# 1.6: Risk

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\id}{\mathrm{id}}$$ $$\newcommand{\Span}{\mathrm{span}}$$

( \newcommand{\kernel}{\mathrm{null}\,}\) $$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$ $$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$ $$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\id}{\mathrm{id}}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\kernel}{\mathrm{null}\,}$$

$$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$

$$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$

$$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\AA}{\unicode[.8,0]{x212B}}$$

$$\newcommand{\vectorA}[1]{\vec{#1}} % arrow$$

$$\newcommand{\vectorAt}[1]{\vec{\text{#1}}} % arrow$$

$$\newcommand{\vectorB}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vectorC}[1]{\textbf{#1}}$$

$$\newcommand{\vectorD}[1]{\overrightarrow{#1}}$$

$$\newcommand{\vectorDt}[1]{\overrightarrow{\text{#1}}}$$

$$\newcommand{\vectE}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash{\mathbf {#1}}}}$$

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\avec}{\mathbf a}$$ $$\newcommand{\bvec}{\mathbf b}$$ $$\newcommand{\cvec}{\mathbf c}$$ $$\newcommand{\dvec}{\mathbf d}$$ $$\newcommand{\dtil}{\widetilde{\mathbf d}}$$ $$\newcommand{\evec}{\mathbf e}$$ $$\newcommand{\fvec}{\mathbf f}$$ $$\newcommand{\nvec}{\mathbf n}$$ $$\newcommand{\pvec}{\mathbf p}$$ $$\newcommand{\qvec}{\mathbf q}$$ $$\newcommand{\svec}{\mathbf s}$$ $$\newcommand{\tvec}{\mathbf t}$$ $$\newcommand{\uvec}{\mathbf u}$$ $$\newcommand{\vvec}{\mathbf v}$$ $$\newcommand{\wvec}{\mathbf w}$$ $$\newcommand{\xvec}{\mathbf x}$$ $$\newcommand{\yvec}{\mathbf y}$$ $$\newcommand{\zvec}{\mathbf z}$$ $$\newcommand{\rvec}{\mathbf r}$$ $$\newcommand{\mvec}{\mathbf m}$$ $$\newcommand{\zerovec}{\mathbf 0}$$ $$\newcommand{\onevec}{\mathbf 1}$$ $$\newcommand{\real}{\mathbb R}$$ $$\newcommand{\twovec}[2]{\left[\begin{array}{r}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\ctwovec}[2]{\left[\begin{array}{c}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\threevec}[3]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\cthreevec}[3]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\fourvec}[4]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\cfourvec}[4]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\fivevec}[5]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\cfivevec}[5]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\mattwo}[4]{\left[\begin{array}{rr}#1 \amp #2 \\ #3 \amp #4 \\ \end{array}\right]}$$ $$\newcommand{\laspan}[1]{\text{Span}\{#1\}}$$ $$\newcommand{\bcal}{\cal B}$$ $$\newcommand{\ccal}{\cal C}$$ $$\newcommand{\scal}{\cal S}$$ $$\newcommand{\wcal}{\cal W}$$ $$\newcommand{\ecal}{\cal E}$$ $$\newcommand{\coords}[2]{\left\{#1\right\}_{#2}}$$ $$\newcommand{\gray}[1]{\color{gray}{#1}}$$ $$\newcommand{\lgray}[1]{\color{lightgray}{#1}}$$ $$\newcommand{\rank}{\operatorname{rank}}$$ $$\newcommand{\row}{\text{Row}}$$ $$\newcommand{\col}{\text{Col}}$$ $$\renewcommand{\row}{\text{Row}}$$ $$\newcommand{\nul}{\text{Nul}}$$ $$\newcommand{\var}{\text{Var}}$$ $$\newcommand{\corr}{\text{corr}}$$ $$\newcommand{\len}[1]{\left|#1\right|}$$ $$\newcommand{\bbar}{\overline{\bvec}}$$ $$\newcommand{\bhat}{\widehat{\bvec}}$$ $$\newcommand{\bperp}{\bvec^\perp}$$ $$\newcommand{\xhat}{\widehat{\xvec}}$$ $$\newcommand{\vhat}{\widehat{\vvec}}$$ $$\newcommand{\uhat}{\widehat{\uvec}}$$ $$\newcommand{\what}{\widehat{\wvec}}$$ $$\newcommand{\Sighat}{\widehat{\Sigma}}$$ $$\newcommand{\lt}{<}$$ $$\newcommand{\gt}{>}$$ $$\newcommand{\amp}{&}$$ $$\definecolor{fillinmathshade}{gray}{0.9}$$

## Risk in Cybersecurity

There are many threats actors in the world including nation states, criminal syndicates and various enterprises, hacktivists and insiders. These advisaries have a variety of motivation often include financial gain, corporate or government espionage, and military advantage. These concern is the launch of cyber attacks through the exploitation of vulnerabilities. There are a number of vulnerabilities in both hardware and software that can be exploited from outside or inside. The vulnerability could be unpatched software, unsecured access points, and poorly configured systems. The consequence is the harm caused to an exploited organization by a cyberattack, the organization will have to face a lot of things including a loss of sensitive data. It will affect the company’s customer base, reputation, financial standing and may lose a great deal of customers. The consequence can be very costly to the organization. Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems.

## Risk Management

A risk is nothing but intersection of assets, threats and vulnerability.

A+T+V = R

NIST SP 800-30 Risk Management Guide for Information Technology Practitioners defines risk as a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

So the main components of Risk Assessment are:

• Threats
• Vulnerability
• Impact (i.e. potential loss)
• Likelihood of occurrence (i.e. the probability that an event – threat successful exploit of a vulnerability – will occur)

Threats are anything that can exploit a vulnerability accidentally or intentionally and destroy or damage an asset. An asset can be anything: people, property or information. An asset is what we are trying to protect and a threat is what we are trying to protect against. Vulnerability means a gap or weakness in our protection efforts.

Threat Source is the exploitation of a vulnerability or a situation either intentionally or unintentionally.

The complete process of Risk Management can be divided into following stages:

1. Context Establishment
2. Risk Assessment
3. Risk Management/ Mitigation
4. Risk Communication
5. Risk Monitoring and Review
6. IT Evaluation and Assessment

1. Context Establishment –
In this step information about the organization and basic criteria, purpose, scope and boundaries of risk management activities are obtained. In addition to this data, it is important to gather details about the organization in charge of risk management activities.

Organization’s mission, values, structure, strategy, locations and cultural environment are studied to have a deep understanding of it’s scope and boundaries.
The constraints (budgetary, cultural, political, technical) of the organization are to be collected and documented as guide for next steps.

The main role inside organization in charge of risk management activities can be seen as:

• Senior Management
• Chief information officer (CIO)
• System and Information owners
• the business and functional managers
• the Information System Security Officer (ISSO) or Chief information security officer (CISO)
• IT Security Practitioners
• Security Awareness Trainers

2. Risk Assessment –
Risk Management is a recurrent activity, on the other hand Risk assessment is executed at discrete points and until the performance of the next assessment. Risk Assessment is the process of evaluating known and postulated threats and vulnerabilities to determine expected loss. It also includes establishing the degree of acceptability to system operations.

Risk Assessment receives input and output from Context establishment phase and output is the list of assessed risk risks, where risks are given priorities as per risk evaluation criteria.

1. Risk Identification –
In this step we identify the following:

Thus output includes the following:

• assets
• threats
• existing and planned security measures
• vulnerabilities
• consequence
• list of asset and related business processes with associated list of threats, existing and planned security measures
• list of vulnerabilities unrelated to any identified threats
• list of incident scenarios with their consequences
2. Risk Estimation –
There are 2 methods for Risk Assessment:

1. Quantitative Risk Assessment – This methodology is not mostly used by the organizations except for the financial institutions and insurance companies. Quantitative risk is mathematically expressed as Annualised Loss Expectancy (ALE). ALE is the expected monetary loss that can be expected for an asset due to a risk being realised over a one-year period.

2. Qualitative Risk Assessment – Qualitative Risk Assessment defines likelihood, impact values and risk in subjective terms, keeping in mind that likelihood and impact values are highly uncertain. Qualitative risk assessments typically give risk results of “High”, “Moderate” and “Low”. Following are the steps in Qualitative Risk Assessment:

• Identifying Threats: Threats and Threat-Sources must be identified. Threats should include threat-source to ensure accurate estimation. It is important to compile a list of all possible threats that are present across the organization and use this list as the basis for all risk management activities. Some of the examples of threat and threat-source are:
• Natural Threats- floods, earthquakes etc.
• Human Threats- virus, worms etc.
• Environmental Threats- power failure, pollution etc.
• Identifying Vulnerabilities: Vulnerabilities are identified by numerous means. Some of the tools are:
• Vulnerability Scanners – This is the software the compare the operating system or code for flaws against the database of flaw signatures.
• Penetration Testing – Human Security analyst will exercise threats against the system including operational vulnerabilities like Social Engineering.
• Audit of Operational and Management Controls – Operational and management controls are reviewed by comparing the current documentation to best practices for example ISO 17799 and by comparing actual practices against current documented processes.
• Relating Threats to Vulnerabilities: This is the most difficult and mandatory activity in Risk Assessment. T-V pair list is established by reviewing the vulnerability list and pairing a vulnerability with every threat that applies, then by reviewing the threat list and ensuring that all the vulnerabilities that that threat-action/threat can act against have been identified.
• Defining Likelihood: Likelihood is the probability that a threat caused by a threat-source will occur against a vulnerability. Sample Likelihood definitions can be like:

Low -0-30% chance of successful exercise of Threat during a one year period

Moderate – 31-70% chance of successful exercise of Threat during a one year period

High – 71-100% chance of successful exercise of Threat during a one year period

This is just a sample definations. Organization can use their own definitaion like Very Low, Low, Moderate, High, Very High.

• Defining Impact: Impact is best defined in terms of impact upon confidentiality, integrity and availability. Sample definitions for impact are as follows:
Confidentiality Integrity Availability
Low Loss of Confidentiality leads to Limited effect on organization Loss of Integrity leads to Limited effect on organization Loss of Availability leads to Limited effect on organization
Medium Loss of Confidentiality leads to Serious effect on organization Loss of Integrity leads to Serious effect on organization Loss of Availability leads to Serious effect on organization
High Loss of Confidentiality leads to Severe effect on organization Loss of Integrity leads to Severe effect on organization Loss of Availability leads to Severe effect on organization
• Assessing Risk: Assessing risk is the process to determine the likelihood of the threat being exercised against the vulnerability and the resulting impact from a successful compromise. Sample Risk Determination Matrix is as follows:
Impact
High Moderate Low
Likelihood High High High Moderate
Moderate High Moderate Low
Low Moderate Low Low
•  Risk Evaluation
T
he risk evaluation process receives as input the output of risk analysis process. It first compares each risk level against the risk acceptance criteria and then prioritize the risk list with risk treatment indications.
3. Risk Mitigation/ Management
Risk Mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process. Since eliminating all risk in an organization is close to impossible thus, it is the responsibility of senior management and functional and business managers to use the least-cost approach and implement the most appropriate controls to decrease risk to an acceptable level.
As per NIST SP 800 30 framework there are 6 steps in Risk Mitigation.
• Risk Assumption: This means to accept the risk and continue operating the system but at the same time try to implement the controls to
• Risk Avoidance: This means to eliminate the risk cause or consequence in order to avoid the risk for example shutdown the system if the risk is identified.
• Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
• Risk Planning: To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
• Research and Acknowledgement: In this step involves acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
• Risk Transference: This means to transfer the risk to compensate for the loss for example purchasing insurance guarantees not 100% in all cases but alteast some recovery from the loss.
4. Risk Communication
The main purpose of this step is to communicate, give an understanding of all aspects of risk to all the stakeholder’s of an organization. Establishing a common understanding is important, since it influences decisions to be taken.
5. Risk Monitoring and Review
Security Measures are regularly reviewed to ensure they work as planned and changes in the environment don’t make them ineffective. With major changes in the work environment security measures should also be updated.Business requirements, vulnerabilities and threats can change over the time. Regular audits should be scheduled and should be conducted by an independent party.
6. IT Evaluation and Assessment
Security controls should be validated. Technical controls are systems that need to tested and verified. Vulnerability assessment and Penetration test are used for verifying status of security controls. Monitoring system events according to a security monitoring strategy, an incident response plan and security validation and metrics are fundamental activities to assure that an optimal level of security is obtained. It is important to keep a check on new vulnerabilities and apply procedural and technical controls for example regularly update software.