Second Understand Your Risk

Risk assessment tools often use sophisticated algorithms to calculate risk. In this series of articles we used the Symantec Expert risk assessment technology, which sadly - despite its unique capabilities - no longer seems to be on sale. In simple terms, the three primary components of risk, i.e. threat, vulnerability and asset, are each decomposed in accordance with accepted attributes such as motivation, capability and likelihood for threat, ease of exploitation and harm for vulnerability, and confidentiality, integrity and availability for asset. Mathematics then provides a way to calculate the volume of the risk cube and hence a measure of relative risk.

Safeguards can also be assigned values in terms of the same set of attributes collectively used to describe threats, vulnerabilities and assets, allowing us to reduce the volume of the risk cube. The question then arises, "by how much should I reduce my risk?".

Strategies for reducing risk

Let us first ignore threats and assets. We can do this by fixing the size of the threat and asset faces of the risk cube. Take a look at the diagram opposite. It shows the damage caused by vulnerabilities to a typical standalone NT 4.0 laptop with a modem for Internet connection, or remote access to a corporate WAN/LAN.

Each data point represents a real vulnerability, and therefore an individual risk cube.

The data were calculated using Expert 3.0.

[Figure: graph showing the damage caused by known computer vulnerabilities on a 0-10 scale. The damage lies between 2 and 10.]

There are four strategies we can use for reducing risk:

  • fix every vulnerability
  • fix those which can be fixed for "free" and then fix those within a given budget
  • choose a balance of technical and non-technical (i.e. physical, procedural, personnel, etc.) safeguards
  • fix those which cause the greatest damage first.

Which is the best strategy?

The diagram below shows the effect of applying safeguards in order of their effectiveness at reducing risk (greatest first). All safeguards relevant to fixing the NT laptop vulnerabilities have been applied.

Some safeguards are more effective at reducing risk than others, but there is also overlap. In other words some safeguards tackle the same vulnerability. Moreover, some vulnerabilities cannot be completely countered.

[Figure: graph showing the ability of different safeguards to reduce risk. In the example, the risk with no safeguards has an index of 35000. This drops rapidly to 15000 with the deployment of about one third of the applicable safeguards and then slowly to 12000 with the introduction of 60% of the applicable safeguards. The remaining safeguards have a negligible effect.]

Thus, the shape of the curve is completely reasonable, exhibiting an initial sharp decline flattening out to a non-zero constant value.

Clearly an attempt to fix all of the vulnerabilities will not actually reduce the risk to zero. Moreover, over a third of the fixes are comparatively ineffective. Thus the risk avoidance strategy of fixing every vulnerability, although guaranteed to minimise risk, is potentially an expensive and time-wasting strategy.

The second, third and fourth strategies hand-pick a selection of safeguards, distributed across the spectrum of safeguards. The distribution is respectively a function of cost, type of safeguard and safeguard effectiveness. The fourth strategy ranks the safeguards exactly as given in the above figure. It invites selection of the first 25 safeguards (there are about 100 in total) necessary to reduce the risk by 50%. It then invites the selection of another 30 safeguards, thereby reducing the overall risk by 66%. The other strategies rank the safeguards in a different order and tend to invite the selection of less effective safeguards first. Overall, these are less efficient strategies. The fourth strategy is therefore the best.

How can we reduce more risk?

Since not all vulnerabilities can be successfully countered, the only ways left to reduce the risk are to decrease the threat or decrease the value of the assets. Let us first consider decreasing the threat, for example by the introduction of firewalls, physical security, sound recruitment practices and user training.

[Figure: graph showing an almost linear relationship between decreasing risk measure and increasing number of threat-reducing safeguards.]

The effect of threat-reducing safeguards can be quite dramatic, as evidenced in the diagram opposite. This should not be unexpected, because such a safeguard tends to reduce the threat component of every risk cube simultaneously. Consider, for example, the hacking threat. A significant proportion of our NT laptop vulnerabilities are potentially exploitable in this way. However, if the laptop is given the benefit of a firewall on dial-up to the corporate LAN, the effect of the firewall will be to reduce the volume of all those risk cubes associated with vulnerabilities that could be exploited by a hacker. The action of asset-value-reducing safeguards is similar.
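As an added illustration of both the safeguard ranking (strategy four) and the threat-reducing effect just described, the following Python is a constructed toy model of the risk cube; it is not Gamma's or the Expert tool's code, and the cubes and safeguards are made-up sample values, not the NT laptop data behind the graphs. It assumes risk per vulnerability is threat × vulnerability × asset and that a safeguard scales one face of the cubes it covers, so overlapping fixes and a vulnerability with no fix leave the non-zero floor the curve above shows.

```python
from dataclasses import dataclass


@dataclass
class RiskCube:
    """One vulnerability's risk cube: threat x vulnerability x asset (0-10 faces)."""
    name: str
    threat: float
    vulnerability: float
    asset: float

    def volume(self) -> float:
        return self.threat * self.vulnerability * self.asset


@dataclass(frozen=True)
class Safeguard:
    """Scales one face of the cubes it covers; factor is the residual fraction."""
    name: str
    face: str                          # "vulnerability" or "threat"
    factor: float                      # 0.1 = removes 90% of that face
    targets: frozenset = frozenset()   # vulnerability names; empty = every cube


def total_risk(cubes):
    return sum(c.volume() for c in cubes)


def apply(cubes, sg):
    """Return new cubes with the safeguard applied (input cubes are not mutated)."""
    out = []
    for c in cubes:
        covered = not sg.targets or c.name in sg.targets
        t = c.threat * sg.factor if covered and sg.face == "threat" else c.threat
        v = c.vulnerability * sg.factor if covered and sg.face == "vulnerability" else c.vulnerability
        out.append(RiskCube(c.name, t, v, c.asset))
    return out


def rank_by_effectiveness(cubes, safeguards):
    """Strategy four: repeatedly pick the safeguard with the largest marginal risk
    reduction. Returns [(safeguard name, residual risk after applying it), ...]."""
    remaining, curve = list(safeguards), []
    while remaining:
        best = max(remaining, key=lambda s: total_risk(cubes) - total_risk(apply(cubes, s)))
        remaining.remove(best)
        cubes = apply(cubes, best)
        curve.append((best.name, total_risk(cubes)))
    return curve


# Constructed sample data (hypothetical, not the Expert 3.0 data behind the graphs).
SAMPLE_CUBES = [RiskCube("V1", 8, 9, 7), RiskCube("V2", 6, 8, 5),
                RiskCube("V3", 5, 6, 9), RiskCube("V4", 4, 3, 4)]  # V4: no fix exists
SAMPLE_SAFEGUARDS = [
    Safeguard("patch_V1", "vulnerability", 0.1, frozenset({"V1"})),
    Safeguard("config_V1", "vulnerability", 0.5, frozenset({"V1"})),  # overlaps patch_V1
    Safeguard("patch_V2", "vulnerability", 0.2, frozenset({"V2"})),
    Safeguard("harden_V3", "vulnerability", 0.6, frozenset({"V3"})),  # V3 only partly countered
    Safeguard("firewall", "threat", 0.5),  # shrinks the threat face of every cube at once
]

if __name__ == "__main__":
    baseline = total_risk(SAMPLE_CUBES)
    for name, residual in rank_by_effectiveness(SAMPLE_CUBES, SAMPLE_SAFEGUARDS):
        print(f"{name:10s} residual risk {residual:7.1f} ({residual / baseline:.0%} of baseline)")
```

Running it shows the firewall selected first because it reduces every cube simultaneously, the overlapping config_V1 selected last with a negligible effect, and the residual risk settling at a non-zero value.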

But how much risk do I need to mitigate?

The big question, of course, is just how much risk do I need to mitigate. Click here for some answers to that perplexing question.

Gamma is an ISO/IEC 27001:2005 and BS EN ISO 9001:2000 registered company, certified for the provision of information security consultancy. BSI certificate numbers IS 85916 and FS 30710. Please send comments to webmaster@gammassl.co.uk or complete our Visitors' Book. Gamma Secure Systems, Diamond House, Frimley Road, Camberley, Surrey, GU15 2PS, UK. Tel: +44 1276 702500 - Fax: +44 1276 692903. Copyright © Gamma Secure Systems Limited 1999-2003
Page last updated: 17 January, 2003