T2 Ch06

Uploaded by Ahmed Ali

Management of Information Security, 6th ed. - Whitman & Mattord

© 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Learning Objectives

• Upon completion of this chapter, you should be able to:
  • Define risk management and its role in the organization
  • Describe risk management techniques to identify and prioritize risk factors for information assets
  • Explain how risk is assessed based on the likelihood of adverse events and the effects on information assets when events occur
  • Discuss the use of the results of the risk identification process

Introduction to the Management of Risk in
Information Security
Chapter 06: Risk Management: Assessing Risk


Risk Management

• Therefore I say: One who knows the enemy and knows himself will not be in danger in a hundred battles
• One who does not know the enemy but knows himself will sometimes win, sometimes lose
• One who does not know the enemy and does not know himself will be in danger in every battle
Sun Tzu


Introduction
• InfoSec managers and technicians are the defenders of information
• They constantly face a myriad of threats to the organization’s information assets
• A layered defense is the foundation of any InfoSec program


Knowing Yourself and Knowing the Enemy

• When operating any kind of organization, a certain amount of risk is always involved
• For an organization to manage risk properly, managers should understand how information is collected, processed, stored, and transmitted
• Knowing yourself in this context requires identifying which information assets are valuable to the organization, categorizing and classifying those assets, and understanding how they are currently being protected
• Knowing the enemy means identifying, examining, and understanding the threats facing the organization’s information assets

What is Risk?


Risk Levels


Risk Matrix


Risk Management


The Information Security Risk Management Framework

• Risk management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated
• This process involves discovering and understanding answers to some key questions with regard to the risk associated with an organization’s information assets:
  • Where and what is the risk (risk identification)?
  • How severe is the current level of risk (risk analysis)?
  • Is the current level of risk acceptable (risk evaluation)?
  • What do I need to do to bring the risk to an acceptable level (risk treatment)?

The Information Security Risk Management Framework (Continued)

• Risk management is a complex operation that requires a formal methodology; this approach to RM involves two key areas: the RM framework and the RM process
  • The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts
  • The RM process is the implementation of risk management, as specified in the framework
• The RM framework and the RM process are continuous improvement activities, which means they are ongoing, repetitive, and designed to continually assess current performance in order to improve future RM results

The Information Security Risk Management Framework (Continued)

• The RM framework consists of five key stages:
  • Executive governance and support
  • Framework design
  • Framework implementation
  • Framework monitoring and review
  • Continuous improvement
• This model is adapted to be in alignment with an ISO standard, while others are based on industry standards or proprietary models


Key Roles and Responsibilities in Risk Management


Key Risk Indicators (KRI)


Roles of Communities of Interest in Managing Risk

• Each of the three communities of interest directly linked to managing the risks to information assets has a particular strategic role to play:
  • InfoSec—Because members of the InfoSec community best understand the threats and attacks that introduce risk, they often take a leadership role in addressing risk
  • IT—This group is responsible for building secure systems and ensuring their safe operation
  • General management and users—When properly trained and kept aware of the threats faced by the organization, this group plays a part in the early detection and response process. Members of this community also ensure that sufficient resources are allocated to the InfoSec and IT groups to meet the security needs of the organization


Executive Governance and Support

• The entire RM program begins with a formal acknowledgement by the organization’s most senior governance group that RM is invaluable and critical to the organization’s long-term sustainability and viability
• After acknowledging this, the group formally commissions the development and eventual implementation of the RM project
• Prior to the actual design of the framework, the governance group must demonstrate its commitment to the RM effort by notifying the entire organization that:
  1. a major RM project is underway,
  2. the project is of the utmost importance to the strategic future of the organization, and
  3. the participation and cooperation of all aspects of the organization are mandated and are crucial to the project’s success

Executive Governance and Support (Continued)

• Additional tasks performed by the governance group during the framework design phase include:
  • Ensuring compliance with all legal and regulatory statutes and mandates
  • Guiding the development of, and formally approving, the RM policy
  • Recommending performance measures for the RM effort and ensuring that they are compatible with other performance measures in the organization
  • Assigning roles and responsibilities
  • Ensuring that the selected goals and objectives are appropriate and in alignment with the organization’s strategic goals and objectives
  • Providing needed resources


Legal and Regulatory Compliance

• It is the governance group’s responsibility to ensure that the RM process is in complete compliance with all applicable requirements
• This is commonly done by assigning a member of the organization’s legal team (when there is one) to the RM framework team, or by requiring that all work products from the team are reviewed and approved by the designated legal counsel


The RM Policy

• For RM program development and implementation, the project leader, in cooperation with the governance group, drafts a risk management policy
• While no two policies are identical, most RM policies include:
  • Purpose and scope
  • RM intent and objectives
  • Roles and responsibilities of subordinate groups
  • Resource requirements
  • Risk appetite and tolerances
  • RM program development guidelines
  • Special instructions and revision information
  • References to other key policies, plans, standards, and guidelines


Assigning Key Responsibilities

• As the organization moves forward with RM development efforts, key responsibilities have to be specified by the governance group:
  • Who will be the project manager of the RM framework team?
  • Who will be assigned to the framework team?
  • Who will be assigned to the process team?
  • Who will manage each of these teams?
• In most organizations, either the CIO, CISO, or their equivalent leads the RM effort
• In many instances, the CIO serves as the champion and the CISO as the project manager

Assigning Key Responsibilities (Continued)

• Like every other major organizational effort, all managers have a vested interest in the success of the RM process and should support it:
  • InfoSec management must lead the way with skill, professionalism, flexibility, and subject expertise because it works with the other communities of interest to coordinate the project so it reflects the need to balance the constant tradeoffs between the organization’s need to use information and its responsibility to protect it
  • IT management must appoint representatives who understand how IT supports the needs of the broader organization and how IT interacts with InfoSec with regard to the protection of information assets
  • General management must support the RM function by providing representatives who understand how the business areas of the organization use information, how InfoSec is critical to the effective use of that information, and how those areas are impacted by the RM project

Developing Priorities and Objectives and Providing Resources

• Once the members of the RM framework team have been identified, the governance group should communicate its intent, priorities, and desired outcomes for the overall RM program
• The project leader will then translate this intent into a set of goals and objectives for the RM effort
• Once a policy has been developed, or concurrently with development of that policy, the governance group must allocate the resources needed to support RM program development and implementation


Framework Design

• In this stage, the framework team begins designing the RM process by which the organization will understand its current levels of risk and determine what, if anything, it needs to do to bring that level down to an acceptable level in alignment with the risk appetite specified earlier in the process
• At this stage, the organization may select a methodology, or it may even decide to develop its own methodology
• The framework team must also formally document and define the organization’s risk appetite and draft the RM plan

Defining the Organization’s Risk Tolerance and Risk Appetite

• As the governance group communicates its intent to the RM framework development team, it also needs to communicate its general perspective on what level of risk is acceptable and what risk must be reduced or resolved in some fashion
• The amount of risk that remains after all current controls are implemented is residual risk
• The difficulty lies in the process of formalizing exactly what the organization “can live with,” which is its risk appetite


The Risk Management Plan

• The document that contains specifications for the implementation and conduct of the RM efforts is referred to as the risk management plan
• The RM plan includes not only the specifications of the RM process but also of the RM framework
• Whereas the RM policy focuses on the “who and why” of RM, the plan is focused on the “who and how”


Framework Implementation

• Once the framework team has finished designing the RM program (framework and process), it begins implementing the program
• The RM process provides general steps to follow in the conduct of risk evaluation and remediation and is designed to be intentionally vague so it can be adapted to any one of the methodologies available


Framework Implementation (Continued)

• The implementation of the RM plan, specifically including the RM process, could be based on a number of traditional IT implementation methods:
  • The organization may distribute the plan to all mid- to upper-level managers for a desk check prior to deployment
  • The organization could pilot test it in a small area to gauge initial issues and success prior to deployment across the entire organization
  • The organization may use a phased approach in which only a portion of the RM program is initially implemented, such as initial meetings with key managers or initial inventory of information assets
  • The bold organization may simply choose a direct cutover (also known as a cold turkey conversion) in which the new RM project is launched in totality across the entire organization


Framework Monitoring and Review

• After the initial implementation and as the RM effort proceeds, the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the utility and relative success of the framework planning function itself
• The framework itself only exists as a methodology to design and implement the process, so once the framework is documented in the RM plan, the success of the process becomes the greatest concern
• Once the RM process is implemented and operating, the framework team is primarily concerned with the monitoring and review of the overall RM process cycle


Continuous Improvement

• Continuous improvement is the process of implementing a formal program designed to continuously review and improve any type of organizational effort
• The difference between current outcomes and the ideal outcomes envisioned is commonly referred to as the gap; the assessment between the two is known as a gap analysis
• The performance measures implemented in the RM process provide the data used to assess the performance outcome of the overall RM effort

The Risk Management Process
Chapter 06: Risk Management: Assessing Risk


The Risk Management Process

• During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted
• The RM process uses the specific knowledge and perspective of the team to complete the following tasks:
  • Establishing the context
  • Identifying risk
  • Analyzing risk
  • Evaluating the risk
  • Treating the unacceptable risk
  • Summarizing the findings

RM Process Preparation—Establishing the Context

• The context in this phase is the understanding of the external and internal environments the RM team will be interacting with as it conducts the RM process
• It also means understanding the RM process as defined by the framework team and having the internal knowledge and expertise to implement it
• Finally, it means ensuring that all members of the RM process team understand the organization’s risk appetite statement and are able to use the risk appetite to translate that statement into the appropriate risk treatment when the time comes

Risk Assessment: Risk Identification

• The first operational phase of the RM process is the identification of risk, which begins with the process of self-examination
• At this stage, managers must:
  1. identify the organization’s information assets,
  2. classify them,
  3. categorize them into useful groups, and
  4. prioritize them by overall importance
• The RM process team has to initially confirm or define the categories and classifications to be used for the information assets, once identified

Identification of Information Assets

• The risk identification process begins with the identification and cataloging of information assets, including people, procedures, data, software, hardware, and networking elements
• In the most general sense, an information asset is any asset that collects, stores, processes, or transmits information, or any collection, set, or database of information that is of value to the organization


Identification of Information Assets (Continued)

• Some commercial RM applications simplify the decision by separating information assets from media, which in this context include hardware, integral operating systems, and utilities that collect, store, process, and transmit information, leaving only the data and applications designed to directly interface with the data as information assets for the purposes of RM
• By separating components that are much easier to replace (hardware and operating systems) from the information assets that are in some cases almost irreplaceable, the RM effort becomes much more straightforward

Identifying Hardware, Software, and Network Assets

• Many organizations use asset inventory systems to keep track of their hardware, network, and software components
• Whether automated or manual, the inventory process requires a certain amount of planning
• Determine which attributes of each of these information assets should be tracked, which will depend on the needs of the organization and its risk management efforts


Identifying Hardware, Software, and Network Assets (Continued)

• When deciding which attributes to track for each information asset, consider the following list of potential attributes:
  • Name
  • Asset tag
  • IP address
  • MAC address
  • Asset type
  • Serial number
  • Manufacturer name
  • Manufacturer’s model or part number
  • Software version, update revision, or FCO number
  • Physical location
  • Logical location
  • Controlling entity


Identifying People, Procedures, and Data Assets

• Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment
• As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software


Identifying People, Procedures, and Data Assets (Continued)

• People
  • Position name/number/ID
  • Supervisor name/number/ID
  • Security clearance level
  • Special skills
• Procedures
  • Description
  • Intended purpose
  • Software/hardware/networking elements to which it is tied
  • Location where procedure documents are stored for reference
  • Location where documents are stored for update purposes
• Data
  • Classification
  • Owner/creator/manager
  • Size of data structure
  • Data organization used
  • Online or offline
  • Physical location
  • Media access method
  • Backup procedures

Classifying and Categorizing Information Assets

• Once the initial inventory is assembled, determine whether its asset categories are meaningful to the RM program
• Inventory should also reflect sensitivity and security priority assigned to each information asset
• A data classification scheme should be developed that categorizes these information assets based on their sensitivity and security needs
• Each of these categories designates the level of protection needed for a particular information asset
• Classification categories must be comprehensive and mutually exclusive


Assessing Values in Information Assets

• As each information asset is identified, categorized, and classified, a relative value must be assigned
• Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
  • Which information asset is the most critical to the success of the organization?
  • Which information asset generates the most revenue?
  • Which information asset generates the highest profitability?
  • Which information asset is the most expensive to replace?
  • Which information asset is the most expensive to protect?
  • Which information asset’s loss or compromise would be the most embarrassing or cause the greatest liability?


Prioritizing (Rank Ordering) Information Assets

• The final step in the risk identification process is to
prioritize, or rank order, the assets
• This goal can be achieved by using a weighted table
analysis
• Such tables can be used as a method of valuing
information assets by ranking various assets based on
criteria specified by the organization
• This method may prove to be much more
straightforward than a raw estimation based on some
other more ambiguous assessment


Threat Assessment

• Armed with a properly classified inventory, you can
assess potential weaknesses in each information asset—
a process known as threat assessment
• Any organization typically faces a wide variety of threats;
if you assume that every threat can and will attack every
information asset, then the project scope becomes too
complex
• To make the process less unwieldy, each step in the
threat identification and vulnerability identification
processes is managed separately and then coordinated
at the end

Identifying Threats

• Each threat presents a unique challenge to information
security and must be handled with specific controls that
directly address the particular threat and the threat
agent’s attack strategy
• Before threats can be assessed in the risk identification
process, however, each threat must be further examined
to determine its potential to affect the targeted
information asset
• In general, this process is referred to as a threat
assessment


Assessing Threats

• The following questions can help in understanding the
various threats and their potential effects on an
information asset
• Which threats
• represent an actual danger to our organization’s information?
• are internal and which are external?
• have the highest probability of occurrence?
• have the highest probability of success?
• could result in the greatest loss if successful?
• is the organization least prepared to handle?
• cost the most to protect against?
• cost the most to recover from?

Prioritizing Threats

• Just as it did with information assets, the organization
should conduct a weighted table analysis with threats
• The organization should list the categories of threats it
faces, and then select categories that correspond to the
questions of interest
• In extreme cases, the organization may want to perform
such an assessment of each threat by asset, if the
severity of each threat is different depending on the
nature of the information asset under evaluation
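The weighted table analysis that the "Prioritizing (Rank Ordering) Information Assets" slide introduces and this slide reuses for threats is the same computation in both cases: each row is scored against the organization's criteria, each criterion carries a weight, and the weighted sum gives the row's rank. The example below is added here to show that computation in working code; it is not the textbook's or the publisher's code. The criteria names follow the questions on the "Assessing Values in Information Assets" and "Assessing Threats" slides, but the weights, the asset and threat names, and every score are constructed sample data, and the 0.0 to 1.0 score scale with weights summing to 1.0 is an assumption.

```python
"""Weighted table analysis for ranking information assets or threats.

Added example, not the textbook's code. Criteria, weights, asset and threat
names and all scores are constructed sample data; the slides leave the actual
criteria to the organization.
"""
from typing import Dict, List, Sequence, Tuple

# Each criterion carries a weight; the weights of one table must sum to 1.0.
# Scores are rated 0.0 (lowest) to 1.0 (highest) against each criterion.
ASSET_CRITERIA: Dict[str, float] = {
    "critical to success": 0.30,
    "revenue generated": 0.25,
    "cost to replace": 0.20,
    "cost to protect": 0.10,
    "liability if compromised": 0.15,
}
THREAT_CRITERIA: Dict[str, float] = {
    "probability of occurrence": 0.25,
    "probability of success": 0.20,
    "loss if successful": 0.25,
    "organization least prepared": 0.10,
    "cost to protect against": 0.10,
    "cost to recover from": 0.10,
}


def scores(criteria: Dict[str, float], values: Sequence[float]) -> Dict[str, float]:
    """Pair one row of scores with the criteria names, in table-column order."""
    if len(values) != len(criteria):
        raise ValueError(f"expected {len(criteria)} scores, got {len(values)}")
    return dict(zip(criteria, values))


# Constructed sample rows (one per asset / threat), columns in criteria order.
ASSETS = {
    "customer order database": scores(ASSET_CRITERIA, (1.0, 0.9, 0.8, 0.6, 1.0)),
    "public web server": scores(ASSET_CRITERIA, (0.7, 0.8, 0.4, 0.5, 0.4)),
    "HR personnel files": scores(ASSET_CRITERIA, (0.5, 0.1, 0.6, 0.3, 0.9)),
}
THREATS = {
    "malware": scores(THREAT_CRITERIA, (0.9, 0.6, 0.8, 0.4, 0.5, 0.6)),
    "human error": scores(THREAT_CRITERIA, (0.8, 0.7, 0.5, 0.6, 0.3, 0.4)),
    "hardware failure": scores(THREAT_CRITERIA, (0.5, 0.9, 0.6, 0.3, 0.4, 0.5)),
}


def validate_weights(weights: Dict[str, float]) -> None:
    """Weights must be non-negative and sum to 1.0, or the ranking is meaningless."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {sum(weights.values())}, expected 1.0")


def weighted_score(row: Dict[str, float], weights: Dict[str, float]) -> float:
    """Sum of weight x score over every criterion in the table."""
    validate_weights(weights)
    missing = set(weights) - set(row)
    if missing:
        raise KeyError(f"no score for criteria {sorted(missing)}")
    if any(not 0.0 <= row[c] <= 1.0 for c in weights):
        raise ValueError("scores must lie between 0.0 and 1.0")
    return round(sum(weights[c] * row[c] for c in weights), 4)


def rank(table: Dict[str, Dict[str, float]],
         weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank order the rows: highest weighted score first, name breaks ties."""
    ranked = [(name, weighted_score(row, weights)) for name, row in table.items()]
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


if __name__ == "__main__":
    for title, table, weights in (("Assets", ASSETS, ASSET_CRITERIA),
                                  ("Threats", THREATS, THREAT_CRITERIA)):
        print(title)
        for position, (name, score) in enumerate(rank(table, weights), 1):
            print(f"  {position}. {name:<25} {score:.3f}")
```

The weight check matters in practice: a table whose weights do not sum to 1.0 still produces numbers, but they can no longer be compared across tables or across iterations of the RM process, which defeats the repeatability the method is chosen for. Running the block ranks the sample assets as the order database, the web server, then the HR files, and the sample threats as malware, human error, then hardware failure.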


Vulnerability Assessment

• Once the organization has identified and prioritized both
its information assets and the threats facing those assets,
it can begin to compare information assets to threats
• This review leads to the creation of a list of
vulnerabilities that remain potential risks to the
organization
• Vulnerabilities are specific avenues that threat agents
can exploit to attack an information asset
• A list should be created for each information asset to
document its vulnerability to each possible or likely
attack

The TVA Worksheet

• At the end of the risk identification process, an
organization should have
• a prioritized list of assets and
• a prioritized list of threats facing those assets
• The prioritized lists of assets and threats can be
combined into a Threats-Vulnerabilities-Assets (TVA)
worksheet, in preparation for the addition of
vulnerability and control information during risk
assessment
• This provides a starting point for a risk assessment, along
with the other documents and forms
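The worksheet described above is a grid: assets in priority order down one axis, threats in priority order across the other, and each cell holding whatever vulnerabilities the vulnerability assessment recorded for that asset-threat pair. The example below is added here to build that grid in code and to label each asset-vulnerability-threat triple the way the later "Risk Determination" slides name them (A1V1T1 and so on); it is not the textbook's or the publisher's code. The asset and threat lists (already ranked) and the vulnerabilities in them are constructed sample data.

```python
"""Threats-Vulnerabilities-Assets (TVA) worksheet built from the two prioritized
lists. Added example, not the textbook's code; the assets, threats and
vulnerabilities are constructed sample data, already in priority order.
"""
from typing import Any, Dict, List, Tuple

# Priority order from the weighted table analysis (index 0 = highest priority).
ASSETS = ["customer order database", "public web server", "HR personnel files"]
THREATS = ["malware", "human error", "hardware failure"]

# Vulnerabilities recorded per (asset, threat) pair during vulnerability
# assessment. The mapping is sparse: a missing pair has nothing recorded yet.
VULNS: Dict[Tuple[str, str], List[str]] = {
    ("customer order database", "malware"): ["DBMS host missing vendor patches"],
    ("customer order database", "human error"): ["shared administrator password",
                                                 "schema changes applied without review"],
    ("public web server", "hardware failure"): ["single disk, no redundancy"],
}

Cell = Dict[str, Any]


def build_tva(assets: List[str], threats: List[str],
              vulns: Dict[Tuple[str, str], List[str]]) -> List[List[Cell]]:
    """Return the worksheet grid: rows in asset priority, columns in threat
    priority. Cell A{i}T{j} pairs the i-th asset with the j-th threat."""
    valid = {(a, t) for a in assets for t in threats}
    unknown = set(vulns) - valid
    if unknown:
        raise ValueError(f"vulnerabilities recorded for pairs not in the worksheet: {sorted(unknown)}")
    grid: List[List[Cell]] = []
    for i, asset in enumerate(assets, 1):
        row: List[Cell] = []
        for j, threat in enumerate(threats, 1):
            row.append({"cell": f"A{i}T{j}", "asset": asset, "threat": threat,
                        "vulnerabilities": list(vulns.get((asset, threat), []))})
        grid.append(row)
    return grid


def tva_triples(grid: List[List[Cell]]) -> List[Dict[str, str]]:
    """Number every recorded vulnerability in worksheet order (top-left first)
    and label each asset-vulnerability-threat triple A{i}V{k}T{j}, the naming
    the risk determination slides use."""
    triples: List[Dict[str, str]] = []
    k = 0
    for i, row in enumerate(grid, 1):
        for j, cell in enumerate(row, 1):
            for vuln in cell["vulnerabilities"]:
                k += 1
                triples.append({"label": f"A{i}V{k}T{j}", "asset": cell["asset"],
                                "vulnerability": vuln, "threat": cell["threat"]})
    return triples


def exposed_cells(grid: List[List[Cell]]) -> List[str]:
    """Cells holding at least one vulnerability: the asset's exposure to that threat."""
    return [cell["cell"] for row in grid for cell in row if cell["vulnerabilities"]]


def render(grid: List[List[Cell]]) -> str:
    """Plain-text worksheet: one row per asset, one column per threat, with the
    number of recorded vulnerabilities in each cell."""
    threats = [str(cell["threat"]) for cell in grid[0]]
    width = max(len(str(row[0]["asset"])) for row in grid) + 2
    lines = [" " * width + " | ".join(t.ljust(18) for t in threats)]
    for row in grid:
        cells = []
        for cell in row:
            n = len(cell["vulnerabilities"])
            cells.append(f"{cell['cell']}: {n} vuln".ljust(18))
        lines.append(str(row[0]["asset"]).ljust(width) + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    worksheet = build_tva(ASSETS, THREATS, VULNS)
    print(render(worksheet))
    for triple in tva_triples(worksheet):
        print(triple["label"], "-", triple["asset"], "/", triple["vulnerability"], "/", triple["threat"])
```

Because the rows and columns are both in priority order, the top-left cells are the pairings that deserve attention first; the triple labels give each vulnerability a stable key that the risk assessment step can carry its likelihood, impact and control information against.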
Risk Assessment: Risk Analysis
Chapter 06: Risk Management: Assessing Risk


Risk Assessment: Risk Analysis

• Assessing the relative risk for each vulnerability is
accomplished via a process called risk analysis
• Risk analysis assigns a risk rating or score to each specific
vulnerability
• While this number does not mean anything in absolute
terms, it enables you to gauge the relative risk associated
with each vulnerable information asset, and it facilitates
the creation of comparative ratings later in the risk
treatment process


Assessing Risk

• Estimating risk is not an exact science; thus some
practitioners use calculated values for risk estimation,
whereas others rely on broader methods of estimation
• The goal is to develop a repeatable method to evaluate
the relative risk of each of the vulnerabilities that have
been identified and added to the list


Mitigation of Applicable Controls

• If a vulnerability is fully managed by an existing control, it
can be set aside
• If it is partially controlled, estimate what percentage of
the vulnerability has been controlled


Determining the Likelihood of a Threat Event

• Likelihood is the overall rating—a numerical value on a
defined scale—of the probability that a specific
vulnerability will be exploited
• A simple method of assessing risk likelihood is to score
the event on a rating scale:


Assessing Potential Impact on Asset Value

• Once the probability of an attack by a threat has been evaluated,
the organization will typically look at the possible impact or
consequences of a successful attack
• The impact of an attack (most often as a loss in asset value) is of
great concern to the organization in determining where to focus
its protection efforts
• Most commonly, organizations will create multiple scenarios to
better understand the potential loss of a successful attack, using a
“worst case/most likely outcome” approach
• It is useful for organizations to retain this information, as it can
also be used during contingency planning


Aggregation

• If the RM process begins to overwhelm a small or medium-sized
business, the RM team can begin merging together or
aggregating groups of assets, threats, and their
associated risks into more general categories
• Aggregation is one tool to assist in the RM process;
others include using simpler methodologies (although
the method shown here is relatively simplistic) with
more qualitative approaches, or purchasing applications
that guide the organization through the entire process


Uncertainty

• It is not possible to know everything about every
vulnerability, such as the likelihood of an attack against
an asset or how great an impact a successful attack
would have on the organization
• The degree to which a current control can reduce risk is
also subject to estimation error
• Uncertainty is an estimate made by the manager using
judgment and experience


Risk Determination

• Once the likelihood and impact are known, the
organization can perform risk determination using a
formula that seeks to quantify certain risk elements
• In this formula, risk equals likelihood of threat event
(attack) occurrence multiplied by impact (or
consequence), plus or minus an element of uncertainty
• Most organizations simply accept the uncertainty factor
and go with a simpler formula: Likelihood × Impact


Risk Determination (Continued)

• Information asset 1 faced with threat 1 is at risk with general
vulnerability 1. The risk rating for A1V1T1 (or T1V1A1 if you prefer)
has been assigned a Likelihood value of 3 and an Impact value of
5. You estimate that assumptions and data are 90 percent accurate
(uncertainty of ± 10%). The resulting risk rating is 15 ± 1.5, so your
risk rating range is 13.5–16.5 on a 25-point scale
• Information asset 2 faced with threat 2 is at risk with general
vulnerabilities 2 and 3. The risk rating for A2V2T2 has a Likelihood
rating of 4 and an Impact rating of 4. The risk rating for A2V3T2
has a Likelihood rating of 3 and an Impact rating of 2. You estimate
that assumptions and data are 80 percent accurate. The resulting
risk rating for A2V2T2 is 16 ± 3.2 (range of 12.8–19.2). The risk
rating for A2V3T2 is 6 ± 1.2 (range of 4.8–7.2)
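The three ratings above follow one rule: the rating is likelihood times impact, and the uncertainty band is that rating times the share of the estimate believed to be inaccurate (90 percent accurate gives plus or minus 10 percent of the rating). The example below is added here to carry that arithmetic in code and to reproduce the slide's three results; it also applies the "Mitigation of Applicable Controls" rule, setting a fully controlled vulnerability aside and scaling a partially controlled one. It is not the textbook's or the publisher's code. The 1-to-5 scales (which give the 25-point scale the slide mentions) and the choice to apply a control percentage by scaling the rating are assumptions.

```python
"""Risk determination: risk = likelihood x impact, with an uncertainty band,
plus the set-aside / partially-controlled rule from the Mitigation of
Applicable Controls slide. Added example, not the textbook's code. The 1-5
scales and the way a control percentage is applied are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

SCALE_MAX = 5  # likelihood and impact each rated 1..5 -> rating on a 25-point scale


@dataclass(frozen=True)
class RiskRating:
    label: str          # TVA triple, e.g. "A1V1T1"
    rating: float       # likelihood x impact
    uncertainty: float  # plus/minus band derived from the estimated accuracy

    @property
    def low(self) -> float:
        return round(self.rating - self.uncertainty, 2)

    @property
    def high(self) -> float:
        return round(self.rating + self.uncertainty, 2)

    def __str__(self) -> str:
        return (f"{self.label}: {self.rating} +/- {self.uncertainty} "
                f"(range {self.low}-{self.high})")


def determine_risk(label: str, likelihood: int, impact: int, accuracy: float) -> RiskRating:
    """Rating = likelihood x impact; uncertainty = rating x (1 - accuracy), so
    data believed 90 percent accurate gives a +/-10 percent band."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be between 1 and {SCALE_MAX}, got {value}")
    if not 0.0 < accuracy <= 1.0:
        raise ValueError(f"accuracy must be a fraction in (0, 1], got {accuracy}")
    rating = likelihood * impact
    uncertainty = round(rating * (1.0 - accuracy), 2)
    return RiskRating(label, rating, uncertainty)


def residual_after_control(risk: RiskRating, percent_controlled: float) -> Optional[RiskRating]:
    """Apply an existing control. Fully controlled -> None (set the vulnerability
    aside); partially controlled -> scale rating and band by the uncontrolled
    share. Assumption: the slides leave this arithmetic to the organization."""
    if not 0.0 <= percent_controlled <= 100.0:
        raise ValueError("percent_controlled must be between 0 and 100")
    if percent_controlled == 100.0:
        return None
    share = 1.0 - percent_controlled / 100.0
    return RiskRating(risk.label, round(risk.rating * share, 2),
                      round(risk.uncertainty * share, 2))


if __name__ == "__main__":
    # The three ratings worked on the slide.
    for r in (determine_risk("A1V1T1", 3, 5, 0.9),
              determine_risk("A2V2T2", 4, 4, 0.8),
              determine_risk("A2V3T2", 3, 2, 0.8)):
        print(r)
    # A2V2T2 with a control estimated to handle half of the vulnerability.
    print(residual_after_control(determine_risk("A2V2T2", 4, 4, 0.8), 50))
```

Keeping the band alongside the point rating is what makes the "Uncertainty" slide actionable: two risks with the same point rating but different accuracy estimates are not equally well understood, and the range is what the evaluation step should compare against the organization's appetite.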

Risk Evaluation

• Once the risk ratings are calculated for all TVA triples, the
organization needs to decide whether it can live with the
analyzed level of risk—in other words, the organization
must determine its risk appetite
• This is the risk evaluation stage
• The organization must translate its risk appetite from the
general statement developed by the RM framework
team (and based on guidance from the governance
group) to a numerical value it can compare to each
analyzed risk
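Once the appetite is a number on the same scale as the ratings, risk evaluation is a comparison per TVA triple, and the triples that exceed the appetite are the input to risk treatment, which the "Evaluating Risk (Continued)" slide says should be taken up in priority order. The example below is added here to show that comparison and ordering; it is not the textbook's or the publisher's code. The three analysed risks are the ones worked on the "Risk Determination (Continued)" slide, the appetite value of 12 is a constructed assumption, and judging a risk by the top of its uncertainty range (the conservative setting) is a design choice, not something the slides prescribe.

```python
"""Risk evaluation: compare each analysed risk with the organization's numerical
risk appetite and order the ones that exceed it for treatment. Added example,
not the textbook's code. The appetite value and the rule of judging a risk by
the top of its uncertainty range are assumptions.
"""
from typing import List, NamedTuple, Tuple


class AnalysedRisk(NamedTuple):
    label: str          # TVA triple, e.g. "A1V1T1"
    rating: float       # likelihood x impact
    uncertainty: float  # plus/minus band


# Constructed sample: the three ratings worked on the Risk Determination slide.
ANALYSED = [
    AnalysedRisk("A1V1T1", 15, 1.5),
    AnalysedRisk("A2V2T2", 16, 3.2),
    AnalysedRisk("A2V3T2", 6, 1.2),
]

# Assumption: the governance group's appetite statement has been translated to
# 12 on the 25-point scale the ratings use.
RISK_APPETITE = 12.0


def worst_case(risk: AnalysedRisk) -> float:
    """Top of the uncertainty range."""
    return round(risk.rating + risk.uncertainty, 2)


def evaluate(risks: List[AnalysedRisk], appetite: float,
             conservative: bool = True) -> Tuple[List[AnalysedRisk], List[AnalysedRisk]]:
    """Split risks into (accepted, needs_treatment). Conservative: the whole
    uncertainty range must fit under the appetite; otherwise only the point
    rating is compared. Risks to treat come back highest exposure first."""
    if appetite < 0:
        raise ValueError("appetite must be non-negative")
    accepted: List[AnalysedRisk] = []
    to_treat: List[AnalysedRisk] = []
    for risk in risks:
        exposure = worst_case(risk) if conservative else risk.rating
        (to_treat if exposure > appetite else accepted).append(risk)
    to_treat.sort(key=lambda r: (-(worst_case(r) if conservative else r.rating), r.label))
    return accepted, to_treat


def treatment_queue(risks: List[AnalysedRisk], appetite: float) -> List[str]:
    """Labels in the order the risk treatment step should take them up."""
    return [r.label for r in evaluate(risks, appetite)[1]]


if __name__ == "__main__":
    accepted, to_treat = evaluate(ANALYSED, RISK_APPETITE)
    print("we can live with:", [r.label for r in accepted])
    print("treat, in order :", [r.label for r in to_treat])
```

The `conservative` switch shows why the appetite translation matters: with an appetite of 16, A1V1T1 (15 plus or minus 1.5) is accepted on its point rating but sent to treatment on its range, so the framework team's statement has to say which comparison the organization intends.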


Documenting the Results of Risk Assessment

• The efforts to compile risks into a comprehensive list
allow the organization to make informed choices from
the best available information
• It is also of value for future iterations of the process to
document the results in a reusable form


Evaluating Risk

• Once the risk has been identified and its relative severity against
the value of the information asset has been evaluated, the
organization must decide whether the current level of risk is
acceptable or something must be done
• If the RM process team completes its analysis and shares its
findings with the framework team and/or governance group, and
the executive decision makers state, “We can live with that,” then
the process moves on to the monitoring and review function,
where the organization keeps an eye on assets, threats, and
vulnerabilities for a trigger to restart the RM process anew.
• If the decision makers indicate that they are not comfortable with
the current level of risk, then the next stage of the RM process
proceeds: risk treatment

Evaluating Risk (Continued)

• Another factor that makes this process even more
challenging is that the solution for one information asset
may positively or negatively affect the level of risk in
other information assets
• The bottom line is that once the risk is known, it requires
extensive deliberation and understanding before the
“yea or nay” decision is made
• Another step performed during risk evaluation is the
prioritization of effort for the treatment of risk, which
occurs in the next step of the RM process


Risk Treatment/Risk Control

• Risk treatment, also known as risk control, is the process
of doing something about risk once the organization has
identified risk, assessed it, evaluated it, and then
determined that the current level of remaining risk—the
residual risk—is unacceptable
• A variety of options are open to organizations, including
removing the information asset from harm’s way,
modifying how it is currently protected, and passing the
responsibility for its protection or replacement to third
parties


Process Communications, Monitoring, and Review

• As the process team works through the various RM activities, it
needs to continually provide feedback to the framework team
about the relative success and challenges of its RM activities
• This feedback is used to improve not only the process, but the
framework as well
• It is critical that the process team have one or more individuals
designated to collect and provide this feedback as well as a formal
mechanism to submit it to the framework team
• These process communications facilitate the actions in the process
monitoring (for feedback) and review (for assessment)


Chapter Summary

• Risk management examines and documents an organization’s
information assets
• Management is responsible for identifying and controlling the
risks that an organization encounters. In the modern organization,
the InfoSec group often plays a leadership role in risk management
• A key component of a risk management strategy is the
identification, classification, and prioritization of the organization’s
information assets
• Assessment is the identification of assets, including all the
elements of an organization’s system: people, procedures, data,
software, hardware, and networking elements


Chapter Summary

• The human resources, documentation, and data information
assets of an organization are not as easily identified and
documented as tangible assets, such as hardware and software.
These more elusive assets should be identified and described
using knowledge, experience, and judgment
• You can use the answers to the following questions to develop
weighting criteria for information assets:
• Which information asset is the most critical to the success of the
organization?
• Which information asset generates the most revenue?
• Which information asset generates the highest profitability?
• Which information asset is the most expensive to replace?
• Which information asset is the most expensive to protect?
• Which information asset’s loss or compromise would be the most
embarrassing or cause the greatest liability?

Summary

• After identifying and performing a preliminary classification of
information assets, the threats facing an organization should be
examined. There are 12 general categories of threats to InfoSec
• Each threat must be examined during a threat assessment process
that addresses the following questions: Which of these threats
exist in this organization’s environment? Which are the most
dangerous to the organization’s information? Which require the
greatest expenditure for recovery? Which require the greatest
expenditure for protection?
• Each information asset is evaluated for each threat it faces; the
resulting information is used to create a list of the vulnerabilities
that pose risks to the organization. This process results in an
information asset and vulnerability list, which serves as the
starting point for risk assessment

Summary (Continued)

• A TVA worksheet lists the assets in priority order along one axis,
and the threats in priority order along the other axis. The resulting
grid provides a convenient method of examining the “exposure” of
assets, allowing a simple vulnerability assessment
• The goal of risk assessment is the assignment of a risk rating or
score that represents the relative risk for a specific vulnerability of
a specific information asset
• If any specific vulnerability is completely managed by an existing
control, it no longer needs to be considered for additional controls


Summary (Continued)

• The risk identification process should designate what function the
resulting reports serve, who is responsible for preparing them,
and who reviews them. The TVA worksheet and the ranked
vulnerability risk worksheet are the initial working documents for
the next step in the risk management process: assessing and
controlling risk
