21CSC308T Security Risk

Management Principles

22-07-2024 1
 Unit – I
Introduction to Risk

• CO1: acquire the knowledge on the fundamentals of Risk

management

22-07-2024 2
Content
• Introduction to Risk, Elements of risk,
• Information Security Risk Management Overview,
• Information Risk Management Activities,
• Risk Management and the Security Program,
• Drivers, Laws, Regulations,
• Threat Source Leveraging a Vulnerability,
• Federal Information Security Management Act of 2002 (FISMA),
• Gramm-Leach-Bliley Act (GLBA),
• Health Insurance Portability and Accountability Act (HIPAA),
• ISO 27001, ISO 27005,
• Risk Management Framework, Practical Approach.

22-07-2024 3
Session 1
Introduction to Risk, Elements of risk
Reference: T4

22-07-2024 4
Introduction to Risk
• Risk is the situation that exposes an object to harm
• Risk is the measurement of uncertainty
NIST definition:
• A measure of the extent to which an entity is threatened by a
potential circumstance or event, and typically a function of:
(i) the adverse impacts that would arise if the circumstance or
event occurs; and
(ii) the likelihood of occurrence

22-07-2024 5
Information Security Risk
• In information security, risk revolves around three important
concepts: threats, vulnerabilities and impact (see Figure 1.4).
1. Threat is an event, either an action or an inaction that
leads to a negative or unwanted situation.
2. Vulnerabilities are weaknesses or environmental factors
that increase the probability or likelihood of the threat being
successful.
3. Impact is the outcome such as loss or potential for a loss
due to the threat leveraging the vulnerability.

22-07-2024 6
Information Security Risk

22-07-2024 7
Example: Unauthorized Access
• Unauthorized access by hackers through exploitation of weak
access controls within the application could lead to the
disclosure of sensitive data.

22-07-2024 8
Example: Unencrypted Media
• Accidental loss or theft of unencrypted backup tapes could lead
to the disclosure of sensitive data.

22-07-2024 9
Elements of Risk
Based on the definition of Risk the components of risk are derived (Fig 1.1 and
1.2)

22-07-2024 10
Elements of Risk
• Event
• Asset
• Outcome
• Probability

22-07-2024 11
Event
• An event is a chance or situation that is possible but is not certain.
• An event in the context of a risk assessment is always a future event.
• An event could also be an action or inaction.
• This action or inaction will have a direct or indirect influence on the outcome
• Identifying events is one of the key activities of a risk assessment.
• In information security risk assessments, these events will be our threat actions,
Examples(in the context of information security)
• Hackers gaining unauthorized access to an application, or an unencrypted backup
tape data being lost and then read

22-07-2024 12
Asset
• An asset is the direct or indirect target of an event.
• The outcome always has a direct consequence and is applied to the
asset.
• More often than not, an asset is something valued in your
organization.
• In information security, these assets are typically applications,
databases, software, hardware, or even people.
Example:
• the application and the backup tape are the assets that are the object
of the event.
22-07-2024 13
Outcome
• An outcome is the impact of the event
• an outcome will always be an adverse or unwelcome
circumstance such as a loss or potential for loss.
• This loss in turn always has a direct effect on the whole or part
of the asset.
• Example:
• a lost backup tape being read or unauthorized access by
hackers to an application – outcome - disclosure of sensitive
information.
22-07-2024 14
Probability
• The goal of a risk assessment is to measure the probability or likelihood of a
future event occurring.
• Example for hackers accessing an application and the unencrypted backup
tapes, the probability component will attempt to answer the following questions:
• What is the probability that hackers may be able to gain unauthorized access
to the application?
• What is the probability that data on unencrypted backup tapes may be
disclosed?
• Probability typically revolves around the determination of the exposure and
frequency of an event and can be very subjective in nature. The basis for
determining probability will be discussed in more detail in the proceeding
chapters.
22-07-2024 15
Components of Risk and their Interactions

22-07-2024 16
Components of Risk and their Interactions
• Figure 1.3 illustrates the components of risk and their interaction with
each other.
• The first component of risk` is a future event, which can either be an
action or inaction
• The second component of risk is the probability or likelihood of that
future event happening.
• The third component of risk is the asset, which is directly or indirectly
affected by the event.
• The fourth component of risk is the outcome, which is the impact of
the event on the asset.

22-07-2024 17
Session 2
Information Security Risk Management Overview

Reference: T1

22-07-2024 18
Information Security Risk Management
Overview
• Risk management is the process of measuring or assessing risk and
then developing strategies to manage the risk.
• the Information Security field is all about managing the risks to
sensitive data and critical resources.
The purpose of Risk Management
• Ensure overall business and business assets are safe
• Protect against competitive disadvantage
• Compliance with laws and best business practices
• Maintain a good public reputation

22-07-2024 19
Information Security Risk Management
Overview
The goal of Information Security should be
• to ensure that the confidentiality, integrity, availability, and
accountability of the organization’s resources (tangible and
intangible assets) are maintained at an acceptable level.
• Information Security has a broad set of responsibilities, ranging
from training and awareness to digital forensics.

22-07-2024 20
Information Security Risk Management
Overview
The goal of risk management is to
• maximize the output of the organization (in terms of services,
products, and revenue) while minimizing the chance of
unexpected negative outcomes.
• The goal should never be zero exposure, but finding the right
balance.

22-07-2024 21
Information Security Risk Management
Overview
• The security program should be filling a governance and
oversight role to help identify the risks that have the greatest
chance of harming the organization with the most severe
impact.
• If you have properly educated the organization about the likely
risk exposures, then you have fulfilled your obligations even if
the business chooses not to address the risks

22-07-2024 22
Session 3
Information Risk Management Activities
Reference: T1 page No. 43

22-07-2024 23
 Information Risk Management Activities
• The risk management process is made up of several point-in-time assessments of risk that
need to be re-evaluated as risks evolve.
• The process begins by profiling your resources (assets) and
• rating them on a sensitivity scale similar to a traditional Business Impact Assessment (BIA)
exercise. The goal is to identify critical resources that need to be protected.
• Identify the threats and vulnerabilities for these critical resources,
• rate the risk exposure,
• determine appropriate mitigation strategies,
• implement controls,
• evaluate the effectiveness of those controls, and
• finally monitor changes over time
22-07-2024 24
Information security risk management
workflow

22-07-2024 25
Session 4
Risk Management and the Security Program, Drivers, Laws, Regulations,

Ref: T1 and T4

22-07-2024 26
Risk Management and the Security Program
Architecting a Security Program
• If policies are the foundational component of any mature
information security program, then risk management needs to
be the lens through which you view the organization.
• The building blocks of a security program are policies,
standards, guidelines, procedures, and baselines, which you
use to establish expectations about how to secure the sensitive
resources.

22-07-2024 27
Risk Management and the Security Program
Architecting a Security Program
• the role of the risk management program should be well represented in the
organization’s security policy.
1. Some of the topics that need to be covered in policies and standards are as
follows:
• How the critical resources will be identified?
• The roles responsible for conducting risk assessments.
• The process that will be followed for risk assessments.
• How often assessments will be conducted?
• How findings will be scored and addressed?
• The process for requesting an exception.
22-07-2024 28
Risk Management and the Security Program
2. Once you establish new policies and standards, be prepared to
spend a lot of time interpreting those requirements as individual
business cases and scenarios arise.
3. the organization to find its creative ways to meet those
requirements when the solution may not match the letter of the
standard.
4. exception approval process is essential on day one of
implementation for any new policies or standards

22-07-2024 29
Risk Management and the Security Program
5. to promote a culture where other members in the organization
are encouraged to identify risks and request exceptions for
justified activities.
6. Often, even when you are reviewing an exception request for a
low-risk item, you might find that you will discover some other
related exposures that are more critical to the organization

22-07-2024 30
Risk Management and the Security Program
• information security risk assessments should be a fundamental
requirement for any security program.
• An information security function should be able to utilize this
process as a guide to achieve three primary objectives:
1. to determine safeguards needed to secure information
systems that store and process information.
• through regular assessments, this will allow the organization to
consistently devise, implement, and monitor security measures to
address the level of identified risk.

22-07-2024 31
Risk Management and the Security Program
2. allow an organization to comply with internal and external
requirements.
• Internal requirements are typically organizational policies -
ISO 27001 or NIST SP800-53
• External requirements are typically federal laws and
regulations - Gramm-Leach-Bliley Act (GLBA), Health
Insurance Portability and Accountability Act (HIPAA), and
Federal Information Security Management Act (FISMA)

22-07-2024 32
Risk Management and the Security Program
3. to make well-informed decisions
• The results and conclusions of the assessment can be used as
leverage to justify expenditures, manpower, time, budgeting,
technology purchases, and service procurements.

22-07-2024 33
Session 5
Threat Source Leveraging a Vulnerability

Ref: T4

22-07-2024 34
Information Risk Assessments Activities
• Identify Threats
• Identify Vulnerabilities
• Identify Assets
• Determine Impact
• Determine Livelihood
• Identify Controls

35
Threat Source Leveraging a Vulnerability
IDENTIFY THREATS
• The threats are events, sources, actions, or inactions that could potentially
lead to harm of the organization’s information security assets.
• Many of the frameworks represent threats as a combination of threat
actions and threat sources as illustrated in Figure 1.8.

22-07-2024 36
Threat Source Leveraging a Vulnerability
Identify Vulnerabilities
• This activity is focused on identifying vulnerabilities that could
be exploited by the threats that you have identified.
• The existence of a vulnerability is a major contributing factor for
calculating the probability of risk.
• If an asset has a vulnerability that can be exploited by a threat, then the
risk to that asset is much higher when compared to an asset that does
not have the same vulnerability.

22-07-2024 37
Threat Source Leveraging a Vulnerability
• Example: Figure 1.9, if a system has weak passwords, a hacker who is
able to find and leverage a “weak password” in an information system has
a greater chance of achieving unauthorized access.

• a vulnerability increases the probability of a threat source achieving its

threat action.

22-07-2024 38
Threat Source Leveraging a Vulnerability
• The objective of this activity is to determine all potential vulnerabilities to the asset that
could be leveraged by a threat source.
• The outcome of this activity is typically captured in the form of a vulnerability listing.
• There are actually two possible approaches to take here.
• Listing of vulnerability – two approaches
1. Make a comprehensive vulnerability listing of all possible vulnerabilities that you can
think of or
2. Can focus only on the vulnerabilities that have already been identified within the
organization.
• Sources of good vulnerability data for your organization can include penetration testing reports,
previous risk assessments, vulnerability assessments, security incident data, security metrics, and
other third party or internal audit reports.

22-07-2024 39
Threat Source Leveraging a Vulnerability
DETERMINE IMPACT
• In all risk assessment frameworks that you will encounter,
there will be in some form or another, a measurement of
impact.
• The objective of this activity is to produce a measurement for
impact.
• Types

Quantitative risk assessments

Qualitative determination of impact

40
Threat Source Leveraging a Vulnerability
DETERMINE LIVELIHOOD

41
Threat Source Leveraging a Vulnerability
IDENTIFY CONTROL
• Controls are mechanisms that detect or prevent threats
sources from leveraging vul-nerabilities and thus are closely
tied to likelihood as it affects the probability of a risk.
• objective of this activity is to identify what controls are currently
in place for the asset that would have an effect on the threat
that is being assessed.

42
 Drivers, Laws, Regulations
• the most common US laws,
regulations, policies and
frameworks related to information
security risk assessments.
• risk assessments are often
executed as part of an
organizations obligation to meet a
regulatory requirement.
• The diagram in Figure 1.11
represents the major risk
assessment "drivers" in the United
States.

22-07-2024 43
Session 6
Federal Information Security Management Act of 2002 (FISMA)

Ref: T4

22-07-2024 44
 Federal Information Security Management Act of
2002 (FISMA)
• The Federal Information Security Management Act (FISMA) is
United States legislation that defines a comprehensive
framework to protect government information, operations and
assets against natural or man-made threats.
• This act requires all federal agencies to develop, document, and
implement an information security program to protect
information and information systems that support the assets and
operations of the agency.
• This is meant to protect agency operations, which includes its
mission, functions, image, and reputation.

22-07-2024 45
Federal Information Security Management
Act of 2002 (FISMA)
• FISMA is a requirement for all federal agencies and the Office of
Management and Budget (OMB) is tasked to provide oversight for
FISMA.
• As part of their responsibility, OMB has provided Memorandum
99-20, reinforces the tenet that federal agencies should have a
continual assessment of risk in computer systems and maintain
adequate security commensurate with the risk.
• FISMA mandates that all Federal information systems be reviewed to
determine the types of data contained within the system, and then
categorized based on the damage that could be caused if the
system’s confidentiality, integrity, or availability were to become
compromised.
22-07-2024 46
Federal Information Security Management Act of
2002 (FISMA)
• Risk is mentioned multiple times within the circular from OMB.
• The OMB states that federal agencies should consider the risk when
deciding what security controls to implement and recommends
implementing a risk-based approach to security.
• This means that security should be commensurate with the risk and
magnitude of harm such as loss, misuse, unauthorized access, and
modification.
• Based on the circular, when determining the adequacy of security, federal
agencies should be considering the major risk factors, which are the value
of the system, threats, vulnerabilities, and the effectiveness of controls and
safeguards.
22-07-2024 47
Federal Information Security Management
Act of 2002 (FISMA)
• Overall, the basic concepts of FISMA and the OMB circulars are very
sound.
• They highlight the need for a risk-based policy through which an agency
could have a “foundational” level of security.
• an essential part of setting this “foundation” is to gain an understanding of
what risks the organization is exposed to and thus a risk assessment must be
performed.
• Accordingly, OMB points to the National Institute of Standards and
Technology (NIST) for specific standards regarding risk assessments.

22-07-2024 48
Federal Information Security Management
Act of 2002 (FISMA)
• NIST defines nine steps to FISMA compliance:
1. Categorize the information to be protected
2. Select minimum baseline controls
3. Refine controls using a risk assessment procedure
4. Document the controls in the system security plan
5. Implement security controls in appropriate information systems
6. Assess the effectiveness of the security controls once they have been
implemented
7. Determine agency-level risk to the mission or business case
8. Authorize the information system for processing
9. Monitor the security controls on a continuous basis
22-07-2024 49
Session 7
Gramm-Leach-Bliley Act (GLBA)

Ref: T4

22-07-2024 50
Gramm-Leach-Bliley Act (GLBA)
• The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial
Modernization Act of 1999, is a federal law enacted in the United States to
control the ways financial institutions deal with the private information of
individuals.
• The Gramm-Leach-Bliley Act, or GLBA, primarily affects financial institutions.
• GLBA defines financial institutions, as companies that offer financial products or
services to individuals, like loans, financial or investment advice, or insurance.
• Specific sections of GLBA, particularly the Information Security Guidelines of
section 501(b), require institutions to establish standards and safeguards around
administrative, technical, and physical security.
• These safeguards are meant to protect against anticipated threats and hazards
and ensure the security and integrity of company and customer information and
22-07-2024 51
information systems.
Gramm-Leach-Bliley Act (GLBA)
The Act consists of three sections:
1. The Financial Privacy Rule, which regulates the collection and
disclosure of private financial information;
2. the Safeguards Rule, which stipulates that financial institutions must
implement security programs to protect such information; and
3. the Pretexting provisions, which prohibit the practice of pretexting or
accessing private information using false pretenses.
• The Act also requires financial institutions to give customers written privacy
policy notices that explain their information-sharing practices.
22-07-2024 52
Gramm-Leach-Bliley Act (GLBA)
• As such, security practitioners in institutions that need to maintain
GLBA compliance are required to assess the risks of reasonably
foreseeable threats, and in particular those that could result in
unauthorized disclosure, misuse, alteration, and destruction of
information and information systems.
• In fact, the institution is required to report to its board at least
annually on its information security program with a focus on risk
assessments and risk management.
• GLBA also states that following the assessment of risk, the
organization should design a program to assess the identified risk
and develop and maintain appropriate measures to address these
risks.
22-07-2024 53
Gramm-Leach-Bliley Act (GLBA)
• Within GLBA most of the discussions about risk assessments, and what is required
for a compliant risk assessment, are high level and rather broad; as is the term
"financial institution".
• This leaves room for specific regulators or bodies to provide their own
interpretation regarding various security related topics. Some such regulatory
bodies include:
• Federal Deposit Insurance Corporation (FDIC).
•Office of the Comptroller of the Currency (OCC).
•National Credit Union Administration (NCUA).
•Consumer Financial Protection Bureau (CFPB).
•MAIC Mergers & Acquisitions International Clearing
22-07-2024 54
Gramm-Leach-Bliley Act (GLBA)
• As a result of there being multiple regulatory bodies evaluating various
organizations for GLBA compliance, the Federal Financial Institutions
Examination Council (FFIEC) was empowered to create standards in order to
promote uniformity in the supervision of financial institutions.
• Penalties for GLBA noncompliance
• Failure to comply with GLBA can have severe financial and personal
consequences for executives and employees.
• A financial institution faces a fine up to $100,000 for each violation.
• Its officers and directors can be fined up to $10,000, imprisoned for five years or
both.
• Companies also face increased exposure and a loss of customer confidence.

22-07-2024 55
Session 8
Health Insurance Portability and Accountability
Act (HIPAA)
Ref: T4

22-07-2024 56
Health Insurance Portability and
Accountability Act (HIPAA)
• The Health Insurance Portability and Accountability Act (HIPAA) focuses on
healthcare providers, insurers, and employers.
• Specific sections of HIPAA, particularly the Security Rule, focus on the
need to adequately and effectively protect Electronic Protected Health
Information or ePHI by adhering to good business practices for systems
handling ePHI.
• Specifically, in the Security Rule, HIPAA requires all covered entities
(healthcare providers, insurers, etc.) and their Business Associates
(vendors, contractors, etc.) to conduct an accurate and thorough Risk
Analysis (or a Risk Assessment).
• This Risk Analysis should assess the potential risks and vulnerabilities that
could affect the confidentiality, integrity, and availability of ePHI.
22-07-2024 57
Health Insurance Portability and
Accountability Act (HIPAA)
• The Department of Health and Human Services (HHS) is tasked to provide
oversight over HIPAA. HHS has provided a significant number of guidance
documents and memorandums regarding the security rule.
• One in particular focuses specifically on Risk Analysis (HIPAA Security
Standards: Guidance on Risk Analysis).
• This guidance document states that Risk Analysis is foundational and is the first
step in identifying safeguards or controls as well as ultimately implementing
these safeguards.
• It also states that risk analysis allows the organization to determine the
appropriateness of these safeguards or at the very least, document the rationale
as to why these safeguards are in place.

22-07-2024 58
Health Insurance Portability and
Accountability Act (HIPAA)
• There are also some specific guidelines that HHS includes in the
requirements associated with risk analysis, particularly whether the
organization has identified the locations of ePHI, external sources that
handle ePHI, as well as identifying human, natural, and environmental
threats.
• While HHS bases its guidance primarily on NIST, there are also several
other referenced methodologies that are provided by HHS to assist in
performing Risk Analysis including:
• Guidance from the Office of National Coordinator for Health Information
Technology (ONC).
• Healthcare Information and Management Systems Society (HIMSS).
• Health Information Trust Alliance (HITRUST).
22-07-2024 59
 Health Insurance Portability and
Accountability Act (HIPAA) sections
• Title I: Protects health insurance coverage for workers and their families who
change or lose jobs. It limits new health plans' ability to deny coverage due to a
pre-existing condition.
• Title II: Prevents healthcare fraud and abuse; medical liability reform;
administrative simplification that requires establishing national standards for electronic
healthcare transactions and national identifiers for providers, employers, and health
insurance plans.
• Title III: Guidelines for pre-tax medical spending accounts. It provides changes to
health insurance law and deductions for medical insurance.
• Title IV: Guidelines for group health plans. It provides modifications for health
coverage.
• Title V: Governs company-owned life insurance policies. Makes provisions for
treating people without United States citizenship and repealed financial institution rules to
22-07-2024 60
interest allocation rules.
Session 9
ISO 27001, ISO 27005, Risk Management
Framework, Practical Approach.
Ref: T4

22-07-2024 61
ISO 27001
• ISO 27001 is not a law or regulation but is one of the most widely adopted security frameworks
in the world. It is a framework for establishing an effective information security management
system (ISMS).

• This framework is considered a top down and risk-based approach, which is technology neutral.

• Requirements for ISO 27001 compliance

1. To define the risk assessment approach of the organization.
• According to the framework, the risk assessment methodology should be based on business,
information security, legal and regulatory requirements and should have a criterion for
accepting and identifying acceptable risk levels.
2. Another important aspect that the framework states is the risk assessment approach should be
able to produce comparable and reproducible results.

22-07-2024 62
ISO 27001
• ISO 27001 also mentions that the organization should be able to identify risks by identifying the
assets and asset owners, identifying threats, and identifying vulnerabilities which impacts
confidentiality, integrity, and availability.

• Aside from just identifying risk, ISO 27001 requires the organization to analyze and evaluate
risks. This evaluation is based on the business impact of the security failure, the realistic
likelihood (considering current controls), estimation of the risk, and a determination for accepting
the risk.

• Basically, these are just different way of saying that an organization needs to evaluate the
impact and likelihood of the risk, components of risk management.

• ISO 27001 primarily refers practitioners to ISO 27005, which is the techniques document that
focuses on Information Security Risk Management.

• As previously stated, ISO 27001 is not a law; however, in this period of internationalization, it
has become a way for one business to attest to another business that they are sufficiently
exercising an acceptable level of security controls.

22-07-2024 63
ISO 27005
• ISO 27005 is the “Information Technology—Security
Techniques—Information Security Risk Management” standard released
by the international standards body ISO to provide guidance over
information security risk management processes that are needed for the
implementation of an effective information security management system
(ISMS).
• Though this standard is considered a risk management standard, a
significant portion of the standard deals with risk assessments, which are
of course a key part of a risk management program.

22-07-2024 64
ISO 27005
• ISO 27005 is heavily aligned with NIST SP 800-30 and is written from a
high level perspective
The ISO 27005 standard has 6 major topic areas:
1. Context Establishment.
2. Information Security Risk Assessment.
3. Information Security Risk Treatment.
4. Information Security Risk Acceptance.
5. Information Security Risk Communication.
6. Information Security Risk Monitoring and Review.

22-07-2024 65
ISO 27005
• Context Establishment

• The risk assessment context establishes the guidelines for identifying risks,
determining who is accountable for risk ownership, determining how risks affect
the confidentiality, integrity, and availability of information, and calculating risk
effect and probability.

• Information Security Risk Acceptance

• Organisations should establish their own risk acceptance requirements that take
into account current strategies, priorities, targets, and shareholder interests. This
means documenting everything. Not just for the auditors, but so that you can
refer to them in the future if need be.

22-07-2024 66
ISO 27005
• Information Security Risk Monitoring and Review

• Risks are dynamic and can change rapidly. As a result, they should be actively monitored in order to
detect shifts easily and maintain a complete picture of the risks. Additionally, organisations should
keep a close watch on the following: Any new assets brought into the domain of risk management;
Asset values that need to be adjusted to reflect changing business requirements; New risks, external
or internal, that have not yet been evaluated; and incidents involving information security.

• Information Security Risk Communication

• Effective risk communication and consulting are critical components of the information security risk
management process. It guarantees that people responsible for risk management grasp the rationale
for decisions and the reasons for such actions. Sharing and exchanging ideas about risk also helps
policymakers and other stakeholders reach a consensus on how to handle risk. Continuous risk
communication should be practised, and organisations should establish risk communication strategies
for both routine procedures and emergency situations.

22-07-2024 67
Risk Management Framework
• A framework is some form of logical structure to organize
information or activities.
• The information security risk management framework provides
the logical structure or model to guide a user through the
process of executing an information security risk management.
• focus on foundational concepts associated with risk elements,
high-level activities, formulas, and decision matrices, all of
which are components essential to successfully conducting an
information security risk management within an organization.

22-07-2024 68
Risk Management Framework
• The Risk Management Framework is a template and guideline
used by companies to identify, eliminate and minimize risks.
• It was originally developed by the National Institute of Standards
and Technology to help protect the information systems of the
United States government.

22-07-2024 69
Components of Risk Management
Framework
• There are five components that make up the RMF:
1. identification;
2. measurement and assessment;
3. mitigation;
4. reporting and monitoring; and
5. governance.

22-07-2024 70
Components of Risk Management
Framework
1. Identification
• The first component in implementing the Risk Management
Framework is to identify the risks that the organization faces.
• These might include strategic, legal, operational and privacy risks.
• It is important to note that risk identification is not a one-time process.
• The risks that an organization faces tend to change over time, so risk
assessments will need to be performed on a periodic basis.

22-07-2024 71
Components of Risk Management
Framework
2. Measurement and assessment
• The goal behind the measurement and assessment component is to create a risk
profile for each risk that has been identified.
• There are any number of different ways that organizations might complete the
measurement and assessment phase of the process.
• In some cases, risk measurement might be based on something as simple as how
much capital could potentially be lost as a result of the risk.
• However, in other cases, measuring the potential impact of a risk might be far
more difficult.
• In the field of information security, for example, an organization might attempt to
quantify the cost of a security breach compared with the cost of implementing a
security mechanism that can help to mitigate the risk.

22-07-2024 72
Components of Risk Management
Framework
3. Mitigation
• Risk mitigation involves examining the risks that have been identified
and determining which risks can and should be eliminated, as
opposed to the risks that are deemed to be acceptable.
• Part of this process involves coming up with mitigation strategies,
such as cyber insurance.
• For example, if an organization identifies cybersecurity risks that need to be
dealt with, then it might choose to integrate security controls into its
development lifecycle. Such an organization would likely also put additional
baseline security controls in place.

22-07-2024 73
Components of Risk Management
Framework
4. Reporting and monitoring
• This essentially means regularly reexamining the risks in order
to make sure that the risk mitigation strategies the organization
has adopted are leading to the desired effect.
5. Governance
• Risk governance is the process of making sure that the risk
mitigation techniques that have been adopted are put into place
and that the employees adhere to those policies.

22-07-2024 74
Steps of Risk Management Framework
According to the National Institute of Standards and Technology,
the following seven steps make up the RMF.

22-07-2024 75
Risk Management Framework
• NIST SP800-30.
• ISO 27005.
• Octave.
• FAIR

22-07-2024 76
OCTAVE - Operationally Critical
Threat, Asset, and Vulnerability
Evaluation
• OCTAVE is security risk management framework designed to help
organizations identify, analyze, and manage information security risks.
• It was published by the Software Engineering Institute (SEI) of Carnegie Mellon
University in 1999.
• Octave provides a holistic approach for organizations to identify the following
three crucial pieces of information.
• Information assets crucial for the organization
• Potential threats to the identified assets
• Vulnerabilities that could exploit the assets
• These three combinations help organizations understand which information is
potentially at risk. With this knowledge, an organization can create and
implement mechanisms to minimize the overall risk to its information assets.
22-07-2024 77
OCTAVE
• Currently OCTAVE has 3 different versions:
1. OCTAVE;
2. OCTAVE-S; and
3. OCTAVE-Allegro.

22-07-2024 78
OCTAVE
• OCTAVE is the original framework and is the basis for all OCTAVE types of
frameworks.
• It is recommended for large organizations (according to SEI this typically
means an organization with more than 300 employees) that have the ability
and resources to conduct internal security evaluations and workshops
across the organization.
• This version is the most prescriptive and very closely resembles a
methodology.
• It is very comprehensive and contains various templates such as surveys,
meeting minutes, and guidelines on how to conduct workshops.
• This framework recommends the involvement of a wide variety of people,
many of whom are not directly involved in the risk management function.

22-07-2024 79
OCTAVE-S
• OCTAVE-S was developed for smaller organizations.
• According to SEI, OCTAVE-S was made for organization with less than 100
employees and would require a team of 3–5 people who are knowledgeable about
the company in order to complete the evaluation.
• This framework assumes that the people doing the assessment know about the
company’s assets, security requirements, threats and security practices and thus
do not require the company-wide workshops and meetings that are prescribed in
the original OCTAVE framework.
• The assumption that a company of only 100 employees could dedicate 3–5
people for the execution of a risk assessment is indicative of one of the major
shortcomings of OCTAVE in general; an overall underestimation of the level of
effort it takes to execute an assessment and the reasonable amount of resources
that would have to be applied to be successful.

22-07-2024 80
OCTAVE-Allegro.
• OCTAVE-Allegro is the most recent version of the framework.
• OCTAVE Allegro was specifically streamlined for information security risk assessments.
• Similar to OCTAVE-S, this framework does not require extensive organizational involvement
• Steps
1. Establish Risk Measurement Criteria
2. Develop an Information Asset Profile
3. Identify Information Asset Containers
4. Identify Areas of Concern
5. Identify Threat Scenarios
6. Identify Risks
7. Analyze Risks
8. Select Mitigation Approach

22-07-2024 81
FAIR -Factor Analysis of Information Risk
• The FAIR framework was developed by Risk Management
Insight and has a strong following with several groups including
the Open Group and ISACA.
• This framework has a heavy focus on objectivity.
• In fact, according to the developers of the FAIR framework, the
shortcomings of current risk assessment practices are primarily
the result of information security being practiced as an “art”
rather than a science.
• FAIR is has many complex sounding terms and formulas.

22-07-2024 82
FAIR – 4 Stages
• Stage 1: Identify Scenario Components
a. Identify asset at risk
b. Identify the threat community
• Stage 2: Evaluate Loss Event Frequency
a. Threat Event Frequency (TEF):
b. Threat Capability (Tcap):
c. Estimate Control Strength (CS)
d. Derive Vulnerability (Vuln):
e. Derive Loss Event Frequency (LEF):
• Stage 3: Evaluate Probable Loss Magnitude (PLM)
a. Estimate Worse Case Scenarios:
b. Estimate Probable Loss Magnitude (PLM):
• Stage 4: Derive and Articulate Risk
22-07-2024 83
NIST SP800-30
• The “Risk Management Guide for Information Technology
Systems” or NIST SP800-30 was developed by the National
Institute for Standards and Technology.
• SP800-30 is a high-level approach to risk management and is
not as prescriptive as OCTAVE or FAIR.
• Overall, SP800-30 appears to have been made with a lot of
flexibility and “wiggle-room” to take into consideration the wide
range of organizations that would adopt this as a standard.

22-07-2024 84
Steps in NIST SP800-30
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
22-07-2024 85
References
• T1: Evan Wheeler, “Security Risk Management”, Syngress
ISBN: 97815, 2011
• T4: Mark Talabis, “Information Security Risk Assessment
Toolkit: Practical Assessments through Data Collection and
Data Analysis”, Syngress; 1 edition, ISBN: 978-1-59749-735- 0,
2012.

22-07-2024 86