Five Steps to Risk Reduction

Transcription

1 Five Steps to Risk Reduction Learn to identify and reduce risk by following these five steps. BY ED WA R D J J 0 P E C K EVERYONE KNOWS it's important to protect the crown jewels - or the corporate equivalent - but it's not always obvious which assets deserve the royal treatment. In the case of one high-tech company with which the author's firm worked, for example, interviews with employees revealed that proprietary software critical to continued operations was not being backed up. The oversight exposed the company to the possibility of a fatal disruption in its production cycle. Thanks to a robust risk management approach, the problem was identified before crisis could strike. Risk analysis enables security professionals to make wellfounded decisions about the allocation of scarce resources, and it provides solid data on which to base funding requests. But to be truly effective, risk analysis cannot be a one-time effort. It must be an ongoing process. (That process at the author's firm is referred to as Continuous Risk Management.) The process usually starts when a problem is identified and follows through until the countermeasures are implemented, tested, and evaluated. After the cycle is completed, its evaluation and testing phase will ensure that any new problems that emerge will be identified, leading the organization back to the start of the risk management cycle. There are five steps in the continuous risk management cycle: planning and direction, risk analysis (-which itself has several components), elevation and presentation, decision making, and implementation and evaluation. Planning and Direction THE FIRST STEP IN THE continuous risk management cycle is planning and direction, which requires the involvement of line managers and their subordinates as well as the support of top management. In this phase, the security manager assembles a multidisciplinary team, and preferably with the team, sets the scope of the analysis (for example, the company might assess a facility in terms of risks due to terrorism), and attempts to identify the most likely problems the team will encounter during the assessment. This step requires in-depth knowledge of the organization's mission and current political and budgetary environment. At the high-tech firm mentioned in the opening to this story, for example, consultants sat down with the director of security and the operations manager, who spelled out the scope of that analysis. They were looking to cover terrorism, competitive intelligence collection, general crime, and internal security issues. Emphasis was placed on protecting human assets and continued operations of the company. The team leader must let the team know/ that the assessment will be honest and unrestricted by fears of challenging the status quo. It should be understood that the analysis may be controversial, unwelcome, or even threatening to others. But those involved in the assessment need to be encouraged to think for themselves, guard their objectivity from inappropriate influences, and deliver the facts with integrity and without fear of retribution. While this may appear to be just good management practice, it becomes especially critical in the analytical environment in order to result in an objective, unpoliticized product. Risk Analysis RISK ANALYSIS IS, OF COURSE, the heart and soul of the continuous risk management process. It can be broken into five steps: asset assessment, threat assessment, vulnerability assessment, qualifying and quantifying risk, and countermeasures identification and analysis. Asset assessment. The first step in a typical risk analysis is the asset assessment, which helps the risk manager identify and focus only on the assets that are worthy of protection. Ideally, the result of the asset assessment is a worksheet that identifies and maps valued assets and their relationship to one another. Without such a worksheet, it will become difficult, if not impossible, to manage and interpret the mass of information that the analyst will gather during subsequent research and interviews. To identify assets, the team will interview program managers, facilities managers, and computer systems managers. (For the purposes of risk management analysis, these individuals can be called "asset managers.") 2000 Security Management Magazine Page 1

2 Through discussion with the asset managers, one can get their impressions of what the expected consequences would be if each individual asset were lost, harmed, or otherwise adversely affected. Using this information the assets can be ranked in order of the consequence of their loss. Also included in the asset assessment is the identification of unwanted events. Since the unwanted event is the focal point of the entire risk analysis, each event that could adversely affect a specific asset is documented and considered in connection with the asset or assets to which it corresponds. Common unwanted events include loss of life due to terrorist bombing and unauthorized access to sensitive files due to weak password policies. Threat. The second step in conducting a risk analysis is the threat assessment. The purpose of this step is to determine which adversaries or events are most likely to cause harm to the identified assets. It replaces intuition with hard data. It also replaces the emphasis on vulnerabilities as the driver for security programs. To determine the threat level posed by adversaries, the team will gather information about the capabilities, intent, and history of adversaries attacking the assets of similar organizations. (Natural disasters, power outages, and accidents can also be included as threats, although they do not possess intent. In that case, the analysts will examine historical data and expert predictions.) In the case of the high-tech firm referred to earlier in the article (a computer operations and call center), the consultants identified potential adversaries in pan by looking at the records of the company's small security department. They noticed incidents of attempted break-ins, bomb threats, and threats by disgruntled employees. From their research, they culled a list of adversaries and potential adversaries. One surprise was the discovery of a case in which a person claiming to be a repairman was caught attempting to steal proprietary data. He was able to leave the premises without being identified, and the company never discovered who had hired him, but the case proved that competitive intelligence operatives belonged on the list of likely adversaries. The assessment went beyond the security records of past incidents and looked at the company's business activities for other clues to potential adversaries. It was determined that taking down the company would result in a significant part of the Internet going down, which could impede the ability of the United States to mobilize its military forces. Thus, the company might become the target of a foreign government or rogue terrorist group attempting cyberwarfare. This risk had not been previously considered. Vulnerability. The third step in a typical risk analysis is the vulnerability assessment, which encompasses the traditional security survey. It requires the analyst to look at an asset as each of the identified adversaries might look at it. Specifically, analysts begin by studying the asset and asking themselves (or other subject matter experts): "If I were a petty thief, how would I steal this asset?" and "If I wanted to physically harm that computer system, what would I do?" and so on down the list of adversaries and unwanted events. Vulnerability information can be obtained from a variety of sources. A good starting place is always the people who work closely to protect the asset. For example, security guards almost always recognize vulnerabilities in their existing countermeasures either through experience or careful evaluation of their surroundings. Likewise, computer system administrators are likely to be aware of information systems vulnerabilities through a combination of experience, professional publications, Web sites that list vulnerabilities, and professional contacts. Through interviews and observation, a number of vulnerabilities were noted at the computer operations and call center. For example, guests could generally walk unbadged and unescorted into the facility. Staff propped open doors when they stepped out for a smoke, or they opened the doors so often that the latches failed. But the analysis showed that the biggest vulnerability was terrorism, which had the ability to wipe out people, operations, and equipment. Observing that the building had virtually no standoff distance, was one-story tall, had a glass front, and had critical operations occurring next to an outer wall, the author's firm concluded that the facility couldn't effectively be hardened against terrorism, which meant that relocation should be considered. (Some lesser measures were recommended in case the company decided to accept the risk). Given that companies have often already implemented some security measures, the analyst will have to consider how to view the asset when assessing vulnerability. There are two possible approaches, which we'll call the progressive approach, which looks at the asset from this point in time forward, and the regressive approach, which views the asset from a point in time before the protective measures - were installed. Progressive analysis. The simplest way to evaluate an asset is to view it in the context of the existing countermeasures. To use this technique, the analyst determines how the existing countermeasures reduce vulnerability to the unwanted events. But the simplest approach is not always the best approach. Although this method gives the analyst a realistic picture of the current situation, it is not especially useful for evaluating what might be the best countermeasures (in terms of efficacy and cost), and it also does not help determine whether any countermeasures currently in place are unnecessary Security Management Magazine Page 2

3 Analysts using this approach should also consider that the existing countermeasures may have been recommended and implemented at a different time, possibly with different threats in mind, or with different assets to protect. The progressive approach can also make it more difficult to add future countermeasures, as issues of compatibility and continuation of the earlier security strategy can limit the number of options available for future countermeasures and can leave the company dependent on outdated and ineffective countermeasures even though more effective technology is available. Regressive analysis. A better way to assess asset vulnerability is to view each item as if it were in an unprotected state, disregarding any protective measures that have been put in place. After rating the vulnerability without the existing countermeasures, the analyst then reevaluates the asset taking into consideration the existing countermeasures. (The differences between the unprotected and protected ratings represent the efficacy of the existing countermeasures.) Ineffective countermeasures can then be identified and can later be recommended for elimination to save or reallocate funds. Although the regressive analysis technique requires a little more work, it is better suited to assessments where an existing countermeasure or security program is being studied for elimination or reduction in resources. The result is a clearer comparison of each countermeasure and the benefit it provides in reducing risks. This information can also be useful to managers in weighing existing countermeasures against replacement options. In short, it provides a metric for risk reduction that is used to make a business case for security funding. Risk assessment. The risk assessment is the phase during which findings from the earlier steps (asset, threat, and vulnerability) are combined to give a complete picture of the risks to an asset or group of assets. Several techniques for calculating risks exist. They range from simple qualitative systems to those based on complex mathematical formulas. Still others are hybrids of the two. While it is not possible to discuss and compare each system in depth here, some common and useful features can be highlighted. With most of the techniques used to calculate risk, the analyst is seeking to aggregate information from the following questions: What is the likely impact if an identified asset is lost or harmed by an identified unwanted event? How? likely is it that an adversary can and will attack those identified assets? What are the most likely vulnerabilities that the adversary or adversaries will use to target the identified assets? At this stage a final worksheet, or grid, is frequently used in aligning all of this information into a readable and easily understood format. In the grid, threat categories and unwanted events are rated as to the asset loss impact, threat, vulnerability, and overall risk. For example, loss of business due to a competitor's acquisition of proprietary data might be judged to have a high loss impact to the company. The threat of a competitor trying to acquire that proprietary data might be judged to be moderate, and the vulnerabilities that would allow them to acquire that data might also be considered moderate. Collectively, those three aspects would constitute an overall moderate risk. Using the master risk analysis worksheet as a guide, the analyst should review all of the important factors associated with that single asset, referring back to the earlier worksheets and supporting data when necessary to understand how each threat and vulnerability increases or decreases the overall risk Security Management Magazine Page 3 By reviewing these ratings, the analyst can finally begin to make an informed judgment on how "at risk" each of the assets is. In the case of the computer operations and call center, the biggest risk was determined to be the loss of life, continued business operations, and operating capability resulting from a terrorist attack. Espionage was judged to be a moderate risk, because, while harmful, it wouldn't necessarily lead to the destruction of the business. Countermeasures. The fifth step in the risk analysis is identifying countermeasures, costs, and trade-offs. The objective is to develop a list of countermeasures, or groups of countermeasures, that provide a range of protective values. One common approach is to organize recommendations into three optional categories: risk averse, risk tolerant, and risk accepting. Risk averse. The risk-averse package gives the optima] solution, which would reduce risk to the greatest degree possible. Risk tolerant. The risk-tolerant option strikes a balance between the needs of security and business constraints, such as funding limitations. Risk acceptance. The risk-acceptance option typically reflects the highest acceptable amount of risk assumed by the company with the least possible cost. This is a highly subjective judgment. When presenting each alternative, the security team should make sure that management understands the level of the risk being accepted and the potential consequences. With regard to the computer operations and call center, for example, the author's firm told management that the facility couldn't be adequately protected from terrorism, and it recommended that critical operations be moved to a secure second facility.

4 As an alternative "risk-tolerant" option, the author's firm suggested a package of countermeasures that included steps such as physically separating the critical computer operations center from the call center, controlling access to the computer center, and providing escorts for visitors. After weighing the costs and potential consequences, the company chose to move its critical operations to another site. To reduce the risk of espionage, the firm recommended such measures as screening of on-site workmen, changing the reception area to a guard service area, reconfiguring and redirecting the CCTV system, and implementing a badging system. This advice was accepted as well. Presentation AFTER AN ANALYSIS is completed, the security manager must make sure that the findings are presented to the appropriate decision-maker within the company, known in risk management parlance as the risk acceptance authority (RAA). The RAA is that person with the resources and authority to fund the recommended countermeasures or to accept the risk for not authorizing them. The security manager may be one or more levels removed from the RAA. It may, therefore, help for the security manager to involve other department heads in promoting the project to senior management. Once the RAA is identified, the analysis must be conveyed in a clear, concise, and compelling manner. By using one or more risk assessment worksheets, the security manager (or other presenter) can show the basic information necessary to create a clearly defined logic trail that supports either a formal briefing or a written analysis report to present the countermeasure case. Decision making. The goal of the entire process up to this point has been to gather good data that can lead to good decision making. If the security team has done its job, it will have collected, analyzed, and presented the facts in such a way that senior management will be compelled to take an honest look at the company's risk picture, and choices will be based on this clear vision rather than on wishful thinking or misconceptions. Structuring a case in this way helps the security department to compete with other business units for resources. The decision-maker must strike the balance between these competing business needs. Once a decision-maker has decided on the analysis and the countermeasures to be employed, it is vital for the analyst and managers to document this decision. This can be done by anyone with a simple memorandum for the record or an addendum to the analysis. The record of the decision (and any resulting actions delegated to subordinates by the decision-maker) should be maintained in the files with the original analysis. In this way, all panics to the decision have a clear understanding of what was decided and what to do next. This process, while not always embraced by individuals making decisions, is nevertheless essential to establishing accountability and recording the decisions made by the organization. When decision-makers choose a course of action based on a thorough risk analysis, they are engaging in risk management. Doing so gives the company a solid basis for its actions and a clear paper trail with documentation of all the relevant factors known at the time, which will serve as a historical record of the careful consideration given to the decision. The well-documented security analysis will strengthen the company's hand should an event occur that leads to the need to defend security choices in court or before governing bodies. Implementation. Once senior management has agreed to implement a given set of countermeasures, it is usually left to the security department or others down the chain of authority to implement the new procedures and see to the installation of equipment. But those initial efforts must be viewed as only the first step in the process. If security is to remain effective over time, the company must also be committed to a continuing process of testing and reevaluation. With regard to evaluation, the organization should monitor changes in assets, threats, and vulnerabilities over time. It must continuously reevaluate the adequacy of countermeasures in light of changes to the risk profile. With regard to testing, a routine should be developed and followed. (When countermeasures are not periodically tested, management cannot be certain that they are working as intended.) Ideally, the more critical the countermeasure, such as an antiterrorism device, the more frequently it should be checked. Whether this entails a review of logs, interviews with operators, or actual penetration testing is typically determined by a combination of factors, including safety, time, cost, and the acceptability of interrupting normal operations. Risk management is evolving into an important tool for many government and industry security professionals. Those who understand how to apply its principles will find that it can help them both in determining the right risk-reduction options and in winning senior management's support for funding those measures. Edward ]. Jopeck is the director of risk management programs with Veridian- Trident Data Systems. Previously, he was a security analyst with the CIA, where he participated in the development of a community-wide risk management training program and can-ducted numerous risk analyses. This article originally appeared in the August 2000 issue of Security Management Security Management Magazine Page 4

5 You will be required to discuss this paper in class on day 1. Please use the space below to prepare in advance any notes which you think will be relevant to discussion Security Management Magazine Page 5