Risk Analysis Formula
CRITICAL INFRASTRUCTURE PROTECTION (CIP)
MANAGING RISK
Tulane University School of Professional Advancement (SoPA)
Fall 2020
Instructor: Douglas Fred
RISK MANAGEMENT
RISK is the potential for an unwanted outcome resulting from an incident, event,
or occurrence, as determined by its likelihood and the associated consequences.
It is influenced by the nature and magnitude of a threat or hazard, the
vulnerabilities from that threat or hazard and the consequences that could result.
RISK AND VULNERABILITY ASSESSMENT MANDATE
• Presidential directives
  • PDD-63 (Nov 18, 1998), Clinton administration
  • HSPD-7 (Dec 17, 2003), Bush administration
  • On Feb. 19, 2013, President Obama issued Executive Order 13636, mandating that the government work with the private sector to defend the nation’s infrastructure and vital assets from attacks.
• Critical Infrastructure Evaluation
  • Identify mission essential communications, information and other systems
  • Identify significant vulnerabilities of organization minimum essential systems
  • Identify any external interdependencies
  • Assessments to determine vulnerabilities of department or agency minimum essential services to failures by private sector providers of their respective industrial sectors or other infrastructure services
RISK MANAGEMENT FRAMEWORK
• Set Goals and Objectives: Define specific outcomes, conditions, end points, or performance targets that collectively describe an effective and desired risk management posture.
• Identify Infrastructure: Identify assets, systems, and networks that contribute to critical functionality and collect information pertinent to risk management, including analysis of dependencies and interdependencies.
• Assess and Analyze Risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of an incident, known vulnerabilities to various potential threats or hazards, and general or specific threat information.
• Implement Risk Management Activities: Make decisions and implement risk management approaches to control, accept, transfer, or avoid risks. Approaches can include prevention, protection, mitigation, response, and recovery activities.
• Measure Effectiveness: Use metrics and other evaluation procedures to measure progress and assess the effectiveness of efforts to secure and strengthen the resilience of critical infrastructure.
RISK ANALYSIS
1. Identifying the Threat
2. Assessing the Vulnerabilities
3. Assessing the consequence
Risk Analysis is the process of prioritizing risks based on the probability
of the risk occurring and the impact it would have.
Risk Formula: Risk = Threat x Vulnerability x Consequence
QUANTITATIVE VS QUALITATIVE METHODS OF ASSESSING RISK
When reliable data and costs are available…
Quantitative assessments generally estimate the monetary value/cost associated with a risk
• Identifying the likelihood that a damaging event or occurrence will happen
• Identifying costs resulting from potential losses from the event or occurrence
• Identifying costs necessary for mitigating actions resulting from those losses
• The cost of implementing countermeasures is compared to the cost of replacing lost assets and information to determine the cost-effectiveness of the countermeasure.
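The quantitative comparison described above, combined with the Risk = Threat x Vulnerability x Consequence formula, as an added worked example that is not part of the original slides. It assumes Threat and Vulnerability are expressed as probabilities and Consequence as a dollar loss; the scenario names, countermeasures and all figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    threat: float         # likelihood the threat occurs in a year (0..1), assumed
    vulnerability: float  # probability the threat succeeds if it occurs (0..1)
    consequence: float    # loss in dollars if it succeeds

    def risk(self, vulnerability=None):
        """Risk = Threat x Vulnerability x Consequence, in dollars per year."""
        v = self.vulnerability if vulnerability is None else vulnerability
        return self.threat * v * self.consequence

@dataclass
class Countermeasure:
    name: str
    scenario: str             # name of the scenario it addresses
    annual_cost: float
    new_vulnerability: float  # vulnerability once the control is in place

def evaluate(scenarios, countermeasures):
    """Rank countermeasures by net benefit (risk reduction minus cost)."""
    by_name = {s.name: s for s in scenarios}
    rows = []
    for cm in countermeasures:
        s = by_name[cm.scenario]
        reduction = s.risk() - s.risk(cm.new_vulnerability)
        rows.append({"name": cm.name, "cost": cm.annual_cost,
                     "reduction": reduction, "net": reduction - cm.annual_cost})
    return sorted(rows, key=lambda r: r["net"], reverse=True)

def fund(rows, budget):
    """Greedy pick within a limited budget; skips controls that cost more than they save."""
    chosen = []
    for r in rows:  # simplification: countermeasures are treated as independent
        if r["net"] > 0 and r["cost"] <= budget:
            chosen.append(r["name"])
            budget -= r["cost"]
    return chosen

# Constructed sample data (hypothetical, not taken from the slides).
SCENARIOS = [Scenario("substation flood", 0.10, 0.5, 2_000_000),
             Scenario("control-room intrusion", 0.25, 0.4, 500_000)]
COUNTERMEASURES = [
    Countermeasure("flood barrier", "substation flood", 30_000, 0.1),
    Countermeasure("network segmentation", "control-room intrusion", 20_000, 0.1),
    Countermeasure("24/7 guard post", "control-room intrusion", 60_000, 0.2)]

if __name__ == "__main__":
    ranked = evaluate(SCENARIOS, COUNTERMEASURES)
    for r in ranked:
        print(f'{r["name"]:22} reduction ${r["reduction"]:>9,.0f}  net ${r["net"]:>9,.0f}')
    print("funded with $40,000:", fund(ranked, 40_000))
```

The guard post reduces risk but costs more than the loss it prevents, so it is never funded regardless of budget.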
When reliable data and costs are not available…
Qualitative assessments rely on the expertise, experience and judgment of the individual(s) conducting the assessment.
• Vulnerabilities are identified and rated from high to low based on their potential impact to the overall operation.
• Likelihood is based on the judgment of experts or those capable of making sound judgments, and is rated from high to low probability.
QUANTITATIVE VS QUALITATIVE METHODS OF ASSESSING RISK
• Qualitative Assessment: Using a scale of "Low, Medium, High" to indicate the likelihood of a risk event occurring.
• Quantitative Assessment: Use of measurable, objective data to determine asset value, probability of loss, and associated risk(s).
Qualitative Risk Assessment Example
RISK RESPONSE
4 basic strategies for response to an identified risk
1. Avoid Risk
  • Prevent the occurrence of the impact (examples: increased security, preventative maintenance, relocate assets, etc.)
2. Transfer Risk
  • Transfer the cost of the impact (example: purchase insurance to cover potential losses, contractually transfer asset ownership, etc.)
3. Mitigate Risk
  • Implement strategies to minimize the impact (examples: perform audits, create asset redundancy, develop a COOP, etc.)
4. Accept Risk
  • Accept the potential impact
RISK ASSESSMENT BENEFITS
• Given there is only a limited budget for protecting the sector, it will help determine how best to allocate funds and resources
• Provides a fundamental understanding of what is involved in securing an organization’s or industrial sector’s infrastructure.
• Provides decision makers with information necessary in determining and understanding the factors that may negatively influence the operations and outcomes of an organization’s operational success.
• Enables decision makers to make informed judgments concerning the extent of actions needed to reduce risk.
DEFINING A THREAT
• Any agent (person, activity, or event) with the potential to cause harm to a system or operational environment.
• The existence of a threat does not imply that the system will be harmed; however, the potential for harm exists
• Threats are organized into three distinct main threat categories:
  • Natural
  • Accidental
  • Intentional or malicious
• Accidental and intentional threats come from two sources:
  • Inside
  • Outside
THREAT COUNTERMEASURES
• Establish processes, procedures and system features that serve to
• Detect potential threats
• Deflect potential threats
• Reduce Impact
• Reduce the vulnerability
• Harden assets
• Relocate Assets
• Reduce Assets
BASIC RISK ASSESSMENT ELEMENTS
• Identify known, apparent or evident threats
• Estimate threat occurrences
• Identify and rank value, sensitivity and criticality of operations affected
• Estimate the losses should the threat occur
• Build the threat scenario
• Identify, analyze and assess vulnerability
• Identify actions to mitigate or remove the risk
• Document, document, document
IDENTIFY KNOWN, APPARENT OR EVIDENT THREATS
• It should be clear that a threat exploits a vulnerability to cause injury to an asset, leaving the entity suffering some loss
• Identify threats that can potentially disrupt, disable or adversely prevent/inhibit process operations within, throughout, and between critical infrastructure.
• Threat may be deliberate, accidental, or natural
• If the threat is the result of a deliberate act, determine if an attacker has the knowledge, skills, abilities, resources, intent and commitment to carry out the act
• After analysis, determine whether or not there is a sufficient number of connections to warrant attention.
ESTIMATE THREAT OCCURRENCES
• The probability of the threat attempting to manifest itself to exploit the vulnerabilities in the system.
• Involves combination of historical research
• Determine the number of occurrences in a period of time
• Future projection
• Based on knowledgeable resources, determine whether the same factors that allowed the threat to manifest itself in the past are applicable to future projections
IDENTIFY AND RANK VALUE, SENSITIVITY & CRITICALITY OF OPERATIONS AFFECTED
• Consider not only the importance of operations, but also legal and regulatory requirements
• Consider the health and wellness of population and environment
• Consider both Critical Infrastructure Protection (CIP) and Critical Infrastructure Assurance (CIA).
• Consider not only the internal impact, but the external consequences and liabilities that can be assigned to an event.
• A relatively inconsequential act may not affect internal operations to a great extent; however, if that disruption triggers a cascading failure through critical networks, the dynamics will change
• Consider the fact that some events can exceed insurance coverage.
ESTIMATE THE LOSSES SHOULD THE THREAT OCCUR
• Most significant aspect within the risk assessment process cycle
• Assigns a value to the process, operations, and assets
• Defines the potential losses or damage that could occur if a threat were to materialize
• Includes recovery costs to restore service and operations to the organization
• Determines (prior to a threat occurring) the amount of money the organization would need to continue to operate successfully
• Value of assets can be the result of different factors
  • Critical to operation but largely unregulated
  • Noncritical asset may be subject to significant regulatory controls (linked to significant penalties)
  • Irreplaceable cultural heritage to the community
BUILD THE THREAT SCENARIO
• Create a threat scenario
• Keep the threat scenario real and documented
• Describe how the threat causes the impact to the asset within a period of time or under certain conditions
• A viable scenario allows for clear understanding and aligns information being presented with a potential event
IDENTIFY AND ANALYZE VULNERABILITIES
What is a Vulnerability?
• An inherent weakness or flaw in a system or its operating environment that may be exploited to cause harm to the system.
• System design
• Personnel within the system
• Management
• Hardware
• Software, etc.
• The vulnerability of an asset may be modified by using countermeasures that can reduce or remove the probability of a particular attack
IDENTIFY AND ANALYZE VULNERABILITIES (CONTINUED)
What is a Vulnerability Analysis?
• Vulnerability analysis is perhaps the most important skill needed to practice CIP.
• This important skill involves several difficult steps:
  • Identification of essential components (critical nodes)
  • Understanding the linkages and relationships among critical nodes (network analysis)
  • Focusing on what is critical and what is desirable to protect
• A process of calculating sector vulnerability from estimates of component vulnerabilities.
• Without vulnerability analysis, policy makers are merely making wild guesses about what to protect and how best to invest limited funds.
• Vulnerability is a measure of the strength of a component in the face of a threat.
IDENTIFY AND ANALYZE VULNERABILITIES (CONTINUED)
• The analysis begins with asset identification
  • Identify vulnerabilities
  • Estimate the likelihood of being impacted
  • Perform a financial analysis of investing in target hardening versus the anticipated improvement in sector security.
• Involves sector modeling, vulnerability modeling, financial modeling and planning.
• Vulnerability is not the same as risk.
  • Vulnerability is a probability, whereas risk is measured in terms of financial risk, casualty risk, equipment risk, and so forth.
  • Vulnerability reduction attempts to limit the likelihood of an undesirable incident, while risk reduction attempts to limit the cost associated with an undesirable incident.
EXAMPLE: VULNERABILITY VS RISK
• An automobile accident may occur with a probability of 50%, but one accident may cause $100 of damage whereas another may cause $1000 of damage.
• The vulnerability is the same in both cases, 50%, but the risk in the first case is 50% x $100 = $50
• In the other case it is 50% x $1000 = $500
• Risk is ten times greater for one accident than the other
• Vulnerability is never absolute; vulnerabilities differ depending on the threat.
  • Two cars are both equally vulnerable, one is 25% vulnerable to a head-on collision, the other is 75% vulnerable to a rear-end collision. Are both cars equally vulnerable?
  • No, because it depends on the threat. Car one is less vulnerable in relation to the threat of a head-on collision.
  • Both cars may be vulnerable to both threats, in different proportions, depending on the size and safety of each.
• An important fact: vulnerability analysis is complicated by several factors:
  • Nature of threat
  • Likelihood of successful attacks
  • Interplay among components that make up the critical infrastructure sector
IDENTIFY ACTIONS TO MITIGATE OR REMOVE THE RISK
• A three-part process can be used to create a roughly prioritized list of risks to the organization
Part I: Pure Risk
• Determine the pure risk faced by the organization
• Pure risk is a simple relationship between threat, asset, and projected loss
• Generate the first prioritized list that can be used by management to look at issues from a purely conceptual view of operations
• Identify a clear start point for the on-site survey that will identify what vulnerabilities are present in the system
Part II: Vulnerability Analysis
• Describe in terms of deficiency, lack or incomplete application of something that reduces the impact or probability of an incident
• Describes what deficiency is exploited by the threat in clinical or near scientific detail (describes the mechanics of how the organization is vulnerable)
• Focuses on the characteristics of the vulnerability itself
Part III: Vulnerability Assessment
• Three elements to align
• First involves the threat and the knowledge, skills, abilities, resources, intent, and commitment of that threat
• Second looks at the vulnerability and determines how those characteristics of the threat would affect the means, opportunity or intent associated with the vulnerability (all factors that affect probability) and potential impact associated with the event (in terms of nature, extent, containment, etc.)
• Third is the nature of the assessment that answers just how relevant or connected the vulnerability is to operations (probability comes into play)
IDENTIFY ACTIONS TO MITIGATE OR REMOVE THE RISK (CONTINUED)
• Implementation of new organizational policies and procedures
• Goal is one or more of the following:
  • Reduce impact (losses) associated with the event
  • Lower or reduce the probability associated with the event
  • Reduce the means or opportunity that the threat has to exploit the vulnerability
  • Cause the threat to come to its own conclusion that there is no realistic chance of success without being apprehended or failing, and suffering negative consequences
• Provide management with the information needed to make sound and appropriate decisions.
• The assessor is not there to dictate to management
DOCUMENT, DOCUMENT, DOCUMENT
• Assessor will need to prove his/her work
• Necessary for showing work that supports the conclusions
• Needed as part of the official records associated with the work completed
• Provides management with ability to analyze and assess data and information when looking at the recommendations
• Provides support for creating effective contingency plans
CHALLENGES ASSOCIATED WITH ASSESSING RISK
• Reliably assessing security risk is typically more difficult than assessing other forms of risk.
• Threat likelihoods and costs associated with those risk factors are constantly changing
• Advances in technology make obsolete technology vulnerable to attacks
• Publicly available information on the internet and/or other forums of data interchange is more visible to the general public
• Remediation once considered possible now has a higher cost
• It is difficult to precisely estimate any related indirect costs