ITS 305 - Security Policies and Auditing

Chapter 8, Risk Management: Identifying and Assessing Risk


This lesson presents a discussion of risk management. Objectives important to this lesson:

  1. Risk management
  2. Identifying and prioritizing assets
  3. Identifying and prioritizing risk factors
  4. Probability of risk

The chapter opens with the usual amount of preamble, including an observation that managers should be concerned about security risks, regardless of whether they are general managers, IT managers, or IT security managers. A breach in security can occur in anyone's area of responsibility.

The text goes on to quote Sun Tzu (the third quote on the linked page), and to use his observation that you must know yourself and your enemy as a theme for the chapter. The quote is from the end of chapter 3 of The Art of War. It is not accidental that the authors refer to a classic source that is used as a management text and as a guide for warfare. Their point is that we must know our assets, know their weaknesses and strengths, and know the attacks that are likely to occur if we hope to defend against the attack. The authors might have quoted the beginning of chapter 3 to give us more hope. Sun Tzu wrote that "the worst policy of all is to besiege walled cities". It is our goal in mounting a defense to present such a wall that the enemy will not waste its effort in an attack.

Is it possible to protect everything we might call an IT asset? Given enough time and money, yes, but we will always have limits on what we can spend, how many staff we can hire, and what time we can devote to the project given what else we are assigned to do. The text devotes much of the chapter to a sequence of processes that lead to a prioritized list of assets which will tell us what we should spend the most effort to protect.

The first process creates a catalog of our IT assets. Note that any list represents only a snapshot in time. The procedures used to create such lists must be available to appropriate staff any time a new asset is added, or an old one is changed or removed. A related process is the one on page 281 that involves assigning meaningful names to assets and recording attributes that are relevant to their use and service. Consistent naming standards need to evolve over time, but they add a lot. Being able to recognize some of an object's characteristics from its name can be very helpful.

The text presents several scales on which assets might be rated to assign a "value to the organization". It may be that one of the questions on pages 284 and 285 will be more important than the others to your organization, but it is more likely that a composite score makes the most sense if several of the questions apply. In the example on page 286, five different assets are rated on three factors, each of which has been assigned a relative importance for this comparison. This leads to a score for each of those assets that shows its importance relative to the other four. Note that it might not be fair to compare numbers from this chart to numbers from another chart that used different criteria, unless those criteria were of equal importance to the organization.

The text moves on to identifying threats. On page 287, the chart of twelve threat categories from chapter 2 is repeated. The text makes a point, over several pages, that some assets are threatened only by specific threats, and some are much more likely to occur. Which ones? The text asks us to consider which threats are hazardous to our company and which of those are the most dangerous. It is hard for us to say about a hypothetical, so let's harvest some opinions.

See the chart on page 289, in which the twelve categories are sorted by their significance as potential problems, as perceived by surveyed IT professionals. Is this chart meaningful? It is not the opinion of one author, it is a composite of perhaps a thousand opinions. Perhaps? The text says over a thousand executives were polled. It does not say how many responded. The ACM website won't let me read the article, which is from an eleven year old issue. In fact, the article was written by one of the authors of our text. It is available here, and it represents several of the points of this chapter.

On page 290 the text makes the very odd assertion that "detected attacks are decreasing". I remark on this in case any of you read that and actually believed it. This assertion is based on the data presented in the chart on page 290, which may be based on asking the wrong questions. The chart seems to be reporting percentages of successful attacks on organizations broken into categories. I see three problems with this data. First, the data appear to refer to successful attacks, not the total number of attacks. The total number would be more interesting. Second, to be reported, an attack would have to be noticed. What about the ones that are not noticed? Third, what about the companies who choose not to report their losses?

Given the lack of hard data and the large amount of guesswork involved in these estimates, we can only say that the calculation shown in the text for risk assessment (page 295 and page 297) is only an estimate, a relative value that should only be used to rank one risk relative to another. The text refers to this calculation as risk assessment, risk identification, and risk determination. The phrase used in your organization may be one of these or a similar phrase. To use the formula, you first calculate a value for each term:

  • likelihood - the probability that a threat will be realized; the text says it will be a number from .1 to 1.0. Well, that's how we measure probability, isn't it? 0 means it won't happen, 1 means it will, and anything in between is how probable the event is.
  • value - the monetary value of the asset; this may be expressed as the income we lose if it is compromised and/or the cost to replace the asset; alternatively, this may be a relative value as calculated in the Prioritizing Assets section of the text
  • mitigation - the percentage of the risk that we have protected against
  • uncertainty - a fudge factor to express our confidence (or lack of it) in the other numbers
Chapter 9 leads us to another way to express these concepts that should be easier to understand. It goes like this:
  • Asset Value (AV) = the monetary value of the asset (In the discussion above, this is value.)
  • Exposure Factor (EF) = the percentage of the asset's value that would be lost to a particular attack (This will vary from one threat to another. In the discussion above, this would be the inverse of mitigation)
  • Single Loss Expectancy (SLE) = AV * EF
  • Annualized Rate of Occurrence (ARO) = probability of a loss in a particular year (This probability will include the possibility of multiple losses of the same type in a year.)
  • Annualized Loss Expectancy (ALE) = SLE * ARO