CHAPTER 11


Information Assurance Risk Management


Whether government or private, organizations exist to provide value and benefits to their stakeholders. At the same time, they face uncertainty, which can be either a risk or an opportunity. The challenge for management is to decide how much risk it can accept to increase stakeholders’ value. Failure to manage risk reduces the benefits to the stakeholders and potentially exposes them to loss and negative effects. To succeed, management should design a strategy that overcomes risk while maximizing opportunities that come with it.

Information assurance risk management is essential for an effective information assurance management program and is integral to good management practice. As discussed in Chapter 12, risk assessment is one of the activities conducted during the planning stage of establishing the IAMS. It establishes the foundation for selecting and justifying the implementation of security controls. Initiating new ventures, implementing new services or systems, and changing processes or structure should be preceded by a security risk assessment exercise. This chapter provides an overview of the risk management concept and discusses its key elements.

Benefits of Risk Management


Organizations operate in a dynamic environment. A well-planned and executed risk management plan reduces organizational risk from an ever-changing environment. To manage risk, you must identify it.

A risk is the combination of a vulnerability that a threat may exploit and the potential impact on the affected asset. In information assurance, a risk exists only when all three factors are present: a threat, a vulnerability that threat can exploit, and a non-zero impact. Risk management is the application of a method, consisting of policies, procedures, and practices, for identifying these risk events. Its objective is to identify, analyze, treat, evaluate, and continually improve the way the organization manages its risk profile. In short, risk management is a means to identify, manage, and control risk.

Organizations should understand that risk identification and management is a proactive rather than a reactive process. Ignorance or mismanagement of risk results in the loss of asset values, stakeholders’ wealth and reputation, and other undesirable consequences. Risk management is not about avoiding risks altogether. It is recognizing the consequences of risks in a deliberate and systematic way, avoiding unnecessary risks and carefully managing the risks taken by accepting residual risk.

Good risk management yields a wide spectrum of benefits. Having proactive risk management evokes a sense of preparedness against unwelcome surprises or incidents. Preparedness boosts confidence and encourages positive behavior within the organizational culture. A well-done risk assessment will identify the real threats and vulnerabilities to organizational assets. If a strategy is based on this assessment, it will be better and usually more reliable. Consequently, limited resources can be focused more effectively to manage prioritized risks.

Risk Management Process

Approaches to risk management have been suggested in standards, guidelines, and reports. You should choose an approach or method that is appropriate to your organization’s business environment.

Figure 11-1 shows a model that presents the risk management process as a continuous cycle.


Figure 11-1 Risk management process

The following sections describe the main elements of the risk management process: background planning, asset analysis, threat analysis, vulnerability analysis, risk identification, risk analysis, risk treatment, and risk monitoring.

Background Planning

Establish the strategic and risk management context at the beginning of the planning process. The following elements should be taken into consideration during the planning phase:

      • Establish the aim, scope, and boundary. It is incumbent on management to establish a clear understanding of the aim, goal, and outcomes before the risk management process begins. In this phase, required resources are specified based on the objectives, scope, and boundary of the risk assessment exercise. Defining the scope is an important exercise and can be performed by function or by boundary. For example, a function-based assessment may examine all accounting systems that support Sarbanes-Oxley (SOX) compliance, whereas a boundary-based assessment may cover the systems in the marketing and production departments. The scoping method is fundamental in determining the level of analysis required.

      • Establish the risk evaluation criteria. As a good practice, these criteria form the basis for determining whether a risk is acceptable. Acceptability is based on operational, technical, financial, legal, social, humanitarian, and other related criteria. Additional factors will be based on the organization’s internal policy, goals, objectives, and the interests of stakeholders. A standard threat profile (STP) may be used here. An STP contains values for different types of typical threats. These values may be determined by consulting with experts and by observing actual events and incidents. The values may not be precise, but estimates are always helpful. General threat information is widely available through a variety of sources. For example, the Korea Internet & Security Agency (KISA) has the following mission:

          • Reinforce public information security through the use of security policies and technologies. KISA provides technical experts to assist in vulnerability analysis and incident damage restoration for SCADA systems in sectors such as transportation, water purification, energy, healthcare, and railroads.

          • Operate the Privacy Incident Response System (PIRST), which works to detect personal information security breaches on domestic and international web sites.

          • Operate an information security management system dedicated to protecting the intellectual property of businesses and promoting user awareness of information security.

      • Another example is in the United States, where some businesses participate in the U.S. InfraGard program. The program’s goals are to do the following:

          • Increase the level of information and reporting between InfraGard members and the FBI on matters related to counterterrorism, cybercrime, and other major crime programs.

          • Increase interaction and information sharing among InfraGard members and the FBI regarding threats to the critical infrastructures, vulnerabilities, and interdependencies.

          • Provide members with value-added threat advisories, alerts, and warnings.

          • Promote effective liaison with local, state, and federal agencies, to include the Department of Homeland Security.

          • Provide members with a forum for education and training on counterterrorism, counterintelligence, cybercrime, and other matters relevant to informed reporting of potential crimes and attacks on the nation and U.S. interests.

      • Establish risk management policy. A policy should be established to convey the management’s expectation on the risk management program and define roles and responsibilities for successful implementation. Refer to Chapter 12 for details.

Asset Analysis

The process of asset analysis is often conducted in parallel or as part of asset valuation. Organizations identify the significant assets within the scope of assessment and analyze their values in terms of confidentiality, integrity, and availability. These assets will be analyzed based on their types, such as software, hardware, people, service, and platforms.

Determine the owner of each asset and its respective value and impact to the organization. Usually, but not always, the asset owner is the best person to determine the value of assets. Determine the value of the asset in terms of the following:

      • Confidentiality (consider the loss or harm that would result from unauthorized disclosure of the asset or of the information handled or protected by the asset).

      • Integrity (consider the loss or harm that would result from unauthorized modification of the asset).

      • Availability (consider the loss or harm that would result from partial or total unavailability of the asset).

An asset’s value should reflect its replacement cost, its intrinsic value, and the impact of any form of compromise to the asset; this principle should be instilled into every employee.

With more information being processed, stored, and transmitted through the cloud, the party that operates the system (in this case, the cloud provider) often has little to no idea what information or assets reside on it. In these cases, the business line owner or mission owner must define the value of the information. System owners can enhance the understanding of assets, but the asset’s value in terms of the business or mission of the organization must always come first.

Threat Analysis

The goal of this analysis is to identify and examine the threats to each asset. Threats are classified as natural or man-made. Various threat catalogs are available that can be used to examine and estimate associated risks. In practice, you initiate the threat analysis by referring to an established list, such as the one in Appendix B. Although such a list may not be appropriate in all situations, the major and common threats have been included.

The information assurance team then identifies emerging threats (which may not be in the list) or threats that are in the local environment. Other good sources of information about more recent threats are users and employees, vendors, service providers, and business partners as well as online threat advisories.

Threat analysis is often the most difficult aspect of risk analysis. Threat information is not limited to actors who may want to steal an organization’s information; it also covers actors who may want to damage the organization or who have a personal vendetta against its employees or partners. Two important categories of threats must be understood: human and natural.

Human threats should be viewed through three dimensions: motives, means, and opportunities. Intentional human actions always have these characteristics:

      Motive Why is a person motivated to perform an act? Common motivations are control, curiosity, duress, fame, monetary gain, nationalism, power, and revenge.

      Means This term describes the ability to actually execute the motivation. A person may deeply desire to “hack” into a banking system, but unless they have an extensive background in technology, system cracking, and cryptography, it is unlikely they will be successful. Some may try to find individuals who have the means to perform the action on their behalf.

      Opportunities These represent the actual moment in time when a motivated actor with means could execute an action. Opportunities may be the physical presence of an individual in a vulnerable location or may be a newly discovered firewall vulnerability.

Accidental actions are another type of human threat. Accidental actions are caused by carelessness, errors, and sometimes inadvertent omissions. Although no motivation is present, unintentional actions can still have drastic impacts on organizations. Consider the person who unwittingly disposes of a hard drive containing sensitive financial information because they did not know what was on the drive. The drive could then be obtained by a competitor and used to avoid investing years of research and millions of dollars. Well-thought-out policies, procedures, guidelines, training, and technical controls are part of mature organizational processes. Mature processes increase the ability of the organization to avoid or minimize unintentional acts.

Describe human threats in terms of their relationship to the organization. Internal or “insider” threats are individuals within an organization. They are often on the payroll or doing work on behalf of the organization. Insiders can be extremely hard to find and even harder to manage because they often require legitimate access to organizational resources and assets. As noted earlier, some insider threats cause unintentional damage to an organization through negligence or by “trying to do the right thing.” Unintentional insider threats are best handled using a combination of training, awareness, rules of behavior, operational controls (such as updated procedures), and technical controls. This combination should help honest insiders do their job without introducing additional risk to the organization.

Intentional human insider threats are another matter entirely. These individuals are intent on causing damage to the organization through either theft or sabotage. Strong technical monitoring controls combined with separation of duties and rotation of duties greatly increase the challenge for a malicious insider threat. Organizations must still focus on holistic information assurance programs because insider threats will often leverage “well-meaning” insiders to do their bidding.

External human threats can be foreign nation states, hackers, former employees, competitors, or industrial espionage spies working for a competitor. The main advantage an organization has against these threats is the ability to keep them out. Unlike internal actors, external human threats have no legitimate system or facility access, so they must obtain it, frequently through the organization’s own people. Therefore, training for all users should cover external threats. External threats often engage internal actors at public events, conferences, and similar situations where they are less likely to come under suspicion. Additionally, outsiders may pose as repair personnel, janitorial services, or contractors to gain access to facilities and ultimately systems. Organizations must ensure all employees, and all those doing work on their behalf, are familiar with the organization’s information assurance program requirements. Employees should feel empowered to report individuals or situations that do not meet the program’s requirements. Organizations should be prepared for a few false alarms. An organization can weather numerous false alarms, but it may take only one successful outside threat to severely damage a mission.

Examples of natural threats are weather-related phenomena (such as hurricanes, tornadoes, and flooding). Other less predictable natural events are volcanic eruptions, sinkholes, earthquakes, and mudslides. While organizations may be unable to stop natural events, they can research the local environment and determine common issues such as the following:

      • Earthquake frequency and severity

      • Flood frequency

      • Flood plain location

      • Frequency and quantity of rainfall

      • Frequency and severity of wind

      • Nearby volcanoes

      • Seismic fault line location

Excellent threat analysis requires a well-rounded team or individual with an understanding of not only technology but the natural world and human psychology.

Vulnerability Analysis

Vulnerability analysis identifies vulnerabilities for which threat events exist. The goal is to identify applicable vulnerabilities (flaws or weaknesses) that can be exploited by the potential threat (identified earlier).

Organizations should refer to an established list of common vulnerabilities. You can find a simple example in Appendix C. Because no such list is ever complete or fully accurate, the organization needs a process for discovering vulnerabilities that runs and is updated continuously. A vulnerability management team should identify new vulnerabilities and keep the list current. As with threat identification, users and employees, vendors, service providers, and business partners, as well as online vulnerability advisories, are good sources of information about more recent vulnerabilities.

Technical vulnerabilities are often the easiest to identify since several products automate the technical vulnerability scanning process. Operational and managerial vulnerabilities are substantially more difficult to identify and are often identified only through independent assessment teams and audits with proper scoping. Organizations should ensure that vulnerability analysis programs include operational, technical, and managerial vulnerability identification.

Risk Identification

Risks should be identified as early as possible. A “perceived” risk may appear genuine when first identified, but further analysis or assessment may show the finding to be inaccurate or invalid. No single method guarantees complete risk identification, especially if the approach or mechanism has flaws or is limited in scope.

A best practice for risk identification is by using a structured brainstorming session that draws on the experience of the project team. If the team lacks knowledge or experience in risk management, then bring in outside help.

Risk Analysis

During risk analysis, the sources of the risks are revisited, followed by an estimate of the likelihood of occurrence. As stated earlier, an organization should determine asset values, the probability of the threats being able to exploit the vulnerabilities, and the impacts. This allows the organization to calculate the best estimate for its exposure to risks. Mathematical techniques can also be employed to calculate the risk. A simple rule of thumb is that risk is the product of the impact and likelihood of occurrence.

Risk is estimated from the potential impact together with the likelihood that the threat can exploit the vulnerability given the control measures currently in place. The likelihood analysis yields an overall likelihood rating, an estimate of how probable exploitation of the vulnerability is within the associated threat environment. The consequence analysis, by contrast, determines the adverse impact that would result if the threat successfully exercised the vulnerability.

A further step in risk analysis is to identify the mechanisms already in place that control the risk and to assess the strengths and weaknesses of the system. Once the existing controls have been identified, you can estimate the consequences and likelihood of the risk occurring. Values for likelihood can be determined from historical data or statistical analysis. Figure 11-2 shows a more detailed explanation of risk as described by the U.S. National Institute of Standards and Technology in Special Publication 800-30, Revision 1: Guide for Conducting Risk Assessments.


Figure 11-2 U.S. NIST risk analysis process

A practical but subjective qualitative approach to this is to use simple quadrants called a risk matrix, as shown in Figure 11-3. An event with high impact and a high likelihood of happening is a high risk; all activities that fall into this category should be reduced if not eliminated.


Figure 11-3 Risk matrix

Risks in the medium or low cells may be accepted with minimal treatment. Nevertheless, even low accepted risks should still be monitored and periodically reviewed to ensure they remain acceptable.
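The asset valuation, the risk = impact × likelihood rule of thumb, and the risk matrix above can be carried through on a small register. The following Python is an added worked example, not code from the chapter: the three-level ordinal scales, the matrix thresholds (scores 6 and 9 are High, 3 and 4 Medium, 1 and 2 Low), the default treatment per rating, and the sample assets and risks are all assumptions chosen for illustration.

```python
"""Qualitative risk analysis with a 3x3 risk matrix.

Added worked example, not from the chapter. The ordinal scales, the matrix
thresholds, the treatment rules and the sample entries are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed ordinal scale for impact and likelihood


@dataclass
class Asset:
    name: str
    owner: str            # the owner normally sets the value (business/mission view)
    confidentiality: int  # harm from unauthorized disclosure
    integrity: int        # harm from unauthorized modification
    availability: int     # harm from partial or total unavailability

    def value(self) -> int:
        # Worst-case harm across C, I and A is the asset's value for risk purposes.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int               # chance the threat exploits the vulnerability under current controls
    impact: Optional[int] = None  # override when only one property is at stake; else asset value

    def impact_rating(self) -> int:
        return self.asset.value() if self.impact is None else self.impact

    def score(self) -> int:
        # Chapter rule of thumb: risk = impact x likelihood (1..9 on these scales).
        return self.impact_rating() * self.likelihood


def matrix_rating(impact: int, likelihood: int) -> str:
    """Map a cell of the 3x3 matrix to a rating. Possible scores are 1,2,3,4,6,9;
    High = {6, 9}, Medium = {3, 4}, Low = {1, 2} (assumed thresholds)."""
    s = impact * likelihood
    if s >= 6:
        return "High"
    if s >= 3:
        return "Medium"
    return "Low"


TREATMENT = {  # assumed mapping from rating to default treatment decision
    "High": "reduce or avoid; treatment plan required",
    "Medium": "accept with targeted treatment; monitor",
    "Low": "accept as residual risk; periodic review",
}


def prioritize(risks):
    """Return risks highest score first (ties: higher impact first) as
    (asset, threat, score, rating, treatment) tuples."""
    ordered = sorted(risks, key=lambda r: (r.score(), r.impact_rating()), reverse=True)
    result = []
    for r in ordered:
        rating = matrix_rating(r.impact_rating(), r.likelihood)
        result.append((r.asset.name, r.threat, r.score(), rating, TREATMENT[rating]))
    return result


# Constructed sample register (not real systems).
PAYROLL = Asset("Payroll database", "Finance", HIGH, HIGH, MEDIUM)
WEBSITE = Asset("Marketing website", "Marketing", LOW, MEDIUM, MEDIUM)
BUILD = Asset("Build server", "Engineering", MEDIUM, HIGH, MEDIUM)

SAMPLE_RISKS = [
    Risk(PAYROLL, "External attacker", "Unpatched database listener on internal network", MEDIUM),
    Risk(WEBSITE, "Defacement", "Outdated CMS plugin", HIGH),
    Risk(BUILD, "Malicious insider", "Shared administrator credentials", LOW),
    # A flood only affects availability, so impact is overridden to the availability value.
    Risk(WEBSITE, "Flood", "Hosting site on a flood plain", LOW, impact=WEBSITE.availability),
]

if __name__ == "__main__":
    for name, threat, score, rating, treatment in prioritize(SAMPLE_RISKS):
        print(f"{score} {rating:6} {name:18} {threat:18} -> {treatment}")
```

Two design points are worth noticing. The asset value is the worst case across confidentiality, integrity, and availability, but a risk may override the impact when only one property is at stake (the flood entry), which is why the same website lands in both a High and a Low cell. The tie-break on impact means that when two risks score equally, the one that would hurt more is treated first, which is the ordering a practitioner usually wants when resources are limited.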

Risk Treatment

Based on the gap analysis results and the risk assessment, appropriate and justified options or controls for treating risks will be identified, selected, and documented in a risk treatment plan. The options and controls selected for risk reduction to an acceptable level are decided by the organization’s management. Owners of the treatment plan will be responsible for the implementation of the plan.

The following are some of the options for the treatment of risks based on the Standards Association of Australia (www.dtic.mil/dtic/tr/fulltext/u2/a434592.pdf):

      Avoid risk Do not proceed with the activity likely to generate risk.

      Reduce likelihood of occurrence Implement audit and compliance programs, formal reviews, inspection and process controls, and preventive maintenance.

      Reduce the consequences Reduce the consequences by contingency planning, business continuity planning, or reducing the interdependence of activities.

      Transfer risk Use insurance, partnerships, and joint ventures.

      Accept risk Some risks cannot be eliminated or reduced. The management needs to decide what level of risk can be accepted as residual risk.

When treating risk, senior leaders must be wary of ignoring risk. Ignoring risk is simply choosing to reject the reality of risk and the potential impacts that may follow. An example of ignoring risk is what Frost and Schou call Chernobyl Blindness. They observed:

    An even greater danger to the individual empowerment and organizational growth is the effect known as Chernobyl Blindness. Chernobyl Blindness is characterized by going through the motions of a process, but only accomplishing the motions, not reacting to anything new or different. It was originally used to describe the reactions of a senior Soviet technician at the Chernobyl nuclear facility during its meltdown and reactor explosion.

    When the instrumentation indicated a problem with the reactor, the technician walked over to a window that overlooked what was formerly the nuclear reactor area. Now there was a hole instead of a structure and black graphite covered the area. However, the technician looked, but saw nothing new; he was blind to the fact a nuclear accident had occurred because that was impossible. His self-imposed blinders prevented him from reacting to an actual event because it was not standard operating procedure. Too often, opportunities or threats are ignored in the business environment because that is out of the “acceptable operating conditions/procedures.” This condition is sometimes referred to as paradigm paralysis.

Senior leaders must exercise caution when understanding and accepting risk. They must also be willing to accept the fact that previously secure systems may now be vulnerable in a matter of milliseconds. The worst approach a senior manager can take is to ignore risk. This position accepts risk by default without fully understanding mitigation options or impacts to the organization.

Monitoring Risk

Monitoring risk ensures all controls are monitored at a frequency commensurate with their significance to the organization. Some policies may need to be reviewed only yearly or during a major change, while vulnerability scanning should occur every week or when a new vulnerability is released.

In addition to periodic risk assessment, risk reviews should be triggered whenever there are changes to the business environment or the IT infrastructure. Such changes may challenge the integrity and validity of the risk priorities set previously. The controls should be evaluated based on their effectiveness and whether they meet the risk reduction and acceptance targets. It is good practice to maintain and update the risk register so it is possible to check the organization’s risk status at any given time.

Organizations are developing risk dashboards. Caution must be exercised in understanding what these dashboards contain and, more importantly, what they do not. Often they show only a network security vulnerability perspective and miss several other critical areas of the organization. Relying on network vulnerabilities alone distracts from other critical business or mission areas. Organizations should determine whether the entire risk formula (impact and likelihood equals risk) is represented in the dashboard or simply a single variable such as vulnerabilities or threats.
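The two monitoring rules just described, a review cadence commensurate with significance and a re-review triggered by change, can be encoded against the risk register, along with the dashboard check from the last paragraph. The following Python is an added example, not from the chapter: the review intervals (High monthly, Medium quarterly, Low yearly), the system tags used to match change events to register entries, the reference date, and the sample register and events are assumptions for illustration.

```python
"""Risk register monitoring: periodic reviews by rating, change-triggered
reviews, and a check that a dashboard carries the whole risk formula.

Added example, not from the chapter. Intervals, tags and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List

# Assumed review policy: the higher the residual rating, the more often it is revisited.
REVIEW_INTERVAL = {
    "High": timedelta(days=30),
    "Medium": timedelta(days=90),
    "Low": timedelta(days=365),
}


@dataclass
class RegisterEntry:
    risk_id: str
    description: str
    rating: str                   # residual rating after current controls
    owner: str                    # owner of the treatment plan
    control: str                  # control relied on to reach the residual rating
    last_reviewed: date
    systems: FrozenSet[str]       # hypothetical tags linking the entry to systems


@dataclass
class ChangeEvent:
    kind: str                     # "infrastructure", "business" or "vulnerability"
    systems: FrozenSet[str]
    note: str


def due_for_review(entry: RegisterEntry, today: date) -> bool:
    """Periodic review is overdue once the interval for the entry's rating has elapsed."""
    return today - entry.last_reviewed >= REVIEW_INTERVAL[entry.rating]


def reviews_needed(register: List[RegisterEntry], events: List[ChangeEvent],
                   today: date) -> Dict[str, List[str]]:
    """Return {risk_id: reasons} for entries that are overdue or touched by a change.
    Either condition may invalidate the priorities set at the last assessment."""
    needed: Dict[str, List[str]] = {}
    for entry in register:
        reasons = []
        if due_for_review(entry, today):
            reasons.append(f"periodic review overdue ({entry.rating}, last {entry.last_reviewed})")
        for ev in events:
            if entry.systems & ev.systems:
                reasons.append(f"{ev.kind} change: {ev.note}")
        if reasons:
            needed[entry.risk_id] = reasons
    return needed


def dashboard_covers_risk(fields: List[str]) -> bool:
    """True only if the dashboard exposes both variables of the risk formula.
    A vulnerability count alone is a single variable, not a risk view."""
    return {"impact", "likelihood"} <= set(fields)


# Constructed sample register, events and reference date (not real data).
TODAY = date(2024, 6, 1)
REGISTER = [
    RegisterEntry("R1", "Payroll DB exposed to internal attacker", "High", "Finance",
                  "network segmentation + patching", date(2024, 4, 20), frozenset({"db"})),
    RegisterEntry("R2", "Public site defacement via CMS plugin", "Medium", "Marketing",
                  "weekly plugin updates", date(2024, 5, 1), frozenset({"cms"})),
    RegisterEntry("R3", "HR portal outage from storm", "Low", "HR",
                  "offsite backup", date(2023, 12, 1), frozenset({"hr-portal"})),
]
EVENTS = [
    ChangeEvent("infrastructure", frozenset({"cms"}), "CMS migrated to new hosting provider"),
    ChangeEvent("vulnerability", frozenset({"db"}), "advisory published for database listener"),
]

if __name__ == "__main__":
    for risk_id, reasons in reviews_needed(REGISTER, EVENTS, TODAY).items():
        print(risk_id, "->", "; ".join(reasons))
    print("dashboard covers risk:", dashboard_covers_risk(["host", "vulnerability_count"]))
```

With the sample data, R1 is flagged twice (its monthly review is 42 days old and a new advisory touches the database), R2 is flagged only because its hosting changed, and R3 is quiet because a Low risk reviewed six months ago is still within its yearly interval. The dashboard check answers the first Critical Thinking Exercise for the case it describes: a view built from vulnerability counts alone does not cover the formula.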

Integration with Other Management Practices


Risk management can be linked to four other areas of management practice.

      Budgeting Risk management addresses the need to mitigate identified risks. The treatment plan or actions require time and resources; therefore, a link to the budgeting process is useful.

      Business planning The organization should develop business planning that is aligned to the organization’s objectives. The organization may already have carried out SWOT (strength, weakness, opportunity, and threat) and PEST (political, economic, socio-cultural, and technological) exercises in other areas, and these could be expanded into a more detailed information assurance risk analysis.

      Internal audit Organizations should use information from information assurance risk management to contribute to the organization’s internal audit and internal control reviews.

      Periodic reporting A periodic report is a tool that the management can use to monitor key risks. Controls should be ranked according to how critical they are to a system and the overall organization. The frequency of the reporting should be based on the impact of the control. Existing reporting lines can often be improved to cover a wider range of risks without a major overhaul.

Further Reading

      • Baker, Dixie B. Assessing Controlled Access Protection. The National Computer Security Center, Dec. 1, 2006. www.fas.org/irp/nsa/rainbow/tg028.htm.

      • Frost, James, and Schou, C.D. “Looking Inward for Competitive Strength in the International Arena.” Presented at the Mountain Plains Management Association Meetings. October 1993.

      • Gross, I., and P. Greaves. Risk Management: A Guide to Good Practice for Higher Education Institutions. HEFCE, 2001. www.hefce.ac.uk/pubs/hefce/2001/01_28/01_28.pdf.

      • Korea Internet & Security Agency (KISA). www.kisa.or.kr/eng/main.jsp.

      • National Institute of Standards and Technology. Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook. 1996.

      • National Institute of Standards and Technology. Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems. February 2006.

      • National Institute of Standards and Technology. Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. September 2012.

      • National Institute of Standards and Technology. Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. February 2010.

      • National Institute of Standards and Technology. Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. August 2009.

      • National Institute of Standards and Technology. Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans. June 2010.

      • National Institute of Standards and Technology. Special Publication 800-137, Initial Public Draft, Information Security Continuous Monitoring for Federal Information Systems and Organizations. December 2010.

      • National Institute of Standards and Technology. Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. April 2013.

      • Nichols, R., et al. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill, 2000.

      • Standards Association of Australia. Risk Management, AS/NZS 4360:1999. 1999.

      • Schou, Corey D., and D.P. Shoemaker. Information Assurance for the Enterprise: A Roadmap to Information Security. McGraw-Hill Education, 2007.

      • Tipton, Harold F., and S. Hernandez, ed. Official (ISC)2 Guide to the CISSP CBK, 3rd edition. (ISC)2 Press, 2012.

Critical Thinking Exercises

        1. A CIO has just implemented a new dashboard for the organization. As part of the dashboard, the IT employees and senior management can review the vulnerability status of all IT network assets. Is this dashboard giving a holistic view of risk for the organization?

        2. An organization has approximately 20,000 workstations and 5,000 servers around the world. A new zero-day vulnerability has been published that affects 90 percent of the systems, including servers. “Zero-day” vulnerabilities are recently discovered previously unknown system or software weaknesses. How should the organization go about prioritizing mitigation efforts?
