Chapter-05.pptx

Managing Risk in Information Systems

Lesson 5

Defining Risk Assessment Approaches

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Components of Risk Management

Hardware Assets

Software Assets

Personnel Assets

Information / Data Assets

Reviewing this slide from Chapter 4, a Risk Assessment approach is a major part of the Risk Management process. It includes identifying the risks, analyzing those risks and prioritizing the mitigation of the risks.

We also want to remember that we are concerned about the company’s Hardware, Software, Data and Information, and People Assets.

Each of these should be considered when choosing a Risk Assessment approach.

What Is Risk Assessment?

Determination of quantitative or qualitative value of risk

Identifies which systems/assets to protect

Gives insight into which controls provide the most value

Required for evaluating risk or control

Often conducted after implementation of a control

The book tells us that there are two primary methods to assess risks:

Quantitative: using formulas to calculate the value of the risk

Qualitative: using judgment to assign a value to the probability of the risk

Once we calculate the value, we can prioritize and decide which assets to protect and analyze.

In the Cost-Benefit Analysis, we identify and evaluate the value of the controls needed to mitigate the risk.

Purpose of a Risk Assessment?

Support Decision Making

Evaluate Control Effectiveness

The steps needed in the Risk Assessment process include:

Pair the threats and vulnerabilities

Identify the likelihood that a risk will occur, based on historical data or expert opinions

Identify asset values

Determine the impact of a risk

Determine the usefulness of the control

The Risk Assessment prioritizes the risks and allows management to decide whether to Avoid, Mitigate, Transfer, or Accept each risk.

In this process we evaluate the controls to determine whether they are effective and worth implementing.

When Should a Risk Assessment Be Conducted?

When evaluating risk

When evaluating a control

Periodically after a control has been implemented

In Risk Management you have identified assets, paired threats to vulnerabilities and defined risks. Risk Assessment is needed to:

Evaluate the risk. It is important to prioritize the risks to determine which ones should be evaluated first and which risks can be accepted.

Evaluate the control. The control must be able to mitigate the risk. If it is not useful, it may not be worth implementing. Remember that these controls must be presented to management so they can decide which controls to use and which risks to mitigate or accept.

Follow up periodically to re-evaluate the risk and the corresponding controls. Assessments look at threats, vulnerabilities and controls at a point in time. Risks change over time, so the assessment must be repeated periodically to keep protecting assets.

Critical Components of Risk Assessment

Identify scope of assessment

Identify critical areas

Identify team

We discussed Scope and Scope Creep in the previous chapter. For assessments, you must define which assets to assess. The textbook gives the example of the DMZ and internal architecture: the web server within the DMZ and the database server inside the network. Does the assessment include both components, or just those within the DMZ?

From our earlier discussion about the south Texas university, we identified equipment within the IT data center, servers within Enrollment Management, and servers within each college. We chose to analyze only the servers outside the data center. Had this been too complex, or had there been resistance to assessing the college servers, the boundaries (or scope) of the assessment might have been limited to Enrollment Management.

We also discovered that the Report server was allowing users to download national IDs, which could lead to critical data breaches. Correcting this problem was critical to resolving the breaches that had the president’s visibility.

Working on this problem required identifying both systems administrators and users who could analyze the report server functionality and prioritize the risk mitigation. Let’s say there were 20 reports containing national IDs. 3 were annual reports and would not be needed for 6 months; 5 were quarterly reports and would not be needed for 2 months; 5 were used by people who never downloaded data; the remaining 7 were downloaded. These 7 are the ones to prioritize.

Quantitative and Qualitative RAs

Quantitative Risk Assessments

Uses numbers such as dollar values

Calculates absolute financial values, losses, and costs

Qualitative Risk Assessments

Calculates relative values, losses, and costs

Let’s dive deeper into the Quantitative and Qualitative Assessments.

Quantitative uses formulas to determine values. Qualitative is subjective and is based on the opinions of experts. Whereas Quantitative uses numeric values, Qualitative often uses words like Low, Medium, High.

Let’s look at some examples. If the threat is that someone will steal a server, there is a cost-to-replace associated with that piece of hardware and a cost-to-install associated with preparing the server for operations.

What is the cost of the data that might be stolen from that server? If the system was backed up, there would be the time (hours worked times salary) to reload the data. If the system was not backed up, what is the cost to recreate the data?

If the data were protected by law (e.g. a national ID), a value of $10,000 might be assigned for each instance of data being lost. How do you calculate the number of instances and the lawsuits that might be filed?

Quantitative Risk Assessment Key Terms

Single loss expectancy (SLE)

Annual rate of occurrence (ARO)

Annual loss expectancy (ALE)

Safeguard value

A Single Loss Expectancy (SLE) refers to a one-time loss. When the faculty member lost the flash drive with data, it was a single loss. The loss, based on the lawsuits that might follow, could be calculated as $20,000 per occurrence.

An Annual Rate of Occurrence (ARO) refers to the number of times an incident is expected to occur in a year. The Enrollment Management Enterprise system required the National ID as the primary identifier of the students. A new Enterprise system was purchased that used a student ID as the primary identifier and limited the use of the National ID to federal government reporting. If implementation of the new system might take a year, and National IDs would probably be lost every quarter until the new system is implemented, the ARO could be calculated as 4 (4 quarters).

The Annual Loss Expectancy (ALE) is calculated as SLE x ARO (for our example, SLE was $20,000 and ARO was 4, giving us an $80,000 ALE).

The Safeguard value is the cost of a control to safeguard the asset. When students needed help from Financial Aid, the Bursar’s or Registrar’s office, they would walk up to the counter and tell the specialist their National ID so their record could be looked up. The threat was that someone would overhear the National ID and use it illegally. A solution was to purchase key-pads, connected to the computer, where the student could enter the National ID and not have to say the ID publicly. Assuming $30 per computer and 10 computers, the safeguard value would be $300 to eliminate one or more losses of data.

Quantitative Risk Assessment Benefits

Becomes a simple math problem

Provides a cost-benefit analysis (CBA)

Accurate values for SLE, ARO, and safeguard value let you calculate CBA

Management understands quantitative methods

Formulas use verifiable and objective measurements

As you can see, the Quantitative Risk Assessment is a simple math problem.

It also provides a Cost-Benefit Analysis, as long as the values for SLE, ARO and the safeguard are accurate.

Management is often familiar with other quantitative methods, which makes it easy to grasp the concepts and the details needed to make decisions.

Finally, the costs are often easily seen – the cost of a lost laptop is $2,500.
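The arithmetic on the two preceding slides (SLE, ARO, ALE and the safeguard value, and the cost-benefit analysis they make possible) carried through in code. This is an added example, not the textbook’s or the lecturer’s own code. The dollar figures are the lecture’s ($20,000 SLE, ARO of 4, $300 for ten key-pads); the CBA formula used here (ALE before the control, minus ALE after the control, minus the annual cost of the control) and the assumption that the key-pads cut the ARO from 4 to 1 are this example’s own.

```python
"""Quantitative risk assessment arithmetic: SLE, ARO, ALE and a
cost-benefit check for a proposed safeguard.

Added example; the CBA formula and the residual ARO after the control
are assumptions made for illustration, not figures from the lecture.
"""
from dataclasses import dataclass


def aro_from_history(incidents: float, years_observed: float) -> float:
    """Annual rate of occurrence: incidents per year.
    One loss per quarter for a year gives an ARO of 4."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return incidents / years_observed


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy, dollars per incident
    aro: float  # annual rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # safeguard value: cost of the control per year
    residual_aro: float  # ARO expected once the control is in place (assumption)


def cost_benefit(risk: Risk, control: Safeguard) -> float:
    """Net annual benefit of applying `control` to `risk` (assumed CBA form):
    ALE before the control - ALE after the control - cost of the control.
    Positive means the control saves more than it costs."""
    ale_after = Risk(risk.name, risk.sle, control.residual_aro).ale
    return risk.ale - ale_after - control.annual_cost


def recommend(risk: Risk, control: Safeguard) -> str:
    """Mitigate when the control pays for itself; otherwise hand the decision
    to management, who may accept or transfer the risk instead."""
    if cost_benefit(risk, control) > 0:
        return "mitigate"
    return "accept/transfer (review)"


# Lecture figures: a National ID disclosed at the counter, expected once a quarter
NATIONAL_ID_LOSS = Risk("National ID overheard at the counter",
                        sle=20_000, aro=aro_from_history(incidents=4, years_observed=1))
# $30 per computer x 10 computers; residual ARO of 1 is a constructed assumption
KEYPADS = Safeguard("PIN key-pads at 10 counters", annual_cost=300, residual_aro=1)

if __name__ == "__main__":
    print(f"ALE before control: ${NATIONAL_ID_LOSS.ale:,.0f}")
    print(f"Net annual benefit of key-pads: ${cost_benefit(NATIONAL_ID_LOSS, KEYPADS):,.0f}")
    print(recommend(NATIONAL_ID_LOSS, KEYPADS))
```

Because every input is a number, the same function answers the slide’s limitation as well: if the ARO reduction is a guess, change `residual_aro` and see how quickly the recommendation flips.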

Quantitative Risk Assessment Limitations

Accurate data isn’t always available

Especially true when identifying ARO reductions

Ensuring that people use the control as expected

May need to take additional steps, such as training, to ensure users are aware of the importance of the control

The biggest limitation of the quantitative method is that not all costs can be defined. If you lose a server, the cost of the replacement equipment might be easy to calculate, but what about the cost of the data or the time to install the software? If you are talking about the potential loss of data, how do you estimate how many times during a year data will be lost?

As discussed early in the semester, another issue is that controls must actually be executed. If policy dictates that a laptop must be connected to a locking device when docked in the office, it assumes the user will actually follow policy. If policy dictates that no National IDs be downloaded to flash drives, how do you ensure this policy is followed? One way to mitigate this weakness is to provide additional training on policy and awareness. Some organizations make this training mandatory, often as an annual requirement.

Qualitative Risk Assessment

Subjective

Probability

The likelihood that a threat will exploit a vulnerability

Impact

The negative result if a risk occurs

As discussed earlier, Qualitative methods are subjective, using the opinions of experts and others who may or may not accurately determine the risk. What dictates a Low risk versus a Medium risk? Maybe you choose to describe it using more descriptors, such as Low, Medium-Low, Medium, Medium-High, or High.

If probability is based on ranges (10% is low; 50% is medium; 80% is high), is 10.5% still low? What about 11%? The textbook has a table that shows examples of Probability.

Impact is similar to Probability. It may be a Low, Medium or High impact, or an impact of 10 versus 50 versus 80. The textbook has a table that shows examples of Impact.

The Risk Level is calculated as Probability x Impact.

Using a Risk Matrix

Matching probability and impact

The textbook provides a number of Risks, Probabilities and Impacts.

The DoS attack was a High Probability/High Impact: 100% (or 1) probability; 100 impact, resulting in a 100 Risk Level.

The Web Defacing was a Medium Probability/High Impact: 50% (or .5) probability; 90 impact, resulting in a 45 Risk Level.

The Loss of Website data was a Medium-Low Probability/Medium-High Impact: 30% (or .3) probability; 90 impact, resulting in a 27 Risk Level.

The Data Loss was a Medium-Low Probability/Low Impact: 30% (or .3) probability; 10 impact, resulting in a 3 Risk Level.

The priority would be to define the controls needed for the highest Risk Level (DoS attack), followed by Web Defacing, then Loss of Website data and finally Data Loss (unless that risk is accepted).
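The risk matrix from this slide and the probability bands from the previous one, worked in code. This is an added example, not the textbook’s or the lecturer’s own code. The four risks and their probability and impact numbers are the lecture’s; the three-band rule for turning a number into a word (Low up to and including 10%, Medium up to and including 50%, High above that) is an assumption chosen here so that boundary cases such as 10.5% and 11% are decided the same way in every assessment, which is exactly the consistency problem the previous slide raises.

```python
"""Qualitative risk matrix: risk level = probability x impact, ranked to set
control priority, with an explicit banding rule for Low/Medium/High words.

Added example. The band boundaries are an assumption for illustration; the
lecture uses 10%, 50% and 80% as sample points, not as fixed boundaries.
"""
from dataclasses import dataclass

# Inclusive upper bound of each band; anything above the last bound is "High".
# Written down once so every assessment decides 10.5% the same way.
PROBABILITY_BANDS = [(10, "Low"), (50, "Medium")]   # percent
IMPACT_BANDS = [(10, "Low"), (50, "Medium")]        # 0-100 scale


def band(value: float, bands, top: str = "High") -> str:
    """Map a numeric value to a word using inclusive upper bounds."""
    for upper, label in bands:
        if value <= upper:
            return label
    return top


@dataclass(frozen=True)
class QualitativeRisk:
    name: str
    probability_pct: int  # 0-100: chance a threat exploits the vulnerability
    impact: int           # 0-100: severity of the negative result

    def __post_init__(self):
        # Reject out-of-range inputs rather than silently producing a bogus level
        if not 0 <= self.probability_pct <= 100:
            raise ValueError(f"probability out of range: {self.probability_pct}")
        if not 0 <= self.impact <= 100:
            raise ValueError(f"impact out of range: {self.impact}")

    @property
    def level(self) -> float:
        """Risk Level = Probability x Impact (probability as a fraction)."""
        return self.probability_pct * self.impact / 100

    def describe(self) -> str:
        """Word form, e.g. 'Medium probability / High impact'."""
        return (f"{band(self.probability_pct, PROBABILITY_BANDS)} probability / "
                f"{band(self.impact, IMPACT_BANDS)} impact")


def prioritize(risks):
    """(name, risk level) pairs, highest level first: the order in which
    controls should be defined unless management accepts a risk."""
    ranked = sorted(risks, key=lambda r: r.level, reverse=True)
    return [(r.name, r.level) for r in ranked]


# Constructed from the slide notes (textbook's sample risks)
RISKS = [
    QualitativeRisk("DoS attack", probability_pct=100, impact=100),
    QualitativeRisk("Web defacing", probability_pct=50, impact=90),
    QualitativeRisk("Loss of website data", probability_pct=30, impact=90),
    QualitativeRisk("Data loss", probability_pct=30, impact=10),
]

if __name__ == "__main__":
    for name, level in prioritize(RISKS):
        print(f"{level:5.1f}  {name}")
    for r in RISKS:
        print(f"{r.name}: {r.describe()}")
```

The banding rule is the part worth arguing over in a real assessment: the code only makes the chosen standard explicit and repeatable, it does not make the underlying expert estimates any less subjective.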

Qualitative Risk Assessment Benefits

Uses the opinions of experts

Is easy to complete

Uses words that are easy to express and understand

We have discussed the benefits of Qualitative before. One of the problems, however, is finding experts, and even then finding experts who provide solid opinions. Since opinions are subjective, they may vary based on who provides them.

As the slide shows, there is no need to research costs as the Quantitative method requires; Qualitative assessments are easy to complete and use words that are expressive.

One method to help generate Qualitative assessments is to discuss the probability and impact with other experts to come up with a consensus opinion.

Qualitative Risk Assessment Limitations

Subjective

Based on expertise of the experts

Value of the assessment is only as valuable as the expertise of the experts

No CBA

No real standards

Unlike Quantitative assessments, which use known values, this method is subjective and is only as good as the experts who provide the opinions.

If a group consensus is used, ‘group think’ may create a problem. If one expert is forceful in his or her opinion, it may cause others to accept that opinion even if they don’t necessarily agree.

Qualitative assessments cannot provide a Cost-Benefit Analysis since no exact value is calculated.

Finally, how does the company decide whether to use words or scales? Is it going to be Low, Medium or High, or 10%, 50% and 80%? Unless the standards are set up front and used across all assessments, the assessments may be inconsistent or incomplete.

The textbook provides some topics that could be included in a Risk Assessment report: Introduction; Approach; System specifications; Threat statement; Results; Controls; and Summary.

Comparing Assessment Methods

Quantitative

Objective

Monetary values

Historical data

Key terms:

SLE, ARO, ALE

Qualitative

Subjective

Word values

Expert opinions

Key terms:

Probability and impact

This slide provides a quick, side-by-side comparison of the two methods.

Risk Assessment Challenges

Using static process to evaluate a moving target

Availability of Resources & Data

Data consistency

Estimating impact effects

Providing results that support resource allocation and risk acceptance

The author had an excellent example: “Successful attacks force security experts to implement controls that are effective but attackers find new methods of attack that must be controlled”. The problem is that we often think the controls will solve the problem and that we don’t have to continuously evaluate and refine them. Consider anti-virus software. It is continuously being updated because new threats are developed and old threats are refined.

Availability of dedicated Resources includes team members who are experts on the functional and technical aspects. Management must be committed to providing the best people to work on the team regardless of the immediate impact on operations. Availability of quality Data is essential to the quality of the assessment. How do you find the best historical and operational data needed to produce accurate assessments?

Data Consistency includes data format, data collection and business change. When we converted our Enterprise Systems in south Texas, we had to migrate data into the new database structures. We found the new system’s data definitions did not match the old: 2 fields had to be merged into 1, and another field had to be split into 2. Some historical data had to be lost because no one remembered what the old values really meant. Uncertainty levels may need to be applied that indicate the validity of the data.

Loss of experts who quit or move to other positions in an organization makes it harder to estimate impact effects. The more knowledge and experience, the better the expert is at providing solid estimates. One of the problems when we converted the system was that experts left the organization for better jobs or because of burn-out.

Resource Allocation and Risk Acceptance must deal with cost-benefit considerations. Remember our discussion that security experts want to secure everything even if it costs too much, while users are more willing to take the risk to keep costs down or minimize operational impact.

Best Practices for Risk Assessment

Start with clear goals and a defined scope.

Enlist senior management support.

Build a strong RA team.

Repeat the RA regularly.

Define a methodology to use.

Provide a report of clear risks and clear recommendations.


Summary

Definition of a risk assessment

Components of risk assessments

Qualitative vs. quantitative risk assessment

When to perform risk assessments
