7/30/2019 000 Risk & Precautions Cyberlaw
Risk Management
How Much to Invest in Security?

How much is too much? (security costs)
- Firewall
- Intrusion Detection/Prevention
- Guard
- Biometrics
- Virtual Private Network
- Encrypted Data & Transmission
- Card Readers
- Policies & Procedures
- Audit & Control Testing
- Antivirus / Spyware
- Wireless Security

How much is too little? (losses)
- Hacker attack
- Internal Fraud
- Loss of Confidentiality
- Stolen data
- Loss of Reputation
- Loss of Business
- Penalties
- Legal liability
- Theft & Misappropriation

Security is a balancing act between security costs and losses.
Risk Management

Risk management strategies are determined by both internal factors (e.g. organizational structure) and external factors.
Risk Management Process

Risk Assessment:
- Establish Scope & Boundaries: What to investigate? What to consider?
- Identification: What assets & risks exist?
- Analysis: What does this risk cost?
- Evaluation: What priorities shall we set?

Risk Treatment:
- Avoid / Reduce / Transfer / Retain: What controls can we use?
- Accept Residual Risk

Risk Communication & Monitoring run alongside every stage.
Risk Appetite

Do you operate your computer with or without antivirus software?
Do you have antispyware?
Do you open emails with forwarded attachments from friends, or follow questionable web links?
Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.
Continuous Risk Mgmt Process

Cycle, guided by Risk Appetite:
Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> (repeat)

Why it must be continuous:
- Risks change with time as business & environment change
- Controls degrade over time and are subject to failure
- Countermeasures may open new risks
Security Evaluation: Risk Assessment

Five steps:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement
5. Treat Risk: Survey & select new controls; Reduce, Transfer, Avoid or Accept risk
Step 1: Determine Value of Assets

Identify & determine the value of assets (Crown Jewels). Assets include:
- IT-related: information/data, hardware, software, services, documents, personnel
- Other: buildings, inventory, cash, reputation, sales opportunities

Questions to ask:
- What is the value of this asset to the company?
- How much of our income can we attribute to this asset?
- How much would it cost to recover this?
- How much liability would we be subject to if the asset were compromised?

Helpful websites: www.attrition.org
Determine Cost of Assets

[Diagram: Sales broken down into Product A, Product B and Product C. For each product, record the risk costs:
Replacement Cost = ; Cost of loss of integrity = ; Cost of loss of availability = ; Cost of loss of confidentiality = ]

Costs: tangible in $; intangible as High/Med/Low.
Matrix of Loss Scenario (taken from CISM Exhibit 2.16)

Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year plan | Min. | Min. | Min. | $20M | $2M
Backup tapes and cust. data found in garbage; makes front-page news | 10M records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K records | $5M | $10M | Min. | Min. | $200K
Step 1: Determine Value of Assets

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | Breach Notification Law
Equipment | $10,000 | $2K per day in income | Availability |
Step 2: Determine Loss Due to Threats

- Natural: flood, fire, cyclones, rain/snow/hail and earthquakes
- Unintentional: fire, water, building damage/collapse, loss of utility services, and equipment failure
- Intentional: fire, water, theft, vandalism
- Intentional, non-physical: fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service
Threat Agent Types

Threat Agent | Motivation | Typical Action
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | Info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Step 2: Determine Threats Due to Vulnerabilities

System vulnerabilities:
- Behavioral: unsatisfied employee, uncontrolled processes, poor network design, improperly configured equipment
- Misinterpretation: poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
- Coding problems: security ignorance, poorly-defined requirements, defective software, unprotected communication
- Physical vulnerabilities: fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3: Estimate Likelihood of Exploitation

Best sources:
- Past experience
- Specialists and expert advice
- Economic, engineering, or other models
- Market research & analysis
- Experiments & prototypes
Likelihood of Exploitation: Sources of Losses

Source: 2009 Annual Study: evaluation of 31 organizations

Lost laptop/device: 35%
Third party or outsourcer: 21%
Electronic backup: 19%
Paper records: 9%
Malicious insider or code: 9%
Hacked system: 7%
Step 4: Compute Expected Loss

Risk analysis strategies:
- Qualitative: prioritizes risks so that the highest risks can be addressed first. Based on judgment, intuition, and experience; may factor in reputation, goodwill, non-tangibles.
- Quantitative: measures the approximate cost of impact in financial terms.
- Semi-quantitative: combination of qualitative & quantitative techniques.
Step 4: Compute Loss Using Qualitative Analysis

Qualitative analysis is used:
- As a preliminary look at risk
- With non-tangibles, such as reputation and image -> market share, share value
- When there is insufficient information to perform a more quantified analysis
Vulnerability Assessment Quadrant Map

[Chart: threats plotted by Threat (Probability) on one axis against Vulnerability (Severity) on the other. Items plotted: Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder.]
Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact:
1. Insignificant: no meaningful impact
2. Minor: impacts a small part of the business, $1M
3. Major
4. Material: requires external reporting, >$200M
5. Catastrophic: failure or downsizing of company

Likelihood:
1. Rare
2. Unlikely: not seen within the last 5 years
3. Moderate: occurred in the last 5 years, but not in the last year
4. Likely: occurred in the last year
5. Frequent: occurs on a regular basis

Risk = Impact * Likelihood
Semi-Quantitative Impact Matrix (cell = Impact x Likelihood)

Impact \ Likelihood   Rare(1)  Unlikely(2)  Moderate(3)  Likely(4)  Frequent(5)
Catastrophic(5)          5         10           15          20           25
Material(4)              4          8           12          16           20
Major(3)                 3          6            9          12           15
Minor(2)                 2          4            6           8           10
Insignificant(1)         1          2            3           4            5
Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): the cost to the organization if one threat occurs once.
E.g. stolen laptop = replacement cost + cost of installing special software and data (assumes no liability).
SLE = Asset Value (AV) x Exposure Factor (EF). EF is the fraction of the asset's value lost in a single occurrence; it is normally at most 1.0, but once consequential costs (reinstallation, breach notification) are counted, a stolen laptop's SLE exceeds its replacement value, i.e. EF > 1.0.

Annualized Rate of Occurrence (ARO): probability or frequency of the threat occurring in one year.
If a fire occurs once every 25 years, ARO = 1/25 = 0.04.

Annual Loss Expectancy (ALE): the annual expected financial loss to an asset, resulting from a specific threat.
ALE = SLE x ARO
Risk Assessment Using Quantitative Analysis

Quantitative example: cost of a HIPAA accident with insufficient protections.
SLE = $50K fine + (1 year in jail, valued at) $100K = $150K, plus loss of reputation (not quantified)
Estimated frequency: once in 10 years or less, so ARO = 0.1
Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K
Annualized Loss Expectancy

ALE for a loss expected once per period, by asset value:

Asset Value ->     $1K    $10K    $100K    $1M
Once per 1 Yr      1K     10K     100K     1000K
Once per 5 Yrs     200    2K      20K      200K
Once per 10 Yrs    100    1K      10K      100K
Once per 20 Yrs    50     500     5K       50K

Example: asset costs $10K, risk of loss 20% per year (once in 5 years).
Over 5 years the expected loss totals $10K, i.e. $2K per year.
Spend up to $2K each year to prevent the loss.
Quantitative Risk Workbook

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | .05 (once in 20 years) | $50K
Laptop | Stolen | $1K + $9K (breach notif.) = $10K | 0.2 (once in 5 years) | $2K
Step 5: Treat Risk

- Risk Acceptance: handle the attack when necessary. E.g.: comet hits. Ignore the risk if the risk exposure is negligible.
- Risk Avoidance: stop doing the risky behavior. E.g.: do not use Social Security Numbers.
- Risk Mitigation: implement a control to minimize the vulnerability. E.g.: purchase & configure a firewall.
- Risk Transference: pay someone to assume the risk for you. E.g.: buy malpractice insurance (doctor). While the financial impact can be transferred, legal responsibility cannot.
- Risk Planning: implement a set of controls.
NIST Risk Assessment Methodology

Activity | Input | Output
System Characterization | | System boundary; system functions; system/data criticality; system/data sensitivity
Identify Threats | Company history; intelligence agency data: NIPC, OIG | List of threats
Identify Vulnerabilities | Audit & test results | List of vulnerabilities
Analyze Controls | | List of current & planned controls
Determine Likelihood | | Likelihood rating
Analyze Impact | Business Impact Analysis; data criticality & sensitivity analysis | Impact rating
Determine Risk | | Documented risks
Recommend Controls | | Recommended controls
Document Results | | Risk Assessment Report
Control Types

[Diagram: a Threat creates an Attack; the Attack exploits a Vulnerability and results in an Impact. Controls are placed along this chain:
- Deterrent Control: reduces the likelihood of the threat
- Preventive Control: reduces the likelihood of the attack / decreases the vulnerability
- Detective Control: detects the attack
- Corrective Control: decreases the impact
- Compensating Control]
[Diagram: Threat -> Vulnerability -> Impact, with Risk Probability shown against the threat. Deterrent, preventive, detective, corrective and mitigating controls act on the chain; what remains after the controls is the Residual Risk.]
Controls & Countermeasures

The cost of a control should never exceed the expected loss assuming no control.

Countermeasure = targeted control, aimed at a specific threat or vulnerability.
- Problem: the firewall cannot process packets fast enough due to IP packet attacks
- Solution: add a border router to eliminate invalid accesses before they reach the firewall
Analysis of Risk vs. Controls Workbook

Risk | ALE or Score | Control | Cost of Control
Stolen Laptop | $1K ($9K Breach Notif. Law) | Encryption | $60
Disk Failure | $3K per day | RAID | $750
Hacker | $9K Breach Notif. Law | Firewall | $1K

Cost of some controls is shown in the Case Study Appendix.
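The quantitative workbook (SLE x ARO = ALE) and the risk-vs-controls workbook above are the two halves of one calculation: does the control cost less than the loss it removes? The script below is an added example, not part of the lecture, that carries the lecture's own figures through that calculation (building fire $1M once in 20 years; laptop $1K + $9K breach notification once in 5 years; encryption $60, firewall $1K, RAID $750). Everything else is an assumption made here for illustration and labelled as such in the code: the ARO of the "Hacker" row and the downtime per disk failure (the slides give only "$9K" and "$3K per day"), the residual SLE/ARO each control leaves behind, and the hypothetical "armed courier" control used to show a control that the rule rejects.

```python
"""Quantitative risk workbook: SLE x ARO = ALE, then control cost-benefit.

Added example (not from the lecture). Workbook figures for building fire,
stolen laptop, hacker/breach notification, disk failure and control costs
are the lecture's; every residual-risk effect of a control, the hacker ARO,
and the disk-failure downtime are ASSUMPTIONS made here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a threat expected once every N years (fire every 25 years -> 0.04)."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sle: float  # single loss expectancy: replacement + consequential loss, $
    aro: float  # annualized rate of occurrence, events per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Values after the control is in place; None means "unchanged".
    sle_after: Optional[float] = None  # the control reduces impact
    aro_after: Optional[float] = None  # the control reduces likelihood


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains (residual risk) once the control is applied."""
    sle = risk.sle if control.sle_after is None else control.sle_after
    aro = risk.aro if control.aro_after is None else control.aro_after
    return sle * aro


def control_value(risk: Risk, control: Control) -> float:
    """Annual value of a safeguard = ALE before - ALE after - annual control cost.

    A positive value means the control pays for itself. The lecture's rule
    ("cost of control should never exceed the expected loss") is the special
    case annual_cost > ALE before, which can never give a positive value.
    """
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def recommend(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Control with the highest positive value, or None (retain/accept the risk)."""
    best = max(candidates, key=lambda c: control_value(risk, c), default=None)
    if best is None or control_value(risk, best) <= 0:
        return None
    return best


# Workbook rows with the lecture's figures: fire once in 20 years on a $1M
# building; laptop $1K replacement + $9K breach notification, stolen once in 5 years.
BUILDING_FIRE = Risk("Building", "Fire", sle=1_000_000, aro=aro_from_interval(20))
STOLEN_LAPTOP = Risk("Laptop", "Stolen", sle=1_000 + 9_000, aro=aro_from_interval(5))
# ASSUMED: one breach-notification event per year; disk failure every 2 years
# costing 2 days of the lecture's "$3K per day".
HACKER = Risk("Customer data", "Hacker", sle=9_000, aro=1.0)
DISK_FAILURE = Risk("Server disk", "Failure", sle=3_000 * 2, aro=aro_from_interval(2))

# Control costs from the lecture ($60, $1K, $750); residual effects ASSUMED:
# encryption leaves only the $1K hardware loss, firewall cuts hacker ARO to 0.1,
# RAID cuts disk-failure ARO to 0.05. The courier control is hypothetical.
ENCRYPTION = Control("Full-disk encryption", annual_cost=60, sle_after=1_000)
FIREWALL = Control("Firewall", annual_cost=1_000, aro_after=0.1)
RAID = Control("RAID", annual_cost=750, aro_after=0.05)
COURIER = Control("Armed courier for laptops", annual_cost=5_000, aro_after=0.0)


def workbook() -> List[Tuple[str, float, Optional[str], float]]:
    """One row per risk: (label, ALE, recommended control or None, annual value)."""
    rows = []
    for risk, candidates in [
        (BUILDING_FIRE, []),
        (STOLEN_LAPTOP, [ENCRYPTION, COURIER]),
        (HACKER, [FIREWALL]),
        (DISK_FAILURE, [RAID]),
    ]:
        best = recommend(risk, candidates)
        rows.append((f"{risk.asset}/{risk.threat}", risk.ale,
                     best.name if best else None,
                     control_value(risk, best) if best else 0.0))
    return rows


if __name__ == "__main__":
    for label, ale, ctrl, value in workbook():
        print(f"{label:<22} ALE ${ale:>9,.0f}  "
              f"{ctrl or 'accept/retain risk':<26} value ${value:>8,.0f}")
```

The "value of safeguard" line, ALE before minus ALE after minus annual control cost, is the usual extension of the lecture's rule: it rejects the courier control even though it drives the laptop ARO to zero (it costs $5K to remove a $2K/year loss), while $60 of encryption that merely trims the breach-notification component is worth about $1,740 a year. With no candidate control, as for the building fire row, the function returns None, which in the lecture's vocabulary means the risk is retained (accepted) or transferred by insurance rather than mitigated.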
Extra Step: Step 6: Risk Monitoring

Risk | Status | Cost / Notes
Stolen Laptop | In investigation | $2K, legal issues
HIPAA Incident Response | Incident response procedure being defined | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K

Report to management:
- Status of security
- Metrics showing current performance
- Outstanding issues
- Newly arising issues
- How they are handled and when resolution is expected

Presented as a Security Dashboard, Heat chart or Stoplight Chart.
Training
Importance of following policies & procedures
Clean desk policy
Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering
Security Control Baselines & Metrics

Baseline: a measurement of performance.
Metrics are regularly and consistently measured, quantifiable, and inexpensively collected; they lead to subsequent performance evaluation.
E.g.: How many viruses is the help desk reporting?

[Chart: yearly counts (0 to 90) for Year 1 through Year 4, three series: Stolen Laptop, Virus/Worm, % Misuse. Company data - not real.]
Risk Management

- Risk management is aligned with business strategy & direction
- Risk mgmt must be a joint effort between all key business units & IS
- Business-driven (not technology-driven)
- Steering Committee: sets risk management priorities; defines risk management objectives to achieve the business strategy
Risk Management Roles

- Governance & Sr Mgmt: allocate resources; assess & use risk assessment results
- Chief Info Officer: IT planning, budget, performance incl. risk
- Info. Security Mgr: develops, collaborates on, and manages the IS risk mgmt process
- Security Trainers: develop appropriate training materials, including risk assessment, to educate end users
- Business Managers (Process Owners): make difficult decisions relating to priority to achieve business goals
- System / Info Owners: responsible to ensure controls are in place to address CIA; sign off on changes
- IT Security Practitioners: implement security requirements into IT systems: network, system, DB, app, admin.
Due Diligence

Due Diligence = did a careful risk assessment (RA)
Due Care = implemented the recommended controls from the RA
Liability is minimized if reasonable precautions are taken.
Requires senior mgmt support.
Question

Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question

Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question

The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question

Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time in which a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year
Question

The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
Question

Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding
Question

The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question

The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
Question

Due Diligence ensures that:
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets
Question

ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
Vocabulary to study

- Risk mgmt, risk appetite, risk analysis, risk assessment, risk treatment, residual risk
- Risk avoidance, risk reduction/risk mitigation, risk transference, risk retention/risk acceptance
- Threat, threat agent, vulnerability
- Qualitative risk analysis, quantitative risk analysis
- SLE, ARO, ALE
- Due diligence, due care
HEALTH FIRST CASE STUDY: Analyzing Risk

- Jamie Ramon, MD: Doctor
- Chris Ramon, RD: Dietician
- Terry: Medical Admin
- Pat: Software Consultant
Step 1: Define Assets

Consider consequential financial loss.

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | | C? I? A? |
  Daily Operation (DO) | | | |
  Medical Malpractice (M) | | | |
  HIPAA Liability (H) | | | |
  Notification Law Liability (NL) | | | |
Step 1: Define Assets

Consider consequential financial loss.

Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Medical DB | | DO + M + H + NL | C I A |
  Daily Operation (DO) | | $ | |
  Medical Malpractice (M) | | $ | |
  HIPAA Liability (H) | | $ | |
  Notification Law Liability (NL) | | $ | |
HIPAA Criminal Penalties

$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | ... committed under false pretenses
Up to $250K | Up to 10 years | ... with intent to sell, achieve personal gain, or cause malicious harm

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims,
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

- Normal threats: threats common to all organizations
- Inherent threats: threats particular to your specific industry
- Known vulnerabilities: previous audit reports indicate deficiencies
Step 2: Estimate Potential Loss for Threats
Step 3: Estimate Likelihood of Exploitation

[Worksheet chart: place each threat by Threat (Probability) on the vertical axis against Vulnerability (Severity) on the horizontal axis; each cell carries a priority score from 1 to 4.
Severity columns: Slow Down Business | Temp. Shut Down Business | Threaten Business
Probability rows: 1 week | 1 year | 5 years (.2) | 10 years (.1) | 20 years (.05) | 50 years (.02)
Threats to place: Snow Emergency, Hacker/Criminal, Loss of Electricity, Malware, Failed Disk, Stolen Laptop, Stolen Backup Tape(s), Social Engineering, Intruder, Fire, Flood, Earthquake, Pandemic, Tornado/Wind Storm]
Step 4: Compute Expected Loss
Step 5: Treat Risk

Step 4: Compute E(Loss): ALE = SLE * ARO

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
 | | | |

Step 5: Treat Risk
- Risk Acceptance: handle the attack when necessary
- Risk Avoidance: stop doing the risky behavior
- Risk Mitigation: implement a control to minimize the vulnerability
- Risk Transference: pay someone to assume the risk for you
- Risk Planning: implement a set of controls