By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Summarize risk management processes and concepts. Topics: - risk acceptance - risk avoidance - risk transference - risk mitigation - risk register - risk matrix/risk heat map - risk assessment - risk awareness - risk appetite - qualitative risk assessment - quantitative risk assessment - single loss expectancy (SLE) - annualized loss expectancy (ALE) - annualized rate of occurrence (ARO) - business impact analysis (BIA) - recovery time objective (RTO) - recovery point objective (RPO) - mean time to repair (MTTR) - mean time between failures (MTBF) - single point of failure Risk Analysis Risk is the possibility of or exposure to loss or danger. Risk management is the process of identifying and reducing risk to a level that is acceptable and then implementing controls to maintain that level. Risk comes in various types. Risk can be internal, external, or multiparty. Banks provide a great example of multiparty risk: Because of the ripple effects, issues at banks have effects on other banks and financial systems. Risk analysis helps align security objectives with business objectives. This involves dealing with how to calculate risk and return on investment. Risk analysis identifies risks, estimates the effect of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk. Risk is a function of threats, vulnerabilities, and potential impact.
The level of risk is often assessed by using the following simple equation: Risk = Threat × Vulnerability × Impact
To determine the relative danger of an individual threat or to measure the relative value across multiple threats to better allocate resources designated for risk mitigation, it is necessary to map the resources, identify threats to each, and establish a metric for comparison. A business impact analysis (BIA) helps identify services and technology assets as well as provide a process by which the relative value of each identified asset can be determined if it fails one or more of the CIA (confidentiality, integrity, and availability) requirements. The failure to meet one or more of the CIA requirements is often a sliding scale, with increased severity as time passes. Recovery point objectives (RPOs) and recovery time objectives (RTOs) in incident handling, business continuity, and disaster recovery must be considered when calculating risk. Risk Register Risk assessment should not be a one-time event. As an organization evolves, change is inevitable. Risk management needs to be part of a continual framework from which risk can easily be communicated and continually adapted. A risk register, usually implemented as a specialized software program, cloud service, or master document, gives an organization a way to record information about identified risks. Risk registers often include enterprise- and IT-related risks. With threats and vulnerabilities identified, the organizations can then implement controls to manage the risk appropriately. (The next section discusses these techniques.) The risk register should contain specific details about the risks, especially any residual risks the organization faces as a result of controls or mitigation techniques employed.
Common contents of a risk register include the following: - Risk categorization groupings - Name and description of the risk - A measure of the risk through a risk score - The impact to the organization if the risk is realized - The likelihood of the risk being realized - Mitigating controls - Residual risk - Contingency plans that cover what happens if the risk is realized The risk register is a strategic component for an organization. The register also helps ensure that an organization’s risk tolerance and risk appetite are correctly aligned with the goals of the business. As a result, reporting from a risk register should be clear and understandable. The outputs should be available and visible across the business, including to management and senior executives responsible for strategy, budget, and operations. A risk register provides a single point of entry to record information about identified risks to the organization. An organization might have one risk register for information systems and another risk register for enterprise risks, but the two are increasingly being combined. Risk Response Techniques Risk management involves creating a risk register document that details all known risks and their related mitigation strategies. Creating the risk register involves mapping the enterprise’s expected services and data sets, as well as identifying vulnerabilities in both implementation and procedures for each. Risk cannot be eliminated outright in many cases, but mitigation strategies can be integrated with policies for risk awareness training ahead of an incident. Formal risk management deals with the alignment of four potential responses to each identified risk: - Avoidance: Risk avoidance seeks to eliminate the vulnerability that gives rise to a particular risk. This is the most effective solution, but it often is not possible due to organizational requirements. For example, eliminating email to avoid the risk of email-borne viruses is an effective solution but is not likely a realistic approach. - Transference: With risk transference, a risk or the effect of its exposure is transferred by moving to hosted providers that assume the responsibility for recovery and restoration. Alternatively, organizations can acquire insurance to cover the costs of equipment theft or data exposure. Insurance related to the consequences of online attacks is known as cybersecurity insurance. - Acceptance: With risk acceptance, an organization recognizes a risk, identifies it, and accepts that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. Risk acceptance must be a conscious choice that is documented, approved by senior administration, and regularly reviewed. - Mitigation/deterrence: Risk mitigation involves reducing the likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.
Bruce Schneier, a well-known cryptographer and security expert, was asked after the tragic events of 9/11 if it would be possible to prevent such events from happening again. “Sure,” he replied. “Simply ground all the aircraft.” Schneier gave an example of risk avoidance, albeit one he acknowledged as impractical in today’s society. Consider the simple example of an automobile and its associated risks. If you drive a car, you have likely considered those risks. The option to not drive deprives you of the many benefits the car provides that are strategic to your individual goals in life. As a result, you have come to appreciate mitigating controls such as seat belts and other safety features. You accept the residual risks and might even transfer some of the risk through a life insurance policy. Certainly, when it comes to the risks of the vehicle itself, insurance plays a vital role. Not carrying insurance even carries risk itself because insurance is often required by law. Examples abound of people who have even accepted that risk, making a conscious choice to drive without insurance. Finally, the choices you make related to risk often result in residual risk. Living in a high-crime neighborhood might spur someone to put bars on a home’s windows. That’s one problem seemingly mitigated. However, in case of a fire, the bars would render common egress points in the home no longer accessible. Remember that risk can be avoided, transferred, accepted, or mitigated. Be sure you understand the different examples of when each would apply. Threat Assessment Before discussing risk assessment, you must consider threat assessment. “Attacks, Threats, and Vulnerabilities” discusses and compares the different types of attacks, threats, and vulnerabilities. A threat can be thought of as the potential that a vulnerability will be identified and exploited. A threat vector is the method a threat uses to get to the target. Threat vectors, as discussed in Part I, include viruses, worms, botnets, malware, phishing attacks, and keyloggers. Analyzing threats can help an organization develop security policies and prioritize securing resources. Threat assessments are performed to determine the best approaches to securing the environment against a threat or class of threats. Threats might exist, but if an environment has no vulnerabilities, it faces little or no risk. Likewise, little or no risk affects environments that have vulnerability without threat. Consider the simple analogy of a hurricane. Few would argue that a hurricane represents a threat. However, consider a home on the coast in Florida and a home inland in the Midwest. The former is certainly vulnerable to a hurricane, whereas the latter is not. Probability is the likelihood that an event will occur. In assessing risk, it is important to estimate the probability or likelihood that a threat will occur. Assessing the likelihood of occurrence of some types of threats is easier than assessing other types. For example, you can use frequency data to estimate the probability of natural disasters. You might also be able to use the mean time to failure (MTTF) and mean time before repair (MTBF), both covered later in this guide, to estimate the probability of component problems. Determining the probability of attacks by human threat sources is difficult. Threat source likelihood is assessed using skill level, motive, opportunity, and size. Vulnerability likelihood is assessed using ease of discovery, ease of exploit, awareness, and intrusion detection. Threat source types can be classified into four areas: - Adversarial: Threats from individuals, groups, organizations, and nation-states that intend to do harm - Accidental: Actions by regular and privileged users that are not of malicious intent but that occur inadvertently - Structural: Equipment and software failures - Environmental: Natural and human-caused disasters, such as fires, floods, hurricanes, infrastructure failures, and unusual events The guide “Threat Actors, Vectors, and Intelligence Sources” covers these adversarial and accidental threat actors. It is particularly important to understand the difference and overlap between natural and human-caused disasters. Typically, a natural disaster such as a tornado is beyond an organization’s control. Most often those types of disasters are an act of nature. A fire, on the other hand, could be an act of nature, caused by a lightning storm, or it could be arson. Furthermore, consider the internal versus external components of a threat source. In fact, across all four of the categories just listed, the threat source can be either internal or external. The adversary might be an insider or an outsider looking to cause harm. Even accidental threats, which are typically internal, can be caused externally (by a customer, for example). Structural threats are commonly internal, but in today’s interconnected world, organizations depend on the systems of many partners and third parties that are external to the organization. Finally, even environmental threats such as a fire or flood can be caused by an insider or an outsider. Threat assessments must consider internal and external categories of threats. Either of these can apply to environmental and human-caused threats. Risk Assessment Recall that assessing risk is largely a function of threat, vulnerability, and impact. However, an important factor must be considered between the threat and the vulnerability: the likelihood that a threat will occur to exploit a vulnerability.
As a result, a risk assessment consists of the following five steps:
After performing a threat assessment and vulnerability assessment, you must consider the likelihood that the threats identified might actually occur. To most accurately gauge the probability of an event occurring, you need to use a combination of estimation and historical data. Most risk analyses use a fiscal year to set a time limit on probability and confine proposed expenditures, budget, and depreciation. A common categorization resulting from likelihood assessment might be based on a qualitative probability rated as high, medium, or low. Be sure to consider the motivation and capability of the threat source, the nature of the vulnerability, and the existence and effectiveness of current controls to mitigate the threat. Often the three values are translated into numeric equivalents for use in quantitative analytical processes: high (1.0), medium (0.5), and low (0.1). The next section further compares qualitative and quantitative measures. Responses must be coupled with the likelihood determined in the risk analysis. For example, the risk analysis might advocate putting corrective measures in place as soon as possible for all high-level threats. Medium-level threats might require an action plan for implementation as soon as is reasonable, and low-level threats might be dealt with as possible or might simply be accepted. By nature, risk always has the potential for negative impact. Given a particular likelihood of occurrence, organizations must next determine the magnitude of the impact. A simple measure of impact can range from very low to very high or from negligible impact to catastrophic impact. The size of the impact varies in terms of cost and impact on critical factors. Considering both the impact assessment and the risk assessment together helps you assess the probabilities and consequences of risk events if they are realized.
The table below provides a risk matrix that can help you understand the level of risk as either low, medium, or high for both likelihood and impact. When a risk matrix is color coded, it is referred to as a risk heat map.
Level of Risk Based on Likelihood and Impact
Based on the risk matrix, you can prioritize risks to establish an importance ranking from most critical to least critical. Ranking risks in terms of their criticality or importance is an important business function because it provides insight into where resources might be needed to prevent or mitigate high-probability risk events. A risk map or risk heat map is a visual tool for communicating specific risks an organization faces. A heat map helps an organization identify and prioritize risks by using the level of risk based on likelihood and impact data. Qualitative vs. Quantitative Measures The preceding discussions are largely qualitative because they do not attempt to assign dollar values to the risk analysis process. Quantitative measures give the clearest measure of relative risk and expected return on investment or risk reduction on investment. Not all risk can be measured quantitatively, though, so qualitative risk assessment strategies are needed. The culture of an organization greatly affects whether its risk assessments can be performed via quantitative (numeric) or qualitative (subjective/relative) measures. Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization. Uncertainty is also estimated, allowing for a relative projection of qualitative risk for each threat, based on position in a risk matrix/heat map that plots the probability (very low to very high) and impact (very low to very high). Numeric values can be assigned to each state (very low = 1, low = 2, moderate = 3, and so on) to perform a quasi-quantitative analysis, but because the categories are subjectively assigned, the result remains qualitative. Quantitative results are generally easier for senior management to understand, but intensive labor and time are required to gather all related measurements. Compared to quantitative measures, qualitative measures tend to be less precise, more subjective, and more difficult in assigning direct costs for measuring ROI/RROI (return on investment/rate of return on investment). Because a quantitative assessment is less subjective than a qualitative one, the process requires that a value be assigned to each of the various components. To perform a quantitative risk assessment, an estimation of potential losses is calculated. Next, the likelihood of some unwanted event is quantified, based on the threat analysis. Finally, depending on the potential loss and likelihood, the quantitative process arrives at the degree of risk. Each step relies on the concepts of single loss expectancy, annual rate of occurrence, and annual loss expectancy.
Remember the difference between quantitative (numeric) and qualitative (subjective/relative) measures. Quantitative (think quantity) measures are expressed numerically, whereas qualitative (think quality) measures are expressed as “good” or “bad.” Single Loss Expectancy Single loss expectancy (SLE) is the expected monetary loss every time a risk occurs. SLE equals asset value multiplied by the threat exposure factor, which is the percentage of the asset lost in a successful attack.
The formula looks like this: Asset value × Exposure factor = SLE
Consider an example of SLE using denial-of-service (DoS) attacks. Firewall logs indicate that the organization was hit hard one time per month by DoS attacks in each of the past 6 months. You can use this historical data to estimate that you likely will be hit 12 times per year. This information helps you calculate the SLE and the ALE. (The ALE is explained in greater detail shortly.) An asset is any resource that has value and must be protected. Determining an asset’s value can most mean determining the cost to replace the asset if it is lost. Simple property examples fit well here, but figuring asset value is not always so straightforward. Other considerations could be necessary, including the value of the asset to adversaries, the value of the asset to the organization’s mission, and the liability issues that would arise if the asset were compromised. The exposure factor is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, imagine that 25% of business would be lost if a DoS attack succeeded. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × 0.25). The possibility of certain threats is greater than that of others. Historical data presents the best method of estimating these possibilities. Annual Rate of Occurrence The annual rate of occurrence (ARO) is the estimated possibility of a specific threat taking place in a one-year time frame. The possible range of frequency values is from 0.0 (the threat is not expected to occur) to some number whose magnitude depends on the type and population of threat sources. When the probability that a DoS attack will occur is 50%, the ARO is 0.5. After you calculate the SLE, you can calculate the ALE, which gives you the probability of an event happening over a single year. Annual Loss Expectancy The annual loss expectancy (ALE) is the expected monetary loss that can be expected for an asset from risk over a one-year period. ALE equals SLE times ARO: SLE × ARO = ALE ALE can be used directly in a cost/benefit analysis. Going back to our earlier example, if the SLE is estimated at $25,000 and the ARO is 0.5, the ALE is $12,500 ($25,000 × 0.5 = $12,500). In this case, spending more than $12,500 to mitigate risk might not be prudent because the cost would outweigh the risk. Calculating risk includes the following formulas: SLE = Asset value × Exposure factor ALE = SLE × ARO Business Impact Analysis Business impact analysis (BIA) is the process of determining the potential impacts resulting from the interruption of time-sensitive or critical business processes. IT contingency planning for both disaster recovery and operational continuity relies on conducting a BIA as part of the overall plan to ensure continued operations and the capability to recover from disaster. Whereas a risk assessment focuses on the relative likelihood of potential threats to an organization, a BIA focuses on the relative impact of the loss of operational capability on critical business functions. Conducting a business impact analysis involves identifying critical business functions and the services and technologies required for them, along with determining the associated costs and the maximum acceptable outage period. For hardware-related outages, the assessment should also include the current age of existing solutions, along with standards for the expected average time between failures, based on vendor data or accepted industry standards. Planning strategies are intended to minimize this cost by arranging recovery actions to restore critical functions in the most effective manner based on cost, legal or statutory mandates, and calculations of the mean time to restore. Critical Functions A business impact analysis is a key component in ensuring continued operations. For that reason, it is a major part of a business continuity plan (BCP) or continuity of operations plan (COOP). The focus is ensuring the continued operation of key mission and business processes. U.S. government organizations commonly use the term mission-essential functions to refer to functions that need to be immediately functional at an alternate site until normal operations can be restored. Essential functions for any organization require resiliency. Organizations also must identify the dependent systems for both the functions and the process that are critical to the mission or business. Identification of Critical Systems A BCP must identify critical systems and components. If a disaster is widespread or targets an Internet service provider (ISP) or key routing hardware point, an organization’s continuity plan should detail options for alternate network access. This should include dedicated administrative connections that might be required for recovery. Continuity planning should include considerations for recovery in case existing hardware and facilities are rendered inaccessible or unrecoverable. It should also consider the hardware configuration details, network requirements, and utilities agreements for alternate sites. Single Points of Failure A single point of failure is a potential risk posed by a flaw in business continuity planning that allows one fault or malfunction to take down an entire system or enterprise. Single points of failure are avoided with redundancy and various fault-tolerant protocols. For example, single points of failure can be eliminated by using server clustering technology, redundant switches, and redundant network connections. Naturally, systems that support critical missions or business processes should not be subject to single points of failure. High availability describes the process for ensuring system redundancy and proper failover. Maintaining such systems requires more resources and is more expensive. As a result, high availability is ideal for mission-critical systems that cannot be unavailable. Ensuring the continued operation of critical functions, or mission-essential functions, is a major component of the risk management process. This task starts with identifying and understanding systems that are directly relevant to the mission or goals of the organization. Such systems should be designed for high availability and should not be subject to single points of failure. Recovery Objectives Recovery point objective (RPO) and recovery time objective (RTO) are crucial in risk mitigation planning. RPO, which specifically refers to data backup capabilities, is the amount of time that can elapse during a disruption before the quantity of data lost during that period exceeds business continuity planning’s maximum allowable threshold. Simply put, RPO specifies the allowable data loss. It determines up to what point in time data recovery can happen before business is disrupted. For example, if an organization does a backup at 10:00 p.m. every day and an incident happens at 7:00 p.m. the following day, everything that changed since the last backup would be lost. The RPO in this context is the backup from the previous day. If the organization set the threshold at 24 hours, the RPO would be within the threshold because it is less than 24 hours. The RTO is the amount of time within which a process must be restored after a disaster to meet business continuity requirements. The RTO is how long the organization can go without a specific application; it defines how much time is needed to recover after a notification of process disruption. Be certain that you understand the distinction between RPO and RTO. RPO designates the amount of data that will be lost or will have to be re-entered because of network downtime. RTO designates the amount of time that can pass before the disruption begins to seriously impede normal business operations. MTTF, MTBF, and MTTR When systems fail, one of the first questions asked is “How long will it take to get things back up?” It is better to know the answer to such a question before disaster strikes than try to find the answer afterward. Fortunately, established mechanisms can help you determine this answer. Understanding these mechanisms is a big part of the overall analysis of business impact. Mean time to failure (MTTF) is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. MTTF metrics supplied by vendors about their products or components might not have been collected by running one unit continuously until failure. Instead, MTTF data is often collected by running many units for a specific number of hours and then is calculated as an average based on when the components fail. MTTF is one of many ways to evaluate the reliability of hardware or other technology and is extremely important when evaluating mission-critical systems hardware. Knowing the general reliability of hardware is vital, especially when it is part of a larger system. MTTF is used for nonrepairable products. When MTTF is used as a measure, repair is not an option. Mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. MTBF is intended to measure only the time a component is available and operating. MTBF is similar to MTTF, but it is important to understand the difference. MTBF is used for products that can be repaired and returned to use. MTTF is used for nonrepairable products. MTBF is calculated as a ratio of the cumulative operating time to the number of failures for that item. MTBF ratings can be predicted based on product experience or data supplied by the manufacturer. MTBF ratings are measured in hours and are often used to determine the durability of hard drives and printers. For example, typical hard drives for personal computers have MTBF ratings of about 500,000 hours. These risk calculations help determine the life spans and failure rates of components. These calculations help an organization measure the reliability of a product. One final calculation assists with understanding approximately how long a repair will take on a component that can be repaired. The mean time to repair (MTTR; also called mean time to recovery) is the average time required to fix a failed component or device and return it to production status. MTTR is corrective maintenance. The calculation includes preparation time, active maintenance time, and delay time. Because of the uncertainty of these factors, MTTR is often difficult to calculate. In order to reduce the MTTR, some systems have redundancy built in so that when one subsystem fails, another takes its place and keeps the whole system running. Mean time between failures (MTBF) is the average time before a product requires repair. Mean time to repair (MTTR) is the average time required to fix a failed component or device and return it to production status. On the other hand, mean time to failure (MTTF) is the average time before a product fails and cannot be repaired. MTBF and MTTR consider a component that can be repaired, whereas MTTF considers a component that cannot be repaired. Impact As the name suggests, a businesses impact analysis (BIA) requires careful examination of the potential business impact. The loss of a business process or function is likely to result in some sort of impact, which is measured as part of a BIA to understand the severity. This can simply include an impact rating of low, medium, or high. A more complex analysis considers the different types of impacts that result from the loss of a functional business process. Consider, for example, the importance of availability to an e-commerce site. The most obvious consequence is the loss of sales and income if web servers are not available. You likely can imagine other potential consequences. When measuring impact, an organization should consider potential consequences across a broad set of categories, including the following: - Facilities and physical property - Intellectual property - Finance The preceding example of the loss of web servers for an e-commerce site clearly shows a potentially severe impact on finance. In addition, the company’s reputation would be impacted. The loss of web servers might not impact personal life and safety, but the loss of emergency management systems might. Subsequently, the loss of fire suppression systems could certainly have a significant impact on facilities and physical property. These factors together could further impact an organization financially. Further assessing impact requires drilling down into the specifics and other calculations. How long can the web servers be down? How much money will be lost per hour? How long can the business remain viable as a result? If an entire facility is destroyed, do alternative sites exist from which to do business? Understanding the impact of an adverse event is a key component of risk management. Impact should consider life, property, safety, finance, and reputation. Quiz questions: 1. Which of the following is the monetary loss that can be expected for an asset from risk over a year? A. ALE B. SLE C. ARO D. BIA 2. Your manager needs to know, for budgetary purposes, the average life span for each of the firewall appliances. Which of the following should you provide? A. MTBF B. RPO C. RTO D. MTTF 3. An organization is increasingly subject to compliance regulations and is making strong efforts to comply with them but is still concerned about issues that might occur. Management decides to buy insurance to help cover the costs of a potential breach. Which of the following risk response techniques is the organization using? A. Avoidance B. Transference C. Acceptance D. Mitigation 4. Which of the following equations best represents the proper assessment of exposure to danger? A. Risk = Threat × Vulnerability × Impact B. Impact = Risk × Threat × Vulnerability C. Vulnerability = Threat × Risk × Impact D. Threat = Risk × Impact × Vulnerability Answer 1: A. The annual loss expectancy (ALE) is the expected monetary loss that can be expected for an asset from risk over a one-year period. It is calculated by multiplying the single loss expectancy by the annual rate of occurrence (SLE × ARO). Therefore, answers B and C are incorrect. Answer D is incorrect because this is a business impact analysis, which is the process for determining potential impacts resulting from the interruption of business processes. Answer 2: D. The mean time to failure is the length of time a device or product is expected to last in operation. It represents how long a product can reasonably be expected to perform, based on specific testing. Answer A is incorrect because the mean time between failures (MTBF) is the average amount of time that passes between hardware component failures, excluding time spent repairing components or waiting for repairs. Answers B and C are incorrect because RPO and RTO are used for risk-mitigation planning. The recovery point objective (RPO) specifies the allowable data loss. The recovery time objective (RTO) is the amount of time within which a process must be restored after a disaster to meet business continuity requirements. Answer 3: B. Insurance is a classic example of transferring risk. Answers A, C, and D are incorrect because although these are all methods of transferring risk, none of them transfers the risk from one organization to another. Answer 4: A. Risk is a function of threats, vulnerabilities, and potential impact. Assessing the level of risk is often portrayed through the simple equation Risk = Threat × Vulnerability × Impact. Answers B, C, and D are incorrect because threat, vulnerability, and impact are considered together to provide an appropriate measure of risk.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.