206 Risk Management – Current Issues and Challenges

The IA OM® metric is a good choice for use as an enterprise risk management metric, as described in this chapter, due to its versatility as a management metric. This metric:

- Measures information security risk management activities within an organization;
- Shows organizational senior management where their organization currently stands with respect to its risk management strategy, and its monitoring plan; and
- Demonstrates to senior management how such metrics can be used over time to track and improve their organization's ability to meet its overall risk management strategy and risk monitoring plan.

**2. Risk management**

Risk management focuses on understanding and managing risks to an organization. This chapter focuses on information security (also referred to as information assurance (IA)) risks. Wheeler [3] in his book on risk management stated that "The goal of risk management is to maximize the output of the organization (in terms of services, products, revenue, [mission accomplishment], and so on), while minimizing the chance for unexpected outcomes". This goal is best accomplished through the use of an established, proven framework for managing information security risks to organizations. This chapter proposes an approach based on the structure provided by the NIST.

The approach described by the NIST is used in this chapter due to several factors. First, the NIST approach has been developed to be consistent with and harmonize with international standards to the extent appropriate. These international standards include those of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)<sup>3</sup>. This approach is also being adopted and used by the U.S. government for virtually all government organizations, as well as other private organizations regulated by the U.S. government.

The approach described by the NIST is based on a 4-step process, used within a 3-tiered structure. The 3-tiered structure is used to depict the principal functional areas within an organization as they relate to risk management decision-making – the organization, mission/business process, and information systems Tiers – described in Section 2.2. The risk management process and the 4 steps in the process – frame, assess, respond, and monitor – are described in Section 2.3.

#### **2.1. Risk management overview**

Information security practitioners are transitioning from a compliance-based, checklist type of approach to a more risk managed approach to security [3]. This is being done largely due to practicality and resource constraints [3]. It is not possible to eliminate risk in an information system, and it is resource intensive to try [3, 4]. In order to effectively manage resources and maintain usability of the system, it is necessary to implement a risk managed approach to securing Information Technology (IT) systems.

<sup>3</sup> The NIST risk management structure is aligned with ISO/IEC 31000, *Risk Management – Principles and Guidelines*; 31010, *Risk Management – Risk Assessment Techniques*; 27001, *Information technology – Security techniques – Information Security Management Systems – Requirements*; and 27005, *Information Technology – Security Techniques – Information Security Risk Management Systems*.

To understand this change, it is important to start with a good definition of risk. A good definition in this case is one that can be understood operationally and can be easily used to clarify the process. Not surprisingly, there are many different definitions of risk. Wheeler [3] defines risk as: "the probable frequency and probable magnitude of future loss of confidentiality, integrity, availability or accountability". Accountability is not commonly accepted as being a part of the definition of risk, is not included in the definition of risk used by the NIST<sup>4</sup>, and thus will not be included in the definition of risk used in this chapter. The definition of risk used for this chapter is therefore:

**Risk:** The probable frequency and probable magnitude of future loss of an organization's operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation resulting from a loss of confidentiality, integrity, or availability.

There are two fundamentally different approaches to information security risk management activities used by organizations:

1. Compliance-based; and
2. Risk management-based.

Each of these approaches, while working toward the overall objective of ensuring the confidentiality, integrity, and availability of the organization's information and information systems, attempts to meet that objective in a fundamentally different way. Compliance-based approaches default to including controls from the best practice or other framework they are implementing – not including a prescribed control is the exception [5]. On the other hand, risk management-based approaches default to not including a control unless its need and utility can be justified by a risk analysis [5].

#### *2.1.1. Compliance and best practice frameworks*

Failure to comply with the legal and regulatory structures confronting an organization can result in penalties, loss of contracts, loss of confidence, loss of business, and stock price declines [6]. Some of the requirements that organizations may need to maintain compliance with include:

- U.S. Legal requirements (e.g., the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA));
- Non-U.S. Legal requirements for organizations operating outside the United States;
- International frameworks (e.g., Basel, Basel II); and
- Industry standards (e.g., the Payment Card Industry Data Security Standard (PCI or PCI-DSS)).

<sup>4</sup> The definition of risk provided by the NIST is: "A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation]" [17].

Compliance with these requirements is often a part of an organization's due diligence [7]. Best practice frameworks frequently focus on satisfying the auditor/examiner, helping to meet compliance requirements rather than the organization's genuine information security needs [8, 9]. Unfortunately, these checklist or compliance-based approaches to information security risk management provide static, "one-size-fits-all" information security "solutions" [3]. One result of this approach is the common perception among information security practitioners that "if you are secure you *may* be compliant, but if you are only compliant you are certainly not secure" [6].

There are a number of best practice frameworks for information security, including the Information Technology Infrastructure Library (ITIL) [10], COBIT [11], and the ISO/IEC 27001 [12], 27002 [13], and 27005 [14]. Unfortunately, these approaches are dated almost as soon as they are published due to the speed of change on the Internet and within the IT security arena [15]. Attackers are very adaptable, and change their tactics quickly. In addition, a checklist or compliance-based approach assumes that every system requires the same protection as every other system, without regard for cost, information sensitivity, and mission or business impact [3]. However, there are often considerable differences in the types of systems deployed in an enterprise, and the information they contain. Since the information contained in the IT system is normally the critical asset requiring protection, the protective mechanisms that should be implemented will depend largely on the sensitivity of the information processed, stored, or transmitted by the system [8].

However, best practice frameworks do provide a useful method for ensuring that all aspects of an IT information security program are considered when using a risk managed approach to IT information security requirements development. Due to the need of organizations to remain compliant with respect to specific legal requirements and industry frameworks, some form of compliance-based approach is likely to remain necessary.

#### *2.1.2. Risk managed approaches*

Risk-based approaches to securing information systems allow organizations to customize their information security protections, based on the needs of their organization. Using a risk-based approach requires consideration of the information processed, stored, or transmitted by the information system, as well as consideration of the IT system's environment, connectivity, and threat environment [7, 16]. Other considerations include the cost of implementing security controls weighed against the impact on the mission and business operations of the organization should a loss of confidentiality, integrity, or availability of the information occur [7].

A risk-based approach to information security is what the U.S. government is transitioning to with the release of the NIST Special Publication (SP) 800-37 [2] and SP 800-39 [3, 17]. The NIST has developed a series of SPs to focus on information security risk management, starting with an enterprise view in SP 800-39 [17], an information system view in SP 800-37 [2], and by providing an approach for performing risk assessments in SP 800-30 [18]. NIST SP 800-53 [19] provides a catalog of security controls, and recommends "baselines" of security controls based on the sensitivity of the information on the system. These baselines are intended to be customized, or "tailored", to meet the needs of the information and the information system when the system's environment, connectivity, and threats are considered [19].

#### **2.2. 3-Tiered risk management structure**

When addressing information security risk management activities, the NIST and other authors divide organizations into three levels [17, 20]. The NIST [17] identifies these tiers as the:

1. Organization;
2. Mission/Business Process; and
3. Information Systems.

Each tier has different organizational risk management responsibilities. However, despite their different perspectives and roles, they all use the same 4-step risk management process described in Section 2.3 for risk management activities within their Tier. This 3-tiered structure is depicted in Figure 1.

**Figure 1.** Risk Management Tiers<sup>5</sup>

<sup>5</sup> This figure is adapted from Figure 2 on page 9 of NIST SP 800-39 [17].

#### *2.2.1. Organization tier*

At the organization tier, risk to the entire organization is considered and managed. Part of the responsibility for managing risk throughout the organization is the process of "risk framing": establishing the context within which all organizational risk management activities will be conducted [17]. Risk framing establishes the governance framework from which the organization's risk management activities and risk tolerance are derived. Other activities occurring at Tier 1 include:

The Risk Executive (Function) (REF) is an individual or group within the organization that serves in an advisory role to organizational decision makers at all three tiers. The REF does not make decisions for the organization; rather it informs decision makers about the risks to the system, network, and the organization that may result from a particular risk decision. The REF considers risk from a holistic perspective, considering mission and business risks, in addition to security risks. This risk consideration is done with an organization-wide perspective, allowing the REF's recommendations to reflect the potential impact that accepting risks in one area or system may have on other systems or the organization.

(RMF)<sup>8</sup> and the system development life cycle<sup>9</sup> are performed here, to ensure each information system meets its technical, mission, and security requirements. In this tier, "information system owners, common control providers, system and security engineers, and information system security officers make risk-based decisions regarding the implementation, operation, and monitoring of organizational information systems" [17].

#### **2.3. Risk management process**

The risk management process consists of a number of discrete steps. These steps take place at different times within the process, and possibly at multiple times in the process due to the iterative nature of risk management activities. It is important that all of the steps are completed for a risk management program to be fully effective. These steps apply to risk management activities taking place at each tier within the organization, so this process is equally applicable to risk management activities taking place at Tier 1 as it is at Tier 2 or 3.

NIST describes four distinct steps in the risk management process. These steps are:

1. Risk Framing
2. Risk Assessment
3. Risk Response
4. Risk Monitoring

#### *2.3.1. Risk framing*

Risk framing is a governance activity that is performed at Tier 1. Its principal output is a risk management strategy "that addresses how organizations intend to assess risk, respond to risk, and monitor risk" [17]. The risk management strategy is created as a joint effort between an organization's senior management and/or executives in conjunction with the risk executive (function) [17]. The risk management strategy explicitly states the assumptions, constraints, risk tolerances, and priorities or trade-offs used in making investment and operational decisions for the organization [17]. It also details what types of risk responses are supported, how risk is assessed, and how risk is monitored for the organization [17].

#### *2.3.2. Risk assessment*

Risk assessment is the process of:

1. Identifying risks (threats and associated vulnerabilities) to an organizational asset, activity, or operation;
2. Estimating the potential impact and likelihood of the risk materializing, and

<sup>8</sup> The RMF is described in detail in NIST Special Publication (SP) 800-37, available from: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

<sup>9</sup> The system development life cycle established by the NIST is described in NIST SP 800-64, *Security Considerations in the System Development Life Cycle*, Oct. 2008 [23].
