IT risk management (Economics of Security and Privacy, BMEVIHIAV15). Mark Felegyhazi, CrySyS Lab, BME Department of Telecommunications (Híradástechnikai Tanszék)


IT risk management
Economics of Security and Privacy (BMEVIHIAV15)
Mark Felegyhazi, assistant professor, CrySyS Lab, BME Department of Telecommunications (Híradástechnikai Tanszék), mfelegyhazi(atat)crysys(dot)hu

Security is risk management

risk:
- Merriam-Webster: possibility of loss or injury
- Dictionary: exposure to the chance of injury or loss; a hazard or dangerous chance
- Wikipedia: risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome). The notion implies that a choice having an influence on the outcome exists (or existed).

risk management:
- Wikipedia: risk management is the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
- CISA Review Manual: risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.

More concepts
- vulnerability: a flaw or weakness in the hardware, software or design that makes an attack possible; ex: software bugs
- threat agent (= attacker)
- threat: the potential for a threat agent to exploit a vulnerability; ex: the disk is not encrypted, but the device is fixed in place, so the weakness is hard to exploit; the attacker also needs motivation
- risk: the realization of a threat, weighted by its impact (likelihood combined with consequences)

Risk management (simplified)
Goal of risk management? The chain the risk manager has to control: vulnerabilities -> threats -> incidents -> losses ($)
Goal: minimize the costs associated with risks (threats)

Risk management lifecycle
(source: Systems Engineering Fundamentals, Defense Acquisition University Press, 2001)

Risk management standards
- ISO/IEC 27000 series: information security management systems
  - ISO/IEC 27005:2011: information security risk management
  - generally accepted guidelines for implementing information security management systems; also serves as the basis for audits
  - open source support: Enterprise Security Information System (ESIS)
- NIST SP 800-30
- ISACA Risk IT
- Open Source Security Testing Methodology Manual (OSSTMM)
- ISO/IEC Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC)

Risk management process (ENISA)
[Figure: ENISA risk management process. Boxes: definition of scope and framework for the management of risk (definition of the external environment, definition of the internal environment, generation of the risk management context, formulation of risk criteria); risk assessment; risk treatment; risk acceptance; risk communication, awareness and consulting; monitor and review (plans, events, quality); corporate risk management; interfaces with other operational or product processes.]
(source: European Network and Information Security Agency (ENISA), Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, June 2006)

Risk management process (Risk IT)
The Risk IT framework groups the key risk management activities into processes, and the processes into three domains. The process model will look familiar to users of COBIT and Val IT: substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process. Each of the three domains contains three processes (figure 6 of the framework):
- Risk Governance (RG): Establish and Maintain a Common Risk View; Integrate With ERM; Make Risk-aware Business Decisions. Goal: ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return.
- Risk Evaluation (RE): Collect Data; Analyse Risk; Maintain Risk Profile. Goal: ensure that IT-related risks and opportunities are identified, analysed and presented in business terms.
- Risk Response (RR): Articulate Risk; Manage Risk; React to Events. Goal: ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
(source: ISACA, Risk IT framework, 2009)

Risk management phases
- risk governance (RG): risk management context; define criteria; profile definition; requirements; resources
- risk assessment (RA): risk analysis (identification, estimation); risk evaluation
- risk treatment (RT): prevent; mitigate; transfer; accept
- risk monitoring and review (RM): monitoring; communication; awareness

Decision-makers
- senior management
- chief information officer (CIO)
- information system security officer (ISSO)
- system and information owners
- security practitioners (sysadmins, security specialists)
- security awareness trainers

Risk management planning and governance (RG)
(Risk IT: practical guidance can be found in The Risk IT Practitioner Guide.)
- develop an enterprise risk management strategy
- establish and maintain a risk management plan
  - risk appetite
  - risk tolerance
- ensure that IT risk management is embedded in the system
  - integrate with business processes
  - provide resources for risk management
  - establish responsibilities and accountability
- generic control of risk management

Risk appetite and tolerance (RG)
Behavior towards risks: establish and maintain a common risk view (ISACA, Risk IT framework, 2009). Risk IT, citing the COSO definition, notes that risk appetite and tolerance are concepts that are frequently used, but the potential for misunderstanding is high.
- risk appetite: the property of engaging with risks (risk-averse, risk-neutral, risk-taking); how much risk is accepted in order to pursue a return?
- risk tolerance: the tolerated deviation from the risk level defined in the risk appetite
Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk, i.e. using risk maps. Different bands of risk significance are indicated by coloured bands on the risk map (Risk IT figure 7, axes frequency and magnitude): Opportunity, Acceptable, Unacceptable, Really Unacceptable.
- the Really Unacceptable band might trigger an immediate risk response; the enterprise might, as a matter of policy, require mitigation or another adequate response to be defined within certain time boundaries
- in the Opportunity band, responses may be found by decreasing the degree of control, or opportunities for assuming more risk might arise
Risk appetite can and will differ from enterprise to enterprise, from risk-averse to opportunity seeking. There is no universal right or wrong, but it needs to be defined, well understood and communicated.

Key factors to success
- continuous support from top management
- central management
- common strategy
- successful integration with business processes
- optimize tasks and controls (avoid over-control)
- compliant with the company's business philosophy
- continuous training
- never-ending process
(source: ENISA, Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools, June 2006)

Risk assessment (RA)
[Figure: NIST SP 800-30 Figure 3-1, Risk Assessment Methodology Flowchart. Steps: 1 System Characterization; 2 Threat Identification; 3 Vulnerability Identification; 4 Control Analysis; 5 Likelihood Determination; 6 Impact Analysis; 7 Risk Determination; 8 Control Recommendations; 9 Results Documentation. Inputs include hardware, software, system interfaces, data and information, people and the system mission; the history of system attacks and data from intelligence agencies and the mass media; reports from prior risk assessments, audit comments, security requirements and security test results; the list of current and planned controls.]
(source: NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002)

Risk assessment (RA)
- identification
  - persons, assets and system information
  - technical / management / operational controls
  - information gathering: information sources
  - threat sources: attacker model
  - vulnerability identification
- analysis / estimation
  - control analysis: security options (ROSI)
  - categorize threats by likelihood
  - impact analysis: system-critical incidents
- evaluation
  - risk determination

Measuring risks: simplified Annualized Loss Expectancy (ALE)
ALE = ARO * SLE = ARO * AV * EF
- ARO: Annualized Rate of Occurrence (likelihood)
- AV: Asset Value (impact)
- EF: Exposure Factor
- SLE: Single Loss Expectancy = AV * EF
example: the probability of a server failing in a year is 0.01; the data is worth $AV (the value is missing from the transcription; the slide's result implies AV = $5,000,000); most probably 30% is destroyed
ALE = 0.01 * $5,000,000 * 0.3 = $15,000

Risk analysis flowchart
[Figure: NIST SP 800-30 Figure 4-1, Risk Mitigation Action Points. Threat source -> vulnerable? -> exploitable? -> attacker's cost less than gain? -> anticipated loss greater than threshold? -> risk exists / risk accepted.] The rules of thumb that go with it:
- when a vulnerability (flaw/weakness) exists: implement assurance techniques to reduce the likelihood of the vulnerability being exercised
- when a vulnerability can be exercised: apply layered protections, architectural designs and administrative controls to minimize the risk or prevent the occurrence
- when the attacker's cost is less than the potential gain: apply protections that decrease the attacker's motivation by increasing the attacker's cost (e.g. system controls limiting what a system user can access and do can significantly reduce an attacker's gain)
- when the loss is too great: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss
(source: NIST SP 800-30, Risk Management Guide for Information Technology Systems, July 2002)

Perceived composite risk (PCR)
(L.D. Bodin, L.A. Gordon, M.P. Loeb, Information security and risk management, Communications of the ACM, 2008)
Three risk metrics for a breach whose loss is the random variable X (in $ millions):
- expected loss E[X] = sum over x of x * P[X = x]
- expected severe loss: the decision-maker first specifies a threshold T such that any breach costing T or more is believed to put the survivability of the organization at risk; E[severe loss] = sum over x >= T of x * P[X = x]
- standard deviation of loss, sigma = sqrt( sum over x of (x - E[X])^2 * P[X = x] ); the standard deviation is used rather than the variance because it is measured in the same units (dollars) as the expected loss and the expected severe loss
Example (Proposal 1 for enhancing information security activities): X has the discrete uniform distribution P[X = x] = 0.1 for x = 0, 1, ..., 9.
- E[X] = 0 * 0.1 + 1 * 0.1 + ... + 9 * 0.1 = 4.5
- with T = 8 (any breach costing $8 million or more is severe): E[severe loss] = 8 * 0.1 + 9 * 0.1 = 1.7
- sigma = sqrt(8.25) = 2.87

Computing the expected Perceived Composite Risk (PCR)
For a given set of information security activities, the PCR is a linear combination of the expected loss, the expected severe loss and the standard deviation of loss attributable to a breach:
PCR = E[X] + (B/A) * E[severe loss] + (C/A) * sigma
where the weights A, B and C are positive, sum to one and reflect the relative importance of the three performance metrics to the decision maker; they are determined with the Analytic Hierarchy Process (AHP). An overview of the AHP in an information security investment context is given in Bodin, Gordon and Loeb (2006).

PCR: calculating the weights
The CISO decides about the importance of the three factors: A + B + C = 1 and A, B, C > 0; the weights are calculated with the Analytic Hierarchy Process (AHP) from a pairwise comparison matrix (check AHP on Wikipedia, it is quite interesting).
In establishing the pairwise comparison matrix of the example, the assumption is that the expected loss (E[X]) and the expected severe loss are equally important criteria, both slightly more preferred than the standard-deviation-of-loss (sigma) criterion. The pairwise comparisons that represent this judgment are realized by setting a12 = 1, a13 = 2, a23 = 2, a31 = 1/2 and a32 = 1/2. Further, the diagonal elements a11, a22 and a33 are set equal to 1, since a criterion is equally important as itself. For a decision maker for whom the AHP reveals the weights A = 0.4, B = 0.4 and C = 0.2, the value of the PCR for Proposal 1 is:
PCR(Proposal 1) = $4.5M + [0.4/0.4] * $1.7M + [0.2/0.4] * $2.87M = $4.5M + $1.7M + $1.436M = $7.636M
Other values of A, B and C give other rankings.

Evaluating four proposals
Assume that a CISO must select from among four equal-cost proposals for enhancing an organization's information security. Suppose the CISO and his/her staff have estimated the loss probabilities associated with the proposed sets of information security activities; the estimated probabilities for each proposal are broken down into the 10 discrete loss amounts of Table 2 (losses from an information security breach, in $ millions), and the threshold T of a severe loss is $8 million. Table 3 lists the values of the three risk measures for each proposal and the PCR, assuming A = 0.4, B = 0.4 and C = 0.2 (the other rows are not legible in this transcription):

Table 3. Risk measures for the proposals (T = 8, A = 0.4, B = 0.4, C = 0.2; bold in the original indicates column minimums)
Proposal | Expected loss E[X] | Expected severe loss | Standard deviation of loss | PCR
Proposal 1 | 4.5 | 1.7 | 2.87 | 7.636

Some problems with using the popular metric of expected loss as the sole measure of risk are apparent from Tables 2 and 3:
- according to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2 and Proposal 4; but although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr[X >= 8] = 0.4) and the highest standard deviation of loss
- based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3 and Proposal 4
- based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1 and Proposal 3
Thus a decision maker interested in minimizing the risk of a breach could rationally select Proposal 2, Proposal 3 or Proposal 4, depending on the risk metric being considered. The PCR combines the three risk measures through a procedure that determines the decision maker's relative weighting of the risk criteria.
(source: Bodin, Gordon and Loeb, Communications of the ACM, April 2008, Vol. 51)

ALE method's failure
(K. Soo Hoo, How Much Is Enough? A Risk-Management Approach to Computer Security, PhD thesis, Stanford, 2000)
- simplify: a tractable way to analyze risks
- too many details: difficult to implement; the number of scenarios is too high
- deterministic rather than probabilistic
- dependence on information: no data

Improved methods
- Integrated Business Risk management framework: focuses on impact and added value; treats security like other business risks; a technology view on risk; simplifies
- valuation-driven methods: simplify risk analysis; ignore incident likelihoods and focus on asset value; mostly short-term; suffer from the simplification
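The three PCR metrics and the AHP weighting described above, worked through in code. This is an added example, not code from the slides or from the Bodin, Gordon and Loeb paper. It uses the Proposal 1 distribution and the pairwise judgments given on the page, plus one constructed loss distribution (called Proposal B here, not one of the paper's four proposals) with the same expected loss but a heavier tail, to show why expected loss, and hence ALE, alone can hide the risk that the PCR captures. The asset value in the ALE check is the one implied by the slide's result (ALE = $15,000 with ARO = 0.01 and EF = 0.3), since the figure itself is missing from the transcription.

```python
"""Risk metrics for a discrete loss distribution: ALE, expected loss,
expected severe loss, standard deviation of loss and the Perceived
Composite Risk (PCR) with AHP-derived weights.  Added example; losses
are in $ millions as on the slides."""
from math import sqrt

# Proposal 1 from the slides: X uniform on 0..9, P[X = x] = 0.1.
PROPOSAL_1 = {x: 0.1 for x in range(10)}

# Constructed comparison case (not from the slides or the paper): the same
# expected loss of 4.5, but 40% of the probability sits on a $9M breach.
PROPOSAL_B = {0: 0.3, 3: 0.3, 9: 0.4}

SEVERE_THRESHOLD = 8  # T: a breach costing >= $8M threatens survivability

# Pairwise judgments from the slides: E[X] and severe loss equally
# important (a12 = 1), each twice as important as sigma (a13 = a23 = 2),
# reciprocals below the diagonal, ones on it.
PAIRWISE = [[1.0, 1.0, 2.0],
            [1.0, 1.0, 2.0],
            [0.5, 0.5, 1.0]]


def ale(aro, asset_value, exposure_factor):
    """Annualized Loss Expectancy: ALE = ARO * SLE, with SLE = AV * EF."""
    return aro * asset_value * exposure_factor


def expected_loss(dist):
    """E[X] = sum_x x * P[X = x]."""
    return sum(x * p for x, p in dist.items())


def expected_severe_loss(dist, threshold=SEVERE_THRESHOLD):
    """Tail sum over x >= T of x * P[X = x] (the paper's E[severe loss])."""
    return sum(x * p for x, p in dist.items() if x >= threshold)


def std_dev_loss(dist):
    """sigma = sqrt(sum_x (x - E[X])^2 * P[X = x])."""
    mu = expected_loss(dist)
    return sqrt(sum(p * (x - mu) ** 2 for x, p in dist.items()))


def ahp_weights(matrix, iterations=50):
    """AHP priority vector: the principal eigenvector of the pairwise
    comparison matrix, found by power iteration and normalised to sum to one."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(v)
        w = [x / total for x in v]
    return w


def ahp_consistency_index(matrix, weights):
    """CI = (lambda_max - n) / (n - 1); zero for a perfectly consistent matrix,
    so a large CI flags contradictory pairwise judgments by the CISO."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    return (lambda_max - n) / (n - 1)


def pcr(dist, weights, threshold=SEVERE_THRESHOLD):
    """PCR = E[X] + (B/A) * E[severe loss] + (C/A) * sigma, weights = (A, B, C)."""
    a, b, c = weights
    return (expected_loss(dist)
            + (b / a) * expected_severe_loss(dist, threshold)
            + (c / a) * std_dev_loss(dist))


def risk_report(dist, weights):
    """The four numbers of one Table 3 row, rounded to three decimals."""
    return {"E[X]": round(expected_loss(dist), 3),
            "E[severe]": round(expected_severe_loss(dist), 3),
            "sigma": round(std_dev_loss(dist), 3),
            "PCR": round(pcr(dist, weights), 3)}


if __name__ == "__main__":
    # ALE check: the slide's $15,000 result implies AV = $5,000,000.
    print("ALE =", ale(0.01, 5_000_000, 0.3))
    w = ahp_weights(PAIRWISE)
    print("AHP weights (A, B, C) =", [round(x, 3) for x in w],
          "CI =", round(ahp_consistency_index(PAIRWISE, w), 6))
    for name, dist in (("Proposal 1", PROPOSAL_1), ("Proposal B", PROPOSAL_B)):
        print(name, risk_report(dist, w))
```

Proposal 1 reproduces the slide's row (E[X] = 4.5, E[severe loss] = 1.7, sigma = 2.872, PCR = 7.636) and the AHP returns exactly (0.4, 0.4, 0.2) with consistency index 0, because the page's pairwise matrix is perfectly consistent. The constructed Proposal B has the same expected loss and therefore the same ALE-style ranking, but its PCR is about 10.0: the tail and the spread of the loss, which expected loss ignores, are what a decision maker comparing proposals actually has to weigh.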

Improved methods (cont'd)
- scenario analysis: from qualitative to quantitative methods; often used to dramatize impact (by consultants); limited scope
- good practices: the common engineering response; result in (some) protection steps; also protect against liability claims; de-coupled from data collection and analysis; efficiency depends on compliance costs and on the process used to define the practices / rules

Quantitative risk management
Key enabler: information = data (potentially historic) on
- vulnerabilities
- incidents
- losses
- effectiveness of countermeasures
- conformance to policies
Share information: register incidents, proper forensics, report, summarize in a central(ized) database. Driving force: insurance??? (more in Chapter 10); governments?

Risk treatment options (RT)
- avoidance: eliminate incidents (testing)
- mitigation: reduce impact
- sharing / transfer: disclaimer (no party is responsible); agreement (responsibility transferred); compensation (risk pooling: share losses; risk hedging: bet on losses)
- acceptance / retention: self-insure; accept losses
(partially from: Blakley, B., McDermott, E. and Geer, D., Information security is information risk management, Proceedings of the 2001 workshop on New security paradigms, 2001)

Risk treatment controls (RT)
Determine the appropriate controls, then select the risk treatment controls:
- prevention: firewall, authentication, locks
- detection: IDS
- recovery: backup, forensics
- management: a better data center for security
- information collection: information sharing (more in Chapter 6)
- training / awareness: employee training sessions

Risk treatment action plan (RT)
action plan = prioritize + implement actions / controls
- prioritize controls / actions
  - cost-benefit analysis (more in Chapter 4)
  - importance of the risk (impact)
  - effectiveness: it is difficult to quantify the benefit of unrealized losses (ROSI)
- get approval for the action plan: top management support is essential
- implement the action plan
  - develop a policy, together with the security policy
  - assign responsibility
  - performance measures and reporting
  - residual risks and their acceptance

Risk monitoring and review (RM)
- review and update processes and policies
- document each stage of the risk management process
  - development and action plan (reasons and analysis)
  - changes and efficiency
  - legal basis
  - reuse of information

Risk communication (RM)
[Figure: Risk IT, IT Risk Communication Components. Expectation: strategy, policies, procedures, awareness, training, etc. Capability: risk management process maturity. Status: risk profile, key risk indicators, loss data, etc. Together they make up effective IT risk communication.]
What to communicate? IT risk communication covers a broad array of information flows. Risk IT distinguishes the following major types:
- expectations: policies, procedures, awareness training, continuous reinforcement of principles, etc. This is essential communication on the enterprise's overall strategy towards IT risk; it drives all subsequent efforts on risk management and sets the overall expectations from risk management.
- capability: monitoring of the state of the risk management engine in the enterprise; a key indicator of good risk management, with predictive value for how well the enterprise is managing risk and reducing exposure.
- status: information such as the risk profile of the enterprise (the overall portfolio of identified risks to which the enterprise is exposed), key risk indicators (KRIs) to support management reporting on risk, event/loss data, root causes of loss events, and options to mitigate risks (costs and benefits).
To be effective, all information exchanged, regardless of its type, should be:
- clear: avoid jargon and technical terms regarding risk, since the intended audiences are generally not deeply technologically skilled
- concise: detail that hinders, rather than enables, a clear view of risk is left out
- useful: expressed in terms of business consequences, e.g. risk may originate when an inadequate IT organisation is set up, and the business consequence is inefficient IT operations and service delivery; or the origination point may be project failure, and the business consequence is delayed business initiatives
- timely: communication is timely when it allows action to be taken at the appropriate moments to identify and treat the risk; it serves no useful purpose to communicate a project delay a week before the deadline
- aimed at the correct target audience and enabling informed decisions: aggregation must not hide root causes of risk; a security officer needs technical IT data on intrusions and viruses to deploy solutions, while an IT steering committee may not need this level of detail
(source: ISACA, Risk IT framework, 2009)

Reading for next time
- Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol. 5, no. 4, 2002
- optional: Gordon, L.A., Loeb, M.P. and Lucyshyn, W., Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, 2003
- Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy, vol. 8, no. 1, 2010


More information

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: POL ENTERPRISE RISK MANAGEMENT SC51 POLICY CODE: SC51 DIRECTORATE: Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT: Executive Support Services RESPONSIBLE OFFICER:

More information

Feature. Developing an Information Security and Risk Management Strategy

Feature. Developing an Information Security and Risk Management Strategy Feature Developing an Information Security and Risk Management Strategy John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC. He has designed and implemented enterprisewide

More information

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell. COBIT 5 for Risk CS 3-7: Monday, July 6 4:00-5:00 Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.net Disclaimer of Use and Association Note: It is understood that

More information

Decision making in ITSM processes risk assessment

Decision making in ITSM processes risk assessment Decision making in ITSM processes risk assessment V Grekul*, N Korovkina, K Korneva National Research University Higher School of Economics, 20 Myasnitskaya Ulitsa, Moscow, 101000, Russia * Corresponding

More information

Recall the Security Life Cycle

Recall the Security Life Cycle Lecture 7: Threat Modeling CS 436/636/736 Spring 2014 Nitesh Saxena Recall the Security Life Cycle Threats Policy Specification Design Implementation Operation and Maintenance So far what we have learnt

More information

Information technology Security techniques Information security management systems Overview and vocabulary

Information technology Security techniques Information security management systems Overview and vocabulary INTERNATIONAL STANDARD ISO/IEC 27000 Third edition 2014-01-15 Information technology Security techniques Information security management systems Overview and vocabulary Technologies de l information Techniques

More information

Operational Risk Management Program Version 1.0 October 2013

Operational Risk Management Program Version 1.0 October 2013 Introduction This module applies to Fannie Mae and Freddie Mac (collectively, the Enterprises), the Federal Home Loan Banks (FHLBanks), and the Office of Finance, (which for purposes of this module are

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

Project Risk Management

Project Risk Management Project Risk Management Study Notes PMI, PMP, CAPM, PMBOK, PM Network and the PMI Registered Education Provider logo are registered marks of the Project Management Institute, Inc. Points to Note Risk Management

More information

ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk

ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk Kevin W Knight AM CPRM; Hon FRMIA; FIRM (UK); LMRMIA: ANZIIF (Mem) ISO 31000:2009 - ISO/IEC 31010 & ISO Guide 73:2009 - New Standards for the Management of Risk History of the ISO and Risk Management Over

More information

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY PRESENTED BY: LEN WIATR, CHIEF RISK OFFICER Len s Risk Management Philosophy Build a

More information

A Hierarchical Information System Risk Evaluation Method Based on Asset Dependence Chain

A Hierarchical Information System Risk Evaluation Method Based on Asset Dependence Chain International Journal of Security and Its Applications, pp.81-88 http://dx.doi.org/10.1257/ijsia.201.8.6.08 A Hierarchical Information System Risk Evaluation Method Based on Asset Dependence Chain Xin

More information

Key Components of a Risk-Based Security Plan

Key Components of a Risk-Based Security Plan Key Components of a Risk-Based Security Plan How to Create a Plan That Works Authors: Vivek Chudgar Principal Consultant Foundstone Professional Services Jason Bevis Director Foundstone Professional Services

More information

Information Security Risk Management

Information Security Risk Management Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

Looking at the SANS 20 Critical Security Controls

Looking at the SANS 20 Critical Security Controls Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of

More information

CISM ITEM DEVELOPMENT GUIDE

CISM ITEM DEVELOPMENT GUIDE CISM ITEM DEVELOPMENT GUIDE Updated January 2015 TABLE OF CONTENTS Content Page Purpose of the CISM Item Development Guide 3 CISM Exam Structure 3 Writing Quality Items 3 Multiple-Choice Items 4 Steps

More information

UF Risk IT Assessment Guidelines

UF Risk IT Assessment Guidelines Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an

More information

Certified Information Security Manager (CISM)

Certified Information Security Manager (CISM) Certified Information Security Manager (CISM) Course Introduction Course Introduction Domain 01 - Information Security Governance Lesson 1: Information Security Governance Overview Information Security

More information

Enterprise Risk Management

Enterprise Risk Management Cayman Islands Society of Professional Accountants Enterprise Risk Management March 19, 2015 Dr. Sandra B. Richtermeyer, CPA, CMA What is Risk Management? Risk management is a process, effected by an entity's

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Root Cause Analysis Concepts and Best Practices for IT Problem Managers

Root Cause Analysis Concepts and Best Practices for IT Problem Managers Root Cause Analysis Concepts and Best Practices for IT Problem Managers By Mark Hall, Apollo RCA Instructor & Investigator A version of this article was featured in the April 2010 issue of Industrial Engineer

More information

ISMS Implementation Guide

ISMS Implementation Guide atsec information security corporation 9130 Jollyville Road, Suite 260 Austin, TX 78759 Tel: 512-615-7300 Fax: 512-615-7301 www.atsec.com ISMS Implementation Guide atsec information security ISMS Implementation

More information

How To Transform It Risk Management

How To Transform It Risk Management The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

Analyzing the Security Significance of System Requirements

Analyzing the Security Significance of System Requirements Analyzing the Security Significance of System Requirements Donald G. Firesmith Software Engineering Institute dgf@sei.cmu.edu Abstract Safety and security are highly related concepts [1] [2] [3]. Both

More information

NIST National Institute of Standards and Technology

NIST National Institute of Standards and Technology NIST National Institute of Standards and Technology Lets look at SP800-30 Risk Management Guide for Information Technology Systems (September 2012) What follows are the NIST SP800-30 slides, which are

More information

Deriving Value from ORSA. Board Perspective

Deriving Value from ORSA. Board Perspective Deriving Value from ORSA Board Perspective April 2015 1 This paper has been produced by the Joint Own Risk Solvency Assessment (ORSA) Subcommittee of the Insurance Regulation Committee and the Enterprise

More information

Risk Mapping A Risk Management Tool with Powerful Applications in the New Economy

Risk Mapping A Risk Management Tool with Powerful Applications in the New Economy Risk Mapping A Risk Management Tool with Powerful Applications in the New Economy By Todd Williams and Steve Saporito What if your company s major business risks, obstacles to strategic objectives, and

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process Complete Web Application Security Phase1-Building Web Application Security into Your Development Process Table of Contents Introduction 3 Thinking of security as a process 4 The Development Life Cycle

More information

Improving Residual Risk Management Through the Use of Security Metrics

Improving Residual Risk Management Through the Use of Security Metrics Improving Residual Risk Management Through the Use of Security Metrics Every investment in security should be effective in reducing risk, but how do you measure it? Jonathan Pagett and Siaw-Lynn Ng introduce

More information

Lecture 7: Threat Modeling. CS 392/6813: Computer Security Fall 2007. Nitesh Saxena. *Adopted from a previous lecture by Nasir Memon

Lecture 7: Threat Modeling. CS 392/6813: Computer Security Fall 2007. Nitesh Saxena. *Adopted from a previous lecture by Nasir Memon Lecture 7: Threat Modeling CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Nasir Memon Course Admin HW 1 to 5 are graded; solutions provided HW6 being graded

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Improving Software Development Processes with Multicriteria Methods

Improving Software Development Processes with Multicriteria Methods Improving Software Development Processes with Multicriteria Methods Elena Kornyshova, Rébecca Deneckère, and Camille Salinesi CRI, University Paris 1 - Panthéon Sorbonne, 90, rue de Tolbiac, 75013 Paris,

More information

Bridgend County Borough Council. Corporate Risk Management Policy

Bridgend County Borough Council. Corporate Risk Management Policy Bridgend County Borough Council Corporate Risk Management Policy December 2014 Index Section Page No Introduction 3 Definition of risk 3 Aims and objectives 4 Strategy 4 Accountabilities and roles 5 Risk

More information

Information Technology Risk Management

Information Technology Risk Management Find What Matters Information Technology Risk Management Control What Counts The Cyber-Security Discussion Series for Federal Government security experts... by Carson Associates your bridge to better IT

More information

Guiding Principles for Implementing Enterprise Risk Management (ERM)

Guiding Principles for Implementing Enterprise Risk Management (ERM) 1 Guiding Principles for Implementing Enterprise Risk Management (ERM) SEAC Conference New Orleans November 15-17, 2006 Hubert Mueller (860) 843-7079 Towers Towers Perrin Perrin 0 ERM raises many implementation

More information

How To Understand And Understand Risk Management

How To Understand And Understand Risk Management CYBERSECURITY RISK MANAGEMENT AND INSURANCE Paul J M Klumpes Professor of Sustainable Finance and Risk Accounting by GIRO Conference September 2014 2014 R&I Conference 1 Authors Brief Paul Klumpes Professor

More information

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk 2012 The Flynt Group, Inc., All Rights Reserved FlyntGroup.com Enterprise Risk Management and Business

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz

Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz Metrics to Assess and Manage Software Application Security Risk M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz Auburn University at Montgomery (AUM) and ATILIM University, Ankara msahinog@aum.edu,

More information

STATE OF NORTH CAROLINA

STATE OF NORTH CAROLINA STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR

More information

RISK MANAGEMENT FOR INFRASTRUCTURE

RISK MANAGEMENT FOR INFRASTRUCTURE RISK MANAGEMENT FOR INFRASTRUCTURE CONTENTS 1.0 PURPOSE & SCOPE 2.0 DEFINITIONS 3.0 FLOWCHART 4.0 PROCEDURAL TEXT 5.0 REFERENCES 6.0 ATTACHMENTS This document is the property of Thiess Infraco and all

More information

Preparing for the Convergence of Risk Management & Business Continuity

Preparing for the Convergence of Risk Management & Business Continuity Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today

More information

Information Security Specialist Training on the Basis of ISO/IEC 27002

Information Security Specialist Training on the Basis of ISO/IEC 27002 Information Security Specialist Training on the Basis of ISO/IEC 27002 Natalia Miloslavskaya, Alexander Tolstoy Moscow Engineering Physics Institute (State University), Russia, {milmur, ait}@mephi.edu

More information

Chayuth Singtongthumrongkul

Chayuth Singtongthumrongkul IT is complicated. IT Governance doesn t have to be. Chayuth Singtongthumrongkul CISSP, CISA, ITIL Intermediate, PMP, IRCA ISMS (ISO/IEC 27001) Director of International Academic Alliance, ACIS Professional

More information

Negative Risk. Risk Can Be Positive. The Importance of Project Risk Management

Negative Risk. Risk Can Be Positive. The Importance of Project Risk Management The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding to risk throughout the life of a project and in the best interests t of

More information

Zurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate

Zurich s approach to Enterprise Risk Management. John Scott Chief Risk Officer Zurich Global Corporate Zurich s approach to Enterprise Risk Management John Scott Chief Risk Officer Zurich Global Corporate Agenda 1. The risks we face 2. Strategy risk and risk tolerance 3. Zurich s ERM framework 4. Capital

More information

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 Contents Executive summary Introduction Acknowledgements Part 1: Risk, risk management and ISO 31000 1 Nature

More information

Sytorus Information Security Assessment Overview

Sytorus Information Security Assessment Overview Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)

More information

Global Technology Audit Guide. Auditing IT Governance

Global Technology Audit Guide. Auditing IT Governance Global Technology Audit Guide Auditing IT Governance Global Technology Audit Guide (GTAG ) 17 Auditing IT Governance July 2012 GTAG Table of Contents Executive Summary... 1 1. Introduction... 2 2. IT

More information

External Supplier Control Requirements

External Supplier Control Requirements External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must

More information

Measurement Information Model

Measurement Information Model mcgarry02.qxd 9/7/01 1:27 PM Page 13 2 Information Model This chapter describes one of the fundamental measurement concepts of Practical Software, the Information Model. The Information Model provides

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop Small Agency Threat and Vulnerability Management Policy May 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy

More information

Software Application Control and SDLC

Software Application Control and SDLC Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to

More information

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE 5 FAH-11 H-510 GENERAL (Office of Origin: IRM/IA) 5 FAH-11 H-511 INTRODUCTION 5 FAH-11 H-511.1 Purpose a. This subchapter implements the policy

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

IT Risk & Security Specialist Position Description

IT Risk & Security Specialist Position Description Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level

More information

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY

ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY ECONOMIC ASPECTS OF CYBER/INFORMATION SECURITY Lawrence A. Gordon Ernst & Young Alumni Professor of Managerial Accounting & Information Assurance The Robert H. Smith School of Business University of Maryland

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Risk Management Framework for IT-Centric Micro and Small Companies

Risk Management Framework for IT-Centric Micro and Small Companies Risk Management Framework for IT-Centric Micro and Small Companies Jasmina Trajkovski 1, Ljupcho Antovski 2 1 Trajkovski & Partners Management Consulting Sveti Kliment Ohridski 24/2/1, 1000 Skopje, Macedonia

More information

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface.

Contents. viii. 4 Service Design processes 57. List of figures. List of tables. OGC s foreword. Chief Architect s foreword. Preface. iii Contents List of figures List of tables OGC s foreword Chief Architect s foreword Preface Acknowledgements v vii viii 1 Introduction 1 1.1 Overview 4 1.2 Context 4 1.3 Purpose 8 1.4 Usage 8 2 Management

More information

IT@Intel. Measuring the Return on IT Security Investments. White Paper Intel Information Technology Computer Manufacturing Information Security

IT@Intel. Measuring the Return on IT Security Investments. White Paper Intel Information Technology Computer Manufacturing Information Security White Paper Intel Information Technology Computer Manufacturing Information Security Measuring the Return on IT Security Investments Intel IT developed a model for measuring return on security investment

More information

Implementing COBIT based Process Assessment Model for Evaluating IT Controls

Implementing COBIT based Process Assessment Model for Evaluating IT Controls Implementing COBIT based Process Assessment Model for Evaluating IT Controls By János Ivanyos, Memolux Ltd. (H) Introduction New generations of governance models referring to either IT or Internal Control

More information

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES Contents PART I An Increasing Threat: Identity Theft The FFIEC Response Risk Assessment Fundamentals The FFIEC

More information

1.20 Appendix A Generic Risk Management Process and Tasks

1.20 Appendix A Generic Risk Management Process and Tasks 1.20 Appendix A Generic Risk Management Process and Tasks The Project Manager shall undertake the following generic tasks during each stage of Project Development: A. Define the project context B. Identify

More information

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take

More information

White Paper An Enterprise Security Program and Architecture to Support Business Drivers

White Paper An Enterprise Security Program and Architecture to Support Business Drivers White Paper An Enterprise Security Program and Architecture to Support Business Drivers seccuris.com (866) 644-8442 Contents Introduction... 3 Information Assurance... 4 Sherwood Applied Business Security

More information

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

A Risk Management Standard

A Risk Management Standard A Risk Management Standard Introduction This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk management

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches

Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches Chinese Business Review, ISSN 1537-1506 December 2011, Vol. 10, No. 12, 1106-1110 D DAVID PUBLISHING Advantages and Disadvantages of Quantitative and Qualitative Information Risk Approaches Stroie Elena

More information

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012 GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental

More information

Understanding changes to the Trust Services Principles for SOC 2 reporting

Understanding changes to the Trust Services Principles for SOC 2 reporting Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

More information

Developing an Effective Enterprise Risk Management Program

Developing an Effective Enterprise Risk Management Program Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational Risk Management - The Next Frontier The Risk Management Association (RMA) Operational risk is not new. In fact, it is the first risk that banks must manage, even before they make their first

CORPORATE GOVERNANCE

CORPORATE GOVERNANCE CORPORATE GOVERNANCE Lesson n. 9 Corporate Governance and Risk Management a.y. 2015-2016 1st semester f.buzzichelli@lumsa.it CG and Risk Management Contents 1. Corporate Risk Assessment: ERM 2. US COSO

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance WHITE paper Complying with the Federal Information Security Management Act How Tripwire Change Auditing Solutions Help page 2 page 3 page 3 page 3 page 4 page 4 page 5 page 5 page 6 page 6 page 7 Introduction

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

About Effective Penetration Testing Methodology

About Effective Penetration Testing Methodology Journal of Security Engineering, Vol. 5, No. 5, October 2008 About Effective Penetration Testing Methodology Byeong-Ho KANG 1) Abstract Penetration testing is one of the oldest methods for assessing

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

KEY TRENDS AND DRIVERS OF SECURITY

KEY TRENDS AND DRIVERS OF SECURITY CYBERSECURITY: ISSUES AND ISACA S RESPONSE Speaker: Renato Burazer, CISA,CISM,CRISC,CGEIT,CISSP KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures