Security+ TechNotes - Risk Identification



Security is finally starting to become the hot issue it deserves to be in the 21st century. Companies spend tons on security technologies and professionals, and even the home user can no longer ignore the need for information security. But why exactly do we need security? What do we need to secure? And, how much should we spend on it? The answers to these questions differ a lot per organization, but the fact that these questions should be answered in any organization is something that is on its way to becoming common sense.

To find the answers, we first need to identify what we have: our assets. Next, we need to find out whether these assets have any vulnerabilities, and whether those vulnerabilities can pose any threats. Then the most difficult part follows: we need to estimate the likelihood of someone actually discovering the vulnerability and exploiting it – the risk. Once the risks are identified they can be reduced, but typically not eliminated, by implementing the proper countermeasures, also referred to as safeguards and controls.

The above describes risk identification, also referred to as risk analysis and risk assessment, in a very simplified form. Risk assessment is part of risk management, a discipline in its own right and a topic you could fill an entire library with. Its main purpose is to determine how much a company can reasonably spend on safeguards to reduce the risk to a tolerable level.

Asset identification

Asset identification is the first step towards a secure organization. Too many companies are too eager to implement the most expensive technology with strong encryption and state-of-the-art authentication systems, without first thoroughly identifying all their assets. Assets include the building and everything in and around it; anything that is part of the organization. This includes information systems and data, but also paper archives and human beings. Asset identification may sound like an easy job, but in many cases some assets are overlooked, and hence not secured. For example, a company implements a firewall for its 2Mbps shared Internet connection, but disregards the backup dial-up connection some distinguished employees have in their office. Laptops and removable media belonging to remote users, such as frequently traveling sales personnel, are also too often ‘forgotten’ when a formal asset identification is not performed prior to developing the company’s security program.

Vulnerability assessment

Once the assets are identified and you know what you need to protect, you can also find out where and how you are vulnerable. A vulnerability assessment should be performed to identify the vulnerabilities of the assets. For example, people tend to talk too much and can be careless with authentication credentials and other sensitive information. A corporate web server that serves both internal and external clients can be vulnerable to DoS attacks from the Internet. Operating systems and their configurations need to be checked for holes and possible exploits. Buildings are vulnerable to weather conditions; an office complex in a hurricane-prone area, for example, needs to consider the risk and possible resulting damage of a storm. Every identified asset should be checked for possible vulnerabilities.

Threat identification

When you know where and how you are vulnerable, threat identification will identify how these vulnerabilities can form a threat. A threat is basically anything that can go wrong, such as theft of data and physical assets, an earthquake, a network attack, a computer virus infection and much more. In terms of information security, anything that can tamper with the confidentiality, integrity, and availability of information systems is considered a threat. Confidentiality is all about keeping information secret and available only to authorized individuals. Integrity concerns the trustworthiness of information by ensuring information is not tampered with by unauthorized individuals. At least as important as the previous two is availability – keeping systems, services, and data available to legitimate users. Every topic in the CompTIA Security+ exam relates directly or indirectly to one or more of these three security principles. The same security principles also apply to physical security.

Risk identification

The most difficult part of this entire process is risk identification. A risk is the likelihood of a threat actually leading to an incident. Predicting the chances of something being stolen or damaged is not an easy task. For the sake of budgeting a security program, risks can be quantified in money. The following formulas can aid in quantifying risks:

Single Loss Expectancy (SLE) = asset value x Exposure Factor (EF)

Annualized Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO)

These formulas may seem a bit complicated at first, but the real challenge is feeding them with realistic variables. The first formula calculates the Single Loss Expectancy (SLE), which is the damage (e.g. in dollars) to an asset per specific incident. In most cases, the exact cost of recovering from an incident is difficult to calculate or estimate. When someone steals the backup tapes, the loss for the company can be much higher than just the cost of the tapes. If the data on the tapes ends up in the wrong hands, such an incident can have serious consequences. All the direct and indirect costs of a possible incident need to be included. The Exposure Factor (EF) is a percentage that indicates how much damage an incident can cause to a certain asset. Obviously the same incident can cause damage to multiple assets, so you need to calculate this for each asset. So the SLE for an incident involving a particular asset is the asset value multiplied by the Exposure Factor (EF).

Estimating the Annualized Rate of Occurrence (ARO) – how often an incident occurs per year – is another difficult task. It should be based on statistics gathered from both internal and external sources. In the case of physical security, an insurance company can provide realistic statistics for events such as theft and damage caused by storms. You are typically not the first one doing the same or similar calculations for known risks, so it is wise to leave this to companies and consultants that are experienced in risk assessment. Multiplying the ARO by the SLE from the first formula results in the Annualized Loss Expectancy (ALE), which indicates the money a company can reasonably spend per year on protecting the asset.
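As an added worked example (not part of the original TechNotes), the following Python applies the two formulas above to a few constructed assets and threats. The asset values, exposure factors and AROs are invented sample figures; the Asset and Threat classes and all function names are this example's own. It computes SLE and ALE per asset for each threat (since one incident can hit several assets), totals the ALE per threat, and finishes with the budgeting check the text describes: a safeguard's yearly cost should not exceed the ALE of the risk it addresses.

```python
"""Worked SLE/ALE calculation (added example, not from the original TechNotes)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # total value in dollars, direct and indirect costs included


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float           # Annualized Rate of Occurrence: expected incidents per year
    exposure: dict       # asset name -> Exposure Factor (fraction of asset value lost)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x EF. EF is a percentage, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("Exposure Factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. An ARO below zero makes no sense and is rejected."""
    if aro < 0.0:
        raise ValueError("Annualized Rate of Occurrence cannot be negative")
    return sle * aro


def ale_by_asset(threat: Threat, assets: dict) -> dict:
    """Per-asset (SLE, ALE) for one threat; one incident may damage several assets."""
    result = {}
    for asset_name, ef in threat.exposure.items():
        sle = single_loss_expectancy(assets[asset_name].value, ef)
        result[asset_name] = (sle, annualized_loss_expectancy(sle, threat.aro))
    return result


def total_ale(threat: Threat, assets: dict) -> float:
    """Sum of the per-asset ALEs: the expected yearly loss from this threat."""
    return sum(ale for _, ale in ale_by_asset(threat, assets).values())


def safeguard_is_justified(ale: float, annual_safeguard_cost: float) -> bool:
    """The text treats ALE as the ceiling for yearly spend on protecting the asset."""
    return annual_safeguard_cost <= ale


def risk_report(threats: list, assets: dict) -> list:
    """(threat name, total ALE) pairs, highest expected yearly loss first."""
    rows = [(t.name, total_ale(t, assets)) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data: values are illustrative, not real figures.
ASSETS = {
    "backup tapes": Asset("backup tapes", 200_000.0),      # media plus data-exposure fallout
    "file server": Asset("file server", 50_000.0),
    "office building": Asset("office building", 2_000_000.0),
}

THREATS = [
    # Tape theft loses the tapes entirely and costs some file-server restore effort.
    Threat("backup tape theft", aro=0.5, exposure={"backup tapes": 1.0, "file server": 0.1}),
    # A hurricane once per decade damages part of the building and most of the server.
    Threat("hurricane damage", aro=0.1, exposure={"office building": 0.25, "file server": 0.6}),
]


if __name__ == "__main__":
    for threat in THREATS:
        print(f"{threat.name} (ARO {threat.aro}):")
        for asset_name, (sle, ale) in ale_by_asset(threat, ASSETS).items():
            print(f"  {asset_name:16s} SLE ${sle:>12,.2f}  ALE ${ale:>12,.2f}")
    for name, ale in risk_report(THREATS, ASSETS):
        print(f"total ALE for '{name}': ${ale:,.2f}")
    tape_ale = total_ale(THREATS[0], ASSETS)
    # Example budgeting decision: a $20,000/yr off-site tape handling contract (constructed).
    print("off-site tape handling justified:", safeguard_is_justified(tape_ale, 20_000.0))
```

Running the script lists tape theft as the larger expected yearly loss ($102,500 versus $53,000 for hurricane damage), so a $20,000 per year control against tape theft falls well within what the ALE says the company can reasonably spend, while a control costing more than the ALE would not.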


Current related exam topics for the Security+ exam:

DOMAIN 5.0: Operational / Organizational Security

5.7 Understand and be able to explain the following concepts of risk identification

- Asset Identification
- Vulnerabilities
- Threat Identification
- Risk Assessment

Date: Saturday, August 18, 2005
Author: Johan Hiemstra
MCSA 2000/2003 Security+ CWNA