1. Lightweight Cybersecurity Risk
Assessment Tools for
Cyberinfrastructure
Jim Basney <jbasney@ncsa.illinois.edu>
URISC@SC17
This material is based upon work supported by the National Science Foundation under grant number 1547272. Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

2. Risk Assessment: Motivation
Implement cybersecurity “best practices”
Create an inventory of your project's assets
Think critically about potential risks
Develop risk mitigations
Understand accepted risks

3. Risk Assessment Tools
Risk Self-Evaluation Spreadsheet
https://goo.gl/9x1NdQ
Risk Assessment Table
http://trustedci.org/guide/docs/RAtable
Copies also in https://go.ncsa.illinois.edu/URISC

4. Risk Self-Evaluation: Sections
Policy and Procedure
Host Protection
Network Security
Physical Security
Monitoring and Logging

5. Risk Self-Evaluation: Layout

6. Risk Self-Evaluation: Example

7. Risk Self-Evaluation: Potential Strategies
View project as a whole
Divide project into parts
Conceptual components
Location-based
Existing vs Planned
Have personnel fill out what they know

8. Risk Self-Evaluation: Discussion

9. I Did the Risk Self-Evaluation! Now What?
Address any issues
Mitigated = “Partial”, “No”, or “Unknown”
Schedule a re-check in 3 months
Give report to management
Start a more complete Risk Assessment
http://trustedci.org/guide/docs/RAtable

10. Risk Assessment Process
Risk Assessment Table
http://trustedci.org/guide/docs/RAtable
CTSC Guide to Developing Cybersecurity Programs
https://trustedci.org/guide
NIST 800-30: Risk Management Guide for
Information Technology Systems
http://doi.org/10.6028/NIST.SP.800-30

11. 1. System Characterization
Describe the system resources used by the project
Break down the system by location, function, information flow, etc.
Use an Information Asset Inventory
https://trustedci.org/guide/docs/IAI

12. 2. Threat Identification
Threat is the potential for a particular source to exploit a particular vulnerability
toward a malicious end.
Threats consist of sources (e.g., humans, natural disasters, power outages),
motivations (e.g., monetary gain, espionage), and actions (e.g., hacking, social
engineering).
Identifying threats often involves looking at old attack data and noting which
threats are applicable today.

13. 3. Vulnerability Identification
A vulnerability is a flaw or weakness in a system’s security procedures, design,
implementation, or internal controls that could potentially be exercised by a
threat agent to result in a breach or violation of the system's security policy.
The Risk Assessment Table reflects the vulnerabilities as a combination of the
columns “Asset”, “Attack Surface”, and “Threat Description”.

14. 4. Control Analysis
Security controls are mechanisms put in place to mitigate the risk of threats being
being realized by exploiting vulnerabilities.
Controls can be administrative (e.g., policies, standards, guidelines, training and
other processes), technical/logical (e.g., authentication and authorization
systems, file permissions, firewalls, intrusion detection systems, etc.), or physical
(e.g., locked file cabinets, secured data centers, cameras, fences, etc.).
The “Current Controls” column of the Risk Assessment Table lists any controls in
place for the associated risk. The “Control Effectiveness” column is an estimation
of how effective the current control is, using a scale from 1 (ineffective) to 5
(extremely effective).
Control Effectiveness
5 Extremely effective
4 Very effective
3 Moderately effective
2 Minimally effective
1 Ineffective

15. 5. Likelihood Determination
When ranking likelihood, consider not only the specifics of the vulnerability, but
also motivation and capability of a potential threat source.
Likelihood Estimation
5 Constant or extremely frequent, > 85%
4 Very frequent, 60% - 85%
3 Somewhat frequent, 30% - 60%
2 Infrequent, 10% - 30%
1 Rarely, if ever, < 10%

16. 6. Impact Analysis
The impact of any exploit depends upon (1) the mission of the project, (2) the
criticality of the vulnerable system or data, and (3) the sensitivity of the affected
system or data.
Impact from a security incident could affect the integrity, availability, or
confidentiality of a system or data. Depending on the subsystem affected, we
could be concerned more with one kind of impact than another. However, the
impact on each of these three properties should be considered for any potential
exploit.
On method to make the impact of an exploited vulnerability more concrete is to
estimate a dollar amount for the impact of an incident.
Impact Estimation
5 Catastrophic, > $1M
4 Major, $250K - $1M
3 Moderate, $50K - $250K
2 Minor, up to $50K
1 Insignificant, ~$100s

17. Sort the Risk Assessment Table by “Residual Risk” to find the vulnerabilities which
have a high risk, taking into account the current controls in place. These are the
risks that should be addressed first.
7. Risk Determination & Recommendations
Inherent Risk = Likelihood * Impact
Risk
20 – 25 Very High
14 – 19 High
9 – 13 Medium
4 – 8 Low
0 – 3 Negligible
Residual Risk = Inherent Risk * (6-Control Effectiveness)/5

18. Risk Assessment Table: Discussion

19. 19
Cybersecurity Guides and Tools
● Addressing concerns unique to science
● Policy templates:
Acceptable Use, Access Control,
Asset Management, Disaster Recovery,
Incident Response, Inventory, Awareness,
Physical Security, ...
● Risk assessment table
● Securing commodity IT
● Self-assessment Tool
● Identity Management Best Practices
https://trustedci.org/guide

20. Thanks!
https://go.ncsa.illinois.edu/URISC
https://trustedci.org/webinars
https://trustedci.org/guide
jbasney@ncsa.illinois.edu