Elements of Risk Analysis:
A vulnerability is a weakness, flaw or bug in a system that can be exploited to compromise or attack it. Threats are circumstances or agents with the potential to cause loss or damage to a system by taking advantage of existing vulnerabilities. Attacks target the key security services of confidentiality (encryption, privacy, anonymity/steganography), integrity (conventional and blind digital signatures, hashes, message authentication codes/MACs) and availability (backups, hot/cold sites, redundancy), known collectively as CIA (Confidentiality-Integrity-Availability). Attacks also target security objectives such as authentication (for example, through man-in-the-middle attacks and identity/address spoofing), identification, authorization, non-repudiation, and accountability/logging/auditing. Threats exploit vulnerabilities and can be accidental (unintentional human error) or malicious (for example, viruses and other malware). Controls (safeguards, countermeasures, protective elements, or security measures) are mechanisms or procedures for mitigating vulnerabilities along three lines: prevention, detection and recovery (and sometimes deterrence as well). It is essential to know the cost and scope of each control. Controls are themselves subject to vulnerability and threat analysis: an outdated antivirus program, for example, is a significant danger, whether the cause is user ignorance, negligence or malicious intent, or a vendor that does not allow manual updates and relies solely on automatic updates, for example from the cloud.
Two approaches can be identified when addressing risk analysis. (1) Quantitative analysis. This assigns real numbers to the cost of safeguards and to the potential damage. Here the Annual Loss Exposure (ALE, also called the annualized loss expectancy), the Return on Security Investment (ROSI) and the probability of an event occurring are defined. The numbers give an appearance of precision, but because the probability estimates behind them are hard to obtain, the approach can be imprecise and unreliable. The phases of this type of analysis are: (i) Identify and value assets. (ii) Determine vulnerabilities and their impact. (iii) Estimate the probability of exploitation. (iv) Calculate the ALE. (v) Summarize applicable controls and their costs. (vi) Project the annual savings from the controls. Risk exposure (or expected loss) is the product of the risk impact and the risk probability. For example, for the loss of a server, the risk impact is the cost of replacing the server, say €17,000, and the probability of loss is, say, 0.10 per year, giving a risk exposure of 17,000 x 0.10 = €1,700. The overall exposure measured per year is the ALE. In this type of analysis a cost-benefit analysis of the controls should be performed.
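As an added example (not code from the original article), the following Python script carries the quantitative steps above through a small risk register: per-risk exposure, the ALE of the register, the projected annual savings of each control, the value ratio of a control and its ROSI, and a selection of the controls that pay for themselves. The €17,000 server and the 0.10 probability are the article's figures; the two candidate controls, their annual costs and their effect on probability or impact are assumptions.

```python
"""Quantitative risk analysis: risk exposure, ALE and control cost-benefit.

Added example, not from the original article. The 17,000 EUR server and the
0.10 loss probability are the article's figures; the candidate controls, their
annual costs and their effect on probability or impact are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    impact_eur: float   # cost of a single loss event (here: replacing the server)
    probability: float  # expected occurrences per year

    def exposure(self) -> float:
        """Risk exposure (expected loss) = impact x probability, per year."""
        return self.impact_eur * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost_eur: float
    residual_probability: Optional[float] = None  # set when the control prevents the event
    residual_impact_eur: Optional[float] = None   # set when the control limits the damage


def residual_exposure(risk: Risk, control: Control) -> float:
    """Exposure after the control; terms the control does not change keep the original value."""
    p = risk.probability if control.residual_probability is None else control.residual_probability
    i = risk.impact_eur if control.residual_impact_eur is None else control.residual_impact_eur
    return p * i


def annual_savings(risk: Risk, control: Control) -> float:
    """Projected annual savings = exposure before - exposure after."""
    return risk.exposure() - residual_exposure(risk, control)


def control_value(risk: Risk, control: Control) -> float:
    """(exposure before - exposure after) / cost of the control.
    Above 1.0 the control removes more expected loss per year than it costs."""
    return annual_savings(risk, control) / control.annual_cost_eur


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (savings - cost) / cost."""
    return (annual_savings(risk, control) - control.annual_cost_eur) / control.annual_cost_eur


def ale(risks) -> float:
    """Annual loss exposure of the whole register: the sum of the per-risk exposures."""
    return sum(r.exposure() for r in risks)


def worthwhile_controls(risk: Risk, controls):
    """Keep only the controls with a positive ROSI, best value ratio first."""
    kept = [c for c in controls if rosi(risk, c) > 0]
    return sorted(kept, key=lambda c: control_value(risk, c), reverse=True)


# Constructed register: the server figures are the article's, the controls are assumptions.
SERVER_LOSS = Risk("file server", "hardware loss", impact_eur=17_000, probability=0.10)
CONTROLS = [
    # assumption: backups plus a spare cut the loss to 5,000 EUR but not its likelihood
    Control("off-site backup plus spare hardware", annual_cost_eur=500, residual_impact_eur=5_000),
    # assumption: a redundant pair cuts the likelihood of losing the service to 0.02
    Control("redundant server pair", annual_cost_eur=3_000, residual_probability=0.02),
]

if __name__ == "__main__":
    print(f"exposure before controls: EUR {SERVER_LOSS.exposure():,.0f}/year")
    for c in CONTROLS:
        print(f"{c.name}: savings EUR {annual_savings(SERVER_LOSS, c):,.0f}, "
              f"value ratio {control_value(SERVER_LOSS, c):.2f}, ROSI {rosi(SERVER_LOSS, c):+.0%}")
    print("adopt:", [c.name for c in worthwhile_controls(SERVER_LOSS, CONTROLS)])
```

With these assumptions the backup-and-spare control removes €1,200 of the €1,700 exposure for €500 a year (value ratio 2.4), while the redundant pair removes €1,360 but costs €3,000, so its ROSI is negative and it is dropped: a control that costs more than the exposure it removes fails the cost-benefit test regardless of how effective it is.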
Risk influences the evaluation of the value of a control. A useful measure is the ratio: (risk exposure before implementing the control) minus (risk exposure after implementing the control), divided by (the cost of the control).
(2) Qualitative analysis. This judges the organization's relative risk from threats. It is based on judgment, intuition and experience, and classifies the severity of threats according to the sensitivity of the assets. It is subjective and lacks the numerical data needed to justify a return on investment. The stages of qualitative risk analysis are: (i) Identify the scope and define the problem. (ii) Create a team, including experts knowledgeable about the subject, the managers in charge of implementation, and users. (iii) Identify threats, selecting from lists of known threats and brainstorming new ones by combining threats and vulnerabilities. (iv) Prioritize threats for each asset. Identify the probability of occurrence using a fixed threat rating, for example from low (value 1) to high (value 5), and assign a value to each threat; this approximates the risk probability of the quantitative approach. (v) Loss impact. For each threat, determine the loss impact on a fixed scale, for example from low (value 1) to high (value 5); this is used to prioritize the damage to assets due to the threat. (vi) Total impact or risk factor. This is the sum of the threat priority and the impact priority. For example, for theft, a threat priority of 2 and an impact priority of 3 give a risk factor of 5; for fire, a threat priority of 3 and an impact priority of 5 give a risk factor of 8; for flood, a threat priority of 2 and an impact priority of 5 give a risk factor of 7. (vii) Identify controls/safeguards. An initial set of potential controls is established and each control is associated with a threat, starting with the highest-priority risks. (viii) Perform cost-benefit analyses. This stage can iterate with stage (vi). (ix) Classify controls and evaluate safeguards. They are ordered by risk factor. For example, for the fire threat with risk factor 8, a possible safeguard is a fire suppression system costing €18,000; for the flood or hurricane threat with risk factor 7, a possible safeguard is a business continuity plan costing €87,000. (x) Communicate the results. This concludes with a written report, presented to all members of the organization in meetings tailored to their hierarchical level: the meeting with managers is not the same as the meeting with lower-level employees.
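An added example, not part of the original article: the risk-factor calculation and control ranking of the qualitative stages above in Python. The theft, fire and flood ratings and the two safeguards with their costs are the article's; the validation of ratings against the 1-to-5 scale, the low/medium/high severity bands and the theft safeguard are assumptions.

```python
"""Qualitative risk analysis: risk factor = threat priority + impact priority.

Added example, not from the original article. The theft/fire/flood ratings and
the fire and flood safeguards with their costs are the article's; the scale
check, the severity bands and the theft safeguard are assumptions.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # fixed rating scale: low (1) to high (5)


def check_rating(value: int, what: str) -> int:
    """Reject ratings outside the agreed scale so a typo cannot skew the ranking."""
    if isinstance(value, bool) or not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{what} rating {value!r} is outside the scale {SCALE_MIN}-{SCALE_MAX}")
    return value


def risk_factor(threat_priority: int, impact_priority: int) -> int:
    """Total impact (risk factor) is the sum of the two priorities, as in the article."""
    return check_rating(threat_priority, "threat") + check_rating(impact_priority, "impact")


def severity_band(factor: int) -> str:
    """Assumed bands over the 2..10 range; tune them to the organisation's risk appetite."""
    if factor >= 8:
        return "high"
    if factor >= 5:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    threat_priority: int
    impact_priority: int

    @property
    def factor(self) -> int:
        return risk_factor(self.threat_priority, self.impact_priority)


@dataclass(frozen=True)
class Safeguard:
    threat: str
    name: str
    cost_eur: float


# Constructed register: the three ratings are the article's worked values.
THREATS = [
    Threat("theft", "server room", threat_priority=2, impact_priority=3),
    Threat("fire", "server room", threat_priority=3, impact_priority=5),
    Threat("flood", "server room", threat_priority=2, impact_priority=5),
]

SAFEGUARDS = [
    Safeguard("fire", "fire suppression system", 18_000),
    Safeguard("flood", "business continuity plan", 87_000),
    Safeguard("theft", "access control and asset tagging", 4_000),  # assumption
]


def rank_threats(threats):
    """Stage (vi): highest risk factor first; ties broken by impact, then by name."""
    return sorted(threats, key=lambda t: (-t.factor, -t.impact_priority, t.name))


def prioritised_safeguards(threats, safeguards):
    """Stages (vii) and (ix): attach safeguards to threats and order them by risk factor.
    Returns (threat, factor, band, safeguard name or None, cost) rows; a threat with
    no safeguard yet is kept in the list so the gap is visible."""
    by_threat = {}
    for s in safeguards:
        by_threat.setdefault(s.threat, []).append(s)
    rows = []
    for t in rank_threats(threats):
        for s in by_threat.get(t.name) or [None]:
            rows.append((t.name, t.factor, severity_band(t.factor),
                         s.name if s else None, s.cost_eur if s else 0.0))
    return rows


if __name__ == "__main__":
    for name, factor, band, safeguard, cost in prioritised_safeguards(THREATS, SAFEGUARDS):
        print(f"{name:6} factor={factor:2} ({band:6}) -> {safeguard or 'no control yet'} EUR {cost:,.0f}")
```

The ordering reproduces the article's ranking (fire 8, flood 7, theft 5) and lists the fire suppression system before the business continuity plan, which is the order in which the cost-benefit work of stage (viii) should start.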

Final Considerations
Our research group has been working for over twenty years in the field of risk analysis at a global level in all types of organizations and scenarios where information and knowledge must be adequately protected, from embedded systems to large organizations with Web/Web 2.0 network deployments and virtualization and cloud infrastructures.
This article is part of the activities carried out within the LEFIS-APTICE project (funded by Socrates, European Commission).
Author:
Prof. Dr. Javier Areitio Bertolín – E.Mail:
Professor at the Faculty of Engineering.
Director of the Networks and Systems Research Group. University of Deusto.

