Vulnerability
flaw or weakness in a
- system
- procedure
- design
- entity
- implementation,
- or internal control
that could be exercised (accidentally triggered or intentionally exploited) by a threat and result in a security breach or violations of the system’s security
Behavioral: unscured computers or memory sticks, unlocked filing cabinets (computer left unlocked) (password on sticky note)
system related: software bugs, insecure communication channels (outdated software)
organizational: untrained workforce (social engineering), it Misuse (visiting problematic websites)
threats
and threat analysis
are a potential cause for undesired incidents with negative consequences for a system or an organization
types of threats
- human error ( accindent: deleting files, mistakes, social engineering, phishing)
- physical (theft, vandalism, sabotage)
- unauthorized access (espionage, trespassing)
- forces of nature (fire, earthquake, blackout)
- legal and contractual (legislation breaches)
threat analysis:
- systematically identifying potential threats and resulting damage
- basis for risk analysis
risk and risk mgmt
risk is an insecurity concerning the goal achievement of an organization and is often seen as the combination of the probability of occurence and the consequences of an event
- risks result from vulnerabilities being exploited by threats, producing undesired consequences
- Risk Management: the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level
- you can’t eliminate all risks always dealing with risks
Risk mgmt process
C Monitoring/review o m 1 risk identification m u n 2 risk analysis i c a 3 risk evaluation. risk assessment t i I o v n
Context Establishment
Goal: understand the organization’s internal and external operating context that plays a role and affects the risk management process
external context:
- Business env. (who are the customers, competitors)
- legal and compliance (what are regulations to comply)
- threats and vulnerabilities
- outside support (any outside support one needs to inform)
internal context:
-internal stakeholders (who needs to be informed)
-culture
-exisiting information
security program (what is there already
-experience (where there some issues in the past, what has been learned)
Risk Identification
goal to identify threats facing the organization’s information assets and understand the significance of these threats
-Identification of information assets that collect store process or transmit information (people, networks)
- create a catalog of the organization’s. Informations assets
- prioritize the information assets by assigning value to them
Threat analysis: identification of threats associated with the information assets
- identify threats that are relevant to the organization and vulnerabilities associated with (groups of) information assets
- weighted ranking of threats for groups of information assets (probabilities)
Risk Analysis
- Goal: to determine the extent to which the Organisation’s information assets are exposed to risk:
- Required input: likelihood and impact
- likelihood that a specific vulnerability will be exploited or attacked (scale from 0 to 1 how likely in the next 12 months)
- potential impact of a successful attack (financial impact)
- Risk determination:
R = L x I
-Must be reviewed continually as risks can change
Risk evaluation
determine if risk treatment is needed based on the results of risk analysis ant the organizations risk appetite
risk evaluation:
- How acceptable is each risk
- should the risk be treated
Decision criteria:
- Organization’s risk appetite
- Potential solutions and their costs
- Certain solutions might address multiple risks
risk treatment
choose strategies that counteract the risks identified during the risk assessment phase
Strategy:
Defense: Applying controls and safeguards that reduce the risk (clean desk policies)
Transference: Shifting risks to other areas or to outside entities (insurance against risk or outsource risk treatment: dependency )
Mitgiation: Reducing the impact in case of a possible attack (data backup, store data on mirror server)
acceptance: Stating willingness to live with the risk (too expensive to reduce the remaining risk)
termination: remove an information asset from all operations (shutting down old Webserver which is not maintained)
Critical Reflection
Applying the risk management process conveys the impression of having used a rigorous method to protect an organization’s information assets
Any issues with the process?
- statistical rigor
- abuse (someone in charge abuses the process to proof his good work)
- disturbing mixture of quantitative analyses applied to interpretive data
- risk analysis ignore the effects of luck and guesswork on its accuracy
- if original estimates are invalid, then the probability arithmetic which follows it is complete nonsense
- highly subjective nature of risk analysis permit its abuse
