Risk Analysis with narration

Risk Analysis
• Risk impact: the loss associated with an event
• Risk probability: the likelihood that the event will occur
• Risk control: the degree to which we can change the outcome
• Risk exposure = risk impact × risk probability

Risk Analysis – risk reduction
• Avoid the risk
• Transfer the risk
• Assume the risk

Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)
• We cannot guarantee that systems are risk free
• Security plans must therefore state the action needed should an unexpected risk become a problem
Steps of a Risk Analysis
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of each control

Identify Assets
• Hardware
• Software
• Data
• People
• Procedures (policies, training)
• Documentation
• Supplies
• Infrastructure (building, power, water, …)
Determine Vulnerabilities
For each asset, ask how it could be harmed under each security property:

Asset       | Confidentiality | Integrity | Availability
------------+-----------------+-----------+-------------
Hardware    |                 |           |
Software    |                 |           |
Data        |                 |           |
People      |                 |           |
Procedures  |                 |           |
Determine Vulnerabilities
• What are the effects of unintentional errors?
• What are the effects of willfully malicious insiders?
• What are the effects of outsiders?
• What are the effects of natural and physical disasters?
Risk Analysis

Estimate Likelihood of Exploitation
• Classical probability
• Frequency probability (simulation)
• Subjective probability (Delphi approach)
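One way to carry out the "frequency probability (simulation)" approach above is a Monte Carlo run: draw the number of incidents per year and a loss per incident many times, then read the mean (which should match impact × probability) alongside the spread that the single point estimate hides. This is an added example, not part of the original slides; the incident rate and loss range are constructed for illustration, and in practice would come from incident history or a Delphi round.

```python
"""Frequency-probability estimate of annual loss by simulation.

Added example, not from the slides. The incident rate and loss range below are
constructed; in practice they come from incident history or a Delphi round.
"""
import math
import random
import statistics


def poisson(rng, rate):
    """Number of incidents in one year for an average of `rate` per year (Knuth's method)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(rate, low, mode, high, years=20_000, seed=1):
    """One simulated year per trial: draw the incident count, then a loss per
    incident from a triangular(low, mode, high) distribution, and sum them."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incidents = poisson(rng, rate)
        losses.append(sum(rng.triangular(low, high, mode) for _ in range(incidents)))
    return losses


def summarize(losses):
    """Point estimate (mean ~ expected annual loss) next to the spread it hides."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": statistics.mean(ordered),        # compare with impact * probability
        "median": statistics.median(ordered),
        "p95": ordered[int(0.95 * n) - 1],       # loss exceeded in the worst 5% of years
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


# Constructed parameters: about one incident every two years, each costing
# between 10k and 100k with 30k the most likely value.
RATE, LOW, MODE, HIGH = 0.5, 10_000, 30_000, 100_000
ANALYTIC_ALE = RATE * (LOW + MODE + HIGH) / 3   # mean of the triangular distribution


def run():
    return summarize(simulate_annual_losses(RATE, LOW, MODE, HIGH))


if __name__ == "__main__":
    s = run()
    print(f"analytic ALE {ANALYTIC_ALE:,.0f}  simulated mean {s['mean']:,.0f}  "
          f"median {s['median']:,.0f}  95th percentile {s['p95']:,.0f}  "
          f"P(any loss) {s['p_any_loss']:.2f}")
```

The simulated mean lands on the analytic impact × probability figure, but the median is zero (most years have no incident) and the 95th percentile is several times the mean; reporting only the mean is exactly the "false sense of precision" listed later as an argument against risk analysis.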

Compute Expected Loss (look for hidden costs)
• Legal obligations
• Side effects
• Psychological effects
Risk Analysis

Survey and Select New Controls
• What criteria are used for selecting controls?
• Vulnerability Assessment and Mitigation (VAM) methodology
• How do controls affect what they control?
• Which controls are best?

Project Savings
• Do the costs of a control outweigh the benefits of preventing or mitigating the risk?
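The six steps above, from identified assets through projected savings, can be carried through end to end on a small constructed inventory. The following is an added example and not code from the slides: asset values, annual probabilities, control costs and the fraction by which each control reduces a threat's probability are all assumed for illustration. It computes risk exposure, risk leverage and net annual savings with the formulas defined earlier, ranks the candidate controls, and then selects them greedily against the residual exposure so that two controls covering the same vulnerability are not credited with the same avoided loss twice.

```python
"""Worked risk analysis: assets -> vulnerabilities -> expected annual loss ->
control selection by risk leverage.

Added example, not from the slides. All asset values, probabilities, control
costs and reduction factors are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    asset: str                 # from the "Identify assets" step
    threat: str                # error, malicious insider, outsider, natural disaster
    impact: float              # loss per occurrence (dollars), hidden costs included
    annual_probability: float  # estimated likelihood of exploitation per year

    def exposure(self) -> float:
        """Risk exposure = risk impact * risk probability (expected annual loss)."""
        return self.impact * self.annual_probability


@dataclass
class Control:
    name: str
    annual_cost: float
    # (asset, threat) -> fraction by which the control cuts that threat's probability
    reductions: dict = field(default_factory=dict)


def annual_loss(vulns):
    """Expected annual loss across all vulnerabilities (sum of exposures)."""
    return sum(v.exposure() for v in vulns)


def apply_control(vulns, control):
    """Residual vulnerabilities after the control reduces the probabilities it covers."""
    return [
        Vulnerability(v.asset, v.threat, v.impact,
                      v.annual_probability
                      * (1.0 - control.reductions.get((v.asset, v.threat), 0.0)))
        for v in vulns
    ]


def leverage(vulns, control):
    """Risk leverage = (exposure before - exposure after) / cost of the control."""
    before = annual_loss(vulns)
    after = annual_loss(apply_control(vulns, control))
    return (before - after) / control.annual_cost


def annual_savings(vulns, control):
    """Projected net annual saving: avoided loss minus the control's annual cost."""
    return annual_loss(vulns) - annual_loss(apply_control(vulns, control)) - control.annual_cost


def rank_controls(vulns, controls):
    """Controls ordered by leverage, each measured against the same starting exposure."""
    return sorted(controls, key=lambda c: leverage(vulns, c), reverse=True)


def select_controls(vulns, controls):
    """Greedy selection: repeatedly take the highest-leverage control whose net
    saving is still positive, re-measuring leverage against the residual
    exposure so overlapping controls are not double-counted."""
    remaining, chosen, current = list(controls), [], list(vulns)
    while remaining:
        best = max(remaining, key=lambda c: leverage(current, c))
        if annual_savings(current, best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
        current = apply_control(current, best)
    return chosen, annual_loss(current)


# Constructed sample inventory (values are illustrative, not measured) ----------
VULNS = [
    Vulnerability("customer database", "outsider", 500_000, 0.05),
    Vulnerability("customer database", "malicious insider", 200_000, 0.02),
    Vulnerability("file server", "unintentional error", 20_000, 0.50),
    Vulnerability("data center", "natural disaster", 1_000_000, 0.001),
]

BACKUPS = Control("nightly backups with restore test", 3_000, {
    ("file server", "unintentional error"): 0.8,
    ("data center", "natural disaster"): 0.9,
})
DLP = Control("DLP plus least-privilege review", 8_000, {
    ("customer database", "outsider"): 0.4,
    ("customer database", "malicious insider"): 0.5,
})
LOCKS = Control("biometric door locks", 15_000, {
    ("customer database", "malicious insider"): 0.2,
})
CONTROLS = [DLP, BACKUPS, LOCKS]

if __name__ == "__main__":
    print(f"expected annual loss before controls: {annual_loss(VULNS):,.0f}")
    for c in rank_controls(VULNS, CONTROLS):
        print(f"{c.name:36s} leverage={leverage(VULNS, c):5.2f} "
              f"net saving={annual_savings(VULNS, c):>10,.0f}")
    chosen, residual = select_controls(VULNS, CONTROLS)
    print("selected:", [c.name for c in chosen], f"residual loss={residual:,.0f}")
```

With these numbers the starting exposure is 40,000 per year; backups have the highest leverage (8,900 avoided for 3,000 spent), DLP is next, and the door locks cost far more than the 800 of loss they avoid, so they are rejected at the "project savings" step and the residual exposure after the two accepted controls is 19,100 per year.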
Arguments for Risk Analysis
• Improve awareness
• Relate the security mission to management objectives
• Identify assets, vulnerabilities, and controls
• Improve the basis for decisions
• Justify expenditures for security

Arguments against Risk Analysis
• False sense of precision and confidence
• Hard to perform
• Immutability (filed and forgotten)
• Lack of accuracy
“Today’s complex Internet networks cannot be made
watertight…. A system administrator has to get everything
right all the time; a hacker only has to find one small hole.
A sysadmin has to be lucky all of the time; a hacker only
has to get lucky once. It is easier to destroy than to
create.”
(Robert Graham, lead architect of Internet Security Systems)