CS 564 Software Requirements Engineering
Lecture 11
Professor Larry Bernstein

End game:
November 30: Lecture 11
December 7: Lecture 12
December 14: Final exam

Please study all handouts, as they supplement the material in the prerelease of the textbook I gave you.

Risk Analysis

Risk evaluation with discounted cash flow analysis

Consider this product with three phases:
Phase 1: R&D, $18M / year for 2 years, probability of success at the end: 60%
Phase 2: Market development, $10M / year for 2 years, starting second year
Phase 3: Sales, 3 possible scenarios, starting year 4:
1. $24M / year for 20 years (probability: .3)
2. $12M / year for 10 years (probability: .5)
3. Abandon product (probability: .2)

Cash flow for this product:
Year 1: -$18M
Year 2: -$28M
Year 3: .6 * -$10M
Year 4-13: (.6 * .3 * $24M) + (.6 * .5 * $12M)
Year 14-23: .6 * .3 * $24M

To discount the cash flow, compute today's value of future moneys by using this formula:
NPV = CF / (1 + IR)^n
NPV = net present value
CF = cash flow
IR = interest rate (3% for example)
n = number of years

Example: Year 2: cash flow is -$28M; discounted cash flow at 3% interest rate is -$26.39M.

To get an idea of what the project is worth, one should discount the cash flows for each year and add them together.

Rate of return = net profits / net costs (should be at least 10%)

How do we estimate future sales? What products will take off?
A blend of sales and R&D talent should be used:
- R&D favors disruptive changes, but may be too disruptive.
- Sales favors continuous improvement, but may miss big new opportunities.

Example: "a tape recorder that does not record". What became known as the "Walkman" was at first snubbed by Sony's salespeople, who did not see its potential, while R&D people were able to imagine new uses for the product and push to finally make it happen.

Other factors increasing risk
1. Excessive schedule pressure (65% of projects)
2. Management malpractice
3. Inaccurate and inadequate metrics
4. Poor cost estimates
5. Silver bullet syndrome
6. Creeping features
7. Quality
8. Size

Risk dos and don'ts
- Don't overestimate the risks: too much contingency planning.
- Don't underestimate the risks: leads to panic management later.
- Don't look for scapegoats.
- Do deal only with the top 10 priorities; as they get solved, add to the list.

Quantitative computation
P(E) = m / n
P = probability
m = favorable events
n = total events
Risk = 1 - P(E)
Risk exposure = risk * costs

The spiral model requires a risk analysis after the prototype (1st cycle).


Risk Management for IT Security
Rick Kazman, Dan Port, Information Technology Management, University of Hawaii
David Klappholz, Computer Science, Stevens Institute of Technology

Contents
1. Introduction
  1.1 Security risk assessment
  1.2 IT security risk control
  1.3 Risk management in practice
2. Risk assessment methodologies
  2.1 OCTAVE
  2.2 SRMD
  2.3 FRAP
  2.4 Quantitative versus qualitative approaches
3. Management of information security standards
  3.1 TCSEC, ITSEC, CTCPEC, Common Criteria, and ISO 15408
  3.2 BS 7799, ISO 17799, and ISO TR 13335 (GMITS)
  3.3 HIPAA
  3.4 SSE-CMM and ISO/IEC 21827
  3.5 NIST guidance documents
4. Risk models
  4.1 Definitions
  4.2 Strategic risk models
  4.3 Strategic risk management methods
  4.4 The need for strategic risk management methods
5. Practical strategic risk models
  5.1 Multi-technique strategic methods
  5.2 Strategic decision making and competing risks
  5.3 Risk of delay
  5.4 Balancing competing risks for strategic planning
  5.5 Unsuitable sweet spots
6. Practical risk exposure estimation
  6.1 Qualitative methods
  6.2 Empirical approaches
  6.3 Pitfalls to avoid
7. Summary

Key words: risk, security risk, risk assessment, risk control, risk management, risk exposure, strategic methods

Abstract: Dealing with risk is critical to the success of any engineering or business endeavor. Considering the nature of IT, and considering recent events, this is especially true in the case of risks to IT security. We define the various notions associated with the assessment and management of risk in general and of IT security risk in particular, and provide both concrete examples of IT security risks and categorizations of well-known risks. We also review the various IT guidelines and standards that have IT security risk as major components. Finally, we detail approaches to dealing with IT security risk, with an emphasis on strategic approaches.

1. Introduction

According to [Carr93], risks must be managed, and risk management must be part of any mature organization's overall management practices and management structure. The primary activities identified by [Carr93] for managing risk are:
- Identify: risks must first be identified before they can be managed.
- Analyze: risks must be analyzed so that management can make prudent decisions about them.
- Plan: for information about a risk to be turned into action, a detailed plan, outlining both present and potential future actions, must be created. These actions may mitigate the risk, avoid the risk, or even accept the risk.
- Track: risks, whether they have been acted upon or not, must be tracked, so that management can continue to exercise diligence.
- Control: even if a risk has been identified and addressed, it must be continually controlled, to monitor for any deviations.

The key activity tying all of these together is assessment. Assessment is considered central to the risk management process, underlying all of the other activities.

For the purposes of exposition, we will follow the generic risk taxonomy shown in Figure 1. (In Figure 1, for application to security, the examples listed for risk analysis might include "security models, threat analysis, and vulnerability factor analysis" [Boehm91].) In this taxonomy the activity of risk management has two major sub-activities: risk assessment and risk control. Risk assessment is further divided into risk identification, risk analysis, and risk prioritization. Risk control is divided into risk management planning, risk resolution, and risk monitoring. While we will broadly discuss several areas of risk management, our focus in this chapter is primarily on risk assessment, as it applies to IT security. Assessment is the starting point and forms the fundamental basis for all risk management activities. Many risk assessment methods and techniques have directly analogous application to risk control; in such cases we will note that this is the case without elaboration.

The terminology used in the field of risk management varies somewhat among the different business and engineering areas in which it is used (e.g., see [Carr93], [Hall98], [Boehm91]). It even varies among writers in the field of IT security risk management. The generic risk management concepts that we have just introduced were created for software development (of which security is one attribute). The reader familiar with other works on IT security risk management should have little trouble seeing the direct applications. In this section we will define terms informally with examples; in later sections, we will formalize these definitions.

Although most people are unaware that they're doing it, we all engage in risk management on a daily basis. Consider, as an example, a decision, on the way out the door, on whether to stuff an umbrella into an uncomfortably heavy bag that will be taken on a thirty-minute train ride, followed by a ten-minute walk to the office. (This example, as well as a number of others in this section, is taken, albeit with considerably more detail, from NIST.) The decision is based on a quick, often almost unconscious, assessment of the risks involved and a decision on how to control them.

[Figure 1: Boehm's risk management taxonomy]

On the one hand, there's the probability that the rain predicted by the TV forecaster will actually materialize, that it will be in progress during the drive to the train station and/or during the walk, and, if all goes as badly as it might, of the damage it would cause, from the point of view of both walking in drenched clothing and, possibly, losing work time during the drying-out period. Balanced against all of this, on the other hand, is the discomfort of carrying the extra weight, and the possibility of the precariously-situated umbrella's dropping out of the bag and, as it did last week, causing a spillage of hot carry-out coffee during the effort to pick it up. An additional consideration is the probability that carrying the umbrella will solve the problem, a consideration that depends upon the expected strength of prevailing winds; if the wind proves to be too strong, the umbrella will provide no relief from the rain. An alternative possibility to consider, assuming it's an option, is to work at home all morning and to go to the office only after the rain, or its un-materialized threat, has abated.

1.1 Security Risk Assessment

In its typical definition, IT security involves protection of the confidentiality, integrity, and availability of data/information critical to the success of a business or government organization. Naturally, it also involves protection, from injury and death, of the people involved in dealing with that information. The following are examples of consequences that can result from materialization of risks in the areas of confidentiality, integrity, and availability:

Loss of confidentiality:
- Personal embarrassment resulting from theft and publication of personal financial, health, or other data, and possible prosecution and fine for individuals and the organization responsible for maintaining confidentiality
- Corporate loss of earnings resulting from theft of pre-patent technical data
- Loss of life of a covert intelligence agent resulting from theft and revelation of name and address

Loss of integrity:
- Personal embarrassment and, possibly, fine and imprisonment resulting from insertion into a database of false financial data implicating the subject in fraud or embezzlement
- Loss of corporate auditors' ability to detect embezzlement, and attendant loss of funds, resulting from deliberate corruption of financial data by an embezzler
- Loss of life resulting from changes to a database indicating that the subject is a covert agent when s/he isn't

Loss of availability:
- Personal embarrassment resulting from inability to keep appointments, resulting from temporary inability to use an electronic calendar
- Temporary inability of a corporation to issue weekly pay checks to employees, with attendant anger and loss of productivity, resulting from temporary unavailability of hours-worked data
- Loss of initiative, armaments, and lives resulting from a battlefield commander's inability to connect to a field-support database

The terms threat, threat source, vulnerability, impact, and risk exposure are in common use in the field of IT security risk assessment. Their application to the trip-to-work scenario is as follows:
- The threat, or threat source, is the onset of rain, at a sufficiently strong level, during an exposed part of the trip to work.
- The vulnerability is the fact that the person involved will get drenched if the threat materializes and the person has no form of shelter (e.g., an umbrella).
- The impact is the damage, measured in terms of discomfort and, possibly, of loss of productivity or even health, that will occur if the threat materializes.
- The risk exposure is an assessment, on either a numerical (perhaps monetary) scale or an ordinal scale (e.g., low, medium, or high), of the expected magnitude of the loss given the threat, the vulnerability to it, and its impact, should the threat materialize. In this example the risk exposure might change if the person is wearing a water-resistant coat.

The first step in risk assessment is risk identification, i.e., identification of potential threats, of vulnerabilities to those threats, and of impacts that would result should they materialize, all of which we've already done for the scenario under discussion. In the trip-to-work scenario, we are concerned with such intangibles as the threat of rain, the vulnerability of getting drenched, and the impact of discomfort, and with such tangibles as umbrellas. In the field of IT security, we are concerned with systems that store, process, and transmit data/information. Information systems are sometimes localized, and sometimes widely distributed; they involve computer hardware and software, as well as other physical and human assets. Tangibles include the various sorts of equipment and media, and the sites in which they and staff are housed. Intangibles include such notions as organizational reputation, opportunity or loss of same, productivity or loss of same, etc.

Threat sources are of at least three varieties: natural, human, and environmental. Examples are:
- Natural: electrical storms, monsoons, hurricanes, tornadoes, floods, avalanches, volcanic eruptions
- Human: incorrect data entry (unintentional), forgetting to lock a door (unintentional), failure to lock a door to enable a confederate to enter after hours (intentional), denial of service attack (intentional), creation and propagation of viruses (intentional)
- Environmental: failure of roof or wall due to use of bad construction materials, seepage of toxic chemicals through a ceiling, power outage

Vulnerabilities have various sources, including technical failings such as those reported in the public and professional presses on a daily basis. A compilation of technical threats may be found at http/: or Fred Cohen provides an excellent, extensive taxonomy of threats and vulnerabilities in his security database [Cohen04]. One unique aspect of this database is that the threats (or causes) are cross-referenced against the attack mechanisms to provide a linkage between the cause and the mechanisms used. The attack mechanisms are also cross-referenced against the defence mechanisms to indicate which mechanisms might be effective in some circumstances against those attack mechanisms.

The second step in risk assessment is risk analysis, i.e., estimation and calculation of the risk likelihoods (i.e., probabilities), magnitudes, impacts, and dependencies. This is easy in the case of monetary impacts arising from threat-vulnerability pairs whose probability of materializing can reasonably be computed, but considerably harder in most other cases. Special care must be taken when assigning the likelihoods, as the quality of the whole risk assessment is strongly dependent on the accuracy and realism of the assigned probabilities.

The final step in risk assessment is risk prioritization, that is, prioritizing all risks with respect to the organization's relative exposures to them. It is typically necessary to utilize techniques that enable risk comparison, such as calculating risk exposure in terms of potential loss. In the trip-to-work scenario, risks other than the one discussed above might include the risks associated with not buckling the seat belt during the drive to the station, the risk of an accident during the drive, the risk of missing the train, etc. A meticulous person, one who always leaves the house earlier than necessary and who is very conscious of taking safety precautions, will likely rate these new risks as having far lower exposures than the rain risk; a less meticulous person might do otherwise. In a highly-simplified version of a business situation, three threats might be volcanic eruption, late delivery of raw materials, and embezzlement. An organization located in Chicago would likely assign a lower priority to volcanic eruption than would one in south-western Washington; an organization whose suppliers have never before been late would likely assign a lower priority to late delivery than would an organization using a supplier for the first time. Be aware that there may be threats or vulnerabilities you have not included in your analysis. For this reason, you should draw upon the experiences of others to help build a library of threats and vulnerabilities.

1.2 IT Security Risk Control

During the risk control phase of the risk management process, we are concerned with safeguards, also known as controls. Safeguards fit into at least three categories: technical, management, and operational, with examples as follows:
- Technical: authentication (prevention), authorization (prevention), access control (prevention), intrusion detection (detection), audit (detection), automatic backup (recovery), etc.
- Management: assignment of guards to critical venues (prevention), institution of user account initiation and termination procedures (prevention), institution of a need-to-know data access policy (prevention), institution of a periodic risk re-assessment policy (prevention), institution of organization-wide security training (prevention and detection), etc.
- Operational: secure network hardware from access by any but authorized network administrators and/or service personnel (prevention), bolt desktop PCs to desks (prevention), screen outsiders before permitting entry (prevention), set up and monitor motion alarms, sensors, and closed-circuit TV (detection of physical threats), set up and monitor smoke detectors, gas detectors, and fire alarms (detection of environmental threats)

In the trip-to-work scenario, the safeguard that we have considered has a (fairly low-tech) technical component, i.e., the umbrella, and an operational component, i.e., carrying the umbrella. An alternative operational safeguard would be to work at home all morning, if that's an option, and to go to the office only after the rain, or the threat of rain, has abated. During the risk control phase of the risk management process, we cons
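Returning to the lecture's discounted cash flow exercise at the top of the page, the following Python is an added worked example (not code from the lecture or the chapter): it reproduces the probability-weighted cash flow table for the three-phase product, discounts each year with the lecture's NPV = CF / (1 + IR)^n at 3%, and yields the -$26.39M year-2 figure. The rate-of-return function assumes "net profits" means total inflows minus total outflows and "net costs" means total outflows, which the lecture does not spell out.

```python
"""Expected and discounted cash flows for the lecture's three-phase product (all figures in $M)."""
from typing import Dict, List, Tuple

RD_COST = 18.0            # Phase 1: $18M per year, years 1 and 2
P_RD_SUCCESS = 0.6        # Probability that R&D succeeds at the end of phase 1
MARKET_COST = 10.0        # Phase 2: $10M per year, years 2 and 3
# Phase 3 scenarios from year 4 on: (annual revenue, number of years, probability)
SALES_SCENARIOS: List[Tuple[float, int, float]] = [
    (24.0, 20, 0.3),
    (12.0, 10, 0.5),
    (0.0, 0, 0.2),        # Abandon the product
]


def expected_cash_flows() -> Dict[int, float]:
    """Probability-weighted cash flow per year, matching the lecture's table."""
    flows: Dict[int, float] = {}
    flows[1] = -RD_COST
    flows[2] = -RD_COST - MARKET_COST           # -$28M: both phases run in year 2
    flows[3] = P_RD_SUCCESS * -MARKET_COST      # Market development continues only if R&D succeeded
    last_year = 3 + max(years for _, years, _ in SALES_SCENARIOS)
    for year in range(4, last_year + 1):
        # A scenario contributes only while its sales period is still running
        flows[year] = sum(
            P_RD_SUCCESS * prob * revenue
            for revenue, years, prob in SALES_SCENARIOS
            if year - 3 <= years
        )
    return flows


def discount(cash_flow: float, rate: float, years: int) -> float:
    """Lecture's formula: present value = CF / (1 + IR)^n."""
    return cash_flow / (1.0 + rate) ** years


def npv(rate: float) -> float:
    """Sum of the discounted expected cash flows over the product's life."""
    return sum(discount(cf, rate, year) for year, cf in expected_cash_flows().items())


def rate_of_return() -> float:
    """Net profits / net costs on undiscounted expected flows (lecture: should be at least 10%).
    Assumption: net profits = inflows - outflows, net costs = outflows."""
    flows = list(expected_cash_flows().values())
    inflows = sum(cf for cf in flows if cf > 0)
    outflows = -sum(cf for cf in flows if cf < 0)
    return (inflows - outflows) / outflows


if __name__ == "__main__":
    for year, cf in expected_cash_flows().items():
        print(f"year {year:2d}: expected {cf:7.2f}M  discounted at 3%: {discount(cf, 0.03, year):7.2f}M")
    print(f"NPV at 3%: {npv(0.03):.2f}M, rate of return: {rate_of_return():.1%}")
```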