Risk Assessment / Analysis (Treatment) and the CISSP Exam
Two key elements of risk management are the risk assessment and risk treatment. Risk can never be completely eliminated. Given sufficient time, resources, motivation, and money, any system or environment, no matter how secure, can eventually be compromised. Some threats or events, such as natural disasters, are entirely beyond our control and often unpredictable. Therefore, the main goal of risk management is risk treatment: making intentional decisions about specific risks that organizations identify.
A risk assessment begins with risk identification — detecting and defining specific elements of the three components of risk: assets, threats, and vulnerabilities.
The process of risk identification occurs during a risk assessment.
Identifying an organization’s assets and determining their value is a critical step in determining the appropriate level of security. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance). An inaccurate or hastily conducted asset valuation process can have the following consequences:
- Poorly chosen or improperly implemented controls
- Controls that aren’t cost-effective
- Controls that protect the wrong asset
A properly conducted asset valuation process has several benefits to an organization:
- Supports quantitative and qualitative risk assessments, Business Impact Analyses (BIAs), and security auditing.
- Facilitates cost-benefit analysis and supports management decisions regarding selection of appropriate safeguards.
- Can be used to determine insurance requirements, budgeting, and replacement costs.
- Helps demonstrate due care, thus (potentially) limiting personal liability on the part of directors and officers.
Three basic elements used to determine the value of an asset are
- Initial and maintenance costs: Most often, a tangible dollar value that may include purchasing, licensing, development (or acquisition), maintenance, and support costs.
- Organizational (or internal) value: Often a difficult and intangible value. It may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised. It can also include liability costs associated with privacy issues, personal injury, and death.
- Public (or external) value: Another difficult and often intangible cost, public value can include loss of proprietary information or processes, as well as loss of business reputation.
- Contribution to revenue: For instance, an asset worth $10,000 may be instrumental to the realization of $5 million in annual revenue. Hence, risk decisions for such an asset should consider not only its cost, but also its role in generating or protecting revenue.
To perform threat analysis, you follow these four basic steps:
- Define the actual threat.
- Identify possible consequences to the organization if the threat event occurs.
- Determine the probable frequency and impact of a threat event.
- Assess the probability that a threat will actually materialize.
For example, a company that has a major distribution center located along the Gulf Coast of the United States may be concerned about hurricanes. Possible consequences include power and communications outages, wind damage, and flooding. Using climatology, the company can determine that an annual average of three hurricanes pass within 50 miles of its location between June and September, and that a specific probability exists of a hurricane actually affecting the company’s operations during this period. During the remainder of the year, the threat of hurricanes has a low probability.
The number and types of threats that an organization must consider can be overwhelming, but you can generally categorize them as
- Natural: Earthquakes, floods, hurricanes, lightning, fire, and so on.
- Man-made: Unauthorized access, data-entry errors, strikes/labor disputes, theft, terrorism, sabotage, arson, social engineering, malicious code and viruses, and so on.
Not all threats can be easily or rigidly classified. For example, fires and utility losses can be both natural and man-made. See Chapter 9 for more on disaster recovery.
A vulnerability assessment provides a valuable baseline for identifying vulnerabilities in an asset as well as identifying one or more potential methods for mitigating those vulnerabilities. For example, an organization may consider a Denial of Service (DoS) threat, coupled with a vulnerability found in Microsoft’s implementation of Domain Name System (DNS). However, if an organization’s DNS servers have been properly patched or the organization uses a UNIX-based DNSSEC server, the specific vulnerability may already have been adequately addressed, and no additional safeguards may be necessary for that threat.
The next element in risk management is risk analysis — a methodical examination that brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization for developing an effective risk management strategy.
Risk analysis involves the following four steps:
1. Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization.
This component of risk identification is asset valuation.
2. Define specific threats, including threat frequency and impact data.
This component of risk identification is threat analysis.
3. Calculate Annualized Loss Expectancy (ALE).
The ALE calculation is a fundamental concept in risk analysis; we discuss this calculation later in this section.
4. Select appropriate safeguards.
This process is a component of both risk identification (vulnerability assessment) and risk control.
The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. Because it’s the estimated annual loss for a threat or event, expressed in dollars, ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. You determine ALE by using this formula:
SLE × ARO = ALE
Here’s an explanation of the elements in this formula:
- Single Loss Expectancy (SLE): A measure of the loss incurred from a single realized threat or event, expressed in dollars. You calculate the SLE by using the formula Asset value @@ts Exposure Factor (EF).
Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage.
- Annualized Rate of Occurrence (ARO): The estimated annual frequency of occurrence for a threat or event.
The two major types of risk analysis are qualitative and quantitative, which we discuss in the following sections.
Qualitative Risk Analysis
Qualitative risk analysis is more subjective than a quantitative risk analysis; unlike quantitative risk analysis, this approach to analyzing risk can be purely qualitative and avoids specific numbers altogether. The challenge of such an approach is developing real scenarios that describe actual threats and potential losses to organizational assets.
Qualitative risk analysis has some advantages when compared with quantitative risk analysis; these include
- No complex calculations are required.
- Time and work effort involved is relatively low.
- Volume of input data required is relatively low.
Disadvantages of qualitative risk analysis, compared with quantitative risk analysis, include
- No financial costs are defined; therefore cost-benefit analysis isn’t possible.
- The qualitative approach relies more on assumptions and guesswork.
- Generally, qualitative risk analysis can’t be automated.
- Qualitative analysis is less easily communicated. (Executives seem to understand “This will cost us $3 million over 12 months” better than “This will cause an unspecified loss at an undetermined future date.”)
A distinct advantage of qualitative risk analysis is that a large set of identified risks can be charted and sorted by asset value, risk, or other means. This can help an organization identify and distinguish higher risks from lower risks, even though precise dollar amounts may not be known.
A qualitative risk analysis doesn’t attempt to assign numeric values to the components (the assets and threats) of the risk analysis.
Quantitative Risk Analysis
A fully quantitative risk analysis requires all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, to be measured and assigned numeric values.
A quantitative risk analysis attempts to assign more objective numeric values (costs) to the components (assets and threats) of the risk analysis.
Advantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:
- Financial costs are defined; therefore, cost-benefit analysis can be determined.
- More concise, specific data supports analysis; thus, fewer assumptions and less guesswork are required.
- Analysis and calculations can often be automated.
- Specific quantifiable results are easier to communicate to executives and senior-level management.
Disadvantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:
- Human biases will skew results.
- Many complex calculations are usually required.
- Time and work effort involved is relatively high.
- Volume of input data required is relatively high.
- The probability of threat events is difficult to determine.
- Some assumptions are required.
Purely quantitative risk analysis is generally not possible or practical. Primarily, this is because it is difficult to determine a precise probability of occurrence for any given threat scenario. For this reason, many risk analyses are a blend of qualitative and quantitative risk analysis, known as a hybrid risk analysis.
Hybrid Risk Analysis
A hybrid risk analysis combines elements of both a quantitative and qualitative risk analysis. The challenges of determining accurate probabilities of occurrence, as well as the true impact of an event, compel many risk managers to take a middle ground. In such cases, easily determined quantitative values (such as asset value) are used in conjunction with qualitative measures for probability of occurrence and risk level. Indeed, many so-called quantitative risk analyses are more accurately described as hybrid.