Risk 2

1. Risk 2 CST 481/598 Many thanks to Jeni Li

2. Visualizing and quantifying risk • Risk matrix or cube • Cost effectiveness analysis • Annualized Loss Expectancy • Multi-Attribute Risk Assessment • Monte Carlo analysis • … et cetera

3. The three basic variables • Vulnerability • Threat • Impact

4. Defining impact • Cost of recovering lost or modified data • Business value of unrecoverable data • Lost productivity due to down time • Replacement cost of physical assets • Fines and penalties • For unauthorized disclosures or posting inaccurate information • Damage compensation to compromised customers • Fines imposed by regulatory agencies • Damage to reputation

5. The basic steps are always the same • (more or less) • Asset identification and valuation • Threat/vulnerability assessment • Risk calculation • Countermeasure selection

6. Risk matrix or cube • From Jones/Ashenden text • R = V x T x I • Useful for visuals and comparisons • Not much else

7. Cost effectiveness analysis • Combines soft and hard numbers • Can use estimates or probability tables • Examples: ROSI, CRAMM

8. Annualized Loss Expectancy • ALE = SLE x ARO • SLE: Single Loss Expectancy • How much will it cost if it happens once? • ARO: Annualized Rate of Occurrence • How many times a year will it happen? • Actual losses will vary, of course • Poisson distribution, Monte Carlo analysis

9. Monte Carlo analysis • Used to introduce “controlled randomness” • Goal: Make estimates more realistic • Often used with ALE models • Used in latest version of ROSI • Many algorithms exist • Some information for the interested • http://en.wikipedia.org/wiki/Monte_Carlo_method

10. CRAMM • Origin: UK government • Commercial software (cramm.com) • Used by UK, NATO, Dutch military, T-Mobile • Used for ISO 27001 compliance • Can be used to justify cost of controls • Based on statistical analysis of other agencies • Detailed departmental questionnaires • Or informed estimates (Express version) • Database of controls • Pre-assigned effectiveness, cost/benefit values

11. ROSI • Origin and user: AU government • Freely available • http://www.gcio.nsw.gov.au/search?SearchableText=rosi • Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment • User-assigned values for TRA descriptions

12. SAEM • Origin: Carnegie-Mellon University • http://www.cs.cmu.edu/~shawnb/ • Based on Multi-Attribute Risk Assessment • Categorizes attributes of impact • Revenue, Reputation, Productivity, Penalties • Likelihood, impact ratings based on industry peer review • Emphasizes coverage of threats • Protect, Detect, React • Doesn’t quantify risk financially

13. Mitigating risk • Avoidance • Reduction • Retention • Transfer

14. Mitigating risk • Avoidance • Reduction • Retention • Transfer

15. Risk avoidance • Get out of (or don’t get into) the risky business • Do this when… • Probability of a loss is high • Potential impact is high • Gain from continuing the function is low

16. Risk reduction • Protect, detect, react • This is what we usually think of in IS • Do this when… • Probability of a loss is high • Potential impact is low

17. Risk reduction • Protect • Prevent the threat from meeting with the vulnerability • Detect • Discover and respond to a threat before it causes too much damage • React (Recover) • Minimize impact after an incident

18. Risk retention • “Cost of doing business” • Live with it when… • Probability of a loss is low • Potential impact is low • Gain from continuing the function is high

19. Risk transfer • Common methods • Buy insurance • Outsource the risky function • Do this when… • Probability of a loss is low • Potential impact is high • Gain from continuing the function is high