Security Risk Management and Ethics Ch1

Textbook Reference

  • Title: Measuring and managing information risk: A FAIR Approach

  • Authors: Freund, J., & Jones, J.

  • Edition: 1st Edition, 2015

  • Publisher: Butterworth-Heinemann

  • ISBN-13: 9780127999326

  • Chapter One: Introduction to Security Risk Management

Chapter 1: Topics

  • Definitions and concepts related to risk, including its relationship to:

    • Threats

    • Vulnerabilities

    • Losses

  • Major components of risk to IT infrastructure

  • Importance of risk management in business

  • Techniques for risk identification

  • Techniques for risk management

Chapter 1: Goals

Upon completion of this chapter, you will be able to:

  • Define risk

  • Identify major components of risk

  • Describe relationships between:

    • Threats and vulnerabilities

    • Impact

  • Define risk management

  • Explain risk management's relationship with:

    • Profitability

    • Survivability

  • Understand the relationship between the cost of loss and the cost of risk management

  • Describe risk perception among different organizational roles

  • Identify threats and categorize them

  • Describe techniques for identifying vulnerabilities

  • Define and identify risk management techniques

What Is Risk?

  • Definition of Risk: Likelihood of a loss occurring

    • Loss occurs when a threat exploits a vulnerability

  • Risk spectrum:

    • Severe risks can cause business failure; minor risks are often accepted

  • Management techniques help differentiate severe from minor risks

  • Decision-making outcomes involve:

    • Avoiding

    • Transferring

    • Mitigating

    • Accepting a risk

Key Concepts of Risk

  • Common themes in risk definitions:

    • Threat: Activity representing possible danger

    • Vulnerability: A weakness in systems or processes

    • Loss: Compromise to business functions or assets

  • Primary goal: Minimize potential losses from risks

Effect of Risks on Businesses

  • Categories of organizational losses:

    • Business Functions: Disruption of services or sales

    • Business Assets: Loss of value due to threats

    • Driver of Business Costs: Cost implications of managing risks

Business Functions

  • Activities that deliver services and sell products

  • Security risks affecting functions directly impact revenue

Examples of Business Functions & Risks

  • E-commerce site: Attack leads to loss of sales

  • Author's PC virus: Delayed article submission lowers value

  • Analyst connectivity issues: Poor decisions from outdated data

  • Warehouse application failure: Delayed shipments and losses

Business Assets

  • Definition: Items with measurable value to a company

  • Tangible value: Monetary worth, e.g., computer hardware

  • Intangible value: Attributes hard to measure in money, e.g., trust

  • Both types of value are crucial in risk identification and prioritization

Intangible Value Examples

  • Future lost revenue from shifting customer loyalty

  • Cost of acquiring customers lost during disruptions

Driver of Business Costs

  • Risk management impacts overall business profitability

  • Balance required between spending on risk controls and maintaining profits

Profitability vs. Survivability

  • Profitability: Revenue minus costs

  • Survivability: Ability to endure losses

  • Costs of risk management do not directly generate revenue but ensure continued operation

Key Considerations

  • Out-of-pocket costs: Funds spent on risk reduction

  • Lost opportunity costs: Alternative investments forgone to fund risk management

  • Future costs: Ongoing expenses for maintaining controls

  • Confidence of clients/stakeholders: Affected by risk management effectiveness

Major Components of Risk in IT Infrastructure

  • Seven domains present in a typical environment:

    1. User Domain

    2. Workstation Domain

    3. LAN Domain

    4. LAN-to-WAN Domain

    5. Remote Access Domain

    6. WAN Domain

    7. System/Application Domain

  • Each domain must be protected; vulnerabilities in any can jeopardize the security of all

The User Domain

  • Includes users (employees, contractors) as potential weak links

  • Social engineering tactics can manipulate personnel to bypass security

Workstation Domain

  • Vulnerable to malware and lack of updates

  • Importance of antivirus software and timely patch management

LAN Domain

  • Internal environment with connected devices

  • Risks include sniffing attacks; protection through switches is key

LAN-to-WAN Domain

  • Boundary between trusted local network and untrusted WAN

  • Requires strong security measures at the boundary

Remote Access Domain

  • Remote access grants workers connectivity but introduces vulnerabilities

  • VPNs provide security, but have their own risks

WAN Domain

  • Often the Internet, inherently untrusted and subject to attack

  • High-security measures are critical

System/Application Domain

  • Includes servers and key applications, requiring server-specific security

  • Regular updates and control measures are necessary to maintain integrity

Threats, Vulnerabilities, and Impact

  • Threats exploit vulnerabilities leading to potential loss

  • Important to understand impact severity and types of loss:

    • Confidentiality, Integrity, Availability (CIA)

  • Preventing unauthorized access is key to maintaining system security

  • Losses can be characterized as high, medium, or low impact

IT Security Management

  • Process to achieve suitable levels of key security objectives (CIA)

  • Functions include:

    • Defining security objectives and policies

    • Identifying and analyzing threats and risks

    • Developing safeguards and monitoring implementations

    • Incident detection and response

Security Standards

  • ISO 27000 series defines vocabulary and security management practices

  • Standards include frameworks for implementing controls and assessing risks

Risk Assessment Approaches

  • Baseline Approach: Use of industry best practices

  • Informal Approach: Pragmatic analysis using analyst knowledge

  • Detailed Risk Assessment: Comprehensive structure for critical systems

  • Combined Approach: Iterative assessment process

Steps to Risk Assessment

  1. Establish Context: Define the broad exposure and risk appetite

  2. Asset Identification: Identify significant assets within the organization

  3. Threat Identification: Determine possible threats to the identified assets

  4. Vulnerability Identification: Explore weaknesses in systems

  5. Analyze Risks: Specify likelihood and consequences of identified risks

  6. Documenting Results: Maintain a risk register detailing identified risks and controls
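The six steps above, worked through as a small risk register. This is an added example, not code from the textbook or the course: the assets and threats are taken from the chapter's own business-function examples, but the likelihood/consequence levels, the loss and control cost figures, the risk appetite threshold, and the rule that picks accept/mitigate/transfer/avoid are all constructed assumptions for illustration.

```python
"""Qualitative risk register built in the order of the six assessment steps.

Constructed example: every number below is an assumed value, not data from
the textbook. The treatment rule is a simple illustrative policy, not FAIR.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List


class Level(IntEnum):
    """Three-point scale used for both likelihood and consequence."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Risk:
    asset: str             # step 2: asset identification
    threat: str            # step 3: threat identification
    vulnerability: str     # step 4: vulnerability identification
    likelihood: Level      # step 5: analyze risks
    consequence: Level     # step 5: analyze risks
    expected_loss: float   # assumed annual loss if the risk materialises (cost of loss)
    control_cost: float    # assumed annual cost of the candidate control (cost of risk management)
    treatment: str = ""    # step 6: recorded decision (avoid / transfer / mitigate / accept)

    @property
    def rating(self) -> int:
        """Risk rating = likelihood x consequence, on a 1..9 scale."""
        return int(self.likelihood) * int(self.consequence)


def classify(rating: int) -> str:
    """Map a numeric rating onto the high / medium / low impact scale."""
    if rating >= 6:
        return "high"
    if rating >= 3:
        return "medium"
    return "low"


def treat(risk: Risk, appetite: int) -> str:
    """Illustrative treatment rule (an assumption, not the book's method).

    - within the risk appetite set in step 1: accept
    - control cheaper than the loss it prevents: mitigate
    - control too expensive and the risk is at the top of the scale: avoid
    - otherwise: transfer (e.g. insurance or outsourcing)
    """
    if risk.rating <= appetite:
        return "accept"
    if risk.control_cost < risk.expected_loss:
        return "mitigate"
    if risk.rating == int(Level.HIGH) * int(Level.HIGH):
        return "avoid"
    return "transfer"


def build_register(appetite: int = 2) -> List[Risk]:
    """Steps 1-6: set the appetite (context), list risks, rate and treat them.

    Returns the register sorted from highest to lowest rating.
    """
    register = [
        Risk("E-commerce site", "Attack on web front end", "Unpatched web server",
             Level.HIGH, Level.HIGH, expected_loss=500_000.0, control_cost=60_000.0),
        Risk("Author's PC", "Virus infection", "No antivirus installed",
             Level.MEDIUM, Level.LOW, expected_loss=2_000.0, control_cost=300.0),
        Risk("Warehouse application", "Server failure", "No redundant server",
             Level.MEDIUM, Level.HIGH, expected_loss=120_000.0, control_cost=200_000.0),
        Risk("Analyst workstation", "Connectivity outage", "Single network uplink",
             Level.LOW, Level.LOW, expected_loss=1_000.0, control_cost=5_000.0),
    ]
    for risk in register:
        risk.treatment = treat(risk, appetite)
    return sorted(register, key=lambda r: r.rating, reverse=True)


def format_register(register: List[Risk]) -> str:
    """Render the register as text suitable for a risk-register document."""
    lines = [f"{'Asset':<24}{'Rating':<8}{'Impact':<8}Treatment"]
    for r in register:
        lines.append(f"{r.asset:<24}{r.rating:<8}{classify(r.rating):<8}{r.treatment}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_register(build_register(appetite=2)))
```

Changing the `appetite` argument is the "establish context" step in action: raising it to 6 would move the warehouse application from transfer to accept, which is exactly the profitability-versus-survivability trade-off the chapter describes.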

Case Study: Silver Star Mines

  • Context: Global mining operation with extensive IT infrastructure

  • Decided on a combined risk assessment approach

  • Emphasis on the integrity and availability of critical systems alongside managing known threats and vulnerabilities

Summary

  • Emphasizes the necessity of performing thorough risk assessments as part of IT security management processes.