Module 1: Assets, Threats, Vulnerability, and Risk
Direct costs in determining value
-Financial losses -Increased insurance premiums -Deductible expenses on insurance coverage -Lost business -Labor expenses -Management expenses -Punitive damages
Indirect costs in determining value
-Negative media coverage -Long-term negative consumer perception -Additional public relations expenses to overcome image problems -Lack of insurance coverage due to higher risk -Higher wages to attract future employees -Shareholder derivatives for mismanagement -Poor employee morale
successful
1-Pi must be the probability of the adversary being
Risk analysis
A detailed examination that includes risk assessment, vulnerability evaluation, and risk management alternatives.
The Threat Matrix
A grid or matrix for each asset and threat pair. The impact or consequences are shown on the vertical axis and the likelihood or probability on the horizontal axis.
Loss event profile
A list of the threats affecting the assets to be safeguarded.
Risk Mitigation
A systematic methodology used by senior management to reduce overall operational risk.
CARVER Method
A technique for determining likely targets for an attack. This method uses a five-point scale to rank each asset according to six categories.
Risk Assumption
Accept the potential risk and continue security operations "as is." Alternatively, implement some controls to lower risk to an acceptable level. (no cost)
Threat
An intent to damage or injure; an indication of something impending; associated with humans
ALE = 10^(f+i-3) / 3
Annual Loss Expectancy formula
Vulnerability
Any weakness that an aggressor (terrorist or criminal) can exploit, or that makes an asset susceptible to damage from natural hazards or from consequential events.
Asset
Anything you want to protect because of its value, its importance to maintaining business continuity, and/or its ability to be replaced within a required timeline.
tenants
Assessing asset value can be accomplished by interviewing stakeholders, including owners, facility staff, and
risk analysis
Assessing threats and hazards is the second major step in security
intangible
Assets can be either tangible or
Relative Asset Value
Assigning a relative value to assets based on their priority (low, medium, or high)
Risk Avoidance
Avoiding risk by eliminating its cause and/or consequence.(e.g., move assets to another location.)(Some cost)
threats
Before implementing any security program, first identify the assets you are trying to protect, the threats against those assets, and how vulnerable those assets are to the various
allocating resources
Blue (middle) boxes indicate areas where decisions respecting security protections must be based on a cost benefit analysis when
cost of lost income
Ci
consequential event threats
Conducting a due diligence investigation can help protect a company from
C
Consequence Value
indirect
Costs of assets can be direct or
cost of permanent replacement
Cp
related costs such as removal, installation, etc.
Cr
cost of temporary substitute
Ct
Risk assessment
Determining asset value, threats, likelihood, impact, and consequent vulnerability.
Risk management
Determining measures and safeguards, to mitigate threats and reduce vulnerabilities.
asset
Employees are an organization's most critical
-Injuries or deaths related to facility or infrastructure damage. -Replacement cost of assets. -Loss of revenue due to lost functions. -Existence of backups and system redundancy. -Availability of replacements. -Critical support agreements and lifelines in place. -Critical or sensitive information value. -Impact on reputation and loss of revenue.
Factors to consider when valuing and ranking critical assets by priority
Site Hardening
Harden the site against as many threats as possible. (Greatest cost)
available insurance or indemnity
I
1. Natural Disasters 2. Human-made disasters
Identify 2 subcategories of non-crime related threats.
1. Crimes. 2. Non-criminal events such as man-made incidents or natural disasters. 3. Consequential events caused by an organization's relationship with another organization, for example when the other organization's poor or negative reputation adversely affects the enterprise.
Identify 3 categories of threats.
1. Qualitative 2. Quantitative
Identify the two basic types of risk assessment.
1) the event's probability, and 2) the computed likely loss
Identify two fundamental elements in a quantitative approach to risk analysis.
Asset value assessment
Identifying people and asset values at a facility.
pair-wise comparison
In the CARVER Method, each critical asset is compared against the different threat scenarios using a technique called
security risk rating
In the risk analysis process, we can assign values to the three risk components to provide an overall
Risk Management
It is not possible to completely eliminate risk. Therefore it is important to determine what level of protection is desirable, and which options can help you achieve this level. This is known as
criticality, total cost of loss
K
Cost-of-loss formula
K = (Cp + Ct + Cr + Ci) - I
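An added worked example, not part of the flashcard deck, showing the cost-of-loss formula K = (Cp + Ct + Cr + Ci) - I applied to constructed worst-case scenarios and then multiplied by a threat probability to give the annual loss expectancy the deck describes. The scenario figures, the daily-income way of estimating Ci, and the function and class names are assumptions made for illustration.

```python
# Added example, not from the flashcard deck: cost of loss K for one
# worst-case occurrence of a loss event, and the ALE derived from it.
from dataclasses import dataclass


@dataclass
class LossScenario:
    name: str
    cp: float           # Cp: cost of permanent replacement
    ct: float           # Ct: cost of a temporary substitute while replacing
    cr: float           # Cr: related costs such as removal, installation, etc.
    ci: float           # Ci: cost of lost income for the outage
    insurance: float    # I: available insurance or indemnity
    probability: float  # threat probability per year (assumed estimate)


def lost_income(daily_income: float, outage_days: float) -> float:
    """Assumed way of estimating Ci: income lost per day times days out of service."""
    return daily_income * outage_days


def cost_of_loss(s: LossScenario) -> float:
    """K = (Cp + Ct + Cr + Ci) - I.

    A negative K would mean the cover exceeds the loss; the deck does not
    floor the result at zero, so neither does this function.
    """
    return (s.cp + s.ct + s.cr + s.ci) - s.insurance


def annual_loss_expectancy(s: LossScenario) -> float:
    """Threat probability times the value of the potential loss (K)."""
    return s.probability * cost_of_loss(s)


def rank_scenarios(scenarios):
    """Most annual exposure first, so it can be addressed first."""
    return sorted(scenarios, key=annual_loss_expectancy, reverse=True)


# Constructed scenarios (assumed figures). Each one is the probable maximum
# loss for a single occurrence, i.e. the worst-case position the deck takes.
SCENARIOS = [
    LossScenario("server room fire", cp=120_000, ct=15_000, cr=8_000,
                 ci=lost_income(5_000, 20), insurance=150_000,
                 probability=0.02),
    LossScenario("theft of shop stock", cp=40_000, ct=0, cr=2_000,
                 ci=lost_income(5_000, 2), insurance=20_000,
                 probability=0.25),
]

if __name__ == "__main__":
    for s in rank_scenarios(SCENARIOS):
        print(f"{s.name:<22} K=${cost_of_loss(s):>10,.0f} "
              f"ALE=${annual_loss_expectancy(s):>8,.0f}")
```

Note that the fire has the larger single-occurrence loss but the theft has the larger annual exposure; ranking by K and ranking by ALE answer different questions, and the deck's mitigation decisions are driven by the latter.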
Risk Limitation
Limit risk by implementing controls that minimize the adverse impact. (e.g., preventive, detective, and response controls) (Some cost)
1. Define and understand business processes and functions. 2. Identify site and building infrastructure and systems. 3. Identify critical tangible and intangible assets.
Name 3 steps useful for identifying a company's critical assets.
Criticality Accessibility Recoverability Vulnerability Effects Recognizability
Name the six categories in the CARVER Method.
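An added example, not part of the flashcard deck, of how a CARVER ranking is actually produced: every asset is scored against every threat scenario (the pair-wise comparison) on the six categories, each 1 to 5, and the totals are sorted so the most attractive target comes first. The scoring data, the validation rules and the function names are assumptions; the deck only says the six categories are each scored on a five-point scale.

```python
# Added example, not from the flashcard deck: CARVER scoring and ranking
# of asset / threat-scenario pairs.

CATEGORIES = ("criticality", "accessibility", "recoverability",
              "vulnerability", "effects", "recognizability")


def carver_score(scores: dict) -> int:
    """Sum of the six category scores, each 1 (least attractive) to 5 (most).

    Rejects missing or extra categories and out-of-range values so a typo in
    a worksheet cannot silently change the ranking (assumed checks).
    """
    missing = set(CATEGORIES) - set(scores)
    extra = set(scores) - set(CATEGORIES)
    if missing or extra:
        raise ValueError(f"need exactly {CATEGORIES}; missing={missing} extra={extra}")
    for cat in CATEGORIES:
        v = scores[cat]
        if not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError(f"{cat} must be an integer 1..5, got {v!r}")
    return sum(scores[cat] for cat in CATEGORIES)


def scores(c: int, a: int, r: int, v: int, e: int, rz: int) -> dict:
    """Build a score dict in CARVER order (convenience helper)."""
    return dict(zip(CATEGORIES, (c, a, r, v, e, rz)))


def rank_targets(matrix: dict):
    """matrix maps (asset, scenario) -> category scores.

    Returns (asset, scenario, total) tuples, most attractive target first.
    Every asset appears against every scenario, which is the pair-wise
    comparison the deck refers to.
    """
    ranked = [(asset, scenario, carver_score(s))
              for (asset, scenario), s in matrix.items()]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


# Constructed scoring matrix (assumed values, for illustration only).
MATRIX = {
    ("main substation", "explosive attack"): scores(5, 3, 2, 4, 5, 4),
    ("main substation", "insider sabotage"): scores(5, 5, 2, 4, 5, 3),
    ("visitor parking lot", "explosive attack"): scores(1, 5, 1, 2, 1, 2),
    ("visitor parking lot", "insider sabotage"): scores(1, 5, 1, 2, 1, 1),
}

if __name__ == "__main__":
    for asset, scenario, total in rank_targets(MATRIX):
        print(f"{total:>2}  {asset:<20} vs {scenario}")
```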
1. The Army's CARVER Method. 2. The Threat Matrix
Name two methods for quantifying risk.
Risk Analysis
Performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment.
Pa
Probability of an adversary attack during a period of time.
Pi
Probability of attack interruption by the security force.
in the future
Probability, or likelihood, of loss is an educated guess, based on historical and socio-environmental data, about the likelihood of a loss risk event occurring
assets need to be protected
Ranking assets by Risk Rating helps put risks in a priority order so you can make decisions about which
decisions based on this value
Ranking events in order of the Annual Loss Expectancy quantifies the risk and facilitates
must be mitigated
Red (upper, right-hand) boxes on the threat matrix indicate threats that
Qualitative
Relating to that which is characteristic of something and makes it what it is.
Quantitative
Relating to, concerning or based on the amount or number of something.
i
Represents the "cost valuation" (impact) of an event in successive values such as i=1 ($10); i=2 ($100); i=3 ($1,000)
f
Represents the estimated frequency of the event in successive values such as f=1 (once in 300 years); f=2 (once in 30 years); f=3 (once in 3 years)
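An added worked example, not part of the flashcard deck, for the Annual Loss Expectancy cards: it computes ALE from the f and i indices defined above, cross-checks the shortcut ALE = 10^(f+i-3) / 3 against the plain "threat probability times value of the potential loss" product, and ranks a set of constructed events by ALE. Extending the f and i ladders beyond the values the deck lists (each step being another factor of ten) and the sample events are assumptions.

```python
# Added example, not from the flashcard deck: Annual Loss Expectancy (ALE)
# from the frequency index f and impact index i defined on the cards.


def frequency_per_year(f: int) -> float:
    """Occurrences per year for frequency index f.

    f=1: once in 300 years, f=2: once in 30 years, f=3: once in 3 years.
    Further steps are assumed to continue the factor-of-ten pattern
    (f=4: once in 0.3 years, about 3 times a year).
    """
    years_between_events = 300.0 / 10 ** (f - 1)
    return 1.0 / years_between_events


def impact_dollars(i: int) -> float:
    """Loss per event for impact index i: i=1 $10, i=2 $100, i=3 $1,000, ..."""
    return 10.0 ** i


def ale_formula(f: int, i: int) -> float:
    """The deck's shortcut: ALE = 10^(f+i-3) / 3."""
    return 10.0 ** (f + i - 3) / 3.0


def ale_direct(f: int, i: int) -> float:
    """Threat probability (events per year) times value of the potential loss."""
    return frequency_per_year(f) * impact_dollars(i)


def rank_by_ale(events):
    """Order (name, f, i) events by descending ALE so the largest annual
    exposure is addressed first, as the deck's ranking card describes."""
    scored = [(name, ale_formula(f, i)) for name, f, i in events]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample events (assumed values, for illustration only).
SAMPLE_EVENTS = [
    ("vandalism to perimeter fence", 3, 2),  # every 3 years, $100 per event
    ("fire in records room", 2, 4),          # every 30 years, $10,000 per event
    ("laptop theft from lobby", 4, 3),       # ~3 times a year, $1,000 per event
]

if __name__ == "__main__":
    for f, i in ((1, 1), (3, 3), (2, 4)):
        print(f"f={f} i={i}: formula ${ale_formula(f, i):,.2f} "
              f"direct ${ale_direct(f, i):,.2f}")
    for name, ale in rank_by_ale(SAMPLE_EVENTS):
        print(f"${ale:>10,.2f}  {name}")
```

The shortcut and the direct product agree for every (f, i) pair because both scales are base-ten ladders anchored at once-in-300-years and $10; the division by 3 is what carries the "300" through.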
R = Pa * (1 - Pi) * C
Risk Equation
asset
Risk is the potential for loss or damage to an
hazard
Risk takes into account the value of an asset, the threats or hazards that potentially impact the asset, and the vulnerability of the asset to the threat or
R
Risk to the facility of an adversary gaining access to assets.
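An added example, not part of the flashcard deck, for the risk equation R = Pa * (1 - Pi) * C and the Pa, Pi, C and R cards. It estimates Pi from an adversary path of detect-and-delay layers against a fixed response time, in the spirit of the Adversary Sequence Diagram card, and shows how 1 - Pi (the adversary's probability of success) and R change as the response force gets slower. The path model (detection on entering a layer, fixed delays, a single response time) is a simplified assumption, as are all the figures.

```python
# Added example, not from the flashcard deck: R = Pa * (1 - Pi) * C, with Pi
# estimated from a simplified adversary path (assumed model).
from typing import List, Tuple

# (layer name, probability the adversary is detected on entering the layer,
#  seconds of delay the layer imposes once entered)
Layer = Tuple[str, float, float]


def interruption_probability(path: List[Layer], response_seconds: float) -> float:
    """Estimate Pi, the probability the security force interrupts the attack.

    Walking the path from outside in: the attack is interrupted if the first
    detection happens at a layer where the delay still ahead (that layer plus
    all inner layers) exceeds the response force's arrival time. Detection at
    a later layer only counts if every earlier layer missed the adversary.
    """
    pi = 0.0
    p_undetected_so_far = 1.0
    for k, (_name, p_detect, _delay) in enumerate(path):
        delay_remaining = sum(d for _, _, d in path[k:])
        if delay_remaining > response_seconds:
            pi += p_undetected_so_far * p_detect
        p_undetected_so_far *= 1.0 - p_detect
    return pi


def risk(pa: float, pi: float, consequence: float) -> float:
    """R = Pa * (1 - Pi) * C; 1 - Pi is the probability the adversary succeeds."""
    return pa * (1.0 - pi) * consequence


def compare_response_times(path: List[Layer], pa: float, consequence: float,
                           times: List[float]):
    """(response time, Pi, R) for each candidate response time."""
    rows = []
    for t in times:
        pi = interruption_probability(path, t)
        rows.append((t, pi, risk(pa, pi, consequence)))
    return rows


# Constructed path and figures (assumed values, for illustration only).
PATH: List[Layer] = [
    ("perimeter fence", 0.5, 30.0),
    ("building door", 0.9, 120.0),
    ("vault", 0.3, 300.0),
]
PA = 0.2                    # probability of an attack in the period
CONSEQUENCE = 1_000_000.0   # C: value the adversary could destroy or remove

if __name__ == "__main__":
    for t, pi, r in compare_response_times(PATH, PA, CONSEQUENCE,
                                           [200.0, 400.0, 500.0]):
        print(f"response {t:>5.0f}s  Pi={pi:.3f}  1-Pi={1 - pi:.3f}  R=${r:,.0f}")
```

With a 200 s response the fence and door detections both come early enough to matter; at 400 s only those two still count; at 500 s nothing on the path delays the adversary long enough, Pi drops to 0 and R collapses to Pa * C, which is the number to compare against the cost of the extra delay or detection measures the deck says the diagram helps you choose.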
Vulnerability Rating
Security Risk Rating = Asset Value Rating times Threat Likelihood Rating times
Hazards
Sources of potential danger or adverse condition; associated with nature
Define and understand the company's primary business functions and processes.
Step 1 in identifying a company's critical assets:
Identify site and building infrastructure and systems: - critical components, - life-safety systems and safe haven areas, and - secure areas.
Step 2 in identifying a company's critical assets:
Identify the company's tangible and intangible assets: - people, - information systems and data, - intellectual property, - one-of-a-kind assets, and - high-value assets
Step 3 in identifying a company's critical assets:
Cost-of-loss formula
Taking the worst-case position and analyzing each security loss risk in light of the probable maximum loss for a single occurrence of the risk event.
impact of recovery
The Qualitative approach to risk analysis assigns a relative value to assets based on replacement cost, criticality, or
probability
The Qualitative approach to risk analysis assigns a relative value to threats based on their
Risk = impact times likelihood
The Qualitative approach to risk analysis computes risk to any asset from a particular threat using the following equation:
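An added example, not part of the flashcard deck, tying together the qualitative cards: the 1/3/5 relative scale, Security Risk Rating = Asset Value Rating times Threat Likelihood Rating times Vulnerability Rating, Risk = impact times likelihood, and placement of each asset/threat pair on the red/blue/yellow threat matrix so that risks can be ranked for mitigation decisions. The numeric thresholds separating the red, blue and yellow boxes, the use of the asset value rating as the matrix's impact axis, the sample pairs and the function names are assumptions; the deck only states where each colour sits on the grid and what it means.

```python
# Added example, not from the flashcard deck: qualitative security risk
# rating and threat-matrix placement for asset / threat pairs.
from typing import List, Tuple

RATING = {"low": 1, "medium": 3, "high": 5}   # the deck's relative 1/3/5 scale


def security_risk_rating(asset_value: str, threat_likelihood: str,
                         vulnerability: str) -> int:
    """Security Risk Rating = Asset Value x Threat Likelihood x Vulnerability."""
    return RATING[asset_value] * RATING[threat_likelihood] * RATING[vulnerability]


def threat_matrix_zone(impact: int, likelihood: int) -> str:
    """Place a pair on the impact (vertical) vs likelihood (horizontal) grid.

    Risk = impact times likelihood. The cut-offs are assumed: the deck only
    says red is upper-right (must be mitigated), blue is the middle band
    (cost-benefit decision) and yellow is lower-left (acceptable as is or
    limited security / procedural changes).
    """
    score = impact * likelihood
    if score >= 15:
        return "red"
    if score >= 5:
        return "blue"
    return "yellow"


ZONE_ACTION = {
    "red": "must be mitigated",
    "blue": "decide on a cost-benefit analysis when allocating resources",
    "yellow": "acceptable as is, or limited security or procedural changes",
}

Pair = Tuple[str, str, str, str, str]   # asset, threat, value, likelihood, vuln


def rank_pairs(pairs: List[Pair]):
    """(asset, threat, rating, zone) rows, highest Security Risk Rating first.

    The asset value rating is used as the matrix's impact axis (assumption).
    """
    rows = []
    for asset, threat, av, tl, vr in pairs:
        rating = security_risk_rating(av, tl, vr)
        zone = threat_matrix_zone(RATING[av], RATING[tl])
        rows.append((asset, threat, rating, zone))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed asset / threat pairs (assumed ratings, for illustration only).
SAMPLE_PAIRS: List[Pair] = [
    ("data center", "fire", "high", "medium", "high"),
    ("lobby kiosk", "vandalism", "low", "high", "medium"),
    ("storage shed", "theft", "low", "low", "low"),
]

if __name__ == "__main__":
    for asset, threat, rating, zone in rank_pairs(SAMPLE_PAIRS):
        print(f"{rating:>3}  {zone:<6} {asset} / {threat}: {ZONE_ACTION[zone]}")
```

The rating orders the pairs; the matrix zone says what kind of decision each one needs. A pair can rank below another yet still sit in the red band if its asset value and likelihood are both high while its vulnerability is low, which is why the deck keeps the two views separate.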
mitigation measures
The degree of probability of a loss event determines the appropriate solution and
Asset value
The economic replacement cost for equipment and infrastructure.
Cost Benefit Analysis
The final step in a security risk analysis is to conduct a
assessment
The first task of risk analysis is to perform an asset value
probability that it will occur
The more ways a particular event can occur in given circumstances, the greater the
1. Cost-of-loss formula, and 2. Assign a relative value to each asset based on priority (e.g., 1=low, 3=medium, 5=high)
There are basically two ways to establish values for assets:
Adversary Sequence Diagram
This diagram is a useful tool that helps determine the timeline required for an adversary to breach security. Knowing the timeline required can help you implement more measures to deter, delay, and detect the intruder.
Annual Loss Expectancy
Threat probability times the value of the potential loss produces the
Risk Transference
Transfer risk by using other options to compensate for the loss, such as purchasing insurance. (Some cost)
1. the organization's mission, 2. the resources used to perform that mission, 3. how resources interface with each other to accomplish company goals, and 4. how the organization would cope or maintain business continuity if any assets were lost.
Understanding asset criticality requires understanding:
1. Risk Assumption 2. Risk Avoidance 3. Risk Limitation 4. Risk Transference 5. Site Hardening
What are five approaches to risk mitigation?
1. Risk Assessment 2. Vulnerability Evaluation 3. Risk Management
What are three components of the risk analysis process?
1. Injuries/deaths 2. Replacement cost 3. Loss of revenue to lost functionality 4. Existence of backups 5. Availability of replacements 6. Support agreements and lifelines in place 7. Critical or sensitive information value 8. Impact on reputation and loss of revenue
What factors can help in valuing identified assets?
People
What is a company's most critical asset?
mission
When selecting risk mitigation options, give priority to the asset/threat and vulnerability pairs that could significantly impact or harm the organization's
It allows you to develop a priority ranking that can facilitate decisions about which risks to manage first and how to address those risks.
Why is it important to assess vulnerability of assets?
procedural changes
Yellow (lower, left) boxes indicate threats that are acceptable "as is" or that require limited security or