4/16/23, 1:26 PM Chapter 5 Managing Risk to an Acceptable Level | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/016-9781466551282-005.xhtml 1/38
5
Managing Risk to an Acceptable Level
Attachment is the great fabricator of illusions; reality can be attained only by someone who is detached.
Simone Weil, 1909–1943
Risk analysis is a much discussed area in the information security field for several reasons. First, risk analysis is core to understanding the state of information security that exists within the company. The process of risk analysis uncovers how well the control environment is protecting the information assets. Second, risk analysis helps organizations target information security expenditures where they are most needed and is used to allocate funds to the appropriate security controls. Finally, risk analysis and management is very subjective in nature and tends to be more art than science. Even though the process may be more art than science, there are still processes that can be followed to increase the likelihood that the risk analysis will be useful to the organization and provide visibility into the risks that the organization is exposed to. Artists are very creative in nature and can look at an object and see something different from what a normal person may see. The artist then paints that object using techniques, or the science, that he has learned to create the appropriate texture, shading, design, symmetry, and so forth to express the image he is feeling. Many times the artist experiments with different substances and types of painting, drawing, sculpting, and so on to reach the desired end state through trial and error. The security officer or risk manager creates a risk assessment in a similar manner, starting with a methodology, concepts, and experiences, and formulating the best depiction of the organization. Just as the finished painting is an expression of a snapshot in time, so is the risk assessment.
Risk in Our Daily Lives
Every day we are subject to threats and are vulnerable to some undesired event happening that is not within our control. We cannot stop the threat from occurring; however, we can minimize the impact of the event by the steps that we have taken or will take when the event happens. Consider the protection we implement daily to protect our automobiles from theft. Most of us lock the car doors when we park our car at the mall. The car manufacturers have decided that on more expensive cars the risk of being stolen is perceived to be greater and therefore have implemented alarms and flashing lights inside the cars to act as a deterrent. Some consumers feel an alarm is not enough and have equipped their vehicles with a tracking device, such as one made by LoJack, to notify the police of the vehicle’s whereabouts if stolen. Other consumers have felt that a lock over the steering wheel, known as the “club,” would provide the adequate level of protection. And then there is the limousine driver who would not leave his vehicle unattended under any conditions.
In the automobile example, each of us may make a different decision when it comes to the security that we would place on our car. We arrive at our decisions based upon our past experiences, the value we place on our cars, the likelihood that we believe it will be stolen, whether we will be reimbursed through insurance if the car is stolen, or our general feeling that society is either a good place with primarily good people or an inherently bad place with many ill-intentioned people. Some individuals may feel it is perfectly normal to leave the engine running while running into the mall for “just a second.”
We take risks unconsciously every day, whether or not we recognize it at the time. We may cross the street 30 times a day and the risks we are taking never enter our mind. Then one day, you receive a phone call that your 17-year-old son has been hit by a car going 25 miles per hour through a crosswalk protected by a school crossing guard. Is the solution to keep him home from school in the future? Erect a bridge over the street to cross? Put up additional signs advising cars to slow down more in the school zone? Each of these could be implemented, albeit at different costs. So we accept the risk, and after an event happens, we are typically more cautious and aware of the potential dangers. Our goal should be to identify as many threats up front as possible so that we do not have to incur the damage of each event to learn from it. We should not need to be hit by a car to understand the risks of crossing the street or have our car stolen before we lock our car doors.
Accepting Organizational Risk
Just as we accept a certain amount of risk in our daily lives, organizations accept daily risk also, whether or not they have completed a formal risk analysis. Risk is inherent in everything that we do, and there is no such thing as a risk-free activity. Why do banks offer an interest rate to hold your money in the form of a certificate of deposit (CD)? Because there is a risk that the money will be worth less in the future due to inflation, and we need to be compensated for that risk. The stock market traditionally compensates at 11% over time for stocks. Why? Because of the risk we are taking in investing in these companies that their products or services may not produce the expected income. Whether investors recognize this or not, whether investing in CDs or stocks, they are taking on risk and are being compensated for the risk.
The danger for an organization occurs when risks are being accepted implicitly without providing visibility that the risk is being accepted. In this scenario, the company may be taking on more risk than it can afford. For example, say that a small office space is available at a great price on the second floor of a building occupied by other tenants. The company could proceed on the basis that the office space is the perfect size and very cost competitive. However, if the building’s surroundings were not evaluated properly, the company may be taking on too much risk. If, for example, there was a restaurant directly below, the company would be taking on the risk of business disruption or permanent loss should the restaurant have a fire. A risk analysis would reveal the threat, and while the threat could still be accepted (e.g., with off-site backups or paperless scanning put in place to minimize the impact of the damage should a fire occur), the acceptance would be a conscious decision based upon review of the facts. This approach is much better than waiting until the event happens and being unaware of the risks that are being implicitly accepted.
Just Another Set of Risks
Executives face risk-based decisions every day. Should the new product be launched? Should we open 100 more stores? Does it make sense to merge with this other organization? Should we close this factory and move the jobs to another state? Should we compete for this business? And so on. The risks related to protecting the information assets of the organization represent just another set of risks.
The security officer needs to be cognizant of this fact when delivering the risk message. Just as the executive must accept a certain amount of risk to proceed with any plan, the security officer must be willing to facilitate the risk discussion without an all-or-nothing approach to risk. Security departments traditionally have been criticized for their first reaction to a new idea being similar to “No, we can’t do that, it would not be secure.” This posturing has earned many security departments the distinction of being the “‘no’ department.” What does this say about the level of risk acceptance that the security officers feel the organization should accept? The answer is none. A better approach is to examine the desired end state the executive is trying to achieve and work toward a solution that enables the use of the technology or process in a secure manner.
Management Owns the Risk Decision
The security officer acts as the facilitator for the risk decisions and should not be the one making them. Risk is owned by the management of the company, as it is through their operational areas that the risk is present and through their areas that the risk must be controlled. The security officer must manage risk within his or her own departments as well, and is the owner ensuring that agreed-upon policies and procedures are followed to mitigate the risk.
Security officers and their teams bring security expertise to the discussion, which will assist management in making informed decisions. Alternatives can be presented and recommendations made; however, the level of risk accepted is decided by management after the information has been presented. One useful technique to ensure that risk is appropriately understood and accepted is to formally require that the person accepting the risk sign a document accepting the risk. When people have to apply their signature to a document, they tend to review what is being agreed upon more closely.
A risk acceptance agreement could include the following key items:
Description of the threat/vulnerability
Description of the mitigating controls currently implemented
Residual (remaining) risk to the organization
Controls evaluated but not implemented and reason why
Justification for accepting risk
Level of risk (high, medium, low)
Timeframe of the acceptance (typically no more than 1 year)
Future plans to mitigate risk
Departments impacted
Approximate dollar impact expected should the vulnerability be exploited
Signature(s)/title(s)
By including these variables, it should be clear that the risk must have a business justification, is not approved for an indefinite period, and must have a plan for mitigating the risk now as well as providing for a future scenario where the acceptance form is not needed.
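As an added example (not code from the book), the following Python encodes these key items as a record and checks the points the paragraph makes: a business justification and a future mitigation plan are present, someone has signed, and the acceptance expires within one year. The field names, validation rules, and the sample restaurant scenario are this example’s own assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed example: a minimal risk acceptance record built from the key items
# listed in the chapter. Field names and validation rules are assumptions made
# for this illustration, not a standard form.

MAX_ACCEPTANCE_DAYS = 365                      # "typically no more than 1 year"
RISK_LEVELS = ("high", "medium", "low")


@dataclass
class RiskAcceptance:
    threat: str                                # description of the threat/vulnerability
    current_controls: List[str]                # mitigating controls already in place
    residual_risk: str                         # remaining risk to the organization
    rejected_controls: Dict[str, str]          # control evaluated but not implemented -> reason
    justification: str                         # business justification for accepting
    level: str                                 # high / medium / low
    accepted_on: date
    expires_on: date                           # timeframe of the acceptance
    mitigation_plan: str                       # future plans to mitigate the risk
    departments: List[str]                     # departments impacted
    dollar_impact: float                       # approximate impact if exploited
    signatories: List[Tuple[str, str]]         # (name, title) of each person signing


def validate(acc: RiskAcceptance, today: date) -> List[str]:
    """Return the reasons the record should not stand (empty list if it is acceptable)."""
    problems = []
    if acc.level not in RISK_LEVELS:
        problems.append(f"unknown risk level {acc.level!r}")
    if not acc.justification.strip():
        problems.append("missing business justification")
    if not acc.mitigation_plan.strip():
        problems.append("missing plan to mitigate the risk in the future")
    if not acc.signatories:
        problems.append("no signature/title: nobody is on record as owning the risk")
    if acc.expires_on <= acc.accepted_on:
        problems.append("expiry date must be after the acceptance date")
    elif (acc.expires_on - acc.accepted_on).days > MAX_ACCEPTANCE_DAYS:
        problems.append("acceptance period exceeds one year; indefinite acceptance is not allowed")
    if acc.expires_on < today:
        problems.append("acceptance has expired and must be re-reviewed")
    if acc.dollar_impact < 0:
        problems.append("dollar impact cannot be negative")
    return problems


def due_for_review(register: List[RiskAcceptance], today: date, within_days: int = 30) -> List[str]:
    """Threats whose acceptance expires within `within_days` of today (or already has)."""
    horizon = today + timedelta(days=within_days)
    return [acc.threat for acc in register if acc.expires_on <= horizon]


# Constructed sample: the office-above-a-restaurant scenario from the chapter.
RESTAURANT_FIRE = RiskAcceptance(
    threat="Fire in the restaurant on the floor below destroys the office",
    current_controls=["Nightly off-site backups", "Paperless scanning of records"],
    residual_risk="Loss of on-site equipment; up to one week of disruption",
    rejected_controls={"Relocate to a different building": "Comparable space costs 40% more"},
    justification="Lease saves $60,000 per year; backups limit the loss to replaceable equipment",
    level="medium",
    accepted_on=date(2023, 1, 15),
    expires_on=date(2024, 1, 10),              # 360 days: inside the one-year window
    mitigation_plan="Re-evaluate at lease renewal; price fire-rated floor insulation in Q3",
    departments=["Operations", "Finance"],
    dollar_impact=150_000.0,
    signatories=[("A. Example", "Chief Operating Officer")],
)

# Constructed counter-example: the same risk accepted for two years with nobody signing.
UNSIGNED_INDEFINITE = replace(RESTAURANT_FIRE, expires_on=date(2025, 1, 15), signatories=[])

if __name__ == "__main__":
    print(validate(RESTAURANT_FIRE, date(2023, 2, 1)))
    print(validate(UNSIGNED_INDEFINITE, date(2023, 2, 1)))
    print(due_for_review([RESTAURANT_FIRE], date(2023, 12, 20)))
```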
Qualitative versus Quantitative Risk Analysis
One of the difficulties with performing risk analysis is the availability of objective risk information from past experiences. Companies do not typically share information on the risks they have accepted or the occurrence of unfavorable events. Consulting firms typically establish a practice for risk consulting and leverage their firm’s internal knowledge across clients, or databases that have been accumulated by the government or by software companies producing risk management products.
Quantitative risk analysis attempts to place a dollar value on the cost of accepting risk versus the cost of implementing controls to reduce the risk level. These analyses can be very voluminous, as each risk is measured using statistical information or historical dollar values and probabilities of the event occurring.
Qualitative risk analysis is widely used due to the relative ease of understanding and speed of the analysis. This analysis estimates the potential loss or impact and the likelihood that the events would occur in a manner similar to the quantitative analysis, with the exception of using values such as Low, Medium, and High for probabilities and impacts. This is in contrast to attempting to use dollar values for the impacts, on which it is very difficult to obtain agreement, and probability factors for the likelihood. Since there is no universally accepted, accurate master “probability database,” the quantitative method tends to try to apply precision to an assessment that is inherently subjective. For this reason, the quantitative method has limited use, and the qualitative method is easier for management to quickly grasp the risks in terms of Low, Medium, and High values.
Risk Management Process
The quantitative risk analysis process has the ability to provide a great deal of information; however, for many organizations, a qualitative risk analysis can arrive at similar conclusions in less time and with less cost. Quantitative analyses give the appearance of providing precise measurements or dollar amounts related to the risk; however, these calculations are also many times based upon the same subjective probability measures that the qualitative measures are based upon. In practice, management seems to grasp the simpler high, medium, and low assignments to risk coming out of the qualitative analysis. For this reason, the subsequent sections outline a very pragmatic step-by-step approach to risk analysis that can be used for almost any size organization. Those familiar with the NIST 800-30 risk management process will recognize the approach, as it is consistent with the concepts articulated there (NIST, 2002).
Risk Analysis Involvement
To properly conduct a security risk analysis, the right technical and management staff need to be included. The resulting analysis is only as good as the accuracy of the picture that can be painted of the current environment. The list of involved participants should include
Chief information officer
Chief security officer/security director/security manager
Senior management
Middle management
Internal audit
System and information owners
Business and functional management owners
IT security practitioners
Infrastructure personnel
There will be others who may need to be called into the process to participate in the interviews, such as facilities, the data center manager, human resources, and physical security.
Step 1: Categorize the System
Documenting the business application of the system ensures that the system or area being assessed is clear to those involved in the interviews and to the person analyzing the system. The business description should include only the business specifics of the system. What is the system being used for? Who will be the users? What is the primary functionality? The definition establishes the scope and boundaries under review.
Once the business functions have been written, the technical description of the infrastructure, at a high level, is documented. This provides the basis for review of the technical components of the system that is supporting the business function.
The controls that are implemented to protect a system and its information ultimately depend upon the criticality and sensitivity categorization of the system. For low criticality systems, it would be unnecessary to spend the same amount on controls as is spent to protect systems that have been categorized as high criticality or sensitivity. This is analogous to building a 15-foot-high fence around your house to keep the neighbors from looking into your yard.
The Federal Information Processing Standard (FIPS) 199 provides guidance for categorizing systems according to their attributes of confidentiality, integrity, and availability (NIST, 2004). As shown in Table 5.1, a system is categorized as high for confidentiality if the loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. If the loss of confidentiality was deemed to have a serious effect, then the system would be categorized as medium with respect to confidentiality. Likewise, if the effect is determined to be limited, then the categorization would be low for confidentiality.
Table 5.1 System Categorization (FIPS Publication 199), by security objective and impact level
Confidentiality
Low: The loss of confidentiality could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The loss of confidentiality could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity
Low: The loss of integrity could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The loss of integrity could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The loss of integrity could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability
Low: The loss of availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The loss of availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High: The loss of availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Source: National Institute of Standards and Technology (NIST). 2004. Standards for security categorization of federal information and information systems, FIPS PUB 199. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
The categorization continues by looking at the dimensions of integrity and availability using similar criteria. If the loss of integrity could be expected to have a severe or catastrophic effect on organizational operations, assets, or individuals, the categorization with respect to integrity would be high; a serious effect would make it medium, and a limited effect would make it low. Similarly, the availability dimension is categorized as high, medium, or low depending upon whether the effect of a loss of availability would be severe or catastrophic, serious, or limited.
The final categorization of the system is done by reviewing each of the categorizations for confidentiality, integrity, and availability, and selecting the categorization that best protects the system. For example, if both confidentiality and availability are considered high, and integrity is considered a medium concern, then an appropriate response would be to select those controls that would provide a high level of assurance. For example, the Centers for Medicare and Medicaid Services (CMS) determined that the health records of the Medicare population should be rated as high, primarily due to the high confidentiality requirement and the damage that would be caused if the records were inadvertently disclosed to the wrong parties (CMS, 2009). This would undermine trust in the government’s (and its contractors’) ability to protect the health insurance information. Availability is important, but a lesser concern, as the information is not needed on an immediate, real-time basis for the payment of claims. This would contrast with a provider of ATM services, where although confidentiality would be very important, availability would be very important as well.
By now the question that may be coming to mind is, “How do I accurately decide between severe, catastrophic, serious, or limited?” This assessment, as with much of risk analysis as previously stated, is subjective in nature. The best way to answer this is to evaluate what the impact would be in terms of shutting down the business for a few days, causing a major public relations nightmare, or causing an unrecoverable situation. The higher the categorization of the system, the more stringent the controls and the more expense that will have to be incurred to protect the system. Google and Yahoo Internet-facing search engines would assuredly garner a high availability rating and require security controls such as highly redundant hardware to ensure availability. They would also need extensive monitoring for attacks and proactive measures to detect denial of service attacks. In other words, classifying the system is an important step, as all other controls that are selected flow from the categorization. The NIST 800-53 controls (shown in Chapters 8 to 10) provide a set of controls and enhancements to the controls based upon the categorization of the system (high, medium, or low).
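As an added illustration of the categorization described in Step 1 (not code from the book), the following Python applies the FIPS 199 impact levels from Table 5.1 and the high-water-mark rule (the overall category is the highest rating across the three objectives) to the health-records and ATM cases; the integrity ratings, and any other value the text does not state, are constructed assumptions, and the helper names are this example’s own.

```python
from enum import IntEnum
from typing import Dict


class Impact(IntEnum):
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


# Adjectives used in Table 5.1, mapped to the impact level they imply.
EFFECT_TO_IMPACT: Dict[str, Impact] = {
    "limited": Impact.LOW,
    "serious": Impact.MODERATE,
    "severe": Impact.HIGH,
    "catastrophic": Impact.HIGH,
}

OBJECTIVES = ("confidentiality", "integrity", "availability")


def impact_from_effect(effect: str) -> Impact:
    """Translate the assessed effect of a loss ("limited", "serious", ...) into a level."""
    try:
        return EFFECT_TO_IMPACT[effect.strip().lower()]
    except KeyError:
        raise ValueError(f"effect must be one of {sorted(EFFECT_TO_IMPACT)}, got {effect!r}")


def categorize(effects: Dict[str, str]) -> Dict[str, Impact]:
    """Rate each objective, then apply the high-water mark: the system's overall
    category is the highest rating across confidentiality, integrity and availability."""
    missing = [o for o in OBJECTIVES if o not in effects]
    if missing:
        raise ValueError(f"no effect assessed for {missing}")
    rated = {o: impact_from_effect(effects[o]) for o in OBJECTIVES}
    rated["overall"] = max(rated[o] for o in OBJECTIVES)
    return rated


def security_category(rated: Dict[str, Impact]) -> str:
    """Render the result in the SC = {(objective, impact), ...} notation used by FIPS 199."""
    pairs = ", ".join(f"({o}, {rated[o].name})" for o in OBJECTIVES)
    return f"SC = {{{pairs}}} -> {rated['overall'].name}"


# Worked cases. The chapter gives the confidentiality and availability ratings for the
# first two; the integrity values and the brochure system are constructed assumptions.
HEALTH_RECORDS = {"confidentiality": "catastrophic",   # disclosure undermines trust
                  "integrity": "serious",              # assumed
                  "availability": "serious"}           # claims are not paid in real time
ATM_SERVICE = {"confidentiality": "severe",
               "integrity": "serious",                 # assumed
               "availability": "severe"}               # an outage stops every transaction
PUBLIC_BROCHURE = {"confidentiality": "limited",       # assumed low-criticality system
                   "integrity": "limited",
                   "availability": "limited"}

if __name__ == "__main__":
    for name, effects in (("health records", HEALTH_RECORDS),
                          ("ATM service", ATM_SERVICE),
                          ("public brochure", PUBLIC_BROCHURE)):
        print(f"{name}: {security_category(categorize(effects))}")
```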
Step 2: Identify Potential Dangers (Threats)
Threats are those dangers that have the potential to cause harm to our business and the systems that we support. Threats are not necessarily what has happened in the past but rather those dangers that our organizations face and that we should have a response in place for. A threat may or may not be exploited, as we may not be vulnerable to that threat because of other control measures that have been implemented. Each organization should brainstorm the threats specific to its industry, which may include human, environmental/physical, or technical threats.
Human Threats As long as we have people working in our organizations, they will be our most valuable asset and at the same time be considered a threat. Through acts of carelessness, inadvertent compromises of security, or malicious intent, the human factor must be considered as a threat source. A listing of potential human threats is shown in Figure 5.1.
Figure 5.1 Human threats.
Environmental/Physical Threats Environmental risks typically are focused on the environmental systems protecting the computing environments in data centers and server rooms, where temperature and humidity control is important to protect the associated equipment. Other threats such as fires, lack of power, and so forth are noted in Figure 5.2.
Figure 5.2 Environmental/physical threats.
Technical Threats Technical threats such as unauthorized access, infrastructure intrusion, or inadvertent configuration errors can permit an intruder to exploit the vulnerabilities of the system and compromise or gain access to information. Technical threats are shown in Figure 5.3.
Figure 5.3 Technical threats.
Step 3: Identify Vulnerabilities That Could Be Exploited
Once the threat has been defined, the next step is to identify the vulnerabilities that can be exploited by the threat. The threat may be thought of as the source of the attack, and the vulnerability is that which is exploited to cause harm. A burglar standing outside a warehouse may be considered a threat, and the degree to which he will be able to break into the warehouse depends upon the level of vulnerabilities that exist within the warehouse. The vulnerability may be that the windows could be broken, the doorjamb could possibly be opened with a credit card, or the lock could be picked. The burglar could also pose as a warehouse worker and gain entry during the daytime hours.
Vulnerabilities may exist within our computing environments if we have not applied the most current patch levels or applied a consistent, current baseline configuration to our systems. The intruder decides to gain unauthorized access (the threat) and exploits one or more vulnerabilities, such as a vulnerability found within the Windows 7 operating system, application software, in-house developed software, or a customized vendor product.
A good question to ask when determining vulnerabilities that may be exploited is: What could go wrong? A technique that may have been invented by 3-year-olds worldwide is to ask why five times to get to the real root cause of the issue; along the way this will also identify the vulnerabilities and the controls that could be implemented. After the vulnerabilities are determined, the risk analysis can proceed forward with examining the existing controls.
Step 4: Identify Existing Controls
Since our organizations are not starting at day one when the risk analysis is conducted, odds are that we have implemented controls to manage some of the risk. In the warehouse burglar example noted earlier, we may have implemented bars over the windows, cameras scanning the parking lot, visitor badge control, and a night-duty guard to protect the premises. We may have also placed steel plates over the doorjambs to prevent tampering with the door. The controls that we believe are mitigating some of the risk of exploitation of the vulnerability should be listed.
The chapters on managerial, technical, and operational controls (Chapters 8, 9, and 10) provide a good starting reference to determine what types of controls should be considered. There tends to be a preference to provide automated controls to replace manual controls; however, there are instances where the manual controls may still be more effective. For example, few organizations have done away completely with security guards, as they still provide an effective deterrent when used in addition to technical controls such as mounted cameras, proximity readers, and alarm systems.
Step 5: Determine Exploitation Likelihood Given Existing Controls
Step 5 is where the rubber starts to meet the road: here the first factor in determining risk, the likelihood or probability, is assessed. This is not a mathematical calculation based upon statistical probabilities as may be the case in the quantitative method. This value is an expression of the likelihood that the vulnerability will be exploited given the existing control environment. A qualitative description is assigned to the likelihood, ranging from a low of negligible likelihood (unlikely to occur) to extreme (likely to occur multiple times per day), as shown in Figure 5.4.
Figure 5.4 Likelihood of occurrence.
This assessment should be made by the individuals responsible for the business and facilitated by the security officer. Ownership of the likelihood determination cannot occur if the security officer is the one determining how often an event may occur, unless it is related to a vulnerability within his domain that he has knowledge of. Let’s say, for example, that there is a policy in place that users are not to share user accounts, but there is no control in place that would prevent concurrent logins other than a formal policy instructing the users not to share an account. The security officer may learn through the incident reporting process that individuals are sharing an account at least several times a month. In the absence of a technical control to prevent this access, this would be assigned a likelihood of very high based upon the frequency of the event.
An important point to note is that likelihood is only one component of risk, and at this point the “risk level” has not been determined. It is advisable to keep the conversation about the likelihood of occurrence and not about risk, or managers will immediately jump to discussing a high, medium, or low risk level without having the complete foundation (likelihood and impact) needed to determine risk. A “hold off, we’re getting to that next” stance is warranted here.
The warehouse burglar in the earlier example may have had a low likelihood of exploiting the vulnerability given the existing controls that were in place, as it appears that most of the known areas of vulnerability had already been addressed (since this company was broken into frequently in the past, it upgraded its control environment last year as a result of the prior risk analysis).
As with the rest of the risk analysis, the likelihood should be examined with a fresh set of eyes, meaning that what was decided as the likelihood last year is irrelevant. New controls may have been put in place, existing controls may have been removed, and the intensity of the threat may have changed. For example, tracks may have been laid for a new high-speed train running past the data center, or a fuel storage plant may have been constructed nearby, both creating potential vulnerabilities that did not previously exist. Alternatively, an office may have closed, so the vulnerabilities that were identified with that office are no longer relevant. A prudent approach is to review and update the risk assessment annually and perform a ground-up risk assessment every 3 years.
Step 6: Determine Impact Severity
This step assumes that the vulnerability has been exploited and the organization must now deal with the harm done by the action. An impact designated as minor, according to Figure 5.5, would require minimal effort to repair the system. If the impact was large, designated as critical, the impact would be expected to result in an extended outage. Figure 5.5 provides a quick means to assign an impact to the event.
Figure 5.5 Severity of impact.
Management and technical staff are in the best position to explain what would happen if the system was lost for a day or a shipment was not delivered. Finance areas are also excellent sources of information when calculating the loss of productivity per hour when a system is down. E-commerce websites can calculate the approximate lost dollar volume when their sites become unavailable. Depending upon the time of year, the severity may increase, as it does for online retailers during the holiday season. A recently quoted statistic indicated that 13% of Black Friday sales came from Cyber Monday (the Monday following Black Friday).
If the burglar had been able to break into the warehouse in our example, this would have caused considerable damage, as the warehouse was full of shipments to a key manufacturer that needed the goods shipped tomorrow. If those goods were damaged or stolen, we could have lost a client. According to Figure 5.5, this may be assessed as damaging (damage to reputation, loss of public confidence).
Step 7: Determine Risk Level
Step 7 is where the risk level is determined based upon the likelihood and the impact level. Using the table shown in Figure 5.6, the likelihood of occurrence is located in the first column and the impact severity in the row across the top. The cell where the likelihood row and the impact column intersect indicates a risk level of low, moderate (or medium), or high. In our burglar example, the likelihood was low and the impact severity was damaging, resulting in a risk level of moderate.
Figure 5.6 Risk determination.
This process is repeated for each of the threat and vulnerability pairs until each has been addressed and assigned a risk level. The risks are then prioritized from high to medium to low. The low risks should be worked on only after the high and medium risks have been addressed, unless they are simple changes that will not divert substantial resources from addressing the higher risk items.
The best part about this method is that the risk was determined by focusing the discussion on (1) likelihood of occurrence and (2) impact severity. Nowhere in the discussion was risk mentioned up until this step. This step still does not debate risk but merely establishes the risk level from the matrix. Management can always decide to raise or lower the risk level at this point; however, it should be cautioned that this should be based upon a reevaluation of the likelihood or the severity. Sometimes management may have good reason to increase the risk rating to ensure that it receives attention within the organization.
Step 8: Determine Additional Controls
Now that the risks have been identified, it is necessary to identify controls to mitigate or reduce the risk level to an acceptable level. Typically the focus is on the high risks, which should be remediated as soon as is feasible. Moderate or medium risks should also be handled urgently, with plans created to address their implementation. It may not be clear at this juncture precisely what solutions will be implemented, but plans of action to investigate the alternatives can be created until it is clear what solutions will be implemented.
Once the control that will reduce the risk has been identified, the residual likelihood, residual impact severity, and resulting residual risk are recalculated. Controls should at least bring the high risks to medium and the mediums to low, and if the lows are addressed at this time, they should be eliminated. Some organizations will retain all risks as a low risk, because even though the vulnerability has been addressed by a control, there is always a risk (albeit low) that the vulnerability may be exploited. Other organizations take the viewpoint that they do not want to see any mitigated vulnerabilities on the report, as it gives the wrong impression. The security officer needs to be aware of the culture of the organization and how the risk level will be perceived.
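As an added illustration of Steps 5 through 8 (example code, not from the book), the following Python register rates each threat/vulnerability pair by likelihood and impact, reads the risk level from a matrix, prioritizes high to medium to low, and recomputes the residual risk once a control is chosen. The matrix values are an assumption: Figure 5.6 is not reproduced here, so the grid is constructed only to agree with the one point the text gives (low likelihood and damaging impact yield moderate risk), and the labels are limited to those the chapter names.

```python
# Added example, not from the book. The grid below is an ASSUMPTION: Figure 5.6
# is not reproduced here, so it is constructed only to agree with the one point
# the text gives (low likelihood x damaging impact = moderate). Labels are those
# the chapter names; "negligible" is used to model an eliminated low risk.
from dataclasses import dataclass

LIKELIHOOD = ["negligible", "low", "moderate", "high", "very high", "extreme"]
IMPACT = ["minor", "damaging", "critical"]
RANK = {"low": 0, "moderate": 1, "high": 2}

# Rows follow LIKELIHOOD, columns follow IMPACT (constructed values).
MATRIX = [
    ["low", "low", "low"],            # negligible
    ["low", "moderate", "moderate"],  # low
    ["low", "moderate", "high"],      # moderate
    ["moderate", "high", "high"],     # high
    ["moderate", "high", "high"],     # very high
    ["high", "high", "high"],         # extreme
]

def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: row = likelihood, column = impact; the cell is the risk level."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r} / {impact!r}")
    return MATRIX[LIKELIHOOD.index(likelihood)][IMPACT.index(impact)]

@dataclass
class RiskItem:
    pair: str        # threat/vulnerability pair being assessed
    likelihood: str  # Step 5, owned by the business, facilitated by security
    impact: str      # Step 6, from management, technical staff and finance

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

def prioritize(register: list[RiskItem]) -> list[RiskItem]:
    """Order the register high -> medium -> low, as the text prescribes."""
    return sorted(register, key=lambda item: RANK[item.risk], reverse=True)

def residual_meets_target(item: RiskItem, new_likelihood: str,
                          new_impact: str) -> tuple[str, bool]:
    """Step 8: recompute risk after a control and check the stated goal
    (high -> at most medium, medium -> low, low -> eliminated)."""
    residual = risk_level(new_likelihood, new_impact)
    if item.risk == "low":
        return residual, new_likelihood == "negligible"
    return residual, RANK[residual] < RANK[item.risk]
```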
Risk Mitigation Options
The preceding overview of the risk analysis process provides a framework for conducting a risk analysis. The most likely outcome is that new risks will be uncovered through the analysis and the company can focus resources toward mitigating the vulnerabilities and reducing the risk levels. In addition to implementing its own controls to resolve an issue, the organization has other options for managing the risk.
Risk Assumption
The organization may decide that the risk does not fall outside the company’s risk appetite and chooses to accept it. The organization may continue to operate as is, or plan to implement additional controls in the future. This strategy is perfectly acceptable provided that the risk being assumed has been analyzed and the financial implications have been accepted by the appropriate parties. As indicated in an earlier section, formalizing this process with a risk acceptance letter is preferable.
Risk Avoidance
Risk can be avoided by eliminating the cause of the risk or its consequence. A server may have an old version of the operating system, such as Windows 2000, which has many vulnerabilities that can be exploited due to the age of the system. Instead of upgrading the system to a new operating system, the system itself may be retired, thus eliminating the vulnerability.
Risk Limitation
Adding other preventative or detective controls to the process might reduce the adverse impact of the risk. In the earlier example of shared logins, software may be purchased to prevent concurrent logins on those systems (such as Windows) that do not have the native capability, and configuration settings may be made on other systems that do. Monitoring of logs could also be implemented.
Risk Planning
Not all vulnerabilities may be addressable at the present time, so a plan for mitigating the current and future vulnerabilities would be put in place.
Risk Research
If the vulnerability cannot be immediately remediated, the fact that the vulnerability exists may be acknowledged, with plans to research viable alternatives.
Risk Transference
Losses are compensated for by purchasing insurance or transferring the risk via contract. Rates are often dependent upon the level of security controls that exist or on external evaluations of those controls.
Conclusion
Risk analysis must be done for each organization to address the unique circumstances and risks it faces. The process described in this chapter provides a very logical, systematic process for determining the risks that are specific to the company. If these processes are followed consistently, over time the review of the existing threats becomes easier and more time can be spent addressing the new threats to the organization.
The process does not have to be a lengthy one either. The facilitated risk analysis process (FRAP), for example, may be completed in days versus weeks or months (Peltier, 2001). Having personally been involved in the FRAP for an electronic commerce site, whereby a group of individuals get together for a couple of days in a conference room to analyze and come to consensus on the risks, there are clearly approaches such as this that can gather information quickly and provide an assessment of the risk that can be very effective. The risks determined from these approaches can then be managed according to their risk level as part of an ongoing risk management program.
Suggested Reading
1. National Institute of Standards and Technology (NIST). July 2002. Risk management guide for information technology systems. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
2. Centers for Medicare and Medicaid Services. March 19, 2009. CMS information security risk assessment (IS RA) procedure. Version 1.0-Final. http://www.cms.gov/informationsecurity/downloads/IS_RA_Procedure
3. Peltier, T. R. 2001. Information security risk analysis. New York: Auerbach.
4. National Institute of Standards and Technology (NIST). 2004. Standards for security categorization of federal information and information systems, FIPS PUB 199. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf