In this installment of the Risk Management Guide, Shon Harris provides step-by-step instructions on conducting a risk analysis.
A risk analysis helps integrate security program objectives with the company's business objectives
Risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats, and assessing the possible damage to determine where to implement security safeguards. Risk analysis is used to ensure that security is cost effective, relevant, timely and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security or the wrong security components, and spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of money that should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
The process of conducting a risk analysis is very similar to identifying an acceptable risk level. Essentially, you do a risk analysis on the organization as a whole to determine the acceptable risk level. This then becomes the baseline against which all other identified risks are compared, to determine whether each risk is too high or falls under the established acceptable risk level.
Step one: Identify assets and their values
Risk analysis provides a cost/benefit comparison, which compares the annualized cost of safeguards to protect against threats with the potential cost of loss. A safeguard, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the safeguard itself. This means that if a facility is worth $100,000, it does not make sense to spend $150,000 trying to protect it.
The value placed on assets (including information) is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, and what benefit another party would gain if it were to obtain it. If a company does not know the value of the information and the other assets it is trying to protect, it does not know how much money and time it should spend on protecting them.
The value of an asset should reflect all identifiable costs that would arise if there were an actual impairment of the asset. If a server costs $4,000 to purchase, this value should not be input as the value of the asset in a business risk assessment. Rather, the cost of replacing or repairing it, the loss of productivity, and the value of any data that may be corrupted or lost all need to be accounted for to properly capture the amount the company would lose if the server were to fail for one reason or another.
The following issues should be considered when assigning values to assets:
- Cost to acquire or develop the asset
- Cost to maintain and protect the asset
- Value of the asset to owners and users
- Value of the asset to adversaries
- Value of intellectual property that went into developing the information
- Price others are willing to pay for the asset
- Cost to replace the asset if lost
- Operational and production activities that are affected if the asset is unavailable
- Liability issues if the asset is compromised
- Usefulness and role of the asset in the organization
Understanding the value of an asset is the first step to understanding what security mechanisms should be put in place and what funds should go toward protecting it. A very important question is how much it could cost the company to not protect the asset.
Step two: Identify vulnerabilities and threats
Once the assets have been identified and assigned values, all of the vulnerabilities and associated threats need to be identified for each asset or group of assets. The IRM team needs to identify the vulnerabilities that could affect each asset's integrity, availability or confidentiality requirements. All of the relevant vulnerabilities need to be identified and documented so that the necessary countermeasures can be implemented.
Since there is a large number of vulnerabilities and threats that can affect the different assets, it is important to be able to properly categorize them. The goal is to determine which threats and vulnerabilities could cause the most damage so that the most critical items can be taken care of first.
Step three: Quantify the probability and business impact of these potential threats
The team carrying out the risk assessment needs to figure out the business impact for the identified threats.
To estimate potential losses posed by threats, answer the following questions:
- What physical damage could the threat cause, and how much would that cost?
- How much productivity loss could the threat cause, and how much would that cost?
- What is the value lost if confidential information is disclosed?
- What is the cost of recovering from a virus attack?
- What is the cost of recovering from a hacker attack?
- What is the value lost if critical devices were to fail?
- What is the single loss expectancy (SLE) for each asset and each threat?
This is just a small list of questions that should be answered. The specific questions will depend upon the types of threats the team uncovers.
The team then needs to calculate the probability and frequency of the identified vulnerabilities being exploited. The team will need to gather information about the likelihood of each threat taking place from people in each department, past records and official security resources. If the team is using a quantitative approach, then they will calculate the annualized rate of occurrence (ARO), which is the estimated number of times the threat is expected to take place in a 12-month period.
Step four: Identify countermeasures and determine cost/benefit
The team then needs to identify countermeasures and solutions to reduce the potential damages from the identified threats.
A security countermeasure must make good business sense, meaning that it is cost-effective and that its benefit outweighs its cost. This requires another type of analysis: a cost/benefit analysis.
A commonly used cost/benefit calculation for a given safeguard is:
(ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company
For example, if the ALE of the threat of a hacker bringing down a Web server is $12,000 prior to implementing the suggested safeguard, $3,000 after implementing the safeguard, and the annual cost of maintenance and operation of the safeguard is $650, then the value of this safeguard to the company is $8,350 each year.
The cost of a countermeasure is more than just the amount that is filled out on the purchase order. The following items need to be considered and evaluated when deriving the full cost of a countermeasure:
- Product costs
- Design/planning costs
- Implementation costs
- Environment modifications
- Compatibility with other countermeasures
- Maintenance requirements
- Testing requirements
- Repair, replacement or update costs
- Operating and support costs
- Effects on productivity
So, for example, the cost of this countermeasure could be:
- $5,500 for the product
- $2,500 for training
- $3,400 for the lab and testing time
- $2,600 for the loss in user productivity once the product was introduced into production
- $4,000 in labor for router reconfiguration, product installation, troubleshooting, and installation of the two service patches
The real cost of this countermeasure is $18,000. If our total potential loss was calculated at $9,000, we went over budget by 100% when applying this countermeasure for the identified risk. Some of these costs may be hard or impossible to identify before they are incurred, but an experienced risk analyst would account for many of these possibilities.
It is important that the team knows how to calculate the actual cost of a countermeasure to properly weigh it against the benefit and savings the countermeasure is supposed to provide.
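The quantitative steps above (the SLE and ARO gathered in step three, and the ALE cost/benefit formula and full countermeasure cost in step four) worked through in code, as an added example that is not part of the original article. It uses the article's own figures for the Web server safeguard ($12,000 ALE before, $3,000 after, $650 annual cost) and for the $18,000 countermeasure cost breakdown. The SLE and ARO values that decompose the two ALEs are constructed assumptions, since the article gives only the ALEs; ALE = SLE x ARO is the standard quantitative risk formula these terms belong to. The asset and threat names are likewise constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ThreatExposure:
    """One asset/threat pair from the risk analysis worksheet.

    sle: single loss expectancy, the dollar loss from one occurrence
    aro: annualized rate of occurrence, expected occurrences per 12 months
    """
    asset: str
    threat: str
    sle: float
    aro: float

    def ale(self) -> float:
        # Annualized loss expectancy = SLE x ARO (standard quantitative risk formula)
        return self.sle * self.aro


@dataclass
class Countermeasure:
    """Full cost of a safeguard, itemized the way the article recommends."""
    name: str
    costs: dict = field(default_factory=dict)

    def total_cost(self) -> float:
        # The real cost is the sum of every item, not just the purchase order
        return sum(self.costs.values())


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Article's formula: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    return ale_before - ale_after - annual_cost


def over_budget_percent(total_cost: float, potential_loss: float) -> float:
    """How far the countermeasure's real cost exceeds the loss it protects against."""
    return (total_cost - potential_loss) / potential_loss * 100


def rank_by_ale(exposures: list) -> list:
    """Step two/three: order threats so the most damaging are handled first."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


# Constructed sample data: SLE/ARO chosen so the ALEs match the article's $12,000 / $3,000.
WEB_SERVER_BEFORE = ThreatExposure("Web server", "attacker takes server down", sle=4000, aro=3.0)
WEB_SERVER_AFTER = ThreatExposure("Web server", "attacker takes server down", sle=4000, aro=0.75)
FILE_SERVER = ThreatExposure("File server", "disk failure with data loss", sle=9000, aro=0.5)

# Itemized cost from the article's countermeasure example
EXAMPLE_COUNTERMEASURE = Countermeasure("example product", {
    "product": 5500,
    "training": 2500,
    "lab and testing time": 3400,
    "user productivity loss": 2600,
    "labor (reconfiguration, install, patches)": 4000,
})


def web_server_safeguard_value(annual_cost: float = 650) -> float:
    """Value of the Web server safeguard per year, using the article's figures."""
    return safeguard_value(WEB_SERVER_BEFORE.ale(), WEB_SERVER_AFTER.ale(), annual_cost)


if __name__ == "__main__":
    for e in rank_by_ale([FILE_SERVER, WEB_SERVER_BEFORE]):
        print(f"{e.asset:12} {e.threat:30} ALE ${e.ale():,.0f}")
    print(f"Web server safeguard value: ${web_server_safeguard_value():,.0f} per year")
    cost = EXAMPLE_COUNTERMEASURE.total_cost()
    print(f"Real countermeasure cost: ${cost:,.0f}, "
          f"{over_budget_percent(cost, 9000):.0f}% over a $9,000 potential loss")
```

A positive safeguard value means the safeguard pays for itself against the ALE reduction it buys; a real cost above the potential loss, as in the $18,000 versus $9,000 case, is the signal that the countermeasure does not make business sense for that risk.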
Goals of a risk analysis
The risk analysis team should have clearly defined goals that it is seeking. The following is a short list of what generally is expected from the results of a risk analysis:
- Monetary values assigned to assets
- Comprehensive list of all possible and significant threats
- Probability of the occurrence rate of each threat
- Loss potential the company can endure per threat in a 12-month time span
- Recommended safeguards, countermeasures and actions
Although this list looks short, there is usually an incredible amount of detail under each bullet item. This report is presented to senior management, which will be concerned with possible monetary losses and the necessary costs to mitigate these risks. Although the reports should be as detailed as possible, there should be executive abstracts so that senior management may quickly understand the overall findings of the analysis.
About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.
This was first published in April 2006