Olivier Sessink, Hellen Havinga 1
Risk Reduction Overview for Risk Management
Dr. ir. Olivier D.T. Sessink, Head of section Innovation & Research, Joint IT command, Ministry of Defense
Ir. Hellen N.J. Havinga, Enterprise security architect, Central Information Services, Rijkswaterstaat
Contents
• Introduction to Risk Management
• IT Risk management challenges
• Objectives
• The Risk Reduction Overview method
• Risk Reduction Overview benefits
• Evaluation
ISO27005 Risk Management
Risk acceptance
Chance * Impact
Measures
Why is risk management hard?
• Threats and the chance that they might cause damage are unknown external factors
Why is risk management hard?
• (Known) vulnerabilities change at a high rate: Vulnerable? Exploit? Patch?
• IT changes continuously, affecting both chance and damage
Why is risk management hard?
• Cost of damage is hard to estimate: Sensitive information leaked? Business process interrupted? Loss of trust? Reputation damage?
Why is risk management hard?
In large organisations the situation is even worse:
• Large number of roles & people involved in risk management
• Large numbers of interconnected systems
• Different requirements from different business units
Risk acceptance in large organizations
• "Our supplier has the right to remotely administrate our copiers."
• "We need easy file sharing with this marketing firm."
• "Protect our intellectual property!!"
• "We cannot risk losing our customer records!"
• "I want to use my private phone on the company network!"
• "If we cannot keep secrets secure our partners will stop cooperating with us!"
• "If this system goes down, all our production goes down!"
• "If I'm not allowed to run this software I'll do this at home."
• "But we need Dropbox to send our designs to the factory!?"
Existing methods
Existing methods (such as CRAMM and IRAM) include generic baseline measures.
However: the relation between these baseline measures and the residual risk is not clear.
How can we improve the situation?
Objectives: present an overview such that:
• Residual risks can be evaluated
• The relation between risk, measures and residual risk is clear
• It is useful for people in different roles and with different backgrounds
• It is applicable to a design or to an implemented system
Risk Reduction Overview
Legend: I# initial risk, M# measure, R# residual risk, F# final residual risk; the arrows between them show the risk reduction flow.

Initial risks
• I1 Malware enters the network via email attachments
• I2 Email attachments contain confidential data and leak out
• I3 Computers on the network are attacked from the internet

Measures
• M1 Users are instructed how to handle untrusted attachments from outside and never to send confidential data outside the organization
• M2 A firewall only allows SMTP communication with the email server
• M3 Anti-malware product W blocks malware on the email server
• M4 Anti-malware product X blocks malware on the desktop computers
• M5 Data-leakage detection (product Y) is installed to detect confidential data leaks
• M6 Intrusion detection monitors SMTP traffic to the email server for attacks

Residual risks
• R1 Malware that does not need user interaction, or phishing email, is activated on the network
• R2 Users forget or ignore the instruction and still send confidential data by email
• R3 The email server is attacked over SMTP from the internet

Final residual risks
• F1 New malware or targeted attack malware that doesn't need activation or is somehow activated by the user still enters the network via email attachments
• F2 Confidential data that is illegally sent by an employee and not detected by product Y may still leak
• F3 An attack from the internet over SMTP which is not detected by the IDS may compromise the confidential network
• F4 A misconfigured firewall allows computers on the network to be attacked from the internet
RRO application and benefits
• Drawing the RRO forces you to rethink design decisions
• Unneeded measures and the effect of the measures are easily identified
• Missing risks are easily identified
• Realism of risk reduction is easily evaluated
• Final residual risks are directly visible
• Impact of changes is easily derived
• Future designs can re-use risk reduction patterns
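As an added example (not the authors' RRO tool, and not code from the slides), the Python below models the RRO slide above as a flow graph and shows how two of the listed benefits fall out of it mechanically: unneeded measures (measures that reduce no risk) and the impact of dropping a measure. The arrows between nodes are inferred from the slide's node texts (F2 "not detected by product Y" follows M5, F3 "not detected by the IDS" follows M6, and so on); the figure's own arrows are not in the text, so treat them as an assumption.

```python
from collections import defaultdict


class RiskReductionOverview:
    """RRO flow graph: I# initial risk --M# measure--> R# residual --M#--> F# final residual."""

    def __init__(self, node_ids):
        self.nodes = set(node_ids)            # every box drawn on the overview
        self.flows = defaultdict(list)        # (risk, measure) -> residual risks it leaves

    def reduce(self, risk, measure, *residuals):
        """One arrow of the drawing: `measure` reduces `risk` to `residuals`."""
        for n in (risk, measure, *residuals):
            if n not in self.nodes:
                raise KeyError(f"node {n} is not on the overview")
        self.flows[(risk, measure)].extend(residuals)
        return self

    def final_risks(self, start, removed=frozenset()):
        """Risks left after following the flow from `start`; measures in `removed` count as absent."""
        left, todo, seen = set(), [start], set()
        while todo:
            risk = todo.pop()
            if risk in seen:
                continue
            seen.add(risk)
            measures = [m for (r, m) in self.flows if r == risk and m not in removed]
            if not measures:
                left.add(risk)                # nothing reduces it any further
            for m in measures:
                todo.extend(self.flows[(risk, m)])
        return sorted(left)

    def unused_measures(self):
        """Measures on the overview that reduce no risk: candidates for removal."""
        used = {m for (_, m) in self.flows}
        return sorted(n for n in self.nodes if n.startswith("M") and n not in used)

    def change_impact(self, measure):
        """Initial risks whose outcome changes when `measure` is dropped, with the new outcome."""
        return {i: self.final_risks(i, {measure}) for i in sorted(self.nodes)
                if i.startswith("I") and self.final_risks(i, {measure}) != self.final_risks(i)}


def slide_example():
    """Email scenario of the RRO slide; arrows are inferred from the node texts (assumption)."""
    rro = RiskReductionOverview("I1 I2 I3 M1 M2 M3 M4 M5 M6 R1 R2 R3 F1 F2 F3 F4".split())
    rro.reduce("I1", "M1", "R1").reduce("R1", "M3", "F1").reduce("R1", "M4", "F1")
    rro.reduce("I2", "M1", "R2").reduce("R2", "M5", "F2")
    rro.reduce("I3", "M2", "R3", "F4").reduce("R3", "M6", "F3")
    return rro
```

Dropping M6 leaves R3 standing as a final risk next to F4, while dropping M3 changes nothing because M4 still covers R1, which is the kind of redundancy and dependency the slide says the drawing makes visible.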
RRO Evaluation
Several years of use:
• Dutch Ministry of Defence, Joint IT command
– Information security of military and national sensitive information
• Rijkswaterstaat (national civil infrastructure and waterway agency)
– Cyber security of vital infrastructure
Evaluation results 1/2
• The RRO has been found to be beneficial in all seven application areas mentioned.
• First-time reviewers with different backgrounds find the RRO intuitive and easy to understand.
• Reviewers indicate they need less time to review measures and residual risk.
• Reviewers indicate the RRO gives far more overview than traditional design documents.
Evaluation results 2/2
• Business owners point out that the RRO enables them to discuss measures with IT specialists, something they found very difficult in the past.
Which is exactly what ISO 27005 risk management requires.
Risk Reduction Overview
Makes communication about risks, measures and residual risk possible between people with various roles and backgrounds.
http://rro.sourceforge.net/
Questions?