ISACA CISM – Domain 02 – Information Risk Management Part 6
April 3, 2023

37. Risk Treatment Options

Now, when we talk about risk treatment, there are usually four strategic choices for how we deal with risk. The first treatment option, of course, is that we might just decide, you know what, let’s terminate whatever activity is giving rise to the risk. Now, if I were to say this, I would probably be the most unpopular security manager in my corporation, but I might say, you know what, there’s too much malware out there. There are too many opportunities for people to download junk, infect their systems and cause a cascading effect of damage from the inside of my network. So what I’m going to do is terminate any external internet use. You can’t go to the internet while you’re at work.

All right, that is an example. I could terminate that activity. Doing that, though, might not follow the business strategy, because there may be legitimate needs for people to get out to the internet, whether for marketing, for customer evaluations, those types of things. I know I worked with a nuclear facility that had that same idea: that the things we could download, through email attachments or from the internet, could be detrimental. And they did. They said the easiest way to deal with that risk is to terminate that activity. So they terminated any external access. Now, they were still able to receive email, and I didn’t witness the process myself.

But as I understood the process, they used what I like to call an air bridge, meaning there was no physical connection to the outside. They had an outside-facing email server. You could send messages to this person’s address. They would be scanned, looked at, read, analyzed to make sure there was no malware, copied to some other media, and manually transferred to an internal email server that could then deliver the message inside after it was determined to be safe. Likewise, all outgoing email went through the same process as well. So that was one way. Now again, I don’t know what the cost-benefit was, but considering it was a nuclear facility, I’m thinking there was probably the likelihood of a very large impact if there was a problem over there.

Another option, of course, is transference of risk to another party. I use insurance companies as the example, because when I take out an insurance policy I’m basically saying: I understand that there is a risk, and if it happens and there’s an impact, then monetarily I’m hoping for reimbursement from that insurance company so that I can repair whatever the problems were. Now, it doesn’t mean I might not try to lower my risk to maybe get better rates, but transference is one treatment option we have for risk. And having just said that lowering my risk to get a better rate on my transference, or insurance policy, means that I can actually combine some of these different risk treatment options together; one of them, as I just mentioned, is mitigating.

Risk mitigation is, of course, the reduction of risk, realizing we’ll never get rid of it 100%, but trying to reduce, hopefully, the impact or the likelihood of it occurring. Now, we also could just tolerate the risk. That means we could just plain old say, you know, I realize there’s a risk that whatever activity is going on has these potentials, and I’m not going to invest anything into trying to reduce it. Maybe a bit of mitigation, through awareness and security training, could certainly help, but that might be as far as we go; we’re basically going to accept the risk as it is. Now, there are some risk assessment frameworks that we can use as a tool to help determine the treatment of risk depending on its severity.

So, having said that, here’s the idea of the framework. It goes back to the roles and responsibilities as far as who can make the decisions about the types of treatment of risk. Now, if we look at the risk assessment and we see that we have a low level of risk, that’s something that local management could choose to go ahead and accept, or to tolerate. But if it’s a risk at a medium level, that’s not something we should leave to local management to decide. That is a decision about the treatment that we should see from the Chief Information Officer.

If it’s a high level of risk, it should be something that’s approved by the Chief Information Officer or maybe the Chief Information Security Officer. And extremely severe levels should be something that’s only approved by the board of directors or at that C-suite level: CEOs and those types of folks that are in executive management.
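To make the escalation framework concrete, here is an added worked example (it is not code from the lecture or from ISACA): a small Python risk register that scores each risk, buckets it into the four levels above, and checks whether the role that signed off the treatment decision is senior enough. The 1-5 likelihood and impact scales, the score bands, the rule that a more senior tier may approve anything a less senior tier may, the rule that terminate is not combined with other options, and the sample risks are all constructed assumptions for illustration.

```python
"""Risk treatment decision record with an escalation check.

Added example, not from the lecture. Likelihood and impact use an assumed
1-5 scale; the score bands and the sample risks are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    TERMINATE = "terminate"  # stop the activity that gives rise to the risk
    TRANSFER = "transfer"    # e.g. insurance: another party absorbs the financial impact
    MITIGATE = "mitigate"    # reduce likelihood and/or impact with controls
    TOLERATE = "tolerate"    # accept the risk as it stands


# Approval tiers from the lecture, least senior first. Assumption: a more
# senior tier may approve anything a less senior tier may approve.
TIER = {
    "local management": 0,
    "Chief Information Officer": 1,
    "Chief Information Security Officer": 1,
    "board of directors": 2,
}

# Minimum tier that may sign off a treatment decision at each risk level.
REQUIRED_TIER = {"low": 0, "medium": 1, "high": 1, "extreme": 2}


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact, each on the assumed 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def risk_level(likelihood: int, impact: int) -> str:
    """Bucket the score into the four levels used by the escalation framework."""
    score = risk_score(likelihood, impact)
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 16:
        return "high"
    return "extreme"


@dataclass
class TreatmentDecision:
    risk_name: str
    likelihood: int
    impact: int
    treatments: tuple  # one or more Treatment values; mitigate + transfer can be combined
    approver: str      # role that signed off; must be a key of TIER

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def problems(self) -> list:
        """Return the reasons this decision should be sent back; empty means it stands."""
        found = []
        if not self.treatments:
            found.append("no treatment option chosen")
        # Assumption: once the activity is terminated there is nothing left to treat.
        if Treatment.TERMINATE in self.treatments and len(self.treatments) > 1:
            found.append("terminate cannot be combined with other treatments")
        if self.approver not in TIER:
            found.append(f"unknown approver role: {self.approver}")
        elif TIER[self.approver] < REQUIRED_TIER[self.level]:
            found.append(
                f"{self.level} risk needs tier {REQUIRED_TIER[self.level]} sign-off; "
                f"{self.approver} is tier {TIER[self.approver]}"
            )
        return found


def review_register(decisions) -> dict:
    """Map each risk name to its list of problems, so a reviewer sees what to send back."""
    return {d.risk_name: d.problems() for d in decisions}


# Constructed sample register (not real risks from any organization).
SAMPLE_REGISTER = [
    TreatmentDecision("unrestricted employee web browsing", 4, 3,
                      (Treatment.MITIGATE, Treatment.TRANSFER),
                      "Chief Information Security Officer"),
    TreatmentDecision("external access from the plant network", 2, 5,
                      (Treatment.TERMINATE,), "local management"),
    TreatmentDecision("lost visitor badge", 2, 2,
                      (Treatment.TOLERATE,), "local management"),
    TreatmentDecision("single data center, no recovery site", 5, 5,
                      (Treatment.MITIGATE,), "Chief Information Officer"),
]

if __name__ == "__main__":
    for name, issues in review_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'accepted' if not issues else '; '.join(issues)}")
```

Run as a script, the register shows two decisions that stand (a high risk signed off by the CISO, a low risk tolerated by local management) and two that go back: a high risk signed off only by local management, and an extreme risk signed off by the CIO when the framework reserves that level for the board.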

38. Impact

Well, a lot of what we’ve talked about is the impact, if we actually find ourselves being exploited and having a loss. The impact is the bottom line for risk management, as it is the result of the vulnerability, as I said, that was exploited. Now, often the impact is measured as a financial loss in the short term. But there are some other corresponding things that we have to worry about: the indirect financial loss in the long term. And again, it could be the loss of money. Well, what does that mean? As I said, it could be a loss of reputation, of brand, of customers trusting us. We could lose business contacts or business associations that may never come back.

And that’s something that we really have to consider. I saw one aspect of a series on how much an impact can affect a small business. And I saw some indications that said that if a small business were, through a loss or impact, unable to complete or do the job that that organization has done, its business objectives, for an average of a week, seven days, they were often just out of business. They were never able to recover that money, and many of them ended up eventually out of business altogether. So an impact is something we certainly have to study, because it can have a long-term effect. Certainly going out of business is pretty long term. We also have to remember that there can be criminal or civil liability as well.

Especially, you should be worried if you are in executive management or on the board of directors, because often you are held responsible for the criminal or civil liabilities. Now, I used the example of Enron, which was going out and doing something to manipulate their books to make it, I guess, look like they were more profitable than they were, where it looks like they were actually losing money. That certainly affected shareholders of the company, who suddenly one day woke up and found out that they owned nothing. It certainly affected employees, employees who may have had their retirement invested in that corporation. I remember another company that’s local to where I lived. I won’t mention the name, even though it’s out of business. Well, it’s in business, but has changed hands many times.

But they were an engineering facility, one of the largest, if not the largest, in the world. And I remember that when they made some bad financial decisions and went out of business, those people that had been working there for 30 years and expecting to retire on the stock they had in that company suddenly found out they couldn’t retire. They had no funds to do that. Do you think there’s a civil liability potential? Well, maybe not so much in a bankruptcy, but certainly if it’s a loss that we could have avoided through better risk management, and of course criminal charges can come out of that as well. So all of those are issues we have to look at when we are deciding what the impact is and just how serious that impact could be.

39. Lesson 6: Controls Countermeasures

Let’s take a look at our controls and countermeasures. Now remember, controls were the things we described as policies, procedures, practices and guidelines that we use to help provide assurance that our business objectives are going to be achieved. The countermeasure, although we can think of it as a control, is often thought of as a targeted control, and it’s specifically used to help reduce the threat or the vulnerability that we might be seeing.

40. Controls

Now let’s take a look at controls. There are a couple of different ways we can view these and talk about them. The first, of course, would be the control design considerations. Now, those considerations might include measurability and effectiveness. I know I’ve made a statement about this before, but when we think about a control, there are often many solutions that can be just as effective as the others. Some may differ in their effectiveness slightly. There are throughputs, and some of the extra capabilities or features we might have thought of as a bonus.

But measurability is another factor. Measurability is my ability to watch it, to monitor it, to get metric information that lets me know if it’s really doing its job, so that I can have ongoing management or maintenance of that control. Now, if the control has a very complex mechanism for me to get meaningful information from it as far as measurability goes, then it may not even be worth trying to use that control, because we could say, in a way, that it’s not as effective. Now, effectiveness might be, of course, the reduction of the risk, but it also needs to be effective for me to actually know that it’s working, and that I can prove that it’s in compliance with whatever our policies, procedures or standards are going to be.

Now, the control strength is another aspect that we look at. And a lot of the decisions about the strength of a control do depend on the type of control that it is. We have, again, preventive controls, which may be trying to prevent an activity: that could be some sort of device that screens the content of web pages you visit, or firewalls preventing attacks or different types of unwanted traffic from coming in. We may also have detective types of controls. Detective controls may, again, be intrusion detection systems. Or if I move into the physical realm, it could be a motion detector alarm or a closed-circuit TV camera.

Again, when we’re measuring strength, we can ask questions; again, of a firewall: what’s its throughput? How does it survive if it’s under stress? So all of those are important aspects to us. Same with cameras: do I need one that can pan, tilt and zoom, one that works at low light levels at night, those types of things. Some controls may be manual, some may be automated. And by the way, we often think of an automated control as being much stronger than a manual control. Often we say that because an automated control, through the use of automation, does not as easily allow people to manually intervene or to get around that particular control. A manual control could very easily be simply a magnetic key lock at the front entrance of a door. It doesn’t automatically work.

I have to swipe my card by it. The problem is, I can hold that door open and let as many people in as I want to, because it is manually available for me to circumvent. So those are some of the things we may consider as we are looking at the strength of a control. The control methods, again, we need to evaluate: is it a technical type of control or a nontechnical type of control? Many of our nontechnical controls, again, could go back into the realm of policies and standards. They certainly could be the use of guards or motion detection equipment. As I mentioned before, technically putting a fence around your compound is a type of control. You’re trying to control the way in which traffic comes in.

Putting razor wire on top of it is trying to help really ensure that you’re controlling the point of entry. Or a technical control could simply be something we use for authentication methods. Again, that could also be part of the detective aspect, needing the fingerprint reader or the retina scan. We also know, from what I’ve just talked about, that controls come in different categories. Those categories are the ways in which we determine what the control is designed to do. I’ve mentioned preventive and detective. We also have some that can be corrective or compensatory, or even deterrent.

The fence with the razor wire is a good example of a deterrent type of control: it tries to deter you from going over the fence and instead sends you around and through the main entrance. So again, we look at these controls by these categories, and based on all this information, hopefully we can make control recommendations. So we can say that, based on what we’ve looked at through the way we’ve categorized and typed the controls, we can now document those features and make recommendations as to what might be the best control that we’re looking for in the mitigation of our risk.

41. Residual Risk

Remember, we can’t get rid of all risk. No control is 100% effective, so there always is risk. And the risk left over is called the residual risk. Now, how do we know what the residual risk is going to be? Well, we’re going to find out about that the same way we found out what the original risk was. The original risk we found through the use of risk assessments. Now, after our control is in place, nobody said you’re done with risk assessments. There should be subsequent risk assessments, so we can take a look and see what we have effectively reduced the risk to (hopefully have reduced the risk to, I should say), so that we can find out what is left over.

And remember, we can use this risk assessment to alter our roadmap. If we find out that we’re not at that desired state that we want to be in, it may tell us that either we have the wrong control, maybe the wrong configuration, or we need to continue to work towards getting ourselves down to the risk that the company or organization was willing to accept. Now, in that aspect, the controls we get should be considered through their costs and benefits. In other words, one of the things we have to ask is: is the cost of that control going to exceed the benefits that are being achieved? Now, I could use an example here of a large-vendor firewall, a Cisco, Juniper or Palo Alto.

And let’s just say that I have a branch office that’s supporting maybe 50 workers. And I’m looking at a control like a firewall as a preventive type of control. And I need one that can at least handle those 100 users that are going through, with however many sessions of communication they have. And maybe I’m connected to a small WAN connection that gives me only so much bandwidth. So the question is, can I get away with buying one of those million-dollar firewalls, those services gateways as they call them, and use that for 100 people? I mean, certainly it would probably give them more than enough throughput, even though it probably far exceeds what they can get from their service provider. And it can certainly handle some of them: half a million new sessions per second, which might certainly be sufficient for the 100 people that are in that office.

But is that investment of a million some-odd dollars in excess of the benefits that I’m going to achieve? Or could I have done better, cost-wise, with a much smaller unit that can still meet those needs, but might come in at a few hundred dollars instead of that six- or seven-digit price tag? Now, I realize what I gave you was an extreme scenario, but it is something you should think about. I, in fact, have seen the opposite of that happen. I saw the opposite of that happen for one of these online universities that had many little classrooms all around the place.

And they found an effective control, a firewall, but they actually got one that was incapable of handling the number of sessions that they needed. Which meant that they put a lot of expenditure in, put in a control that was effective in reducing the risk (it did control the traffic as needed, it provided the throughput that it needed), but it was insufficient to work for the number of people at each of these offices. In essence, they throttled themselves, or did their own denial of service. So I think when we talk about cost, I gave you one extreme of spending way too much money. There is the other extreme of not putting in enough for the proper type of equipment or control that you need.
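The residual-risk and cost-benefit reasoning from the last few paragraphs, as an added worked example (not code from the lecture): it values a risk as an expected annual loss (single-loss estimate times expected yearly frequency, a standard approach the lecture does not name), computes the residual risk each candidate control leaves behind, rejects any control whose session capacity cannot carry the office (the self-inflicted denial of service case), and then picks the control with the best net benefit among those that bring residual risk within the accepted level. All the figures, control names and reduction factors are constructed for the example.

```python
"""Residual risk and cost-benefit comparison of candidate controls.

Added example, not from the lecture. Risk is valued as expected annual loss
(single-loss estimate x expected events per year); all figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float  # estimated loss per event, in currency units
    frequency: float    # expected events per year

    def annual_loss(self) -> float:
        """Expected annual loss, before or after a control is applied."""
        return self.single_loss * self.frequency


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # purchase price spread over its service life plus upkeep
    likelihood_reduction: float  # fraction of events the control stops, 0..1
    impact_reduction: float      # fraction of per-event loss the control avoids, 0..1
    sessions_supported: int      # concurrent sessions the device can carry


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk left over once the control is in place: same risk, reduced terms."""
    return Risk(
        risk.name,
        risk.single_loss * (1 - control.impact_reduction),
        risk.frequency * (1 - control.likelihood_reduction),
    )


def evaluate(risk: Risk, control: Control, sessions_required: int) -> dict:
    """Cost-benefit figures for one control, plus whether it can carry the office at all."""
    residual = residual_risk(risk, control)
    avoided_loss = risk.annual_loss() - residual.annual_loss()
    return {
        "control": control.name,
        # A control too small for the load throttles the business: a self-inflicted denial of service.
        "fits": control.sessions_supported >= sessions_required,
        "residual_ale": residual.annual_loss(),
        "net_benefit": avoided_loss - control.annual_cost,
    }


def recommend(risk, controls, sessions_required, acceptable_ale):
    """Best net benefit among controls that fit the load and reach the accepted residual risk."""
    candidates = [
        e for e in (evaluate(risk, c, sessions_required) for c in controls)
        if e["fits"] and e["residual_ale"] <= acceptable_ale
    ]
    if not candidates:
        return None  # back to the roadmap: wrong control, wrong configuration, or revisit the target
    return max(candidates, key=lambda e: e["net_benefit"])["control"]


# Constructed scenario: a branch office behind a small WAN link.
BRANCH_RISK = Risk("compromise of the branch office from the internet",
                   single_loss=200_000, frequency=0.5)
SESSIONS_REQUIRED = 1_000
ACCEPTABLE_ALE = 20_000  # residual expected annual loss the organization will accept
CANDIDATES = [
    # million-dollar services gateway amortised over five years: far more than the office needs
    Control("enterprise services gateway", 200_000, 0.90, 0.0, 500_000),
    Control("right-sized branch firewall", 400, 0.85, 0.0, 5_000),
    # effective, but its session table is too small for the office (the online-university case)
    Control("undersized firewall", 150, 0.85, 0.0, 200),
    Control("no control (tolerate)", 0, 0.0, 0.0, 10**9),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(evaluate(BRANCH_RISK, c, SESSIONS_REQUIRED))
    print("recommended:", recommend(BRANCH_RISK, CANDIDATES, SESSIONS_REQUIRED, ACCEPTABLE_ALE))
```

With these constructed figures the services gateway leaves the least residual risk but its annualised cost swamps the loss it avoids, the undersized unit is rejected before cost is even considered because it cannot carry the office, tolerating the risk fails the accepted-level check, and the right-sized firewall wins. Changing the accepted level or the reduction factors is the point of the exercise: the subsequent risk assessment feeds new numbers in, and the recommendation may change.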

42. Information Resource Valuation

Let’s take a look at information resource valuation. Now, some assets can be quantitatively valued, while for others it might not be so easy to determine the type of value they have. Now, that’s just a plain old statement. As we said, there can be a lot of factors involved as to why we may or may not be able to quantitatively value some sort of information. Now, some of the things that we might not be able to find as much or as easy a value for could be things like proprietary information: the way in which your company does business, who your customers are, and those types of things. Trade secrets, obviously. Patent information.

We see a lot of companies file lawsuits over infringement of patents. And it’s really hard to say what that loss was. Often they have to make estimations about how much a company profited from the violation of their patent. Personal identification information: again, we start losing that information, whether of internal employees or customers, and we don’t really know what the long-term effect of that is going to be. Copyright information: we see that all the time today in the music industry, as they’re trying to find ways to reduce the loss of their copyrighted works, people downloading their movies and their music without having to pay the royalties and the fees. It’s really hard for them, as well, to do an estimation. And that’s the same within your organization, for information that you’re the owner of and don’t want to lose.
