Threat Based Risk Assessment
2. © Michael Lines
cyberadvisor@protonmail.com
Introduction
My Objectives
• Provide you food for thought regarding how to structure a risk assessment for your organization
• Familiarize you with risk assessment terms and present a risk assessment process to consider in case you have not performed a risk assessment before
• Help you understand the drivers for risk assessments, in particular how to meet the needs of both the business (including the board) and your information security program
3. Introduction
My Credentials
• Past 17 years focused on Information Security
• Developed and led the managed security services organization for Exodus Communications
• First Global CISO at Fair Isaac Corp
• First Global CISO at TransUnion
• Global CISO for PriceWaterhouseCoopers LLP
• Global CISO for D+H Ltd
• Now an independent advisor to boards and management on cyber security
4. Introduction
Disclaimer
• The information presented here is a compilation of my observations and experience as to what works (and what doesn’t) in information security risk assessment over my career
• The methodology presented is my own and is not intended to represent the practice of any particular organization
• The examples used are for demonstration purposes only and do not represent the security state of any particular organization
• Finally, the approach and discussion today are focused on macro or enterprise level risk
6. Why assess risk?
"We were not able to prevent the accident from happening because we stopped thinking," said Yuichi Okamura, a Tepco company spokesman.
"We were not able to think beyond a certain point, such as that a tsunami might be higher and what would happen to the plant if that scenario did occur. We didn't think what would happen if the safety equipment did not function as it was meant to."
The Telegraph article on the Fukushima disaster, March 2016
8. Why assess risk?
Regulators (and regulations) demand it
Industry | Risk Requirements
Retailers | PCI DSS v3.1 12.2
Healthcare | 45 CFR 164.308(a)(1)(ii)(A) (part of HIPAA Security Rule)
Financial Services | GLBA Section 501(b); 16 CFR 314.4(b) (part of Safeguards Rule)
Federal Agencies | FISMA 44 USC 3544(b)(1)
9. Why assess risk?
Boards and management need it
• From the NACD Cyber Risk Oversight - Director’s Handbook
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework.
5. Board-management discussion of cyber risks should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
10. Why assess risk?
Your Information Security program requires it
• From ISO 27001:2013
  • Information security management systems (ISMS)
  • 6.1.2 Information Security Risk Assessment
  • 6.1.3 Information Security Risk Treatment > SOA (Statement of Applicability)
• From NIST
  • 800-30 Guide for Conducting Risk Assessments
  • 800-37 Guide for Applying the Risk Management Framework
  • 800-39 Managing Information Security Risk
  • 800-53r4 Security and Privacy Controls
• From ISF Standard of Good Practice
  • SR1 Information Risk Assessment
  • IRAM Information Risk Assessment Methodology
11. Risk assessment challenges
• General agreement on the overall approach, no consensus on the details
• Can be challenging in terms of where to start
• Easy to over-analyze risk
  • “Forest for the trees” syndrome
  • Analysis paralysis
  • “Angels on the head of a pin” arguments
• Can easily become very costly to perform and maintain
• Easy to confuse management and frustrate the business
14. Risk terms and calculations
• L = (P x V)/5
  • P = Prevalence
  • V = Vulnerability to Threat
• R = L x I
  • R = Inherent Risk
  • L = Inherent Likelihood of Threat
  • I = Impact should Threat be successful or occur
• RR = cL x cI
  • RR = Residual Risk
  • cL = Compensated Likelihood of Threat
  • cI = Compensated Impact should Threat be successful or occur
15. Risk terms and calculations
Scales (each factor scored 1 to 5; steps 2 and 4 fall between the labelled values)
Prevalence: 1 = Rare, Unlikely, Not in Wild; 3 = Possible; 5 = Widespread, Certain
Vulnerability: 1 = Completely invulnerable; 3 = Partially protected; 5 = Completely vulnerable
Impact: 1 = Minor impact; 3 = Moderate impact; 5 = Major impact (share, legal)
Risk rating matrix (rows = Likelihood, columns = Impact)
Likelihood \ Impact | 1 | 2 | 3 | 4 | 5
5 | Low | Medium | High | High | Critical
4 | Low | Medium | Medium | High | High
3 | Low | Low | Medium | Medium | High
2 | Low | Low | Low | Medium | Medium
1 | Low | Low | Low | Low | Low
16. Risk terms and calculations
A medical example - Influenza
• Inherent risk
  • Prevalence - Flu Season - (5)
  • Vulnerability - Elderly, non-vaccinated - (5)
  • Impact - Hospitalization - (4)
  • Risk - High (20)
• Compensating Control - Flu Vaccine
• Residual risk
  • Prevalence - Flu Season - (5)
  • Vulnerability - Elderly, vaccinated - (3)
  • Impact - Moderate Illness - (3)
  • Risk - Medium (9)
17. Threat based risk analysis
What is an effective risk assessment program?
• One which:
  • Gathers data regarding the information and technology assets of the organization, threats to those assets, vulnerabilities, existing security controls and processes, and the current security standards and requirements;
  • Analyzes the probability and impact associated with the known threats and vulnerabilities to their assets; and
  • Prioritizes the risks present due to threats and vulnerabilities to determine the appropriate level of training, controls, and assurance necessary for effective mitigation.
* From FFIEC Information Technology Examination Handbook
19. Threat based risk analysis
What are the threats that come from these actors?
Malicious Data Loss NS OC H MI CE
Web/Application Compromise X X X X
Malicious Emails X X X X X
Malicious Websites X X X X X
3rd Party Compromise X X X X
21. Threat based risk analysis
What are the threats that come from these actors?
Business Disruption NS OC H MI CE
Denial of Service X X X X
Business Process Disruption X X X X X
Facilities Attack X X X X
Ransomware X X X X
23. Threat based risk analysis
An example threat analysis
• Compensating controls are added to reduce risk
• Answers the questions – what’s the threat, is it meaningful to us (inherent risk score), what are we doing about it (or need to do about it – drives action), do we think it is enough (vs risk tolerance), how much does or will this cost us.
Inherent Risk Rating
Threat # | Threat | Prevalence | Vulnerability | Impact | Inherent Risk | Residual Risk | Deployment Status | Capex $ | Opex $
1 | Emails are received containing malicious links or attachments | 4 | 5 | 5 | 20 | 10 | In Progress | $450,000 | $105,000
Residual Risk Rating
CC # | Compensating Control | Prevalence | Vulnerability | Impact | Residual Risk | Deployment Status | Capex $ | Opex $
1 | APT solution to detect malicious attachments | 4 | 2 | 5 | 8 | Proposed | $250,000 | $60,000
2 | Web proxy to stop access to malicious websites | 4 | 3 | 5 | 12 | In Progress | $100,000 | $25,000
2 | Antivirus on endpoints to stop malicious attachments | 4 | 3 | 5 | 12 | Complete | $100,000 | $20,000
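The scoring arithmetic from the "Risk terms and calculations" slides (L = (P x V)/5, R = L x I, RR = cL x cI, plus the rating matrix) carried through in code, as an added example that is not part of the deck; it reproduces the influenza figures and the phishing-email threat above with its three compensating controls. Two things are assumptions rather than slide content: a fractional likelihood is rounded to the nearest matrix row before the rating lookup, and the tolerance check is an added helper.

```python
RATING_LEVELS = ["Low", "Medium", "High", "Critical"]

# Rating matrix from slide 15: keyed by likelihood 5..1, indexed by impact 1..5.
RATING = {
    5: ["Low", "Medium", "High", "High", "Critical"],
    4: ["Low", "Medium", "Medium", "High", "High"],
    3: ["Low", "Low", "Medium", "Medium", "High"],
    2: ["Low", "Low", "Low", "Medium", "Medium"],
    1: ["Low", "Low", "Low", "Low", "Low"],
}

def _check(name, value):
    """Every factor on the deck's scales is a whole number from 1 to 5."""
    if not (isinstance(value, int) and 1 <= value <= 5):
        raise ValueError(f"{name} must be a whole number from 1 to 5, got {value!r}")
    return value

def likelihood(prevalence, vulnerability):
    """L = (P x V) / 5."""
    return _check("prevalence", prevalence) * _check("vulnerability", vulnerability) / 5

def score(prevalence, vulnerability, impact):
    """Return (risk score, rating) for one row of the threat table.

    Score is R = L x I rounded to a whole number, which reproduces the deck's
    figures (3, 4, 4 -> 10). The rating comes from the matrix; because it only
    tabulates whole-number likelihoods, L is rounded to the nearest row first
    (an assumption, not something the slides state).
    """
    lk = likelihood(prevalence, vulnerability)
    row = min(5, max(1, round(lk)))
    return round(lk * _check("impact", impact)), RATING[row][impact - 1]

def residual_after_control(prevalence, c_vulnerability, c_impact):
    """RR = cL x cI: the same arithmetic on the compensated factors."""
    return score(prevalence, c_vulnerability, c_impact)

def exceeds_tolerance(rating, tolerance):
    """True when a rating sits above the level management has agreed to accept."""
    return RATING_LEVELS.index(rating) > RATING_LEVELS.index(tolerance)

if __name__ == "__main__":
    # Slide figures: influenza inherent vs vaccinated, then the phishing-email
    # threat with its three compensating controls (slide 23).
    print(score(5, 5, 4), score(5, 3, 3))
    print(score(4, 5, 5), [residual_after_control(4, v, 5) for v in (2, 3, 3)])
```

Note that the slide gives the threat-level residual as 10 while the three controls score 8, 12 and 12; how per-control residuals roll up to one threat figure is a judgement the deck does not spell out, so the code reports them separately.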
24. Threat based risk analysis
An example threat assessment summary
• Management sets the level of acceptable risk (risk tolerance)
• Not all threats have to be mitigated; management can accept the risk
• Regular risk assessment meetings should focus on incident reviews, deployment status updates and changes to threats or risk ratings that drive the need for reassessment of controls
• All risks should be reviewed annually in light of actual incidents, company changes and changes in the threat environment
Inherent Risk Rating
Threat # | Threat | Likelihood | Vulnerability | Impact | Inherent Risk | Residual Risk | Deployment Status | Capex $ | Opex $
1 | Emails are received containing malicious links or attachments | 4 | 5 | 5 | 20 | 10 | In Progress | $450,000 | $105,000
2 | Emails are received that trick users to divulge information | 4 | 5 | 4 | 16 | 8 | Complete | $75,000 | $10,000
3 | Order website is disabled by DOS attack | 3 | 4 | 4 | 10 | 10 | Risk accepted | $0 | $0
25. In conclusion
Proposed approach
• Focus on threats to the entire enterprise
• Consider asset classes instead of individual systems
• Start at the top with fundamental controls
• And finally… (JFDI)
“A good plan violently executed now is better than a perfect plan executed next week.”
General George S. Patton
26. For further information
Michael Lines
—————————————
Advisor to Boards and Management on Security Governance, Assessment, Operations and Remediation
email: cyberadvisor@protonmail.com
Articles and further information available at
https://www.linkedin.com/in/michaellines