IT risk management
Economics of Security and Privacy
(BMEVIHIAV15)
Mark Felegyhazi
assistant professor
CrySyS Lab.
IT risk management
BME Department of Telecommunications
(Híradástechnikai Tanszék)
mfelegyhazi(atat)crysys(dot)hu
Security is risk management
§ risk:
• Merriam-Webster (1): possibility of loss or injury
• Dictionary (1): exposure to the chance of injury or
loss; a hazard or dangerous chance
• Wikipedia: Risk is the potential that a chosen action
or activity (including the choice of inaction) will lead
to a loss (an undesirable outcome). The notion
implies that a choice having an influence on the
outcome exists (or existed).
IT risk management
© Mark Felegyhazi, CrySyS Lab,
Department of Telecommunications, BME
2
Security is risk management
§ risk management:
Wikipedia: risk management is the identification,
assessment, and prioritization of risks followed by
coordinated and economical application of resources to
minimize, monitor, and control the probability and/or
impact of unfortunate events or to maximize the
realization of opportunities.
CISA Review Manual: Risk management is the process of
identifying vulnerabilities and threats to the information
resources used by an organization in achieving business
objectives, and deciding what countermeasures, if any,
to take in reducing risk to an acceptable level, based on
the value of the information resource to the organization.
More concepts
§ vulnerability = a possibility to attack
• flaw or weakness in the hardware, software or design
• ex: software bugs
§ threat agent (= attacker)
§ threat = potential for a threat agent to exploit a vulnerability
• ex: the disk is not encrypted (a vulnerability), but the device is fixed in place anyway, so the threat is small
• also need motivation for an attacker
§ risk = threat realization with considered impact
Risk management (simplified)
[figure: simplified loop of the risk manager, with three numbered steps (1, 2, 3) and a cost question mark; the box labels did not survive extraction]
Goal of risk management
§ vulnerabilities → threats → incidents → losses
Goal: Minimize the costs associated with risks (threats)
Risk management lifecycle
source: Systems Engineering Fundamentals. Defense Acquisition University Press, 2001
Risk management standards
§ ISO/IEC 27000 series - Information security management
systems
• 27005:2011 - Information security risk management
• generally accepted guidelines for implementing information
security management systems; also serves as the basis for audits
• open source support: Enterprise Security Information System
(ESIS)
§ NIST SP 800-30
§ ISACA Risk IT
§ Open Source Security Testing Methodology Manual (OSSTMM)
§ ISO/IEC 15408 - Common Criteria for Information Technology
Security Evaluation (abbreviated as Common Criteria or CC)
Risk Management process (ENISA)
[figure: Overall cycle of a Risk Management Process (ENISA); the boxes recovered from the figure:]
- Interface to other operational and product processes (all aspects included in the interface with other operational or product processes)
- Corporate Risk Management Strategy
- Definition of Scope and Framework for the management of risks: Definition of External Environment, Definition of Internal Environment, Generation of Risk Management Context, Formulation of Risk Criteria
- Risk Assessment: Identification of Risks, Analysis of relevant Risks, Evaluation of Risks
- Risk Treatment: Identification of options, Development of action plan, Approval of action plan, Implementation of action plan, Identification of residual Risks
- Risk Acceptance (optional)
- Risks Communication, Risks Awareness, Consulting
- Monitor and Review (plans, events, quality); Recurrence
Accompanying text from the ENISA document: "The ideal sequence for the performance of the processes of Risk Management is to start with the establishment of a Corporate Risk Management Strategy and proceed according to the orange cyclic arrow as indicated in the figure, whereas mutual interactions between the processes might also be performed (e.g. performance of Risk Assessment after a Risk Acceptance). It is worth mentioning that no effective Risk Management system can be established in an organization if it lacks such interfaces and especially to other relevant operational or product processes (s. box at the top of the figure). In its future work on Risk Management, ENISA will elaborate examples to demonstrate ways to integrate Risk" [cut off on the slide]
European Network and Information Security Agency (ENISA), “Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools,” June 2006
Risk Management process (Risk-IT)
The Risk IT framework is built on the principles laid out in chapter 3 and further developed into a comprehensive process model (figure 6). The risk management process model groups key activities into a number of processes. These processes are grouped into three domains. The process model will appear familiar to users of COBIT and Val IT: substantial guidance is provided on the key activities within each process, responsibilities for the process, information flows between processes and performance management of the process.
The three domains of the Risk IT framework—Risk Governance, Risk Evaluation and Risk Response—each contain three processes, as shown in figure 6.
Figure 6—Risk IT Framework
[figure: the three domains arranged around Business Objectives and linked by Communication]
- Risk Governance: Ensure that IT risk management practices are embedded in the enterprise, enabling it to secure optimal risk-adjusted return. Processes: Establish and Maintain a Common Risk View; Integrate With ERM; Make Risk-aware Business Decisions.
- Risk Evaluation: Ensure that IT-related risks and opportunities are identified, analysed and presented in business terms. Processes: Collect Data; Analyse Risk; Maintain Risk Profile.
- Risk Response: Ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities. Processes: Articulate Risk; Manage Risk; React to Events.
The following chapters contain a number of essential practices and techniques for each of the three domains of the Risk IT framework. The model is explained in full detail in chapter 11.
ISACA, “Risk-IT framework,” 2009
Risk management phases
§ risk governance (RG)
§ risk assessment (RA)
• risk mgmt context
- define criteria
- requirements
- resources
• risk analysis
- identification
- estimation
- profile definition
• risk evaluation
§ risk treatment (RT)
• prevent
• mitigate
• transfer
• accept
§ risk monitoring and review (RM)
• monitoring
• communication
• awareness
Decision-makers
RG
§ senior management
§ chief information officer (CIO)
§ information system security officer (ISSO)
§ system and information owners
§ security practitioners (sysadmins, security specialists)
§ security awareness trainers
ISACA, “Risk-IT framework,” 2009
Risk management planning and governance
RG
§ develop an enterprise risk management strategy
§ establish and maintain a risk management plan
• risk appetite
• risk tolerance
§ ensure that IT risk management is embedded in
the system
• integrate with business processes
§ provide resources for risk management
§ establish responsibilities and accountability
generic control of risk management
Behavior towards risks
RG
§ risk appetite: the property of engaging with risks
• risk-averse – risk-neutral – risk-taking
• Risk IT definition: the amount of risk a company or other entity is willing to accept in pursuit of its mission or vision
§ risk tolerance: tolerance towards the difference from the risk level as defined in risk appetite
Figure 7—Risk Map Indicating Risk Appetite Bands
[figure: risk map with Frequency on the horizontal axis and Magnitude on the vertical axis; bands from low to high risk: Opportunity (cost-saving opportunities may exist), Acceptable, Unacceptable, Really Unacceptable]
Every enterprise has to define its own risk appetite levels and review them on a regular basis; there is no absolute norm or standard for what constitutes acceptable and unacceptable risk.
ISACA, “Risk-IT framework,” 2009
Key factors to success
RG
§ continuous support from top management
§ central management – common strategy
§ successful integration with business processes
§ optimize tasks and controls (avoid over-control)
§ compliant with company’s business philosophy
§ continuous training
§ never-ending process!
ENISA, “Risk Management: Implementation principles and Inventories
for Risk Management/Risk Assessment methods and tools,” June 2006
Risk assessment
RA
[figure: NIST SP 800-30 Figure 3-1, Risk Assessment Methodology Flowchart; the nine steps with their inputs and outputs as recovered from the figure:]
Step 1: System Characterization (input: hardware, software, system interfaces, data and information, people, system mission; output: system boundary, system functions, system and data criticality, system and data sensitivity)
Step 2: Threat Identification (input: history of system attack, data from intelligence agencies, NIPC, OIG, FedCIRC, mass media; output: threat statement)
Step 3: Vulnerability Identification (input: reports from prior risk assessments, any audit comments, security requirements, security test results; output: list of potential vulnerabilities)
Step 4: Control Analysis (input: current controls, planned controls; output: list of current and planned controls)
Step 5: Likelihood Determination (input: threat-source motivation, threat capacity, nature of vulnerability, current controls; output: likelihood rating)
Step 6: Impact Analysis – loss of integrity, loss of availability, loss of confidentiality (input: mission impact analysis, asset criticality assessment, data criticality, data sensitivity; output: impact rating)
Step 7: Risk Determination (input: likelihood of threat exploitation, magnitude of impact, adequacy of planned or current controls; output: risks and associated risk levels)
Step 8: Control Recommendations (output: recommended controls)
Step 9: Results Documentation (output: risk assessment report)
NIST SP800-30, “Risk Management Guide for Information Technology Systems,” July 2002

Risk assessment
RA
§ Risk assessment
• identification
- persons, assets and system info
- technical / mgmt / operational controls
- information gathering – info sources
- threat sources – attacker model
- vulnerability identification
• analysis / estimation
- categorize threats by likelihood
• evaluation
- control analysis – security options (ROSI)
- impact analysis – system critical incidents
- risk determination
[figure: the same NIST SP 800-30 Figure 3-1 flowchart shown behind the bullets]
Risk analysis – flowchart
RA
[figure: NIST SP 800-30 Figure 4-1, Risk Mitigation Action Points. Threat Source → System Design → Vulnerable? (NO → No Risk) → Exploitable? (NO → No Risk; YES → Risk Exists, i.e. vulnerability to attack exists) → Attacker's Cost < Gain? (NO → Risk Accept; YES → Unacceptable Risk) and Loss Anticipated > Threshold? (NO → Risk Accept; YES → Unacceptable Risk)]
From the NIST text accompanying the figure: "The risk mitigation chart in Figure 4-1 addresses these questions. Appropriate points for implementation of control actions are indicated in this figure by the word YES."
NIST SP800-30, “Risk Management Guide for Information Technology Systems,” July 2002
Measuring risks: simplified
RA
§ Annualized Loss Expectancy (ALE)
• ALE = ARO * SLE = ARO * AV * EF
- ARO – Annualized Rate of Occurrence (likelihood)
- AV – Asset Value (impact)
- EF – Exposure Factor
§ example:
• prob. of a server failing: 0.01
• data worth $500,000
• most probably 30% destroyed
ALE = 0.01 * $500000 * 0.3 = $15000
Problems
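The ALE formula above, and the risk-appetite bands of the earlier risk map (Frequency × Magnitude), as an added Python example that is not part of the lecture. It decomposes ALE into ARO and SLE for a small risk register, ranks the register, and maps each entry onto a band. The register entries, the threshold values and the band rule (ALE thresholds for the diagonal bands plus a single-event magnitude cap for "really unacceptable") are constructed assumptions for illustration, not measurements. On the slide's own inputs (ARO 0.01, AV $500,000, EF 0.3) the formula evaluates to $1,500.

```python
"""Annualized Loss Expectancy (ALE) over a small risk register, ranked and
mapped onto risk-appetite bands. Added example; the register, thresholds
and band rules are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    aro: float  # Annualized Rate of Occurrence: expected incidents per year
    av: float   # Asset Value, in currency units
    ef: float   # Exposure Factor: fraction of the asset value lost per incident

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident (magnitude)."""
        return self.av * self.ef

    def ale(self) -> float:
        """ALE = ARO * SLE = ARO * AV * EF."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Appetite:
    """Constructed risk-appetite bands. Frequency (ARO) times magnitude (SLE)
    is the ALE, so ALE thresholds cut the frequency/magnitude map into
    diagonal bands; a separate magnitude cap marks single events that
    threaten survival no matter how rare they are."""
    acceptable_ale: float     # below this the risk is well below appetite
    unacceptable_ale: float   # at or above this the risk must be treated
    catastrophic_sle: float   # one event this large is never acceptable


def appetite_band(risk: Risk, appetite: Appetite) -> str:
    if risk.sle() >= appetite.catastrophic_sle:
        return "really unacceptable"
    ale = risk.ale()
    if ale >= appetite.unacceptable_ale:
        return "unacceptable"
    if ale >= appetite.acceptable_ale:
        return "acceptable"
    # Far below appetite: existing controls here may be over-control,
    # i.e. a cost-saving opportunity.
    return "opportunity"


def rank_register(register, appetite):
    """Return (name, ALE, band) tuples, highest ALE first."""
    rows = [(r.name, r.ale(), appetite_band(r, appetite)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# The slide's example: server failure with p = 0.01, data worth $500,000, 30% destroyed.
SLIDE_EXAMPLE = Risk("server failure", aro=0.01, av=500_000, ef=0.3)

# Constructed register (illustrative values, not measurements).
REGISTER = [
    SLIDE_EXAMPLE,
    Risk("phishing credential theft", aro=2.0, av=50_000, ef=0.2),
    Risk("laptop theft", aro=0.5, av=4_000, ef=1.0),
    Risk("data-center fire", aro=0.002, av=2_000_000, ef=0.8),
    Risk("printer outage", aro=3.0, av=500, ef=0.2),
]
# Constructed appetite thresholds (currency units per year / per event).
APPETITE = Appetite(acceptable_ale=1_000, unacceptable_ale=10_000,
                    catastrophic_sle=1_000_000)

if __name__ == "__main__":
    for name, ale, band in rank_register(REGISTER, APPETITE):
        print(f"{name:28s} ALE = {ale:10.2f}  band = {band}")
```

Note that the data-center fire has a low ALE (rare event) but still lands in the top band because its single-event loss exceeds the survivability cap, which is exactly the point of keeping frequency and magnitude separate rather than looking only at their product.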
Perceived composite risk (PCR)
RA
§ expected loss E[X]
§ expected severe loss E[severe loss]
§ standard deviation of the loss
From the paper, on a running example (Proposal 1): "The preceding three risk metrics can be illustrated with an example. Let X be a random variable representing the loss (in millions of dollars) attributable to a breach. Suppose for a proposal (called Proposal 1) for enhancing information security activities, X has the following discrete uniform distribution: P[X=x] = .1 for x = 0, 1, 2, …, 9. Therefore, the expected loss from a breach, E[X], under Proposal 1 is given by:"
$$E[X] = \sum_{x=0}^{9} x\,P[X=x] = 0[.1] + 1[.1] + \dots + 9[.1] = 4.5$$
"In order to calculate the expected severe loss, the decision-maker must first specify a threshold level. Suppose the threshold level, denoted by T, is judged to be 8, i.e., any breach whose cost is $8 million or greater is believed to put the survivability of the organization at risk. The expected severe loss under Proposal 1, denoted by E[severe loss], is given by:"
$$E[\text{severe loss}] = \sum_{x=8}^{9} x\,P[X=x] = 8[.1] + 9[.1] = 1.7$$
"The standard deviation of loss, denoted by σ, under the loss function defined for Proposal 1 is given by:"
$$\sigma = \sqrt{\sum_{x=0}^{9} (x - E[X])^2\,P[X=x]} = \sqrt{8.25} \approx 2.872$$
"We now present the PCR metric. For a given set of information security activities, the PCR is a linear combination of the expected loss, the expected severe loss, and the standard deviation of loss that can be attributed to a breach. Specifically,"
$$PCR = E[X] + [B/A]\,E[\text{severe loss}] + [C/A]\,\sigma$$
"where the weights A, B, and C are determined from the AHP."
L.D. Bodin, L.A. Gordon, M.P. Loeb, “Information security and risk management,” Communications of the ACM, 2008
PCR: calculate weights
RA
§ CISO decides about the importance of these factors
• A + B + C = 1 and A,B,C > 0
• weights calculated using Analytic Hierarchy Process (AHP)
(check on Wikipedia, it’s quite interesting)
PCR example
RA
§ A = 0.4, B = 0.4, C = 0.2
• pairwise comparison judgments of the CISO: a12 = 1, a13 = 2, a23 = 2, a31 = 1/2, a32 = 1/2; the diagonal elements a11, a22 and a33 are set to 1, since a criterion is equally important as itself; AHP reveals the weights A = 0.4, B = 0.4, C = 0.2
PCR (Proposal 1) = $4.5M + [.4/.4]·[$1.7M] + [.2/.4]·[$2.872M] = $4.5M + $1.7M + $1.436M = $7.636M

Suppose a decision maker must select from four equal-cost proposals for enhancing the organization's information security, and the decision maker and his/her staff have estimated the loss probabilities in Table 2 (T = 8, A = 0.4, B = 0.4, C = 0.2).

Table 2. Probability of losses under the four information security proposals (losses from an information security breach, in $ millions)
Loss x                           0    1    2    3    4    5    6    7    8    9   other values
Probability of Loss, Proposal 1  .1   .1   .1   .1   .1   .1   .1   .1   .1   .1   0
Probability of Loss, Proposal 2   0    0   .2    0    0   .5    0   .1   .2    0   0
Probability of Loss, Proposal 3  .3   .2    0    0    0    0  .05  .05   .1   .3   0
Probability of Loss, Proposal 4   0    0    0    0    0    0    0  .45  .45   .1   0

Table 3. Risk measures for the proposals (where T=8, A=0.4, B=0.4, and C=0.2)
Proposal     Expected Loss E[X]   Expected Severe Loss E[X|X≥T]   Standard Deviation of Loss   Perceived Composite Risk PCR
Proposal 1   4.5                  1.7                             2.872                        7.636
Proposal 2   5.2                  1.6                             1.990                        7.795
Proposal 3   4.35                 3.5                             4.028                        9.864
Proposal 4   7.65                 4.5                             0.654                        12.477
(column minimums: E[X] Proposal 3, expected severe loss Proposal 2, standard deviation Proposal 4, PCR Proposal 1)

From the paper: "Some problems with using the popular metric of expected loss as a sole measure of risk are apparent by examining Tables 2 and 3. According to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2, and Proposal 4. Note that although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr[X≥8]=0.4) and generates the highest standard deviation of loss. Table 3 also indicates that based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3 and Proposal 4. Further, based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1, and Proposal 3. Thus, a decision maker interested in minimizing the risk of a breach" [cut off on the slide]
source: L.D. Bodin, L.A. Gordon, M.P. Loeb, “Information security and risk management,” Communications of the ACM, 2008
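The PCR metric of the previous three slides, as an added Python example that is not part of the lecture or of the Bodin, Gordon and Loeb paper. It computes E[X], the expected severe loss above the threshold T, the standard deviation of loss and PCR for the four loss distributions of Table 2, derives the weights A, B, C from the pairwise comparison matrix given on the slide (a12 = 1, a13 = 2, a23 = 2 and reciprocals), and reports which proposal each criterion prefers. The weight estimate uses the column-normalisation approximation of the AHP priority vector, which is exact for a consistent matrix such as this one; the consistency index is computed so the reader can check that assumption.

```python
"""Perceived Composite Risk (PCR) for the four proposals on the slides, with
AHP weights from a pairwise comparison matrix. Added example; the
distributions and the comparison matrix are the ones stated on the slides."""
from math import sqrt


def expected_loss(dist):
    """E[X] = sum of x * P[X=x] over the loss distribution {x: p}."""
    return sum(x * p for x, p in dist.items())


def expected_severe_loss(dist, threshold):
    """E[severe loss] = sum of x * P[X=x] over losses at or above the threshold T."""
    return sum(x * p for x, p in dist.items() if x >= threshold)


def std_dev_loss(dist):
    """sigma = sqrt(sum of (x - E[X])^2 * P[X=x])."""
    mu = expected_loss(dist)
    return sqrt(sum((x - mu) ** 2 * p for x, p in dist.items()))


def survival_threat_probability(dist, threshold):
    """P[X >= T]: probability that one breach threatens survivability."""
    return sum(p for x, p in dist.items() if x >= threshold)


def ahp_weights(matrix):
    """Column-normalisation estimate of the AHP priority vector: normalise each
    column to sum 1, then average across the row. Exact for a consistent matrix."""
    n = len(matrix)
    col_sums = [sum(matrix[i][j] for i in range(n)) for j in range(n)]
    return [sum(matrix[i][j] / col_sums[j] for j in range(n)) / n for i in range(n)]


def consistency_index(matrix, weights):
    """CI = (lambda_max - n) / (n - 1); 0 for a perfectly consistent matrix."""
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / weights[i] for i in range(n)) / n
    return (lam_max - n) / (n - 1)


def pcr(dist, threshold, a, b, c):
    """PCR = E[X] + (B/A) E[severe loss] + (C/A) sigma."""
    return (expected_loss(dist)
            + (b / a) * expected_severe_loss(dist, threshold)
            + (c / a) * std_dev_loss(dist))


# Loss distributions from Table 2 (loss in $ millions -> probability); zeros omitted.
PROPOSALS = {
    "Proposal 1": {x: 0.1 for x in range(10)},
    "Proposal 2": {2: .2, 5: .5, 7: .1, 8: .2},
    "Proposal 3": {0: .3, 1: .2, 6: .05, 7: .05, 8: .1, 9: .3},
    "Proposal 4": {7: .45, 8: .45, 9: .1},
}
# Pairwise comparison matrix of the three criteria (expected loss, severe loss,
# standard deviation): a12 = 1, a13 = 2, a23 = 2, reciprocals below the diagonal.
PAIRWISE = [[1, 1, 2], [1, 1, 2], [0.5, 0.5, 1]]
T = 8  # survivability threshold in $ millions


def risk_table(proposals=PROPOSALS, threshold=T, pairwise=PAIRWISE):
    """Table 3 of the paper, rebuilt from the distributions and the AHP weights."""
    a, b, c = ahp_weights(pairwise)
    rows = {}
    for name, dist in proposals.items():
        rows[name] = {
            "E[X]": round(expected_loss(dist), 3),
            "E[severe]": round(expected_severe_loss(dist, threshold), 3),
            "sigma": round(std_dev_loss(dist), 3),
            "P[X>=T]": round(survival_threat_probability(dist, threshold), 3),
            "PCR": round(pcr(dist, threshold, a, b, c), 3),
        }
    return rows


def preferred(rows, metric):
    """The proposal that minimises the given column of the table."""
    return min(rows, key=lambda name: rows[name][metric])


if __name__ == "__main__":
    rows = risk_table()
    for name, row in rows.items():
        print(name, row)
    for metric in ("E[X]", "E[severe]", "sigma", "PCR"):
        print(f"preferred by {metric}: {preferred(rows, metric)}")
```

Running it reproduces the four rows of Table 3 and shows the disagreement between the criteria that the slide points out: expected loss picks Proposal 3, severe loss picks Proposal 2, standard deviation picks Proposal 4, and the weighted PCR picks Proposal 1.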
ALE method’s “failure”
RA
§ ALE method’s “failure”
• too many details
- difficult to implement
- number of scenarios is too high
• technology view on risk
- deterministic rather than probabilistic
• dependence on information
§ new methods
• simplify risk analysis
• mostly short-term
K. Soo Hoo, “How Much Is Enough? A Risk-Management Approach to Computer
Security,” PhD thesis, Stanford 2000
Improved methods
RA
simplify – tractable way to analyze risks
§ Integrated Business Risk management framework
• focuses on impact and added value
• security like other business risks
• simplifies management
§ valuation-driven methods
• no data
• ignore incident likelihoods and focus on asset value
• suffer from the simplification
Improved methods (cont’d)
RA
§ scenario analysis
• often used to dramatize impact (by consultants)
• limited scope
§ good practices
• common engineering response
• conformance to policies results in (some) protection
• also protects against liability claims
• de-coupled from data collection and analysis
• efficiency depends on
- compliance costs
- process to define practices / rules
Quantitative risk management
RA
§ from qualitative to quantitative methods
• share information
§ Key enabler: information = data (potentially historic)
• vulnerabilities
• incidents
• losses
• effectiveness of countermeasures
§ steps
• register incidents – proper forensics
• report
• summarize in a central(ized) database
§ driving force
• insurance ??? (more in Chapter 10)
• governments ?
Government security risk management
RA
Risk treatment – options
RT
determine the appropriate controls
§ avoidance
§ mitigation
• eliminate incidents – testing
• reduce impact
§ sharing / transfer
• disclaimer: no party is responsible
• agreement: responsibility transferred
• compensation
- risk pooling: share losses
- risk hedging: bet for losses
§ acceptance / retention
• self-insure
• accept losses
partially from: Blakley, B. and McDermott, E. and Geer, D., “Information security is information risk management,” Proceedings of the 2001 workshop on New security paradigms, 2001
Risk treatment – controls
RT
§ select risk treatment controls
• prevention
- firewall, authentication, locks
• detection
- IDS
• recovery
- backup, forensics
• management
- better data center for security information collection
- information sharing (more in Chapter 6)
• training / awareness
- employee training sessions
Risk treatment – action plan
RT
action plan = prioritize + implement actions / controls
§ prioritize controls / actions
• cost-benefit analysis (more in Chapter 4)
• importance of risk (impact)
• effectiveness – difficult to quantify the benefit of unrealized losses
(ROSI)
§ get approval for the action plan – top mgmt support is essential
§ implement the action plan
• develop a policy w/ security policy
• assign responsibility
• performance measures and reporting
§ residual risks and acceptance
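The "register incidents, summarize in a central database" step of the quantitative-methods slide and the "prioritize controls by cost-benefit / ROSI" step of the action-plan slide above, joined into one added Python example that is not part of the lecture. A constructed incident register (years, threat type, loss) is aggregated into per-threat ARO, SLE and ALE estimates; candidate controls, each described by how much of the frequency or the per-incident loss it removes, are then ranked by ROSI, and the residual ALE after the chosen controls is computed for the acceptance decision. The incident records, the controls and their reduction factors are assumptions; ROSI is computed with the commonly used definition (ALE before minus ALE after minus cost, divided by cost), which the slides name but do not spell out.

```python
"""Data-driven prioritisation of risk-treatment controls. Added example; the
incident register and the control parameters are constructed, not measured."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed incident records: (year, threat, loss in EUR). In practice these
# come from the centralised incident database the slides call for.
INCIDENTS = [
    (2019, "phishing", 12_000), (2019, "phishing", 8_000),
    (2020, "phishing", 15_000), (2020, "ransomware", 120_000),
    (2021, "phishing", 9_000), (2021, "phishing", 11_000),
    (2022, "ransomware", 90_000), (2022, "phishing", 10_000),
    (2023, "phishing", 14_000),
]
OBSERVATION_YEARS = 5  # 2019..2023 inclusive


def estimate_ale(incidents, years):
    """Per threat: ARO = incidents / years, SLE = mean loss, ALE = ARO * SLE."""
    losses = defaultdict(list)
    for _, threat, loss in incidents:
        losses[threat].append(loss)
    table = {}
    for threat, ls in losses.items():
        aro = len(ls) / years
        sle = sum(ls) / len(ls)
        table[threat] = {"aro": aro, "sle": sle, "ale": aro * sle}
    return table


@dataclass(frozen=True)
class Control:
    name: str
    threat: str
    annual_cost: float
    aro_reduction: float  # fraction of incidents prevented (prevention / detection)
    sle_reduction: float  # fraction of per-incident loss avoided (recovery)


def ale_after(control, before):
    """ALE once the control is in place; reductions act on frequency and magnitude."""
    return (before["aro"] * (1 - control.aro_reduction)
            * before["sle"] * (1 - control.sle_reduction))


def rosi(control, ale_table):
    """ROSI = (ALE_before - ALE_after - cost) / cost  (commonly used definition)."""
    before = ale_table[control.threat]
    return (before["ale"] - ale_after(control, before) - control.annual_cost) / control.annual_cost


def prioritise(controls, ale_table):
    """(name, ROSI) pairs, best return first; negative ROSI means the control costs
    more per year than the loss it removes."""
    rows = [(c.name, round(rosi(c, ale_table), 2)) for c in controls]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def residual_ale(chosen, ale_table):
    """Total ALE left after the chosen controls (reductions on the same threat
    combine multiplicatively). This is the residual risk to accept or treat further."""
    residual = {t: dict(v) for t, v in ale_table.items()}
    for c in chosen:
        residual[c.threat]["aro"] *= (1 - c.aro_reduction)
        residual[c.threat]["sle"] *= (1 - c.sle_reduction)
    return sum(v["aro"] * v["sle"] for v in residual.values())


# Constructed candidate controls with assumed costs and effectiveness.
CONTROLS = [
    Control("awareness training", "phishing", 5_000, aro_reduction=0.5, sle_reduction=0.0),
    Control("mail filtering", "phishing", 6_000, aro_reduction=0.8, sle_reduction=0.0),
    Control("offline backups", "ransomware", 10_000, aro_reduction=0.0, sle_reduction=0.7),
    Control("endpoint detection", "ransomware", 30_000, aro_reduction=0.6, sle_reduction=0.0),
]

if __name__ == "__main__":
    table = estimate_ale(INCIDENTS, OBSERVATION_YEARS)
    for threat, row in table.items():
        print(f"{threat:12s} ARO={row['aro']:.2f} SLE={row['sle']:,.0f} ALE={row['ale']:,.0f}")
    ranked = prioritise(CONTROLS, table)
    print("controls by ROSI:", ranked)
    chosen = [c for c in CONTROLS if c.name in (ranked[0][0], ranked[1][0])]
    print(f"residual ALE after top two controls: {residual_ale(chosen, table):,.0f}")
```

Two caveats the slides hint at show up directly in the numbers: the ARO estimates rest on a handful of incidents over five years, so they are only as good as the incident reporting discipline, and a control can have a strongly negative ROSI (here the endpoint detection option) while still being the right choice if the threat sits above the organisation's risk appetite, because ROSI only captures expected loss, not the variance or severity terms of the PCR slides.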
Risk monitoring and review
RM
§ review and update processes and policies
§ document each stage of the risk management process
• development and action plan (reasons and analysis)
• changes and efficiency
• legal basis
• reuse of information
Risk communication
RM
Figure 9—IT Risk Communication Components
[figure: Effective IT Risk Communication at the centre, fed by three components: Expectation (strategy, policies, procedures, awareness, training, etc.), Capability (risk management process maturity) and Status (risk profile, key risk indicators, loss data, etc.)]
Risk Communication—What to Communicate (the Risk IT text on the slide is cut off at the right margin; only the recoverable points are kept):
• information on expectations from risk management: strategy, policies, procedures, awareness training, reinforcement of principles; this is essential communication on the overall strategy towards IT risk and sets the overall expectations
• information on current risk management capability: monitoring of the state of the risk management process is a key indicator of how well the enterprise is managing risk
• information on the actual status with regard to IT risk, such as:
– risk profile of the enterprise, i.e., the risks to which the enterprise is exposed
– KRIs to support management reporting
– event/loss data
– root cause of loss events
– options to mitigate (cost and benefits)
To be effective, all information exchanged, regardless of its type, should be:
• clear: known and understood by all stakeholders
• concise: information or communication should not inundate the recipients; all ground rules of good communication on risk apply, including the avoidance of jargon and technical terms regarding risk
ISACA, “Risk-IT framework,” 2009
Reading for next time
§ Gordon, L.A. and Loeb, M.P.,
The economics of information security investment, ACM
Transactions on Information and System Security
(TISSEC), vol 5 nr 4, 2002
optional:
§ Gordon, L.A. and Loeb, M.P. and Lucyshyn, W.,
Information Security Expenditures and Real Options: A
Wait-and-See Approach, Computer Security Journal, vol.
19 nr. 2, 2003
§ Böhme, R. and Moore, T., The iterated weakest link, IEEE
Security and Privacy vol 8 nr 1, 2010