An Introduction To Risk Analysis

Risk analysis is a complex discipline. The following notes are intended to provide a framework on which to build further study:

WHAT IS RISK ANALYSIS?

    A TEXTBOOK DEFINITION

      A procedure to identify threats and vulnerabilities, analyze them to ascertain the exposures, and highlight how the impact can be eliminated or reduced.

    ANOTHER DEFINITION

      A process to determine what security is appropriate for a system or environment.

    THE BOTTOM LINE

      The security you implement should be commensurate with the risks that apply. Risk analysis should enable you to achieve this goal.

      It should also help you establish where to invest your security budget for the best return.

TYPES OF RISK ANALYSIS

    QUANTITATIVE RISK ANALYSIS

      -    Two elements used: probability and likely loss
      -    An 'ALE' (annual loss expectancy) is produced (probability x likely loss)
      -    Several drawbacks, e.g.:
               no accurate probability database
               probability is usually unique to the case
               expected loss is hard to establish
               'expected' is not easy to accept!
      -    In fairly limited use

    QUALITATIVE RISK ANALYSIS

      -    Widely used
      -    Estimated potential loss/impact used
      -    No probability database required
      -    A risk 'level' is often produced

QUALITATIVE RISK ANALYSIS

MEASURING RISK

BUILDING A SECURITY MODEL

ELEMENTS IN THE EQUATION

THREAT:            Nasty things that can happen

ATTACK:            Made by a threat when it occurs

VULNERABILITY:     A weakness that makes a system more prone to attack, or an attack more likely to succeed

CONTROL:           A 'countermeasure' for a vulnerability

IMPACT:            The consequence of a successful attack

BUSINESS IMPACT:   This is what we must reduce or prevent!

ALL THESE PUT TOGETHER GIVE US A FRAMEWORK TO MANAGE SECURITY WITH

THREAT/VULNERABILITY/CONTROL EXAMPLES

    THREAT           Fire                     Software error

    VULNERABILITY    Presence of flammable    Complexity
                     materials

    CONTROLS         Sprinklers               Design and development standards
                     Extinguishers            Change control
                     Etc.

QUALITATIVE RISK ANALYSIS

PRACTICAL APPLICATION

USING THIS MODEL WE CAN BEGIN TO MEASURE AND QUANTIFY.

FOR INSTANCE: VULNERABILITY vs CONTROL

A significant vulnerability with little or no control in place to address it is bound to increase the risk of a successful attack.

Conversely, a low vulnerability and substantial control will reduce the risk of a successful attack.

HOWEVER

If the IMPACT is always going to be LOW, then substantial control may NOT be necessary or desirable, and may signify overspend.

This is one of the reasons why ALL the elements in the model must be integrated into your risk analysis approach (some techniques do not provide full linkage with impact).

THIS IS NOT TRIVIAL TO ACHIEVE... BUT IF YOU CAN ACHIEVE IT, THE BENEFITS ARE SUBSTANTIAL
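As an added illustration (not part of the original notes), the following scoring routine applies the vulnerability/control/impact reasoning from the practical application section: exposure is vulnerability net of control, risk combines exposure with business impact, and the assessment flags the overspend case the notes warn about as well as the quantitative ALE formula. The three-point scales, the exposure formula, the score-to-level mapping and the scenario ratings are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class Scenario:
    threat: str
    vulnerability: Level  # weakness making an attack more likely to succeed
    control: Level        # strength of the countermeasures already in place
    impact: Level         # business impact if the attack succeeds

def exposure(s: Scenario) -> Level:
    """Residual weakness: vulnerability offset by control (assumed scale, clamped to LOW..HIGH)."""
    return Level(max(Level.LOW, min(Level.HIGH, s.vulnerability - s.control + 2)))

def risk_level(s: Scenario) -> Level:
    """Risk of a damaging attack: exposure combined with business impact (assumed mapping)."""
    score = exposure(s) * s.impact  # 1..9
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH

def assess(s: Scenario) -> str:
    """Risk level plus the spend check: control must be judged against impact, not vulnerability alone."""
    level = risk_level(s)
    if s.impact == Level.LOW and s.control == Level.HIGH:
        return f"{level.name}: substantial control against a low-impact threat (possible overspend)"
    if exposure(s) == Level.HIGH and s.impact == Level.HIGH:
        return f"{level.name}: high exposure to a high-impact threat (invest here first)"
    return f"{level.name}: control commensurate with risk"

def annual_loss_expectancy(probability: float, likely_loss: float) -> float:
    """Quantitative counterpart from the notes: ALE = probability x likely loss."""
    return probability * likely_loss

# Constructed scenarios based on the notes' two example threats (ratings are assumptions).
FIRE = Scenario("Fire", Level.HIGH, Level.LOW, Level.HIGH)  # flammable materials, no sprinklers
SOFTWARE_ERROR = Scenario("Software error", Level.MEDIUM, Level.HIGH, Level.LOW)  # complex, but low impact

if __name__ == "__main__":
    for s in (FIRE, SOFTWARE_ERROR):
        print(f"{s.threat}: {assess(s)}")
```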