Security Basics mailing list archives

Re: Risk Assessment/Management


From: Fred Cohen <fred.cohen () all net>
Date: Mon, 31 Oct 2005 11:19:13 -0800

On Oct 29, 2005, at 3:02 PM, Mark Brunner wrote:

I am looking for a tool, template or clear example of how to perform a Risk Assessment, and then manage the mitigation or acceptance of risk. I've read a lot of the available information regarding the theory, methodologies and strategy, but am having a real hard time taking the concepts and applying them to real world items. I've boiled my risk assessment effort down to 5 key questions to start with for ease of creating some kind of matrix (spreadsheet for now).

Sadly - actually gladly - there is and cannot be such a thing. Risk management is a management activity (technically a part of governance) that has people who are authorized to make business decisions for the enterprise making those decisions based on information available to them. If you use a spreadsheet that gets filled in with facts anyone can just gather and plug in for determining what business to go into, then build a similar one for managing risk. If you actually require that people think about issues and make business decisions for what business they go into, then you need to do the same thing for managing risk.


For instance, I try to use the following:
1. What are the resources - Information & Information Systems - I'm actually interested in protecting?

Certainly making a model of your business and mapping the effects of failure to meet protection objectives into that business model will help you identify systems of particular interest in context.

Easy enough to figure out which are the critical items once an inventory is made and relationships are established.

Not really that easy, but indeed it can be done with adequate business understanding and technology understanding combined.

2. What is the value of those resources, monetary or otherwise?
Easy enough to get the replacement costs of hardware, software, config time, etc. but how do you valuate the data? Based on time and effort to recreate?

None of these are sound bases. The sound basis is the impact on the business of failure to maintain protection objectives.


3. What are all the possible threats that those resources face? Where can I get a compendium of risks to apply to each item for a Yes/No response?

Not the right approach. There is a whole art and science associated with understanding threats. Start at http://all.net/ under "New Security Database" => Threats. This provides a list that is useful for generic by-class threat assessment which can be carried out when needed based on consequence analysis previously mentioned.

4. What is the likelihood of those threats being realized?
Am I supposed to GUESS at this? How to quantify?

Capabilities and intents as shown by history tell you whether or not to worry about these issues. This requires a lot of historical data and knowledge.

5. What would be the impact of those threats on my business or personal life, if they were realized?
Easy enough to figure out, based on criticality and function.

This is the wrong direction. You should already know the consequences by the prior analysis and from there drive into the threats that can realize those consequences.

I would appreciate any assistance offered.  I'm floundering...

This is explained at a reasonable level of detail in:
The Chief Information Security Officer's Toolkit: Governance Guidebook

A quick overview of the issues is given at http://all.net/
Click on the "Security Architecture" graphic.

Thanks,
Mark

Hope it helps,

FC
-- This communication is confidential to the parties it is intended to serve --
Security Posture            securityposture.com          tel/fax
University of New Haven               unhca.com        925-454-0171
Fred Cohen & Associates                 all.net      572 Leona Drive
Security Management Partners    policygeeks.com    Livermore, CA 94550
