Describe fundamental security rules, qualitative risk assessment, and risk perception and communication.
Google Mail raises some questions about secure and private communication. If we consider only threats such as external attackers, Google Mail is no doubt better protected than most alternatives. But information security is more than resistance to hacking or data loss. One of the fundamental principles of information security is confidentiality, and Google Mail weakens it in the following ways.
Its security checks scan the content of every mail to decide whether it carries something offensive or malicious. That protects users from several attacks, but what about the privacy and confidentiality of legitimate users whose mail is read by the provider's systems?
It keeps duplicates of the mail in its data centers. That improves recoverability, but what remains of confidentiality when a confidential message is copied and stored by a third party that is neither sender nor receiver?
From this point of view Google Mail fails to provide a confidential and secure email platform.
I agree with the statement by the author Day: “When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security.”
Business and technology have become complementary; one cannot be sustained without the other. Yet people have learned to use technology without, in most cases, understanding it deeply or grasping the core concepts behind it. This becomes a serious issue when it comes to information security. Businesses and individuals deploy security measures to protect themselves and their data from the consequences of attacks. For example, people install antivirus software to protect their information from viruses, but they keep downloading files from malicious sites and keep using infected media.
The reason is that they do not understand what a virus is, how it spreads, and what the best practices for avoiding it are. Merely installing an antivirus product will not help until people follow security best practices in their daily routine; then the risk drops significantly. In our example, if people become aware and follow policies such as not downloading from untrusted sites, sharing and using removable storage devices carefully and never plugging them into unknown systems, and avoiding unprotected public networks such as open Wi-Fi, they will no longer be exposed to the main sources of infection. This does not guarantee total protection from viruses, but it surely cuts down the chance of an attack.
Foundations of Risk Management 1
Cloud computing is a relatively new and very promising information technology that is still taking shape in industry. Uncertainty is a serious issue with cloud computing, and it stems from the inherent components of the cloud infrastructure itself: the security risks are difficult to comprehend and to predict.
Because virtualization is an integral part of cloud infrastructure, the actual location of data within the storage pool is unknown to the user. Users can understand the potential security issues, but they cannot take security measures themselves; they have to depend on the owner of the storage where their data resides.
The security issues are hard to comprehend because the user has no idea about the environment where the data is actually stored. There may be a good security infrastructure, or there may not. Depending on which is the case, and on the degree of security present, the information security risks, both physical and digital, will vary.
Compared to the COIN dynamics, cloud computing is harder to predict, because of the following factors:
- The geographical location of storage is not known in advance. It may lie beyond national and continental boundaries; the legal environment, policies and operational practices change with it, and the owner of the data has no control over them.
- Even when the storage location is known, the user depends on the information security controls implemented by the vendor. It is the vendor's system, so the user again has only limited control over it.
- In most cases a public network, the Internet, carries the data, with the information security risks that come with transmitting data over it.
- There are many factors to consider, with many interdependencies among them. Setting them down in a comprehensive way is very difficult.
- The field of information security risk is evolving and changing day by day, and capturing this dynamic nature is another difficult task.
The advice is mainly a quantitative guideline for managing risk, because the process first tries to predict the risks and their likelihood through probability and statistical measurement.
Information technology risk management is a very complex process, and there is no single most suitable approach to follow. So this advice is not very suitable for IT risk management.
No, security is not always the main threat to the availability of information, and the meaning of availability varies with the actual scenario. Consider the Google Mail service. According to its service level agreement it will be available 99.9% of the time each month. The remaining time may be taken up by server and data center maintenance, during which the service may be unavailable. So there need not be any security reason for the service being unavailable.
Consider another scenario, in which Google Mail is used by a business. The business's own information technology infrastructure has security problems, and as a result its users are unable to reach their Google Mail accounts. From the users' standpoint the service is unavailable to them, possibly well beyond the downtime allowed by the service level agreement.
For businesses, downtime is not tolerable at all, because it eats into revenue; availability of systems and services therefore matters more to them than security. Put another way: a bug in the system may take Google's email service down for some time. For Google this matters because its service centers and its business are at risk. But a business that consumes Google's service may lose a significant amount of revenue from the same downtime, and that loss may be far greater than the cost of whatever caused the outage.
Foundations of Risk Management 2
A diligence-based information security review is a process that helps determine options for improving the information security infrastructure of an organization.
Here the review process is very important and needs to be comprehensive, because of the nature of the risks and threats. In information security the opponent, the attacker, is unknown and intelligent, and in addition the system is vulnerable in ways that are also largely unknown. The degree of uncertainty is therefore quite high, and the review helps uncover these uncertainties. (Parker, 2008)
There are compliance obligations for meeting or exceeding standards, regulations and laws, and requirements to keep up with them; all of these must fit within the organization's budget.
Management and stakeholders should support the diligence-based review process. From his experience the author concludes that the process can extend security by reducing adversities, which yields net savings and profit.
Some residual information security risk may remain. It is also uncertain and unknown, but has little chance of occurring.
The success and quality of the review depend heavily on the quality, experience and professionalism of the team that carries it out. The process needs cooperation from all stakeholders and consent for access to the assets.
It is true that the threat of going to jail compels employees to follow compliance requirements more than they would without it. PCI DSS, for example, is an industry standard rather than a law: it is imposed on organizations that handle cardholder data through their contracts with the card brands and acquirers, and non-compliance is penalized with fines or loss of card-processing privileges, not imprisonment. It asks organizations to implement its controls so that protection rises above the average level.
In reality people do not give such requirements much weight, because information security risks differ from physical security risks and their consequences are not understood until one is affected by them. Organizations and people do not understand until they are hit, and by then it is too late to ignore the consequences.
To avoid this, similar standards are sometimes 'imposed' on organizations and employees by warning that they may go to jail if a fatal information security consequence results from actions taken without any policy or standard.
This does not say that everyone who disobeys will go to jail; it warns that there is a chance of it.
No, there is no good analogy between the risks of malware and the cost of implementing countermeasures against it. In the given graph the total annual cost and the expected annual damage follow almost the same curve: when the expected damage is higher the cost is also higher, and when the damage range is lower the cost is also lower. (Lund, 2008)
In the case of information security risks, the cost of implementing countermeasures follows a different curve.
Here the cost rises and the risk falls, but only up to a point: beyond the optimal level the risk stays at the same level even as the cost keeps increasing.
The intersection point, and the discretionary area below it, give the optimum under real-world conditions.
Predicting the recurrence interval is difficult for information security risks, and especially for worm and virus attacks. There are countermeasures, but there is also a chance that the attacks will grow stronger with advancing technology. In general the intervals grow shorter with time and the frequency of attacks increases, although countermeasures can be used to prevent attacks.
Quantitative risk assessment
The ALE is the product of the ARO and the SLE, where ARO is the Annualized Rate of Occurrence and SLE is the Single Loss Expectancy (asset value multiplied by the exposure factor, the fraction of the asset lost in one incident). In the given scenario,
The value of the asset is $2 million and the exposure factor is 70%.
SLE = $2 million x 70% = $2,000,000.00 x 0.70 = $1,400,000.00
ARO = 1 occurrence in 10 years = 1/10 = 0.1
Thus ALE = SLE x ARO = $1,400,000.00 x 0.1 = $140,000.00
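The same arithmetic in working form, as an added example that is not part of the original answer. The asset value, exposure factor and once-in-ten-years interval are the page's figures; the safeguard that halves the exposure factor at a cost of $50,000 per year is an assumption, added to show how ALE feeds the cost-benefit decision for a countermeasure (the same comparison applies to an insurance premium).

```python
"""Quantitative risk assessment: SLE, ARO, ALE and safeguard cost-benefit.

Added example, not from the original page. The baseline figures are the
page's ($2M asset, 70% exposure factor, one incident per ten years); the
safeguard figures in __main__ are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    aro: float               # Annualized Rate of Occurrence, incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def aro_from_interval(years_between_incidents: float) -> float:
    """ARO from a recurrence interval, e.g. once in ten years -> 0.1."""
    if years_between_incidents <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1.0 / years_between_incidents


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost.

    Positive means the control (or premium) pays for itself; negative means
    the organization is spending more than the expected loss it removes.
    """
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    baseline = RiskScenario(asset_value=2_000_000, exposure_factor=0.70,
                            aro=aro_from_interval(10))
    print(f"SLE = ${baseline.sle():,.2f}")
    print(f"ALE = ${baseline.ale():,.2f}")
    # Assumed control: cuts EF from 70% to 35% for $50,000 a year (assumption).
    hardened = RiskScenario(asset_value=2_000_000, exposure_factor=0.35,
                            aro=aro_from_interval(10))
    print(f"Net value of control = ${safeguard_value(baseline, hardened, 50_000):,.2f}")
```

Running it reproduces SLE = $1,400,000.00 and ALE = $140,000.00; with the assumed control the residual ALE is $70,000.00, so the $50,000 control nets $20,000.00 a year. The same function answers the later insurance question: a premium is worth paying only while it is below the expected annual loss it transfers.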
Qualitative risk assessment
Qualitative Cost Benefit Analysis
Qualitative cost benefit analysis does not aim at accurate measurement of the cost factors tied to the assets and to the impacts of security risks. Cost benefit analysis in general is the process of comparing costs, in the form of investments, against benefits. It can be used with quantitative as well as with qualitative risk assessment; some steps are common to both, but the way the analysis is carried out differs.
In qualitative cost benefit analysis the process is:
- Describe the costs and benefits, which first requires identifying both.
- Analyze the contribution of the different interventions to the outcomes that have been observed. This is called attribution.
- Compare the costs and benefits with one another and analyze the relationship between the two.
In qualitative cost benefit analysis the evidence of costs and benefits is observed over a range of values that are not expressed in monetary terms, so there is no ratio of cost to benefit. Instead the relationship between the two factors is observed and analyzed. (RMIT University, 2004)
CRAMM stands for CCTA Risk Analysis and Management Method. It is a security risk assessment and management method supported by an automated tool, and any type of organization can use CRAMM for qualitative risk assessment. The tool helps justify contingency or security investment in the information technology infrastructure of an organization, including its networks and information systems, and the countermeasures it recommends are quantifiable. (Yazar, 2002)
FRAP stands for Facilitated Risk Analysis Process. It considers one system or application within a line of business at a time. A FRAP team is formed that provides technical and managerial input. The team brainstorms to identify threats, potential hazards, vulnerabilities and consequences, then prioritizes all identified risks, and finally prepares a control and action plan for managing them.
The advantages of FRAP are:
- The process is fast.
- All documentation is completed quickly.
- The team itself works through the security risks.
Risk analysis is the process of identifying risks in advance and measuring their impact in a given context. Its results are then used to prepare risk management strategies.
Risk analysis begins with risk identification, for which there are various strategies and techniques. A common and widely used one is the risk register: a matrix that lists the risks associated with a project together with each risk's likelihood of occurring, its impact, and possible countermeasures.
There are two types of risk analysis, qualitative and quantitative. Quantitative analysis focuses on the monetary factors attached to the risks; qualitative analysis focuses on the relationships among risks, the reasons behind them, and how they can be controlled.
Risk analysis helps in understanding risks in advance and in taking preventive or corrective action. It also helps identify the risks that cannot be avoided.
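An added illustration of the risk register and of FRAP-style prioritization described above; it is not part of the original answer or of any published FRAP or CRAMM material. The five-point likelihood and impact scales, the rating thresholds and the four register entries are constructed assumptions; a real register would use whatever scales the assessment team agrees on.

```python
"""Qualitative risk register: likelihood x impact scoring and prioritization.

Added example, not from the original page. The ordinal scales, the
high/medium/low thresholds and the sample entries are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales (assumed). Qualitative analysis ranks risks; it does not price them.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    countermeasures: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject labels outside the agreed scales so a typo cannot silently rank a risk.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood label: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact label: {self.impact!r}")

    def score(self) -> int:
        """Cell of the likelihood x impact matrix this risk falls into."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Bucket the score into the rating the action plan is organised by (thresholds assumed)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Highest score first; on a tie the higher impact wins, as a FRAP team would rank them."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def heat_map(register: list[RiskEntry]) -> dict[tuple[int, int], list[str]]:
    """Group risk IDs by (likelihood, impact) cell for the matrix view."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((LIKELIHOOD[r.likelihood], IMPACT[r.impact]), []).append(r.risk_id)
    return cells


def render(register: list[RiskEntry]) -> str:
    """One line per risk in priority order, including the planned controls."""
    lines = []
    for r in prioritize(register):
        controls = ", ".join(r.countermeasures) or "none"
        lines.append(f"{r.risk_id} [{r.rating():6}] score={r.score():2} "
                     f"L={r.likelihood}, I={r.impact}: {r.description}; controls: {controls}")
    return "\n".join(lines)


# Constructed sample register (assumption).
SAMPLE_REGISTER = [
    RiskEntry("R1", "SQL injection in customer portal", "likely", "severe",
              ["parameterized queries", "web application firewall"]),
    RiskEntry("R2", "Laptop holding unencrypted backups is lost", "possible", "major",
              ["full-disk encryption"]),
    RiskEntry("R3", "Data-center fire", "rare", "severe", ["offsite replication"]),
    RiskEntry("R4", "Phishing leads to mailbox compromise", "almost certain", "moderate",
              ["multi-factor authentication", "awareness training"]),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
```

With the sample entries the order comes out R1 (20, high), R4 (15, high), R2 (12, medium), R3 (5, low): the once-in-a-decade fire sits at the bottom despite its severe impact, which is exactly the kind of ranking the team then has to defend to management.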
Most insurance solutions in this context offer the following:
- Detailed gap analysis for insurance.
- Network security survey to assess vulnerabilities.
- Network vulnerability scanning.
- Security policy review and development.
- Internet connectivity vulnerability assessment.
- System and database vulnerability scanning.
An information technology insurance policy for an organization covers its computing and networking resources.
According to various studies, the most common security breaches of databases and thefts of data fall into the following categories (Imperva, 2014):
- Excessive and unused privileges
- Privilege abuse
- SQL injection, or input injection more generally
- Weak audit trail
- Denial of service (DoS)
- Exposure of storage media
- Unmanaged sensitive data
- Misconfigured databases
- Exploitation of vulnerabilities
A database has different types of users with different access rights. Granting excessive privileges to some users, or an excessive number of privileges on a database and its data, brings more risk, because those privileges can be misused to breach data. There are two kinds of injection against a database: classic SQL injection, and a broader category called input injection that also covers the big data and NoSQL stores that do not speak SQL. Absence or weakness of an audit trail recording all sensitive database transactions exposes an organization to several risks, including malware activity and data theft going unnoticed. A DoS attack may not steal data, but it damages the business by making the service unavailable to its users. Some organizations fail to manage and store sensitive information securely. Finally, a system or database may carry several kinds of vulnerabilities, and their exploitation results in data breaches.
Insurance is useful against data loss arising from information security risks and covers some aspects of the problem, but it cannot protect a data set from every kind of information security risk.
Information security insurance is a policy specially designed for the mitigation of cyber risk. Various kinds of information security risk come under its umbrella: besides data breaches, it covers network damage and interruption of business processes.
These policies follow certain risk mitigation principles, including:
- promoting preventive techniques against information security risks, which reduces the chance of a risk materializing and earns broader coverage;
- encouraging implementation of countermeasures and best practices, usually through premiums tied to the insured's level of self-protection.
However, there is a good deal of confusion in this field. Organizations sometimes fail to understand the policies and how they work, and they are unsure whether a given risk will materialize at all. This uncertainty makes their decisions less sound and can itself raise the chance that the risk occurs.
For example, insurance can cover sudden disasters such as fire. Suppose an organization pays a premium of $50,000 per year to protect its data, but a fire may occur only once in ten years, and further precautions could reduce that chance still more. The organization may then be unsure whether investing that much is worthwhile against a risk that is very unlikely to happen.
Risk perception and communication
The risks identified for digital wildfires (as presented in Fig. 11 of the WEF report) (World Economic Forum, 2013) are:
- Critical systems failure
- Cyber attacks
- Massive incident of data fraud/theft
- Major systemic financial failure
- Backlash against globalization
- Global governance failure
- Failure of diplomatic conflict resolution
- Massive digital misinformation
- Rising religious fanaticism
Some of these risks are technical and the rest are subjective, so for some of them there may be no solid solution beyond following policies and best practices.
For example, cyber attacks can be dealt with by several information security countermeasures, depending on the type of attack and the context: hardware, software, access control restrictions, and so on. The same is true of risks like data theft.
But some risks are hard to mitigate: terrorism, failure of diplomatic conflict resolution, massive digital misinformation, rising religious fanaticism.
The emergence of social media, its widespread use by every class of user, and the power it carries have created such information and security risks. Even where a policy or governance exists, monitoring it and checking whether it is being followed is hard or almost impossible.
For example, every social media platform restricts the sharing of offensive or abusive comments, false information, pornography and the like. In reality there are thousands of cases where these rules are not followed. And what is the result?
Creating a policy or governance framework alone will not help; these risks are harder to overcome, and with each passing day they become more alarming.
The impact of these risks can be fatal for mankind, ranging from breach of an individual's privacy to a terrorist attack, even war between different races and religious communities.
The consequences are really serious.
A cyber security threat can be dealt with to some extent, but in the other case, even if we understand the risk and try to make people aware, we still cannot be sure that it will work in practice.
Information spreads through social media very fast. Consider a situation where abusive or religiously inflammatory material has been shared on social media. Most people will believe it at first, even logical thinkers, and rather than checking its truth they keep spreading it. By the time it is noticed, the damage is done. It is also very hard to take information down from social media, even when its useful lifetime is very short.
Metrics are useful for accurate and reliable measurement. Without proper measurement it is hard to manage anything, and for businesses this applies even more. Yet there is no agreed standard way of measuring information security. Some stakeholders want to understand the matter in depth, while others are interested only in the surface. Experience shows that understanding a matter from the bottom up leads to a better grasp of it. As in any other field, there are good, useful security metrics and useless ones.
Metrics should focus on the things that really matter to the business; only then will stakeholders be interested. They should help the business take a proactive approach to its problems. (Montville, 2012)
In terms of information security risk, metrics help a business understand where it stands and what security level it has achieved. In the same context, however, it is very hard to build and implement metrics that accurately measure their own effectiveness, applicability or importance. As the theme of Metricon 7 put it, the question is whether information security metrics are real and helpful or just create more confusion.
Businesses are more interested in revenue than in the complexities of information security. Businesses outside the software and IT domain often have very little understanding of information security, its application or its importance. Consequently business stakeholders can be expected to care more about business advantage and revenue than about security metrics.
The two presentations on information security metrics, one by a professional security practitioner and one by a business person, illustrate this well. Both discuss information security metrics and their applicability to business.
The presentation by the business person is more lucid and easier to understand for anyone who knows business and wants some idea of information security metrics and their use in the business.
The presentation by the security professional covers the same topic but gives more complex technical detail. It is not easy to follow without further explanation, and it may convey less to business stakeholders, who are not interested in too much detail.
So the bottom line is to deliver only the information the target audience can understand, giving the important details in outline.
The business person's presentation explains the basics, such as what metrics and KPIs are, rather than jumping into the details.
For the stakeholders of any business, the business person's presentation will be more meaningful.
The relational model combines quantitative and qualitative risk analysis. It is applicable to organizations of any size, although the implementation details vary. The model follows a patent-pending method, and integrated, automated products form part of it; an example is the Relational Security Audit Manager (RSAM), which is needed to implement the model in medium and large organizations. (Day, 2003)
The original model is complex; the author of the book describes a simpler version. The simpler model concentrates on defining a series of values that carry meaning in the given context, assigning those values to various objects, and calculating the risks from them. Policy for dealing with the risks is then built on that calculation.
Many of the concerns raised by traditional quantitative and qualitative risk assessment models have been addressed and removed in the relational model. It considers both aspects: it calculates the cost factors as well as the qualitative factors, and it takes the interrelations among risks into account.
The relational model is closer to the quantitative model. In the given example it considers the information systems of different departments of an organization, calculates the cost of employee downtime for each, and then compares the three on a common basis. This gives a more accurate understanding of the cost of a risk, but the core of the risk analysis is quantitative.
The model will be useful to management and to auditors. Studies have shown that in most cases organizations avoid risk analysis because of the complexity of the process and the lack of a model suited to their business. Quantitative risk analysis gives a clear understanding of risks in terms of the costs attached to them; the challenge is that an asset, or a class of assets, also has qualitative aspects that play a crucial role.
From that perspective the relational model is clearer, since it draws on both kinds of analysis. Traditional risk analysis posed certain challenges; the relational model overcomes them and is well suited to enterprise computing environments.
Management gains a clear idea of the risks and their impact. Auditors, for their part, can carry out their audits because the soft factors attached to the risks are made explicit in this model, and the refined cost factors give a better understanding of the scenario and of how assets are generalized across the business.
The model is also free from bias and human factors in the opinions collected from employees, which helps the qualitative side of the assessment, where the qualities and characteristics of systems are examined.
Day, K. (2003). Inside the Security Mind. Prentice Hall.
Imperva. (2014). Top Ten Database Threats. Imperva.
Lund, J. R. (2008). A Risk Analysis of Risk Analysis. Journal of Contemporary Water Research & Education, 53-60.
Montville, A. (2012, August 9). To Navigate Your Security Program, Measure Well. Retrieved from Tripwire: https://www.tripwire.com/state-of-security/security-data-protection/to-navigate-your-security-program-measure-well/
Parker, D. B. (2008). A Diligence-Based Idealized Security Review. The Global Voice of Information Security, 35-40.
RMIT University. (2004). Qualitative Cost Benefit Analysis. RMIT University Circle.
World Economic Forum. (2013). Digital Wildfires in a Hyperconnected World. Retrieved from World Economic Forum: https://reports.weforum.org/global-risks-2013/risk-case-1/digital-wildfires-in-a-hyperconnected-world/
Yazar, Z. (2002). A Qualitative Risk Analysis and Management Tool - CRAMM. SANS Institute InfoSec Reading Room.