Sponsored by the U.S. Department of Defense© 2004 by Carnegie Mellon University
page 1
Pittsburgh, PA 15213-3890
Rethinking Risk Management
Christopher AlbertsAudrey Dorofee
Report Documentation Page Form ApprovedOMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.
1. REPORT DATE JAN 2004 2. REPORT TYPE
3. DATES COVERED 00-00-2004 to 00-00-2004
4. TITLE AND SUBTITLE Rethinking Risk Management
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213
8. PERFORMING ORGANIZATIONREPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES
14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as
Report (SAR)
18. NUMBEROF PAGES
19
19a. NAME OFRESPONSIBLE PERSON
a. REPORT unclassified
b. ABSTRACT unclassified
c. THIS PAGE unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
© 2004 by Carnegie Mellon University page 2
HIPAA Data SecurityThe Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes a standard of due care for data security in healthcare organizations.
The regulation requires each healthcare organization to conduct a security risk assessment to ensure that its security program effectively mitigates its risk.
© 2004 by Carnegie Mellon University page 3
Key QuestionsDo state-of-the-practice risk assessments accurately characterize the security risk confronting healthcare organizations?
Are some risks overlooked by state-of-the-practice risk assessments?
© 2004 by Carnegie Mellon University page 4
Example: Work Process
Activity 2
Activity 1
Activity 3
Activity 4 Mission
© 2004 by Carnegie Mellon University page 5
Example: Organizational Control
Activity 1
Activity 2
Activity 3
Activity 4 Mission
Organization A Organization B Organization C
© 2004 by Carnegie Mellon University page 6
Activity 1
Activity 2
Activity 3
Activity 4 Mission
Organization A Organization B Organization C
Inherited Risk
Example: Inherited Risk
Organization C’s risk analysis only considers what happens within its organizational boundaries. However, risk is inherited from activities performed earlier in the process.
© 2004 by Carnegie Mellon University page 7
Current RealityOutsourcing requires work products to move across organizational borders.
Distributed computing enables information to flow outside of defined system boundaries.
© 2004 by Carnegie Mellon University page 8
Current Risk Assessment Practices
State-of-the-practice risk assessments begin by drawing boundaries around the entity “being analyzed” (i.e., a technology or an organization).
These assessment techniques view risk as a static entity.
They cannot address the• flow of work and information outside of artificially
defined boundaries• complex interrelationships among processes and
technologies
© 2004 by Carnegie Mellon University page 9
The Dynamic Nature of RiskRisk must be viewed as being dynamic in nature, moving with the workflow or the information flow.
Failure to account for the dynamic nature of risk precludes development of an accurate risk profile, because much of the risk is inherited from the surrounding environment.
© 2004 by Carnegie Mellon University page 10
Common Risk Assessment Deficiencies
The operational context is not sufficiently established.
Dependencies and interrelationships among risks and risk factors are not identified.
There is a tendency for local optimization of risk mitigation efforts.• Only a subset of mission-related risk factors are
examined at any given time. • Inherited risk is not considered during the analysis.
© 2004 by Carnegie Mellon University page 11
What Is NeededA risk analysis designed for the complexities of the modern business environment, where • outsourcing of business processes are commonplace• distributed technologies have become ubiquitous
© 2004 by Carnegie Mellon University page 12
Multi-Dimensional Risk AnalysisDefines a set of objects, rules, and heuristics used to model and analyze risk
Can be tailored to many different domains and many different types of risk
Focuses on assuring the completion of defined missions
Addresses common risk assessment deficiencies
© 2004 by Carnegie Mellon University page 13
Addressing the DeficienciesAn operational model with the following attributes is developed• flow of work or information• sequencing of activities• timing of activities
Risk factors are mapped to the operational model, enabling analysis of combinatorial effects among risk factors.
Risk reduction strategies are globally optimized. • A range of mission-related risk factors are examined,
providing a balanced view of risk. • Inherited risk is integral to the analysis.
© 2004 by Carnegie Mellon University page 14
Multi-Dimensional Risk Analysis Framework
Phase 2Prepare to
Conduct Risk Analysis
Phase 1Develop
Operational Model
Phase 3Conduct Risk
Analysis
Scope and requirementsStandard domain model (optional) Operational model
Risk tools and techniques
Prioritized risksMitigation strategies
© 2004 by Carnegie Mellon University page 15
A Common Basis for Analyzing RiskMulti-Dimensional Risk
Analysis Technique
Other Risk Assessments
CSIRT Risk Assessment
Software Process Risk Assessment
Operational Security Risk Assessment
Incident Response Risk Model
Operational Security Risk
ModelOther Risk
Models
Software Process Risk
Model
© 2004 by Carnegie Mellon University page 16
Four Dimensions of RiskMission Risk
Architecture Risk
Activity Risk
Event Risk
© 2004 by Carnegie Mellon University page 17
Depth of AnalysisType I Gap Analysis
Type II Basic Risk Analysis
Type III Advanced Risk Analysis
Type IV Measured Risk Analysis
© 2004 by Carnegie Mellon University page 18
Why Focus on Incident Response?
1. Experience has shown that many organizations initially focus on incident response when developing a cyber-security capability.
2. An incident-response capability is a requirement of the HIPAA data security regulations.
3. An incident-response capability is typically distributed across multiple departments or organizations.
© 2004 by Carnegie Mellon University page 19
Project StatusFirst pilot analyzing risk to a CSIRT capability is underway. • The operational model has been developed.• Evaluations of CSIRT capabilities are beginning.
Currently looking for a second pilot in another domain.• operational security risk (HIPAA risk assessment)• software acquisition risk• unique problems (e.g., risk in operating weapons
systems, critical infrastructure risks)
Top Related