Module 4

Risk Management

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 1
 Module Objectives

By the end of this module, you should be able to:

4.1 Define risk management and describe its importance
4.2 Explain the risk management framework and process model, including major
components
4.3 Define risk appetite and explain how it relates to residual risk
4.4 Describe how risk is identified and documented
4.5 Discuss how risk is assessed based on likelihood and impact
4.6 Describe various options for a risk treatment and risk control strategy
4.7 Discuss conceptual frameworks for evaluating risk controls and formulate a cost-
benefit analysis
4.8 Compare and contrast the dominant risk management methodologies
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
 Introduction to Risk Management

• The upper management of an organization is responsible for overseeing,

enabling, and supporting the structuring of IT and information security functions
to defend its information assets.
• Part of upper management’s information security governance requirement is the
establishment and support of an effective risk management (RM) program.
• To keep up with the competition, organizations must design and create safe
environments in which their business processes and procedures can function.
• These environments must maintain confidentiality and privacy and assure the
integrity of an organization’s data—objectives that are met by applying the
principles of risk management.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 3
 Sun Tzu and the Art of Risk Management

• If you know the enemy and know yourself, you need not fear the result of a
hundred battles. If you know yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the enemy nor yourself, you will
succumb in every battle. —Sun Tzu
• Know yourself:
• Know the enemy:

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 4
 The Risk Management Framework (1 of 4)

• Risk management involves discovering and understanding answers to some

key questions about the risk associated with an organization’s information
assets:
1. Where and what is the risk (risk identification)?
2. How severe is the current level of risk (risk analysis)?
3. Is the current level of risk acceptable (risk evaluation)?
4. What do I need to do to bring the risk to an acceptable level (risk
treatment)?

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 5
 The Risk Management Framework (2 of 4)

• Risk management: the process of identifying risk, assessing its relative

magnitude, and taking steps to reduce it to an acceptable level.
• Risk identification: the recognition, enumeration, and documentation of risks to
an organization’s information assets.
• Risk assessment: a determination of the extent to which an organization’s
information assets are exposed to risk.
• Risk treatment (risk control): the application of safeguards or controls that
reduce the risks to an organization’s information assets to an acceptable level.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 6
The Risk Management Framework and
Process

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 7
 The Risk Management Framework (4 of 4)

• The RM framework consists of five key stages:

1. Executive governance and support
2. Framework design
3. Framework implementation
4. Framework monitoring and review
5. Continuous improvement

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 8
 Defining the Organization’s Risk Tolerance
and Risk Appetite
• Risk appetite:
• Residual risk:
• Risk tolerance (risk threshold):

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 9
 The Risk Management Process

• The RM plan guides the implementation of the RM process, in which risk

evaluation and remediation is conducted.
• This process uses the following tasks:
− Establishing the context
− Identifying risk
− Analyzing risk
− Evaluating the risk and comparing uncontrolled risks against the risk appetite
− Treating the unacceptable risk
− Summarizing the findings
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 10
 RM Process Preparation—Establishing the
Context (1 of 2)
• As the RM process team convenes, it is initially briefed by representatives of the
framework team and possibly by the governance group.
• These groups seek to provide executive guidance for the work to be performed
by the RM process team, and to ensure that the team’s efforts are in alignment
with managerial intent, as documented in the RM policy.
• The context in this phase is the understanding of the external and internal
environments the RM team will be interacting with as it conducts the RM
process.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 11
 Risk Assessment: Risk Identification

• The first operational phase of the RM process is the identification of risk.

• At this stage, managers must:
1. Identify the organization’s information assets
2. Classify them
3. Categorize them into useful groups
4. Prioritize them by overall importance

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 12
 Organizational Assets
Used in Systems (1 of 2)
Information System Risk Management Components Example Risk Management Components
Components
People Internal personnel Trusted employees
External personnel Other staff members
People we trust outside our organization
Strangers
Procedures Procedures IT and business standard procedures
IT and business-sensitive procedures
Data Data/information Transmission
Processing
Storage

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 13
 Organizational Assets
Used in Systems (2 of 2)
Information System Risk Management Components Example Risk Management Components
Components
Software Software Applications
Operating systems
Utilities
Security components
Hardware Hardware Systems and peripherals
Security devices
Network-attached process control devices and
other embedded systems (Internet of Things)
Networking Networking Local area network components
Intranet components
Internet or extranet components
Cloud-based components

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 14
 Assessing the Value of Information Assets
• As each information asset is identified, categorized, and classified, a relative value
must be assigned to it to ensure that the most valuable information assets are given the
highest priority when managing risk.
• Which information asset:

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 15
 Prioritizing (Rank-Ordering) Information
Assets
• The final step in the risk identification process is to prioritize, or rank-order, the
assets.
• This goal can be achieved by using a weighted table analysis.
− List information assets
− Select criteria
− Specify criteria weights
− Assess each asset
− Calculate weighted averages
− Rank order by score
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 16
 Weighted Table Analysis of Information
Assets (1 of 2)
Criterion → Impact on Impact on Impact on
Revenue Profitability Reputation
# Criterion Weight → 0.3 0.4 0.3 TOTAL Importance (0-5; Not
Information Asset → (1.0) Applicable to
Critically Important)
1 Customer order via 5 5 5 5 Critically Important
SSL (inbound)
2 EDI Document Set 1− 5 5 3 4.4 Very Important
Logistics bill of lading
to outsourcer
(outbound)

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 17
 Weighted Table Analysis of Information
Assets (2 of 2)
Criterion → Impact on Impact on Impact on
Revenue Profitability Reputation
3 EDI Document Set 2- 4 5 4 4.4 Very Important
Supplier orders
(outbound)
4 Customer service 3 3 5 3.6 Very Important
request via e-mail
(inbound)

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 18
 Threat Assessment

• Realistic threats need investigation; unimportant threats are set aside.

• Weighted tables can assist in assessing threats.
• Threat assessment:

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 19
 Threats to Information Security
Threat Examples
Compromises to intellectual property Software piracy or other copyright infringement
Deviations in quality of service from service providers Fluctuations in power, data, and other services
Espionage or trespass Unauthorized access and/or data collection
Forces of nature Fire, flood, earthquake, lightning, etc.
Human error or failure Accidents, employee mistakes, failure to follow policy
Information extortion Blackmail threat of information disclosure
Sabotage or vandalism Damage to or destruction of systems or information
Software attacks Malware: viruses, worms, macros, denial of services,
or script injections
Technical hardware failures or errors Hardware equipment failure
Technical software failures or errors Bugs, code problems, loopholes, back doors
Technological obsolescence Antiquated or outdated technologies
Theft Illegal confiscation of equipment or information
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 20
 Vulnerability Assessment

• Specific avenues threat agents can exploit to attack an information asset are
called vulnerabilities.
• Examine how each threat could be perpetrated and list the organization’s assets
and vulnerabilities.
• The process works best when people with diverse backgrounds within an
organization work iteratively in a series of brainstorming sessions.
• At the end of the risk identification process, a prioritized list of assets with their
vulnerabilities is achieved.
− Can be combined with weighted list of threats to form threats-vulnerabilities-
assets (TVA) worksheet
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 21
 Vulnerability Assessment of a DMZ Router (1
of 2)
Threat Possible Vulnerabilities
Compromises to intellectual property Router has little intrinsic value, but other assets protected by this
device could be attacked if it is compromised.
Espionage or trespass Router has little intrinsic value, but other assets protected by this
device could be attacked if it is compromised.
Forces of nature All information assets in the organization are subject to forces of
nature unless suitable controls are provided.
Human error or failure Employees or contractors may cause an outage if configuration
errors are made.
Information extortion Router has little intrinsic value, but other assets protected by this
device could be attacked if it is compromised.
Quality-of-service deviations from service Unless suitable electrical power conditioning is provided, failure
providers is probable over time.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 22
 Vulnerability Assessment of a DMZ Router (2
of 2)
Threat Possible Vulnerabilities
Sabotage or vandalism IP is vulnerable to denial-of-service attacks.
Device may be subject to defacement or cache poisoning.
Software attacks IP is vulnerable to denial-of-service attacks.
Outsider IP fingerprinting activities can reveal sensitive
information unless suitable controls are implemented.
Technical hardware failures or errors Hardware could fail and cause an outage. Power system failures
are always possible.
Technical software failures or errors Vendor-supplied routing software could fail and cause an
outage.
Technological obsolescence If it is not reviewed and periodically updated, a device may fall
too far behind its vendor support model to be kept in service.
Theft Router has little intrinsic value, but other assets protected by this
device could be attacked if it is stolen.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 23
 The TVA Worksheet (1 of 2)

Asset 1 Asset 2 Asset 3 ... ... ... ... ... ... Asset n
Threat 1 T1V1A1 T1V1A2 T1V1A3 T1V1A4
T1V2A1 T1V2A2 ... ...
T1V3A1 ...
...
Threat 2 T2V1A1 T2V1A2 T2V1A3
T2V2A1 ... ...
...
Threat 3 T3V1A1 T3V1A2
... ...
Threat 4 T4V1A1
...

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 24
 The TVA Worksheet (2 of 2)

Asset 1 Asset 2 Asset 3 ... ... ... ... ... ... Asset n
Threat 5
Threat 6
...
...
Threat n
Legend: 1 2 3 4 5 6 7 8 ...
Priority of
effort

These bands of controls should be continued through all asset-threat pairs.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 25
 Risk Assessment: Risk Analysis

• Risk analysis assesses the relative risk for each vulnerability and assigns a risk
rating or score to each information asset.
• The goal is to develop a repeatable method to evaluate the relative risk of each
vulnerability that has been identified and added to the list.
• If a vulnerability is fully managed by an existing control, it can be set aside.
• If it is partially controlled, you can estimate what percentage of the vulnerability
has been controlled.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 26
NIST Generic Risk Model with Key Risk
Factors

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 27
 Determining the Likelihood of a Threat Event

• Likelihood is the overall rating—a numerical value on a defined scale—of the

probability that a specific vulnerability will be exploited or attacked, commonly referred
to as a threat event.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 28
 Risk Likelihood

Rank Description Percent Likelihood Example

0 Not Applicable 0% likely in the next 12 months Will never happen
1 Rare 5% likely in the next 12 months May happen once every 20 years
2 Unlikely 25% likely in the next 12 months May happen once every 10 years
3 Moderate 50% likely in the next 12 months May happen once every 5 years
4 Likely 75% likely in the next 12 months May happen once every year
5 Almost Certain 100% likely in the next 12 months May happen multiple times a year

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 29
 Assessing Potential Impact on Asset Value

• Once the probability of an attack by a threat has been evaluated, the organization
typically looks at the possible impact or consequences of a successful attack.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 30
 Risk Impact

Rank Description Example # of Productivity Financial Impact

Records Hours Lost
0 Not applicable No impact N/A N/A N/A
threat
1 Insignificant No interruption, no exposed data 0 0 0
2 Minor Multi-minute interruption, no 0 2 $20,000
exposed data
3 Moderate Multi-hour interruption, minor 499 4 $175,000
exposure of data
4 Major One-day interruption, exposure 5,000 8 $2,000,000
of data
5 Severe Multi-day interruption, major 50,000 24 $20,000,000
exposure of sensitive data

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 31
 Aggregation and Uncertainty

• If the RM process begins to overwhelm an organization, the RM team can begin

merging or aggregating groups of assets, threats, and their associated risks into
more general categories.
• It is not possible to know everything about every vulnerability, such as the
likelihood of an attack against an asset or how great an impact a successful
attack would have on the organization.
• The degree to which a current control can reduce risk is also subject to
estimation error.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 32
 Risk Determination

• Once the likelihood and impact are known, the organization can perform risk
determination using a formula that seeks to quantify certain risk elements.
• In this formula, risk equals likelihood of threat event (attack) occurrence
multiplied by impact (or consequence), plus or minus an element of uncertainty.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 33
Clearwater IRM Risk Rating Matrix

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 34
 Risk Rating Worksheet (1 of 3)

Asset Vulnerability Likelihood Impact Risk-Rating Factor

Customer service E-mail disruption 3 3 9
request via e-mail due to hardware
(inbound) failure
Customer service E-mail disruption 4 3 12
request via e-mail due to software
(inbound) failure
Customer order via Lost orders due to 2 5 10
SSL (inbound) Web server
hardware failure

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 35
 Risk Rating Worksheet (2 of 3)

Asset Vulnerability Likelihood Impact Risk-Rating Factor

Customer order via Lost orders due to 4 5 20
SSL (inbound) Web server or ISP
service failure
Customer service E-mail disruption 1 3 3
request via e-mail due to SMTP mail
(inbound) relay attack
Customer service E-mail disruption 2 3 6
request via e-mail due to ISP service
(inbound) failure

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 36
 Risk Rating Worksheet (3 of 3)

Asset Vulnerability Likelihood Impact Risk-Rating Factor

Customer service E-mail disruption 3 3 9
request via e-mail due to power failure
(inbound)
Customer order via Lost orders due to 1 5 5
SSL (inbound) Web server denial-
of-service attack
Customer order via Lost orders due to 2 5 10
SSL (inbound) Web server
software failure
Customer order via Lost orders due to 1 5 5
SSL (inbound) Web server buffer
overrun attack

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 37
 Risk Evaluation

• Once the risk ratings are calculated for all TVA triples, the organization needs to
decide whether it can live with the analyzed level of risk.
• If residual risk is greater than risk, look for treatment strategies to further reduce
the risk.
• If residual risk is less than risk appetite, document the results and proceed to
the latter stages of risk management.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 38
 Documenting the Results of Risk
Assessment
• The final summarized document is the ranked vulnerability risk worksheet.
• The worksheet describes asset, asset relative value, vulnerability, loss
frequency, and loss magnitude.
• The ranked vulnerability risk worksheet is the initial working document for the
next step in the risk management process

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 39
 Risk Assessment Deliverables

Deliverable Purpose
Information asset and classification Assembles information about information assets, their sensitivity
worksheet levels, and their value to the organization
Information asset value weighted table Rank-orders each information asset according to criteria developed
analysis by the organization
Threat severity weighted table analysis Rank-orders each threat to the organization's information assets
according to criteria developed by the organization
TVA controls worksheet Combines the output from the information asset identification and
prioritization with the threat identification and prioritization, identifies
potential vulnerabilities in the "triples," and incorporates extant and
planned controls
Risk ranking worksheet Assigns a risk-rating ranked value to each TVA triple, incorporating
likelihood, impact, and possibly a measure of uncertainty

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 40
 Risk Treatment/Risk Response (1 of 2)

• After the risk management (RM) process team has identified, analyzed, and
evaluated the level of risk currently inherent in its information assets (risk
assessment), it then must treat the risk that is deemed unacceptable when it
exceeds its risk appetite.
• This process is also known as risk response or risk control.
• As risk treatment begins, the organization has a list of information assets with
currently unacceptable levels of risk; the appropriate strategy must be selected
and then applied for each asset.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 41
 Risk Treatment/Risk Response (2 of 2)

• Once the project team for InfoSec development has identified the information
assets with unacceptable levels of risk, the team must choose one of four basic
strategies to treat the risks for those assets:
− Mitigation
− Transference
− Acceptance
− Termination

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 42
 Process Communications, Monitoring, and
Review
• As the process team works through the various RM activities, it needs to
continually provide feedback to the framework team about the relative success
and challenges of its RM activities, to improve not only the process but the
framework as well.
• Process communications involve requesting and providing information as
direct feedback about issues that arise in the implementation and operation of
each stage of the process.
• Process monitoring and review involves establishing and collecting formal
performance measures and assessment methods to determine the relative
success of the RM program.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 43
 Managing Risk

• The goal of InfoSec is to bring residual risk in line with an organization’s risk appetite,
not to bring risk to zero.
• Rules of thumb for selecting a strategy:

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 44
 Residual Risk

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 45
 Risk-Handling Action Points

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 46
 Risk Treatment Cycle

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 47
 Feasibility and Cost-Benefit Analysis

• Before implementing one of the control strategies for a specific vulnerability, the
organization must explore all consequences of vulnerability to information
assets.
• There are several ways to determine the advantages/disadvantages of a specific
control.
• Items that affect the cost of a control or safeguard include cost of development or
acquisition, training fees, implementation cost, service costs, and cost of
maintenance.
• Common sense dictates that an organization should not spend more to protect
an asset than it is worth; this decision-making process is called a cost-benefit
analysis (CBA) or an economic feasibility study.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 48
 Asset Valuation (1 of 2)

• Asset valuation involves estimating real/perceived costs associated with design,

development, installation, maintenance, protection, recovery, and defense
against loss/litigation.
• Process result is the estimate of potential loss per risk.
• Expected loss per risk stated in the following equation:
− Annualized loss expectancy (ALE) =
single loss expectancy (SLE) ×
annualized rate of occurrence (ARO)
− SLE = asset value × exposure factor (EF)
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 49
 Asset Valuation (2 of 2)

• CBA determines if an alternative being evaluated is worth the cost incurred to control
the vulnerability.

− The CBA is most easily calculated using the ALE from earlier assessments, before
implementation of the proposed control:

▪ CBA = ALE(prior) – ALE(post) – ACS

− ALE(prior) is the annualized loss expectancy of risk before implementation of the

control.

− ALE(post) is the estimated ALE based on control being in place for a period of time.

− ACS is the annualized cost of the safeguard.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 50
 Alternate Risk Management Methodologies

• The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was a
risk evaluation methodology promoted by Carnegie Mellon University’s Software Engineering
Institute (SEI), and it had three versions:
− The original OCTAVE Method, for large organizations
− OCTAVE-S, for smaller organizations of about 100 users
− OCTAVE-Allegro, a streamlined approach for InfoSec assessment and assurance
• Factor Analysis of Information Risk (FAIR), by Jack A. Jones, became CXOWARE, which built
FAIR into an analytical software suite called RiskCalibrator. FAIR was adopted by the Open
Group as an international standard for risk management and rebranded as Open FAIR™. Later,
CXOWARE became RiskLens, and the FAIR Institute was established.

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 51
 ISO and NIST RMF

• The International Organization for Standardization (ISO) has several standards related to
information security and two that specifically focus on risk management:
− ISO 27005 information technology — security techniques — information security risk
management
− ISO 31000 risk management – guidelines
• The National Institute of Standards and Technology (NIST) has modified its fundamental
approach to systems management and certification/accreditation to one that follows the industry
standard of effective risk management.
• Two key documents describe the RMF:
− SP 800-37, Rev. 2 Risk Management Framework for Information Systems and
Organizations
− SP 800-39 Managing Information Security Risk: Organization, Mission, and Information
System View
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 52
ISO 27005 Information Security Risk
Management Process

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 53
ISO 31000 Risk Management Principles,
Framework, and Process

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 54
NIST Organization-Wide Risk Management
Approach

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 55
 NIST RMF Framework

Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 56
 Selecting the Best RM Model

• For organizations that have no risk management process in place, a

recommended approach is to begin by studying the models presented earlier in
this module and identifying what each offers to the envisioned process.
• Other organizations may hire a consulting firm to provide or even develop a
proprietary model.
• When faced with the daunting task of building a risk management program from
scratch, it may be best to talk with other security professionals, perhaps through
professional security organizations like ISSA, to find out how others in the field
have approached this problem.
• No two organizations are identical, so what works well for one organization may
not work well for others.
Michael E. Whitman and Herbert J. Mattord, Principles of Information Security, 7th Edition. © 2022 Cengage. All Rights Reserved. May not be
scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 57