Wednesday, December 28, 2011

Risk Assessment

  • Risk analysis can be divided into two major types:

Quantitative Risk Analysis
Qualitative Risk Analysis

Quantitative Risk Analysis:
A Quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis. In quantitative risk analysis all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability are measured and assigned a numeric value. However, achieving a purely quantitative risk analysis is impossible.

Qualitative Risk Analysis:
A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis. In qualitative risk analysis, we develop real scenarios that describe a threat and potential losses to organizational assets. Unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis.

Risk Control is a safeguard or countermeasure that reduces risk associated with a specific threat. The absence of a safeguard against a threat creates vulnerability and increases the risk.

Risk control can be done through one of three general remedies:
RISK REDUCTION:
Mitigating risk by implementing the necessary security controls, policies, and procedures to protect an asset. This can be achieved by altering, reducing, or eliminating the threat and/or vulnerability associated with the risk.
RISK ASSIGNMENT:
To avoid the outcomes of risk, we can assign the potential loss associated with a risk to a third party, such as an insurance company.
RISK ACCEPTANCE:
It involves the acceptance of the loss associated with a potential risk.

https://resources.infosecinstitute.com/risk-management-concepts/#gref

  • Qualitative and Quantitative Risk Analysis

Risk Analysis is often conducted in two different ways – Qualitative and Quantitative. For a proper risk assessment of any project plan or project management system, it is vital to understand the basic defining difference between them.

Qualitative or Quantitative?

Risk analysis is conducted in two significant ways — qualitative and quantitative risk analysis. These two types of risk analysis can be conducted simultaneously, in a chosen order, or with a defined gap between them. Sometimes, business managers and project leaders are unable to differentiate between these two approaches. It is vital to understand the basic defining difference between them.


Understanding Qualitative Risk Analysis

The objective of conducting a qualitative risk analysis is to acquire safety against recognized risks and to increase the alertness of management, team members, and all personnel who are vulnerable to them.


Understanding Quantitative Risk Analysis

Quantitative risk analysis is more focused on the implementation of safety measures that have been established in order to protect against every defined risk.



http://www.brighthubpm.com/risk-management/33403-qualitative-and-quantitative-risk-analysis/

  • Information gathering techniques

Delphi technique – here a facilitator distributes a questionnaire to experts; responses are summarized (anonymously) and re-circulated among the experts for comments. This technique is used to achieve a consensus of experts and helps to receive unbiased data, ensuring that no one person will have undue influence on the outcome.


  • Calculating Expected Monetary Value (EMV)


Expected Monetary Value analysis (EMV)

    Quantitative risk analysis & modeling techniques- commonly used for event-oriented as well as project-oriented analysis:
Expected Monetary Value analysis (EMV) – A statistical concept that calculates the average outcome when the future includes scenarios that may or may not happen (generally: opportunities are positive values, risks are negative values). These are commonly used in a decision tree analysis.

    http://www.clarizen.com/community/clarizen-training-center/how-to-articles/advanced-practices/Risk-Management-Useful-Tools-and-Techniques-how-to.html

    Expected Monetary Value is a recommended tool and technique for Quantitative Risk Analysis in Project Risk Management.


Suppose you are leading a construction project. Weather, cost of construction material, and labor turmoil are key project risks found in most construction projects:

    Project Risks 1 - Weather: There is a 25% chance of excessive snow fall that’ll delay the construction for two weeks which will, in turn, cost the project $80,000.
    Project Risks 2 - Cost of Construction Material: There is a 10% probability of the price of construction material dropping, which will save the project $100,000.
Project Risks 3 - Labor Turmoil: There is a 5% probability of construction coming to a halt if the workers go on strike. The impact would lead to a loss of $150,000.

Though this example is from the construction industry, the theory is applicable to other industries, such as software development and manufacturing.


In this Expected Monetary Value example, we have two negative project risks (Weather and Labor Turmoil) and one positive project risk (Cost of Construction Material). The Expected Monetary Value for the project risks:

        Weather: 25/100 * (-$80,000) = - $ 20,000
        Cost of Construction Material: 10/100 * ($100,000) = $ 10,000
        Labor Turmoil: 5/100 * (-$150,000) = - $7,500


This means that if the:

        Weather negative project risk occurs, the project loses $20,000,
        Cost of Construction Material positive project risk occurs, the project gains $10,000, and
        Labor Turmoil negative project risk occurs, the project loses $7,500.

    The project’s Expected Monetary Value based on these project risks is:

    -($20,000) + ($10,000) – ($7,500) = - $17,500


Therefore, if all risks occur in the construction project, the project would lose $17,500. In this scenario, the project manager can add $17,500 to the budget to compensate for this. This is a simplistic Expected Monetary Value calculation example. Another technique for more complex Expected Monetary Value calculations is Decision Tree Analysis.

    http://www.brighthubpm.com/risk-management/48245-calculating-expected-monetary-value-emv/

    • Monte Carlo Technique

Modeling and Simulation – Done using the Monte Carlo Technique. In simulation, the project model is calculated many times (iterated), with the input values randomized from a probability distribution function, and a probability distribution of the results is built. Cost Risk Analysis uses the CBS or WBS. Schedule Risk Analysis uses the PDM.
    http://www.pmpnotes.com/pmp-notes/risk-management/



    • What is Monte Carlo simulation?
    Monte Carlo simulation (also known as the Monte Carlo Method) lets you see all the possible outcomes of your decisions and assess the impact of risk, allowing for better decision making under uncertainty. 

    Monte Carlo simulation is a computerized mathematical technique that allows people to account for risk in quantitative analysis and decision making. The technique is used by professionals in such widely disparate fields as finance, project management, energy, manufacturing, engineering, research and development, insurance, oil & gas, transportation, and the environment.
Monte Carlo simulation furnishes the decision-maker with a range of possible outcomes and the probabilities they will occur for any choice of action. It shows the extreme possibilities—the outcomes of going for broke and for the most conservative decision—along with all possible consequences for middle-of-the-road decisions.
    The technique was first used by scientists working on the atom bomb; it was named for Monte Carlo, the Monaco resort town renowned for its casinos.
    http://www.palisade.com/risk/monte_carlo_simulation.asp
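The EMV calculation above and the Monte Carlo technique described here, as an added example (not code from any of the cited sources): the three construction-project risks are evaluated analytically (project EMV of −$17,500) and then by simulation, which also shows the spread of outcomes that a single expected value hides. The risk list is constructed from the figures in the EMV example.

```python
import random
from statistics import mean

# Constructed from the three construction-project risks in the EMV example:
# (name, probability of occurring, monetary impact; negative = loss, positive = gain).
PROJECT_RISKS = [
    ("Weather", 0.25, -80_000),
    ("Cost of Construction Material", 0.10, 100_000),
    ("Labor Turmoil", 0.05, -150_000),
]


def emv_per_risk(risks):
    """Expected Monetary Value of each risk: probability x impact."""
    return {name: p * impact for name, p, impact in risks}


def project_emv(risks):
    """EMV of the whole project: the sum of the per-risk EMVs."""
    return sum(emv_per_risk(risks).values())


def simulate_project(risks, iterations=20_000, seed=1):
    """Monte Carlo: run the project model many times, each time deciding at
    random (one Bernoulli draw per risk) whether each risk occurs, and collect
    the total outcome of each run. Returns the outcomes sorted ascending."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    outcomes = []
    for _ in range(iterations):
        total = 0
        for _name, p, impact in risks:
            if rng.random() < p:
                total += impact
        outcomes.append(total)
    outcomes.sort()
    return outcomes


def summarize(outcomes):
    """Mean (should approach the analytic EMV), the extreme outcomes the
    simulation found, two percentiles and the probability of a net loss."""
    n = len(outcomes)
    return {
        "mean": mean(outcomes),
        "worst": outcomes[0],
        "best": outcomes[-1],
        "p10": outcomes[int(0.10 * n)],
        "p90": outcomes[int(0.90 * n)],
        "prob_any_loss": sum(1 for o in outcomes if o < 0) / n,
    }


if __name__ == "__main__":
    print("EMV per risk:", emv_per_risk(PROJECT_RISKS))
    print("Project EMV: ", project_emv(PROJECT_RISKS))
    print("Monte Carlo: ", summarize(simulate_project(PROJECT_RISKS)))
```

The simulated mean lands close to the EMV, while the worst run (snow plus strike, no price drop) loses $230,000, which is the figure a budget reserve based on EMV alone does not reveal.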
    • CRAMM
Based on the UK Government's preferred risk assessment methodology, CRAMM has been completely redeveloped by Siemens Enterprise Communications Limited to become a total information security toolkit.
    http://www.cramm.com


    • CRAMM (CCTA Risk Analysis and Management Method) is a risk management methodology, currently on its fifth version, CRAMM Version 5.0. 

CRAMM comprises three stages, each supported by objective questionnaires and guidelines. The first two stages identify and analyze the risks to the system. The third stage recommends how these risks should be managed.
    https://en.wikipedia.org/wiki/CRAMM



CRAMM is a risk analysis method developed by the British government organization CCTA (Central Communication and Telecommunication Agency), now renamed the Office of Government Commerce (OGC). A tool having the same name supports the method: CRAMM. The CRAMM method is rather difficult to use without the CRAMM tool. The first releases of CRAMM (method and tool) were based on best practices of British government organizations. At present CRAMM is the UK government’s preferred risk analysis method, but CRAMM is also used in many countries outside the UK. CRAMM is especially appropriate for large organizations, like government bodies and industry.

    https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_cramm.html


    • Cobra software tool enables security Risk Assessment to be undertaken by organizations themselves. It evaluates the relative importance of all threats and vulnerabilities, and generates appropriate solutions and recommendations. It will automatically link the risks identified with the potential implications for the business unit. Alternatively, a particular area or issue can be examined 'stand alone', without any impact association. COBRA comes equipped with four discrete knowledge bases that can be further customized using the Module Manager component. 

    https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-tools/t_cobra.html



    • What Are Some Common Risk Assessment/Management Methodologies and Tools? There are numerous risk assessment/management methodologies and tools. The following methodologies and tools were developed for managing risks in information systems. 


    • National Institute of Standards & Technology (NIST) Methodology
    • OCTAVE®
    • FRAP
    • COBRA
    • Risk Watch

    7.4 COBRA
    The Consultative, Objective and Bi-functional Risk Analysis (COBRA) process was originally created by C & A Systems Security Ltd. in 1991. It takes the approach that risk assessment is a business issue rather than a technical issue. It consists of tools that can be purchased and then utilized to perform self-assessments of risk, while drawing on the expert knowledge embedded in the tools. The primary knowledge bases are:
    https://www.sans.org/reading-room/whitepapers/auditing/introduction-information-system-risk-management-1204


    • EAR / Pilar
EAR / PILAR is the software that implements and expands the Magerit RA/RM Methodology. It is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve.
    http://rm-inv.enisa.europa.eu/methods_tools/t_EAR_Pilar.html

    • Magerit is an open methodology for Risk Analysis and Management, developed by the Spanish Ministry of Public Administrations, offered as a framework and guide to the Public Administration. Given its open nature it is also used outside the Administration.

    Magerit v2 has been structured into three books:

    Book I: Methodology. It describes the core steps and basic tasks to carry out a project for risk analysis and management; the formal description of the project; the application to the development of information systems and it provides a large number of practical clues, as well as the theoretical foundations, together with some other complementary information.
    Book II: Catalogue of elements. It provides standard elements and criteria for information systems and risk modeling: asset classes, valuation dimensions, valuation criteria, typical threats, and safeguards to be considered; it also describes the reports containing the findings and conclusions (value model, risk map, safeguard evaluation, risk status, deficiencies report and security plan), thus contributing to achieve uniformity.
    Book III: Practical techniques. It describes techniques frequently used to carry out risk analysis and management projects such as: tabular and algorithmic analysis; threat trees, cost-benefit analysis, dataflow diagrams, process charts, graphical techniques, project planning, working sessions (interviews, meetings, presentations), and Delphi analysis. The application of the methodology can be supported by the software PILAR / EAR, which exploits and increases its potentialities and effectiveness (PILAR is limited to the Spanish Public Administration. EAR is a commercial product).

    https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/rm-ra-methods/m_magerit.html
    • Ebios
Ebios is a software tool developed by the Central Information Systems Security Division (France) in order to support the Ebios method. The tool helps the user to produce all risk analysis and management steps according to the five-phase EBIOS method and allows all the study results to be recorded and the required summary documents to be produced. The Ebios tool is open source and free.
    http://rm-inv.enisa.europa.eu/methods_tools/t_ebios.html

    • Risk Assessment Methodologies
    OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
    FAIR (Factor Analysis of Information Risk)
    NIST RMF (National Institute of Standards and Technology’s Risk Management Framework)

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is a set of tools, techniques, and methods that are used in risk-based information security for strategic assessment and planning.

FAIR (Factor Analysis of Information Risk) is a framework for comprehending, examining and evaluating information risk.

    https://miguelbigueur.com/2015/08/02/risk-assessment-methodologies/#more-864


    • SP 800-30 Rev. 1

    Guide for Conducting Risk Assessments
    The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39.
    https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
    • The goal of risk management is to deliver optimal security at a reasonable cost.


    CIA Triad
    The risk is related to vulnerabilities, which threaten confidentiality (C), integrity (I), and availability (A) of the assets.
Confidentiality is about not disclosing sensitive information to other people.
    Integrity is about preserving the state of the system—we don’t want attackers to change our data
    We do want our systems to be up and running. Hence availability is considered.

    Quantitative analysis is about assigning monetary values to risk components.

    Let’s analyze the example of a hard drive failure to better understand how it works.
    Let’s first describe the threat, vulnerability, and risk.
        Threat—hard drive failure
        Vulnerability—backups done rarely
        Risk—loss of data

The asset is data. The value of the asset (AV) is assessed first—$100,000, for example.
    Let’s discuss the single loss expectancy (SLE).
    It contains information about the potential loss when a threat occurs (expressed in monetary values).
    It is calculated as follows:

    SLE = AV x EF
    where EF is an exposure factor
The exposure factor describes the loss that will happen to the asset as a result of the threat (expressed as a percentage value).
    SLE is $30,000 in our example when EF is estimated to be 0.3.

    The annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year.
ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows:
    ALE = SLE x ARO

ALE is $15,000 ($30,000 x 0.5) when ARO is estimated to be 0.5 (once in two years).


    Cost/Benefit Analysis
    Let’s continue the example from the previous section.
    Annualized loss expectancy (ALE) is $15,000.
    This means that the potential loss is $15,000 in one year when the data is lost as a result of the hard drive failure.

    A countermeasure can be used to reduce the potential loss.
    It happens when the management decides to reduce the risk.
This countermeasure should not cost more than $15,000 per year; otherwise it wouldn’t be logical from a business point of view (we don’t want to spend more money than we can potentially lose).


The annual value of the countermeasure to the company:
    COUNTERMEASURE_VALUE = ALE_PREVIOUS – ALE_NOW – COUNTERMEASURE_COST

    ALE_PREVIOUS: ALE before implementing the countermeasure
    ALE_NOW: ALE after implementing the countermeasure
COUNTERMEASURE_COST: the annualized cost of the countermeasure (please note that it’s not only the purchasing cost—maintenance cost is included).

    Risk Handling

    Risk can be handled in the following ways:
Risk reduction—the risk is reduced to an acceptable level (countermeasures implemented)
    Risk avoidance—stopping the activity, which leads to the risk
    Risk transference—the risk is transferred to the insurance company
    Risk acceptance—accepting the cost of potential loss (no countermeasures)


    Countermeasures
The types of countermeasures (also called controls) that are implemented in the case of risk reduction.

    There are three types of countermeasures:
    Administrative (e.g., security awareness training should not be forgotten, because people are the weakest point in the security chain)
    Technical (e.g., firewall)
    Physical (e.g., locks)


    https://resources.infosecinstitute.com/quantitative-risk-analysis/#gref


    • Red Hat Enterprise Linux 4

    Security Guide

    1.2. Security Controls
    Computer security is often divided into three distinct master categories, commonly referred to as controls:
    Physical
    Technical
    Administrative
These three broad categories define the main objectives of proper security implementation.

    1.2.1. Physical Controls
    Closed-circuit surveillance cameras
    Motion or thermal alarm systems
    Security guards
    Picture IDs
    Locked and dead-bolted steel doors
    Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)

    1.2.2. Technical Controls
    Encryption
    Smart cards
    Network authentication
    Access control lists (ACLs)
    File integrity auditing software

    1.2.3. Administrative Controls
    Training and awareness
    Disaster preparedness and recovery plans
    Personnel recruitment and separation strategies
    Personnel registration and accounting

    https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/s1-sgs-ov-controls.html


    • Detective Administrative Controls

    •  Security reviews and audits.
    •  Performance evaluations.
    •  Required vacations.
    •  Background investigations.
    •  Rotation of duties.

    Information security controls can be classified as physical, technical, or administrative. These are further divided into preventive and detective controls.
    http://www.blacksheepnetworks.com/security/info/misc/handbook/015-019.html

    • The annualized loss expectancy (ALE) is computed as the product of the asset value (AV) times the annualized rate of occurrence (ARO). The other formulas displayed here do not accurately reflect this calculation. 


    The annualized loss expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). It is mathematically expressed as:

        ALE = ARO × SLE

    Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000.

    The annualized loss expectancy is the product of the annual rate of occurrence (ARO) and the single loss expectancy. ALE = ARO * SLE

    For an annual rate of occurrence of one, the annualized loss expectancy is 1 * $25,000, or $25,000.

    For an ARO of three, the equation is: ALE = 3 * $25,000. Therefore: ALE = $75,000
    https://en.wikipedia.org/wiki/Annualized_loss_expectancy


The annualized loss expectancy for a website against the threat of attack is $82,000.

    After implementing a new web application firewall, the new annualized loss expectancy would be $20,000
    The web application firewall costs $55,000 per year to implement and maintain

    single loss expectancy × annualized rate of occurrence = ALE

The value of the web application firewall to the company:
    (ALE before the control is implemented) – (ALE after the control is implemented) – (annual cost of control) = value of control
    82,000 – 20,000 – 55,000 = 7,000

The web application firewall saves the company in loss expenses:
    82,000 – 20,000 = 62,000


    • A small office for a company is valued at $600,000

    It is estimated that fire would destroy 75 percent of the facility

What is the single loss expectancy (SLE) for the facility suffering from a fire?
    asset value ($600,000) × exposure factor (75%) = $450,000

    single loss expectancy (SLE)
    asset value × exposure factor (EF) = SLE
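A worked implementation of the SLE, ALE and countermeasure-value formulas from the quantitative analysis and cost/benefit sections above, run on this page's own figures (the hard-drive failure, the Wikipedia ALE example, the web application firewall and the office fire). This is added example code, not from any of the cited sources; the two alternative controls in the ranking are constructed to show the comparison logic.

```python
# Quantitative risk formulas: SLE = AV x EF, ALE = SLE x ARO, and
# countermeasure value = ALE_PREVIOUS - ALE_NOW - COUNTERMEASURE_COST.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction of the asset lost per incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO is incidents per year (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def countermeasure_value(ale_before, ale_after, annual_cost):
    """Net annual value of a control. annual_cost must be the annualized
    figure including maintenance, not only the purchase price."""
    return ale_before - ale_after - annual_cost


def evaluate_countermeasures(ale_before, candidates):
    """Rank candidate controls by net value. Each candidate is
    (name, ALE after the control, annualized cost). A control that costs
    more than the current ALE is flagged: spending more than the potential
    loss is not justified from a business point of view."""
    rows = []
    for name, ale_after, cost in candidates:
        value = countermeasure_value(ale_before, ale_after, cost)
        rows.append({
            "control": name,
            "loss_avoided": ale_before - ale_after,
            "annual_cost": cost,
            "net_value": value,
            "cost_exceeds_ale": cost > ale_before,
            "worthwhile": value > 0 and cost <= ale_before,
        })
    rows.sort(key=lambda r: r["net_value"], reverse=True)
    return rows


if __name__ == "__main__":
    # Hard-drive failure: data worth $100,000, 30% lost, once every two years.
    sle = single_loss_expectancy(100_000, 0.3)
    ale = annualized_loss_expectancy(sle, 0.5)
    print(f"hard drive: SLE=${sle:,.0f} ALE=${ale:,.0f}")

    # Office fire: $600,000 facility, 75% destroyed.
    print(f"fire: SLE=${single_loss_expectancy(600_000, 0.75):,.0f}")

    # Website attack: the WAF cuts ALE from $82,000 to $20,000 at $55,000/year.
    # The other two candidates are constructed, not from the page.
    for row in evaluate_countermeasures(82_000, [
        ("web application firewall", 20_000, 55_000),
        ("managed WAF service (constructed)", 30_000, 40_000),
        ("full site rewrite (constructed)", 5_000, 95_000),
    ]):
        print(row)
```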

    • FAILURE MODE & EFFECTS ANALYSIS (FMEA)

    failure modes and effects analysis (FMEA) is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service. It is a common process analysis tool.
    https://asq.org/quality-resources/fmea


    • FMEA — failure mode and effects analysis — is a tool for identifying potential problems and their impact.

    FMEA is a qualitative and systematic tool, usually created within a spreadsheet, to help practitioners anticipate what might go wrong with a product or process. In addition to identifying how a product or process might fail and the effects of that failure, FMEA also helps find the possible causes of failures and the likelihood of failures being detected before occurrence.

    https://www.isixsigma.com/tools-templates/fmea/fmea-quick-guide/


    • Information Risk Assessment Methodology 2 (IRAM2)

    The ISF’s Information Risk Assessment Methodology 2 (IRAM2) has been designed to help organisations better understand and manage their information risks. This new methodology provides risk practitioners with a complete end-to-end approach to performing business-focused information risk assessments.
    https://www.securityforum.org/tool/information-risk-assessment-methodology-iram2/


    • Open Source Security Testing Methodology Manual (OSSTMM)

    It has been primarily developed as a security auditing methodology assessing against regulatory and industry requirements. It is not meant to be used as a standalone methodology but rather to serve as a basis for developing one which is tailored towards the required regulations and frameworks.

    OSSTMM rules of engagement
    At the beginning of a pentesting project, OSSTMM recommends a set of activities in producing the documents covering the following:

    Project scope
    Confidentiality and non-disclosure assurance
    Emergency contact information
    Statement of work change process
    Test plan
    Test process
    Reporting standards

    OSSTMM channels
    OSSTMM test cases cover most of the 10 security domains identified by the International Information System Security Certification Consortium (ISC)². They are divided into five channels (alternatively called sections or security areas):

    Human security focuses on assessing personnel security awareness levels and the effectiveness of the security training in the organisation. 
    Physical security assesses access controls, security processes and physical locations such as buildings, perimeters and military bases.
    Wireless communications covers different forms of wireless which can be intercepted or disrupted, including Wi-Fi networks, RFID and so on.
Telecommunications covers the different communication channels in the organisation, including VoIP, PBX and voicemail.
    Data networks is the channel which focuses on computer and network security and describes the following activities:
    Network surveying
    Identification
    Access process
    Service identification
    Authentication
    Spoofing
    Phishing
    Resource abuse

OSSTMM uses the concept of modules, defining them as a set of processes or phases which are applicable for each channel.
    The four modules defined by OSSTMM are:
    Phase I: Regulatory
    Phase II: Definitions
    Phase III: Information phase
    Phase IV: Interactive controls test phase

    https://www.futurelearn.com/courses/ethical-hacking-an-introduction/1/steps/522778
    • Threat and Risk Assessment Working Guide

    This document entitled Threat and Risk Assessment Working Guide provides guidance to an individual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system.
    http://www.iwar.org.uk/comsec/resources/risks/itsg-04e.pdf

    • Information Security Policy Templates

    Is it a Policy, a Standard or a Guideline?

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.

    A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 8.1 workstation for placement on an external (DMZ) network. 

A guideline is typically a collection of system-specific or procedural-specific "suggestions" for best practice. They are not requirements to be met, but are strongly recommended.
    https://www.sans.org/security-resources/policies

    • Top 10 Questions for the Threat Agent Risk Assessment (TARA) methodology 


    What is the purpose of TARA?
    TARA is a method to distill the immense number of possible threats into a manageable picture of the most likely attacks to occur, based upon the objectives and methods of those who possess the capability and desire to do harm.

    Why should my organization incorporate TARA?
    TARA can help if your organization is challenged with building a practical, accurate, and comprehensive security risk analysis which scales and adapts to the changing risk landscape.

    What are the primary benefits of TARA?
    I have seen 3 primary areas of benefit.
    1. Greatly distilling the cloud of potential attacks, down to a manageable list of likely attacks
    2. Improving the quality of risk and control evaluations, to better understand the value of security investments
    3. Communicating risks and recommendations to management and non-security audiences

    Is TARA a tool, application, device, or checklist?
TARA is a way of analyzing risks (risk of loss) based upon the relationship between the attacker’s capability and desire to cause loss, the applicable vulnerabilities, controls, and the residual exposures. The method can be incorporated into risk analysis tools, applications, and processes.
    https://itpeernetwork.intel.com/top-10-questions-for-the-threat-agent-risk-assessment-tara-methodology/#gs.1k5alx




    • An asset is what we’re trying to protect.

    Asset – People, property, and information. 

    Threat – Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
    A threat is what we’re trying to protect against.

    Vulnerability – Weaknesses or gaps in a security program that can be exploited by threats to gain unauthorized access to an asset.
    A vulnerability is a weakness or gap in our protection efforts.

    Risk – The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.
    Risk is the intersection of assets, threats, and vulnerabilities.

    https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/

EBIOS Risk Manager (EBIOS RM) is the method for assessing and treating digital risks, published by the National Cybersecurity Agency of France (ANSSI) with the support of Club EBIOS. It provides a toolbox that can be adapted, the use of which varies according to the objective of the project. EBIOS Risk Manager is compatible with the reference standards in effect, in terms of risk management as well as in terms of cybersecurity.

    The EBIOS RM method can be used for several purposes:

        setting up or reinforcing a management process for digital risk within an organisation;
        assessing and treating the risks relating to a digital project, in particular with the aim of a security accreditation;
        defining the level of security to be achieved for a product or service according to its use cases and the risks to be countered, in the perspective of a certification or accreditation, for example.


    https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method/