Principles of Information Security, 5th Edition, Chapter 5: Risk Management
Key Terms
Acceptance control strategy: the risk control strategy that indicates an organization is willing to accept the current level of residual risk.
Annualized cost of a safeguard (ACS): in a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use.
Annualized loss expectancy (ALE): in a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.
Annualized rate of occurrence (ARO): in a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.
Asset exposure: see loss magnitude.
Asset valuation: the process of assigning financial value or worth to each information asset.
Attack success probability: the number of successful attacks that are expected to occur within a specified time period.
Avoidance of competitive disadvantage: the adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind.
Baseline: a performance value or metric used to compare changes in the object being measured.
Baselining: the comparison of past security activities and events against the organization's current performance.
Behavioral feasibility: see operational feasibility.
Benchmarking: the process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate.
Avoidance of competitive disadvantage
The adoption and implementation of a business model, method, technique, resource, or technology to prevent being outperformed by a competing organization; working to keep pace with the competition through innovation, rather than falling behind
The adoption and implementation of an innovative business model, method, technique, resource, or technology in order to outperform the competition
A determination of the extent to which an organization's information assets are exposed to risk
The application of controls that reduce the risks to an organization's information assets to an acceptable level
The enumeration and documentation of risks to an organization's information assets
Process of identifying risk, assessing its relative magnitude, taking steps to reduce it to an acceptable level
The amount of risk that remains to an information asset even after the organization has applied its desired level of controls
The amount of risk an organization is willing to accept
An authorization issued by an organization for the repair, modification, or update of a piece of equipment
Data classification scheme
Formal access control methodology used to assign a level of confidentiality to an information asset and thus restrict the number of people who can access it
A component of a data classification scheme that assigns a status level to employees to designate the maximum level of classified data they may access
An organizational policy that specifies employees must inspect their work areas and ensure that all classified information, documents, and materials are secured at the end of every workday
An information attack that involves searching through an organization's trash and recycling bins for sensitive information
A process of assigning financial value or worth to each information asset
An evaluation of the threats to information assets, including a determination of their potential to endanger the organization
Threat-vulnerabilities-assets triples
A pairing of an asset with a threat and an identification of vulnerabilities that exist between the two. This pairing is often expressed in the format TVA, where there may be one or more vulnerabilities between the threat and asset.
Threats-vulnerabilities-assets worksheet
A document that shows a comparative ranking of prioritized assets against prioritized threats, with an indication of any vulnerabilities in the asset/threat pairings
attack success probability
The number of successful attacks that are expected to occur within a specified time period.
The probability that a specific vulnerability within an organization will be the target of an attack
The calculation of the likelihood of an attack coupled with the attack frequency to determine the expected number of losses within a specified time range
Also known as event loss magnitude, the combination of an asset's value and the percentage of it that might be lost in an attack
The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards
transfer control strategy
The risk control strategy that attempts to shift residual risk to other assets, other processes, or other organizations
mitigation control strategy
The risk control strategy that attempts to reduce the impact of a successful attack through planning and preparation
acceptance control strategy
The risk control strategy that indicates an organization is willing to accept the current level of residual risk
termination control strategy
The risk control strategy that eliminates all risk associated with an information asset by removing it from service
Annualized cost of a safeguard
In a cost-benefit analysis, the total cost of a control or safeguard, including all purchase, maintenance, subscription, personnel, and support fees, divided by the total number of expected years of use
Annualized loss expectancy (ALE)
In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy
Annualized rate of occurrence (ARO)
In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis
The process of preventing the financial impact of an incident by implementing a control
Cost-benefit analysis (CBA)
AKA an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization
In a cost-benefit analysis, the expected percentage of loss that would occur from a particular attack
Single Loss Expectancy (SLE)
In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor
An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures
An asset valuation approach that attempts to assign absolute numerical measures
The process of comparing other organizations' activities against the practices used in one's own organization to produce results it would like to duplicate
Security efforts that seek to provide a superior level of performance in the protection of information. AKA best practices or recommended practices.
Performance measures or metrics based on observed numerical data
The difference between an organization's observed and desired performance
Performance measures or metrics based on intangible activities
A performance value or metric used to compare changes in the object being measured
The comparison of past security activities and events against the organization's current performance
An assessment of user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders
organizational feasibility
An assessment of how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization
An assessment of which controls can and cannot occur based on the consensus and relationships among communities of interest
An assessment of whether the organization can acquire the technology necessary to implement and support the proposed control
SLE = Exposure Factor (EF) x Asset Value
Single Loss Expectancy Formula
ALE = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
CBA = ALE (prior) - ALE (post) - ACS (Annualized Cost of Safeguard)
Cost-Benefit Analysis (CBA)
Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Lifecycle Approach
Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
Security Self-Assessment Guide for Information Technology Systems
Things to consider when evaluating best practices for your organization
1) Does your organization resemble the identified target organization? Is your organization in a similar industry as the target?
2) Can your organization expend resources similar to those identified with the best practice?
3) Is your organization in a sim
Federal Agencies Security Practices (FASP)
A web site established by the U.S. government to share best practices in Information Security
Two measures to compare benchmarking practices
Metrics-based and Process-based measures
Fear, uncertainty, and doubt (FUD) emotions of upper management officials
Primary factors to consider when selecting a risk control strategy
Level of the threat and value of the asset
The most common mitigation plans are:
Contingency plans (IR, DR, BC plans)
The Defense Strategy includes 3 common methods
1) Application of policy (Managerial control)
2) Education and training (Operational control)
3) Application of technology (Technological control)
FAIR Approach to Risk Assessment
Stage 1: Identify scenario components
Stage 2: Evaluate Loss Event Frequency (LEF)
- Threat Event Frequency (TEF)
- Threat capability (TCap)
- Control strength (CS)
- Vulnerability (Vuln)
Stage 3: Evaluate Probable Loss Magnitude (PLM)
Stage 4: Derive and
Risk = Loss frequency x Loss magnitude + uncertainty
Loss Event Frequency (LEF) Formula
LEF = Likelihood of attack x attack success probability
Compartmented Information
Named projects requiring an extreme need-to-know before access is allowed
The Reasoned Approach to Risk
One that balances the expense of controlling vulnerabilities against possible losses if the vulnerabilities are exposed