Executive Summary
Risk assessment is one of the most essential activities performed in the information security arena. The many benefits of using Security Event Management (SEM) tools are becoming widely recognized, but the value of these tools in facilitating risk assessments is too often overlooked. Despite the many different risk assessment methodologies that currently exist, risk assessment in the most fundamental sense boils down to measuring the value of computing assets and the threats against them. SEM tools help in pinpointing real threats, providing more accurate and complete information than otherwise might be available, yielding objective probability data, helping produce a more complete view of risk, and helping check the validity of asset evaluation. The key is providing objective data—without objective data, risk assessments lack validity.
Introduction
In information security, risk assessment is often defined as the process of analyzing threats against, and vulnerabilities in, a computing system, network and/or application, together with the potential negative impact that a compromise of the information or capabilities of that system, network and/or application would cause. Of all the activities in which information security professionals engage, risk assessment is one of the most fundamental, if not the most fundamental, of them. Consider, for example, the following statement from the Computer Information Security Manager Certification Examination Preparation Manual:
The foundation for effective risk management is a comprehensive risk assessment... Failing to understand the nature and extent of risks to information resources and the potential impacts on the organization’s activities, it will not be possible to devise a relevant risk management program.
Additionally, risk assessment results are usually used in selecting and implementing suitable and cost-justifiable security control measures. Without the results of accurate risk assessments, inappropriate control measures are likely to be chosen and implemented, resulting in a waste of resources as well as unacceptably high levels of risk.
Although understanding the basic notion of risk assessment and its goals is not difficult, determining how to approach conducting risk assessments is a different matter. Many different risk assessment methodologies have been created, and choosing among them is a potentially daunting task. At the highest level of abstraction, these methodologies are either quantitative or qualitative in nature. Quantitative methodologies produce metrics such as expected monetary loss over a period of time; qualitative methodologies yield results such as a rating of high, medium, or low risk for each computing asset. At a much lower level of abstraction, methodologies differ in the specific steps and/or procedures they prescribe. Carnegie-Mellon University’s Software Engineering Institute (SEI), for example, advocates a risk assessment methodology, Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), that is substantially different from the International Security Forum’s (ISF’s) Simple to Apply Risk Analysis (SARA). To say that no single widely accepted risk assessment methodology exists today is a major understatement.
Methodologies vary, but most of them have at least some elements in common. In most, for example, the first step in performing a risk assessment is almost always asset valuation, i.e., assessing the value of information and computing assets. If the value of an asset is low, risk cannot be very great, because risk should, at least at some rudimentary level, be viewed as the product of asset value and the probability of a security breach that adversely affects the asset, summed over all assets. If, on the other hand, the value of an asset is high, risk is potentially much higher. The greater the value of an asset and the greater the probability of a security breach that negatively impacts that asset, the greater the risk. Additionally, most methodologies consider existing threats against assets. If an asset is extremely valuable but is isolated from all networks, there are fewer threats than if that asset is fully network-connected. In the former case, remote attackers are not a threat; the opposite is true in the latter case.
Measuring Security-Related Risk
Although most risk assessments are conducted according to a prescribed methodology, subjectivity during the process of conducting them is currently one of the major drawbacks. Risk assessment teams too often produce completely subjective estimates of both the value of assets and the probability that they will experience security breaches. Although a few individuals have over the years developed considerable savvy in estimating risk, for the most part subjective risk assessments are of limited value, especially when the cost-to-benefit ratio of these assessments is considered. At least some degree of subjectivity in risk assessment will, unfortunately, invariably be part of the process; nevertheless, subjectivity can at least to some degree be minimized. Technical methods, including the use of special software, can be deployed to identify, quantify and document risk more precisely than if risk is assessed on a purely subjective basis.
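As an added illustration (not code from the paper or from any SEM product), the following Python puts the paper's definition of risk into practice: the breach probability of each asset is estimated from constructed SEM compromise records rather than guessed, multiplied by an assumed asset value, and summed over all assets; the high/medium/low thresholds and the Poisson model are assumptions.

```python
import math

# Constructed SEM-style records (asset, event type) collected over one year.
# Only "compromise" events are security breaches that affect the asset.
SEM_EVENTS = [
    ("payroll-db", "compromise"), ("payroll-db", "probe"),
    ("web-front", "compromise"), ("web-front", "compromise"),
    ("web-front", "probe"), ("lab-standalone", "probe"),
]

# Assumed asset valuations in dollars: the subjective input that most
# methodologies start with. "lab-standalone" is valuable but isolated.
ASSET_VALUES = {"payroll-db": 500_000, "web-front": 50_000,
                "lab-standalone": 900_000}


def breach_probability(events, asset, period_years=1.0):
    """Objective probability of at least one breach per year, estimated
    from the compromises SEM recorded for the asset (assumed Poisson model).
    Zero observed compromises gives 0.0; any floor applied there is where
    residual judgment re-enters the assessment."""
    n = sum(1 for a, kind in events if a == asset and kind == "compromise")
    rate = n / period_years
    return 1.0 - math.exp(-rate)


def expected_loss(events, asset, period_years=1.0):
    """Quantitative result: asset value x breach probability, per year."""
    return ASSET_VALUES[asset] * breach_probability(events, asset, period_years)


def qualitative_rating(loss):
    """Qualitative result on the same data; thresholds are assumed."""
    if loss >= 100_000:
        return "high"
    if loss >= 10_000:
        return "medium"
    return "low"


def total_risk(events, period_years=1.0):
    """Risk summed over all assets, as the paper frames it."""
    return sum(expected_loss(events, a, period_years) for a in ASSET_VALUES)


def risk_report(events, period_years=1.0):
    """Per-asset (expected loss, rating); the isolated asset ranks low despite
    its high value because SEM recorded no breaches against it."""
    return {a: (round(expected_loss(events, a, period_years)),
                qualitative_rating(expected_loss(events, a, period_years)))
            for a in ASSET_VALUES}
```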
By E. Eugene Schultz, Ph.D., CISSP, CISM, High Tower Software, Inc.