Risk Management
Site: | Saylor Academy |
Course: | CS406: Information Security |
Book: | Risk Management |
Date: | Wednesday, 2 April 2025, 1:41 AM |
Description
Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).
Table of contents
- Introduction
- Key Terms
- Instruction
- The Risk Management Process
- Risk Inventory
- Risk Management Benefits and Motivation
- Tangible and Intangible Asset Valuation
- Tangible Assets
- Intangible Asset Valuation
- Methods for Managing Risk
- Asset Valuation Example Review
- Single Loss Expectancy (SLE)
- Annual Rate of Occurrence (ARO)
- Annual Loss Expectancy (ALE)
- Qualitative Risk Analysis
- Risk Mitigation
- Security Control Selection Principles
- Countermeasure Selection Considerations: Review
- Calculating Risk Exposure
- Statement of Applicability (SOA)
- Summary
Introduction
Risk combines three ideas: an event, the probability that the event occurs, and the impact if it does. Two questions are therefore always asked when examining risk: what is the probability that a particular event will occur, and what negative impact would it have if it actually occurred? Risk is measured by combining the answers. A high-risk event has both a high probability of occurring and a significant negative impact when it does. Measuring risk is always focused on the future: it estimates what may happen, not what has already happened.
Lesson Objectives
By the end of this lesson, you will be able to:
- Explain the purpose of risk management.
- Discuss the impact of the Target Corporation data breach.
- Demonstrate the ability to incorporate risk management principles and best practices into an organization-wide plan.
- Explain the methods of managing risks.
- Perform a quantitative risk assessment analysis.
- Perform a qualitative risk assessment analysis.
Source: National Information Security and Geospatial Technologies Consortium (NISGTC), https://www.edjet.com/scorm-content/edjet-prod-uploads/1bbb6bd2940fd96497953e96a7011e315c141cf3/771aacefbe2ed9e16b17173a36b691df/story_content/WebObjects/6MLNkf2prXH/lesson02/index.html This work is licensed under a Creative Commons Attribution 3.0 License.
Key Terms
Term | Definition |
Risk management | the process of identifying, assessing, and prioritizing organizational risk |
Risk | The potential of losing something that is of value to an organization |
Risk assessment | the process of analyzing risk |
Risk analysis | analysis uses information to identify possible sources of risk and identify threats or events that could have a harmful impact |
Countermeasures | A measure taken to counter or offset a threat |
Threat | A potential cause of harm: an agent or event that could exploit a vulnerability to breach security |
Security controls | Safeguards or countermeasures implemented to minimize security risks. |
Compliance | Obligations to external authorities and information security reviews |
Asset | Any resource, product, system, process, or any other organizational resource that has value to an organization |
Tangible assets | Assets that have a physical presence and an identifiable value |
Intangible assets | Assets that are not physical but still represent a value to the organization’s image, its operations, and the ability to compete in the market |
Quantitative Risk Analysis | This type of risk analysis assigns independent, objective, numeric monetary values to the elements of risk assessment and the assessment of potential losses |
Single Loss Expectancy (SLE) | The estimate of the amount of damage that an asset will suffer due to a single incident |
Exposure Factor (EF) | A potential percent of loss to a specific asset if a particular threat is realized. This is regarded as a subjective measure |
Annual Rate of Occurrence (ARO) | the number of times per year that an incident is likely to occur |
Annual Loss Expectancy (ALE) | the yearly financial impact to the organization from a particular risk |
Qualitative Risk Analysis | Evaluates the impact or effect of threats on the business process or the goals of the organization with a scenario-oriented, carefully reasoned risk assessment |
Risk mitigation | Reducing the severity of a loss or the likelihood of the loss from occurring |
Risk Exposure | A quantifiable loss potential |
Instruction
Risk Management
Risk management is the process of identifying, assessing, and prioritizing organizational risk. It also includes creating the organizational processes needed to address loss exposures, monitor risk controls, and mitigate the impact of potential risk to the organization. Natural disasters, human error, accidents, legal liabilities, and deliberate attacks by an adversary all pose some degree of risk. This lesson introduces the concepts and processes associated with risk management.
Risk management and risk assessment are major components of Information Security Management (ISM). The ISO 27000 framework defines risk management as a process that includes four activities:
- risk assessment
- risk acceptance
- risk treatment
- risk communications
Risk management includes all of the related activities that an organization carries out in order to assess, evaluate and respond to organizational risk. Risk assessment is the process of analyzing risk, and it can be performed using a quantitative or a qualitative approach: the quantitative approach measures the financial impact in monetary terms, while the qualitative approach rates the impact on the organization's operations and reputation on an ordinal scale.
Figure 1 – Components of risk management
Risk analysis uses information to identify possible sources of risk and the threats or events that could have a harmful impact. Risk analysis also includes risk estimation, which assigns a likelihood and an impact to each identified risk. A risk evaluation then compares the estimated risk with a set of risk criteria in order to determine how significant the risk really is, which helps to prioritize the risks. Risk response is the approach taken to mitigate the threat and reduce the risk impact.
The video, Managing IT Risk: Trends in Global Information Security (12:55), discusses the most important challenges for IT professionals to mitigate the threats that organizations now face in a dynamic technology environment.
The Risk Management Process
The risk management process consists of three stages:
- Risk analysis/assessment. This stage identifies, inventories and classifies risks. Each risk event identified is recorded and examined to determine its likelihood, the current value of the asset, and the vulnerability exposure.
- Risk response. The risk response stage requires the planning of processes and procedures to address each risk item identified in the first stage. These processes and procedures are typically called controls.
- Evaluating and monitoring the implemented controls. This stage requires the organization to document, review and make continuous improvements or changes to manage risk.
Figure 2 – The risk management process
Risk Inventory
The risk inventory is done to create a checklist of potential risks to evaluate the likelihood of occurrence. Some organizations develop risk checklists based on past experiences. These checklists can be helpful in building a more comprehensive list. Identifying the sources of risk by category is another method for exploring potential risk. Some examples of categories for potential risks include the following:
- Equipment/Technical
- Human Factors
- System Vulnerabilities
- Malicious Attacks
- Theft
- Weather/Natural Disasters
- Financial/Cost
- Contractual
- Political/Legal
- Environmental/Physical
For example, a human factor risk would include the inability to find an employee with the skills needed to properly complete a task or protect resources.
Risk Management Benefits and Motivation
Besides identifying the risks facing an organization, a risk management program enables the organization to assess the impact risks can have on organization-wide performance and processes. Therefore, risk management not only provides risk evaluation, but can identify whether adequate controls are in place to mitigate risks effectively. The real benefit and motivation come down to cost. The process is designed to identify the optimal level of security at the minimum cost. It typically comes down to the cost of the countermeasure versus the cost of the security failure.
Figure 3 – Cost versus security level trade-off
At point A, the cost of security failure is high, while the level of security assurance is low. At point B, there is too much money being spent to provide security assurance. At point D, the cost of security failures is equal to the cost of the security measures. Point D is optimal since the cost of both failures and security measures are minimized and security assurance is maximized.
Tangible and Intangible Asset Valuation
An "asset" is any resource, product, system, process, or any other organizational resource that has value to an organization. As such, all assets must be protected. Assets can be physical/tangible items, such as equipment or computers, and they can also be non-tangibles, such as information or intellectual property.
Figure 4 – Tangible assets versus intangible assets
Tangible Assets
Tangible assets are those that have a physical presence, so the risk analysis can assign them a real value, usually based on original or replacement cost. For accounting purposes these assets often depreciate to zero, even though they would still have to be replaced if lost, so the accounting value is not necessarily the value to use in a risk analysis. Common ways to value a tangible asset include:
- Original cost minus depreciation
- Actual market value based on market research
- Installation cost
- Impact on operations
Intangible Asset Valuation
Intangible assets are not physical, but still represent value to the organization's image, its operations, and ability to compete in the marketplace. Intangible assets include:
- Trademarks
- Copyrights
- Patents
- Intellectual property
- Formulas
- Brand recognition
- Brand reputation
Methods for Managing Risk
Risks should be ranked based on financial or operational impact and likelihood of occurrence. The results of this assessment will align risk events in one of four risk response categories:
- Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.
- Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.
- Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.
- Accept risk – if a cost-benefit analysis determines that the cost to mitigate the risk is higher than the cost to bear it, the best response is to accept the risk and continually monitor it.
Figure 7 – Methods for managing risk
Asset Valuation Example Review
To conduct an asset valuation, answer the following questions:
- How can the level of impact be measured?
- What are the cost implications to the business?
- How can you determine what effect this event has on sales, IT, customer reputation, and employees?
- What possible regulatory issues does the company face?
- What is the best response to handle this situation in the future?
Quantitative Risk Analysis
This type of risk analysis assigns independent, objective, numeric monetary values to the elements of risk assessment and the assessment of potential losses.
EVERYTHING gets a dollar value!
Standardized calculation of risk is based on the impact of each occurrence and frequency of occurrence. The overall approach to quantitative risk analysis is illustrated in Figure 8.
Figure 8 – Quantitative risk analysis approach
Single Loss Expectancy (SLE)
SLE is the estimate of the amount of damage that an asset will suffer due to a single incident. Asset categories include people, facilities, equipment, materials, information, activities, and operations.
Figure 9 – Single Loss Expectancy calculation
The following formula is used to calculate the single loss expectancy:
Single Loss Expectancy = Asset Value * Exposure Factor
Exposure Factor (EF) is the fraction of the asset's value that is lost when the threat is realized, expressed as a percentage from 0% (no loss) to 100% (total loss). If the loss can be attributed to a single type of damage, the impact can be stated as the percentage of the asset's value that would be lost: for example, an EF of 0.20 on a $15,000 server means a single incident is expected to cost $3,000.
Annual Rate of Occurrence (ARO)
ARO is the number of times per year that an incident is likely to occur. Knowing the adversary's intent, capability, and motivation helps to estimate the ARO, as do historical incident records for the organization or its industry.
ARO = Incidents / Year
The Annualized Rate of Occurrence is therefore the expected number of incidents per year: an incident expected once every ten years has an ARO of 0.1, and one expected three times a year has an ARO of 3.
Figure 10 – Annual rate of occurrence calculation
Annual Loss Expectancy (ALE)
ALE provides an estimate of the yearly financial impact to the organization from a particular risk. This helps determine how much money the organization is justified in spending on countermeasures in order to reduce the likelihood or impact of an incident: a control that costs more per year than the ALE it removes is not cost-justified.
Annualized Loss Expectancy = Single Loss Expectancy * Annual Rate of Occurrence
ALE = SLE * ARO
Qualitative Risk Analysis
A qualitative risk analysis evaluates the impact or effect of threats on the business process or the goals of the organization and has the following characteristics:
- Scenario oriented
- A carefully reasoned risk assessment is performed
Although the variables in a qualitative security risk equation are expressed as numerical values, these values are ordinal numbers: they only establish the order High > Medium > Low. There is no metric that determines the distance between categories. For example, a risk rated High is not "three times" a risk rated Low, and a Medium is not "half" of a High.
Tables are used as the "formula" for determining qualitative security risks, as shown in Figure 11.
Figure 11 – Qualitative risk analysis matrix
The team then defines each of the qualitative values for probability and impact. The values in the table are the result of multiplying the probability value by the impact value. Read the article, Qualitative Risk Analysis and Assessment for more information.
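As an added illustration of the matrix approach (this code is not from the NISGTC lesson), the following Python builds a Figure 11 style matrix from three-level ordinal scales, bands each cell back into a rating, and ranks a set of constructed risk scenarios. The level numbers, the band thresholds and the scenarios are all assumptions chosen for illustration; a team defines its own.

```python
"""Qualitative risk matrix: ordinal probability x impact.

Added worked example for this lesson; not code from the NISGTC source.
The three-level scales, band thresholds and scenarios are assumptions.
"""

# Ordinal ranks: they establish High > Medium > Low and nothing more.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def score(probability: str, impact: str) -> int:
    """Matrix cell = probability rank * impact rank (1 to 9)."""
    return LEVELS[probability] * LEVELS[impact]


def band(cell: int) -> str:
    """Translate a cell back into a rating. Thresholds are an assumption:
    6 or 9 -> High, 3 or 4 -> Medium, 1 or 2 -> Low."""
    if cell >= 6:
        return "High"
    if cell >= 3:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Figure 11 style table: rows are probability, columns are impact."""
    return {p: {i: score(p, i) for i in LEVELS} for p in LEVELS}


def rank_risks(risks):
    """Order (name, probability, impact) tuples from highest to lowest risk.

    Equal scores are broken on impact rank, because the product is only an
    ordering: a score of 3 from (Low, High) and one from (High, Low) are not
    'the same amount' of risk, and the high-impact one is usually treated
    as the more urgent.
    """
    return sorted(risks,
                  key=lambda r: (score(r[1], r[2]), LEVELS[r[2]]),
                  reverse=True)


# Constructed scenarios for illustration only.
SCENARIOS = [
    ("Phishing leads to credential theft", "High", "Medium"),
    ("Data center flooding", "Low", "High"),
    ("Laptop lost in transit", "Medium", "Medium"),
    ("Printer outage", "High", "Low"),
]

if __name__ == "__main__":
    matrix = risk_matrix()
    print("P \\ I   " + "".join(f"{i:>8}" for i in LEVELS))
    for p, row in matrix.items():
        print(f"{p:8}" + "".join(f"{row[i]:>8}" for i in LEVELS))
    for name, p, i in rank_risks(SCENARIOS):
        print(f"{band(score(p, i)):6} {score(p, i)}  {name} (P={p}, I={i})")
```

Running the script prints the 3×3 matrix and then the scenarios in priority order; note that flooding and the printer outage both score 3, and only the tie-break rule (not the score itself) puts flooding first.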
Risk Mitigation
Risk mitigation involves reducing the severity of a loss or the likelihood of it occurring. Many technical controls can be used to mitigate risk, including authentication systems, file permissions and firewalls. Organizations and security professionals must understand that risk mitigation can have both a positive and a negative impact on the organization: good risk mitigation balances the negative impact of countermeasures and controls against the benefit of the risk reduction they provide. A shorter-term strategy is to accept the risk, in the sense of accepting the need to create contingency plans for it. Modern software development methodologies reduce risk by developing and delivering software incrementally and by providing regular updates and patches to address vulnerabilities and misconfigurations.
Outsourcing services can be an example of risk reduction. Hiring specialists to perform critical tasks to reduce risk can be a good decision and yield greater results with less long term investment. The ISO framework identifies several ways to manage risk:
- Accept – periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.
- Reduce – design a new business process with adequate built-in risk control and containment measures from the start.
- Transfer – transfer risks to an external agency (a service level agreement or insurance company).
- Avoid – avoid the risk altogether, using measures such as physically disconnecting from the Internet or discontinuing the activity that creates the risk.
Figure 12 – Ways to deal with risk
These strategies are not mutually exclusive. A good risk mitigation plan can include two or more strategies.
Security Control Selection Principles
The total cost of a control includes the following:
- Selection
- Construction and replacement
- Acquisition (materials and mechanisms)
- Maintenance and testing
- Non-trivial operating cost
- Potential side effects
- Environmental modifications
- Impact on operations
Countermeasure Selection Considerations: Review
Applying criteria for selection will assist in measuring the true costs of implementing that countermeasure. Take the case of an ATM at a bank. The following questions should be asked:
- What are the 'real' costs of changing security controls?
- How would a chip and pin solution be calculated effectively? What would need to be considered?
- What other options may have been considered instead of chip and pin? Shutting down ATMs? Biometrics? More physical security?
There are seven possible functions that a security countermeasure can fulfill.
- Control access
- Help assess the attack
- Delay the attack
- Deter an attack
- Detect an attack
- Respond to the attack
- Collect evidence of the attack
Various countermeasures can perform one or more of these functions.
Calculating Risk Exposure
Risk exposure is a calculation done as part of a risk assessment. Read How to Calculate Risk Exposure Value. Risk exposure is the probability of the risk occurring multiplied by the total loss if the risk occurs; it expresses the potential for financial loss, and the ALE is its annualized form. The same product can be applied to qualitative rankings, but then the result only orders the risks, as described above. A quantitative risk analysis is shown in Table 1.
Table 1: Calculation of Annualized Loss Expectancy
Asset | Threat | Asset Value | EF | SLE | ARO | ALE |
---|---|---|---|---|---|---|
File Server | Virus, expected once every 2 years | $15,000 | 0.20 | $3,000 | 1/2 (0.5) | $1,500 |
Operation Center | Hurricane, expected once every 5 years | $1,000,000 | 0.90 | $900,000 | 1/5 (0.2) | $180,000 |
EF – Exposure Factor; SLE – Single Loss Expectancy; ARO – Annualized Rate of Occurrence; ALE – Annualized Loss Expectancy. Check each row against the formulas: $15,000 × 0.20 = $3,000 and $3,000 × 0.5 = $1,500; $1,000,000 × 0.90 = $900,000 and $900,000 × 0.2 = $180,000. The frequency stated for the threat and the ARO column must agree: an event expected once every 10 years would have an ARO of 0.1, not 0.2, and would halve the hurricane ALE.
Formulas:
- SLE = Asset Value * EF
- ARO = Incidents / Year
- ALE = SLE * ARO
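The following Python script is added here as a worked example (it is not part of the NISGTC lesson). It reproduces the two rows of Table 1 from the formulas above and then uses the ALE the way the ALE section describes, as a spending ceiling for countermeasures: the net annual value of a control is the ALE before the control, minus the ALE after it, minus the control's annual cost, a positive result meaning the control is cost-justified. The countermeasure figures (the anti-malware subscription cost, the replication cost, and the reduced ARO and EF they produce) are constructed for illustration.

```python
"""SLE / ARO / ALE calculations and countermeasure cost-benefit.

Added worked example for this lesson; not code from the NISGTC source.
TABLE_1 reproduces the two rows of Table 1. The countermeasure costs and
the reduced EF/ARO values in main() are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    asset_value: float       # AV in dollars
    exposure_factor: float   # EF: fraction of AV lost per incident, 0.0 to 1.0
    incidents: float         # expected number of incidents ...
    years: float             # ... over this many years (ARO = incidents / years)

    def __post_init__(self) -> None:
        # Reject inputs that the formulas cannot make sense of.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.incidents < 0 or self.years <= 0:
            raise ValueError("incidents must be >= 0 and years > 0")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * Exposure Factor."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> float:
        """Annual Rate of Occurrence = Incidents / Year."""
        return self.incidents / self.years

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE * ARO."""
        return self.sle * self.aro


def countermeasure_value(before: RiskScenario, after: RiskScenario,
                         annual_cost: float) -> float:
    """Net annual value of a control.

    value = ALE(before) - ALE(after) - annual cost of the control.
    Positive: the control saves more than it costs and is justified.
    Negative: the organization would pay more for the control than it
    expects to lose, so accepting or transferring the risk is cheaper.
    """
    return before.ale - after.ale - annual_cost


# Rows of Table 1: ARO 1/2 is one virus incident per 2 years,
# ARO 1/5 is one hurricane per 5 years.
TABLE_1 = [
    RiskScenario("File Server", "Virus", 15_000, 0.20, incidents=1, years=2),
    RiskScenario("Operation Center", "Hurricane", 1_000_000, 0.90,
                 incidents=1, years=5),
]


def main() -> None:
    print(f"{'Asset':18}{'AV':>12}{'EF':>6}{'SLE':>12}{'ARO':>6}{'ALE':>12}")
    for s in TABLE_1:
        print(f"{s.asset:18}{s.asset_value:>12,.0f}{s.exposure_factor:>6.2f}"
              f"{s.sle:>12,.0f}{s.aro:>6.2f}{s.ale:>12,.0f}")

    # Constructed countermeasures (assumptions, not from the lesson):
    # managed anti-malware at $800/yr cuts the virus ARO to one per 10 years;
    # off-site replication at $50,000/yr cuts the hurricane EF from 0.90 to 0.30.
    fs_before, oc_before = TABLE_1
    fs_after = replace(fs_before, years=10)
    oc_after = replace(oc_before, exposure_factor=0.30)
    for name, before, after, cost in [
        ("anti-malware", fs_before, fs_after, 800),
        ("off-site replication", oc_before, oc_after, 50_000),
    ]:
        value = countermeasure_value(before, after, cost)
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name}: ALE {before.ale:,.0f} -> {after.ale:,.0f}, "
              f"cost {cost:,}, net value {value:,.0f} ({verdict})")


if __name__ == "__main__":
    main()
```

With the constructed figures, anti-malware nets $400 a year (ALE $1,500 to $300 for $800) and off-site replication nets $70,000 a year (ALE $180,000 to $60,000 for $50,000), so both are justified; raising the anti-malware cost above $1,200 would flip its verdict, which is exactly the ceiling the ALE is meant to expose.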
Statement of Applicability (SOA)
The statement of applicability is a document that identifies the controls chosen for an organization's environment. The SOA is derived from the risk assessment and explains how and why these controls are appropriate. Read The importance of Statement of Applicability for ISO 27001, which discusses why an SOA is needed and why it is useful.