Lesson 2: Risk Assessment

To properly prioritize the efforts of your security program, you must assess risk. Risk is the likelihood that a particular threat will exercise a specific vulnerability and cause damage to an asset. Risk assessment involves the evaluation of threats, vulnerabilities, and potential impact on assets. Properly assessing risk allows you to implement security controls based on the degree of risk to specific assets. Security controls include security policy and procedures, antivirus software, firewalls, and everything else your organization does or implements to protect its assets.


After this lesson, you will be able to

  • Calculate risk

  • Identify assets

  • Assess threats

  • Assess vulnerabilities

Estimated lesson time: 25 minutes


Calculating Risk

Calculating risk allows you to prioritize implementation and maintenance of security controls. The security controls that address the highest risk areas should be the highest priorities for implementation and maintenance. Calculating risk requires a series of subordinate assessments. These assessments are then multiplied to determine risk. The formula for calculating risk can be expressed as follows:

Threat × Vulnerability × Impact = Risk

Some formulas for calculating risk show impact as event cost or asset value. One reference for more information is "The Risk Equation" by Peter Tippett, available from the TruSecure Corporation's Web site at http://www.trusecure.com.

If any of the multiplied factors is zero, then the risk is zero. To calculate risk, you must assess threats, vulnerabilities, and impacts, as explained in the following sections. However, before you can make any of these assessments, you must first understand your organization's assets.

Asset Identification and Valuation

Asset identification and valuation is the process of identifying all of an organization's assets and assigning a value to them. Because asset valuation involves calculations of depreciation, accountants are usually responsible for assigning value. Asset valuations help security administrators assess risk and apply appropriate protections to assets. The following list identifies assets that are found in most organizations:

  • Personnel.

    People are often called the most important asset of an organization; this category includes users, maintenance personnel, and administrators.

  • Information system equipment.

    All information systems hardware including computers, servers, network cabling, routers, switches, hubs, and all related devices are assets to the organization.

  • Software.

    All types of computer software are assets, including operating systems, diagnostic utilities, office applications, and so on.

  • Information.

    All data is an asset to the organization. Be sure to include data in applications, databases, user accounts, home directories, backups, archives, and logs.

  • Documentation.

    All of the policies, procedures, and supporting information are valuable to the organization. At a minimum the documentation is worth the time that it would take to re-create it.

  • Furniture.

    Desks, chairs, couches, conference tables, rolling carts, and all other manner of furniture that the organization owns are assets.

  • Production machinery.

    Any machinery that is used to produce products must be considered an asset. For example, a restaurant typically has a kitchen with oven, stove, cooking utensils, and other equipment.

  • Vehicles.

    Company cars, vans, buses, and other vehicles are all assets.

  • Physical structures.

    All physical structures that the organization owns, such as buildings, office spaces, and production facilities are assets.

  • Other items.

    Supplies such as paper, ribbons, removable media, pens, pencils, and staplers are also part of the organization's assets.

This list is certainly not complete for all organizations. Each organization must consider assets that might be unique to the organization.

Threat Assessment

A threat is anything that could potentially cause harm to an asset. To assess threats, you must identify them and then estimate the likelihood that they might compromise your assets.

Threat Identification

The actual threats that could affect an organization vary depending on the organization's locations, industry, physical security, and visibility. Threats can be grouped into three major subcategories: natural, environmental, and human. Here are some examples:

  • Natural.

    Natural threats include fires, floods, volcanic eruptions, earthquakes, tornadoes, mudslides, avalanches, thunderstorms, and other natural disasters.

  • Environmental.

    Environmental threats can include pollutants, chemical spills, long-term power outages, and other situations.

  • Human.

    Human threats include any intentional or unintentional human action that might cause harm to organizational assets. Human threats can be subdivided into many separate categories. Some examples are technological attacks, which can include viruses, worms, Trojans, malicious software uploads, and network-based attacks; social engineering attacks, which involve tricking or deceiving clients, customers, or members of the organization to attack organizational assets; and physical attacks, such as theft, vandalism, arson, and sabotage.

Threat Likelihood

Estimating the likelihood that a threat will compromise your organization is truly guesswork, but you can collect information concerning the potential for each threat. For example, if you are assessing the likelihood of a natural disaster, you can check local historical records concerning floods, fires, tornadoes, and the like. When assessing the likelihood of future technological attacks, you can check the statistics of previous technological attacks and extrapolate based on that information. The following Web sites can help you collect statistics on technology attacks:

  • NIST ICAT statistics at http://icat.nist.gov

  • CERT statistics at http://www.cert.org/stats

  • Security Stats statistics at http://www.securitystats.com

If you want to use the risk formula presented earlier, you should assign a numeric value to the likelihood that a threat will affect your organization. For example, you could use a five-point rating scale such as this one:

Rating 1: A low rating, denoting that there is no history of the threat ever attempting to compromise this organization or similar organizations. The threat is unlikely to affect the organization in the future.

Rating 2: A medium-low rating, indicating there is little history of the threat attempting to compromise similar organizations. There is a minimal chance that the threat will affect this organization in the future.

Rating 3: A medium rating, signifying there is some history of the threat compromising this organization or similar organizations. The threat might affect the organization in the future.

Rating 4: A medium-high rating, denoting there is notable history of the threat compromising this organization or similar organizations. The threat will likely affect this organization in the future.

Rating 5: A high rating, indicating there is significant history of the threat compromising this organization or similar organizations. The threat is very likely to affect this organization in the future.

This scale is only a recommendation for assigning a numeric value to the likelihood of a threat. Many organizations decide to use a low, medium, and high scale without numerical assignment.

Impact Assessment

Assessing impact involves performing a monetary calculation of the costs incurred should a particular threat compromise your organization's assets. This includes damage, loss of time, exposure to legal liability, and any other costs of restoring the organization to the operational capabilities that existed before the compromise. Assessing impact is a matter of guesswork based on historical data, current security controls, and current costs. For example, you might determine that a fire in the computer lab is likely to result in a loss of 25 computers. The time required to reinstall those systems and clean up the computer lab and the cost of replacing the equipment are part of the impact. If this represents .01 percent of your organization's total assets, the impact might be .01. Some organizations might choose to assign impact as a specific monetary value, which is perfectly acceptable. Organizations might also choose to use a multipoint scale, such as this:

Rating 1: A low rating, concerning an annoyance or minor, superficial damage.

Rating 2: A medium-low rating, indicating a minor disruption or small (but measurable) loss of productivity.

Rating 3: A medium rating, indicating a loss of information or a successful denial of service.

Rating 4: A medium-high rating, indicating a full loss of connectivity, serious disruption of business operations, or some other effect that seriously impedes the business.

Rating 5: A high rating, representing a significant business loss (potential loss of the organization's ability to function at all, loss of life, or serious physical injury).

Vulnerability Assessment

A vulnerability assessment is a calculation of how prepared the organization is to handle a specific threat. For example, if the threat is a hurricane and the organization's structure, windows, equipment, and personnel are all very well prepared to handle such an event, the vulnerability of the organization to a hurricane is probably low. Again, if you choose to use the risk assessment formula, you should assign a value to the organization's vulnerability. Here is a sample scale for doing so:

Rating 1: A low rating, denoting that the organization is well prepared to handle the specified threat.

Rating 2: A medium-low rating, indicating the organization is mostly prepared to handle the threat; there are a few additional safety measures that could be taken.

Rating 3: A medium rating, signifying that the organization has some safety measures in place for this threat, but it is still somewhat vulnerable to the specified threat.

Rating 4: A medium-high rating, denoting that the organization has very few safety measures in place for this threat. The organization is vulnerable to the specified threat.

Rating 5: A high rating, indicating that the organization has no safety measures in place for this threat. The organization is very vulnerable to the specified threat.

This lesson was a brief overview on how to calculate risk. For more information on assessing and managing risk, review NIST Special Publication 800-30, "Risk Management Guide for Information Technology Systems."

Exercise 1: Checking Security Statistics

In this exercise you use CERT and ICAT to track down vulnerability reports. You must have Internet connectivity and a Web browser to complete this exercise.

  1. Open your Web browser and connect to http://www.cert.org/stats.

  2. Compare the number of incidents reported in the 1990s to the year 2000. Notice there were far more incidents in that one year than in the preceding decade.

  3. Add up all the incidents CERT reported from 1988 to the year 2000 and compare that number with what was reported in the year 2001 alone. You should find that CERT recorded over 4900 more incidents in 2001 than in the preceding 12 years combined.

  4. Review the rest of the statistics on this Web page. Notice the number of vulnerabilities reported in 2001 was more than double those reported in 2000.

  5. Point your Web browser to http://icat.nist.gov.

  6. Locate and click the Statistics link once the page loads.

  7. Notice there is a more detailed breakdown of vulnerabilities on this Web site than those that CERT provides. However, as you can see from the statistics, vulnerabilities increased considerably between the beginning of 2000 and the end of 2001.

Exercise 2: Calculating Risk Discussion

In this exercise, assume that you have been assigned to calculate the risk to 100 client computers from a malicious code attack, such as a virus, worm, or Trojan horse. What types of information would be relevant to your assessment? How would you quantify this information?

Answers here can vary widely, but some things to consider include the following:

  1. Understand the value of the assets: How much did the equipment cost? Does it store sensitive data? What is the value of the complete system?

  2. You need to see the system architecture documentation: hardware, software, and network connectivity.

  3. Research the types of vulnerabilities that apply to the specific systems and applications.

  4. Consider existing protective implementations: Is there a virus scanner on each system and at the gateway? Do the systems allow removable media? How often are backups and drive images taken?

  5. Risk can be quantified by determining the total value of each asset and estimating how much damage can be done if the assets are compromised in a malicious code attack (determine impact). Then multiply impact by an estimate of how likely the threat is to occur (threat). Then multiply that figure by how vulnerable the system is to compromise (vulnerability). Risk = Threat × Vulnerability × Impact.
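The following Python script is an added example, not part of the training kit, that carries the lesson's formula and its three five-point scales through the Exercise 2 scenario: several threats against the same 100 client computers are rated, scored with Risk = Threat × Vulnerability × Impact, and ranked so the controls for the highest-risk threat come first. The ratings, the scenario names and the asset figures are constructed for illustration; the zero-factor rule from the Calculating Risk section is handled explicitly.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the lesson's five-point ratings for threat, vulnerability and impact


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, with the three ratings the lesson's formula needs."""
    asset: str
    threat: str
    likelihood: int     # threat rating: 1 = no history .. 5 = very likely
    vulnerability: int  # 1 = well prepared .. 5 = no safety measures in place
    impact: int         # 1 = annoyance .. 5 = significant business loss


def risk(likelihood: int, vulnerability: int, impact: int) -> int:
    """Risk = Threat x Vulnerability x Impact. A zero in any factor makes the risk zero."""
    for name, value in (("threat", likelihood), ("vulnerability", vulnerability), ("impact", impact)):
        if value != 0 and value not in SCALE:
            raise ValueError(f"{name} rating {value} must be 0 or on the 1-5 scale")
    return likelihood * vulnerability * impact


def impact_percent_of_assets(loss_cost: float, total_assets: float) -> float:
    """The lesson's alternative impact figure: the expected loss as a percentage of total assets."""
    return round(loss_cost / total_assets * 100, 4)


def prioritize(scenarios: list[Scenario]) -> list[tuple[str, int]]:
    """Return (threat, risk) pairs, highest risk first; those controls get implemented first."""
    scored = [(s.threat, risk(s.likelihood, s.vulnerability, s.impact)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed, hypothetical ratings for the 100 client computers of Exercise 2.
SCENARIOS = [
    Scenario("100 client computers", "malicious code (virus, worm, Trojan)", 5, 3, 4),
    Scenario("100 client computers", "fire in the computer lab", 2, 2, 4),
    Scenario("100 client computers", "theft of equipment", 3, 2, 3),
    Scenario("100 client computers", "hurricane", 0, 1, 5),  # no local history: threat 0, so risk 0
]

if __name__ == "__main__":
    for threat, score in prioritize(SCENARIOS):
        print(f"{score:3d}  {threat}")
```

Swap in your own ratings from the three scales above; the ordering, not the absolute numbers, is what drives which security controls you implement and maintain first.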

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. What is the formula for calculating risk?

  2. Who is normally responsible for assigning value to assets?

  3. List some resources for collecting technology threat statistics.

  4. What is the purpose of an impact assessment?

  5. What is a vulnerability assessment?

Lesson Summary

  • Threat multiplied by vulnerability multiplied by impact equals risk. To calculate risk, you must first assess the value of your assets, determine the likelihood of potential threats attacking or affecting your organization, and estimate the damage that would be caused by a successful attack on your organization.

  • Assets are typically identified and valued by accountants because depreciation in value is involved in some of these calculations. The security administrator must be able to identify assets and have some concept of their value to the organization.

  • Identifying and categorizing threats is important because there are many possible threats to any given organization. The security administrator must assess the likelihood that each threat will affect the organization and then prioritize security controls accordingly.

  • To properly assess risk, a security administrator must assess the vulnerabilities of the organization's assets. This means the security administrator must determine how exposed each resource is to the possible threats that exist in the world.

  • The security administrator must also decide how susceptible each asset is to compromise. The question here is how much of a given asset could or probably would be compromised in an attack.



Security+ Certification Training Kit
ISBN: 0735618224
Year: 2002
Pages: 55
