Information Security Technical Report, Vol 6, No. 3 (2001) 19-27
Risk Assessment
Jonathan Tregear, Senior Consultant, Insight Consulting
Introduction
The aim of this paper is to provide an overview of information security risk assessment. It is aimed at senior managers, or others who may be responsible for commissioning such studies, with the intention of providing an understanding of:
• The drivers for such assessment;
• The key terms used in this area;
• The different approaches that can be taken;
• The benefits that can be gained.
What is Risk Assessment?
So if you are asked: ‘why did the chicken cross the road?’, one possible answer is because it had assessed the risks involved and decided that the situation presented was an acceptable risk.
Every day we all make many risk assessments, probably without even realising that we are doing so. For example, we take a risk every time we cross a road, and our decision about when to cross the road or not is based on an examination of the risks, and a decision on whether or not to take that particular risk. Even in this simple example we can see the basic elements that make up any risk assessment:
• We examine the situation for potential threats, such as an on-coming car;
• We make an assessment of the level of threat they pose, i.e. the car’s distance from us and its current speed;
• We make a judgement on the chances of the threat causing an impact. This is based on factors such as our assessment of how quickly we can cross the road, what the chances are that we might slip, etc;
• We have, perhaps subconsciously, placed a value on the extent of the consequences should the threat actually occur, i.e. how much we value our lives;
• We balance these risks against our need to get across the road.
On the result of these factors we choose a course of action to ensure that we have the level of protection that we desire. These choices could be:
• Decide to wait until the on-coming car has passed;
• Walk down the street until you find a pedestrian crossing;
• Choose to run across the road.
Taking a less light-hearted view of the subject, in order to ensure the security of information systems and data, organizations need to have a sound information security programme that identifies, measures, monitors, and manages potential risk exposure. Fundamental to effective information security management is an ongoing risk assessment of threats and vulnerabilities surrounding the information and the systems on which it depends. It must identify all of the threats that could affect those assets. It must assess the risks that these threats pose and identify what actions are going to be taken to protect against these risks. Ultimately, the nature of an organization’s information security management system must reflect the risks associated with the organization’s business.
Why would I want to carry out a Risk Assessment?
Performing a sound risk assessment is critical to establishing an effective Information Security Management System (ISMS). The risk assessment provides the framework for establishing policy guidelines and identifying the necessary controls and procedures that may be appropriate to protect the organization.
When organizations contract with third-party providers for information system services, they must have a sound understanding of the risks involved and who is responsible for handling each of the risks identified. The organization needs to conduct a sufficient analysis of the provider’s information security management programme, including how the provider uses available risk assessment tools and practices.
The risk assessment is necessary to ensure:
• The assessment of threats, vulnerabilities and potential impacts has been conducted in a comprehensive and objective manner;
• The conclusions reached about the requirements for security can be agreed by all parties involved;
• There is a common basis on which to discuss the need or otherwise for particular countermeasures;
• The results have been documented in such a manner that they can be shared with people, such as external auditors, who have not been involved in the original assessment.
A risk assessment that has as its objective being the foundation of the ISMS would be very wide ranging. However, a risk assessment can be very specific, focusing on specific question(s). The types of questions that may be addressed by a risk assessment assignment include:
• What level of authentication is required for our new e-business application?
• How can I assess what cryptographic services are required?
• Does our existing security infrastructure provide adequate protection for our new ERP system?
• Is the physical security at our data centre adequate?
• How can I justify security expenditure to the board?
• How can I demonstrate to others that the protection we have in place is sufficient given the threats that we face?
Other examples of questions that may be considered during the risk assessment process include:
• Identify mission-critical information systems;
• Determine the extent of compliance with information security standards, such as BS 7799;
• Determine the effectiveness of current information security programs;
• Demonstrate that controls are appropriate to meet business need as indicated in initiatives such as the Turnbull report;
• Assess the importance and sensitivity of information, and the likelihood of outside break-ins (e.g. by hackers) and insider misuse of information;
• Assess the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the organization's system;
• Determine legal implications and contingent liability concerns associated with any of the above. For example, if hackers successfully access an organization's system and use it to subsequently attack others, the organization may be liable for damages incurred by the party that is attacked.
Why does a Risk Assessment have to be a formal method?
Reliably assessing information security risks can be more difficult than assessing other types of risks, because the value of the data as well as the level of risk is continually changing. For example:
• Data is limited on certain threats, such as the likelihood of a sophisticated hacker attack and the costs of damage, loss, or disruption caused by events that exploit security weaknesses;
• Some costs, such as loss of customer confidence or disclosure of sensitive information, are inherently difficult to quantify;
• Although the cost of the hardware and software needed to strengthen controls may be known, it is often not possible to precisely estimate the related indirect costs, such as the possible loss of productivity that may result when new controls are implemented; and
• Even if precise information were available, it would soon be out of date due to fast-paced changes in technology and factors such as improvements in tools available to would-be intruders.
This lack of reliable and current data often prevents precise determination of which information security risks are the most significant and comparison of which controls are the most cost-effective. As a result of these limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment whilst avoiding costly attempts to develop seemingly precise results that are of questionable reliability.
The method has to be formal because:
• It needs to be ‘repeatable’, so that if two people were to conduct a risk assessment on the same system they would identify the same problems;
• The results should be based on known and accepted standards;
• The results can be explained to people from outside of the organization, as well as people inside the organization.
How Risk Assessments are conducted
As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, risk assessments generally include the following elements:
• Identifying threats that could harm and thus adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters;
• Estimating the likelihood that such threats will occur based on historical information and the judgement of knowledgeable individuals;
• Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat occur, in order to determine which operations and assets are the most important;
• Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat was to occur, including recovery costs;
• Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls;
• Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. Risk assessment methods can be roughly divided into two basic approaches:
• Quantitative assessments;
• Qualitative assessments.
When reliable data on likelihood and costs are not available, a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. Qualitative assessments are likely to depend more on the expertise, experience, and judgement of those conducting the assessment. This distinction can become blurred in some cases, because it is possible to use a combination of quantitative and qualitative methods in the same risk assessment.
Quantitative Risk Analysis
A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on:
• The likelihood that a damaging event will occur;
• The costs of potential losses;
• The likelihood that the damaging event will actually cause the potential losses;
• The costs of mitigating actions that could be taken.
Quantitative risk analysis makes use of a single figure produced from these elements. This is called the ‘Annual Loss Expectancy (ALE)’ or the ‘Estimated Annual Cost (EAC)’. This is calculated for an event by simply multiplying the potential loss by the probability. It is therefore theoretically possible to rank events in order of risk (ALE) and to make decisions based upon this.
There are two great problems that afflict Quantitative Risk Assessments. First, calculating all the outage costs is very difficult and subject to great debate among management. This time consuming activity may delay plan development for many months. Moreover, once the cost figures are finalised, they are subject to constant change due to the changing business climate and practices. The second great problem is calculating the probabilities. This is also very difficult and often requires many subjective conclusions. For example, what is the effect of modernising the sprinkler system on the level of damage experienced by a particular type of fire? Each countermeasure can significantly alter both the cost and the probability. Moreover, the probability of any particular event tends to be quite small, often less than one percent. Such low probability figures tend to cause management to decide against disaster recovery planning by fostering the idea that no disaster will befall them - many believe that disasters only happen to others.
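The ALE calculation and the countermeasure trade-off described above, as an added worked example in Python (not code from the paper); every event name, loss figure, probability and countermeasure parameter is constructed sample data, and the cost-justification rule (ALE reduction minus annual control cost) is the usual reading of the paper's approach, not a formula it states.

```python
"""Annual Loss Expectancy (ALE) worked example.

Added illustration of the quantitative approach described above; it is not
code from the paper. Event names, loss figures, probabilities and the
countermeasure parameters are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    potential_loss: float       # cost of a single occurrence, in currency units
    annual_probability: float   # estimated chance of one occurrence per year

    def ale(self) -> float:
        """ALE (the paper's 'Estimated Annual Cost') = potential loss x probability."""
        return self.potential_loss * self.annual_probability


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float               # annualised cost of operating the control
    loss_factor: float = 1.0         # multiplier applied to the potential loss
    probability_factor: float = 1.0  # multiplier applied to the probability

    def apply(self, event: Event) -> Event:
        """Return the event as it would look with this control in place.
        A control may change the loss, the probability, or both (the paper's
        sprinkler example changes the damage a fire does, not its chance)."""
        return Event(event.name,
                     event.potential_loss * self.loss_factor,
                     min(1.0, event.annual_probability * self.probability_factor))


def rank_by_ale(events: list[Event]) -> list[Event]:
    """Order events by ALE, highest first: the ranking the paper describes."""
    return sorted(events, key=lambda e: e.ale(), reverse=True)


def net_benefit(event: Event, control: Countermeasure) -> float:
    """Annual ALE reduction minus the control's annual cost.
    Positive means the control pays for itself on ALE alone; negative means
    the residual risk is cheaper to carry than the control."""
    return event.ale() - control.apply(event).ale() - control.annual_cost


# Constructed sample data (not figures from the paper)
EVENTS = [
    Event("server room fire", potential_loss=2_000_000, annual_probability=0.005),
    Event("virus outbreak", potential_loss=250_000, annual_probability=0.20),
    Event("laptop theft with client data", potential_loss=50_000, annual_probability=0.30),
    Event("power failure at data centre", potential_loss=20_000, annual_probability=0.60),
]
SPRINKLERS = Countermeasure("modernise sprinkler system", annual_cost=4_000, loss_factor=0.25)
UPS = Countermeasure("install UPS", annual_cost=8_000, probability_factor=0.10)
LAPTOP_CRYPTO = Countermeasure("encrypt all laptops", annual_cost=20_000, loss_factor=0.10)

if __name__ == "__main__":
    # The paper's caveat in action: the fire has the largest single loss but,
    # with a probability below one percent, it ranks last by ALE.
    for e in rank_by_ale(EVENTS):
        print(f"{e.name:32s} ALE = {e.ale():>10,.0f}")
    for event, control in [(EVENTS[0], SPRINKLERS), (EVENTS[3], UPS), (EVENTS[2], LAPTOP_CRYPTO)]:
        verdict = "justified" if net_benefit(event, control) > 0 else "not justified"
        print(f"{control.name:28s} on {event.name}: {net_benefit(event, control):>+9,.0f} ({verdict})")
```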
Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used. Most qualitative risk analysis methodologies make use of a number of interrelated elements:
Threats
These are things that can go wrong or that can ‘attack’ the system. Examples might include fire or fraud. Threats are ever present for every system.
Vulnerabilities
These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).
Controls
These are the countermeasures to the threats. There are five basic types:
• Deterrent controls reduce the likelihood of a threat occurring;
• Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact;
• Corrective controls reduce the effect of a threat;
• Detective controls discover attacks and trigger preventative or corrective controls;
• Recovery controls help restore the situation to normal after an incident has occurred.
These elements can be illustrated in the following simple risk model:
[Figure: simple risk model, not reproduced. Labels recovered from the figure: ASSETS, THREATS, VULNERABILITIES, ANALYSIS, RISKS, MANAGEMENT, COUNTERMEASURES]
What threats should a Risk assessment cover?
Range of threats
A sound risk assessment method can cover many threats, including:
• Deliberate threats to the information system, such as hacking, viruses, unauthorised use of the system;
• Communication threats, such as mis-routing, non-delivery, repudiation of messages;
• Failures of equipment, such as servers or gateways, or failures of supporting services such as power or air conditioning units;
• Errors by people, including those by operators, programmers and users;
• Physical threats, such as theft or wilful damage, or environmental threats, such as fire or flood.
When management is setting up a review, it is essential that they should identify which threats they are concerned about and, where appropriate, focus the risk assessment on those areas that are relevant to the problems that they are facing. This section presents some of the sources of threat that are relevant to information systems.
Deliberate threats to information systems
The Internet provides a wealth of information to organizations and hackers alike on known security flaws in hardware and software. Using almost any search engine, the average Internet user can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers also may breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorised access to a system. In reality, the threat from internal sources is typically greater than that posed by external sources. It should not be overlooked that insiders now have the same level of access to all the information about weaknesses, and the tools to exploit those weaknesses, that is documented on the Internet as the most experienced hacker.
Communications Threats
Listed below are a few of the more common forms of communications threats:
• Denial of service attacks, where an attacker attempts to prevent a system or gateway from operating as it is intended;
• Internet Protocol (IP) spoofing, a form of attack that allows an intruder via the Internet to effectively impersonate a local system’s IP address in an attempt to gain access to that system;
• Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either non-destructive or destructive outcomes in the host computer programs.
Failures of Equipment or Support Services
Over the last few years the pace of change in networking technology has been breathtaking. Types of network that were considered state of the art only two or three years ago are now considered to be yesterday’s technology. The introduction of more modern networks has increased the performance and capacity of the networking infrastructure to such an extent that businesses are now in a position to change the manner in which they work. Organizations are no longer constrained to operating from fixed locations, or having all their staff working from the office.
These benefits have also brought risks. The more businesses exploit the advantages of modern networking technologies, the more they come to rely on that technology. Therefore, when planning or enhancing a network, it is essential that resilience is built into its design.
As the diagram above shows, a loss of service on the network can arise from many causes, including:
• Failure of the hosts;
• Breaks in the cables;
• Power failures;
• Operator errors;
• Network software failures.
Errors by people
Errors by people can lead to consequences just as damaging as some deliberate attacks, but such mistakes occur significantly more frequently. The types of errors that need to be covered include:
• Operator errors;
• Application programmer errors;
• Hardware and software maintenance errors;
• User errors.
Physical and Environmental Threats
Organizations have always faced physical and environmental threats, but the loss of centralised information systems means that the consequences of these threats can be far more significant than used to be the case. Even threats such as theft have changed as a result of changes in technology. The amount of information that can be removed by a thief on a lap-top or even a single CD would previously have required the thief to have carried off a large filing cabinet.
What tools are available to support Risk Assessments?
Prior to the introduction of software based risk management packages, it was not uncommon for a risk assessment project to involve a team of three to six for anywhere up to six months. Nowadays, there are many sophisticated software packages that assist in conducting risk assessment exercises, which makes the process of conducting the reviews much quicker, and allows the information gathered to be shared with other reviews that follow the original review. The process of selecting risk assessment software is not substantially different from that used to select any other software package. When selecting a package, you should bear in mind that the package is a tool, not a solution. The package provides the structure, based on an underlying method, but it does not replace the basic skills and knowledge of the risk analyst.
The types of considerations that you need to bear in mind include:
Organizational Standards
Is the tool consistent with the standards that apply to your organization? If the method is qualitative, are the metrics and sources of expertise that it is built upon ones that you would accept?
Training
Is there training in the use of the method available? What type of training is required?
Type of Reports required
What types of report can the tool deliver? Is there any ad-hoc reporting capability?
Data entry
How is data entered into the tool? Is it possible to selectively copy data from one assessment to another?
Consulting
Is there consultancy support available, if required? Is there any method support included within the cost of the tool?
Configuration management
What requirements are necessary for updates or new versions of software? What is the cost of updates? What is the cost of on-going maintenance?
User friendliness
Is the software ‘menu driven’ so that the user is guided through the various functions of the software? How useful/comprehensive is the on-line help? Is the underlying method easy to understand?
Modelling capabilities
Can the product provide the capability to perform ‘what if’ modelling?
Cost
What is included in the cost of the product? Can the software run on more than one machine? Are there quantity discounts? If you are a geographically dispersed organization with multiple sites, do you have to purchase a copy for each site?
There are over 100 risk assessment packages on the market place at the moment, so the table below lists only a few of the leading packages:
Package, supplier and web site:
• Cobra, C & A System Security: http://www.securityrisk.co.uk/bs7799/riskmeth.htm
• CRAMM, Insight Consulting: http://www.insight.co.uk/home.htm
• MARION: http://www.pix.za/irc/marion.htm
• Risk Watch, Risk Watch: http://www.riskwatch.com/
A more comprehensive table of risk assessment methods is available in Appendix B.
What can Risk Assessments achieve?
Evidence from organizations that have used formal risk assessment programs indicates that such work is important in supporting their business activities and provides several benefits.
First, and perhaps most importantly, risk assessment programs help ensure that the greatest risks to business operations are identified and addressed on a continuing basis. Such programs help ensure that the expertise and best judgements of their personnel are tapped to develop reasonable steps for preventing or mitigating situations that could interfere with accomplishing the organization’s mission. Second, risk assessments help personnel throughout the organization better understand the risks to their business operations, giving them the motivation to avoid risky practices, such as disclosing passwords or other sensitive information, to be alert for suspicious events and to support security improvements. This understanding grows, in part, from improved communication between business managers, system support staff, and security specialists.
Further, risk assessments provide a mechanism for reaching a consensus on which risks are the greatest and what steps are appropriate for mitigating them. The process of conducting a risk assessment encourages discussion and enables disagreements to be resolved. This, in turn, makes it more likely that business managers understand the need for agreed upon controls, feel that the controls are aligned with the unit’s business goals, and therefore support their effective implementation.
Finally, a formal risk assessment program provides an efficient means for communicating assessment findings and recommended actions to business unit managers as well as to senior corporate officials. Standard report formats and the periodic nature of the assessments provide organizations with a means of readily understanding reported information and comparing results among units over time.
Appendix B – Risk Management Software
The following table shows some of the risk assessment methods that are currently on the marketplace, in alphabetic order. This list is not intended to be comprehensive.
@Risk, ALARM, Analyze, ARES, AROME, ASIS, BDSS, BP, BRISK, Buddy System, BULLRAM, CBISS, CRAMM, Chase Manhattan, Citicorp Risk Assessment, COBRA,
Control Matrix, Control-IT, COSECO, CRITI-CALC, CSAEP, CVRP, DDIS, DHSS, DIAPASON, EBP, EDVS, FIPS Pub 65, Fitzgerald’s, GRA/SYS, GRAM, IST/RAMP,
IBM, ICI, IFAL, JANBER, LAVA, LRAM, MACS, MARION, MELISA, M2 Risk, MicroSecure, MINIRISK, PARI/AEROSPATIALE, Predict, PRISM, PSICHE,
QuikRisk, RA/SYS, RANK-IT, REASSURE, RISK, RiskCalc, Risk Manager, RiskPAC, RiskWatch, Sara/Sprint, SISS, Sofine, SOS, SPAN, SBA, US Navy Risk Assessment Method.