Risk Management and Privacy #
Analyzing Risk #
- Enterprise Risk Program (ERP) - Formal approach to risk analysis
  - Identify Risks
  - Determine severity for each risk
  - Adopt risk management strategies to address risks
- Clarification
  - Threats: any possible events that might impact CIA characteristics
    - The Bad Guy/Thing: It’s something that might cause trouble. Like a burglar who wants to break into your house.
  - Vulnerabilities: weaknesses in our systems/controls that could be exploited by a threat
    - The Weak Spot: It’s the thing that makes it easier for the bad guy. Like if you left the window unlocked.
  - Risk: the overlap between Threats and Vulnerabilities
    - What could actually happen: It’s the chance of the bad guy using the weak spot to cause harm. Like the burglar actually climbing through your unlocked window and stealing your toys.
  - A threat that has no corresponding Vulnerability to exploit results in no risk.
- CyberSecurity Example
  - Threat - An attacker with a brute-force tool
  - Vulnerability - Port 22 (SSH) exposed
  - Risk - The combination of the two is the risk.
Risk Identification #
Identify threats and vulnerabilities in your operational environment/scope/boundary.
- External Risks - from outside the organization
- Internal Risks - from inside the organization
- Multiparty Risks - impact more than one organization (e.g. a power outage for an entire city)
- Legacy Systems - outdated systems that no longer receive updates, patches, etc.
- Intellectual Property (IP) Theft Risk - the organization’s IP that, when disclosed, damages its business advantage
- Software Compliance/Licensing Risk - intentional or accidental breach of ToS/License terms causes financial and legal risk.
Risk Assessment #
Not all risks are equal.
- We assess risk on 2 dimensions:
  - Likelihood of it occurring, aka the probability.
    - Possible way of expressing: 10% chance of this happening in the next year
  - Impact if it occurs
    - Possible way of expressing: financial cost of 100 000 EUR
- Risk Severity = Likelihood * Impact
  - This is mostly conceptual; it doesn’t have to be computed literally.
- Ways of performing Risk Assessment
  - One-Time - snapshot of a specific point in time, often in response to a security incident.
  - Ad-hoc - in response to a specific event/change, like a new project or technology. Often done quickly to address a certain set of concerns.
  - Recurring - on a regular basis, to track the evolution of risks
  - Continuous - on a continuous basis through automation and tooling
Risk Analysis #
Formalized approach to risk prioritization in a structured manner.
- 2 Methodologies
  - Quantitative Risk Analysis - uses numeric data in the analysis, allows for straightforward prioritization.
  - Qualitative Risk Analysis - uses subjective analysis, more difficult to prioritize with.
  - It is not uncommon for the two to be combined.
Quantitative Risk Analysis #
Calculated for each threat/vulnerability combination.
- Determine Asset Value (AV) - the value of the asset that is affected by the risk
- Determine Annualized Rate Of Occurrence (ARO) - probability of the risk occurring annually
  - ARO of 2.0 => the risk is expected to occur 2x per year.
  - ARO of 1.0 => the risk is expected to occur 1x per year.
  - ARO of 0.01 => the risk is expected to occur 1x per 100 years.
- Determine Exposure Factor (EF) - relative share of the asset’s value lost if the risk materializes.
  - EF of 100% => entire asset destroyed
  - EF of 50% => half the asset destroyed
- Calculate Single Loss Expectancy (SLE) - absolute value lost each time the risk materializes.
  - Formula: AV * EF
  - Example: 1000 EUR * 50% => 500 EUR loss if the risk materializes
- Calculate Annualized Loss Expectancy (ALE) - absolute value expected to be lost per year, i.e. the SLE scaled by how often the risk is expected to occur annually.
  - Formula: SLE * ARO
  - Example: 500 EUR * 2.0 => 1000 EUR expected loss per year
  - Use ALE to prioritize: if it costs more to protect an asset than the value of its ALE, there is arguably no point in putting in the effort.
Example #
You have an email server that sends out emails to customers and generates $1000 in sales per hour. A DDoS attack can happen up to 3x per year. It would take 3 hours to recover. When it happens, the email server works at only 10% capacity.
- AV - $1000/hour
- ARO - 3.0
- EF - 90% (because the server works at 10% capacity when experiencing the attack)
- SLE - ($1000/hour * 3h) * 90% => $2700
- ALE - $2700 * 3.0 => $8100
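The SLE/ALE calculation above, and the "is the control cheaper than the ALE it removes" prioritization rule from the Quantitative Risk Analysis section, as an added example that is not part of the original notes. The email server numbers are the ones from the example; the laptop-theft risk, the $5000/year DDoS protection service and its assumed effect on ARO are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the asset exposed per occurrence
    exposure_factor: float  # EF: fraction of AV lost when the risk materializes (0.0 - 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def prioritize(risks: List[Risk]) -> List[str]:
    """Risk names ordered by ALE, highest first, which is how the notes say to prioritize."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def control_is_justified(risk: Risk, annual_control_cost: float, residual: Risk) -> bool:
    """A control pays for itself only if the ALE it removes exceeds its own annual cost."""
    return (risk.ale() - residual.ale()) > annual_control_cost


# Scenario from the notes: $1000/hour in sales, 3 hours to recover, server at 10%
# capacity during the attack (EF = 90%), up to 3 attacks per year (ARO = 3.0).
email_ddos = Risk("email server DDoS", asset_value=1000 * 3, exposure_factor=0.90, aro=3.0)

# Constructed second risk, only to show ranking: laptop theft, whole device lost, twice a year.
laptop_theft = Risk("laptop theft", asset_value=1500, exposure_factor=1.0, aro=2.0)

# Hypothetical DDoS protection service: $5000/year, assumed to cut the ARO from 3.0 to 0.5.
ddos_protection_cost = 5000.0
email_ddos_protected = replace(email_ddos, aro=0.5)

if __name__ == "__main__":
    print(f"SLE = ${email_ddos.sle():.0f}, ALE = ${email_ddos.ale():.0f}")
    print("priority order:", prioritize([laptop_theft, email_ddos]))
    print("DDoS protection justified:",
          control_is_justified(email_ddos, ddos_protection_cost, email_ddos_protected))
```

The same function answers the Conclusion section's question of whether the cost to avoid a risk is justified: with the assumed numbers the protection removes $6750 of ALE for $5000, so it is worth buying, while a $7000/year service would not be.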
Qualitative Risk Analysis #
Some risks can’t easily be quantified (e.g. risk to reputation).
- We rate the risk on 2 dimensions with a score of low, medium, or high:
  - Magnitude
  - Probability
- Risks with high magnitude and high probability should be prioritized
- Risks with low magnitude and low probability should be deprioritized
Supply Chain Assesment #
Don’t forget to also do a risk assessment of your supply chain.
Conclusion #
- Risk Analysis provides guidance in prioritizing risk.
- Quantitative Risk Analysis helps determine if the cost to avoid a risk is justified.
Managing Risk #
Once a risk has been identified, assessed, and analyzed/prioritized, we choose one of the following 4 ways to manage/address it.
Risk Mitigation #
Apply security controls to reduce probability and/or magnitude.
- Per risk, you might apply multiple security controls to achieve mitigation.
- Examples:
  - Buy DDoS protection
  - Locks for laptops
Risk Avoidance #
Change business practices/systems to eliminate the potential altogether.
- Examples:
  - Just don’t have laptops, if you don’t want them to be stolen.
Risk Transference #
Shifts (some of) the impact to another entity.
- Examples:
  - Buy insurance for stolen laptops
  - Buy “distinct cybersecurity insurance”, because default insurance policies don’t cover this.
  - Use cloud services; the provider takes responsibility for the datacenters (hardware security)
Risk Acceptance #
Don’t do anything, accept the risk: the cost to mitigate/avoid/transfer is bigger than the cost of the risk actually materializing.
- This is not negligence; here we consciously, intentionally choose to accept the risk.
- Might require Exceptions or Exemptions on a policy to formally allow Risk Acceptance
  - Exceptions - the cost is too high, the organization accepts the risk thoughtfully
  - Exemptions - more formal than exceptions, may require high-level approval and may come with an “end date”.
Risk Tracking #
- Inherent Risk - original level of risk before any security controls were implemented.
  - Therefore, it is inherent to the business.
- Residual Risk - level of risk after implementing controls
- Risk Appetite - level of risk the organization is willing to accept
  - Expansionary Risk Appetite - high risk, for high rewards. Typical for high-growth organizations
  - Neutral Risk Appetite - medium risk, medium rewards. Stability and growth is key
  - Conservative Risk Appetite - avoid high risk altogether, prioritize security over high growth, risk averse.
- Risk Threshold - the specific level where the risk appetite stops and some action would be triggered
- Risk Tolerance - ability to withstand risk and continue operations
- Key Risk Indicator (KRI) - metrics to measure an increased level of risk.
  - Measures the effectiveness of risk mitigations and makes sure the risks stay within the appetite.
- Risk Owner - individual/entity responsible for managing/monitoring a risk and implementing its controls.
Risk Register #
- The tool that tracks all the risks.
- To communicate to leadership, risk matrices and heatmaps are often used.
- To include: Risk Owner, Risk Threshold information, KRIs.
Risk Reporting #
Communicating the status and evolution of risks to stakeholders.
- Reporting Methods
  - Regular Updates - routine reports to stakeholders with status, effectiveness of controls and changes
  - Dashboard Reporting - real-time visual aids to summarize risk
  - Ad Hoc Reports - created as needed
  - Risk Trend Analysis - analyze history to identify patterns/trends
  - Risk Event Reports - document specific security events, like incidents
Disaster Recovery Planning (DRP) #
Develop as soon as possible, before a disaster happens. Usually the key focus is a plan for each facility, as disasters are often scoped to a facility.
Disaster Types (Examples) #
- Hurricanes
- Floods
- Natural disasters
- human-made origin
- internal risk
- …
Business Impact Analysis (BIA) #
Formal process to identify the mission-essential functions in an organization and the systems that support those functions.
- Mean Time Between Failures (MTBF) - measures the stability of a system: how much time passes between failures
- Mean Time To Repair (MTTR) - average time to restore operations after a failure
- Recovery Time Objective (RTO) - time you can tolerate the system being down
- Recovery Point Objective (RPO) - amount of data you can tolerate losing
Note: Focus on single points of failure.