39 Risk Analysis

Ms.Vinodini Kapoor

epgp books

  1. Learning Outcome
  • Understand the basic concept of risk associated with Information Technology systems.
  • Get an overview of the concepts of risk, threat, vulnerability and countermeasure.
  • Understand the procedure for Risk Analysis.
  • Define Risk Management and the procedure for carrying out a Risk Assessment.
  • List the various categories of Risk.
  • Understand the integration of Risk Management with the stages of the SDLC.
  2. Introduction

The Internet has had a substantial and obvious impact on the growth of electronic commerce, communication and the dissemination of information; the major impact of computer networks, however, is on business process automation. Routine corporate functions are now handled by automated processes anchored in databases. Networked information systems form the backbone of enterprises and are used in almost all aspects of business, including payroll, procurement, human resource management, analysis and design of engineering components, sales and marketing. Information systems have improved organizational productivity manifold. However, complete dependence on information systems for critical operations has left organizations vulnerable to anomalies and attacks on networks. All organizations are exposed to uncertainties, which may affect the organization in both a positive and a negative manner. To support the organization, IT security professionals must be able to help management comprehend and manage these uncertainties.

Limited resources and an ever-changing landscape of threats and vulnerabilities make mitigating these uncertainties complex. In this digital era, as organizations rely on automated information technology (IT) systems to process their information in support of their missions, risk management plays a critical role in protecting an organization's information assets. To facilitate this, IT security professionals need a toolset that helps them share a commonly understood view with IT and business managers. The approach must be consistent, repeatable and cost-effective in order to reduce risks to a reasonable level. IT assets are also exposed to the risk of damage or loss. IT security involves protecting information stored electronically; protection in this context implies data integrity, availability and confidentiality. There are many types of computer crime, such as theft of money, damage to software, theft of information, alteration of data, theft of services and trespass. To minimize losses, risk analysis, risk management and risk assessment must therefore be applied to information technology and operational risks.

The purpose of risk analysis is to assist managers and facilitate decisions on investments and policies. Investment decisions are complicated, and it is important that an organization uses all available information on risk in order to decide how many resources to invest in and allocate to countermeasures. It is imperative that IS risk be quantified and managed accordingly. Since risk management requires accurate evaluation as a prerequisite, risk analysis is an indispensable aspect of managing information protection. To ensure efficiency and accuracy, automated tools must be used in the risk analysis process.

  3. Risk Analysis

Risk Analysis is based on the principal concepts of threat, vulnerability, countermeasure, risk and attack. These can be stated in the simplest terms as explained below.

  • Threat – A threat is a possible danger that might breach security and therefore cause possible harm; a threat has an adverse effect on an organization. A threat exists whether or not there are any practical ways in which it might be manifested. The threats to an Information System are independent of the physical implementation of the IS. The effects of various threats vary substantially: some affect the integrity of data while others affect the availability of a system. A threat can be on account of an external or an internal entity. Internal threats arise from authorized access to the network, with either an account on a server or physical access to the network; a threat can be internal to the organization as the result of employee action or the failure of an organizational process. External threats can arise from individuals or organizations working outside the company, from physical intrusion or from an infected network; they do not have authorized access to the computer systems or network. External threats can also be floods, fires or earthquakes.
  • Vulnerability – A vulnerability is any type of weakness in a computer system, in procedures, or in anything else that leaves information security exposed to a threat. Vulnerabilities are what information security and information assurance professionals seek to reduce. Minimizing vulnerabilities provides fewer options for malicious users to gain access to secure information. Computer users and network personnel can protect computer systems from vulnerabilities by keeping software security patches up to date; these patches remove flaws or security holes that were found in the initial release. Computer and network personnel should stay abreast of current vulnerabilities and be ready to deal with them.
  • Risk – A risk exists when a threat and a vulnerability overlap: there is a threat to the business, and the vulnerability must be exploited to realize this threat. To exploit the risk is to realize a threat, which is called an attack, and the person, agency or organization attempting to exploit that risk is the attacker. A computer risk is any event or action that could cause loss or damage to computer hardware, software, data or information. Common computer security risks include computer viruses, unauthorized access to and use of computer systems, hardware and software theft, information theft, loss of information privacy and system failure.
  • Countermeasure – A countermeasure reduces exposure by reducing the probability of attack (the vulnerability), the business losses associated with a threat, or the losses resulting from a successful attack. Depending on the nature of the risk, an organization may choose from a variety of countermeasures. A risk can be shifted by applying a countermeasure to the risk itself, which moves all or part of the exposure to a third party and involves no change in the business or technology models. The annual exposure is reduced when a countermeasure is applied to the vulnerability, which reduces the frequency of occurrence. Risk avoidance is where the countermeasure is applied to the threat, which reduces the impact of the threat; a countermeasure here involves a change to the business model but no change in the technology model.
  4. Risk Analysis Procedure

As information technology usage spreads, dependence on the information system, threats to assets and vulnerability risks all increase, leaving organizations exposed to information leakage and attacks on system security. Risk analysis measures the quantum of risk due to exposure, leakage and attack, and calculates the degree of risk. The ultimate objectives of the risk analysis process are to consider the threats to the information system, to assess the vulnerability of the information system and its asset value, to evaluate the asset risk level, to provide countermeasures for removing, accepting or avoiding risk and, finally, to build a safe environment in which to operate the information system.

The process of risk analysis includes identifying and quantifying uncertainties, estimating their impact and building a risk analysis model that expresses these elements in quantitative form.

  • Identify and quantify uncertainty – The goal is to identify each source of uncertainty and quantify its magnitude. We may not be able to predict the number of people shopping at a store each day, but we can examine past data for the frequency of days on which people shopped and use this to estimate a distribution of shoppers on future days.
  • Compute the impact of uncertainty – This step computes the impact of uncertainty on the outcome; in other words, it calculates the outputs or outcomes for any given inputs.
  • Complete a risk analysis model – A risk analysis model has inputs that are uncertain variables, random variables, assumptions or simply inputs. For any given set of input values the model calculates outputs. A risk analysis model allows us to think in ranges: because the inputs are uncertain and may take on different values, the outputs are also uncertain and may take a range of values.
  • Explore the model with simulation – For a simulation-based model we can use software such as Frontline's Risk Solver for a Monte Carlo simulation. Simulation makes it possible to perform a large number of trials.
  • Analyze the model results – Simulation yields many possible values for the outcomes, so it is essential to analyze the results. It is useful to create charts to visualize the results, such as frequency charts and cumulative frequency charts. A powerful tool is sensitivity analysis, which helps to identify the uncertain inputs with the biggest impact on our key outcomes. Using software, one can run multiple simulations, choosing a different value on each simulation.
  • Decision making for risk mitigation – Risk analysis helps us to determine the right steps to take to avoid or mitigate risk. We can compare risk vs. return for different projects and diversify our position so that no single risk can cause serious harm.
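The procedure above, applied to an IT security loss estimate, as an added example that is not code from the chapter or from the Risk Solver product mentioned above. The uncertain inputs (number of incidents per year, loss per incident), their distributions, and every number in the block are constructed assumptions. The block builds the model, explores it with a Monte Carlo simulation, performs a simple sensitivity analysis by holding one uncertain input at its expected value at a time, and compares the expected annual loss before and after a countermeasure that lowers the incident frequency (the reduction of annual exposure described under Countermeasure above) against the countermeasure's annual cost, which is the decision step. Only the Python standard library is used; the Poisson sampler is a small helper written here because the standard library does not provide one.

```python
"""Monte Carlo risk analysis model for an annual-loss estimate.

Added example (not from the original chapter). The distributions and all
parameter values are constructed assumptions chosen to illustrate the
procedure, not data from any real organization.
"""
import math
import random
import statistics


def poisson(rng, rate):
    """Sample an event count from a Poisson distribution (Knuth's method)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(trials, incident_rate, median_loss, sigma,
                         fixed_frequency=False, fixed_severity=False, seed=1):
    """Run `trials` Monte Carlo trials of one year of security incidents.

    Uncertain inputs (assumed distributions):
      - number of incidents per year ~ Poisson(incident_rate)
      - loss per incident            ~ LogNormal(ln(median_loss), sigma)
    The `fixed_*` flags hold one input at its expected value so that the
    spread caused by the remaining uncertainty can be measured.
    """
    rng = random.Random(seed)
    mean_severity = median_loss * math.exp(sigma ** 2 / 2)  # lognormal mean
    losses = []
    for _ in range(trials):
        count = round(incident_rate) if fixed_frequency else poisson(rng, incident_rate)
        total = 0.0
        for _ in range(count):
            if fixed_severity:
                total += mean_severity
            else:
                total += rng.lognormvariate(math.log(median_loss), sigma)
        losses.append(total)
    return losses


def summarize(losses):
    """Mean (expected annual loss), spread and percentiles of the outcomes."""
    ordered = sorted(losses)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": statistics.fmean(losses), "stdev": statistics.pstdev(losses),
            "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99)}


def sensitivity(trials, incident_rate, median_loss, sigma):
    """Sensitivity analysis: drop in output spread when each input is held fixed.

    The input whose removal shrinks the standard deviation most is the
    uncertainty with the biggest impact on the outcome.
    """
    base = summarize(simulate_annual_loss(trials, incident_rate, median_loss, sigma))["stdev"]
    freq = summarize(simulate_annual_loss(trials, incident_rate, median_loss, sigma,
                                          fixed_frequency=True))["stdev"]
    sev = summarize(simulate_annual_loss(trials, incident_rate, median_loss, sigma,
                                         fixed_severity=True))["stdev"]
    return {"frequency": base - freq, "severity": base - sev}


def countermeasure_benefit(trials, incident_rate, reduced_rate, median_loss, sigma,
                           annual_cost):
    """Decision step: expected annual loss before vs. after a countermeasure that
    lowers the incident frequency (e.g. timely patching), against its cost."""
    before = summarize(simulate_annual_loss(trials, incident_rate, median_loss, sigma))["mean"]
    after = summarize(simulate_annual_loss(trials, reduced_rate, median_loss, sigma,
                                           seed=2))["mean"]
    benefit = before - after
    return {"expected_benefit": benefit, "annual_cost": annual_cost,
            "worthwhile": benefit > annual_cost}


if __name__ == "__main__":
    # Constructed scenario: about 4 incidents a year, median loss 10,000 per incident.
    print({k: round(v) for k, v in summarize(simulate_annual_loss(20_000, 4.0, 10_000.0, 1.0)).items()})
    print(sensitivity(20_000, 4.0, 10_000.0, 1.0))
    print(countermeasure_benefit(20_000, 4.0, 2.0, 10_000.0, 1.0, annual_cost=20_000.0))
```

The percentiles play the role of the cumulative frequency chart: p90 and p99 show the losses a budget must be able to absorb in a bad year, which the mean alone hides. The sensitivity result tells the analyst where better data would pay off most (here, in the per-incident loss estimate rather than the incident count).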
  5. Risk Management and Risk Assessment

Risk is the net negative impact of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk and taking steps to reduce risk to an acceptable level. Risk management and risk assessment are the most important parts of Information Security Management (ISM). Risk Management involves the analysis, planning, implementation, control and monitoring of implemented measures; Risk Assessment, as part of Risk Management, consists of several processes:

  • Risk identification,
  • Relevant risk analysis,
  • Risk evaluation.

 

Risk Identification – The risk identification phase seeks to create a comprehensive list of events that may prevent, degrade or delay the achievement of the business objectives. Comprehensive identification is critical because a risk that is not identified at this stage will not be included in the risk analysis phase. In order to manage risk, the potential threats to the information systems need to be identified. This is achieved by defining risk scenarios.

 

Risk scenarios are a method of determining whether any risks exist that could adversely affect the confidentiality, integrity or availability of the information system and thereby affect the business objectives. They generally consist of a threat that exploits a vulnerability, resulting in an undesirable outcome.

 

The following techniques can be employed to ensure that a comprehensive list of relevant risks is identified:

  • Stakeholders with appropriate knowledge should be involved in the identification of risks. Discussions must include the domain experts who can provide relevant and up-to-date information during the process.
  • Group discussions and workshops facilitate the identification and discussion of the risks that may affect the business objectives.

 

Risk Assessment helps to determine whether a system is acceptable and which measures would make it acceptable. For every organization using IT in its business processes it is important to conduct a risk assessment. The different threats and vulnerabilities are presented, and their identification, analysis and evaluation enable the risk impact to be evaluated and suitable measures and controls to be proposed.

 

2. Relevant Risk Analysis – At this stage the managing entity tries to prevent the effects of existing or future factors and proposes solutions that help to eliminate adverse effects and make it possible to take advantage of positive effects. Part of the risk management process is a decision-making process that is based on a risk analysis. After having considered additional factors, such as economic, technical, social, political and other factors, the risk managers develop, analyze and compare potential preventive and regulatory measures and select those that minimize the existing risk.

 

On the one hand, qualitative methods are based on a description of the seriousness of a potential impact and of the probability that a given event will occur. The impact level is usually determined by a qualified estimate and by structured-interview methods such as Delphi, which is based on managed contact between the experts of the assessment group and the representatives of the assessed subject. Qualitative methods can be sufficiently accurate if experienced, highly qualified experts are included. The advantage of this approach is that it is less resource- and/or time-demanding and takes into consideration the specifics of the assessed system, its administrator, the environment, its users, etc. The Delphi method is well suited to analyzing risks, especially because it determines what can happen and under what conditions.

 

A combination of both methods can be implemented, where we assess risks (threats, probabilities, impacts) using a qualitative method and then use a quantitative approach, e.g. based on ČSN ISO/IEC 27005:2008. In this case, we start from the seriousness of the threat's impact on the asset in the project or on the project itself, and from the probability of the threat occurring. We must take into consideration that this relationship depends on many other factors that can reflect both the actual risk of the project and the impact of system parameters.

 

3. Risk Evaluation – Once the risk analysis has been completed, the residual risks can be evaluated against the risk tolerance levels. Risk evaluation assists the business owner in deciding which risks require treatment and the priority for implementing a risk response. Residual risks assessed as being between 1 and 3 on the rating scale are generally considered to present an acceptable level of risk to the business and do not require any further evaluation. However, because risk is rarely static, they should be added to the agency's risk register so that they can be monitored and reassessed on a regular basis to ensure that the likelihood and/or impact do not change. All residual risks evaluated as being between 4 and 25 on the rating scale need to be evaluated and prioritized. Typically, the higher the risk rating, the higher its priority. However, two or more risks may have the same risk rating; if it is not clear which risks have the higher priority, the information protection priorities defined by the business owner when establishing the business context for the system should be used to determine the priority for implementing additional controls.

 

5.1 Classification of Risk

 

Based on the potential financial or other impact of a loss, we can divide risks into the following groups:

  • Critical risk: a threat whose potential losses can add up to a company's bankruptcy or dissolution, political destabilization, large damages, a person's bodily harm or potential death, etc. For example, a failed project can hamper basic state functions (payment of benefits, the registration of motor vehicles or real estate) and, in the case of private entities, cause a production shutdown and default on contractual obligations.
  • Major risk: a threat whose potential losses do not lead to bankruptcy, but to remain in operation a company (or state) will have to, e.g., borrow funds or adopt another measure that exceeds regular operation (sell part of its assets, remove authorized persons, carry out a media campaign, initiate legal steps, etc.), which will result in higher expenses and/or the delay of a project.
  • Regular risk: a threat whose potential losses can be covered with current assets without causing undue financial pressure, i.e. a risk whose consequences are not threatening and a project can continue without major cost and time losses.

 

Knowing the threats affecting the individual assets of a project, the threat levels, the vulnerability of the assets with respect to such threats and the probability of each threat, we can determine the level of risk of a given threat with respect to the assigned asset.

 

We can express the level of risk R as a function of two variables, where

“a” is the impact of a materialized threat (in connection with the asset value) and

“h” is the probability of threat materialization (in connection with the vulnerability of a part of the project or of the entire project). Finally,

R = f(a, h).

The higher the risk level for the threat-asset pair is, the more effective measures must be implemented in order to eliminate the risk or to reduce the risk to an acceptable level.

To assess the level of individual risks, we use the total risk matrix.

  • When analyzing risks and before adopting measures to eliminate risks, we assess inherent risks (i.e. without taking into consideration the already existing or considered measures).
  • After having implemented the measures, we reassess the level of risks while including the level of residual risk (after the measures were implemented) or the level of target risk (requested by the analysis recipient).
  • The target risk is based on the strategic managerial decision where the level of a given risk is determined and fully accepted, which does not mean necessarily zero risk, especially if achieving zero risk would mean inadequate expenses or the lower functioning of a system.
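The rating scale and the total risk matrix described above (residual ratings 1 to 3 accepted and kept on the risk register for monitoring, 4 to 25 prioritized for treatment, ties broken by the business owner's information protection priorities), as an added example that is not part of the original chapter. It assumes f(a, h) = a × h with both a and h rated 1 to 5, which is one common choice and is what produces the 1 to 25 scale; the scenarios and the dataclass field names are constructed for illustration.

```python
"""Risk matrix evaluation: R = f(a, h), inherent vs. residual risk, treatment priority.

Added example (not from the original chapter). Assumption: impact `a` and
probability `h` are each rated 1..5 and combined by multiplication, giving
the 1..25 rating scale; 1..3 is accepted and monitored, 4..25 is treated.
"""
from dataclasses import dataclass
from typing import Optional

ACCEPTABLE_MAX = 3  # ratings 1..3 are acceptable: register and monitor only


@dataclass
class RiskScenario:
    asset: str
    threat: str
    impact: int                  # a: impact of the materialized threat, 1..5
    probability: int             # h: probability of materialization, 1..5
    protection_priority: int     # set by the business owner; 1 = highest
    residual_impact: Optional[int] = None        # after planned measures, if any
    residual_probability: Optional[int] = None


def risk_level(a, h):
    """R = f(a, h); assumed f = a * h on 1..5 scales, yielding 1..25."""
    if not (1 <= a <= 5 and 1 <= h <= 5):
        raise ValueError("impact and probability must be rated 1..5")
    return a * h


def inherent(s):
    """Risk before any existing or planned measures are taken into account."""
    return risk_level(s.impact, s.probability)


def residual(s):
    """Risk after the planned measures; equals the inherent risk if none are planned."""
    a = s.residual_impact if s.residual_impact is not None else s.impact
    h = s.residual_probability if s.residual_probability is not None else s.probability
    return risk_level(a, h)


def evaluate(scenarios):
    """Split residual risks into monitored (accepted) and prioritized treatment.

    Treatment order: higher rating first; equal ratings are ordered by the
    business owner's protection priority.
    """
    monitor, treat = [], []
    for s in scenarios:
        r = residual(s)
        (monitor if r <= ACCEPTABLE_MAX else treat).append((s, r))
    treat.sort(key=lambda sr: (-sr[1], sr[0].protection_priority))
    return {"monitor": [f"{s.asset}/{s.threat}" for s, _ in monitor],
            "treat": [(f"{s.asset}/{s.threat}", r) for s, r in treat]}


def matrix():
    """The 5x5 total risk matrix: rows are impact 1..5, columns probability 1..5."""
    return [[risk_level(a, h) for h in range(1, 6)] for a in range(1, 6)]


# Constructed sample scenarios (not real assessment data).
SAMPLE = [
    RiskScenario("payroll DB", "SQL injection", 5, 4, 1, residual_probability=2),
    RiskScenario("payroll DB", "backup media loss", 4, 2, 1,
                 residual_impact=2, residual_probability=1),
    RiskScenario("web portal", "DDoS", 3, 4, 3, residual_probability=2),
    RiskScenario("HR laptops", "theft", 3, 3, 2, residual_impact=1),
    RiskScenario("intranet wiki", "defacement", 2, 3, 4),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.asset}/{s.threat}: inherent {inherent(s)}, residual {residual(s)}")
    print(evaluate(SAMPLE))
```

Note that the laptop-theft scenario stays at its inherent probability and is accepted only because encryption-style measures lower the impact; both variables in f(a, h) are levers, and the register should record which one a measure acts on so the residual rating can be re-checked when the environment changes.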
  6. Integration of Risk Management with System Development Life Cycle

SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. The risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.

1.  Initiation – in this phase the purpose and scope for the Information System is formulated. Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

2.  Development – the Information System is designed, programmed and developed. The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

 

3.  Implementation – the system security features must be configured, verified, tested and enabled. The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified should be made prior to system operation.

 

4.  Maintenance – the system performs its functions. The system is modified on an ongoing basis through addition of hardware or software and changes to organizational policies, procedures and processes. Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

 

5.  Disposal – This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software. Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

  7. Summary

Risk is the potential harm that may arise from some current process or from some future event. It is a function of the likelihood of a given threat exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization. Risk in the context of Information Systems can be stated as the impact, weighted by the probability that a particular threat-source will exercise (i.e., trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact should this occur. IT-related risks arise from legal liability or loss due to unauthorized disclosure, modification or destruction of information. Unintentional errors and omissions, and disruptions due to natural or man-made disasters, can also pose risks. Other factors may include failure to exercise diligence in the implementation and operation of the IT system. Successful and effective risk management is the basis of successful and effective IT security. Given the reality of limited resources and nearly unlimited threats, a reasonable decision must be made concerning the allocation of resources to protect systems. Risk management practices allow the organization to protect information and business processes commensurately with their value. Establishing and utilizing an effective, high-quality risk management process, and basing the information security activities of the organization on this process, leads to an effective information security program in the organization.


Web Resources

  • http://www.solver.com/risk-analysis-process
  • http://www.cultivate-em.com/
  • www.sciencedirect.com