ch7 MIFS

cost-benefit analysis

Also known as an economic feasibility study, the formal assessment and presentation of the economic expenditures needed for a particular security control, contrasted with its projected value to the organization

operational feasibility

An examination of how well a particular solution fits within the organization's culture and the extent to which users are expected to accept the solution. Also known as behavioral feasibility

asset valuation 2

As you learned in Chapter 6, the value of information differs within organizations and between organizations. Some argue that it is virtually impossible to accurately determine the true value of information and information-bearing assets, which is perhaps one reason why insurance underwriters currently have no definitive valuation tables for information assets. Asset valuation can draw on the assessment of information assets performed as part of the risk identification process you learned about in Chapter 6.

FAIR cont

Basic FAIR analysis comprises 10 steps in four stages:

Stage 1—Identify Scenario Components
1. Identify the asset at risk.
2. Identify the threat community under consideration.

Stage 2—Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF).
4. Estimate the Threat Capability (TCap).
5. Estimate Control Strength (CS).
6. Derive Vulnerability (Vuln).
7. Derive Loss Event Frequency (LEF).

Stage 3—Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss.
9. Estimate probable loss.

Stage 4—Derive and Articulate Risk
10. Derive and articulate risk.

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components, using scales with value ranges—for example, very high to very low. Figure 7-6 shows the basic structure of the FAIR method.

benefit

Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability. It is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk exists for the asset. This result is expressed as the annualized loss expectancy (ALE), which is defined later in this chapter.

Factor analysis of information risk (FAIR)

Factor Analysis of Information Risk (FAIR), a risk management framework developed by Jack A. Jones, can help organizations understand, analyze, and measure information risk. The outcomes are more cost-effective information risk management, greater credibility for the InfoSec profession, and a foundation from which to develop a scientific approach to information risk management. The FAIR framework, as shown in Figure 7-6, include

single loss expectancy

In a cost-benefit analysis, the calculated value associated with the most likely loss from an attack. The SLE is the product of the asset's value and the exposure factor.

annualized rate of occurrence

In a cost-benefit analysis, the expected frequency of an attack, expressed on a per-year basis.

annualized loss expectancy

In a cost-benefit analysis, the product of the annualized rate of occurrence and single loss expectancy.

microsoft risk management approach

Microsoft asserts that risk management is not a stand-alone subject and should be part of a general governance program to allow the organizational general-management community of interest to evaluate the organization's operations and make better, more informed decisions. The purpose of the risk management process is to prioritize and manage security risks. Microsoft presents four phases in its security risk management process:
1. Assessing risk
2. Conducting decision support
3. Implementing controls
4. Measuring program effectiveness

NIST

Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.

The first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations. Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored over time); (ii) risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration); (iii) risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and (iv) priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses). The risk framing component and the associated risk management strategy also include any strategic-level decisions on how risk to organizational operations and assets, individuals, other organizations, and the Nation, is to be managed by senior leaders/executives. Integrated, enterprise-wide risk management includes, for example, consideration of: (i) the strategic goals/objectives of organizations; (ii) organizational missions/business functions prioritized as needed; (iii) mission/business processes; (iv) enterprise and InfoSec architectures; and (v) system development life cycle processes.

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify: (i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation; (ii) vulnerabilities internal and external to organizations; (iii) the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) the likelihood that harm will occur. The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring). To support the risk assessment component, organizations identify: (i) the tools, techniques, and methodologies that are used to assess risk; (ii) the assumptions related to risk assessments; (iii) the constraints that may affect risk assessments; (iv) roles and responsibilities; (v) how risk assessment information is collected, processed, and communicated throughout organizations; (vi) how risk assessments are conducted within organizations; (vii) the frequency of risk assessments; and (viii) how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by: (i) developing alternative courses of action for responding to risk; (ii) evaluating the alternative courses of action; (iii) determining appropriate courses of action consistent with organizational risk tolerance; and (iv) implementing risk responses based on selected courses of action. To support the risk response component, organizations describe the types of risk responses that can be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk). Organizations also identify the tools, techniques, and methodologies used to develop courses of action for responding to risk, how courses of action are evaluated, and how risk responses are communicated across organizations and, as appropriate, to external entities (e.g., external service providers, supply chain partners).

The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to: (i) verify that planned risk response measures are implemented and InfoSec requirements derived from/traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied; (ii) determine the ongoing effectiveness of risk response measures following implementation; and (iii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate. To support the risk monitoring component, organizations describe how compliance is verified and how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and methodologies used to determine the sufficiency/correctness of risk responses and if risk mitigation measures are implemented correctly, operating as intended, and producing the desired effect with regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing effectiveness of risk responses are monitored.

Figure 7-7 AS/NZS risk management overview (Source: AS/NZS 4360:2004). Steps shown: establish the context; identify risks, analyze risks, and evaluate risks (together forming risk assessment); treat risks; with communicate and consult, and monitor and review, running alongside every step.

transference risk control strategy:

attempts to shift risk to another entity. This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

an organization

must be able to place a dollar value on each collection of information and the information assets it owns. There are several methods an organization can use to calculate these values.

behavioral feasibility

see operational feasibility

political feasibility

An examination of how well a particular solution fits within the organization's political environment—for example, the working relationship within the organization's communities of interest or between the organization and its external environment.

organizational feasibility

An examination of how well a particular solution fits within the organization's strategic planning objectives and goals

technical feasibility

An examination of how well a particular solution is supportable given the organization's current technological infrastructure and resources, which include hardware, software, networking, and personnel

asset valuation

Asset valuation can involve the estimation of real or perceived costs. These costs can be selected from any or all of those associated with the design, development, installation, maintenance, protection, recovery, and defense against loss or litigation. Some costs are easily determined, such as the cost of replacing a network switch or the cost of the hardware needed for a specific class of server. Other costs are almost impossible to determine, such as the dollar value of the loss in market share if information on a firm's new product offerings is released prematurely and the company loses its competitive edge. A further complication is that over time some information assets acquire value that is beyond their intrinsic value. This higher acquired value is the more appropriate value in most cases.

acceptance risk control strategy:

The acceptance strategy is appropriate only when the organization has:
• Determined the level of risk posed to the information asset
• Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
• Estimated the potential damage or loss that could result from attacks
• Evaluated potential controls using each appropriate type of feasibility
• Performed a thorough risk assessment, including a financial analysis such as a CBA
• Determined that the costs to control the risk to a particular function, service, collection of data, or information asset do not justify the cost of implementing and maintaining the control

delphi technique

How do you calculate the values and scales used in qualitative and quantitative assessment? An individual can pull the information together based on personal experience, but, as the saying goes, "two heads are better than one"—and a team of heads is better than two. The Delphi technique, named for the oracle at Delphi, which predicted the future (in Greek mythology), is a process whereby a group rates or ranks a set of information. The individual responses are compiled and then returned to the group for another iteration. This process continues until the entire group is satisfied with the result. This technique can be applied to the development of scales, asset valuation, asset or threat ranking, or any scenario that can benefit from the input of more than one decision maker.

organizational feasibility 2

Organizational feasibility examines how well the proposed InfoSec alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization. In other words, the proposed control approach must contribute to the organization's strategic objectives. Does the implementation align well with the strategic planning for the information systems, or does it require deviation from the planned expansion and management of the current systems? The organization should not invest in technology that changes its fundamental ability to explore certain avenues and opportunities. For example, suppose that a university decides to implement a new firewall. It takes a few months for the technology group to learn enough about the firewall to configure it completely. A few months after the implementation begins, it is discovered that the firewall as configured does not permit outgoing Web-streamed media. If one of the goals of the university is the pursuit of distance-learning opportunities, a firewall that prevents that type of communication has not met the organizational feasibility requirement and should be modified or replaced.

ISO 27005 Standard for Infosec risk management

The ISO 27000 series includes a standard for the performance of risk management: ISO 27005 (www.27000.org/iso-27005.htm), which includes a five-stage risk management methodology:
1. Risk assessment
2. Risk treatment
3. Risk acceptance
4. Risk communication
5. Risk monitoring and review

NIST Risk management model

The National Institute of Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/accreditation to one that follows the industry standard of effective risk management. As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View" (http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39final.pdf)

defense risk control strategy cont

The defense risk control strategy attempts to prevent the exploitation of the vulnerability. This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards. This approach is sometimes referred to as avoidance.

Other methods:

The few methods described in this section are by no means all of the available methods. In fact, many other organizations compare methods and provide recommendations for risk management tools that the public can use. A few are listed here:
• Mitre—Mitre is a nonprofit organization designed to support research and development groups that have received federal funding. In their systems engineering guide, Mitre presents a risk management plan that uses a four-step approach of (1) risk identification, (2) risk impact assessment, (3) risk prioritization analysis, and (4) risk mitigation planning, implementation, and progress monitoring. For more details, see
• European Network and Information Security Agency (ENISA)—This agency of the European Union ranks 12 tools using 22 different attributes. It also provides a utility on its Web site that enables users to compare risk management methods or tools. The primary risk management process promoted by ENISA is shown in Figure 7-9.
• New Zealand's IsecT Ltd.—An independent governance, risk management, and compliance consultancy, IsecT maintains the ISO 27001 Security Web site at http://iso27001security.com. This Web site describes a large number of risk management methods.

cost avoidance

The financial savings from using the defense risk control strategy to implement a control and eliminate the financial ramifications of an incident

asset valuation

The process of assigning financial value or worth to each information asset.

avoidance/ defense risk control strategy

The risk control strategy that attempts to eliminate or reduce any remaining uncontrolled risk through the application of additional controls and safeguards. Also known as the avoidance strategy

mitigate risk control strategy:

The risk control strategy that attempts to reduce the impact of the loss caused by a realized incident, disaster, or attack through effective contingency planning and preparation

acceptance risk control strategy

The risk control strategy that indicates the organization is willing to accept the current level of risk. As a result, the organization makes a conscious decision to do nothing to protect an information asset from risk and to accept the outcome from any resulting exploitation.

technical feasibility

Unfortunately, many organizations rush to acquire new safeguards without thoroughly examining what is required to implement and use them effectively. Because the implementation of technological controls can be extremely complex, the project team must consider their technical feasibility—that is, determine whether the organization already has or can acquire the technology necessary to implement and support them. For example, does the organization have the hardware and software necessary to support a new firewall system? If not, can it be obtained? Technical feasibility analysis also examines whether the organization has the technological expertise to manage the new technology. Does the staff include individuals who are qualified (and possibly certified) to install and manage a new firewall system? If not, can staff be spared from their current obligations to attend formal training and education programs to prepare them to administer the new systems, or must personnel be hired? In the current environment, how difficult is it to find qualified personnel?

octave methods

Until now, this book has presented a general treatment of risk management, synthesizing information and methods from many sources to present the customary or usual approaches that organizations use to manage risk. This and the following sections present alternative approaches to risk management that come from a single source. One such source, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method, is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detection controls. This process, which is illustrated in Figure 7-4, can enable an organization to measure itself against known or accepted good security practices and then establish an organization-wide protection strategy and InfoSec risk mitigation plan. The OCTAVE process is promoted by the Computer Emergency Response Team (CERT) Coordination Center (www.cert.org). The process has three variations:
• The original OCTAVE Method, which forms the basis for the OCTAVE body of knowledge and which was designed for large organizations (300 or more users)
• OCTAVE-S, for smaller organizations of about 100 users
• OCTAVE-Allegro, a streamlined approach for InfoSec assessment and assurance

Risk control strategies

When an organization's general management team determines that risks from information security (InfoSec) threats are creating a competitive disadvantage, it empowers the InfoSec and IT communities of interest to control those risks. Once the project team for InfoSec development has created the ranked vulnerability table (see Chapter 6), the team must choose one of five basic strategies to control the risks that arise from these vulnerabilities:
• Defense—Applying controls and safeguards that eliminate or reduce the remaining uncontrolled risk
• Transference—Shifting risks to other areas or to outside entities
• Mitigation—Reducing the impact to information assets should an attacker successfully exploit a vulnerability
• Acceptance—Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control
• Termination—Removing or discontinuing the information asset from the organization's operating environment

once vulnerabilities are identified and ranked:

a strategy to control the risks must be chosen. Five control strategies are defense, transference, mitigation, acceptance, and termination.

organizations may choose:

alternatives to feasibility studies to justify applying InfoSec controls, including: benchmarking with either metrics-based measures or process-based measures; due care and/or due diligence; best security practices up to and including the near-mythic gold standard; and/or baselining.

three common approaches to implement the defense risk control strategy:

application of policy, application of training and education, and implementation of technology:
• Application of Policy—As discussed in Chapter 4, the application of policy allows all levels of management to mandate that certain procedures always be followed. For example, if the organization needs to control password use more tightly, it can implement a policy requiring passwords on all IT systems. But policy alone may not be enough. Effective management always couples changes in policy with the training and education of employees, or an application of technology, or both.
• Application of Training and Education—Simply communicating new or revised policy to employees may not be adequate to assure compliance. Awareness, training, and education are essential to creating a safer and more controlled organizational environment and to achieving the necessary changes in end-user behavior.
• Implementation of Technology—In the everyday world of InfoSec, technical controls and safeguards are frequently required to effectively reduce risk. For example, firewall administrators can deploy new firewall and IDPS technologies where and how policy requires them and where administrators are both aware of the requirements and trained to implement the

risk appetite

defines the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility. Residual risk is the amount of risk unaccounted for after the application of controls.

cost benefit analysis CBA:

determines whether a control alternative is worth its associated cost. CBA calculations are based on costs before and after controls are implemented and the cost of the controls. Other feasibility analysis approaches can also be used.
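The SLE, ARO and ALE definitions above, and the CBA card here, describe a calculation without carrying one through. The following is an added worked example, not text or code from the textbook: it computes SLE = AV × EF and ALE = SLE × ARO for an exposure, then scores each candidate control with the standard cost-benefit form CBA = ALE(prior) − ALE(post) − ACS (ACS being the annualized cost of the safeguard) and ranks the candidates. The asset value, exposure factors, ARO values and control costs are constructed for illustration and are not figures from the page.

```python
"""Quantitative cost-benefit analysis for candidate security controls.

Added worked example (not from the textbook). Formulas used:
    SLE = asset value (AV) * exposure factor (EF)
    ALE = SLE * annualized rate of occurrence (ARO)
    CBA = ALE(prior) - ALE(post) - ACS   # ACS = annual cost of the safeguard
All asset values, exposure factors, ARO values and control costs below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair as it stands today (the 'prior' state)."""
    asset: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident (0..1)
    aro: float              # ARO, expected incidents per year


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and its projected effect on the exposure."""
    name: str
    annual_cost: float           # ACS: acquisition + maintenance, annualized
    post_exposure_factor: float  # EF after the control is in place
    post_aro: float              # ARO after the control is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: value of the most likely loss from one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: SLE scaled by expected incidents per year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


def cba(exposure: Exposure, control: Control) -> float:
    """Net annual benefit of a control: ALE(prior) - ALE(post) - ACS.

    Positive means the control saves more than it costs per year; negative
    means acceptance (or a cheaper control) is the better economic choice.
    """
    prior = ale(exposure.asset_value, exposure.exposure_factor, exposure.aro)
    post = ale(exposure.asset_value, control.post_exposure_factor, control.post_aro)
    return prior - post - control.annual_cost


def rank_controls(exposure: Exposure, controls: list[Control]) -> list[tuple[str, float]]:
    """Rank candidate controls by net annual benefit, best first."""
    scored = [(c.name, cba(exposure, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data: a customer database exposed through a web
# application vulnerability. Every number here is illustrative.
CUSTOMER_DB = Exposure(asset="customer database", asset_value=1_000_000.0,
                       exposure_factor=0.40, aro=0.5)

CANDIDATES = [
    # Patching plus code review removes most incidents at moderate cost.
    Control("patch and code review", annual_cost=60_000.0,
            post_exposure_factor=0.40, post_aro=0.05),
    # A WAF is cheaper but leaves more incidents through.
    Control("web application firewall", annual_cost=25_000.0,
            post_exposure_factor=0.40, post_aro=0.2),
    # Re-platforming cuts both EF and ARO but costs more than the loss it avoids.
    Control("re-platform the application", annual_cost=250_000.0,
            post_exposure_factor=0.10, post_aro=0.05),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor):,.0f}")
    print(f"ALE = ${ale(CUSTOMER_DB.asset_value, CUSTOMER_DB.exposure_factor, CUSTOMER_DB.aro):,.0f}")
    for name, net in rank_controls(CUSTOMER_DB, CANDIDATES):
        verdict = "justified" if net > 0 else "not justified"
        print(f"{name:30s} net annual benefit ${net:>12,.0f}  ({verdict})")
```

With the constructed inputs the prior ALE is $200,000 a year; patching nets $120,000, the WAF $95,000, and re-platforming loses $55,000 a year, which is the kind of result that sends a team back to the acceptance or transference cards rather than the most expensive safeguard. The same function set can be run over a whole ranked vulnerability table by building one Exposure per row.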

operational feasibility 2

refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders. Operational feasibility is also known as behavioral feasibility. An important aspect of systems development is obtaining user buy-in on projects. If the users do not accept a new technology, policy, or program, it will inevitably fail. Users may not openly oppose a change, but if they do not support it, they will find ways to disable or otherwise circumvent it. One of the most common methods of obtaining user acceptance and support is via user engagement. User engagement and support can be achieved by means of three simple actions: communication, education, and involvement. Organizations should communicate with system users, sharing timetables and implementation schedules, plus the dates, times, and locations of upcoming briefings and training. Affected parties must know the purpose of the proposed changes and how they will enable everyone to work more securely. In addition, users should be educated and trained in how to work under the new constraints while avoiding any negative performance consequences. A major frustration for users is the implementation of a new program that prevents them from accomplishing their duties, with only a promise of eventual training. Finally, those making changes should involve users by asking them what they want and what they will tolerate from the new systems. One way to do this is to include representatives from the various constituencies in the development process. Communication, education, and involvement can reduce resistance to change and can build resilience for change—that ethereal quality that allows workers not only to tolerate constant change but also to understand that change is a necessary part of the job.

economic feasibility

studies determine and compare costs and benefits from potential controls (often called a cost-benefit analysis). Other forms of feasibility analysis include analyses based on organizational, operational, technical, and political factors

mitigate risk control strategy control approach:

the control approach that focuses on planning and preparation to reduce the damage caused by a realized incident or disaster. This approach includes three types of plans, which you will learn about in Chapter 10: the incident response (IR) plan, the disaster recovery (DR) plan, and the business continuity (BC) plan. Mitigation depends on the ability to detect and respond to an attack as quickly as possible.

transference risk control strategy

the risk control strategy that attempts to shift risk to other assets, other processes, or other organizations

termination risk control strategy

the risk control strategy that eliminates all risk associated with an information asset by removing it from service

FAIR

• A taxonomy for information risk
• Standard nomenclature for information risk terms
• A framework for establishing data collection criteria
• Measurement scales for risk factors
• A computational engine for calculating risk
• A modeling construct for analyzing complex risk scenarios

Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it. Among the items that affect the cost of a control or safeguard are the following:

• Cost of development or acquisition (hardware, software, and services)
• Training fees (cost to train personnel)
• Cost of implementation (installing, configuring, and testing hardware, software, and services)
• Service costs (vendor fees for maintenance and upgrades)
• Cost of maintenance (labor expense to verify and continually test, maintain, train, and update)

The FDIC also suggests that organizations use the following four steps to create a successful SLA. While originally written for InfoSec and IT departments within financial institutions, these recommendations are equally applicable and easily adaptable to virtually any organization:

• Determining Objectives—Reviewing the strategic business needs of the financial institution includes evaluating its day-to-day operating environment, risk factors, and market conditions. Consideration should be given to how the outsourced service fits into the bank's overall strategic plan.
• Defining Requirements—Identifying the operational objectives (e.g., the need to improve operating efficiency, reduce costs, or enhance security) will help the institution define performance requirements. It will also help identify the levels of service the bank needs from the service provider to meet its strategic goals and objectives for the outsourced activity.
• Setting Measurements—Clear and impartial measurements, or metrics, can be developed once the strategic needs and operating objectives have been defined. The metrics are used to measure and confirm that the necessary service levels have been achieved and the objectives and strategic intent have been met.
• Establishing Accountability—It is useful to develop and adopt a framework that ensures accountability after the metrics have been clearly defined. The service provider rarely has full accountability and responsibility for all tasks. Establishing this accountability usually includes a clear statement of the outcome if the level of service is exceeded or if the expected service fails to meet the stated standard.

According to the Federal Deposit Insurance Corporation (FDIC) in their document "Tools to Manage Technology Providers' Performance Risk: Service Level Agreements," a typical SLA should contain the following elements:

• Service category (e.g., system availability or response time)
• Acceptable range of service quality
• Definition of what is being measured
• Formula for calculating the measurement
• Relevant credits/penalties for achieving/failing performance targets
• Frequency and interval of measurement

asset valuation approaches:

• Value Retained from the Cost of Creating the Information Asset—Information is created or acquired at a cost, which can be calculated or estimated. For example, many organizations have developed extensive cost-accounting practices to capture the costs associated with collecting and processing data as well as the costs of developing and maintaining software. Software development costs include the efforts of the many people involved in the systems development life cycle for each application and system. Although this effort draws mainly on IT personnel, it also includes the user and general management community and sometimes the InfoSec staff. In today's marketplace, with high programmer salaries and even higher contractor expenses, the average cost to complete even a moderately sized application can quickly escalate. For example, multimedia-based training software that requires 350 hours of development for each hour of content will require the expenditure of as much as $10,000 per hour of content produced.

• Value Retained from Past Maintenance of the Information Asset—It is estimated that for every dollar spent to develop an application or to acquire and process data, many more dollars are spent on maintenance over the useful life of the data or software. If actual costs have not been recorded, the cost can be estimated in terms of the human resources required to continually update, support, modify, and service the applications and systems.

• Value Implied by the Cost of Replacing the Information—The costs associated with replacing information should include the human and technical resources needed to reconstruct, restore, or regenerate the information from backups, independent transaction logs, or even hard copies of data sources. Most organizations rely on routine media backups to protect their information. When estimating recovery costs, keep in mind that you may have to hire contractors to carry out the regular workload that employees will be unable to perform during recovery efforts. Also, real-time information may not be recoverable from a tape backup unless the system has built-in journaling capabilities. To restore this information, the various information sources may have to be reconstructed, with the data reentered into the system and validated for accuracy. This restoration can take longer than it initially took to create the data.

• Value from Providing the Information—Separate from the cost of developing or maintaining the information is the cost of providing the information to those users who need it. Such costs include the values associated with the delivery of the information through databases, networks, and hardware and software systems. They also include the cost of the infrastructure necessary to provide access to and control of the information.

• Value Acquired from the Cost of Protecting the Information—The value of an asset is based in part on the cost of protecting it, and the amount of money spent to protect an asset is based in part on the value of the asset. While this is a seemingly unending circle, estimating the value of protecting an information asset can help you better understand the expense associated with its potential loss. The values listed previously are easy to calculate with some precision. This value and those that follow are likely to be estimates of cost.

• Value to Owners—How much is your Social Security number worth to you? Or your telephone number? Placing a value on information can be quite a daunting task. A market researcher collects data from a company's sales figures and determines that a new product offering has a strong potential market appeal to members of a certain age group. While the cost of creating this new information may be small, how much is the new information actually worth? It could be worth millions if it successfully captures a new market share. Although it may be impossible to estimate the value of information to an organization or what portion of revenue is directly attributable to that information, it is vital to understand the overall cost that could be a consequence of its loss so as to better realize its value. Here again, estimating value may be the only method possible.

• Value of Intellectual Property—The value of a new product or service to a customer may ultimately be unknowable. How much would a cancer patient pay for a cure? How much would a shopper pay for a new flavor of cheese? What is the value of a logo or advertising slogan? Related but separate are intellectual properties known as trade secrets. Intellectual information assets are the primary assets of some organizations.

• Value to Adversaries—How much is it worth to an organization to know what the competition is doing? Many organizations have established departments tasked with the assessment and estimation of the activities of their competition. Even organizations in traditionally nonprofit industries can benefit from knowing what is going on in political, business, and competitive organizations. Stories of industrial espionage abound, including the urban legend of Company A encouraging its employees to hire on as janitors at Company B. As custodial workers, the employees could snoop through open terminals, photograph and photocopy unsecured documents, and rifle through internal trash and recycling bins. Such legends support a widely accepted concept: Information can have extraordinary value to the right individuals. Similarly, stories are circulated of how disgruntled employees, soon to be terminated, steal information and present it to competitive organizations to curry favor and achieve new employment. Those who hire such applicants in an effort to gain from their larceny should consider whether benefiting from such a tactic is wise. After all, such thieves could presumably repeat their activities when they become disgruntled with their new employers.

• Loss of Productivity While the Information Assets Are Unavailable—When a power failure occurs, effective use of uninterruptible power supply (UPS) equipment can prevent data loss, but users cannot create additional information. Although this is not an example of an attack that damages information, it is an instance in which a threat (deviations in quality of service from service providers) affects an organization's productivity. The hours of wasted employee time, the cost of using alternatives, and the general lack of productivity will incur costs and can severely set back a critical operation or process.

• Loss of Revenue While Information Assets Are Unavailable—Have you ever been purchasing something at a retail store and your credit card would not scan? How many times did the salesperson rescan the card before entering the numbers manually? How long did it take to enter the numbers manually in contrast to the quick swipe? What if the credit card verification process was offline? Did the organization have a manual process to validate or process credit card payments in the absence of the familiar approval system? Many organizations have all but abandoned manual backups for automated processes. Sometimes, businesses may even have to turn away customers because their automated payment systems are inoperative. Most grocery stores no longer label each item with the price, because the UPC scanners and the related databases calculate the costs and inventory levels dynamically. Without these systems, could your grocery store sell goods? How much would the store lose if it could not? The Federal Emergency Management Agency (FEMA) estimates that 40 percent of businesses do not reopen after a disaster and another 25 percent fail within one year.7 Imagine, instead of a grocery store, an online book retailer such as Amazon.com suffering a power outage. The entire operation is instantly closed. Even if Amazon's offering system were operational, what if the payment systems were offline? Customers could make selections but could not complete their purchases. While online businesses may be more susceptible to suffering a loss of revenue as a result of a loss of information, most organizations would be unable to conduct business if certain pieces of information were unavailable.

rules of thumb for selecting a strategy

• When a Vulnerability (Flaw or Weakness) Exists in an Important Asset—Implement security controls to reduce the likelihood of a vulnerability being exploited.
• When a Vulnerability Can Be Exploited—Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
• When the Attacker's Potential Gain Is Greater Than the Costs of Attack—Apply protections to increase the attacker's cost or reduce the attacker's gain by using technical or managerial controls.
• When the Potential Loss Is Substantial—Apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.6

more

■ It is possible to repeat risk analysis using estimates based on a qualitative assessment. The Delphi technique can be used to obtain group consensus on risk assessment values.
■ Once a control strategy has been implemented, the effectiveness of controls should be monitored and measured.
■ Alternative approaches to risk management include the OCTAVE Method, the Microsoft risk management approach, ISO 27005, the NIST risk management approach, and FAIR.

