Karsten M. Decker is an expert in information security standards and risk identification. He currently works as the owner and CEO of Decker Consulting GmbH, and previously held positions including Managing Director of the Swiss Center for Scientific Computing and Assistant Professor at the University of Bern. He actively contributes to the development of ISO/IEC 27000 information security standards. The document provides an overview of information security risk identification, including why it is important, how it can be done, and what factors are critical to its success. It discusses preparing for the process, different approaches like event-based and asset-threat-vulnerability models, and requirements.
Karsten M. Decker
Job Positions
Karsten M. Decker is owner and CEO of Decker Consulting GmbH. Previously, he served, among others, as the Managing Director of the Swiss Center for Scientific Computing and as Assistant Professor at the University of Bern. As a member of the standards committee INB NK 149 UK 7 of the Swiss Association for Standardization (SNV), Karsten Decker actively contributes to the development of the standards of the ISO/IEC 27000 family in ISO JTC 1/SC 27.
Contact Information
+41 (41) 790-9080
decker@mit-solutions.com
www.mit-solutions.com
linkedin.com/karsten.decker
Information security risk identification
What is it about?
Information security risk identification concerns the identification of risks associated with the loss of:
- confidentiality;
- integrity;
- availability
for all information within the scope of the risk management process.
Risk: effect of uncertainty on objectives
Information security risk identification
Why is it important?
Risks not identified during risk identification are missing from:
- risk analysis;
- risk evaluation;
- risk treatment.
Poor risk identification means poor risk management.
Information security risk identification
How can it be done?
There are different approaches for methodological risk identification, for instance:
- the predominantly effect-oriented event-based approach;
- the cause-oriented approach based on assets, threats and vulnerabilities.
Information security risk identification
What is crucial for success?
Critical success factors are:
- top management takes its leadership role comprehensively and effectively;
- the scope of risk identification is kept manageable;
- the persons involved demonstrate sound assessment skills.
Preparing the risk identification process
Overview
To prepare the risk identification process, it is required to:
- determine the context;
- determine the scope of risk assessment;
- determine the necessary risk criteria.
Preparing the risk identification process
Determine the context
The context comprises:
- issues:
  - outside the control of the organization;
  - under the control of the organization
  that are relevant to its purpose;
- interested parties:
  - outside the organization;
  - within the organization
  that are relevant for risk management.
Preparing the risk identification process
External issues
Which issues outside the control of the organization exist that are relevant to its purpose?
- Society
- Culture
- Political environment
- Legislation
- Normative environment
- Regulatory framework
- Demand for the organization's offerings
- Overall economic environment
- Technological change
- Environment
- Competitive situation
Preparing the risk identification process
Internal issues
Which issues under the control of the organization exist that are relevant to its purpose?
- Culture of the organization
- Policies, objectives and strategies in place to achieve them
- Governance, organization's structure, roles and responsibilities
- Standards, guidelines and models adopted by the organization
- Contractual relationships
- Processes and procedures
- Capabilities in terms of resources and knowledge (capital, time, persons, processes, systems, technologies)
- Physical infrastructure
- Information systems and flows
- Audits and risk assessments
Preparing the risk identification process
External interested parties
Which interested parties outside the organization exist that are relevant for risk management?
What are their requirements with respect to information security?
- Legislators
- Regulators
- Shareholders including owners and investors
- Suppliers
- Contractors
- Auditors
- Competitors
- Customers
- Industry organizations
- Interest groups
- Activist groups
- General public
Preparing the risk identification process
Internal interested parties
Which interested parties within the organization exist that are relevant for risk management?
What are their requirements with respect to information security?
- Board of directors
- Executive management
- Line management of business units
- IT management
- Human resource management
- Facility management
- Process and asset owners
- Risk owners
- Information security specialists
- Employees
Preparing the risk identification process
Determine the scope
Two things are required:
- determine the boundaries and applicability of the risk management process:
  - functions of the organization (products & services);
  - processes of the organization;
  - sections of the organization;
- determine the interfaces and dependencies:
  - legal;
  - contractual;
  - physical;
  - technical.
Preparing the risk identification process
Determine the necessary risk criteria
Risks associated with the loss of confidentiality, integrity and availability within the scope of the risk management process may result in consequences for the business activities of an organization.
To ensure:
- consistent and reproducible results;
- comparable results when risk identification is repeated,
consequences are described with standardized consequence criteria.
Preparing the risk identification process
Determine the necessary risk criteria
Examples of consequence criteria
Consequence criteria for availability:
- Service degradation
- Unavailability of services
- Business interruption
Consequence criteria for integrity:
- Incorrect delivery due to conflicting data
- Impossibility to create a correct annual financial statement
- Inability to meet legal obligations
Consequence criteria for confidentiality:
- Infringement of privacy of internal or external users
- Loss of competitive advantage
- Loss of technological lead
The risk identification process
Process requirements
The risk identification process shall ensure that:
- all risks are considered with the necessary level of detail;
- the results are consistent and reproducible, i.e. they can be understood by a third party;
- its results are the same when different persons identify the risks in the same context;
- the results of repeated risk identifications are comparable.
The risk identification process
Approaches to risk identification
Two approaches are commonly used to identify risks:
- an event-based approach;
- an approach based on the identification of assets, threats and vulnerabilities.
Both approaches are consistent with the principles and general guidelines of ISO 31000 for risk assessment.
Other approaches may be used but are only recommended if they are able to meet the process requirements on the risk identification process.
Event-based approach
Overview
Identify risks by looking at:
- events;
- their consequences.
Considered events can:
- have happened in the past;
- be expected for the future.
The event-based approach is predominantly effect-oriented.
Event-based approach
Events and their causes
Conduct the following two steps:
- describe possible events by considering the questions:
  - who?
  - what?
  - where?
  - when?
  - why?
- determine the causes of these events to gain a deeper understanding of the risks and to provide information on the underlying threats and vulnerabilities.
Event-based approach
Events (excerpt from an event catalog)
Event type: Events
- Internal fraud: Forging of data or documents; Execution of an unauthorized transaction
- External fraud: Theft by third parties; Hacking
- Employment practices: Failure to terminate employment; Violation of safety regulations
- Customers, products and business practices: Violation of privacy; Abuse of confidential information
- Damage to physical assets: Destruction by terrorist attacks; Destruction of equipment and facilities
- Operation error and system error: Failure of an information system; Destruction of the power supply
- Execution, fulfillment and handling of processes: Agreed performance has not been provided; Incomplete customer records
Event-based approach
Consequences
Describe the possible consequences for all events determined:
- consequences which cannot be matched with the objectives of the organization do not contribute to the risks and can therefore be ignored;
- however, if such consequences are perceived to actually contribute to risks, this indicates that there are omissions in the list of objectives of the organization that should be corrected.
Event-based approach
Advantages and disadvantages
Advantages:
- can be used with comparatively little effort;
- suitable for creating a first, coarse picture of the information security risks;
- supports focussing on the critical risks.
Disadvantages:
- existing threats and vulnerabilities are not determined;
- targeted selection of controls in the subsequent risk handling process is more difficult;
- risks can be overlooked.
Asset, threat, vulnerability-based approach
Overview
Identify risks by determining:
- assets;
- threats;
- vulnerabilities;
- associated consequences.
The asset, threat, vulnerability-based approach is cause-oriented.
Asset, threat, vulnerability-based approach
Identification of assets
Primary assets:
- consist of the information of central importance for the purpose of the organization.
Supporting assets:
- can be viewed as containers in the broader sense to process, store, archive, or otherwise manipulate or handle the primary assets;
- can be classified into hardware, software, network, personnel, site and organization.
Asset, threat, vulnerability-based approach
Threats (excerpt from a threat catalog)
Threat type: Examples
- Physical damage: Fire; Water
- Natural events: Earthquake; Flooding
- Loss of essential services: Failure of air-conditioning; Power outage
- Disturbance due to radiation: Electromagnetic radiation; Thermal radiation
- Compromise of information: Eavesdropping; Theft of documents
- Technical failures: Equipment failure; Saturation of the information system
- Unauthorized actions: Unauthorized use of equipment; Use of counterfeit software
- Compromise of functions: Abuse of rights; Forging of rights
Asset, threat, vulnerability-based approach
Vulnerabilities (excerpt from a vulnerability catalog)
Vulnerability type: Examples
- Hardware: Insufficient maintenance; Portability
- Software: Lack of access logging; Complicated user interface
- Network: Lack of encryption; Single point of failure
- Personnel: Insufficient security training; Lack of supervision
- Site: Unstable power grid; Location in an area susceptible to flood
- Organization: Lack of segregation of duties; No job descriptions
Asset, threat, vulnerability-based approach
Advantages and disadvantages
Advantages:
- allows the consequences of events to be linked systematically to the vulnerabilities of assets and controls;
- provides the prerequisites for optimal selection of controls and risk-based decisions on their breadth and depth of implementation;
- ensures that all relevant risks are taken into account.
Disadvantages:
- the number of events can grow rapidly in combination.
Risk identification in practice
Leadership and commitment
Top management must:
- ensure that the responsibilities for the risk management process and its application are appropriately positioned and integrated into the organization;
- convey the importance of the effectiveness of this process for the success of the organization;
- provide the necessary resources in terms of people, time, financial resources, and information for the development of the process, its application and its continual improvement.
Risk identification in practice
Education and training
Information security risk identification is special:
- an intuitive, generic understanding of risks is insufficient;
- risks can only be analyzed when they are identified;
- persons capable of successfully assessing financial or entrepreneurial risks may lack competence;
- adequate education and/or training is indispensable;
- profound assessment skills throughout the entire process are required;
- involved persons must have competence and experience to deal with imprecision and uncertainty.
Risk identification in practice
Sensitization and awareness
Effective risk identification requires that:
- new causes of risks and other relevant information are readily exploited and made available for the risk identification process;
- all employees at all hierarchical levels of the organization are aware that they are constantly exposed to information security risks and shall at all times contribute to their avoidance;
- everyone is aware that neither IT resources nor the IT department can be a universally effective and protective shield.
Risk identification in practice
Challenges
Key challenge:
- keep the extent of risk identification manageable.
Two approaches have proven to be practicable:
- focusing;
- coarsening.
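As an added example that is not part of the presentation, the following Python model of the asset, threat, vulnerability-based approach is built from the catalog excerpts on these slides; it shows the combinatorial growth named as that approach's disadvantage and how focusing and coarsening, the two practicable ways to keep the extent manageable, shrink the list. The concrete asset names, the naive pairing of every vulnerability with every threat, and the C/I/A property assigned to each threat are assumptions made for the example.

```python
from itertools import product

# Supporting-asset classes from the slides; the concrete asset names are constructed.
ASSETS = {"hardware": "database server", "software": "customer portal",
          "network": "site-to-site VPN", "personnel": "help-desk staff",
          "site": "main data centre", "organization": "finance department"}

# Vulnerability catalog excerpt from the slides, keyed by the same six classes.
VULNERABILITIES = {
    "hardware": ["insufficient maintenance", "portability"],
    "software": ["lack of access logging", "complicated user interface"],
    "network": ["lack of encryption", "single point of failure"],
    "personnel": ["insufficient security training", "lack of supervision"],
    "site": ["unstable power grid", "location in an area susceptible to flood"],
    "organization": ["lack of segregation of duties", "no job descriptions"],
}

# Threat catalog excerpt as (threat type, threat, property mainly at risk);
# the C/I/A assignment is an assumption made for this example.
THREATS = [
    ("physical damage", "fire", "A"), ("physical damage", "water", "A"),
    ("natural events", "earthquake", "A"), ("natural events", "flooding", "A"),
    ("loss of essential services", "power outage", "A"),
    ("compromise of information", "eavesdropping", "C"),
    ("compromise of information", "theft of documents", "C"),
    ("technical failures", "equipment failure", "A"),
    ("unauthorized actions", "unauthorized use of equipment", "I"),
    ("compromise of functions", "abuse of rights", "I"),
    ("compromise of functions", "forging of rights", "I"),
]

def identify_risks(assets=ASSETS, vulns=VULNERABILITIES, threats=THREATS):
    """Cause-oriented identification: every (asset, vulnerability of its class,
    threat) triple is a candidate risk. The naive cross product is what makes
    the list grow; sorting makes the result reproducible whoever runs it."""
    risks = []
    for cls, asset in assets.items():
        for vuln, (ttype, threat, prop) in product(vulns[cls], threats):
            risks.append((cls, asset, vuln, ttype, threat, prop))
    return sorted(risks)

def focus(risks, prop):
    """Focusing: keep only the risks to one property ('C', 'I' or 'A')."""
    return [r for r in risks if r[5] == prop]

def coarsen(risks):
    """Coarsening: collapse to (asset class, threat type, property) groups."""
    return sorted({(r[0], r[3], r[5]) for r in risks})
```

On these excerpts identify_risks() returns 132 candidate risks; focus(risks, "C") narrows them to 24 and coarsen(risks) to 42 groups, which is the level of detail a first, coarse picture needs.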
Risk identification in practice
Continual improvement
Possible approach:
- target a coarse but clear picture of the information security risks by applying the event-based approach;
- apply the asset, threat, vulnerability-based approach to provide the basis for determining the inherent risks and assessing the appropriateness of already implemented controls;
- apply the asset, threat, vulnerability-based approach to gradually improve the risk-based preservation of confidentiality, integrity and availability of information, and to adapt to current requirements and threats.
Risk identification in practice
Further information
This presentation is based on the article "Information security - without methodical risk identification everything is nothing", published in the Springer journal HMD Praxis der Wirtschaftsinformatik, 54(1), 21-36, 2017; DOI 10.1365/s40702-017-0288-3 (in German).
An English translation with extended content is in preparation.