How to assess and manage cyber risk
1. How to Assess and Manage Your Cyber Risk
Stephen Cobb, CISSP
Senior Security Researcher
2. Stephen Cobb
Sr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996
and has helped companies large and small to
manage their information security, with a
focus on emerging threats and data privacy
issues. The author of several books and
hundreds of articles on information
assurance, Cobb is part of the research team
at ESET North America, based in San Diego.
3. Today’s topic
• Information technology brings
many benefits to a business,
but IT also brings risks
• Your organization needs to
know how to assess and
manage those cyber risks
• Cyber risk assessment and
management can provide a
powerful hedge against many
of the threats that your
business faces
4. Q1: Has there been a risk analysis of your
organization in the last 12 months?
Polling Question
Yes
No
Not sure
I don’t work for an organization
5. Risk assessment is fundamental
• It’s the basis of your security program
• Your defense in case of a breach
• And a hedge against fines!
Meaningful Use audit of a small optometry
clinic in MN found: “failure to perform a
proper risk assessment and follow policies
and procedures.”
Penalty: Initial incentive payments had to
be repaid, plus 2 more years of payments
totaling more than $40,000 put in doubt
OCR investigation of ePHI
breach at NY hospital
found: “failure to complete
an accurate and thorough
risk analysis identifying all
systems that access ePHI.”
Penalty: Fined $4.8 million.
6. Working definitions
• Follow standards in NIST and HIPAA literature
• Because even if your organization is not
covered by federal standards, the courts will
likely use those standards to determine guilt
But your honor, how on
earth could we have known
that hackers would try to
steal our customers’ data?
My firm has never heard of
this “risk analysis.”
7. Risk Analysis:
• An assessment of the
potential risks and
vulnerabilities to the
confidentiality, integrity,
and availability of
information held (or
collected or processed)
by the organization
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/riskassessment.pdf
8. Risk is…
• The likelihood that a specific threat will occur
• A Vulnerability triggered or exploited by a
Threat equals a Risk
NIST SP 800-30
Vulnerability: your office network is connected to the Internet by a router that contains a software bug
+ Threat: someone wants to steal information of the type that may be stored on your office network
= Risk: the bug in your router will be used by a criminal to penetrate your network and steal information
9. Vulnerability is…
• Flaw or weakness in system security
procedures, design, implementation,
or internal controls that could be
exercised (accidentally triggered or
intentionally exploited) and result in a
security breach or a violation of the
system’s security policy.
10. Threat is…
• The potential for a person or thing to exercise
(accidentally trigger or intentionally exploit)
a specific vulnerability.
Natural threats
Floods, earthquakes,
lightning strikes
Human threats
Unintentional, like
accidentally deleting
a file OR intentional
like installing
malicious software
Environmental threats
Power outage, Internet
connectivity failure,
office evacuation due to
chemical spill
11. Risk is also
• The net mission impact, bearing in mind:
– the probability that
a particular threat
– will exercise
(accidentally trigger or
intentionally exploit)
– a particular vulnerability
– and the resulting impact
if this should occur
NIST SP 800-30
12. Q2: Has your organization experienced a
significant data loss in the last 12 months?
Polling Question
Yes
No
Not sure
I don’t work for an organization
13. Risk and mission impact
• Missed deadline for RFP submission
due to lack of access to data
Vulnerability: your office is easily accessible from the street and the door is unlocked
+ Threat: someone wants to steal the kind of computer hardware you use in your office
= Risk: your computer is stolen, preventing you from meeting an important deadline
14. Risks arise from legal liability or
mission loss due to
1. Unauthorized (malicious or accidental) disclosure,
modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made
disasters
4. Failure to exercise due care and diligence in the
implementation and operation of the IT system.
15. Risk analysis in 8 steps
1. Identify the scope of the analysis
2. Gather data
3. Identify and document potential threats and
vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence
6. Determine potential impact of threat occurrence
7. Determine the level of risk
8. Identify security measures and finalize
documentation
16. Steps 1 and 2
• Identify the scope of the analysis
– Is this an IT security risk analysis?
– General risk, company-wide?
– Department or project specific?
• Gather data
– Within the above bounds, make sure you are
comprehensive in your data gathering with
respect to assets and processes in scope
– Seek a range of perspectives
17. #3 Threats and Vulnerabilities
• Identify and document potential
threats and vulnerabilities
– This is where you need to be current or
your analysis will be flawed
– Are you aware of all the threats?
– Do you understand all of the
vulnerabilities?
– Consider an audit or pen-test at this stage?
18. #4 Assess current security measures
• This can be done internally, but an outside
view might be more perceptive
• Real world, healthcare company internal
versus external findings:
• “We require passwords to be changed every six months”
• The system allowed passwords to remain unchanged
• “We delete access for all ex-employees”
• Several dozen ex-employees still had access
• “We use antivirus on all our endpoints”
• But it was turned off in the HR department
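The gap between what a policy says and what the systems show is exactly what step 4 is meant to surface. As an added example (not from the slides or from ESET), here is a small Python check that tests the three claims above against constructed HR, directory and endpoint data; the field names and the 182-day cutoff are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data standing in for an HR feed, a directory export and an
# endpoint inventory; every name and value below is invented for this example.
TODAY = date(2014, 6, 1)
MAX_PASSWORD_AGE_DAYS = 182  # the stated policy: "changed every six months"

accounts = [
    {"user": "alice", "pw_changed": date(2014, 3, 10), "status": "active", "enabled": True},
    {"user": "bob", "pw_changed": date(2013, 1, 5), "status": "active", "enabled": True},
    {"user": "carol", "pw_changed": date(2014, 5, 2), "status": "terminated", "enabled": True},
    {"user": "dave", "pw_changed": date(2013, 11, 20), "status": "terminated", "enabled": False},
]

endpoints = [
    {"host": "fin-01", "dept": "Finance", "av_running": True},
    {"host": "hr-01", "dept": "HR", "av_running": False},
    {"host": "hr-02", "dept": "HR", "av_running": False},
]

def stale_passwords(accounts, today=TODAY, max_age=MAX_PASSWORD_AGE_DAYS):
    """Enabled accounts whose password is older than the policy allows."""
    cutoff = today - timedelta(days=max_age)
    return sorted(a["user"] for a in accounts if a["enabled"] and a["pw_changed"] < cutoff)

def ex_employees_with_access(accounts):
    """Accounts HR marks as terminated that are still enabled in the directory."""
    return sorted(a["user"] for a in accounts if a["status"] == "terminated" and a["enabled"])

def endpoints_without_av(endpoints):
    """Endpoints where the antivirus agent is not running, grouped by department."""
    missing = {}
    for e in endpoints:
        if not e["av_running"]:
            missing.setdefault(e["dept"], []).append(e["host"])
    return missing

def verify_claims(accounts, endpoints):
    """Map each stated control to its evidence; a non-empty finding means the claim fails."""
    return {
        "passwords changed every six months": stale_passwords(accounts),
        "access deleted for all ex-employees": ex_employees_with_access(accounts),
        "antivirus on all endpoints": endpoints_without_av(endpoints),
    }

if __name__ == "__main__":
    for claim, finding in verify_claims(accounts, endpoints).items():
        print(f"{claim}: {'OK' if not finding else finding}")
```

The same three checks run against real exports are the "external findings" column of the slide; the stated policy alone is only the internal one.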
20. 6+7: Determine potential impact of threat
occurrence and level of risk
• Risks can be rated Low to High
• Based on Consequence and Occurrence Rate
Risk matrix (Occurrence Rate vs. Consequences):
– High occurrence rate, low consequences: human errors
– Low occurrence rate, high consequences: earthquake
After: Jacobs, CSH6, Wiley
21. 6+7: Impact of threat and level of risk
• Annualized Loss Exposure or ALE =
  Threat Occurrence Rate (number per year) ×
  Threat effect factor (0.0 to 1.0) ×
  Loss potential (in $$)
Example: Malware Infection
– Threat Occurrence Rate: 2 per month
– Limited impact: 0.5
– Loss potential: $25,000
– ALE = $600,000
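As an added worked example (not from the slides), the ALE formula from slide 21 and a quadrant rating in the spirit of the slide 20 matrix, covering steps 5 to 7 of the 8-step analysis. Multiplying all three stated factors for the slide's malware case (24 per year × 0.5 × $25,000) gives $300,000; the slide's $600,000 is what occurrence rate × loss potential gives before the 0.5 effect factor is applied. The rating thresholds and the other threats are constructed assumptions.

```python
# Constructed worked example of ALE and a qualitative rating; thresholds are assumed.

def annualized_loss_exposure(occurrences_per_year, effect_factor, loss_potential):
    """ALE = occurrence rate (per year) x effect factor (0.0-1.0) x loss potential ($)."""
    if not 0.0 <= effect_factor <= 1.0:
        raise ValueError("effect factor must be between 0.0 and 1.0")
    if occurrences_per_year < 0 or loss_potential < 0:
        raise ValueError("rate and loss potential must be non-negative")
    return occurrences_per_year * effect_factor * loss_potential

def rate_risk(occurrences_per_year, loss_potential,
              rate_threshold=1.0, loss_threshold=100_000):
    """Quadrant rating: High when both occurrence and consequence are high,
    Low when both are low, Moderate otherwise (assumed thresholds)."""
    frequent = occurrences_per_year >= rate_threshold
    severe = loss_potential >= loss_threshold
    if frequent and severe:
        return "High"
    if frequent or severe:
        return "Moderate"
    return "Low"

# (threat, occurrences per year, effect factor, loss potential in $); the first
# row uses the slide's malware figures, the rest are invented for illustration.
threats = [
    ("Malware infection", 2 * 12, 0.5, 25_000),
    ("Lost laptop with unencrypted data", 3, 1.0, 150_000),
    ("Human error (deleted file)", 50, 0.1, 2_000),
    ("Earthquake", 0.02, 1.0, 2_000_000),
]

def risk_register(threats):
    """Rows with ALE and rating, sorted by ALE with the largest exposure first."""
    rows = [{"threat": name,
             "ale": annualized_loss_exposure(rate, effect, loss),
             "rating": rate_risk(rate, loss)}
            for name, rate, effect, loss in threats]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

if __name__ == "__main__":
    for row in risk_register(threats):
        print(f"{row['threat']:<34} ALE=${row['ale']:>12,.0f}  rating={row['rating']}")
```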
22. #8 Identify security measures and
finalize documentation
• Important to document everything
• Risk analysis is not just an exercise
• Should lead to informed choices about
security measures, in other words
• Risk management
23. Risk management consists of…
• Identifying risks
– Risk Identification
• Assessment and
classification of risks
– Risk Assessment
• Dealing with risks
– Risk Strategy
Definite overlap
with risk analysis
This is where
Management
comes into play
24. 4 ways of addressing risks
• Avoidance
– Don’t make that movie about that dictator
• Reduction
– Make sure all systems are patched regularly
• Acceptance
– Take a calculated risk
• Transfer
– Buy insurance
25. Help is available
• Engage an expert to set the baseline
• Use the tools that are available
– CompTIA Security Assessment Wizard
– HHS Security Risk Assessment Tool
– DHS Cyber Security Evaluation Tool
– OCTAVE from CERT
30. OCTAVE: 8 steps in 4 phases
1. Develop risk measurement criteria consistent with
the organization's mission, goal objectives, and
critical success factors.
2. Create a profile of each critical information asset
that establishes clear boundaries for the asset,
identifies its security requirements, and identifies
all of its containers.
3. Identify threats to each information asset in the
context of its containers.
4. Identify and analyze risks to information assets
and begin to develop mitigation approaches.
34. Q5: I would like access to one of the
following:
Polling Question
Contact from ESET Sales
A custom business edition trial of ESET
software which includes our Remote
Administrator
A product demo of ESET Endpoint Solutions
Information on becoming a reseller partner
or MSP
None of the Above