Lecture Slides-Lecture 2


  • Lecture 2

    Building an Information Risk Management Toolkit:

    Learning the Language of Risk Management: RM Theory I

    Dr. Barbara Endicott-Popovsky

  • QUICK REVIEW: Terminology

  • Risk: Undesirable effect of uncertainty on achieving business objectives

    Risk Management Framework: A system that addresses risk and reward

    Risk Management Process: A process that communicates with stakeholders about risk management and identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward

    "The purpose of risk management is to change the future, not to explain the past."

    The Book of Risk, Dan Borge

    Risk: Key Terms

  • General Approach

    identify, characterize, and assess threats

    assess the vulnerability of critical assets

    determine the risk (i.e. expected consequences of specific types of attacks on specific assets)

    identify ways to control those risks

    prioritize risk reduction measures

  • Security Design

    Threats, Vulnerabilities, Controls: controls are selected to counter the threats that can exercise the system's vulnerabilities

    (Threats + Vulnerabilities = Controls)

  • Certificate for Information Assurance and Cybersecurity


    The Role of Risk in IA

  • QUANTITATIVE RISK MANAGEMENT

  • QUALITATIVE RISK MANAGEMENT

  • Impact Definition

    Example:

    Level    Definition
    Hi       Significant impact
    Medium   Moderate impact
    Low      Tolerable impact

    Courtesy: Rick Coffey, City University

  • Probability Definition

    Example:

    Level    Definition
    Hi       More than 70% likely
    Medium   30-70% likely
    Low      Less than 30% likely

    Courtesy: Rick Coffey, City University

  • Simple Risk Matrix

    Each cell is the probability level (Low = 1, Med = 2, Hi = 3) multiplied by the impact level (Low = 1, Med = 2, Hi = 3), giving a score from 1 to 9

                         Impact
    Probability     Low    Med    Hi
    Hi               3      6      9
    Med              2      4      6
    Low              1      2      3

    The list of risks (in categories) is plotted onto the matrix to rank them

    Courtesy: Rick Coffey, City University
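    The matrix is simple enough to automate. The following is an added example (not from the lecture or from Rick Coffey's slides) that applies the probability bands, the impact levels and the probability times impact scoring from the last three slides to a constructed risk register and returns the risks in priority order, which is what the Analyze step of any of the process models on this page needs. The register itself, and the High/Medium/Low treatment bands laid over the 1..9 scores, are assumptions for illustration and are not on the slides.

```python
from dataclasses import dataclass

# Ordinal scale from the slides: Low = 1, Med = 2, Hi = 3 on both axes.
LEVEL = {"Low": 1, "Med": 2, "Hi": 3}


def probability_level(p: float) -> str:
    """Map a probability estimate in [0, 1] to the slide's bands:
    less than 30% -> Low, 30-70% -> Med, more than 70% -> Hi."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p < 0.30:
        return "Low"
    if p <= 0.70:
        return "Med"
    return "Hi"


def risk_score(prob_level: str, impact_level: str) -> int:
    """Cell value of the 3x3 matrix: probability level times impact level (1..9)."""
    return LEVEL[prob_level] * LEVEL[impact_level]


def risk_band(score: int) -> str:
    """Assumed treatment bands over the 1..9 scores (not on the slide):
    6 and 9 -> High, 3 and 4 -> Medium, 1 and 2 -> Low."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # analyst's estimate, 0..1
    impact: str         # "Low", "Med" or "Hi" per the impact definition slide


def prioritize(risks):
    """Score every risk and return (name, prob_level, impact, score, band) tuples,
    highest score first; ties are broken alphabetically so the order is stable."""
    rows = []
    for r in risks:
        pl = probability_level(r.probability)
        s = risk_score(pl, r.impact)
        rows.append((r.name, pl, r.impact, s, risk_band(s)))
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows


# Constructed sample register, for illustration only.
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", 0.80, "Hi"),
    Risk("Unpatched internet-facing web server exploited", 0.50, "Hi"),
    Risk("Unencrypted laptop lost in transit", 0.40, "Med"),
    Risk("Data centre flooding", 0.05, "Hi"),
    Risk("Shared printer outage", 0.90, "Low"),
]

if __name__ == "__main__":
    for name, pl, impact, score, band in prioritize(SAMPLE_RISKS):
        print(f"{score} {band:6} P={pl:3} I={impact:3} {name}")
```

    Note that two risks can land on the same score for very different reasons (a near-certain nuisance and a rare disaster both score 3 here); the matrix ranks them equally, and the band thresholds, not the arithmetic, are the real policy decision.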

  • Generic Risk Management Process

    Identify: Identify potential risks

    Analyze: Quantify risks into actionable priorities

    Plan: Develop risk mitigation plans

    Track: Monitor risk indicators and mitigation plans

    Control: Correct deviations from plan

    Communicate: Communicate, communicate, communicate

    Courtesy: Rick Coffey, City University

  • Continuous Process (Not Rocket Science)

    Identify: what can go wrong

    Analyze: decide what's important

    Plan: plan to mitigate targeted risks

    Track: monitor plans

    Control: take appropriate action

    Source: SEI Risk Management Paradigm

    Courtesy: Rick Coffey, City University

  • NIST Risk Management Process

    Step 1. System Characterization

    Step 2. Threat Identification

    Step 3. Vulnerability Identification

    Step 4. Control Analysis

    Step 5. Likelihood Determination

    Step 6. Impact Analysis

    Step 7. Risk Determination

    Step 8. Control Recommendations

    Step 9. Results Documentation

    Courtesy: Rick Coffey, City University

    http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf http://csrc.nist.gov/publications/nistpubs/800-37.../sp800-37-rev1-final.pdf

  • Key Points About the NIST Risk Management Process

    This is one of many RA/RM models.

    It is only a model! In the real world, we need to do what makes sense for us and our organizations (FLEXIBILITY)

    Courtesy: Rick Coffey, City University

  • "The diffusion of technology and commoditization of information transforms it into a resource equal in importance to the traditionally important resources of land, labor and capital." Peter Drucker

  • History of Risk Management

  • Historical Aspects

    The revolutionary idea that marks the boundary between modern times and ancient times is the mastery of risk:

    The idea that the future is more than a whim of the gods, and that people are not passive before nature

    Until people discovered how to cross this boundary, the future was merely a mirror of the past, or the obscure domain of oracles who held a monopoly over knowledge of coming events

    Source: Against the Gods: The Remarkable Story of Risk, Peter Bernstein

  • How It All Started

    The word "risk" comes from the early Italian risicare, meaning "to dare"

    In that sense, risk is a choice, not fate

    Freedom to choose the actions we dare to take

    TO DARE IS STILL THE BEST WAY TO LIVE

  • How It All Started

    The study of risk began in the Renaissance, when people released themselves from the constraints of the past and openly challenged sacred beliefs

    It was an era when the world was discovered and explored, and many new resources were found

    In a time of religious turbulence and the beginning of capitalism, science was vigorous and the approach to the future was bold

  • 1654: The Problem of the Chevalier de Méré

    The Chevalier de Méré, a gambler with a keen taste for games, challenged the famous mathematician Blaise Pascal to solve a puzzle that Luca Pacioli had posed 160 years before

    How should the stakes be divided when a game is interrupted while one player is ahead?

    The example used in the original publication referred to a game of balla in which six goals were required to win. If the game ended normally, the winner would take all. But what if the game stopped when one player led by five goals to three?

    Pascal asked Pierre de Fermat for help, and the result of that collaboration was pure intellectual dynamite

    It led to the discovery of probability theory, the mathematical core of the concept of risk

  • Laying the Foundation

    The solution to Pacioli's puzzle enabled people, for the first time, to make decisions and forecast the future with the help of numbers

    Previously, people could make decisions, defend their interests and do business, but without a real understanding of risk or of decision making

    As time went by, mathematicians transformed probability theory into a powerful tool for organizing, interpreting and using information

  • 18th Century Advances

    Mathematicians competed to produce new life-expectancy tables

    Marine insurance had emerged as a promising and sophisticated business in London

    Gottfried Leibniz wrote that "nature establishes patterns that originate in the return of events, but only for the most part", which led Jacob Bernoulli to the Law of Large Numbers and statistical sampling

  • 1738: The Bell Curve

    Abraham de Moivre, a French-born mathematician who worked in England, introduced the normal distribution as an approximation to the binomial distribution as the number of trials grows large

    This provided researchers with a critical tool for linking sample statistics with probability statements

  • Bernoulli and The Law of Large Numbers

    Jacob Bernoulli proved that a random sampling of items from a population has the same characteristics, on average, as the population

    He used coin flips to illustrate his point by noting that the proportion of heads (and tails) approached 50% as the number of coin tosses increased

    In the process, he laid the foundation for generalizing population properties from samples, a practice that now permeates both the social and economic sciences

  • 1763: Bayesian Statistics

    Bayes' essay, published in 1763, gave a simple way of updating existing beliefs in the light of new evidence

    In Bayesian statistics, the existing beliefs are called prior probabilities, and the revised values after considering the new evidence are called posterior probabilities (the probability of the hypothesis conditional on the evidence)

    Bayes provided a powerful tool for researchers who wanted to use probabilities to assess the likelihood of negative outcomes, and to update these probabilities as events unfolded

    In addition, Bayes' rule allows us to start with subjective judgments about the likelihood of events and to modify these judgments as new data or information about those events becomes available
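    As an added worked example (not part of the lecture), here is the prior-to-posterior update described above applied to a security question: the probability that a host is compromised, starting from a base rate and revised first by an IDS alert and then by an outbound connection to a known command-and-control domain. The base rate and the detectors' sensitivities and false-positive rates are assumed numbers chosen for illustration.

```python
def bayes_update(prior: float, p_e_given_h: float, p_e_given_not_h: float) -> float:
    """Posterior P(H | E) from the prior P(H), the sensitivity P(E | H) and the
    false-positive rate P(E | not H):

        P(H | E) = P(E | H) P(H) / (P(E | H) P(H) + P(E | not H) (1 - P(H)))
    """
    for v in (prior, p_e_given_h, p_e_given_not_h):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"probability out of range: {v}")
    joint_h = p_e_given_h * prior                 # P(E and H)
    joint_not_h = p_e_given_not_h * (1.0 - prior)  # P(E and not H)
    if joint_h + joint_not_h == 0.0:
        raise ValueError("evidence has zero probability under both hypotheses")
    return joint_h / (joint_h + joint_not_h)


def update_sequence(prior: float, evidence):
    """Apply bayes_update once per piece of evidence, feeding each posterior in
    as the next prior. This chaining is only valid when the pieces of evidence
    are conditionally independent given H. Returns the posteriors in order."""
    posteriors = []
    belief = prior
    for p_e_h, p_e_not_h in evidence:
        belief = bayes_update(belief, p_e_h, p_e_not_h)
        posteriors.append(belief)
    return posteriors


# Constructed scenario: H = "this host is compromised", assumed base rate 1%.
PRIOR_COMPROMISED = 0.01
EVIDENCE = [
    # (P(E | compromised), P(E | clean)) -- assumed detector characteristics
    (0.90, 0.05),   # IDS signature alert: 90% sensitivity, 5% false-positive rate
    (0.60, 0.001),  # outbound connection to a known command-and-control domain
]

if __name__ == "__main__":
    for step, p in enumerate(update_sequence(PRIOR_COMPROMISED, EVIDENCE), 1):
        print(f"after evidence {step}: P(compromised) = {p:.4f}")
```

    The first update is the base-rate lesson every SOC learns: a 90%-sensitive alert with a 5% false-positive rate, fired against a 1% base rate, leaves the host only about 15% likely to be compromised. The second, far more specific observation is what pushes the posterior above 99%.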

  • The Use of Data

    In 1662, John Graunt created one of the first mortality tables by counting, for every one hundred children born in London in each year from 1603 to 1661, how many were still living

    In the course of constructing the table, Graunt not only refined the use of statistical tools and measures with large samples but also considered ways of dealing with data errors

    He estimated that while 64 out of every 100 survived to age 6, only 1 in 100 survived to age 76

    In an interesting aside, Graunt estimated the population of London in 1663 to be only 384,000, well below the then prevailing estimate of six to seven million

    He was eventually proved right: London's population did not exceed 6 million until three centuries later

    In 1693, Edmond Halley, the English astronomer and mathematician, constructed the first life table from observations and devised a method for valuing life annuities

    Halley pointed out that the government, which was then selling life annuities to citizens, was pricing them too low and was setting the price without regard to the age of the annuitant

  • The Insurance View of Risk

    As early as 1000 BC, the Babylonians developed a system under which merchants who borrowed money to fund shipments could pay an extra amount to cancel the loan if the shipment was stolen

    The Greeks and the Romans initiated life insurance with benevolent societies that cared for the families of members who died

    However, the development of the insurance business was stymied by the absence of ways to measure risk exposure

    The advances in assessing probabilities and the subsequent development of statistical measures of risk laid the basis for the modern insurance business

  • The 1950s: The Markowitz Revolution

    By 1950, investors in financial markets were using measures of risk based on past prices and accounting information, in conjunction with broad risk categories based on security type and issuer reputation, to make judgments about risk

    However, there was no consensus on how best to measure risk, or on the exact relationship between risk and expected return

    Markowitz changed the way we think about risk by linking the risk of a portfolio to the co-movement between the individual assets in that portfolio: diversification

  • Key Developments in Risk Analysis and Evolution of Risk Measures

    Key Event | Time Frame | Risk Measure Used

    Risk considered to be either fated, and thus impossible to change, or divine providence, in which case it could be altered only through prayer or sacrifice | Pre-1494 | None or gut feeling

    Luca Pacioli posits his puzzle with two gamblers in a coin-tossing game | 1494 |

    Pascal and Fermat solve the Pacioli puzzle and lay the foundations for probability estimation and theory | 1654 | Computed probabilities

    Graunt generates a life table using data on births and deaths in London | 1662 |

    Bernoulli states the law of large numbers, providing the basis for sampling from large populations | 1711 | Sample-based probabilities

    de Moivre derives the normal distribution as an approximation to the binomial; Gauss and Laplace refine it | 1738 |

    Bayes publishes his treatise on how to update prior beliefs as new information is acquired | 1763 |

    Insurance business develops, and with it come actuarial measures of risk based on historical data | 1800s | Expected loss

    Bachelier examines stock and option prices on Paris exchanges and defends his thesis that prices follow a random walk | 1900 | Price variance

    Standard Statistics Bureau, Moody's and Fitch start rating corporate bonds using accounting information | 1909-15 | Bond and stock ratings

    John von Neumann, Stanislaw Ulam and Nicholas Metropolis coin the term "Monte Carlo method" while working on nuclear weapon projects at Los Alamos (Monte Carlo methods are a class of computational algorithms that rely on repeated random sampling to compute their results) | 1940s |

    Markowitz lays the statistical basis for diversification and generates efficient portfolios for different risk levels | 1952 | Variance added to portfolio

    Sharpe and Lintner introduce a riskless asset and show that combinations of it and a market portfolio (including all traded assets) are optimal for all investors; the CAPM is born | 1964 | Market beta

    Risk and return models based on alternatives to the normal distribution: power law, asymmetric and jump-process distributions | 1960s |

    Using the no-arbitrage argument, Ross derives the arbitrage pricing model; multiple market risk factors are derived from historical data | 1976 | Factor betas

    Macroeconomic variables examined as potential market risk factors, leading to the multi-factor model | 1986 | Macroeconomic betas

    Fama and French, examining the link between stock returns and firm-specific factors, conclude that market cap and book-to-price are better proxies for risk than beta or betas | 1992 | Proxies
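    The 1940s row defines Monte Carlo methods as repeated random sampling. This added example (not from the lecture or from the table's source) shows the most direct quantitative-risk use of that idea: estimating a year's expected loss, the actuarial "expected loss" measure of the 1800s row, together with its tail percentiles, by simulating many years of incidents. The frequency and severity distributions (Poisson event count, lognormal cost per event) and their parameters are assumptions chosen for illustration, and a closed-form expected loss is included so the simulation can be checked against it.

```python
import math
import random


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw one Poisson(lam) variate (Knuth's multiplication method; fine for small lam)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(trials: int, lam: float, mu: float, sigma: float, seed: int = 12345):
    """Repeated random sampling of one year of losses, `trials` times.
    Frequency: number of loss events in a year ~ Poisson(lam) (assumed).
    Severity:  cost of each event ~ lognormal(mu, sigma) (assumed).
    Returns the list of simulated annual loss totals."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    years = []
    for _ in range(trials):
        n_events = poisson_sample(rng, lam)
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return years


def percentile(values, q: float):
    """Nearest-rank percentile of a list of numbers (q in 0..100)."""
    s = sorted(values)
    idx = min(len(s) - 1, max(0, math.ceil(q / 100 * len(s)) - 1))
    return s[idx]


def summarize(years):
    """Risk measures read off the simulated distribution."""
    return {
        "expected_loss": sum(years) / len(years),
        "p_no_loss": sum(1 for y in years if y == 0.0) / len(years),
        "p95": percentile(years, 95),
        "p99": percentile(years, 99),
    }


def analytic_expected_loss(lam: float, mu: float, sigma: float) -> float:
    """Closed form to sanity-check the simulation: lam * E[severity], where
    E[lognormal(mu, sigma)] = exp(mu + sigma^2 / 2)."""
    return lam * math.exp(mu + sigma ** 2 / 2)


# Assumed parameters: 2 incidents per year on average, median incident cost 10,000.
LAMBDA, MU, SIGMA = 2.0, math.log(10_000), 1.0

if __name__ == "__main__":
    years = simulate_annual_losses(20_000, LAMBDA, MU, SIGMA)
    stats = summarize(years)
    print(f"simulated expected annual loss: {stats['expected_loss']:,.0f}")
    print(f"analytic expected annual loss:  {analytic_expected_loss(LAMBDA, MU, SIGMA):,.0f}")
    print(f"years with no loss:             {stats['p_no_loss']:.1%}")
    print(f"95th / 99th percentile year:    {stats['p95']:,.0f} / {stats['p99']:,.0f}")
```

    The expected loss alone is the number an insurer prices on; the 95th and 99th percentile years are what a budget or a retention decision has to survive, and they are several times the mean for a right-skewed severity distribution like this one. Only the simulation gives you those tail values; the closed form gives the mean and nothing else.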

  • What is Risk Management?

    Risk management is a scientific approach to the problem of dealing with the pure risks facing individuals and organizations

    It evolved from corporate insurance management, which focused on the risk of accidental loss to assets and income of the organization

  • History of Modern Risk Management

    The general use of the term risk management began in the early 1950s

    One of the early discussions of risk management in the academic literature appeared in a 1956 Harvard Business Review article ("Risk Management: New Phase of Cost Control", by Russell Gallagher)

    Gallagher proposed that someone within the organization should be responsible for managing the organization's pure risks

  • Development of Risk Management

    Evolution from corporate insurance buying

    Year Milestone

    1929 Corporate insurance buyers met informally in Boston to discuss mutual problems

    1931 American Management Association establishes Insurance Division

    1932 Insurance Buyers of New York formed

    1950 National Association of Insurance Buyers formed

  • Development of Risk Management

    The emergence of risk management was a revolution that signaled a dramatic shift in philosophy

    It occurred when the attitude toward insurance changed and insurance lost its traditional status as the standard approach for dealing with risk

    Question: why did the change occur when it did?

  • The Shift in Philosophy

    The insurance manager's function was to buy insurance

    While these buyers attempted to get the most coverage for the insurance dollar, they could hardly be criticized for buying insurance: that was their job

    Something other than mere evolution triggered the shift

    The shift coincided with a reappraisal of the business school curriculum in the U.S. in the 1950s and 1960s: the introduction of operations research and management science

  • Operations research and management science

    Originated in World War II

    Developed through engineering applications in post-war military and aerospace programs

    Emphasized cost-benefit analysis, expected value, and a scientific approach to decision-making under uncertainty

    Led to a shift from descriptive to normative decision theory

  • Insurance Faculty and the Shift

    Insurance faculty were among the first to embrace decision theory

    Many were trained in actuarial science

    Most had an inventory of interesting questions relating to decision making under uncertainty

    They not only questioned the central role that had been granted to insurance, but developed the theoretical justification for the challenge

  • Insurance Buyers and the Shift

    Some insurance buyers intuitively (and independently) reached the same conclusions about the supposed supremacy of insurance in dealing with risk as the academics who applied the new decision models

    Many concepts of modern risk management that originated in academia were taken over and applied in the corporate world

  • Origins of Risk Management

    Risk management grew out of a merger of engineering applications in military and aerospace programs, financial theory, and insurance

  • Risk Management Defined

    Risk management is a scientific approach to dealing with pure risks by anticipating possible accidental losses and designing and implementing procedures that minimize the occurrence of loss or the financial impact of the losses that do occur

  • Nature of Risk Management

    Scientific approach to dealing with pure risks

    Broader than insurance management

    Differs from insurance management in philosophy

  • Scientific Approach

    Risk management depends on rules (laws) derived from general experience through deduction, and on precepts drawn from other disciplines, especially decision theory

    Although risk management is not a science in the same sense as the physical sciences, this does not preclude its use of the scientific method

  • Distinguishing Characteristics

    Broader than insurance management

    Because it evolved from insurance management, risk management is concerned primarily with insurable risk

    However, the risk manager's responsibility is broader, and includes both insurable and uninsurable pure risks

  • Risk Management Tools

    Risk Control: Avoidance, Reduction

    Risk Financing: Retention, Transfer

  • Executive Director, Risk Management UW

  • Risk Management Process

    1. Determination of objectives

    2. Identification of risks

    3. Evaluation of risks

    4. Consideration of alternatives and selection of the tool

    5. Implementing the decision

    6. Evaluation and review

  • Evaluation of Risks

    Critical: Severe financial impact (e.g., losses that could result in bankruptcy)

    Important: Moderate financial impact (e.g., losses that would require resort to credit)

    Unimportant: Modest financial impact (e.g., losses that could be met from existing assets or cash flow)

  • Misconceptions About Risk Management

    Two misconceptions have developed concerning risk management:

    1. The risk management concept is applicable principally to large organizations

    2. The risk management approach seeks to minimize the role of insurance

  • What is Information Risk Management?

  • Information Risk Management

    Information risk management is directed towards assessing, mitigating (to an acceptable level) and monitoring risks associated with information

    The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets

  • IRM Activities

    Assessing, Mitigating, Monitoring

  • Principal Goal of the IRM Process

    Organization, Mission, IT Assets: protect the organization and its mission, not just the IT assets

  • IRM Methodologies (Sample)

    National Institute of Standards & Technology (NIST) Methodology

    OCTAVE

    FRAP

    Risk Watch

    ISO (introduced last week)

  • NIST

    800-30, Risk Management Guide for Information Technology Systems

    http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

    Foundation for the development of an effective RM program

    Includes definitions and practical guidance for assessing and mitigating risks identified within an IT system

    Also provides information on selecting cost-effective security controls

    Goal is to help organizations better manage IT-related mission risks

    Small, to-the-point, and scalable from a single server to an entire IT enterprise

    Quants hate it, but for quals and Government, it's good enough

    Private sector

  • NIST 800-30: Seven Key Roles

    Senior Management: Ultimate responsibility for mission accomplishment

    Chief Information Officer: Responsible for the agency's IT planning, budgeting, and performance, including its InfoSec components

    System and Information Owners: Responsible for ensuring proper controls are in place to address the integrity, confidentiality and availability of the IT systems and data they own

    Business and Functional Managers: Responsible for business operations and the IT procurement process; also play a key role in risk management

    ISSO: Responsible for the organization's security program, including risk management

    IT Security Practitioners: Responsible for proper implementation of security requirements in the IT system

    Security Awareness Trainers: Develop training materials and incorporate risk assessment into training programs to educate end users

  • NIST 800-30 Definitions: Security Primitives

    Threat: the potential for a threat source to exercise a specific vulnerability

    Examples?

    Vulnerability: a weakness that can be accidentally triggered or intentionally exploited

    Examples?

    Risk: a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization

  • NIST 800-30 Definitions: Controls

    System controls: risk-reducing measures

    Management Controls: Focus on the stipulation of information protection policy, guidelines and standards, which are carried out through operational procedures to fulfill the organization's mission and goals

    Technical Controls: Technical configurations for risk mitigation

    Operational Controls: A set of guidelines or controls to ensure that the security procedures governing the use of the organization's IT assets and resources are properly enforced and implemented in accordance with the organization's goals and mission

  • NIST 800-30 Risk Mitigation Options

    Risk Assumption: To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level

    Risk Avoidance: To avoid the risk by eliminating the risk cause and/or consequence

    Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability

    Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls

    Research and Acknowledgment: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct it

    Risk Transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance

  • NIST 800-30 Risk Mitigation Methodology

  • OCTAVE

    Software Engineering Institute (SEI) at Carnegie Mellon University

    Stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation

    Goal is to help organizations improve their ability to manage and protect themselves from information security risks

    Workshop-based

    Premise: an organization understands its risks better than a tool does, and decisions will be made by the organization rather than by a tool

  • OCTAVE: 3 Phases of Workshops

    Phase 1

    Process 1: Identify Senior Management Knowledge

    Process 2 (multiple): Identify Operational Area Management Knowledge

    Process 3 (multiple): Identify Staff Knowledge

    Process 4: Create Threat Profiles

    Phase 2

    Process 5: Identify Key Components

    Process 6: Evaluate Selected Components

    Phase 3

    Process 7: Conduct Risk Analysis

    Process 8: Develop Protection Strategy (workshop A: strategy development; workshop B: strategy review, revision, approval)

  • FRAP

    Facilitated Risk Analysis Process (Peltier)

    Qualitative, but faster and simpler

    Facilitator + small group of subject matter experts

    Steps

    Brainstorming to identify threats

    Assign a probability score and an impact score to each threat

    Identify and assign controls/safeguards

    Management summary

  • FRAP Definitions

    Threat: undesirable event that could impact the business objectives or mission of the target asset(s)

    Examples?

    Probability: how likely an event is to occur (H/M/L)

    Impact: potential effect a risk may have on asset(s) (H/M/L)

    Control/Safeguard: measure taken to detect, prevent, minimize, or eliminate risk

    Examples?

  • Risk Watch

    http://www.riskwatch.com

    Tool

    Uses an expert knowledge database to walk the user through a risk assessment

    Reports on compliance and advises on managing the risks

    Includes statistical information to support quantitative risk assessment

    ROI

    Several products, each focused on different compliance needs

  • Risk Watch Products

    Risk Watch for HIPAA Compliance

    Risk Watch for Hospital Security

    Risk Watch for Banks (& Financial Institutions)

    Risk Watch for Hospital Security & California 1257.7

    Risk Watch for Credit Unions & NCUA

    Risk Watch for Physical, Corporate & Homeland Security

    Risk Watch for Information Systems & ISO 27001

    Risk Watch for University & College Security

    Risk Watch for PCI (Payment Card) Compliance

    Risk Watch Benchmarking Tools for Corporate Security

    Risk Watch for NERC Compliance

    Risk Watch for NEI 04-04 (Nuclear Cybersecurity Compliance)

    Risk Watch Benchmarking Tools for Information Systems

  • "Risk should be managed to an acceptable level, based on the enterprise's risk appetite, with decision-making guided by a risk assessment model. A structured, consistent and repeatable process for making the risk/reward calculation helps to ensure that it is done consistently across the organization." Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards, an industry initiative sponsored by RSA (http://www.rsa.com/innovation/docs/CISO_RPT_0808.pdf)

    Addressed in current state of the art?

  • Key Concepts

    Risk Management

    Dictionary definition: activity directed towards assessing, mitigating (to an acceptable level) and monitoring of risk

    Alternative definition: a process aimed at an efficient balance between realizing opportunities for gains and minimizing vulnerabilities and losses

    Which is more relevant in the context of the risk/reward equation associated with information risk?

  • Key Concepts

    Risk Assessment: The determination of the quantitative or qualitative value of risk related to information

    Security Controls: Activities or technology solutions that address risk (or mitigate it to an acceptable level)

    Governance: Set of responsibilities and practices exercised by the enterprise's board of directors and executive management with the goal of providing strategic direction, ensuring objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly

    Compliance: Either a state of being in accordance with established guidelines, specifications, or legislation (e.g. GLBA, HIPAA, SOX, PCI etc.) or the process of becoming so

  • Key Concepts

    Policy: High-level statement of executive management's intent or direction

    Standards: Metrics, allowable boundaries or the process used to determine whether processes meet policy requirements

    Procedures: Detailed descriptions of the steps necessary to perform specific operations in conformance with applicable standards

    Guidelines: Suggested actions or recommendations related to an area of InfoSec policy, intended to supplement a procedure. Unlike standards, implementation of guidelines may be at the discretion of the organization

  • Todays organizations are concerned about GRC:

    Governance

    (Enterprise) Risk Management

    Compliance

  • HOMEWORK: Download / Study NIST Special Publications

    Download, study and compare/contrast the NIST Risk Management guidelines discussed in Special Publications 800-30, -37, -39 and -53. You will be working individually. You will download and skim several NIST Special Publications, extracting key concepts:

    NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
    (http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)

    NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    (http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf)

    NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
    (http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf)

    NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations
    (http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf)

    We will engage in discussions about these