Management of Information Security 8-1

Chapter 8
Risk Management: Assessing and Controlling Risk

Contents
- Chapter Overview
- Chapter Objectives
- Set-up Notes
- Lecture Notes and Teaching Tips with Quick Quizzes
- Key Terms

Chapter Overview

The eighth chapter of the text presents the essential risk mitigation strategy options and opens the discussion of how to control risk. This includes identifying risk control classification categories, using existing conceptual frameworks to evaluate risk controls, and formulating a cost-benefit analysis. Readers will learn how to maintain and perpetuate risk controls. As a contrast to the approach presented in the earlier parts of the chapter, the OCTAVE approach to managing risk is introduced.

Chapter Objectives

When you complete this chapter, you will be able to:
- Understand and select from the risk mitigation strategy options to control risk
- Identify the risk control classification categories
- Use existing conceptual frameworks to evaluate risk controls, and formulate a cost-benefit analysis
- Maintain and perpetuate risk controls
- Understand the OCTAVE approach to managing risk, and locate more detailed information about it if and when necessary

Set-up Notes

This chapter can be completed in a single class session if there is sufficient time to cover the material. If the students have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with the detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.

Lecture Notes and Teaching Tips with Quick Quizzes

Introduction

To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function. This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data. These objectives are met through the application of the principles of risk management.

Quick Quiz
1. What are the main responsibilities of a proper business environment?
ANSWER: This environment must maintain confidentiality and privacy and assure the integrity and availability of organizational data.

Risk Control Strategies

An organization must choose one of four basic strategies to control risks:
1. Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
2. Transference: shifting the risk to other areas or to outside entities
3. Mitigation: reducing the impact should the vulnerability be exploited
4. Acceptance: understanding the consequences and accepting the risk without control or mitigation

Avoidance

Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability. Avoidance is accomplished through:
- Application of policy
- Application of training and education
- Countering threats
- Implementation of technical security controls and safeguards

Transference

Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations. This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.

Mitigation

Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability. This approach includes three types of plans:
- the disaster recovery plan (DRP),
- the incident response plan (IRP), and
- the business continuity plan (BCP).
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible.

Acceptance

As described above, mitigation is a control approach that attempts to reduce the impact of an exploited vulnerability. In contrast, acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome of any resulting exploitation. This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.

The only valid use of the acceptance strategy occurs when the organization has:
- Determined the level of risk to the information asset
- Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
- Approximated the ARO of the exploit
- Estimated the potential loss from attacks
- Performed a thorough cost-benefit analysis
- Evaluated controls using each appropriate type of feasibility
- Decided that the particular asset did not justify the cost of protection

Quick Quiz
2. What are the four basic strategies available for controlling risk?
ANSWER: Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability; Transference: shifting the risk to other areas or to outside entities; Mitigation: reducing the impact should the vulnerability be exploited; Acceptance: understanding the consequences and accepting the risk without control or mitigation.

Risk Control Strategy Selection

Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization. If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than the expected cost of the attack, the organization may choose to accept the risk. Otherwise, one of the other control strategies will have to be selected. Some rules of thumb on strategy selection are:
- When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised.
- When a vulnerability can be exploited: apply layered controls to minimize the risk or prevent occurrence.
- When the attacker's potential gain is greater than the cost of attack: apply protections to increase the attacker's cost or reduce the attacker's gain, using technical or managerial controls.
- When potential loss is substantial: apply design controls to limit the extent of the attack,
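The acceptance checklist and the selection rule above (accept only when the loss is within what the organization can absorb and no control justifies its cost) can be tied together in a small cost-benefit calculation. The following Python is an added example, not code from the lecture notes or the textbook; it assumes the standard quantitative definitions SLE = asset value * exposure factor, ALE = SLE * ARO (annualized rate of occurrence) and CBA = ALE before the control minus ALE after it minus the control's annual cost, and every asset figure in it is constructed.

```python
# Assumed standard formulas (not defined on this page):
#   SLE = asset_value * exposure_factor, ALE = SLE * ARO,
#   CBA = ALE_prior - ALE_post - annual_cost_of_safeguard
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    asset_value: float      # value of the information asset
    exposure_factor: float  # fraction of value lost per successful exploit
    aro: float              # annualized rate of occurrence of the exploit

    def ale(self) -> float:
        return self.asset_value * self.exposure_factor * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    strategy: str       # avoidance, transference or mitigation
    annual_cost: float  # annualized cost of the safeguard
    residual: Exposure  # exposure remaining once the control is in place

def cba(prior: Exposure, control: Control) -> float:
    """Net annual benefit; negative means the control costs more than it saves."""
    return prior.ale() - control.residual.ale() - control.annual_cost

def choose_strategy(prior: Exposure, absorbable_loss: float, controls: list):
    """Returns (strategy, control name or None, CBA of the pick or None).

    Accept when the expected annual loss is within what the organization can
    absorb; otherwise take the control with the best positive CBA; if none
    pays for itself, the asset does not justify the cost of protection.
    """
    if prior.ale() <= absorbable_loss:
        return ("acceptance", None, None)
    ranked = sorted(controls, key=lambda c: cba(prior, c), reverse=True)
    if not ranked:
        return ("acceptance", None, None)
    best = ranked[0]
    if cba(prior, best) <= 0:
        return ("acceptance", None, cba(prior, best))
    return (best.strategy, best.name, cba(prior, best))

# Constructed figures for a customer database (not from the notes): ALE = 100,000.
PRIOR = Exposure(asset_value=400_000, exposure_factor=0.5, aro=0.5)
CONTROLS = [
    Control("web application firewall", "avoidance", 30_000, Exposure(400_000, 0.5, 0.125)),
    Control("cyber insurance policy", "transference", 40_000, Exposure(400_000, 0.125, 0.5)),
    Control("full platform rebuild", "avoidance", 120_000, Exposure(400_000, 0.0, 0.0)),
]
```

With an absorbable loss of 25,000 the firewall wins on CBA (45,000 per year); raise the absorbable loss to the full ALE and the same function returns acceptance without spending anything.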
Pitt IS 2820 - Risk Management