Topic no. 1:
Make personal reflections in your answer on:
a) It is not difficult to intercept wireless signals and, depending on the protocol, extract security information. An ongoing court case against Google is deciding whether it is an invasion of privacy for Google Streetview cars to collect wireless password data along with video data for extending Google Maps. What is your opinion?
b) The Story of Send (https://www.youtube.com/watch?v=5Be2YnlRIg8 ) is an animation showing the path a Google Mail message takes from your home or company, through a Google data centre, and then to the intended recipient (please notice how Google is promoting their “greenness”). Could you recommend Google Mail for secure and private corporate communication?
c) “When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security” (Day 2003, p. 284). Do you agree or disagree with this statement? Why or why not?
Topic no. 2:
These are important concepts that you must fully understand. Make some personal reflections in your answer on the following:
- Any discussion on risk typically refers to, or directly clashes with, the notion of uncertainty. In the readings for this module it is assumed that the likelihood (or probability) of a threat can be calculated within accepted tolerances or estimated by experts, again within accepted tolerances. This is a basic premise of risk management. Uncertainty, on the other hand, refers to situations where we cannot make such calculations or estimations due to a lack of data or expertise, or, more worryingly, because the complexity involved is beyond our present comprehension. This predicament was made famous by former US Defence Secretary Donald Rumsfeld in his 2002 “unknown unknowns” speech referring to the Iraq war, which you viewed above. The complexity of the Iraq situation for the US government was represented in a single famous PowerPoint chart (image above), discussed here in the New York Times. Is Cloud Computing any less complex to comprehend?
- Another area where uncertainty must be dealt with in a structured way is in environmental discussions, particularly around climate change. Review this short 4-page advice on uncertainty from the Intergovernmental Panel on Climate Change. Would you say that this advice is mainly a qualitative or quantitative guideline? Is it applicable to IT Risk and Technology Risk in general?
- Many of the approaches taken to perform an IT Security Risk assessment are based on rating threats and impacts on assets in terms of confidentiality, integrity and availability – the so-called CIA triad for information security. Consider availability for a moment. For a business person, avoiding an outage in service is critical. Google applications such as Google Mail and Google Docs have a Service Level Agreement of being available 99.9% of the time each month, which translates into less than 44 minutes of down time per month (or less than 9 hours per year). Do you think poor security is the main threat to the availability of systems? Given some additional funds, as an IT manager would you tend to spend them on security or availability? Availability is often the winner here as it carries a more obvious business impact, or in short, Availability trumps Security in terms of business risk.
Topic no. 3:
Watch this video: http://youtu.be/RW9hOBCSy0g
Discuss the following points:
a) Why is it important for management to show ‘due diligence’ during the decision-making process, and how can risk management help with this? Donn Parker, a veteran security practitioner, believes that due diligence is sufficient to support informed security decision-making and that risk management is unnecessary, and largely without merit. Mr. Parker presents his case in the video you just viewed, or you can read a more precise written summary of his case: https://dl.dropboxusercontent.com/u/46696310/ITC596%20References/mod%206/2008%20Don%20Parker%2C%20Due%20Diligence%20based%20security%2C%20ISSA.pdf
b) Mr. Parker mentions that the main driver for security nowadays is compliance, such as PCI DSS for secure credit card payments, while other laws, particularly in the US, carry possible legal penalties. Mr. Parker would argue that the threat of going to jail is more of a motivation for executives to support better security initiatives as compared to a well-argued risk assessment. Would you agree with Mr. Parker, and do you think the executives of a company might do time behind bars for IT security breaches?
c) The reading from Blakley, McDermott and Geer stated that in IT Risk analysis we need to learn more from risk techniques in other domains outside of security. Consider the example on page 58 of this engineering risk paper (https://dl.dropboxusercontent.com/u/46696310/ITC596%20References/mod%206/16122769-A-Risk-Analysis-of-Risk-Analysis.pdf), which gives an analysis of how high to build a levee (small dam) to prevent flooding damage to a given area of land. The higher the dam, the less likely it is that there will be a flood. However, the initial and ongoing costs are higher for a higher dam. Given all the costs and the data on rainfall patterns, there is an optimal or best dam height, as shown in the example. Can you see an analogy with malware defences, and a possible path to determine an optimal amount of protection?
d) The notion of recurrence intervals is important in natural disaster planning, particularly for insurance companies. The severe flooding in Brisbane, Australia in 2011 was described as a 1-in-30 year flood. What would you say is the recurrence interval for a major security incident (say a worm breakout) in your company?
Topic no. 4:
Quantitative risk management involves assigning a probability to the chances of an attack as well as determining how much damage a successful attack is likely to cause. This topic explores the fundamentals of this approach, which is based on the ALE (Annual Loss Expectancy) formula. We also look at another important quantitative measure: ROSI (Return on Security Investment). A positive ROSI indicates that a security investment is justified from a financial standpoint, and can be used to convince management to fund a security solution.
- Reading 7: Ozier, W. (2004). Risk analysis and assessment. In Information security management handbook (5th ed., pp. 795-820). Boca Raton, FL: Auerbach.
- Reading 8: Geer, D., Soo Hoo, K., & Jaquith, A. (2003). Information security: Why the future belongs to the quants. IEEE Security and Privacy, 1(4), 24-32. doi: http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1219053
- Reading 9: Endorf, C. (2004). Measuring ROI on security. In Information security management handbook (5th ed., pp. 685-688). Boca Raton, FL: Auerbach.
- Reading 10: Berinato, S. (2003). Everything’s coming up ROSI. In CIO: Australia’s magazine for information executives. Retrieved from http://www.cio.com.au/pp.php?id=700624897&fp=4&fpid=17
- Reading 11: Jacobson, R. V. (2002). Risk assessment and risk management. In S. Bosworth & M. E. Kabay (Eds.), Computer security handbook (4th ed., pp. 47-1-47-16). New York: John Wiley.
Commentary: Absolute and Relative ROSI
Make sure you’re aware of the distinction between the different ROSI calculations that appear in the readings. We might call these the absolute ROSI and the relative ROSI. Assume the following scenario (similar to that which appears in Reading 7 under the heading ‘ROSI Example’):
“You have been asked to protect a small database that contains critical business data. This data is valued at $2 million and has never been compromised. Based on recent events in similar companies with this type of server and data, you determine that such an attack will occur once every ten years. Further, you determine that if such an attack occurs, about 70% of the data in the database will be destroyed. The current access controls in place on this database cost the company $15,000 per year. What is the ROSI on these controls?”
This scenario is absolute because we have no previous data to compare with. Hence, we use the straightforward ROSI formula: Annual Loss Expectancy (ALE) - Current Cost of Control (CCC) = ROSI.
In this case:
SLE = Exposure Factor (EF) * Asset Value (AV) = 0.70 * $2,000,000 = $1,400,000
ALE = Single Loss Expectancy (SLE) * Annualized Rate of Occurrence (ARO) = $1,400,000 * 0.1 = $140,000
ROSI = ALE – CCC = $140,000 - $15,000 = $125,000
There is a flaw with this method, however. Assume the ALE in this case is higher (i.e., we expect to lose more data annually from this type of threat). Plugging in the numbers, we get a higher ROSI even though the control might be ineffective, because the effectiveness of the control never enters the calculation! However, if the data is available, we can use a ‘before and after’ approach to calculating the ROSI. Let’s take Endorf’s example about the IDS that appears in Reading 9.
Original ALE (without the IDS control) = $500,000
IDS costs the company $250,000 per year.
The IDS is 80% effective, which reduces the original ALE by $500,000 * 0.80 = $400,000, leaving a residual ALE of $100,000.
This means the IDS has saved us $400,000 a year.
The relative ROSI is found via the following formula (see Reading 9): Savings – Mitigation Cost = ROSI.
Hence, $400,000 - $250,000 = $150,000
When looking at the bigger picture, this makes sense. If our IDS costs $250,000 per year but has helped save $400,000 per year then we are better off to the tune of $150,000 annually.
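The following is an added example (it is not code from the readings or the course text) that carries both calculations above through in Python with this page’s figures, and adds one small check the commentary describes: how the absolute formula rewards a larger ALE even when the control does nothing, while the relative formula exposes it.

```python
# Added example, not from the readings: absolute and relative ROSI
# using the figures quoted in the commentary on this page.

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)."""
    return asset_value * exposure_factor


def ale(single_loss, aro):
    """Annual Loss Expectancy (ALE) = SLE * Annualized Rate of Occurrence (ARO)."""
    return single_loss * aro


def absolute_rosi(annual_loss, control_cost):
    """Absolute ROSI = ALE - Current Cost of Control (CCC).

    Used when there is no 'before' data. Note that the control's
    effectiveness never appears in this formula.
    """
    return annual_loss - control_cost


def relative_rosi(ale_before, effectiveness, control_cost):
    """Relative ('before and after') ROSI = Savings - Mitigation Cost.

    effectiveness is the fraction of the original ALE the control removes,
    so savings = ale_before * effectiveness and the residual ALE is
    ale_before * (1 - effectiveness).
    """
    savings = ale_before * effectiveness
    return savings - control_cost


def database_scenario():
    """The $2M database: EF 0.70, one attack every 10 years, $15,000/yr controls.
    Returns (SLE, ALE, absolute ROSI)."""
    loss = sle(2_000_000, 0.70)       # $1,400,000
    annual = ale(loss, 1 / 10)        # $140,000
    return loss, annual, absolute_rosi(annual, 15_000)   # ROSI $125,000


def ids_scenario():
    """Endorf's IDS: original ALE $500,000, IDS $250,000/yr, 80% effective."""
    return relative_rosi(500_000, 0.80, 250_000)         # $150,000


def flaw_in_absolute_rosi(control_cost, effectiveness, ale_values):
    """The flaw the commentary points out: doubling the ALE doubles the
    'absolute' ROSI, while the relative ROSI shows a useless control
    (effectiveness 0) as a pure cost. Returns (absolute, relative) pairs."""
    return [(absolute_rosi(a, control_cost),
             relative_rosi(a, effectiveness, control_cost)) for a in ale_values]


if __name__ == "__main__":
    print("database (SLE, ALE, ROSI):", database_scenario())
    print("IDS relative ROSI:", ids_scenario())
    print("useless control, ALE 140k vs 280k:",
          flaw_in_absolute_rosi(15_000, 0.0, [140_000, 280_000]))
```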
This is another area that it is critical you understand. Work through this problem to make sure that you understand the principles and the process:
You have been asked to protect a small database that contains critical business data. This data is valued at $2 million and has never been compromised. Based on recent events in similar companies with this type of server and data, you determine that such an attack will occur once every ten years. Further, you determine that if such an attack occurs, about 70% of the data in the database will be destroyed. What is the ALE for this scenario?
Topic no. 5:
Qualitative risk assessment relies more on observational, subjective data than on hard facts. There are many advantages to this approach. ‘Hard numbers’ are often difficult to come by when assessing security threats. One reason for this is that so many firms are reluctant to report security breaches – thus the real chances of being attacked tend to be underestimated. Qualitative assessment, in contrast, allows a more ‘seat of the pants’ approach. In this topic, we examine several well-known methods of conducting a qualitative risk assessment. Note the difference in approach between Peltier and Munteanu, and especially note that Munteanu introduces two new factors: time constraints and the moral hazard facing the analyst.
- Reading 12: Peltier, T. (2005). Quantitative versus qualitative risk assessment. In Information security risk analysis (2nd ed., pp. 77-114).
- Reading 13: Munteanu, A. (2006). Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma. Paper presented at the Proceedings of the 6th International Business Information Management Association (IBIMA) Conference.
Make personal reflections in your answer on the following:
a) Explain how cost benefit analysis can be performed when doing a qualitative risk assessment.
b) Do some research on the Web to locate some different qualitative risk assessment implementations (i.e., FRAAP, OCTAVE, OWASP, CRAMM, etc). Name and briefly describe two (2) of these.
c) One of your colleagues wants a brief description of the 30 minute Risk Analysis and how it works. What do you tell them?
Topic no. 6:
Taking out an insurance policy is the most common approach for transferring risk. Cyber insurance, however, is still in its infancy and faces many challenges before being fully accepted as a market solution in the same way as traditional insurance.
- Reading 14: Gordon, L. A., Loeb, M. P., & Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81-85. doi:10.1145/636772.636774
- Reading 15: Majuca, R. P., Yurcik, W., & Kesan, J. P. (2005). The evolution of cyberinsurance. Retrieved from http://arxiv.org/ftp/cs/papers/0601/0601020.pdf
Also visit the following webpages before completing your topic.
http://datalossdb.org/ - The Data Loss Database is a site that lists all major reported data loss events.
http://datalossdb.org/analysis - lists and analyses the breach types of data loss.
One of the most embarrassing and potentially costly incidents for any large organisation is the public loss of data, whether it be customer data, health data or simply corporate data on employees. The largest incident to date is a loss of 150 million records by the Shanghai Roadway in 2012, and perhaps most infamously, 94 million records on credit card data lost by TJX in 2007.
In many cases, the cost of litigation and restoring public confidence is exorbitant, and therefore seems a prime candidate for companies to use insurance for protection. Consider the Breach Types, which are essentially the vulnerabilities exploited to steal data, and how an insurance policy might account for and price the risk of data loss for a given company.
How would you assess whether a company is a good risk against these Breach Types, and would you trust your analysis? Discuss your views in your answer.
Topic no. 6:
People process risk differently and many of our intuitive judgments about risk are flawed. In this topic, we touch on the issue of risk perception, which also has implications for how we educate others about risk.
- Reading 16: Slovic, P. (1987). Perception of risk. Science, 236(4799), 280-285. doi: 10.1126/science.3563507
- Reading 17: Asgharpour, F., Liu, D., & Camp, L. J. (2007). Mental models of security risks. Lecture Notes in Computer Science, 4886, 367-377. doi: 10.1007/978-3-540-77366-5_34 http://ezproxy.csu.edu.au/login?url=http://dx.doi.org/10.1007/978-3-540-77366-5_34
Rolf Dobelli, a Swiss writer, recently translated his successful business book on this topic from German to English, called The Art of Thinking Clearly, and you can watch him explain the premise of Cognitive Biases.
- Read about Rolf Dobelli here: http://www.dobelli.com/
- Read more about cognitive biases here: http://en.wikipedia.org/wiki/Cognitive_bias
- And a more exhaustive list here: http://en.wikipedia.org/wiki/List_of_cognitive_biases
- The World Economic Forum (WEF) list of global risks (interactive graphic that requires a Chrome or Firefox browser)
- The Digital Wildfires section of the World Economic Forum report considers the risks in a hyper-connected world: http://reports.weforum.org/global-risks-2013/risk-case-1/digital-wildfires-in-a-hyperconnected-world/#read
Both readings this week talk about the mental models we use to assess risk, and the limitations that they bring. Generally we are bound by a large set of cognitive biases which we are often unaware are operating in our decision-making processes. After watching the video above and reading about cognitive biases, discuss on the forum which cognitive biases seem most relevant to making IT Risk decisions.
The reading by Slovic considers some of the large risks that we face in terms of technology and our response to, say, industrial accidents. The World Economic Forum (WEF) compiles a list of global risks each year, and if you visited the interactive graphic on the website (link provided above), you will see that there are 50 risks listed, rated for impact and likelihood, over a 10-year horizon. Find the risks specifically related to IT technology.
The Digital Wildfires section of the WEF report considers the risks in a hyper-connected world. Examine the diagram (Figure 11 on the Digital Wildfires webpage) showing related risks.
Discuss on your blog what role IT Security has in reducing both the likelihood and impact of these risks.
Topic no. 7:
The relational risk assessment process was pioneered by the author of your text, Kevin Day. It is similar in style to a qualitative risk analysis, but with more emphasis on concepts such as vulnerability inheritance and chained risk.
Chapter 8 from Day, K. (2003). Inside the security mind: Making the tough decisions. Upper Saddle River, NJ: Prentice Hall.
a) In chapter 8 of Inside The Security Mind, Kevin Day cites the following problems with traditional models of risk management:
- difficult to reasonably assign a value to an object
- difficult to calculate the chance per year that a threat will occur (and we might also add the following):
- difficult to calculate the Threat Exposure Factor for an object
- takes a great deal of time and resources
- risk decisions are based primarily on opinion (hence, the experience of the risk management team plays a large part in the outcome)
And for both qualitative and quantitative:
- it is hard to evaluate security relationships with either model
- neither model scales well to a large environment
Does the relational model that Day proposes adequately address any of these concerns? If so, how?
b) Is the relational model nearer in spirit to the quantitative or qualitative approaches? Justify your answer.
c) Would the relational model be useful in an enterprise setting? Would the relational model be acceptable to management, and to the auditors? Discuss on the Forum.
Topic no. 8:
You are asked the question: Is our security better this year than last year? Could you respond? And if so how? This is the type of question that may only be answered if you have collected some type of metrics relating to the domain under consideration. As Lord Kelvin (1824-1907) once famously said ‘When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge of it is of a meager and unsatisfactory kind’.
- Reading 18: Jaquith, A. (2007). Defining security metrics. In Security metrics: Replacing fear, uncertainty and doubt (chapters 1 and 2). Upper Saddle River, NJ: Addison-Wesley.
Andrew Jaquith is a leading authority on security metrics and he explains most of his book’s content in this video series. Mr. Jaquith also created a site called securitymetrics.org, and has been running a small annual conference series called Metricon since 2006. Take a look at some of the presentations from Metricon 7, held in 2012.
Read the following summary and comment on your Blog.
Consider the following two presentations – this one and this one. One is by a business person and the other by a seasoned security professional. Which do you think will have more appeal to a set of business stakeholders? Discuss your thoughts on your Blog.
- Two references in each topic with in-text citations.
- 200 words for each topic.