questions may not cover everything that affects risk identification. An organization’s specific guidelines or policies should influence the process and will inevitably require that some additional questions be answered.

Vulnerability Assessment

Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. What are vulnerabilities? They are specific avenues that threat agents can exploit to attack an information asset. In other words, they are chinks in the asset’s armor—a flaw or weakness in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security. For example, Table 8-4 analyzes the threats to and possible vulnerabilities of a DMZ router.

A list like the one in Table 8-4 must be created for each information asset to document its vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities of the information asset. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities for that asset–threat pair. Of necessity, the process of listing vulnerabilities is somewhat subjective and is based on the experience and knowledge of the people who create the list. Therefore, the process works best when groups of people with diverse backgrounds work together in a series of brainstorming sessions. For instance, the team that reviews the vulnerabilities for networking equipment should include networking specialists, the systems management team that operates the network, information security risk specialists, and even technically proficient users of the system.

The TVA Worksheet

At the end of the risk identification process, an organization should have a prioritized list of assets and their vulnerabilities. This list serves as the starting point (with its supporting documentation from the identification process) for the next step in the risk management process: risk assessment. Another list prioritizes threats facing the organization based on the weighted table discussed earlier. These two lists can be combined into a Threats-Vulnerabilities-Assets (TVA) worksheet, in preparation for the addition of vulnerability and control information during risk assessment. Along one axis lies the prioritized set of assets. Table 8-5 shows the placement of assets along the horizontal axis, with the most important asset at the left. The prioritized list of threats is placed along the vertical axis, with the most important or most dangerous threat listed at the top. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simplistic vulnerability assessment. We now have a starting point for our risk assessment, along with the other documents and forms.

As you begin the risk assessment process, create a list of the TVA “triples” to facilitate your examination of the severity of the vulnerabilities. For example, between Threat 1 and Asset 1 there may or may not be a vulnerability. After all, not all threats pose risk to all assets. If a pharmaceutical company’s most important asset is its research and development database, and that database resides on a stand-alone network (that is, one that is not connected to the Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized as follows:

T1V1A1: Vulnerability 1 that exists between Threat 1 and Asset 1

T1V2A1: Vulnerability 2 that exists between Threat 1 and Asset 1

T2V1A1: Vulnerability 1 that exists between Threat 2 and Asset 1…

and so on.

In the risk assessment phase, discussed in the next section, not only are the vulnerabilities examined, but the assessment team also analyzes any existing controls that protect the asset from the threat or mitigate the losses that may occur. Cataloging and categorizing these controls is the next step in the TVA spreadsheet.

Risk Assessment

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process.

Introduction to Risk Assessment

The goal at this point is to create a method to evaluate the relative risk of each listed vulnerability. Chapter 9 describes how to determine more precise cost estimates for vulnerabilities as well as projected expenses for the controls that reduce the risks. For now, you can use the simpler risk model shown in Figure 8-3 to evaluate the risk for each information asset. The next section describes the factors used to calculate the relative risk for each vulnerability.

Likelihood

Likelihood is the overall rating (a numerical value on a defined scale) of the probability that a specific vulnerability will be exploited. In Special Publication 800-30, NIST recommends that vulnerabilities be assigned a likelihood rating between 0.1 (low) and 1.0 (high). For example, the likelihood of an employee or system being struck by a meteorite while indoors would be rated 0.1, while the likelihood of receiving at least one e-mail containing a virus or worm in the next year would be rated 1.0. You could also choose to use a number between 1 and 100, but not 0, since vulnerabilities with a 0 likelihood should have already been removed from the asset/vulnerability list. Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating, and use it consistently. Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances. For many asset/vulnerability combinations, existing sources have already determined their likelihood. For example:

● The likelihood of a fire has been estimated actuarially for each type of structure.

● The likelihood that any given e-mail will contain a virus or worm has been researched.

● The number of network attacks can be forecast depending on how many network addresses the organization has assigned.

Assessing Potential Loss

Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset. The actual number used will vary according to the needs of the organization. Some groups use a scale of 1 to 100, with 100 being reserved for those information assets whose loss would stop company operations within a few minutes. Other recommended scales, including the one in NIST SP 800-30, use assigned weights in broad categories, with all-important assets having a value of 100, low-criticality assets having a value of 1, and all other assets having a medium value of 50. Still other scales employ weights from 1 to 10, or assigned values of 1, 3, and 5 to represent low-, medium-, and high-valued assets, respectively. Alternatively, you can create unique weight values customized to your organization’s specific needs.

To be effective, the values must be assigned by asking the questions listed earlier in the section entitled “Identify and Prioritize Threats and Threat Agents.” These questions are restated here for easy reference:

● Which threats present a danger to this organization’s assets in its current environment?

● Which threats represent the gravest danger to the organization’s information assets?

● How much would it cost to recover from a successful attack?

● Which threats would require the greatest expenditure to prevent?

After reconsidering these questions, use the background information from the risk identification process and add to that information by posing yet another question:

● Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

The answer to this question determines the priorities used in the assessment of vulnerabilities. Which is the most important to the organization: the cost to recover from a threat attack or the cost to protect against a threat attack? More generally, which of the threats has the highest probability of successful attack? Recall that the purpose of risk assessment is to look at the threats an organization faces in its current state. Once these questions are answered, move to the next step in the process: examining how current controls can reduce the risk faced by specific vulnerabilities.

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty

It is not possible to know everything about every vulnerability, such as how likely an attack against an asset is, or how great an impact a successful attack would have on the organization. The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination

For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty. To see how this equation works, consider the following scenario:

● Information asset A has a value score of 50 and one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.

● Information asset B has a value score of 100 and two vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50 percent of its risk; Vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent accurate.

The resulting ranked list of risk ratings for the three vulnerabilities described above is as follows [(value times likelihood) minus risk mitigated plus uncertainty]:

● Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) − 0% + 10%, where

55 = (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)

55 = 50 − 0 + 5

● Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) − 50% + 20%, where

35 = (100 × 0.5) − ((100 × 0.5) × 0.5) + ((100 × 0.5) × 0.2)

35 = 50 − 25 + 10
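The risk determination equation carried through in code, as an added example that is not from the textbook: it rates the scenario's vulnerabilities (including Vulnerability 3, which the scenario defines but the list above does not rate; it comes out at 12), ranks them from highest to lowest, rejects the zero likelihood the Likelihood section says should already have been removed, and sets aside any vulnerability that an existing control fully manages. The class and function names are this example's own.

```python
"""Relative risk rating, as in the chapter's risk determination step:

    risk = (value x likelihood) - (value x likelihood x controlled)
                                + (value x likelihood x uncertainty)

Scenario values are the text's (assets A and B); the names and the
"set aside fully controlled vulnerabilities" handling are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One row of the ranked vulnerability risk worksheet."""
    label: str          # e.g. "Asset A / Vulnerability 1" (or a TVA triple such as T1V1A1)
    asset_value: float  # weighted asset value score (here on a 1..100 scale)
    likelihood: float   # NIST SP 800-30 style rating, 0.1 (low) .. 1.0 (high)
    controlled: float   # fraction of the risk mitigated by current controls, 0..1
    accuracy: float     # estimated accuracy of assumptions and data, 0..1


def uncertainty(accuracy: float) -> float:
    """The uncertainty factor is the complement of the accuracy estimate (90% accurate -> 10%)."""
    if not 0.0 <= accuracy <= 1.0:
        raise ValueError("accuracy must be a fraction between 0 and 1")
    return round(1.0 - accuracy, 6)  # drop float noise such as 0.0999... before rating


def risk_rating(v: Vulnerability) -> float:
    """Apply the equation to one vulnerability and return its relative risk score."""
    if not 0.0 < v.likelihood <= 1.0:
        # A zero-likelihood vulnerability belongs off the asset/vulnerability list, not here.
        raise ValueError(f"{v.label}: likelihood must be greater than 0 and at most 1.0")
    if not 0.0 <= v.controlled <= 1.0:
        raise ValueError(f"{v.label}: controlled must be a fraction between 0 and 1")
    base = v.asset_value * v.likelihood        # value x likelihood
    mitigated = base * v.controlled            # percentage of risk already controlled
    unknown = base * uncertainty(v.accuracy)   # element of uncertainty
    return round(base - mitigated + unknown, 2)


def rank_vulnerabilities(vulns):
    """Return (ranked, set_aside): (label, score) pairs from highest risk down, plus the
    vulnerabilities fully managed by an existing control, which are set aside unrated."""
    set_aside = [v for v in vulns if v.controlled >= 1.0]
    ranked = [(v.label, risk_rating(v)) for v in vulns if v.controlled < 1.0]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked, set_aside


# Constructed from the text's scenario: asset A (value 50, data 90% accurate) has
# Vulnerability 1; asset B (value 100, data 80% accurate) has Vulnerabilities 2 and 3.
SCENARIO = [
    Vulnerability("Asset A / Vulnerability 1", 50, 1.0, 0.0, 0.9),
    Vulnerability("Asset B / Vulnerability 2", 100, 0.5, 0.5, 0.8),
    Vulnerability("Asset B / Vulnerability 3", 100, 0.1, 0.0, 0.8),
]

if __name__ == "__main__":
    ranked, set_aside = rank_vulnerabilities(SCENARIO)
    for label, score in ranked:
        print(f"{label}: {score}")   # 55.0, 35.0, 12.0
```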

Likelihood and Consequences

Another approach to calculating risk based on likelihood is the likelihood and consequences rating from the Australian and New Zealand Risk Management Standard 4360, which uses qualitative methods to determine risk based on a threat’s probability of occurrence and expected results of a successful attack. Qualitative risk assessment is examined elsewhere in this chapter, but consists of using categories instead of actual numbers to determine risk.

Identify Possible Controls

For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas. The purpose of this list, which begins with the identification of extant controls, is to identify areas of residual risk that may or may not need to be reduced. Residual risk is the risk that remains even after the existing control has been applied. Controls, safeguards, and countermeasures are all terms used to describe security mechanisms, policies, and procedures. These mechanisms, policies, and procedures counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the general state of security within an organization.

Three general categories of controls exist: policies, programs, and technical controls. You learned about policies in Chapter 4. Programs are activities performed within the organization to improve security; they include security education, training, and awareness programs. Technical controls, also known as security technologies, are the technical implementations of the policies defined by the organization. These controls, whether in place or planned, should be added to the TVA worksheet as they are identified.

Access Controls

Access controls specifically address the admission of users into a trusted area of the organization. These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety. Access controls usually consist of a combination of policies, programs, and technologies.

A number of approaches to, and categories of, access controls exist. They can be mandatory, nondiscretionary, or discretionary. Each category of controls regulates access to a particular type or collection of information, as explained in Chapter 6.

Documenting the Results of Risk Assessment

The goal of the risk management process so far has been to identify information assets and their vulnerabilities and to rank them according to the need for protection. In preparing this list, a wealth of factual information about the assets and the threats they face is collected. Also, information about the controls that are already in place is collected.

Chapter Summary

■ Risk management examines and documents an organization’s information assets. Management is responsible for identifying and controlling the risks that an organization encounters. In the modern organization, the information security group often plays a leadership role in risk management.

■ A key component of a risk management strategy is the identification, classification, and prioritization of the organization’s information assets.

■ Assessment is the identification of assets, including all of the elements of an organization’s system: people, procedures, data, software, hardware, and networking elements.

■ The human resources, documentation, and data information assets of an organization are not as easily identified and documented as tangible assets, such as hardware and software. These more elusive assets should be identified and described using knowledge, experience, and judgment.

■ You can use the answers to the following questions to develop weighting criteria for information assets:

● Which information asset is the most critical to the success of the organization?

● Which information asset generates the most revenue?

● Which information asset generates the highest profitability?

● Which information asset is the most expensive to replace?

● Which information asset is the most expensive to protect?

● Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?

● What questions should be added to cover the needs of the specific organization and its environment?

■ After identifying and performing a preliminary classification of information assets, the threats facing an organization should be examined. There are 12 general categories of threats to information security.

■ Each threat must be examined during a threat assessment process that addresses the following questions: Which of these threats exist in this organization’s environment? Which are most dangerous to the organization’s information? Which require the greatest expenditure for recovery? Which require the greatest expenditure for protection?

■ Each information asset is evaluated for each threat it faces; the resulting information is used to create a list of the vulnerabilities that pose risks to the organization. This process results in an information asset and vulnerability list, which serves as the starting point for risk assessment.

■ A Threat-Vulnerability-Asset (TVA) worksheet lists the assets in priority order along one axis, and the threats in priority order along the other axis. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment.

■ The goal of risk assessment is the assignment of a risk rating or score that represents the relative risk for a specific vulnerability of a specific information asset.

■ If any specific vulnerability is completely managed by an existing control, it no longer needs to be considered for additional controls.

■ Controls, safeguards, and countermeasures should be identified for each threat and its associated vulnerabilities.

■ In general, three categories of controls exist: policies, programs, and technologies.

■ Access controls can be classified as mandatory, discretionary, or nondiscretionary.

■ The risk identification process should designate what function the resulting reports serve, who is responsible for preparing them, and who reviews them. The TVA worksheet and the ranked vulnerability risk worksheet are the initial working documents for the next step in the risk management process: assessing and controlling risk.
