Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Risk Management and Analysis

Understand risk management and how to use risk analysis to make information security management decisions.

Risk management is the process of assessing risk and applying mechanisms to reduce, mitigate, or manage risks to the information assets. Risk management is not about creating a totally secure environment. Its purpose is to identify where risks exist, the probability that the risks could occur, the damage that could be caused, and the costs of securing the environment. Even if there is a risk to information assets, risk management can determine that it would cost more to secure the asset than if it was damaged or disclosed.

Risk management is not as straightforward as finding the risk and quantifying the cost of loss. Because risks can come from varying sources, an information asset can have several risks. For example, sales data stored on a network disk has the risk of

  • Unauthorized access from internal or external users

  • Loss from a software or hardware failure

  • Inaccessibility because of a network failure

Risk management looks at the various possibilities of loss, determines what would cause the greatest loss, and applies controls appropriately. As the risk manager, you might want to reduce all the risk to zero. This is a natural emotional reaction to trying to solve risk. However, you might find that it is impossible to prevent unauthorized access from internal users while trying to ensure accessibility of the data. Here, you must look at the likelihood of the risk and either look for other mitigations or accept it as a potential loss to the organization.

Assessing risk for information security involves considering the types of loss (risk category) and how that loss might occur (risk factor).

Risk Category

  • Damage—Results in physical loss of an asset or the inability to access the asset, such as cutting a network cable.

  • Disclosure—Disclosing critical information regardless of where or how it was disclosed.

  • Losses—These might be permanent or temporary, including the altering of data or the inability to access data.

Risk Factor

  • Physical damage—Can result from natural disasters or other factors, such as power loss or vandalism.

  • Malfunctions—The failure of systems, networks, or peripherals.

  • Attacks—Purposeful acts whether from the inside or outside. Misuse of data, such as unauthorized disclosure, is an attack on that information asset.

  • Human errors—Usually considered accidental incidents, whereas attacks are purposeful incidents.

  • Application errors—Failures of the application, including the operating system. These are usually accidental errors, whereas exploits of buffer overflows or viruses are considered attacks.

Every analyzed information asset has at least one risk category associated with one risk factor. Not every asset has more than one risk category or more than one risk factor. The real work of the risk analysis is to properly identify these issues.

Risk Analysis

Risk analysis is a process that is used to identify risk and quantify the possible damages that can occur to the information assets to determine the most cost-effective way to mitigate the risks. A risk analysis also assesses the possibility that the risk will occur in order to weigh the cost of mitigation. As information security professionals, we would like to create a secure, risk-free environment. However, it might not be possible to do so without a significant cost. As a security manager, you will have to weigh the costs versus the potential costs of loss.

Risk Analysis

Identifies a risk, quantifies the impact, and assesses a cost for mitigating the risk.

Business Versus Government Risk Analysis

A risk analysis for a government agency is no different from one performed for a nongovernment organization. The difference is how the information is used. Nongovernment entities can use the costs of mitigating the risk and the expected gain to determine whether to add countermeasures and which ones would be the most cost-effective. Most nongovernment entities work like this, including nonprofit corporations.

Because of laws, regulations, and legislative oversight, government agencies (particularly on the federal levels) have to run in a risk adverse environment rather than a risk-managed environment. Thus, agencies provide security controls that minimize the risk to a zero-cost, regardless of the costs, to prevent them from being campaign fodder. It is why the government will spend more money to secure systems than a private corporation will.

On completion of the risk analysis, the information allows the risk manager to perform a cost-benefit analysis (CBA), comparing safeguards or the costs of not adding the safeguards. Costs are usually given as an annualized cost and can be weighed against the likelihood of occurrence. As a general rule, safeguards are not employed when the costs of the countermeasure outweighs the potential loss. For example, an information asset is worth $10,000 should it be lost. Table 3.1 shows a possible analysis of this asset.


Cost of Countermeasure





By doing nothing, if the asset is lost, there could be a complete loss that costs $10,000.



If the countermeasure costs $5,000, you will gain $5,000 in providing the protection by mitigating the loss.



The cost of the countermeasure equals the cost of the asset. Here, you might weigh the potential for the countermeasure to be needed before making a decision.



With the countermeasure costing more than the asset, the benefit does not make sense in this case in terms of financial cost.

For information security planning, the risk analysis allows management to look at the requirements and balance them with business objectives and the costs. For an information security program to be successful, the merging of security processes and procedures with the business requirements is essential. A major part of that is the protection of the assets, and the risk assessment helps in that analysis.

Identifying Threats and Vulnerabilities

The previous section identified the various risk categories and factors that go into a risk analysis. For that analysis to weigh the potential for a risk to occur, the analysis should identify the threats and vulnerabilities that could occur.

There is no single way to identify whether a threat or vulnerability could occur in the environment being analyzed. Most environments are so complex that a vulnerability in one area could affect another area of the business. These cascading errors could be caused not only by a malicious attack, but also by errors in processing, which are called illogical processing.

Threat Agents

These are what cause the threats by exploiting vulnerabilities.

Identifying the threats to information assets is the process of identifying the threat agents that can cause a threat to the environment. Threat agents can be human, programmatic (such as an error or malware), or a natural disaster. The risk factors in the previous section provide a view into the number of possible threat agents an asset could have. Audits look at all the potential threat agents and determine which factors result in the risk to the asset.

After the threat agents, vulnerability, and risk have been identified, the risk analysis then concentrates on the loss potential, or what would be lost if the threat agent exploited the vulnerability. Whether the loss is from corruption or deletion of data to the physical destruction of computer and network equipment, there will be a cost to the loss of the asset. The loss is not limited to the cost of the asset. Risk analysis should also consider the loss of productivity, whether it be a delay or halt in work.

Loss Potential

This is what would be lost if the threat agent is successful in exploiting a vulnerability.

Delayed Loss

This is the amount of loss that can occur over time.

Not every loss will occur immediately. Take disclosure of critical data, for example. The loss from when the data is disclosed might not happen immediately. But if the disclosure was to a competitor involved in industrial espionage, the potential loss could occur over time in the form of lost clients and business. The loss potential for this type of delayed loss can attempt to estimate the costs to recover. Because the nature of the losses are unknown, making this type of estimate can be difficult.

Another delayed loss can be embedded in the cost of business. If data that is used to calculate fees, taxes, or other fiscal obligations is corrupted, a loss potential exists for interest and penalties that would have to be paid when the problems are discovered, which will be more than the costs to repair the damage. In more extreme cases, your organization could lose the confidence of its customers and investors, which could cause additional damage.

Asset Valuation

There are two ways to evaluate assets and the risk associated with their loss. The quantitative approach attempts to assign a dollar value to the risk for analyzing the cost of the potential effectiveness of the countermeasure. A qualitative approach uses a scoring system to rank threats and effectiveness of the countermeasures relative to the system and environment. Most commercial organizations prefer the quantitative approach because it allows for a way to plan budgets and for nontechnical management to understand the impact of their decisions.

Quantitative Versus Qualitative

A quantitative approach to risk analysis uses monetary values to assess risk. The qualitative approach uses a scoring system to determine risk relative to the environment.However, a qualitative analysis is good for understanding the severity of the risk analysis relative to the environment, which is easier for some to understand.

When using the quantitative approach, you should remember that it cannot quantify every asset and every threat. When looking at the values at the extremes, whether high or low, the numbers tend to not reflect the reality of the quantitative analysis. It is up to the team doing the risk analysis to determine which approach is best.

An Internal Risk Analysis Versus Using Outside Consultants

Some might feel that their own systems and security professionals could perform the risk assessment. They do know the systems and understand the processing that occurs. However, although the people your company employs might be very competent, they might be too intimate with operations to be able to tell a technical risk from a process risk. Outsiders do not have the same ties, so they are not prejudiced by "what has been."

When selecting an outside company to do a risk assessment, make sure it has the resources to understand the latest security information and industry best practices so it can provide a complete risk assessment. It must understand all the risks involved in all aspects of information technology. Because these companies do this on a daily basis, they have more insights into what to expect as they perform their tests.

Risk analysis is an investigation into the various assets, assigning risk and determining mitigations. To do this, the risk assessment team must investigate all the assets, taking into account all the variables that can affect the costs. The steps that are followed in a risk analysis are

  1. Identify the assets.

  2. Assign value to the assets.

  3. Identify the risks and threats corresponding to each asset.

  4. Estimate the potential loss from that risk or threat.

  5. Estimate the possible frequency of the threat occurring.

  6. Calculate the cost of the risk.

  7. Recommend countermeasures or other remedial activities.

Each step is explained in Step By Step 3.1.


3.1 Risk Analysis Steps

  1. Identify the assets. When you identify your information assets, you must consider more than the systems and network components. Information assets can also be the organization's data. A company's sales data that contains customer information and buying habits is as much of an asset as the disk and systems that store the information. Risk analysts will look at the organization's business process and ask which information is important to the business processes. In this process, more emphasis can be put on the information that is important, such as sales data, rather than the company phone book.

  2. This is where maintaining documentation and having a solid configuration management system can help. Rather than forcing a full discovery of all assets, including programs and databases, the documentation and configuration management systems can point to the bulk of the assets and provide a basis to begin the analysis. This is not to say that a risk assessment cannot be performed without this help. Some risk assessments are performed to gather this information, which is perfectly reasonable when establishing a new or more stringent information security program.

  3. Next, you must assign value to the assets. Assigning value is not a simple task. For hardware or software, the value can be the purchase or the replacement costs. Setting the value to information assets is where the process becomes difficult. To determine value, you would answer the following questions:

    • How much revenue does this data generate?

    • How much does it cost to maintain?

    • How much would it cost if the data were lost?

    • How much would it cost to recover or re-create?

    • How much would it be worth to the competition?

  4. After all the assets are identified, the analysis then identifies all the threats and risks. The various risk categories are examined, and the various factors are applied until a list of possible threats is created. There is no scientific way to determine which risk categories apply to an asset—it is a subjective determination. However, some common sense should prevail. For example, data cannot be damaged by fire, but the disks on which it resides can be. The risk for the data could be damage or unavailability because of hardware failure, which reduces a number of risk factors and potential countermeasures.

  5. The next step is to go through the various assets and the threats to estimate how much would be lost if the threat occurs. Obviously, this is easy for hardware and software because costs can be taken from invoices or actual replacement costs. But what happens when the asset is data? How much would it cost if access to critical data were lost? How much would it cost to be recovered or regenerated? What if it was improperly disclosed?

  6. When estimating the costs for the loss, all factors should be considered. For example, if workstations are infected with a virus, the cost of recovery should be counted, and so should the loss of productivity. Estimating productivity loss is not easy because the salaries and benefits for each employee affected should be considered, as well as the duration of the loss. Although a number of employees at different salary levels might work on the recovery effort, many times an estimate is based on an average salary. The numbers produced are appropriate for a risk analysis.

    The estimated cost of the potential loss is used to calculate the single-loss expectancy (SLE) for the asset. SLE uses the asset value and the exposure factor (see step 5) to give the dollar amount of the potential loss if the threat came to pass. These calculations are discussed in step 6.

    Single-Loss Expectancy (SLE)

    This is the amount of the potential loss for a specific threat.

  7. The frequency of occurrence is used to estimate the percentage of loss on a particular asset because of a threat. Also called the exposure factor (EF), this value recognizes that a threat does not result in a total loss. For example, a fiber-optic cable running between two buildings being cut by a maintenance worker affects only the cable and the productivity for its cut, which might be only 20% of the organization's infrastructure. For this asset, the EF would be 0.20 for calculations.

  8. Risk analysis is based on the loss over the course of a year. The annualized rate of occurrence (ARO) is the ratio of the estimated possibility that the threat will take place in a 1-year time frame. The ARO can be expressed as 0.0 if the threat will never occur, through 1.0 if the threat will always occur. For example, the ARO for a workstation virus might be set to 1.0, whereas a power outage to the network operations center that might occur once every 4 years would have an ARO of 0.25.

    Risk Analysis Variables

    Variables of risk analysis are annualized loss expectancy, annualized rate of occurrence, exposure factor, and single loss expectancy.

  9. Now that the collection of facts and figures has been completed, the next step is to plug in the various calculations to determine the annualized loss expectancy (ALE), which tells the analyst the maximum amount that should be spent on the countermeasure to prevent the threat from occurring. If the countermeasure costs more than the ALE, it can indicate a risk that the organization might take. This is discussed later in this chapter.

  10. To determine the ALE, each threat undergoes the following calculation:

    6.1. The SLE is calculated by multiplying the value of the asset by the EF:

    SLE = asset value x EF

    6.2. The ALE is calculated by multiplying the SLE by the ARO:

    ALE = SLE x ARO

    To illustrate these calculations, Table 3.2 has a short example with a few assets using a mythical Web server system.

    This sample organization uses a network operations center (NOC) that cost $500,000 to set up where the major threat is a fire. Should there be a fire, a 45% total loss is estimated. However, according to the fire department, the area where the NOC is located has a fire every 5 years, resulting in an ARO of 0.20. Using these values, the ALE for the NOC is $45,000.

    Similar calculations were made on the other assets. The asset values and EF were discovered as part of the audit; the ARO was also determined as part of the investigation. For example, when worried about power failure on the Web servers, the utility company was asked about the average length of outage in the area. In this example, the utility company predicted a major outage once every 2 years, thus resulting in a 0.50 ARO.

    Using the ALE, the organization has an overview of the risks, their likelihood of happening, and what would be lost if the threat occurred. It is also known how much can be spent to protect the asset against the threats. For example, protecting against a power failure on the Web servers should cost no more than $3,125. After some investigation, the cost of an uninterruptible power supply that works in the NOC is revealed to cost $4,500. A business decision could be made to not employ the counter- measure because it would cost more than the loss.

  11. The final step is to recommend countermeasures or other activities to mitigate the risk. This is the topic of the following sections.




Asset Value





Network operations center







Web servers

Power failure






Web data







Customer data







Qualitative Risk Analysis

A qualitative risk analysis is a more subjective analysis that ranks threats, countermeasures, and their effectiveness on a scoring system rather than by assigning dollar values. There are various ways of doing this from group decisions such as the Delphi method to using surveys and interviews for their ranking system.

Doing a qualitative risk analysis is a bit different from a quantitative analysis. In a quantitative analysis, the analyst does not have to be an expert in the business of the organization or have an extensive knowledge of the systems. Using her basic knowledge, she can analyze the basic business processes and use formulas to assess value to the asset and threats. Qualitative analysts are experts in the systems and the risks being investigated. They are able to use their expertise, along with the users of the system, to give the threats appropriate ranks.

To do a qualitative risk analysis, the major threats are identified and the scenarios for the possible sources of the threat are analyzed. The scores generated in this analysis show the likelihood of the threat occurring, the potential for the severity, and the degree of loss. Additionally, the potential countermeasures are analyzed by ranking them for their effectiveness.

When the analysis is completed, the scores for the threat are compared to the countermeasures. If the scores for the countermeasure are greater than the threat, it usually means that the countermeasure will be more effective in protecting the asset. However, remember that this is a subjective analysis, so the meanings of the rankings are also open to interpretation.

Countermeasure Selection and Evaluation

Organizations employ countermeasures, or safeguards, to protect information assets. In selecting the proper countermeasures, it makes good business sense to find a countermeasure that is also the most cost-effective. Determining the most cost-effective countermeasure is called a cost/benefit analysis.

A cost/benefit analysis looks at the ALE, the annual cost of the safeguard, and the ALE after the countermeasure is installed to determine whether the costs show a benefit for the organization. The calculation can be written as follows:

Value of Countermeasure = ALE (without countermeasure) – Cost (safeguard) – ALE (with countermeasure)

Using the Web server example from Table 3.2, let's say that the cost of a universal power supply (UPS)—to purchase and operate—is $1,000 per year. Even with the UPS, the exposure factor (EF) is reduced to 5% (0.05) because a power outage that lasts longer than the UPS can supply power is possible. The utility reports that an outage that will last longer than the UPS occurs once every 5 years, reducing the annual rate of occurrence (ARO) to 20% (0.20). Thus, the following calculation should be used:

    ALE (with UPS) = Cost (Web server) x EF x ARO

    ALE (with UPS) = $25,000 x $1,250 x 0.20

    ALE (with UPS) = $250

With the UPS, the ALE is now $250. Using that for the cost/benefit analysis, you can calculate the following:

    Value of countermeasure = $3,125 – $1,000 – $250

    Value of countermeasure = $1,875

With the value of the countermeasure at $1,875 and the cost at $1,000, the benefit of $875 per year for the countermeasure makes it a benefit for the organization.

One area skipped over was the operation cost of the UPS. The cost of operating the UPS can be a combination of power usage, modifications that might have been necessary to install the device, maintenance, and so on. When looking at the actual cost of the countermeasure during a cost/benefit analysis, all the costs need to be considered. If the countermeasure affects productivity, the loss must be accounted for. Should there be additional testing, those costs also must go into the cost of the countermeasure to get its true cost.

This is also not a straightforward analysis. Some threats might occur once over a period of 10 years or more. Even for expensive assets, an ARO of less than 0.10 can cause the analyst to consider whether the countermeasure is worth the cost over the entire time to prevent the threat. For example, the likelihood of an earthquake destroying the network operations center in the New York City area is very low, even in an area that has seen some earthquakes. Seismologists might think that an earthquake causing some damage would occur once every 15 years (an ARO of 6.67%). But is this enough of a threat to provide countermeasures for?

Effectiveness and Functionality of Countermeasures

Choosing a countermeasure for the amount of cost is a pure business way of analyzing risk. However, as security professionals, we understand that regardless of the cost, the countermeasure is not worth using unless it protects the asset. Information security professionals should work with business people to select the most effective counter- measure that will function to properly protect the asset.

Another consideration is countermeasures that can protect against multiple threats. That potential earthquake in New York might be mitigated by the rigorous building construction guidelines that keep buildings from toppling in high winds. In an information security context, a firewall can be used as a filter to prevent various network-based attacks and as a content filter to stop malicious mobile code.

Tying It Together

Risk assessment tells the organization what the risks are; it is up to the organization to determine how to manage the risks. Risk management is the trade-off an organization makes regarding that risk. You should remember that not every risk could be mitigated. It is the job of management to decide how that risk is handled. In basic terms, the choices are

  • Do nothing—If you do this, you must accept the risk and the potential loss if the threat occurs.

  • Reduce the risk—You do this by implementing a countermeasure and accepting the residual risk.

  • Transfer the risk—You do this by purchasing insurance against the damage.

These decisions can be made only after identifying the assets, analyzing the risk, and determining countermeasures. Management uses these steps to make the proper decisions based on the risks found during this process. Figure 3.3 illustrates these steps.

Figure 3.3 The three steps of a risk analysis.

Residual Risk

This is the value of the risk after implementing the countermeasure.

  • + Share This
  • 🔖 Save To Your Account