
Introduction to Security
Security Risk Management

Risk Management
At the end of this course the students will be able to:
• Define the phenomenon of risk.
• Explain the various types of risks in human life.
• Describe the various risks involved in the business world.
• Discuss the role of security in a business risk environment.
• Identify the components of risk in a security environment.
• Describe the process of risk management.
• Apply the risk assessment methodologies effectively.
• Describe the decision-making process in risk mitigation.
• Develop a risk exposure matrix chart.
• Interpret the risk metrics derived from the chart.
• Generate a report based on the interpretation of the matrix chart.
LIFE IS FULL OF STRESS – OH! WHAT A
RISKY LIFE
The Risk Factor
RISK is seen by many people in terms of their own personal experiences. The following quotation exemplifies a typical approach to risk:

"…in all my experience, I have never been in an accident of any sort worth speaking about. I have seen but one vessel in distress in all my years at sea… I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort."
Captain Edward J. Smith, interviewed by the New York press, 1907.

On April 15, 1912, RMS Titanic sank with the loss of more than 1500 lives - one of which was its Captain E.J. Smith.
Outline for Today’s Talk
• Basic Definitions
• What is Security Risk Management
• Generic Security Risk Management
Methodology
• Security Risk Analysis
What is a risk (generic)
• A definable event
• Probability of occurrence
• Consequence (impact) of occurrence
• A risk is not a problem…. A problem is a risk whose time has come.
FLIGHT TRAVEL IS RISKY
What is Risk?
Risk is an uncertain hazard or eventful situation that will bring about negative or adverse consequences, resulting in loss of life or economic loss to an individual or an organization.

Risk is normally measured by its degree of effect, as a function of two components: frequency/probability and severity/impact.
Two types of Risk
Risks arising from uncertainty may include a positive as well as a negative side.
• Pure Risk: Pure risks generally hold out no prospect of gain; they always bring about negative consequences.
  Examples – theft, flood, fire, etc.
• Speculative Risk: On the contrary, a speculative risk may bring either gain or loss.
  Examples – gambling, share market, etc.
What is a security risk
• Threat – any potential danger to information or systems (e.g. fire).
• Vulnerability – a physical, system or procedural weakness that may give an attacker an open door into a system.
• Risk – the loss potential (probability) that a threat will exploit a vulnerability, with a certain impact.
Relationship among different security components
(Diagram, read as a cycle)
Threat agent – gives rise to – Threat
Threat – exploits – Vulnerability
Vulnerability – leads to – Risk
Risk – can damage – Asset
Asset – and causes an – Exposure
Exposure – can be countermeasured by a – Safeguard
Safeguard – directly affects – Threat agent
The Ingredients of an Attack
Threat + Motive + Method + Vulnerability = ATTACK!
(Diagram) Man-made threats, with their motives and goals and their methods and tools, and natural disasters, with their methods and tools, act on vulnerabilities to reach ASSETS. Security controls & policies sit between them:
• Good security controls can stop certain attacks.
• Poor security policies could let an attack through.
• No security policies or controls could be disastrous.
Basically risk analysis and risk management are defined as follows:

Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.

Risk management involves the identification, selection and adoption of countermeasures justified by the
Security Risk Management
• Risk Management is the process of identifying, assessing and reducing risks to an acceptable level, and implementing the right mechanisms to maintain that level of risk (acceptable risk).
• Risk management reduces risks by defining and controlling threats and vulnerabilities.
A systematic process for:
- the identification and evaluation of pure loss exposures faced by an organization or individual,
- and for the selection and administration of the most appropriate technique for treating such exposures.
Generic Security Risk Management Methodology
(Diagram, modified from the SEI Risk Management Paradigm, copyright Carnegie Mellon University)
Identify – baseline or project start; identify new risks
Analyze – classify risks, evaluate risks, prioritize risks
Plan – determine response strategy, assign responsibility, determine action plan
Track – track risks
Control – control risks
Communicate – communicate risks inside and outside the project team (at the centre of the cycle)
QUIZ – SECURITY RISK MANAGEMENT 17-1-01

1. Explain the meaning of Risk.
2. Give examples of risks in our daily life.
3. Explain the impacts of risk on a business organization.
4. List down FIVE examples of threats to Saito College.
5. List down THREE vulnerabilities in Saito College.
6. Explain what risk management is.
7. Why is risk management in an airport necessary?
Assignment
Identify the risk exposure level of Saito College Annex at SBC. Establish the critical assets that are in place at the site. Determine the potential threats that could be faced by the site based upon the local environment and the ongoing activities. Make a comprehensive study of the vulnerabilities that exist which can be exploited by the potential threats. Finally, determine the risk exposure level.
TEST 1 – SECURITY RISK MANAGEMENT 21-2-11

1. What is a security risk in a business organization?
2. With the aid of a diagram, describe risk analysis & risk management.
3. Explain the two types of risk analysis methods.
4. With the aid of a diagram, explain the risk components model.
5. With the aid of a diagram, describe the risk management process.
Risk Analysis and Risk Management
(Diagram) ASSETS, THREATS, VULNERABILITIES -> ANALYSIS -> RISKS -> MANAGEMENT -> COUNTERMEASURES
Risk Management Process
(Diagram) Define Scope -> Identify Assets -> 'Value' Assets (Impact of Failure) -> Assess Likelihood of Threat -> Evaluate Existing Controls -> Determine Overall Risk -> Identify / Justify Required Controls -> Determine Residual Risk
Risk Analysis
• Risk Analysis is a method of identifying and assessing the possible damage that could be caused, in order to justify security safeguards.
• Two types of risk analysis:
  – Quantitative – attempts to assign real numbers to the costs of safeguards and the amount of damage that can take place.
  – Qualitative – an analysis that judges an organization's risk from threats based on judgment, intuition and experience, rather than assigning real numbers to the possible risks and their potential loss.
Risk Analysis Model
(Diagram) Assets are exposed to attacks or negative consequences from Threats. Vulnerabilities (+) increase the likelihood or impact; Controls (-) decrease the likelihood or impact.
Components of Risk Assessment
Asset – What are you trying to assess?
Threat – What are you afraid of happening?
Vulnerability – How could the threat occur?
Mitigation – What is currently reducing the risk?
Impact – What is the impact to the business?
Probability – How likely is the threat, given the controls?
Impact + Probability = Current Level of Risk – What is the probability that the threat will overcome controls to successfully exploit the vulnerability and impact the asset?
Assets

• People
• Property
• Information
Threat
Vulnerability
COUNTERMEASURES/SAFEGUARDS
Steps of Quantitative Risk
Analysis
• Assign value to assets (tangible and
intangible)
• Estimate potential loss per risk
• Perform a threat analysis
• Derive the overall loss potential per risk
• Choose safeguards / countermeasure for
each risk
• Determine Risk Response (e.g. mitigation,
avoidance, acceptance)
Quantitative Risk Analysis
• Exposure Factor (EF) = percentage of the asset's value lost when the identified threat occurs; ranges from 0 to 100%.
• Single Loss Expectancy (SLE) = Asset Value x Exposure Factor; e.g. an asset worth $1,000,000 with an EF of 10% gives an SLE of $100,000.
• Annualized Rate of Occurrence (ARO) = estimated frequency with which a threat will occur, expressed on an annual basis. A threat occurring once in 10 years has an ARO of 0.1; a threat occurring 50 times in a year has an ARO of 50.
• Annualized Loss Expectancy (ALE) = Single Loss Expectancy x Annualized Rate of Occurrence.
• Safeguard cost/benefit analysis: (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard) = value of safeguard to the company.
Worked figures: ALE before = RM100,000; ALE after = RM25,000; annual cost of safeguard = RM15,000.
Benefit (risk reduction) = RM100,000 – RM25,000 = RM75,000
Value of safeguard = RM75,000 – RM15,000 = RM60,000 per year
Benefit-to-cost ratio = 75,000 / 15,000, i.e. 5 to 1
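As an added worked example (not code from the original slides), the following Python script carries the quantitative formulas above through end to end: SLE from asset value and exposure factor, ALE from SLE and ARO, and then the safeguard value and benefit-to-cost ratio for several candidate safeguards, ranked by net value. The slide's RM100,000 / RM25,000 / RM15,000 case is reproduced as the first option; the scenario itself and the other safeguards, costs and rates are constructed assumptions.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not from the original slides. Asset values, exposure
factors, occurrence rates and safeguard costs below are constructed
illustrations; the slide's RM100,000 -> RM25,000, ratio 5:1 case is
reproduced as the first option.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # monetary value of the asset, tangible plus intangible
    exposure_factor: float  # fraction of the asset lost per occurrence, 0.0 .. 1.0
    aro: float              # annualized rate of occurrence (0.1 = once per 10 years)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: float  # EF once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Slide formula: (ALE before) - (ALE after) - (annual cost of safeguard)."""
    return ale_before - ale_after - annual_cost


def benefit_cost_ratio(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Risk reduction per unit of annual safeguard spend (the slide's 5-to-1 figure)."""
    if annual_cost <= 0:
        raise ValueError("annual safeguard cost must be positive")
    return (ale_before - ale_after) / annual_cost


def evaluate(scenario: Scenario, safeguard: Safeguard) -> dict:
    """ALE before and after one safeguard, plus its net value and ratio."""
    before = ale(scenario.asset_value, scenario.exposure_factor, scenario.aro)
    after = ale(scenario.asset_value, safeguard.new_exposure_factor, safeguard.new_aro)
    return {
        "safeguard": safeguard.name,
        "ale_before": before,
        "ale_after": after,
        "value": safeguard_value(before, after, safeguard.annual_cost),
        "ratio": benefit_cost_ratio(before, after, safeguard.annual_cost),
    }


def rank_safeguards(scenario: Scenario, options: list) -> list:
    """Order candidate safeguards by net annual value, best first. A negative
    value means the control costs more per year than the loss it removes."""
    return sorted((evaluate(scenario, s) for s in options),
                  key=lambda r: r["value"], reverse=True)


# Constructed sample (hypothetical figures). The slide's case: an RM1,000,000
# asset with EF 10% and ARO 1.0 gives ALE RM100,000; the first safeguard cuts
# the ARO to 0.25 (ALE RM25,000) for RM15,000 a year.
SERVER_ROOM_FIRE = Scenario("server room fire", 1_000_000, 0.10, 1.0)
OPTIONS = [
    Safeguard("gas suppression system", 15_000, 0.10, 0.25),
    Safeguard("additional fire insurance", 30_000, 0.02, 1.0),
    Safeguard("full-time fire warden", 95_000, 0.10, 0.10),
]

if __name__ == "__main__":
    for r in rank_safeguards(SERVER_ROOM_FIRE, OPTIONS):
        print(f"{r['safeguard']:<28} ALE {r['ale_before']:>9,.0f} -> {r['ale_after']:>8,.0f}"
              f"  value {r['value']:>9,.0f}  ratio {r['ratio']:.2f}:1")
```

Ranking by net value rather than by ratio alone is deliberate: the warden option in the sample reduces the ALE the most but has a negative value, which is the signal to accept, transfer or avoid that residual risk instead of paying for the control. The ratio is still reported because it is what the slide's 5-to-1 figure expresses.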


Quantitative Risk Summary
• Pros
  – Uses probability concepts – the likelihood that a risk will or will not occur
  – The value of information is expressed in monetary terms with supporting rationale
  – Risk assessment results are derived and expressed in management speak
• Cons
  – Purely quantitative risk analysis is not possible, because quantitative measures must be applied to qualitative elements
  – Can be less ambiguous, but using numbers can give an appearance of specificity that does not really exist
  – A huge amount of data must be gathered and managed
Qualitative Data
• Description of
  – qualities,
  – elements, or
  – ingredients of a variable
  Example: "This is not a nice day"
Qualitative Risk Analysis
• Does not assign numbers and monetary value to components and losses.
• Walks through different risk scenarios and ranks the seriousness of the threats against the sensitivity of the assets.
Identifying Qualitative Risks
• Expert Interviews
• Wideband Delphi Technique
• Brainstorming
• Nominal Group Technique
• Affinity Diagram
• Analogy Techniques
What Is the Delphi Technique?
• Delphi Technique
  – This method attempts to harness expert opinion on the subject.
  – Questionnaires are used to discover the opinions of experts in the field.
  – The results of the forecasts are then fed back to the experts with the aim of reaching a consensus view.
  – The value of the Delphi technique is that it aids individual panel members in assessing their forecasts. Implicitly they are forced to consider why their judgment differs from that of other experts.
  – It may be carried out by the organization itself or contracted out to a specialist market research organization.
  – It could be a useful way of forecasting for a NEW or REVISED PRODUCT where no time series data exist.
  – Survey results are only as valid as the underlying methodology, so care should be taken to ensure that the sample used is a true reflection of the organization's potential customers and is large enough to be valid.
Brainstorming
Brainstorming is a procedure that allows a group to express problem areas, ideas, solutions, or needs. It allows each participant to state their opinion in a non-threatening environment. Brainstorming helps a group create many ideas in as short a time as possible. Brainstorming can be used in two ways: structured or unstructured.
Evaluate the Risk
• Step 1: Identify threat, asset, and vulnerability
• Step 2: Measure assets, threats and vulnerabilities
• Step 3: Calculate the measures of risk
• Step 4: Review the measures of risk
Asset Assessment
Threat Assessment
Vulnerability Assessment
Risk Analysis
QUANTIFYING ASSET VALUE
• Very High – Loss or damage of the facility's assets would have exceptionally grave consequences, such as extensive loss of life, widespread severe injuries, or total loss of primary services and core functions and processes.
• High – Loss or damage of the facility's assets would have grave consequences, such as loss of life, severe injuries, loss of primary services, or major loss of core functions and processes for an extended period of time.
• Medium High – Loss or damage of the facility's assets would have serious consequences, such as serious injuries, or impairment of core functions and processes for an extended period of time.
QUANTIFYING ASSET VALUE … cont'd
• Medium – Loss or damage of the facility's assets would have moderate to serious consequences, such as injuries, or impairment of core functions and processes.
• Medium Low – Loss or damage of the facility's assets would have moderate consequences, such as minor injuries, or minor impairment of core functions and processes.
• Low – Loss or damage of the facility's assets would have minor consequences or impact, such as a slight impact on core functions and processes for a short period of time.
• Very Low – Loss or damage of the facility's assets would have negligible consequences or impact.
ASSET VALUE RATING
Very High – 10
High – 8-9
Medium High – 7
Medium – 5-6
Medium Low – 4
Low – 2-3
Very Low – 1
ASSET RATING ASSESSMENT
THREAT RATING
Very High – 10
High – 8-9
Medium High – 7
Medium – 5-6
Medium Low – 4
Low – 2-3
Very Low – 1
QUANTIFYING THREAT VALUE
• Very High – Known aggressors or hazards highly capable of causing loss of, or damage to, the facility exist. One or more vulnerabilities are present. The aggressors are known or highly suspected of having intent to exploit the facility's assets and are known or highly suspected of performing surveillance on the facility.
• High – Known aggressors or hazards capable of causing loss or damage to the facility exist. One or more vulnerabilities are present and the aggressors are known or reasonably suspected of having intent to exploit the facility's assets.
• Medium High – Known aggressors or hazards capable of causing loss or damage to the facility exist. One or more vulnerabilities are present and the aggressor is suspected of having intent to exploit the facility's assets.
QUANTIFYING THREAT VALUE … cont'd
• Medium – Known aggressors or hazards that may be capable of causing loss or damage to the facility exist. One or more vulnerabilities may be present; however, the aggressors are not believed to have intent to exploit the facility's assets.
• Medium Low – Known aggressors or hazards that may be capable of causing loss of or damage to the facility exist. Aggressors have no intent to exploit the facility's assets.
• Low – Few or no aggressors or hazards exist. Their capability of causing damage to the facility's assets is doubtful.
• Very Low – No aggressors or hazards exist.
QUANTIFYING VULNERABILITY VALUE
• Very High – One or more major weaknesses have been identified which make the facility's assets extremely susceptible to an aggressor or hazard.
• High – One or more significant weaknesses have been identified which make the facility's assets highly susceptible to an aggressor or hazard.
• Medium High – An important weakness has been identified which makes the facility's assets very susceptible to an aggressor or hazard.
QUANTIFYING VULNERABILITY VALUE … cont'd
• Medium – A weakness has been identified which makes the facility's assets fairly susceptible to an aggressor or hazard.
• Medium Low – A weakness has been identified which makes the facility's assets somewhat susceptible to an aggressor or hazard.
• Low – A minor weakness has been identified which slightly increases the susceptibility of the facility's assets to an aggressor or hazard.
• Very Low – No weaknesses exist.
VULNERABILITY RATING
Very High – 10
High – 8-9
Medium High – 7
Medium – 5-6
Medium Low – 4
Low – 2-3
Very Low – 1
VULNERABILITY ASSESSMENT
RISK ASSESSMENT
Risk = Asset Value x Threat Rating x Vulnerability Rating
(each rating taken from the 1-10 tables above, so the product ranges from 1 to 1000)
QUANTIFYING RISK
• Very High – Potential for loss or damage of the facility's assets is so great as to expect exceptionally grave consequences (e.g., extensive loss of life, widespread severe injuries, total loss of primary services, and total loss of core functions and processes).
• High – Potential for loss or damage of the facility's assets is so great as to expect grave consequences (e.g., loss of life, severe injuries, loss of primary services, or major loss of core functions and processes for an extended period of time).
• Medium High – Potential for loss or damage of the facility's assets is such as to expect serious consequences (e.g., serious injuries, or impairment of core functions and processes for an extended period of time).
QUANTIFYING RISK … cont'd
• Medium – Potential for loss or damage of the facility's assets is such as to expect serious consequences (e.g., injuries, or impairment of core functions and processes).
• Medium Low – Potential for loss or damage of the facility's assets is such as to expect only moderate consequences (e.g., minor injuries, or minor impairment of core functions and processes).
• Low – Potential for loss or damage of the facility's assets is such as to expect only minor consequences or impact (e.g., a slight impact on core functions and processes for a short period of time).
• Very Low – Potential for loss or damage of the facility's assets is so low that there would be negligible consequences or impact.
Risk Quantified
Value the Assets - (1)
Unavailability Impacts – Value:
• 3 hours – 1
• 1 day – 2
• 1 week – 3
• 1 month – 4
• ≥2 months – 5
Financial Loss / Disruption to Activities: Assignment of Values
Measure Threats and Vulnerabilities
Threat Rating: the likelihood it will occur
  e.g. Has it happened before? Who is interested? etc.
Vulnerability Rating: does the system make a successful threat occurrence any easier, or increase the extent of likely damage?
  e.g. How easy is it to eavesdrop? What redundancy is there? etc.
(Diagram: LIKELIHOOD, CONSEQUENCE and VULNERABILITY add to the risk; CONTROLS IN PLACE subtract from it.)
Probability Definition Scale
Frequency with which the threat will exploit the vulnerability, independent of harm.
The probability of each asset/threat/vulnerability combination should be quantified:
Extreme – > once per day – 5
Very High – > once per month – 4
High – <= once per month – 3
Medium – <= once every 6 months – 2
Low – <= once per year – 1
Negligible – unlikely to occur – 0
Harm Definition Scale
Impact if the threat exploits the vulnerability, independent of probability.
The harm of each asset/threat/vulnerability combination should be quantified:
• Grave – 5 – Permanent shutdown / complete compromise
• Serious – 4 – Extended outage and/or loss of connectivity; compromise of large amounts of data or service
• Damaging – 3 – Significant expenditure of resources required; damage to reputation and confidence
• Significant – 2 – Tangible harm / extra effort required to repair
• Minor – 1 – No extra effort required to repair
• Insignificant – 0 – No impact/harm
Risk = Probability x Harm (impact/severity)
Quantification based on both frequency and impact. The risk of each asset/threat/vulnerability combination should be calculated:
Scale – Definition
20-25 – Extreme / Catastrophic
15-19 – Critical
8-14 – High
4-7 – Medium
1-3 – Low
0 – NIL
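Added example, not code from the original slides: a Python script that turns the two rating schemes on these slides into a ranked risk exposure matrix. Scheme A is Risk = Asset Value x Threat Rating x Vulnerability Rating on the 1-10 tables; scheme B is Risk = Probability x Harm on the 0-5 scales with the 20-25 / 15-19 / 8-14 / 4-7 / 1-3 / 0 bands above. The asset/threat/vulnerability combinations for a hypothetical college annex, and the numeric ratings assigned to them, are constructed for illustration and are not from the page.

```python
"""Risk exposure matrix from the slides' two rating schemes.

Added example, not from the original slides. Scheme A is the 1-10 product
model (Asset Value x Threat Rating x Vulnerability Rating); scheme B is the
0-5 Probability x Harm model with the slide's bands. The sample combinations
below are constructed for a hypothetical college annex.
"""
from dataclasses import dataclass

# Scheme A: the slides' 1-10 word ratings (same table for asset, threat, vulnerability).
RATING_BANDS = [
    ("Very Low", 1, 1), ("Low", 2, 3), ("Medium Low", 4, 4), ("Medium", 5, 6),
    ("Medium High", 7, 7), ("High", 8, 9), ("Very High", 10, 10),
]

# Scheme B: probability (frequency) and harm (impact) scales, 0-5 each, and the risk bands.
PROBABILITY_SCALE = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4, "Extreme": 5}
HARM_SCALE = {"Insignificant": 0, "Minor": 1, "Significant": 2, "Damaging": 3, "Serious": 4, "Grave": 5}
RISK_BANDS = [(20, 25, "Extreme / Catastrophic"), (15, 19, "Critical"), (8, 14, "High"),
              (4, 7, "Medium"), (1, 3, "Low"), (0, 0, "NIL")]


def rating_word(n: int) -> str:
    """Map a 1-10 rating back to the slide's word; rejects out-of-range input."""
    for word, lo, hi in RATING_BANDS:
        if lo <= n <= hi:
            return word
    raise ValueError(f"rating {n} is outside 1..10")


def product_risk(asset_value: int, threat: int, vulnerability: int) -> int:
    """Scheme A: Asset Value x Threat Rating x Vulnerability Rating, 1..1000.
    The page gives no word bands for this product, so it is reported raw."""
    for n in (asset_value, threat, vulnerability):
        rating_word(n)  # range check only
    return asset_value * threat * vulnerability


def risk_band(score: int) -> str:
    """Scheme B band for a Probability x Harm score (0..25)."""
    for lo, hi, label in RISK_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside 0..25")


def probability_harm_risk(probability: str, harm: str) -> tuple:
    """Scheme B: Risk = Probability x Harm, returned as (score, band)."""
    score = PROBABILITY_SCALE[probability] * HARM_SCALE[harm]
    return score, risk_band(score)


@dataclass(frozen=True)
class Combination:
    asset: str
    threat: str
    vulnerability: str
    asset_value: int    # 1-10
    threat_rating: int  # 1-10
    vuln_rating: int    # 1-10
    probability: str    # key of PROBABILITY_SCALE
    harm: str           # key of HARM_SCALE


@dataclass(frozen=True)
class Row:
    asset: str
    threat: str
    product: int  # scheme A
    score: int    # scheme B
    band: str     # scheme B


def exposure_matrix(combos) -> list:
    """Rank combinations by scheme B score, using the scheme A product as tie-break."""
    rows = []
    for c in combos:
        score, band = probability_harm_risk(c.probability, c.harm)
        product = product_risk(c.asset_value, c.threat_rating, c.vuln_rating)
        rows.append(Row(c.asset, c.threat, product, score, band))
    return sorted(rows, key=lambda r: (r.score, r.product), reverse=True)


def render(rows) -> str:
    lines = [f"{'Asset':<24}{'Threat':<22}{'AxTxV':>6}{'PxH':>5}  Band"]
    for r in rows:
        lines.append(f"{r.asset:<24}{r.threat:<22}{r.product:>6}{r.score:>5}  {r.band}")
    return "\n".join(lines)


# Constructed sample for a hypothetical college annex (not from the page).
SAMPLE = [
    Combination("student records server", "ransomware", "unpatched file share", 8, 7, 8, "Medium", "Serious"),
    Combination("main lecture block", "fire", "no sprinkler system", 9, 4, 7, "Low", "Grave"),
    Combination("staff car park", "theft from vehicles", "no CCTV coverage", 3, 8, 8, "Very High", "Minor"),
    Combination("visitor Wi-Fi", "eavesdropping", "open unencrypted network", 4, 6, 9, "Extreme", "Significant"),
    Combination("notice board", "vandalism", "unsupervised foyer", 1, 2, 2, "Negligible", "Minor"),
]

if __name__ == "__main__":
    print(render(exposure_matrix(SAMPLE)))
```

The two schemes do not always agree: in the sample the lecture-block fire has the highest asset value and the second-highest scheme A product, yet only lands in the Medium band under Probability x Harm because its frequency is Low. A report built from the matrix should therefore state which formula produced the ranking, and treat the scheme A product as a relative ordering only, since the page defines no bands for it.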
Balancing the Risk
(Diagram: a balance between the Cost of Security and the Cost of Insecurity)
