12/18/2017
1
This document is licensed with a Creative Commons Attribution 4.0 International License ©2017
Module 3 – Risk Management Tools and Techniques
Unit 1: Fundamentals of Risk Management
Learning Outcomes
Upon completion of this lesson, students will be able to:
• Distinguish the difference between risk management tools and techniques
• Identify the appropriate tool for different scenarios
• Apply risk management tools and techniques to cybersecurity risk assessments
Module 3 Outline: Risk Management Tools and Techniques
• RM Tools and Techniques
• Preliminary Hazard Analysis (PHA)
• Hazard and Operability Analysis (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Fault Tree Analysis (FTA)
• Cause and Consequences Analysis (CCA)
• The principle of As Low As Reasonably Practicable (ALARP)
• Integrating risk management concepts into cybersecurity risk assessments
Risk Management Tools and Techniques
Preliminary Hazard Analysis (PHA)
• Initial assessment of the hazards and their corresponding accidents
• Identifies hazards, hazardous situations and events for a given activity, facility or system
Hazard and Operability Analysis (HAZOP)
• Structured and systematic technique for system examination and risk management
• Identifies and evaluates problems that may represent risks to personnel, equipment, and operations
Job Safety Analysis (JSA)
• Emphasizes job safety by analyzing workplace hazards
• Identifies hazards associated with each step of any job or task that has the potential to cause serious injury
Failure Mode & Effects Analysis (FMEA)
• Design tool for systematic analysis of component failures and their effects on system operations
• Identifies potential design and process failures before they occur and proposes changes to design or operational procedures
Fault Tree Analysis (FTA)
• Deductive top-down modeling technique used to analyze how an unwanted event or a failure can occur
• Identifies linkages between segments in a causal chain of events
Cause-Consequence Analysis (CCA)
• Combines two different types of tree structures for analyzing consequence chains
• Shows the way various factors may combine to cause a hazardous event, with the ability of event trees to show the various possible outcomes
As Low As Reasonably Practicable (ALARP)
• Fundamental approach that sets the risk to the tolerable, reasonable, and practical level
• Provides guidance on when further reducing the likelihood and consequences of risk events may be disproportionate to the time, cost and physical difficulty of implementing risk treatments
Tools and Techniques Comparison
Preliminary Hazard Analysis (PHA)
• Brief description: Initial assessment of hazards and their consequences
• General purpose: Identifying hazardous situations for a given system
• Typical application: Initial risk study at an early stage of a project; initial step of a detailed risk analysis; for a system concept or an existing system
• How to apply: PHA worksheet
Hazard and Operability Study (HAZOP)
• Brief description: Qualitative assessment of system operability
• General purpose: Identifying deviations from the design and operating intent and their consequences
• Typical application: General-purpose; suitable for highly monitored performance and detailed design requirements
• How to apply: Use HAZOP worksheet; extend with JSA, FTA, or CCA where applicable
Failure Mode & Effects Analysis (FMEA)
• Brief description: Quantitative assessment of failures in design, process, or system
• General purpose: Analyzing elements of a system and their interactions
• Typical application: General-purpose; suitable for highly monitored performance and detailed design requirements
• How to apply: Use FMEA worksheet; extend with JSA, FTA, or CCA where applicable
Tools and Techniques Comparison (Cont.)
Fault Tree Analysis (FTA)
• Brief description: Top-down modeling and graphical technique used to analyze how a failure can occur
• General purpose: Maps the causal chain of events by connecting hazards and events that can bring about failure
• Typical application: General-purpose; understanding large and complex systems
• How to apply: Boolean logic; fault tree diagram
Cause-Consequence Analysis (CCA)
• Brief description: Graphical technique for analyzing cause and consequence chains
• General purpose: Shows how factors may combine to cause hazardous events and consequences
• Typical application: Examining complex event chains
• How to apply: Bowtie diagram; FTA; ETA
As Low As Reasonably Practicable (ALARP)
• Brief description: Sets the risk to the tolerable, reasonable, and practical level
• General purpose: To reduce the risks to the reasonable level at which the benefits arising from further risk reduction are disproportionate to the time, trouble, cost and physical difficulty of implementing further risk reduction measures
• Typical application: When evaluating whether to implement proposals, control and preventive measures
• How to apply: Carrot diagram; cost-benefit analysis if needed
Cause and Consequences Analysis (CCA)
Cause and Consequences Analysis (CCA) Definition
• Analytical method for tracing and exposing the chains of events related to a particular risk event of interest
• Visual chronological description of failures from their initiation to the final outcomes
• Uses graphical sub-tools and diagrams
Where and when to use CCA
• Illustrating the relationships between causes and consequences, especially when examining complex causal event chains where many possible causes and consequences connect to a single event
• Analysis of security and safety problems
• Determining requirements for risk management in the design and development of a new system
• Assessing existing system’s performance standards, risk management strategies, and accountability
• Managing risk as well as a support for other tools such as FMEA and HAZOP
Bowtie diagram for CCA
Event tree analysis - hypothetical example
Initiating event: a cyber attacker sends a phishing e-mail with malicious code as the payload. Each branch carries the probability shown on the slide; the outcomes are listed with their probabilities as given on the slide.
• User rejects the phishing e-mail (p=0.7): outcome: no damage (p=0.7)
• User accepts the phishing e-mail and clicks on the link (p=0.3)
  • Anti-virus detects the malware and deletes it (p=0.9): outcome: no damage (p=0.027)
  • Anti-virus does not recognize the malware; malware is dropped into the user network (p=0.1)
    • Sensitive data is encrypted; attacker steals data but cannot decrypt all information (p=0.3): outcome: limited damage; user needs to assign financial resources to recover the damage (p=0.0009)
    • Sensitive data is not encrypted; attacker steals sensitive data (p=0.7): outcome: extreme damage; sensitive data is used to disrupt the user's activities and the user loses reputation (p=0.0021)
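The probability of each outcome in an event tree is the product of the branch probabilities along its path, and the branches of every pivotal event must sum to 1. The following is an added example, not from the slides, that encodes the phishing tree above with the slide's branch probabilities, validates the branches, and computes the outcome probabilities (labels are the author's own wording of the slide's outcomes):

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Event tree analysis (ETA) of the phishing scenario from the slide (added example).
# Branch probabilities are the ones on the slide; outcome probabilities are the
# product of the branch probabilities along each path.

@dataclass
class Node:
    """A pivotal event (a question with branches) or, when branches is empty, an outcome."""
    label: str
    branches: list[tuple[float, Node]] = field(default_factory=list)

def leaf(label: str) -> Node:
    return Node(label)

# Tree from the slide: initiating event is a phishing e-mail carrying malicious code.
PHISHING_TREE = Node(
    "User reaction to the phishing e-mail",
    [
        (0.7, leaf("No damage: user rejects the phishing e-mail")),
        (0.3, Node("Anti-virus reaction to the dropped malware", [
            (0.9, leaf("No damage: anti-virus detects the malware and deletes it")),
            (0.1, Node("Is the sensitive data encrypted?", [
                (0.3, leaf("Limited damage: attacker steals data but cannot decrypt all of it")),
                (0.7, leaf("Extreme damage: attacker steals sensitive data and disrupts the user")),
            ])),
        ])),
    ],
)

def validate(node: Node) -> None:
    """Each pivotal event's branches form a complete partition, so they must sum to 1."""
    if not node.branches:
        return
    total = sum(p for p, _ in node.branches)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branches of '{node.label}' sum to {total}, not 1")
    for _, child in node.branches:
        validate(child)

def outcome_probabilities(node: Node, path_p: float = 1.0) -> dict[str, float]:
    """Walk every path and return {outcome label: probability of reaching that outcome}."""
    if not node.branches:
        return {node.label: path_p}
    result: dict[str, float] = {}
    for p, child in node.branches:
        result.update(outcome_probabilities(child, path_p * p))
    return result

def damage_probability(node: Node) -> float:
    """Probability of any outcome other than 'No damage' (what the defender wants to drive down)."""
    return sum(p for label, p in outcome_probabilities(node).items()
               if not label.startswith("No damage"))

if __name__ == "__main__":
    validate(PHISHING_TREE)
    for label, p in outcome_probabilities(PHISHING_TREE).items():
        print(f"{p:.4f}  {label}")
    print(f"total damage probability: {damage_probability(PHISHING_TREE):.3f}")
```

With the slide's branch probabilities the four outcomes come to 0.7, 0.27, 0.021 and 0.009, which sum to 1; the overall probability of damage is 0.03.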
Generalized steps for CCA
1. Define the system of interest
2. Identify the primary event
3. Generate the initiating chain (similar to FTA if applicable)
   • Determine the underlying causes of the event
   • For each underlying cause, identify the causes or initiating events
   • Repeat until the underlying cause becomes uncontrollable
4. Generate the damage chain (similar to ETA if applicable)
   • Determine follow-up events
   • For each follow-up event, identify the consequences
   • Repeat until all outcomes are exhausted
Event Tree Analysis (ETA) for TARGET example
Preliminary Hazard Analysis (PHA)
PHA: Preliminary Hazard Analysis
• A semi‐quantitative approach to develop an initial listing of potential hazards, hazardous situations or events
• A broad appraisal of risk events and is typically done early in a product or system development
• Also known as Preliminary Risk Assessment (PRA), Rapid Risk Ranking or Hazard Identification (HAZID)
Where and When to Use PHA
• Preliminary study in the early stages of the design process, especially safety‐related requirements
• In support of identification and development of system or product specifications
• Towards detailed risk analysis of an existing project, product or system, i.e. a precursor to further detailed studies
Where and When to Use PHA (Cont.)
• Can be used to initiate the formation of a hazard log
• A hazard log, aka risk register or risk log, tracks information about a hazard from its initial identification to its proposed control
• A hazard log facilitates the continuous monitoring of hazards
Generalized Steps for PHA
1. Define the system and scope of study
2. Identify possible hazards
3. Describe the accidents that can be caused by the hazards, as well as their consequences
4. Identify potential causes of how the accidents identified in (3) can occur
5. Evaluate each cause according to the likelihood that it can occur and the severity of its consequences
6. Rank hazards in terms of (5)
7. Determine recommended preventive and control measures to address the hazards, the causes, and their consequences
Preliminary Hazard Analysis (PHA) for TARGET Example
Worksheet columns:
(1) Hazards: What are the possible hazards?
(2) Accidents: What could be the harm of the hazard?
(3) Potential causes: How might the accident occur?
(4) Likelihood (L) rating scale: What is the likelihood of occurrence?
(5) Severity (S) rating scale: How significant is the harm?
(6) Risk score: L x S, used for ranking
(7) Possible controls: What can be done?
Row 1
• Hazard: Customer credit and debit card information stolen
• Accidents: Cost for re-issuing credit and debit cards; costs for lawsuits; reputation; loss of customers
• Potential cause: An intrusion of malware not detected
• L = 2, S = 8, Risk score = 16
• Possible controls: Determine technical vulnerabilities where the intrusion can happen (e.g. not up-to-date OS software); analyze processes where external dependency (e.g. vendor portal) takes place
Row 2 (same hazard and accidents)
• Potential cause: Exfiltration not detected
• L = 1, S = 10, Risk score = 10
• Possible controls: Enable stricter corporate network segregation; utilize SIEM products for ranking and prioritization of anomalies; train personnel for cyber security monitoring services
Hazard and Operability Analysis (HAZOP)
HAZOP: Hazard and Operability Analysis Definition
• A top‐down qualitative approach, as opposed to semi‐quantitative like PHA.
• Also used to determine potential hazards in a process, operation, or system
• Systematically identifies possible deviations from the design and operating intent and determines how these deviations may eventually become hazards
HAZOP ‐ Operability
• The term operability in HAZOP pertains to the focus on hazards resulting from operations or processes that are performed beyond the range of the intended design (hence again, the emphasis on deviation)
HAZOP vs PHA
• Unlike PHA, HAZOP’s qualitative nature does not attempt to quantify or rate hazards
• Likelihood and severity ratings are omitted
• Thus, it does not typically prioritize risk
HAZOP: Hazard and Operability Analysis
• Documents existing preventive and control measures
• Recommendations focus on additional measures that are needed
Where and When to Use HAZOP
• Originally intended for analyzing accidents that affect human health and safety
• Often adopted as a general-purpose risk management tool
• Similar to PHA, it is applicable during the design phase of a project, or a product or system development, to determine specifications
Where and When to Use HAZOP (Cont.)
• Also often applied to already existing systems to improve safety and minimize operational risk
• Useful for periodic review throughout the life of the system to accommodate changes within the system and its environment
• Used as supporting documentation for hazard logs
Generalized Steps for HAZOP
1. Define the system and scope of study
2. Divide the system into nodes and define each node's design intent
3. For each node, identify node elements such as material, input, process step or operation
4. Define the element's relation to the design intent, performance measure, and acceptable range of performance (parameters)
5. Define the deviation by selecting a process guideword and pairing it with a parameter
6. Establish the causality of the deviation with potential hazards; describe the consequences of each hazard
7. Identify existing preventive and control measures to address the hazard
8. Determine recommendations for additional controls to address the hazard
Hazard and Operability Analysis (HAZOP) for TARGET Example
HAZOP for TARGET Example
Worksheet columns:
(1) Element: Describe what the guide word pertains to (material, input, process step, etc.): People, Process, Technology
(2) Deviation: What can go wrong (describe the deviation)
(3) Possible causes: How can the deviation occur?
(4) Consequences: What may happen if the deviation occurs?
(5) Safeguards (preventive): List controls that prevent the deviation from occurring
(6) Safeguards (reactive): List controls that can address the deviation while it is occurring
(7) Actions required: Identify any additional controls or actions
Example row
• Element: Technology
• Deviation: Unauthorized code installed in the POS terminals
• Possible causes: POS terminals accept unauthorized software
• Consequences: Malware can be installed in the POS terminals; operations may be disrupted or sensitive data may be stolen
• Safeguards (preventive): Only manufacturer-authorized apps are allowed for installation on POS terminals; sensitive data is encrypted; sensitive data is stored in hardware
• Safeguards (reactive): Isolation of infected POS from other parts of the network
• Actions required: Add security protocols to the POS software development process; add whitelisting property into the POS machines; use anti-virus and host-based intrusion detection systems
Failure Mode and Effects Analysis (FMEA)
FMEA: Failure Mode and Effects Analysis Definition
• A top‐down quantitative technique applied to identify failures in a design, a process, a system or an existing product, equipment or service
• Used to analyze elements or components of a system, their interactions, and their effects on the operation of the system as a whole
FMEA: Failure Mode and Effects Analysis
• Failure modes pertain to ways in which functional elements may fail
• Effects analysis establishes and describes the consequences of those failures, and the ability to prevent, control and mitigate those failures
FMEA ‐ Similarities with the Other Methods
• Like HAZOP, also examines how existing system capabilities detect failures and manage such failures
• Failures are ranked based on the likelihood and consequences, as well as the propensity to detect and manage if they do occur
• Similar to PHA, assesses the likelihood of occurrence (unlike HAZOP and JSA)
Where and When to Use FMEA
• To study a variety of systems and products that are more detailed and complex such as those in the aviation and electronics industry
• Applicable in both the design and operation phases, particularly in the development of operational risk management strategies
Where and When to Use FMEA (Cont.)
• Re-designing existing systems for a new application
• Risk auditing and accident investigations
• Periodic review throughout the life of the system to accommodate changes within the system and its environment
Generalized Steps for FMEA
1. Define the system and scope of study
2. Identify key functional objectives
3. For each objective, identify the ways failure can occur (the failure modes)
4. For each failure mode, identify the consequences (effects) if failure occurs
5. Rate the consequences in terms of severity
6. Identify the root causes for each failure mode
7. Rate each root cause in terms of chance of occurrence
8. Identify current preventive and control measures for each root cause
9. For each root cause and failure, rate how well or early they can be detected and addressed
10. Calculate the risk priority number (RPN) based on the consequences, occurrence, and detection
11. Identify failures that are considered critical
12. Determine additional preventive or control measures as needed
Failure Mode and Effects Analysis for TARGET Example
Worksheet columns:
(1) Function/Process: What can go right; what is supposed to happen
(2) Potential failure modes: What are the ways that prevent the process or function from achieving this objective?
(3) Potential effect(s) of failure: What is the consequence of the failure?
(4) Severity (S): How significant is the impact?
(5) Potential cause(s) of failure: How can the failure occur?
(6) Occurrence rating (L): What is the likelihood of occurrence?
(7) Current design controls (prevent): What is in place so that failure is prevented?
(7) Current design controls (detect): What is in place so that failure is controlled?
(8) Detection rating (D): How effective are the measures? (less effective: higher numbers)
(9) RPN: L x S x D
(10) Recommended actions: What can be done?
Function/Process: Vendors access Ariba External Billing System (Target's vendor portal)
Potential failure mode: Entities other than authorized vendors can access Ariba
Potential effect of failure: Unauthorized users can access further parts of the network
Severity (S): 9
Cause 1
• Potential cause: Vendor credentials compromised
• Occurrence rating (L): 3
• Current design controls (prevent): Vendor policies in effect to prevent compromise
• Current design controls (detect): Encryption of some of the sensitive data
• Detection rating (D): 10
• RPN: 3 x 9 x 10 = 270
• Recommended actions: Multi-factor authentication; encryption of sensitive data
Cause 2
• Potential cause: Brute force of Ariba credentials
• Occurrence rating (L): 5
• Current design controls (prevent): Password needs update periodically
• Current design controls (detect): Network anomaly detection services are in place
• Detection rating (D): 3
• RPN: 5 x 9 x 3 = 135
• Recommended actions: Strong password policy
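Both worksheets on the slides reduce to a product of ratings: the PHA risk score (L x S) in the TARGET PHA example and the FMEA risk priority number (L x S x D) above. The following is an added example, not from the slides, that encodes both TARGET worksheets, computes the scores, and performs the ranking and critical-failure steps; the 1..10 rating range and the RPN criticality threshold are assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example: scoring and ranking for the PHA and FMEA worksheets on the slides.
# Ratings come from the slides; the rating range and threshold are assumptions.

RATING_MIN, RATING_MAX = 1, 10  # assumed worksheet rating scale

def check_rating(name: str, value: int) -> int:
    """Reject ratings outside the worksheet scale before they enter a product."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name}={value} is outside {RATING_MIN}..{RATING_MAX}")
    return value

@dataclass(frozen=True)
class PhaRow:
    hazard: str
    cause: str
    likelihood: int  # PHA column (4) L
    severity: int    # PHA column (5) S

    def risk_score(self) -> int:
        """PHA column (6): L x S."""
        return check_rating("L", self.likelihood) * check_rating("S", self.severity)

@dataclass(frozen=True)
class FmeaRow:
    failure_mode: str
    cause: str
    severity: int    # FMEA column (4) S
    occurrence: int  # FMEA column (6) L
    detection: int   # FMEA column (8) D; less effective detection scores higher

    def rpn(self) -> int:
        """FMEA column (9): risk priority number L x S x D."""
        return (check_rating("L", self.occurrence) * check_rating("S", self.severity)
                * check_rating("D", self.detection))

PHA_ROWS = [
    PhaRow("Customer credit and debit card information stolen",
           "An intrusion of malware not detected", likelihood=2, severity=8),
    PhaRow("Customer credit and debit card information stolen",
           "Exfiltration not detected", likelihood=1, severity=10),
]

FMEA_ROWS = [
    FmeaRow("Entities other than authorized vendors can access Ariba",
            "Vendor credentials compromised", severity=9, occurrence=3, detection=10),
    FmeaRow("Entities other than authorized vendors can access Ariba",
            "Brute force of Ariba credentials", severity=9, occurrence=5, detection=3),
]

def rank_pha(rows: list[PhaRow]) -> list[tuple[str, int]]:
    """PHA step 6: rank causes by risk score, highest first; severity breaks ties."""
    ordered = sorted(rows, key=lambda r: (r.risk_score(), r.severity), reverse=True)
    return [(r.cause, r.risk_score()) for r in ordered]

def critical_failures(rows: list[FmeaRow], threshold: int = 200) -> list[str]:
    """FMEA step 11: causes whose RPN meets the (assumed) threshold, highest first.
    Severity is the tie-break: a product alone hides which factor drives the score."""
    ordered = sorted(rows, key=lambda r: (r.rpn(), r.severity), reverse=True)
    return [r.cause for r in ordered if r.rpn() >= threshold]

if __name__ == "__main__":
    print("PHA ranking:", rank_pha(PHA_ROWS))
    print("FMEA RPNs:", [(r.cause, r.rpn()) for r in FMEA_ROWS])
    print("critical (RPN >= 200):", critical_failures(FMEA_ROWS))
```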
Fault Tree Analysis (FTA)
FTA: Fault Tree Analysis ‐ Definition
• Deductive top‐down modeling technique used to analyze how a failure can occur
• Maps out causal chain of events by connecting hazards and events that can bring about a total or partial system failure
FTA: Fault Tree Analysis
• Unlike other risk tools, which examine single events or single hazards at a time, FTA is able to analyze the relationships of more than one event together and determine their combined effects
• Used extensively in reliability and safety engineering to understand how systems can fail
Where and When to Use FTA
• To understand and manage larger and/or more complex systems
• Can be used to show compliance with system safety and reliability requirements or support more robust system design
• For developing system or product specifications and show critical contributors and pathways to system failure
• Extend the analysis of other risk tools such as FMEA, HAZOP, and CCA
Generalized Steps for FTA
1. Define the system to be analyzed
2. Describe the top-level risk event (e.g. system failure)
3. Describe intermediate events (e.g. subsystem failures) that contribute to the top-level event, and connect them with logic gates as appropriate
4. Identify sub-level events that contribute to intermediate events and connect same-level events with logic gates as appropriate
5. Repeat (4) until the underlying contributory events are regarded as root causes (basic events)
6. Identify critical events and pathways to failure
Common Logic Gates and Shapes
Fault Tree Analysis (FTA) for TARGET Example
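A fault tree is evaluated with Boolean logic: an AND gate fires only when all its inputs occur, an OR gate when any does. The following is an added example, not the slides' figure, of a small evaluator that computes the top-event probability, the minimal cut sets (step 6, pathways to failure), and which basic event a control would most reduce. The tree shape, event names and probabilities are constructed assumptions loosely modelled on the TARGET scenario, and basic events are assumed independent:

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import product
from math import prod

# Added example: fault tree evaluator. The tree below is a constructed assumption.

@dataclass(frozen=True)
class Basic:
    name: str
    p: float  # assumed probability of the basic event over the analysis period

@dataclass(frozen=True)
class Gate:
    kind: str      # "AND" or "OR"
    inputs: tuple  # Basic or Gate nodes
    name: str = ""

def probability(node) -> float:
    """Probability of the event at this node, assuming independent basic events."""
    if isinstance(node, Basic):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return prod(ps)                      # every input must occur
    if node.kind == "OR":
        return 1 - prod(1 - q for q in ps)   # at least one input occurs
    raise ValueError(f"unknown gate kind {node.kind!r}")

def minimal_cut_sets(node) -> set[frozenset[str]]:
    """Smallest combinations of basic events that are sufficient for the node's event."""
    if isinstance(node, Basic):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child_sets)      # any input's cut set suffices
    else:                                    # AND: one cut set from each input, merged
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in sets if not any(o < s for o in sets)}  # drop non-minimal supersets

def with_event_eliminated(node, name: str):
    """Copy of the tree in which basic event `name` can no longer occur (p = 0)."""
    if isinstance(node, Basic):
        return Basic(node.name, 0.0) if node.name == name else node
    return Gate(node.kind, tuple(with_event_eliminated(i, name) for i in node.inputs), node.name)

def risk_reduction_worth(top, name: str) -> float:
    """Drop in top-event probability if a control fully eliminates basic event `name`."""
    return probability(top) - probability(with_event_eliminated(top, name))

def critical_contributors(top) -> list[tuple[str, float]]:
    """FTA step 6: basic events ordered by risk reduction worth, highest first."""
    names = {n for cs in minimal_cut_sets(top) for n in cs}
    return sorted(((n, risk_reduction_worth(top, n)) for n in names),
                  key=lambda t: t[1], reverse=True)

# Constructed tree (assumption): customer card data exfiltrated from POS terminals.
VENDOR_ACCESS = Gate("OR", (Basic("vendor_credentials_compromised", 0.05),
                            Basic("vendor_credentials_brute_forced", 0.02)),
                     "Attacker gains access via the vendor portal")
POS_REACHED = Gate("AND", (Basic("network_not_segregated", 0.5),
                           Basic("pos_accepts_unauthorized_code", 0.3)),
                   "Malware reaches the POS terminals")
TOP = Gate("AND", (VENDOR_ACCESS, POS_REACHED, Basic("exfiltration_not_detected", 0.4)),
           "Customer card data exfiltrated")

if __name__ == "__main__":
    print(f"P(top) = {probability(TOP):.5f}")
    for cs in minimal_cut_sets(TOP):
        print("cut set:", sorted(cs))
    for name, rrw in critical_contributors(TOP):
        print(f"{name}: eliminating it removes {rrw:.5f}")
```

With these assumed values the top event has probability 0.00414, and the two minimal cut sets differ only in how the vendor credentials are obtained; any AND-gate input (segregation, POS whitelisting, exfiltration detection) eliminates the top event entirely, which is what makes those controls the high-value recommendations.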
The Principle of As Low As Reasonably Practicable (ALARP)
ALARP: As Low As Reasonably Practicable
• A principle, and not a tool or technique
• Supports the notion that residual risk shall be as low as reasonably practicable
• Since safety (i.e. zero risk) cannot be guaranteed, and the cost of addressing risk can be excessive if pursued without limits, ALARP provides an approach to help derive a justifiable level of riskiness and set tolerable risk levels
ALARP
• Involves judgment in weighing the riskiness and the cost of attaining such level
• Concept also includes accepting a certain level of risk because of the deliberate decision to bear it rather than address it
• Similar to SFAIRP (so far as is reasonably practicable)
Where and When to Use ALARP
• To address the questions:
  • What can be done?
  • What are the alternatives?
  • What are the effects beyond?
• Given that a risk study has been undertaken, whether through an FMEA, HAZOP, PHA, or other tools, decision makers are then presented with recommended or proposed measures to treat the particular risk events
Where and When to Use ALARP (Cont.)
• When decision makers need to decide if a certain risk is to be addressed, and how much of the risk should be addressed
• How much will be reasonably accepted or tolerated?
• Preemptively during the recommendation step of risk studies
• Generating alternatives that already adhere to an ALARP level
Carrot Diagram of the ALARP Principle
Finding the (im)balance
• If the costs to treat risks are clearly very high and the reduction is only marginal, then it is likely that the situation is already ALARP and further improvements are not required
• Common tools: cost‐benefit analysis, Multi Criteria Decision Making (MCDM)/Multi Criteria Decision Analysis (MCDA)
Generalized Steps for ALARP
1. Identify risk
2. Determine where the risk falls in the ALARP region
3. If the risk falls in the top region, undertake an implementation plan to achieve ALARP
4. If the risk falls in the bottom region, implement proposals if simple and inexpensive; undertake monitoring and control to maintain ALARP
5. If the risk falls in the middle region, undertake further analysis (e.g. cost-benefit analysis, MCDM/MCDA)
As Low As Reasonably Practicable (ALARP) for TARGET Example
• Risk of exfiltration of customer credit and debit card information is unacceptable
• Risk of destruction of 40% of the POS terminals is tolerable.
• Risk of disruption of process up to 2% of time is acceptable.
As Low As Reasonably Practicable (ALARP) and Risk Map
Integrating Risk Management Concepts into Cybersecurity Risk Assessments
Guide Question
• How do the tools and techniques help cyber security practitioners apply the generalized risk management framework?