latrobe.edu.au CRICOS Provider 00115M
CSE1ICB – Introduction to Cybersecurity
Lecture 6: Threats and Risks II
Dr Hooman Alavizadeh
Computer Science & Information Technology
Semester I - 2023
Assessing risk
(Identify, analyse, evaluate)
La Trobe University
Threat Modeling Example
▪ An example of security (threat) modelling in a network
▪ Can be quantified using the NVD (National Vulnerability Database)
▪ https://nvd.nist.gov/vuln/search
▪ Using vulnerability CVE IDs:
– CVE-2017-8530
– CVE-2017-8495
– etc.
Risk assessment
▪ Goals of a risk assessment process:
Identify and classify vulnerabilities
• Internal (existing conditions within the enterprise)
• External (conditions outside the boundaries that still impact us)
• Locus of control (do we have any direct influence?)
Determine the key threats faced by the business
• Deliberate (fraud, disruption, defacement, activism)
• Accidental (process failure, lack of training or guidance)
• Environmental (force majeure, e.g. fire or flood)
Risk assessment
▪ Goals of a risk assessment process:
Establish a framework for likelihood estimates
• Historical data (internal data from previous incidents)
• Industry standards (external actuarial data)
Determine the harm the threats will cause
• Financial (fines, loss of profit, increased costs)
• Reputational (loss of consumer confidence, brand damage)
• Regulatory (loss of license, sanctions)
Risk assessment function
▪ To be effective, a risk assessment function requires the following components:
▪ An agreed risk management approach and toolset:
– Has the risk management strategy been completed?
▪ Agreed roles and responsibilities:
– Do we know who will assess, articulate and monitor the enterprise risks?
▪ An agreed method and medium of presenting assessed risks:
– In what format and forum will both new and existing risks be presented?
▪ Agreed frequency of risk revision / reassessment:
– When are managed risks reviewed, to ensure they are still within risk appetite?
Responding to risk
(Accept or treat?)
Responding to risk
▪ When we have identified, analysed and evaluated each risk, we must decide on an appropriate treatment approach:
Accept the risk
• “Do nothing” – record and monitor the risk only
Avoid the risk
• Make a fundamental change in organisational practices to remove the factors that lead to the risk
Mitigate the risk
• Introduce an additional change that reduces the likelihood or impact of the risk
Share the risk
• Agree with other parties to share the impact of a risk, or to collaborate to reduce likelihood
Transfer the risk
• Purchase an instrument or legal agreement to cover losses that may result from a risk
Risk acceptance example #1
▪ An organisation decides to build a new facility in a geologically stable region of the world
– An assessment of environmental risks is performed, and the likelihood of earthquake is extremely rare (based on historical data and geological science)
– Despite the impact of an earthquake being potentially high, the extremely low likelihood results in a very low assessed risk
– The organisation decides not to include resilience against such a disaster in the building’s design
▪ The organisation therefore makes a risk-based decision and avoids the cost of earthquake-resistant construction
Risk acceptance example #2
▪ An individual is involved in a serious road incident, and is approached by emergency personnel
– The individual is asked for personal information to assist with their care
– They are confident that these are genuine emergency personnel, and that by supplying the requested information, the personnel may be better equipped to assist and that the consequences of the incident may be reduced
▪ The individual makes an intuitive risk-based decision to share personal information to assist with a crisis, where they wouldn’t otherwise share this information with a stranger
Risk acceptance example #3
▪ A company realises that a flaw in one of their software products may cause manufacturing errors, resulting in costs to their customers
– The flaw is minor, but the software is deployed in hundreds of locations
– The cost of rushing out a fix will be very expensive and disruptive, whereas a regular update in one month can implement the fix for free
– The company decides to manage the issue via communication and wait for the scheduled update to fix the software
▪ The company made a risk-based decision to delay the fix based on cost, and manage the reputational impact separately
Risk avoidance
▪ Risk avoidance is where a fundamental change to a process or situation is made to remove the underlying cause of a risk
▪ This is an appropriate treatment approach when:
– The assessed risk exceeds the risk tolerance (and cannot be accepted)
– No suitable controls can be implemented to bring the risk within tolerance
Risk avoidance example
• Connecting a sensitive legacy system to a corporate network is regarded as dangerous, due to network threats
• The sensitive system itself is too old to be adequately secured using any practical means
• The owner opts to keep the system air-gapped from the network, and absorb the additional operational cost and effort
Risk transfer
▪ Risk transfer is where some or all of the financial liability of a negative consequence can be shifted to another entity
▪ This is most commonly implemented as an insurance policy
– Impact or likelihood of risk are not affected
– Damage will still happen with the same frequency
– It is someone else’s problem to pay for these damages
▪ Cyber insurance is a rapidly growing market
Risk transfer
▪ Insurance only covers the financial impact of a risk
– Reputational damage is still possible
– Regulatory or legal recourse is still possible
▪ Consequences of the decision to transfer risk must be very carefully considered and understood
– Financial damage may be deferred
– Other forms of damage are still possible
– In some cases (e.g. banking) regulations do not allow transfer of liability
o E.g. loss of customer data is always the responsibility of the bank, and cannot be deferred or shared with any other party
Something to consider…
▪ Traditional insurance policies require certain controls to be in place before they will cover damage or harm; for example:
– Your doors and windows must have locks for your home insurer to reduce your premiums or excess
– Your car must be roadworthy and registered or your 3rd-party damage insurance may not pay for an accident
▪ What kinds of controls will cyber insurers require companies to have, before they will allow risk transfer to occur?
▪ How will they ensure their customers comply with these requirements?
▪ How might this arrangement be exploited?
Risk mitigation
▪ Any risk, or portion of risk, that cannot be avoided, accepted or transferred we must mitigate
▪ This is the “bread and butter” of an information security professional
▪ For every critical system, asset or change to a critical system or asset, we:
– Model the threats that may occur and harm the system or asset
– Understand the impact and likelihood of these threats if they manifest
– Select controls to reduce either impact or likelihood
Risk mitigation
▪ We mitigate risk by selecting controls to reduce the impact or the likelihood of harm to a system or asset
▪ These controls may take three general forms:
Technical
• A logical countermeasure that is implemented using technical means, such as a firewall or an access control system
Administrative
• A process or documentation-based countermeasure, such as an approval workflow or policy document
Physical
• A physical countermeasure such as a lock, security camera or a physical barrier
Risk mitigation example #1
Scenario: A sensitive area in a corporate building may be entered by using an access pass reader to open the door.
Risk assessment: A lost or stolen access pass may allow an unauthorised person to gain access, simply by swiping the access pass they have stolen or found.
Mitigating control: Add a PIN pad to the door, requiring a unique PIN for each authorised person and pass.
Result: By having a PIN pad in addition to the access pass reader, an unauthorised person cannot gain entry by simply stealing or finding an access pass. They must also know the unique PIN that corresponds to the access pass, in order to successfully enter the sensitive area.
Risk mitigation example #2
Scenario: A company utilises a cloud storage solution to host some of their company documentation, to allow easy access to mobile sales representatives.
Risk assessment: A breach of the cloud service might expose the company’s data to an unauthorised party, resulting in reputational or financial damage.
Mitigating control: Encrypt the data at rest, and only decrypt when requested by an authorised staff member.
Result: By encrypting the data, any breach of the cloud service would result in the attacker obtaining an encrypted data set. Without the key, they cannot read the data and therefore cannot perpetrate any harm against the company. This has reduced the impact of the assessed data breach risk.
Treating risk
▪ An important consideration when choosing to mitigate risk is that the cost of treatment should be balanced against the cost of any harm
▪ For example, it does not make sense to spend $1,000,000 to mitigate a risk that may only result in $100,000 damage…
▪ To be accurate, this relies on a technique known as quantitative risk assessment
– This requires a lot of historical data to be accurate
– Cyber risks have not been around long, and are not well documented
– Therefore, assessing the cost of risks can be very difficult!!
Monitoring risk
▪ Risks are not static, and must be monitored and tracked over time in order for their management to be effective
▪ Some key points to note:
▪ Has the risk been realised at any point?
▪ Was the risk response implemented effectively?
▪ Has the likelihood or impact of the assessed risk changed, due to:
– A change in the business strategy or structure?
– A change to the marketplace or economy?
– A change to the threat landscape or threat actors?
External risk relationships
▪ Businesses share risk with their business partners
– Tech support partner has access to systems
– Their own personnel risk is therefore shared – a malicious insider at the tech partner may cause harm to the business
▪ Becoming common to share risk and threat information with partners through established bodies:
FS ISAC – Financial Services Information Sharing and Analysis Centre: industry forum for sharing threat information across the global financial sector
CERT – Computer Emergency Response Team: Australian government funded body for cross-industry dissemination of threat intelligence
NGISS – National Government Information Sharing Strategy: information sharing within and between the Australian government departments
TISN – Trusted Information Sharing Network: Australian government programme for critical infrastructure services
Threats
▪ Information assets are subject to different threat sources:
Deliberate attacks
• Ransomware
• Phishing / spam
• Malicious insiders
Environmental disruptions
• Earthquake
• Storms or floods
Human errors
• Lack of training
• Lack of clear process
• Simple oversights
Machine errors
• Hardware failure
• Electrical or magnetic interference
Structural failures
• Engineering mistakes
• Poor materials
• Fatigue due to age
Cyber risk assessment
▪ To counter cyber threats, we must assess and manage cyber security risks
▪ Cyber (or information) security risks:
▪ Arise from the potential loss of confidentiality, integrity, or availability of information or information systems
▪ Reflect the potential adverse impacts to:
– Organizational operations (i.e., mission, functions, image, or reputation)
– Organizational assets
– Individuals (staff, customers, general public)
▪ Managing cyber risk is critical to managing business
Cyber risk assessment
▪ Risk assessment is the methodical process of:
– Identifying cyber risks
– Estimating the impact and likelihood of cyber risks
– Prioritizing the treatment of cyber risks
▪ Assessing risk requires the careful analysis of:
– Threat information
– Vulnerability information
▪ The intent is to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
Cyber risk assessment
▪ Accurate risk assessment relies on a large body of quality information regarding likelihood and impact
▪ Several factors make this more difficult in cyber security:
– Historical data is limited due to the relative newness of the field
– Information is not often shared due to commercial sensitivity
▪ By comparison, a car insurer has many years of accident statistics across many countries and millions of drivers – this allows accurate predictions to be made based on a number of factors
▪ Cyber insurers and industry information sharing bodies seek to create such data sets and allow better prediction
Calculating risk
▪ Two methods exist by which we calculate the level of risk to which an asset or entity is exposed:
Quantitative Risk Assessment
• Uses precise mathematical formulae to calculate the values of likelihood and impact
• Allows very accurate prediction of occurrence and any losses which may occur
Qualitative Risk Assessment
• Based on pre-defined scales of value and the perception of the risk assessor
• Less accurate but does not require the precise modelling data of the quantitative method
Quantitative risk assessment
▪ Relies on factual and measurable data, and therefore a rich and reliable data set is required
▪ Risk may be calculated using several numeric values:
ALE = SLE × ARO
SLE (Single Loss Expectancy) – What money will be lost if the risk being assessed actually happens? What will the damage to the asset or the company be?
ARO (Annual Rate of Occurrence) – How many times in a one-year interval is this event likely to happen?
ALE (Annual Loss Expectancy) – The amount expected to be lost each year as a result of this risk
Quantitative risk assessment - Example
▪ A large software developer wants to assess the risk of reducing the testing cycle during its monthly release process.
▪ This change has been forecast to save the company around $250,000 per annum in testing costs and release delays.
▪ If a major release fails QA, it requires on average $50,000 in additional developer time to fix the error at the last minute
▪ The test cycles occur 12 times per year, and on average four of the cycles reveal major flaws that need to be rectified prior to QA
Should the company try to save money by doing less testing before QA?
Quantitative risk assessment - Example
▪ Let’s calculate the risk
– SLE (Single Loss Expectancy)
o Each time the software fails testing, it will cost the company $50,000 in developer overtime to fix the release
– ARO (Annual Rate of Occurrence)
o The software releases fail testing on average four times a year
– ALE (Annual Loss Expectancy)
o 50,000 × 4 = $200,000 per annum in additional developer costs
▪ This is less than the $250,000 that could be saved by not doing so much testing, so based on this assessment method it makes financial sense to consider reducing the testing.
▪ What other impacts does this assessment NOT consider…?
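As an added worked example (not from the lecture slides), the ALE = SLE × ARO calculation applied to the reduced-testing scenario, extended with the break-even failure rate and the "treating risk" comparison of a control's cost against the loss it removes; the figures are the lecture's own, the function names are this example's.

```python
# Added worked example (not from the lecture): quantitative risk assessment with
# ALE = SLE x ARO, applied to the lecture's reduced-testing scenario, plus the
# "treating risk" rule that a control should not cost more than the harm it prevents.

def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annual Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def break_even_aro(annual_saving: float, sle: float) -> float:
    """Failure rate at which the expected loss equals the saving (ALE == saving).
    Above this rate the 'cheaper' option costs more than it saves."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    return annual_saving / sle


def reduced_testing_decision(annual_saving: float, sle: float, aro: float) -> dict:
    """Lecture scenario: compare the forecast saving from less testing with the
    ALE of last-minute fixes. Purely financial, as the slide's closing question notes."""
    expected_loss = ale(sle, aro)
    return {
        "ale": expected_loss,
        "net_benefit": annual_saving - expected_loss,
        "financially_justified": annual_saving > expected_loss,
        "break_even_aro": break_even_aro(annual_saving, sle),
    }


def control_is_worthwhile(ale_before: float, ale_after: float,
                          annual_control_cost: float) -> bool:
    """The 'treating risk' rule: a mitigating control pays off only when the ALE
    it removes exceeds its own annualised cost."""
    return (ale_before - ale_after) > annual_control_cost


if __name__ == "__main__":
    # Lecture figures: $250,000 saved per year, $50,000 per failed QA, four failures a year
    print(reduced_testing_decision(250_000, 50_000, 4))
    # Sensitivity: at five failures a year the saving is cancelled out; at six it is a loss
    print(reduced_testing_decision(250_000, 50_000, 6)["financially_justified"])
    # Lecture's "treating risk" figures: $1,000,000 to mitigate a $100,000 loss
    print(control_is_worthwhile(100_000, 0, 1_000_000))
```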
Qualitative risk assessment
▪ In contrast to the quantitative method, qualitative risk assessment does not require any maths
▪ When adopting a qualitative methodology, a company will agree on sensible thresholds for determining likelihood and impact of an adverse event
▪ Likelihood is often expressed in a five-tier model, with thresholds based on company history and industry trends:
Almost certain – The event is likely to occur at least annually
Likely – The event is likely to occur on average once every two years
Possible – The event is likely to occur on average once every five years
Unlikely – The event is likely to occur on average once every seven years
Rare – The event is likely to occur on average once every ten years
Qualitative risk assessment
▪ The risk assessor can then estimate the damage a risk will produce, aligned to several different dimensions
▪ Thresholds will vary based on industry, risk appetite, company size and economic conditions
Consequences (Insignificant / Minor / Moderate / Major / Catastrophic)
Financial impact
• Insignificant – Losses less than $5,000
• Minor – Losses between $5,000 and $50,000
• Moderate – Losses between $50,000 and $1,000,000
• Major – Losses between $1,000,000 and $10,000,000
• Catastrophic – Losses exceed $10,000,000
Reputation impact
• Insignificant – Short-term negative community media coverage
• Minor – Short-term negative national media coverage
• Moderate – Medium-term, or recurring negative lead stories in national media
• Major – Long-term negative targeted lead stories, short-term negative international stories
• Catastrophic – Extended negative media coverage, parliamentary enquiry
Management impact
• Insignificant – Absorbed within BAU operations
• Minor – Business unit management involved
• Moderate – Business line executive management involved
• Major – Business line executive group management involved
• Catastrophic – Group executive or director involved
Qualitative risk assessment
▪ To describe the risk, a matrix combining the assessed impact and likelihood values is used
Likelihood (rows) against Impact (columns):
                | Insignificant | Minor  | Moderate | Major     | Catastrophic
Almost certain  | Low           | Medium | High     | Excessive | Excessive
Likely          | Low           | Medium | Medium   | High      | Excessive
Possible        | Low           | Low    | Medium   | Medium    | High
Unlikely        | Low           | Low    | Medium   | Medium    | High
Rare            | Low           | Low    | Low      | Medium    | High
Qualitative risk assessment - Example
▪ A freight company wants to assess the risk of hosting their customer database in a cloud-based facility
▪ The cloud provider has only reported one data breach in five years of operation
▪ The freight company stores sensitive customer information, including payment card details
▪ Loss of these data would mean reporting a serious data breach to the Australian Information Commissioner, and probably result in customer-based fraud and negative publicity
Qualitative risk assessment - Example
▪ Let’s assess the risk:
– Likelihood
o Given the infrequent data breaches experienced by the cloud provider, a value of ‘once every five years’ is reasonable
– Impact
o Reporting to the OAIC, negative media coverage, senior management in damage control, possible fines and lawsuits from customers
– Risk = MEDIUM
Likelihood: Possible – The event is likely to occur on average once every five years
Impact: Moderate – Losses between $50,000 and $1,000,000; medium-term, or recurring negative lead stories in national media; business line executive management involved
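An added example (not the lecture's own code) that encodes the five likelihood tiers, the financial consequence bands and the 5×5 risk matrix from the preceding slides, and runs the freight-company assessment through them. Two assumptions are made here: each tier's "once every N years" is taken as the longest interval that tier covers, and the overall impact is rated by the worst of the three consequence dimensions.

```python
# Added example (not from the lecture): qualitative risk assessment using the
# lecture's likelihood tiers, financial consequence bands and 5x5 risk matrix.

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# Rows copied from the lecture's matrix, columns in IMPACT order.
RISK_MATRIX = {
    "Almost certain": ["Low", "Medium", "High", "Excessive", "Excessive"],
    "Likely":         ["Low", "Medium", "Medium", "High", "Excessive"],
    "Possible":       ["Low", "Low", "Medium", "Medium", "High"],
    "Unlikely":       ["Low", "Low", "Medium", "Medium", "High"],
    "Rare":           ["Low", "Low", "Low", "Medium", "High"],
}


def likelihood_tier(years_between_events: float) -> str:
    """Map an observed or estimated interval between events to a tier.
    Assumption: a tier's 'once every N years' is the longest interval it covers."""
    if years_between_events <= 1: return "Almost certain"
    if years_between_events <= 2: return "Likely"
    if years_between_events <= 5: return "Possible"
    if years_between_events <= 7: return "Unlikely"
    return "Rare"


def financial_tier(loss: float) -> str:
    """Financial-impact band from the lecture's consequence table
    (assumption: a band's lower bound is inclusive)."""
    if loss < 5_000: return "Insignificant"
    if loss < 50_000: return "Minor"
    if loss < 1_000_000: return "Moderate"
    if loss <= 10_000_000: return "Major"
    return "Catastrophic"


def overall_impact(*tiers: str) -> str:
    """Combine the financial, reputation and management dimensions by taking the
    most severe tier (assumption: the worst dimension drives the rating)."""
    return max(tiers, key=IMPACT.index)


def risk_rating(likelihood: str, impact: str) -> str:
    """Look the combination up in the lecture's matrix."""
    return RISK_MATRIX[likelihood][IMPACT.index(impact)]


def assess(years_between_events, estimated_loss, reputation_tier, management_tier):
    """Full qualitative assessment: returns (likelihood, impact, risk rating)."""
    lk = likelihood_tier(years_between_events)
    im = overall_impact(financial_tier(estimated_loss), reputation_tier, management_tier)
    return lk, im, risk_rating(lk, im)


if __name__ == "__main__":
    # Freight-company example: one breach in five years, a loss inside the $50,000-$1,000,000
    # band (constructed figure), national lead stories and business line executives involved
    print(assess(5, 200_000, "Moderate", "Moderate"))  # ('Possible', 'Moderate', 'Medium')
```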
Thank you