Standards, Security, and Audit
Information security –
risk identification is all
Karsten M. Decker
Job Positions
Karsten M. Decker is owner and CEO of Decker Consulting GmbH.
Previously, he served, among others, as the Managing Director of the
Swiss Center for Scientific Computing and as Assistant Professor at
the University of Bern. As a member of the standard committee INB
NK 149 UK 7 of the Swiss Association for Standardization (SNV),
Karsten Decker actively contributes to the development of the
standards of the ISO/IEC 27000 family in ISO JTC 1/SC 27.
Contact Information
+41 (41) 790-9080
decker@mit-solutions.com
www.mit-solutions.com
linkedin.com/karsten.decker
Information security risk identification
What is it about?
Information security risk identification concerns the
identification of risks associated with the loss of:
 confidentiality;
 integrity;
 availability
for all information within the scope of the risk management
process.
Risk: effect of uncertainty on objectives (the ISO 31000 definition)
Information security risk identification
Why is it important?
Risks that are not found during risk identification are missing from:
 risk analysis;
 risk evaluation;
 risk treatment.
Poor risk identification
means poor risk management
Information security risk identification
How can it be done?
There are different approaches for methodological risk
identification, for instance:
 the predominantly effect-oriented event-based approach;
 the cause-oriented approach based on assets, threats
and vulnerabilities.
Information security risk identification
What is crucial for success?
Critical success factors are:
 top management takes its leadership role
comprehensively and effectively;
 the scope of risk identification is kept manageable;
 the persons involved demonstrably have sound
assessment skills.
The risk management process
Overview
Preparing the risk identification process
Overview
To prepare the risk identification process, it is required to:
 determine the context;
 determine the scope of risk assessment;
 determine the necessary risk criteria.
Preparing the risk identification process
Determine the context
The context comprises:
 issues:
outside the control of the organization;
under the control of the organization
that are relevant to its purpose;
 interested parties:
outside the organization;
within the organization
that are relevant for risk management.
Preparing the risk identification process
External issues
 Which issues outside the control of the organization exist
that are relevant to its purpose?
 Society
 Culture
 Political environment
 Legislation
 Normative environment
 Regulatory framework
 Market demand for the organization's offerings
 Overall economic environment
 Technological change
 Environment
 Competitive situation
Preparing the risk identification process
Internal issues
 Which issues under the control of the organization exist
that are relevant to its purpose?
 Culture of the organization
 Policies, objectives and strategies in
place to achieve them
 Governance, organization’s
structure, roles and responsibilities
 Standards, guidelines and models
adopted by the organization
 Contractual relationships
 Processes and procedures
 Capabilities in terms of resources
and knowledge (capital, time,
persons, processes, systems,
technologies)
 Physical infrastructure
 Information systems and flows
 Audits and risk assessments
Preparing the risk identification process
External interested parties
 Which interested parties outside the organization exist
that are relevant for risk management?
 What are their requirements with respect to information
security?
 Legislators
 Regulators
 Shareholders including owners and
investors
 Suppliers
 Contractors
 Auditors
 Competitors
 Customers
 Industry organizations
 Interest groups
 Activist groups
 General public
Preparing the risk identification process
Internal interested parties
 Which interested parties within the organization exist that
are relevant for risk management?
 What are their requirements with respect to information
security?
 Board of directors
 Executive management
 Line management of business units
 IT management
 Human resource management
 Facility management
 Process and asset owners
 Risk owners
 Information security specialists
 Employees
Preparing the risk identification process
Determine the scope
Two things are required:
 determine the boundaries and applicability of the risk
management process:
functions of the organization (products & services);
processes of the organization;
sections of the organization;
 determine the interfaces and dependencies:
legal;
contractual;
physical;
technical.
Preparing the risk identification process
Determine the necessary risk criteria
Risks associated with the loss of confidentiality, integrity
and availability within the scope of the risk management
process may result in consequences for the business
activities of an organization.
Consequences are therefore described with standardized
consequence criteria, to ensure:
 consistent and reproducible results;
 comparable results when risk identification is repeated.
Preparing the risk identification process
Determine the necessary risk criteria
Examples of consequence criteria
Consequence criteria for availability:
 Service degradation
 Unavailability of services
 Business interruption
Consequence criteria for integrity:
 Incorrect delivery due to conflicting data
 Impossibility to create a correct annual financial statement
 Inability to meet legal obligations
Consequence criteria for confidentiality:
 Infringement of privacy of internal or external users
 Loss of competitive advantage
 Loss of technological lead
The risk identification process
Process requirements
The risk identification process shall ensure that:
 all risks are considered with the necessary level of detail;
 the results are consistent and reproducible, i.e. they can
be understood by a third party;
 its results are the same when different persons identify
the risks in the same context;
 the results of repeated risk identifications are
comparable.
The risk identification process
Approaches to risk identification
Two approaches are commonly used to identify risks:
 an event-based approach;
 an approach based on the identification of assets,
threats and vulnerabilities.
Both approaches are consistent with the principles and
general guidelines of ISO 31000 for risk assessment.
Other approaches may be used but are only recommended
if they are able to meet the process requirements on the
risk identification process.
Event-based approach
Overview
Identify risks by looking at:
 events;
 their consequences.
Considered events can:
 have happened in the past;
 be expected for the future.
The event-based approach is
predominantly effect-oriented
Event-based approach
Events and their causes
Conduct the following two steps:
 describe possible events by considering the questions:
who?
what?
where?
when?
why?
 determine the causes of these events to gain a deeper
understanding of the risks and to provide information on
the underlying threats and vulnerabilities.
Event-based approach
Events (excerpt from an event catalog)
Event type: events
 Internal fraud: forging of data or documents; execution of an unauthorized transaction
 External fraud: theft by third parties; hacking
 Employment practices: failure to terminate employment; violation of safety regulations
 Customers, products and business practices: violation of privacy; abuse of confidential information
 Damage to physical assets: destruction by terrorist attacks; destruction of equipment and facilities
 Operation error and system error: failure of an information system; destruction of the power supply
 Execution, fulfillment and handling of processes: agreed performance has not been provided; incomplete customer records
Event-based approach
Consequences
Describe the possible consequences for all events
determined:
 consequences which cannot be matched with the
objectives of the organization do not contribute to the
risks and can therefore be ignored;
 however, if such consequences are perceived to actually
contribute to risks, this indicates that there are omissions
in the list of objectives of the organization that should be
corrected.
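The two steps of the event-based approach (describe events by who, what, where, when and why, then trace their causes) together with the objective check on the Consequences slide, as an added worked example in Python that is not part of the original deck. The organization's objectives, the three sample events, their causes and their consequences are constructed for illustration; only the event types are taken from the catalog excerpt above. A consequence that maps to no listed objective is reported rather than silently dropped, because, as the slide notes, it may reveal an omission in the list of objectives.

```python
# Added example (not from the deck): the event-based approach as a runnable
# sketch. Event types are the catalog categories from the slides; OBJECTIVES,
# the three events (with the who/what/where/when/why answers), their causes
# and their consequences are constructed for illustration.
from dataclasses import dataclass

# Constructed objectives of a hypothetical organization, each tagged with the
# security property (C, I or A) whose loss would defeat it.
OBJECTIVES = {
    "protect customer privacy": "C",
    "produce a correct annual financial statement": "I",
    "deliver agreed services": "A",
}

@dataclass(frozen=True)
class Consequence:
    description: str
    objective: str  # the objective this consequence is claimed to affect

@dataclass(frozen=True)
class Event:
    event_type: str  # catalog category, e.g. "Internal fraud"
    name: str        # catalog entry, e.g. "Forging of data or documents"
    origin: str      # "past" (incident records) or "expected"
    who: str         # step 1: the five questions from the slides
    what: str
    where: str
    when: str
    why: str
    causes: tuple[str, ...]  # step 2: point at underlying threats/vulnerabilities
    consequences: tuple[Consequence, ...]

@dataclass(frozen=True)
class Risk:
    event: Event
    consequence: Consequence
    property_lost: str  # "C", "I" or "A", from the matched objective

def sample_events() -> list[Event]:
    return [
        Event("Internal fraud", "Forging of data or documents", "expected",
              who="employee with write access to the general ledger",
              what="alters booked entries", where="finance application",
              when="during year-end close", why="to hide an operating loss",
              causes=("Lack of segregation of duties", "Lack of access logging"),
              consequences=(
                  Consequence("annual financial statement is incorrect",
                              "produce a correct annual financial statement"),
                  # this objective is deliberately missing from OBJECTIVES
                  Consequence("regulator imposes a fine",
                              "comply with financial regulation"))),
        Event("Operation error and system error",
              "Failure of an information system", "past",
              who="operations team", what="order system crashes after an update",
              where="order server", when="during business hours",
              why="update was rolled out untested",
              causes=("Insufficient security training", "Single point of failure"),
              consequences=(Consequence("customers cannot place orders for a day",
                                        "deliver agreed services"),)),
        Event("Customers, products and business practices",
              "Violation of privacy", "expected",
              who="external attacker", what="downloads customer records",
              where="customer portal", when="any time",
              why="resale of personal data", causes=("Lack of encryption",),
              consequences=(Consequence("customer data disclosed",
                                        "protect customer privacy"),)),
    ]

def identify(events: list[Event], objectives: dict[str, str]):
    """Match every consequence against the objectives. A match becomes a risk.
    A consequence that maps to no listed objective is returned separately, not
    dropped: per the slides it can be ignored, unless the assessors are convinced
    it does contribute to risk, in which case the objective list is incomplete."""
    risks, unmatched = [], []
    for ev in events:
        for c in ev.consequences:
            if c.objective in objectives:
                risks.append(Risk(ev, c, objectives[c.objective]))
            else:
                unmatched.append((ev.name, c))
    return risks, unmatched

def underlying_causes(risks: list[Risk]) -> list[str]:
    """Step 2: the causes behind the identified risks, i.e. the threats and
    vulnerabilities an asset-based pass would examine next."""
    return sorted({cause for r in risks for cause in r.event.causes})

if __name__ == "__main__":
    found, open_points = identify(sample_events(), OBJECTIVES)
    for r in found:
        print(f"[{r.property_lost}] {r.event.name}: {r.consequence.description}")
    for name, c in open_points:
        print(f"objective '{c.objective}' (from {name}) is not listed: omission?")
    print("causes to examine:", underlying_causes(found))
```

Running the script lists three risks tagged with the property lost, flags the one consequence whose objective is not in the list, and prints the causes collected in step 2; those causes are exactly the kind of threat and vulnerability information the slides say the event-based approach can only hint at.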
Event-based approach
Advantages and disadvantages
Advantages:
 can be used with comparatively little effort;
 suitable for creating a first, coarse picture of the
information security risks;
 supports focusing on the critical risks.
Disadvantages:
 existing threats and vulnerabilities are not determined;
 targeted selection of controls in the subsequent risk
treatment process is more difficult;
 risks can be overlooked.
Asset, threat, vulnerability-based approach
Overview
Identify risks by determining:
 assets;
 threats;
 vulnerabilities;
 associated consequences.
The asset, threat, vulnerability-based approach is
cause-oriented
Asset, threat, vulnerability-based approach
Identification of assets
Primary assets:
 consist of the information of central importance for the
purpose of the organization.
Supporting assets:
 can be viewed as containers in the broader sense to
process, store, archive, or otherwise manipulate or
handle the primary assets;
 can be classified into hardware, software, network,
personnel, site and organization.
Asset, threat, vulnerability-based approach
Threats (excerpt from a threat catalog)
Threat type: examples
 Physical damage: fire; water
 Natural events: earthquake; flooding
 Loss of essential services: failure of air-conditioning; power outage
 Disturbance due to radiation: electromagnetic radiation; thermal radiation
 Compromise of information: eavesdropping; theft of documents
 Technical failures: equipment failure; saturation of the information system
 Unauthorized actions: unauthorized use of equipment; use of counterfeit software
 Compromise of functions: abuse of rights; forging of rights
Asset, threat, vulnerability-based approach
Vulnerabilities (excerpt from a vulnerability catalog)
Vulnerability type: examples
 Hardware: insufficient maintenance; portability
 Software: lack of access logging; complicated user interface
 Network: lack of encryption; single point of failure
 Personnel: insufficient security training; lack of supervision
 Site: unstable power grid; location in an area susceptible to flood
 Organization: lack of segregation of duties; no job descriptions
Asset, threat, vulnerability-based approach
Advantages and disadvantages
Advantages:
 allows the consequences of events to be linked
systematically to the vulnerabilities of assets and
controls;
 provides the prerequisites for optimal selection of
controls and risk-based decisions on their breadth and
depth of implementation;
 ensures that all relevant risks are taken into account,
to the extent that the asset, threat and vulnerability
catalogs are complete.
Disadvantages:
 the number of asset, threat and vulnerability
combinations, and thus of events to examine, can grow
rapidly.
Risk identification in practice
Leadership and commitment
Top management must:
 ensure that the responsibilities for the risk management
process and its application are appropriately positioned
and integrated into the organization;
 convey the importance of the effectiveness of this
process for the success of the organization;
 provide the necessary resources in terms of people,
time, financial resources, and information for the
development of the process, its application and its
continual improvement.
Risk identification in practice
Education and training
Information security risk identification is special:
 an intuitive, generic understanding of risks is insufficient;
 risks can only be analyzed when they are identified;
 persons capable of assessing financial or entrepreneurial
risks successfully may lack the competence it requires;
 adequate education and/or training is indispensable;
 profound assessment skills throughout the entire
process are required;
 involved persons must have competence and experience
to deal with imprecision and uncertainty.
Risk identification in practice
Sensitization and awareness
Effective risk identification requires that:
 new causes of risks and other relevant information are
promptly picked up and fed into the risk
identification process;
 all employees at all hierarchical levels of the organization
are aware that they are constantly exposed to
information security risks and shall at all times contribute
to their avoidance;
 everyone is aware that neither IT resources nor the IT
department can be a universally effective and protective
shield.
Risk identification in practice
Challenges
Key challenge:
 keep the extent of risk identification manageable.
Two approaches have proven to be practicable:
 focusing;
 coarsening.
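The cause-oriented combination of assets, threats and vulnerabilities from the preceding slides, the rapid growth of combinations named as its disadvantage, and the two practicable countermeasures named here (focusing and coarsening), as an added Python example that is not part of the original deck. The catalog entries and consequence criteria come from the excerpts above; the asset inventory, the links from each vulnerability to the threat types that exploit it, the property (C, I or A) each threat example compromises, the asset values, and the concrete reading given to focusing (restrict to primary assets above a value threshold) and coarsening (treat all supporting assets of one type as a single asset) are assumptions made for this example.

```python
# Added example (not from the deck): asset/threat/vulnerability-based risk
# identification, its combinatorial growth, and focusing/coarsening to contain
# it. Catalog entries and consequence criteria follow the slides; everything
# else (assets, vulnerability->threat links, C/I/A tags, asset values, the
# exact reading of focusing and coarsening) is assumed for illustration.
from collections import defaultdict
from dataclasses import dataclass

# Consequence criteria from the slides, keyed by the property whose loss they describe.
CONSEQUENCE_CRITERIA = {
    "A": ["Service degradation", "Unavailability of services", "Business interruption"],
    "I": ["Incorrect delivery due to conflicting data",
          "Impossibility to create a correct annual financial statement",
          "Inability to meet legal obligations"],
    "C": ["Infringement of privacy of internal or external users",
          "Loss of competitive advantage", "Loss of technological lead"],
}
# Threat catalog: threat type -> [(example, properties lost)]; C/I/A tags assumed.
THREATS = {
    "Technical failures": [("Equipment failure", "A")],
    "Unauthorized actions": [("Unauthorized use of equipment", "CI")],
    "Compromise of functions": [("Abuse of rights", "CI"), ("Forging of rights", "CI")],
    "Compromise of information": [("Eavesdropping", "C")],
    "Loss of essential services": [("Power outage", "A")],
}
# Vulnerability catalog: (supporting asset type, example, threat types able to
# exploit it); the exploitation links are assumed.
VULNERABILITIES = [
    ("hardware", "Insufficient maintenance", {"Technical failures"}),
    ("software", "Lack of access logging", {"Unauthorized actions", "Compromise of functions"}),
    ("network", "Lack of encryption", {"Compromise of information"}),
    ("network", "Single point of failure", {"Technical failures"}),
    ("personnel", "Insufficient security training", {"Compromise of functions"}),
    ("site", "Unstable power grid", {"Loss of essential services"}),
]

@dataclass(frozen=True)
class Primary:
    name: str
    value: int  # constructed 1 (low) .. 3 (high); used only for focusing

@dataclass(frozen=True)
class Supporting:
    name: str
    asset_type: str           # hardware, software, network, personnel, site or organization
    supports: frozenset[str]  # names of the primary assets it handles

@dataclass(frozen=True)
class Risk:
    primary: str
    supporting: str
    vulnerability: str
    threat: str
    lost: str  # subset of "CIA"

    def consequences(self) -> list[str]:
        # standardized consequence criteria for the properties lost
        return [c for p in self.lost for c in CONSEQUENCE_CRITERIA[p]]

def sample_assets() -> tuple[list[Primary], list[Supporting]]:
    # constructed inventory: two primary and seven supporting assets
    both = frozenset({"customer records", "marketing brochure"})
    cust = frozenset({"customer records"})
    primaries = [Primary("customer records", 3), Primary("marketing brochure", 1)]
    supporting = [
        Supporting("CRM server", "hardware", cust),
        Supporting("backup server", "hardware", both),
        Supporting("file server", "hardware", frozenset({"marketing brochure"})),
        Supporting("CRM application", "software", cust),
        Supporting("office LAN", "network", both),
        Supporting("data center", "site", both),
        Supporting("helpdesk staff", "personnel", cust),
    ]
    return primaries, supporting

def identify(primaries: list[Primary], supporting: list[Supporting]) -> list[Risk]:
    """Every chain primary <- supporting <- vulnerability <- threat in which the
    vulnerability matches the supporting asset's type and the threat can exploit
    it. The count is a product of list lengths: the growth the slides warn about."""
    in_scope = {p.name for p in primaries}
    risks = []
    for s in supporting:
        for vtype, vuln, threat_types in VULNERABILITIES:
            if vtype != s.asset_type:
                continue
            for ttype in sorted(threat_types):
                for example, lost in THREATS[ttype]:
                    for p in sorted(s.supports & in_scope):
                        risks.append(Risk(p, s.name, vuln, example, lost))
    return risks

def focus(primaries: list[Primary], min_value: int) -> list[Primary]:
    """Focusing (as read here): keep only primary assets at or above a value."""
    return [p for p in primaries if p.value >= min_value]

def coarsen(supporting: list[Supporting]) -> list[Supporting]:
    """Coarsening (as read here): merge all supporting assets of one type into
    one asset that supports the union of what its members support."""
    by_type: dict[str, set[str]] = defaultdict(set)
    for s in supporting:
        by_type[s.asset_type] |= s.supports
    return [Supporting(f"all {t}", t, frozenset(n)) for t, n in sorted(by_type.items())]

if __name__ == "__main__":
    prim, supp = sample_assets()
    print(len(identify(prim, supp)), len(identify(focus(prim, 3), coarsen(supp))))
```

With the constructed inventory the full enumeration yields 15 risks; focusing on the high-value primary asset alone brings it to 10, coarsening the supporting assets by type to 13, and both together to 9. The reduction comes at a price the slides also hint at: a coarsened entry such as "all hardware" no longer says which server carries the risk, so control selection in the treatment phase gets correspondingly less targeted.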
Risk identification in practice
Continual improvement
Possible approach:
 target a coarse but clear picture of the information
security risks by applying the event-based approach;
 apply the asset, threat, vulnerability-based approach to
provide the basis for determining the inherent risks and
assessing the appropriateness of already implemented
controls;
 apply the asset, threat, vulnerability-based approach to
gradually improve the risk-based preservation of
confidentiality, integrity and availability of information,
and to adapt to current requirements and threats.
Risk identification in practice
Further information
This presentation is based on the article
"Information security - without methodical risk identification
everything is nothing",
published in the Springer journal HMD Praxis der
Wirtschaftsinformatik, 54(1), 21-36, 2017; DOI
10.1365/s40702-017-0288-3 (in German).
An English translation with extended content is in
preparation
THANK YOU