
Module 3-Risk Management Tools and Techniques v8 AFTER …sites.wp.odu.edu/cyberrisk/wp-content/uploads/sites/3673/... · 2017-12-18 · 12/18/2017 1 This document is licensed with


12/18/2017

1

This document is licensed with a Creative Commons Attribution 4.0 International License ©2017

Module 3 – Risk Management Tools and Techniques

Unit 1: Fundamentals of Risk Management


Learning Outcomes

Upon completion of this lesson, students will be able to:
• Distinguish the difference between risk management tools and techniques
• Identify the appropriate tool for different scenarios
• Apply risk management tools and techniques to cybersecurity risk assessments


Module 3 Outline Risk Management Tools and Techniques

• RM Tools and Techniques
• Preliminary Hazard Analysis (PHA)
• Hazard and Operability Analysis (HAZOP)
• Failure Mode and Effects Analysis (FMEA)
• Fault Tree Analysis (FTA)
• Cause and Consequences Analysis (CCA)
• The principle of As Low As Reasonably Practicable (ALARP)
• Integrating risk management concepts into cybersecurity risk assessments


Risk Management Tools and Techniques

Preliminary Hazard Analysis (PHA)
• Initial assessment of the hazards and their corresponding accidents
• Identifies hazards, hazardous situations and events for a given activity, facility or system

Hazard and Operability Analysis (HAZOP)
• Structured and systematic technique for system examination and risk management
• Identifies and evaluates problems that may represent risks to personnel, equipment, and operation

Job Safety Analysis (JSA)
• Emphasizes job safety by analyzing workplace hazards
• Identifies hazards associated with each step of any job or task that has the potential to cause serious injury

Failure Mode & Effects Analysis (FMEA)
• Design tool for systematic analysis of component failures and their effects on system operations
• Identifies potential design and process failures before they occur and proposes changes to design or operational procedures

Fault Tree Analysis (FTA)
• Deductive top-down modeling technique used to analyze how an unwanted event or a failure can occur
• Identifies linkages between segments in a causal chain of events

Cause-Consequence Analysis (CCA)
• Combines two different types of tree structures for analyzing consequence chains
• Shows the way various factors may combine to cause a hazardous event, with the ability of event trees to show the various possible outcomes

As Low As Reasonably Practicable (ALARP)
• Fundamental approach that sets the risk to the tolerable, reasonable, and practical level
• Provides guidance on when further reducing the likelihood and consequences of risk events may be disproportionate to the time, cost and physical difficulty of implementing risk treatments


Tools and Techniques Comparison

Tool or technique: Preliminary Hazard Analysis (PHA)
• Brief description: Initial assessment of hazards and their consequences
• General purpose: Identifying hazardous situations for a given system
• Typical application: Initial risk study at early stage of a project; initial step of a detailed risk analysis; for system concept or existing system
• How to apply: PHA worksheet

Tool or technique: Hazard and operability study (HAZOP)
• Brief description: Qualitative assessment of system operability
• General purpose: Identifying deviations from the design and operating intent and their consequences
• Typical application: General-purpose; suitable for highly monitored performance and detailed design requirements
• How to apply: Use HAZOP worksheet; extend with JSA, FTA, or CCA where applicable

Tool or technique: Failure Mode & Effects Analysis (FMEA)
• Brief description: Quantitative assessment of failures in design, process, or system
• General purpose: Analyzing elements of a system, and their interactions
• Typical application: General-purpose; suitable for highly monitored performance and detailed design requirements
• How to apply: Use FMEA worksheet; extend with JSA, FTA, or CCA where applicable


Tools and Techniques Comparison (Cont.)

Tool or technique: Fault Tree Analysis (FTA)
• Brief description: Top-down modeling and graphical technique used to analyze how a failure can occur
• General purpose: Maps the causal chain of events by connecting hazards and events that can bring about failure
• Typical application: General-purpose; understanding large and complex systems
• How to apply: Boolean logic; fault tree diagram

Tool or technique: Cause-consequence analysis (CCA)
• Brief description: Graphical technique for analyzing cause and consequence chains
• General purpose: Shows how factors may combine to cause hazardous events and consequences
• Typical application: Examining complex event chains
• How to apply: Bowtie diagram; FTA; ETA

Tool or technique: As Low As Reasonably Practicable (ALARP)
• Brief description: Sets the risk to the tolerable, reasonable, and practical level
• General purpose: To reduce the risks to the reasonable level at which the benefits arising from further risk reduction are disproportionate to the time, trouble, cost and physical difficulty of implementing further risk reduction measures
• Typical application: When evaluating whether to implement proposals, control and preventive measures
• How to apply: Carrot diagram; cost-benefit analysis if needed


Cause and Consequences Analysis (CCA)


Cause and Consequences Analysis (CCA) Definition

• Analytical method for tracing and exposing the chains of events related to a particular risk event of interest
• Visual, chronological description of a failure from its initiation to the final outcomes
• Uses graphical sub-tools and diagrams


Where and when to use CCA

• Illustrating the relationships between causes and consequences, especially when examining complex causal event chains where many possible causes and consequences connect to a single event
• Analysis of security and safety problems
• Determining requirements for risk management in the design and development of a new system
• Assessing an existing system's performance standards, risk management strategies, and accountability
• Managing risk, as well as supporting other tools such as FMEA and HAZOP


Bowtie diagram for CCA


Event tree analysis - hypothetical example

Initiating event: Cyber attacker sends a phishing e-mail with malicious code as the payload.

• User rejects the phishing e-mail (p=0.7) → Outcome: No damage (p=0.7)
• User accepts the phishing e-mail and clicks on the link (p=0.3)
  • Anti-virus detects the malware and deletes it (p=0.9) → Outcome: No damage (p=0.027)
  • Anti-virus does not recognize the malware; malware is dropped into the user network (p=0.1)
    • Sensitive data is encrypted; attacker steals data but cannot decrypt all information (p=0.7) → Outcome: Limited damage; user needs to assign financial resources to recover from the damage (p=0.0021)
    • Sensitive data is not encrypted; attacker steals sensitive data (p=0.3) → Outcome: Extreme damage; sensitive data is used to disrupt the user's activities and the user loses reputation (p=0.0009)
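The tree above, as an added Python example that is not part of the slide deck: each outcome's probability is the product of the branch probabilities along its path (branch values taken from the slide), and a completeness check confirms that the outcomes sum to 1, which is the first sanity check to run on any hand-drawn event tree before its numbers are used.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Branch probabilities as printed on the slide's hypothetical phishing event tree.
P_USER_CLICKS = 0.3        # user accepts the phishing e-mail and clicks the link
P_AV_MISSES = 0.1          # anti-virus does not recognize the malware
P_DATA_UNENCRYPTED = 0.3   # sensitive data is not encrypted


@dataclass(frozen=True)
class Layer:
    """One protective layer the attack must get past (one branch node of the tree)."""
    name: str
    p_fail: float        # probability the layer fails and the attack continues
    fail_label: str      # branch taken when the layer fails
    hold_label: str      # branch taken when the layer holds (the path ends here)
    hold_outcome: str    # damage description when the path ends at this layer


@dataclass(frozen=True)
class Outcome:
    path: Tuple[str, ...]
    damage: str
    probability: float


# Layers in the order the initiating event (phishing e-mail sent) meets them.
PHISHING_TREE: List[Layer] = [
    Layer("user", P_USER_CLICKS, "user clicks link", "user rejects e-mail", "No damage"),
    Layer("anti-virus", P_AV_MISSES, "AV misses malware", "AV deletes malware", "No damage"),
    Layer("encryption", P_DATA_UNENCRYPTED, "data unencrypted", "data encrypted",
          "Limited damage: financial resources needed to recover"),
]
# Outcome reached when every layer fails.
ALL_LAYERS_FAIL = "Extreme damage: data used to disrupt activities, reputation lost"


def validate(layers: List[Layer]) -> None:
    for layer in layers:
        if not 0.0 <= layer.p_fail <= 1.0:
            raise ValueError(f"{layer.name}: p_fail={layer.p_fail} is not a probability")


def enumerate_outcomes(layers: List[Layer], final_damage: str) -> List[Outcome]:
    """Walk the tree: each outcome's probability is the product of the branch
    probabilities along its path from the initiating event."""
    validate(layers)
    outcomes: List[Outcome] = []
    p_so_far, path = 1.0, []
    for layer in layers:
        # Branch where this layer holds: the path terminates with its outcome.
        outcomes.append(Outcome(tuple(path + [layer.hold_label]),
                                layer.hold_outcome, p_so_far * (1.0 - layer.p_fail)))
        # Branch where it fails: carry the accumulated probability forward.
        p_so_far *= layer.p_fail
        path.append(layer.fail_label)
    outcomes.append(Outcome(tuple(path), final_damage, p_so_far))
    return outcomes


def total_probability(outcomes: List[Outcome]) -> float:
    """The outcomes of a complete event tree partition the initiating event, so they
    must sum to 1; any other total means a branch is missing or a product is wrong."""
    return sum(o.probability for o in outcomes)


def outcome_probability(outcomes: List[Outcome], damage_prefix: str) -> float:
    """Probability mass of all outcomes whose damage text starts with damage_prefix."""
    return sum(o.probability for o in outcomes if o.damage.startswith(damage_prefix))


if __name__ == "__main__":
    results = enumerate_outcomes(PHISHING_TREE, ALL_LAYERS_FAIL)
    for o in results:
        print(f"{o.probability:.4f}  {' -> '.join(o.path):52s} {o.damage}")
    print(f"sum of outcome probabilities = {total_probability(results):.4f}")
```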


Generalized steps for CCA

1. Define the system of interest
2. Identify the primary event
3. Generate the initiating chain (similar to FTA if applicable)
  • Determine the underlying causes of the event
  • For each underlying cause, identify the causes or initiating events
  • Repeat until the underlying cause becomes uncontrollable
4. Generate the damage chain (similar to ETA if applicable)
  • Determine follow-up events
  • For each follow-up event, identify the consequences
  • Repeat until all outcomes are exhausted


Event Tree Analysis (ETA) for TARGET example


Preliminary Hazard Analysis (PHA)


PHA: Preliminary Hazard Analysis

• A semi-quantitative approach to develop an initial listing of potential hazards, hazardous situations or events
• A broad appraisal of risk events, typically done early in a product or system development
• Also known as Preliminary Risk Assessment (PRA), Rapid Risk Ranking or Hazard Identification (HAZID)


Where and When to Use PHA

• Preliminary study in the early stages of the design process, especially safety-related requirements
• In support of identification and development of system or product specifications
• Towards detailed risk analysis of an existing project, product or system, i.e. a precursor to further detailed studies


Where and When to Use PHA (Cont.)

• Can be used to initiate the formation of a hazard log
• A hazard log, aka risk register or risk log, tracks information about a hazard from its initial identification to its proposed control
• A hazard log facilitates the continuous monitoring of hazards


Generalized Steps for PHA

1. Define the system and scope of study
2. Identify possible hazards
3. Describe the accidents that can be caused by the hazards, as well as their consequences
4. Identify potential causes of how accidents identified in (3) can occur
5. Evaluate each cause according to the likelihood that it can occur and the severity of consequences
6. Rank hazards in terms of (5)
7. Determine recommended preventive and control measures to address the hazards, the causes, and their consequences


Preliminary Hazard Analysis (PHA) for TARGET Example

Worksheet columns:
(1) Hazards: What are the possible hazards?
(2) Accidents: What could be the harm of the hazard?
(3) Potential causes: How might the accident occur?
(4) Likelihood (L) rating scale: What is the likelihood of occurrence?
(5) Severity (S) rating scale: How significant is the harm?
(6) Risk score: L x S, used for ranking
(7) Possible controls: What can be done?

(1) Hazard: Customer credit and debit card information stolen
(2) Accidents: Cost for re-issuing credit and debit cards; costs for lawsuits; reputation; loss of customers

Cause A
(3) Potential cause: An intrusion of malware not detected
(4) L = 2; (5) S = 8; (6) Risk score = 16
(7) Possible controls: Determine technical vulnerabilities where the intrusion can happen (e.g. not up-to-date OS software); analyze processes where external dependency (e.g. vendor portal) takes place

Cause B
(3) Potential cause: Exfiltration not detected
(4) L = 1; (5) S = 10; (6) Risk score = 10
(7) Possible controls: Enable stricter corporate network segregation; utilize SIEM products for ranking and prioritization of anomalies; train personnel for cyber security monitoring services


Hazard and Operability Analysis (HAZOP)


HAZOP: Hazard and Operability Analysis Definition

• A top-down qualitative approach, as opposed to semi-quantitative like PHA
• Also used to determine potential hazards in a process, operation, or system
• Systematically identifies possible deviations from the design and operating intent and determines how these deviations may eventually become hazards


HAZOP ‐ Operability

• The term operability in HAZOP pertains to the focus on hazards resulting from operations or processes that are performed beyond the range of the intended design (hence again, the emphasis on deviation)


HAZOP vs PHA

• Unlike PHA, HAZOP's qualitative nature does not attempt to quantify or rate hazards
• Likelihood and severity ratings are omitted
• Thus, it does not typically prioritize risk


HAZOP: Hazard and Operability Analysis

• Documents existing preventive and control measures
• Recommendations focus on additional measures that are needed


Where and When to Use HAZOP

• Originally intended for analyzing accidents that affect human health and safety
• Often adopted as a general-purpose risk management tool
• Similar to PHA, it is applicable during the design phase of a project, or a product or system development, to determine specifications


Where and When to Use HAZOP (Cont.)

• Also often applied to already existing systems to improve safety and minimize operational risk
• Useful for periodic review throughout the life of the system to accommodate changes within the system and its environment
• Used as supporting documentation for hazard logs


Generalized Steps for HAZOP

1. Define the system and scope of study
2. Divide the system into nodes and define each node's design intent
3. For each node, identify node elements such as material, input, process step or operation
4. Define the element's relation to the design intent, performance measure, and acceptable range of performance (parameters)
5. Define the deviation by selecting a process guideword and pairing it with a parameter
6. Establish the causality of the deviation with potential hazards; describe the consequences of each hazard
7. Identify existing preventive and control measures to address the hazard
8. Determine recommendations for additional controls to address the hazard


Hazard and Operability Analysis (HAZOP) for TARGET Example


HAZOP for TARGET Example

Worksheet columns:
(1) Element: Describe what the guide word pertains to (material, input, process step, etc.): People, Process, Technology
(2) Deviation: What can go wrong (describe the deviation)
(3) Possible causes: How can the deviation occur?
(4) Consequences: What may happen if the deviation occurs?
(5) Safeguards (preventive): List controls that prevent the deviation from occurring
(6) Safeguards (reactive): List controls that can address the deviation when it occurs
(7) Actions required: Identify any additional controls or actions

(1) Element: Technology
(2) Deviation: Unauthorized code installed in the POS terminals
(3) Possible causes: POS terminals accept unauthorized software
(4) Consequences: Malware can be installed in the POS terminals; operations may be disrupted or sensitive data may be stolen
(5) Safeguards (preventive): Only manufacturer-authorized apps are allowed for installation on POS terminals; sensitive data is encrypted; sensitive data stored in hardware
(6) Safeguards (reactive): Isolation of infected POS from other parts of the network
(7) Actions required: Add security protocols to the POS software development process; add whitelisting property into the POS machines; use anti-virus and host-based intrusion detection systems


Failure Mode and Effects Analysis (FMEA)


FMEA: Failure Mode and Effects Analysis Definition

• A top-down quantitative technique applied to identify failures in a design, a process, a system or an existing product, equipment or service
• Used to analyze elements or components of a system, their interactions, and their effects on the operation of the system as a whole


FMEA: Failure Mode and Effects Analysis

• Failure modes pertain to ways in which functional elements may fail
• Effects analysis establishes and describes the consequences of those failures, and the ability to prevent, control and mitigate those failures


FMEA ‐ Similarities with the Other Methods

• Like HAZOP, also examines how existing system capabilities detect failures and manage such failures
• Failures are ranked based on the likelihood and consequences, as well as the propensity to detect and manage them if they do occur
• Similar to PHA, assesses the likelihood of occurrence (unlike HAZOP and JSA)


Where and When to Use FMEA

• To study a variety of systems and products that are more detailed and complex, such as those in the aviation and electronics industry
• Applicable in both the design and operation phases, particularly in the development of operational risk management strategies


Where and When to Use FMEA (Cont.)

• Re-designing existing systems for a new application
• Risk auditing and accident investigations
• Periodic review throughout the life of the system to accommodate changes within the system and its environment


Generalized Steps for FMEA

1. Define the system and scope of study
2. Identify key functional objectives
3. For each objective, identify the ways failure can occur (the failure modes)
4. For each failure mode, identify the consequences (effects) if failure occurs
5. Rate the consequences in terms of severity
6. Identify the root causes for each failure mode
7. Rate each root cause in terms of chance of occurrence
8. Identify current preventive and control measures for each root cause
9. For each root cause and failure, rate how well or early they can be detected and addressed
10. Calculate the risk priority number (RPN) based on the consequences, occurrence, and detection
11. Identify failures that are considered critical
12. Determine additional preventive or control measures as needed


Failure Mode and Effects Analysis for TARGET Example

Worksheet columns:
(1) Function/Process: What can go right; what is supposed to happen
(2) Potential failure modes: What are the ways that prevent the process or function from achieving this objective?
(3) Potential effect(s) of failure: What is the consequence of the failure?
(4) Severity (S): How significant is the impact?
(5) Potential cause(s) of failure: How can the failure occur?
(6) Occurrence rating (L): What is the likelihood of occurrence?
(7) Current design controls (Prevent): What is in place so that failure is prevented
(7) Current design controls (Detect): What is in place so that failure is controlled
(8) Detection rating (D): How effective are the measures (less effective = higher numbers)
(9) RPN: L x S x D
(10) Recommended actions: What can be done

(1) Function/Process: Vendors access Ariba External Billing System (Target's vendor portal)
(2) Potential failure mode: Entities other than authorized vendors can access Ariba
(3) Potential effect: Unauthorized users can access further parts of the network
(4) S = 9

Cause A
(5) Potential cause: Vendor credentials compromised
(6) L = 3
(7) Prevent: Vendor policies in effect to prevent compromise
(7) Detect: Encryption of some of the sensitive data
(8) D = 10
(9) RPN = 270
(10) Recommended actions: Multi-factor authentication; encryption of sensitive data

Cause B
(5) Potential cause: Brute force of Ariba credentials
(6) L = 5
(7) Prevent: Password needs to be updated periodically
(7) Detect: Network anomaly detection services are in place
(8) D = 3
(9) RPN = 135
(10) Recommended actions: Strong password policy
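The PHA (L x S) and FMEA (L x S x D) scoring on the TARGET worksheets, as an added Python example that is not part of the slide deck: rows are transcribed from the two worksheets, ratings are validated against an assumed 1..10 scale, rows are ranked and flagged critical against an assumed RPN threshold, and an audit recomputes the scores typed into a worksheet to catch transcription errors.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Rating scale bounds assumed here: the slides show ratings between 1 and 10 but
# do not state the scale limits.
MIN_RATING, MAX_RATING = 1, 10


def check_rating(label: str, value: int) -> int:
    """Reject ratings outside the scale before they silently inflate a score."""
    if not isinstance(value, int) or not MIN_RATING <= value <= MAX_RATING:
        raise ValueError(f"{label} rating {value!r} outside {MIN_RATING}..{MAX_RATING}")
    return value


@dataclass(frozen=True)
class PhaRow:
    """One cause row of the PHA worksheet, columns (3) to (7)."""
    hazard: str
    cause: str
    likelihood: int               # (4) L
    severity: int                 # (5) S
    controls: Tuple[str, ...] = ()

    def __post_init__(self) -> None:
        check_rating("likelihood", self.likelihood)
        check_rating("severity", self.severity)

    @property
    def risk_score(self) -> int:  # (6) L x S
        return self.likelihood * self.severity


@dataclass(frozen=True)
class FmeaRow:
    """One cause row of the FMEA worksheet, columns (2) to (10)."""
    failure_mode: str
    cause: str
    severity: int                 # (4) S
    occurrence: int               # (6) L
    detection: int                # (8) D, higher = less effective detection
    actions: Tuple[str, ...] = ()

    def __post_init__(self) -> None:
        check_rating("severity", self.severity)
        check_rating("occurrence", self.occurrence)
        check_rating("detection", self.detection)

    @property
    def rpn(self) -> int:         # (9) risk priority number = L x S x D
        return self.occurrence * self.severity * self.detection


def rank_pha(rows: Sequence[PhaRow]) -> List[PhaRow]:
    """PHA step 6: rank hazards by risk score, highest first."""
    return sorted(rows, key=lambda r: r.risk_score, reverse=True)


def rank_fmea(rows: Sequence[FmeaRow]) -> List[FmeaRow]:
    """Rank by RPN; ties broken on severity (a common convention, assumed here)."""
    return sorted(rows, key=lambda r: (r.rpn, r.severity), reverse=True)


def critical_fmea(rows: Sequence[FmeaRow], rpn_threshold: int) -> List[FmeaRow]:
    """FMEA step 11: failures considered critical. The threshold is an assumption;
    the slides do not state one."""
    return [r for r in rank_fmea(rows) if r.rpn >= rpn_threshold]


def audit_scores(rows, recorded: Sequence[int], score_attr: str) -> List[Tuple[str, int, int]]:
    """Recompute each row's score and compare it with the value typed into the
    worksheet; returns (cause, recorded, recomputed) for every mismatch."""
    if len(rows) != len(recorded):
        raise ValueError("one recorded score per row is required")
    return [(row.cause, rec, getattr(row, score_attr))
            for row, rec in zip(rows, recorded) if rec != getattr(row, score_attr)]


# Rows transcribed from the slides' TARGET worksheets.
CARD_DATA_STOLEN = "Customer credit and debit card information stolen"
TARGET_PHA = (
    PhaRow(CARD_DATA_STOLEN, "Intrusion of malware not detected", 2, 8,
           ("Determine technical vulnerabilities where the intrusion can happen",
            "Analyze processes with external dependency (e.g. vendor portal)")),
    PhaRow(CARD_DATA_STOLEN, "Exfiltration not detected", 1, 10,
           ("Stricter corporate network segregation",
            "SIEM for ranking and prioritization of anomalies",
            "Train personnel for cyber security monitoring")),
)
UNAUTHORIZED_ARIBA_ACCESS = "Entities other than authorized vendors can access Ariba"
TARGET_FMEA = (
    FmeaRow(UNAUTHORIZED_ARIBA_ACCESS, "Vendor credentials compromised", 9, 3, 10,
            ("Multi-factor authentication", "Encryption of sensitive data")),
    FmeaRow(UNAUTHORIZED_ARIBA_ACCESS, "Brute force of Ariba credentials", 9, 5, 3,
            ("Strong password policy",)),
)

if __name__ == "__main__":
    for row in rank_pha(TARGET_PHA):
        print(f"PHA  score={row.risk_score:3d}  {row.cause}")
    for row in rank_fmea(TARGET_FMEA):
        print(f"FMEA rpn={row.rpn:3d}  {row.cause}")
    print("critical:", [r.cause for r in critical_fmea(TARGET_FMEA, 200)])
```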


Fault Tree Analysis (FTA)


FTA: Fault Tree Analysis ‐ Definition

• Deductive top-down modeling technique used to analyze how a failure can occur
• Maps out the causal chain of events by connecting hazards and events that can bring about a total or partial system failure


FTA: Fault Tree Analysis

• Unlike other risk tools, which examine single events or single hazards at a time, FTA is able to analyze the relationships of more than one event together and determine combined effects
• Used extensively in reliability and safety engineering to understand how systems can fail


Where and When to Use FTA

• To understand and manage larger and/or more complex systems
• Can be used to show compliance with system safety and reliability requirements or support more robust system design
• For developing system or product specifications and showing critical contributors and pathways to system failure
• Extends the analysis of other risk tools such as FMEA, HAZOP, and CCA


Generalized Steps for FTA

1. Define the system to be analyzed
2. Describe the top level risk event (e.g. system failure)
3. Describe intermediate events (e.g. subsystem failure) that contribute to the top level event, and connect them with logic gates as appropriate
4. Identify sub-level events that contribute to intermediate events and connect same-level events with logic gates as appropriate
5. Repeat (4) until the underlying contributory events are regarded as root causes (basic events)
6. Identify critical events and pathways to failure
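A fault tree evaluated with Boolean logic, as an added Python example that is not part of the slide deck: AND/OR gates, minimal cut sets (the pathways to failure of step 6) and Birnbaum importance (its critical events). The tree is constructed here from hazards and causes on the TARGET worksheets; its probabilities are illustrative, and the gate-by-gate probability assumes basic events are independent and each appears only once in the tree.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event (root cause) with its probability of occurrence."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """Intermediate event: AND occurs when all inputs occur, OR when any input occurs."""
    kind: str            # "AND" or "OR"
    name: str
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]


def probability(node: Node, override: Optional[Dict[str, float]] = None) -> float:
    """Probability of the event at `node`, assuming independent basic events that
    each appear once in the tree (a repeated event under two branches would be
    double-counted here). `override` pins named basic events to a fixed value."""
    override = override or {}
    if isinstance(node, Event):
        return override.get(node.name, node.p)
    ps = [probability(n, override) for n in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal combinations of basic events that are sufficient to cause the event
    at `node`: the pathways to failure of step 6."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(n) for n in node.inputs]
    if node.kind == "OR":
        combined = set().union(*child_sets)
    elif node.kind == "AND":
        combined = {frozenset()}
        for sets in child_sets:
            combined = {a | b for a in combined for b in sets}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    # Drop any cut set that strictly contains another one (it is not minimal).
    return {c for c in combined if not any(o < c for o in combined)}


def birnbaum_importance(top: Node, event_name: str) -> float:
    """How far the top-event probability moves when the basic event is made certain
    versus impossible; the largest values mark the critical events of step 6."""
    return probability(top, {event_name: 1.0}) - probability(top, {event_name: 0.0})


# Constructed fault tree for the TARGET scenario, assembled from hazards and causes the
# PHA/HAZOP/FMEA worksheets list. Probabilities are illustrative, not from the slides.
CREDS_COMPROMISED = Event("vendor_credentials_compromised", 0.05)
CREDS_BRUTE_FORCED = Event("ariba_credentials_brute_forced", 0.02)
POS_ACCEPTS_UNAUTHORIZED = Event("pos_accepts_unauthorized_software", 0.5)
AV_MISSES_MALWARE = Event("anti_virus_misses_malware", 0.1)
EXFIL_UNDETECTED = Event("exfiltration_not_detected", 0.3)

VENDOR_ACCESS = Gate("OR", "attacker_gains_vendor_portal_access",
                     (CREDS_COMPROMISED, CREDS_BRUTE_FORCED))
INTRUSION = Gate("AND", "malware_intrusion_not_detected",
                 (VENDOR_ACCESS, POS_ACCEPTS_UNAUTHORIZED, AV_MISSES_MALWARE))
CARD_DATA_STOLEN = Gate("AND", "customer_card_data_stolen", (INTRUSION, EXFIL_UNDETECTED))

if __name__ == "__main__":
    print(f"P(top) = {probability(CARD_DATA_STOLEN):.6f}")
    for cut in sorted(minimal_cut_sets(CARD_DATA_STOLEN), key=sorted):
        print("cut set:", sorted(cut))
    for e in (CREDS_COMPROMISED, CREDS_BRUTE_FORCED, POS_ACCEPTS_UNAUTHORIZED,
              AV_MISSES_MALWARE, EXFIL_UNDETECTED):
        print(f"Birnbaum({e.name}) = {birnbaum_importance(CARD_DATA_STOLEN, e.name):.6f}")
```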


Common Logic Gates and Shapes


Fault Tree Analysis (FTA) for TARGET Example


The Principle of As Low As Reasonably Practicable (ALARP)


ALARP: As Low As Reasonably Practicable

• A principle, and not a tool or technique
• Supports the notion that residual risk shall be as low as reasonably practicable
• Since safety (i.e. zero risk) cannot be guaranteed, and the cost of addressing risk can be excessive if pursued without limits, ALARP provides an approach to help derive a justifiable level of riskiness and set tolerable risk levels


ALARP

• Involves judgment in weighing the riskiness and the cost of attaining such a level
• The concept also includes accepting a certain level of risk because of the deliberate decision to bear it rather than address it
• Similar to SFAIRP (so far as is reasonably practical)


Where and When to Use ALARP

• To address the questions:
  • What can be done?
  • What are the alternatives?
  • What are the effects beyond?
• Given that a risk study has been undertaken, whether through an FMEA, HAZOP, PHA, or other tools, decision makers are then presented with recommended or proposed measures to treat the particular risk events


Where and When to Use ALARP (Cont.)

• When decision makers need to decide if a certain risk is to be addressed, and how much of the risk should be addressed
• How much will be reasonably accepted or tolerated?
• Preemptively during the recommendation step of risk studies
• Generating alternatives that already adhere to an ALARP level


Carrot Diagram of the ALARP Principle


Finding the (im)balance

• If the costs to treat risks are clearly very high and the reduction is only marginal, then it is likely that the situation is already ALARP and further improvements are not required
• Common tools: cost-benefit analysis, Multi Criteria Decision Making (MCDM)/Multi Criteria Decision Analysis (MCDA)


Generalized Steps for ALARP

1. Identify risk
2. Determine where the risk falls in the ALARP region
3. If the risk falls in the top region, undertake an implementation plan to achieve ALARP
4. If the risk falls in the bottom region, implement proposals if simple and inexpensive; undertake monitoring and control to maintain ALARP
5. If the risk falls in the middle region, undertake further analysis (e.g. cost-benefit analysis, MCDM/MCDA)


As Low As Reasonably Practicable (ALARP) for TARGET Example

• Risk of exfiltration of customer credit and debit card information is unacceptable

• Risk of destruction of 40% of the POS terminals is tolerable.

• Risk of disruption of process up to 2% of time is acceptable.


As Low As Reasonably Practicable (ALARP) and Risk Map


Integrating Risk Management Concepts into Cybersecurity Risk Assessments


Guide Question

• How do the tools and techniques help cyber security practitioners apply the generalized risk management framework?