Educause Security Discussion mailing list archives

Re: Vulnerability vs. Risk Assessments


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Thu, 5 Nov 2009 11:14:05 -0500

To continue on the posts about the risk equation, a risk assessment
inherently focuses on steps that are absent from a vulnerability assessment.
Depending on the assessor's existing knowledge of the environment, a risk
assessment must include steps that identify the connections between business
processes and technology, to identify the importance of various components
to the function of the business.  (I include an asset inventory and
classification in this phase.)  This fills in the value portion.  An assessor
must have a strong knowledge of the true threats to the environment, which
is aided by any information available on past incidents, security-related
logs, knowledge of industry trends, etc.  Some spot-checking of
vulnerabilities is important, although it may not be as complete a check
as a dedicated vulnerability assessment (these are the aggravating
circumstances).  Then one has to take into account the levels of monitoring,
protections, redundancy, response plans, business continuity, disaster
recovery, etc. (the mitigating circumstances).



Keep in mind that some folks limit their scope to electronic
threat/vulnerability/countermeasures and fail to include some basics like
physical security, natural disasters, employee hiring/training practices,
policies, etc.  A full risk assessment has a pretty broad scope and can be a
big undertaking.



There are several examples of this online, including some of the work I did
at UC Boulder, which links to other online resources -
http://www.colorado.edu/its/security/itriskmanagement/



Brad Judy
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric Case
Sent: Thursday, November 05, 2009 10:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments



Here is Ira Winkler's "formula" for risk.





Here it is as plain text:

Risk = ((Threat * Vulnerability) / Countermeasures) * Value



Threats (Malicious and Malignant) are the people or entities who can do you
harm if given the opportunity.  Threats are outside your control and you
cannot change them or affect them directly.

Vulnerabilities are the weaknesses that allow the threat to exploit you.

Countermeasures are the precautions you take.  Reducing the exposure is a
countermeasure.

Value is the potential loss you can experience.  More than a hard asset,
value can be Monetary, Nuisance, Competitor Value, etc.  Most things can be
turned into a monetary value but sometimes they are left as reputation, etc.



The value part can be very fluid.  Take a simple malware infection.  On a
"stupid user's" machine, the value may be less than on the Provost's
machine, which may still be less than on the CISO's machine.  The same
Countermeasures are in place on all the machines, but the Provost may have a
Nuisance factor to deal with, while the CISO can have a major loss of
reputation and a Nuisance factor to deal with.

Vulnerability Assessments are typically looking for technical weaknesses and
Risk Assessments typically look for things that can impact the enterprise on
more than a technical level.

-Eric



Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, November 04, 2009 8:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments



While I definitely agree with the other responses, I also find this variant
on the formula helpful when explaining to non-IT's or non-tech's:



Risk = Asset * Threat * Vulnerability



Asset represents what other formulae sometimes call "impact".  I just feel
it's a bit more intuitive to call it "asset" since execs think of assets
easily, so do accountants.



Drive any one of those three factors toward zero, and you affect risk
directly.



e.g.

Remove the asset, no risk.  Keep sensitive data out of harm's way.

Reduce threats, lower risk.   Block unnecessary traffic, encrypt laptops.

Reduce vulnerabilities, reduce risk.  Patch systems.



Nice thing about having Vulnerabilities in the formula is they are one of
the factors you can sometimes directly control through system management.



Asset reduction can be done with data handling/access controls.



Threat reduction can be done with technical measures, but not always.
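As an added example (not from the thread or any of the posters), the following Python model scores a constructed inventory two ways: once by technical weakness alone, which is what a vulnerability assessment reports, and once with the two risk formulas quoted above. The 1-5 ordinal scales, the scenario names and the factor values are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat/vulnerability pairing scored on constructed 1-5 ordinal scales."""
    name: str
    threat: int           # capability/likelihood of the threat actor
    vulnerability: int    # how exploitable the weakness is (what a scanner sees)
    countermeasures: int  # strength of controls in place (1 = none, 5 = strong)
    value: int            # potential loss: the "Value" / "Asset" / "impact" factor


def winkler_risk(s: Scenario) -> float:
    """Risk = ((Threat * Vulnerability) / Countermeasures) * Value."""
    return (s.threat * s.vulnerability) / s.countermeasures * s.value


def dobbins_risk(s: Scenario) -> int:
    """Risk = Asset * Threat * Vulnerability (controls already folded into the factors)."""
    return s.value * s.threat * s.vulnerability


def vulnerability_view(scenarios):
    """What a vulnerability assessment alone reports: findings ordered by technical weakness."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.vulnerability, reverse=True)]


def risk_view(scenarios, formula=winkler_risk):
    """What a risk assessment reports: the same findings ordered by business risk."""
    return [s.name for s in sorted(scenarios, key=formula, reverse=True)]


def treat(s: Scenario, **changes) -> Scenario:
    """Model a treatment by changing one factor, e.g. value=0 for removing the data."""
    return replace(s, **changes)


# Constructed inventory: the same unpatched-browser finding on three machines (the
# malware example above, only the value factor differs) plus two unrelated findings.
INVENTORY = [
    Scenario("lab kiosk, unpatched browser", threat=4, vulnerability=5, countermeasures=2, value=1),
    Scenario("provost laptop, unpatched browser", threat=4, vulnerability=5, countermeasures=2, value=3),
    Scenario("CISO laptop, unpatched browser", threat=4, vulnerability=5, countermeasures=2, value=5),
    Scenario("health-records web server, open port", threat=3, vulnerability=3, countermeasures=3, value=5),
    Scenario("public brochure site, weak TLS config", threat=2, vulnerability=4, countermeasures=4, value=1),
]

if __name__ == "__main__":
    print("vulnerability view:", vulnerability_view(INVENTORY))
    print("risk view:         ", risk_view(INVENTORY))
    ciso = INVENTORY[2]
    print("CISO laptop risk:", winkler_risk(ciso))
    print("after patching (vulnerability=0):", winkler_risk(treat(ciso, vulnerability=0)))
    print("after stronger controls (countermeasures=4):", winkler_risk(treat(ciso, countermeasures=4)))
```

The health-records server ranks last on raw vulnerability score but third on risk, which is exactly the gap between the two assessment types the thread is describing.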
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Waller
Sent: Wednesday, November 04, 2009 9:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments



The below is a pretty good explanation. From my experience, a vulnerability
assessment is a look at a system/site/application/firewall/whatever with an
eye towards all of the vulnerable points. Once you identify the
vulnerabilities, you would then move to a risk assessment by determining
what the threat, potential impact and likelihoods are.

On Wed, Nov 4, 2009 at 9:13 PM, St Clair, Jim <Jim.StClair () gt com> wrote:

Hi Chris,

Yes, they are often used interchangeably, causing confusion. If you think of
the risk formula (threat X impact X likelihood = risk) then a vulnerability
assessment focuses on more technical issues (either a port is closed or not)
while a risk assessment should be more specific to a business process (this
open port creates high risk in web services supporting health records).

Both are useful, and should be conducted periodically. It's only unfortunate
when a service provider calls it the latter but can only deliver the former.

James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T  703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com


-----Original Message-----

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Wednesday, November 04, 2009 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vulnerability vs. Risk Assessments

I'm having a hard time articulating the difference between these two types
of assessments, so I'm hoping someone can clearly define them. Any thoughts
are appreciated.

Thanks,
Chris

Chris Kidd
Chief Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu
