Relating Risk to Vulnerability

1. Phillip Banks PE, CPP © The Banks Group Inc. - 2017

2. “If we don’t understand vulnerability we won’t understand risk.” Unknown “Risk management is a systematic response to uncertainty.”1 1CSE/RCMP Harmonized Threat and Risk Assessment Methodology, October 23rd, 2007

3. Risk Is a person or situation that poses a possible threat to the security of something. The effect of uncertainty on objectives1. Vulnerability Is a weakness or gap in a security protections, control measures or processes that can be exploited by an adversary to remove, damage or destroy an asset. 1Risk Management Principles and Guidelines, AS NZS ISO 31000:2009

4. Risk has three key characteristics1: It looks ahead into the future; There is an element of uncertainty e.g. a condition or a situation exists that might cause a problem for the project in the future; It is related to the outcome. 1Project Complexity and Risk Assessment Tool, Version 1.4,. Treasury Board of Canada Secretariat

5. Risk = P x I Risk = P x I x V Risk = PA (1 – PI) C Risk = P x I x M Risk = Probability x Impact Security Controls Risk = P X E (Exploitability of Protection)

6. Adversary? Threat(s)? Adversary Objectives? Capabilities and Strengths? Adversary Determination? Knowledge, Training and Experience? Timeline? ???????

7. © The Banks Group Inc. - 2016

8. Risk is never static. Risk can be within or outside our sphere of control. Risk is affected by both the adversary and the target. A convertible asset requires multi-stage “risk continuum” consideration. What can be done to positively affect the “risk triangle”? Corporate “Risk Appetite”? Probability

9. Quantifiable Risk Risk we can precisely measure and record with numbers: How many security controls are present? Is the control strength rated? How many attacks per day do we see? How many times did this happen in the past? How many vulnerabilities exist? etc. Qualifiable Risk Risk we have an idea about but can't accurately measure and is thus subjective: How confident are we with the code-base? Do we think the project has had sufficient review? Do we think this control is efficient? etc.

10. Possibility – An event that could occur. Probability – The likelihood of the event occurring. A “possibility” is any event which has a “probability” of occurrence which is greater than “0”.

11. A threat-event will take place? The threat-event will be mitigated to some degree? The adversary will be 100% successful? What probability? Impossible? Even Chance? Certain?

12. Historical record Anecdotal info Police sources Industry sources Networking Credible intelligence Security technology inputs Industry experience …………………….?

13. Probability of a six being on the upper surface of one dice…? Probability of two sixes being on the upper surface of two dice…? Probability of three sixes being on the upper surface of three dice…?

14. A system with three components fails if one or more components fail. The probability that any given component will fail is 1/10. What is the probability that the system will fail?

15. Business impact analysis S.W.O.T analysis Past experience Risk manager In-house counsel Public relations Employees Etc...

16. Probability Impact Critical Medium Low High

17. • R = Risk to the facility of an adversary gaining access to assets (ranges from 0 to 1.0). • PA = Probability of an adversary attack during a period of time. • PE = Probability of Preventing the Event. • = P(I) INTERUPTION x P(N) NEUTRALIZATION • C = Consequence Value. Note: If PE is the probability of preventing the event then [1-PE] must be the probability of the adversary being successful R = PA * [1-(PE)] *C * The Design and Evaluation of Physical Security Systems, Garcia, Mary Lynn, Butterworth-Heinemann, 2001 Risk = Probability Vulnerability Impact

18. Vulnerabilities are always present? Vulnerabilities are not static. Vulnerabilities become transparent if not treated. Vulnerabilities are measurable.

19. Control Measures Vulnerability Parameters?

20. What is vulnerable? Why is it vulnerable? What makes it vulnerable? Is the vulnerability easily exercised? Can the vulnerability be mitigated?

21. Management and Measurement Identify vulnerabilities. Establish parameters. Identify options. Implement options. Measure outcome. Remediate as required. Monitor and report. Vulnerability Register.

22. Vulnerability Vulnerability Type Threat Relationship Dependency ? Remediation WHAT IS IT? P, P or T Tailgating People Daily Operations Access Management Protocol Education and Awareness, Signage, Anti- Passback

23. Pareto Analysis Pair-wise Comparison Fault Tree Analysis Attack Tree Analysis Failure Mode & Effect Analysis Failure Modes, Effects & Criticality Analysis C.A.R.V.E.R (modified) Cause & Effect (Ishikawa) Monte Carlo Simulation _____________________? Qualitative vs Quantitative

24. Fit-for-Purpose: A protection/control measure which is formally selected and mitigates the known and reasonably foreseeable threats. State-of-Readiness: A protection/control measure which is implemented, operated, maintained and demonstrably capable of mitigating known or reasonably foreseeable threats.

25. Rating Fit-for-Purposes Scoring Rationale 5 Protection selected based on recognized standard or leading practice. A formal performance level was identified and is still being met or exceeded. 3 Protection not specifically appropriate for the threat, operational or functional environment or it is only nominally achieving the required level of performance. 1 Protection is inappropriate for threat, operational or functional environment or is not meeting a required level of performance. Rating State-of-Readiness Scoring Rationale 5 Protection is functioning as designed and is operational in all respects. There is little or no down-time and there is no record of it being compromised. 3 Protection is primarily functioning as designed although there is occasional down-time due to loss- of-service or periodic break- down. 1 Protection is not functioning or not being in a State-of-Readiness due to periodic loss-of-service or break-down.

26. Fit-for-Purpose and State-of-Readiness ratings are independent so the overall rating is the product of the two. A protection which is both fully Fit-for-Purpose and in a complete State-of-Readiness should achieve a score of 25. If the assessor believes Fit-for-Purpose = 5 but the State-of-Readiness = 3 then the overall rating of the protection is 15 or 60% effective and it has a vulnerability level of 40%.

27. 1. Develop the protection design to meet DBT. 2. Identify appropriateelements of the design. 3. Identify how protection system will be evaluated for effectiveness over time.

28. Characteristic Insider Criminal Organized Crime Objective Steal assets such as tools, parts. Steal large quantity of valuable assets. Steal large quantities of finished product. Motivation Personal gain, revenge. Personal gain. Large gain for criminal organization. Base Enhanced Base Enhanced Base Enhanced Planning/System Knowledge Good depending on position. Significant. Some, opportunistic. Significant if in collusion with insider. Good to high level. Extensive information and level of access. Weapons None Edged weapons Edged weapons Hand guns, shot guns Unlikely Wide array of weapons Tools and Equipment Access keys or credentials. Access keys, credentials & combinations. Hand tools or readily available tools at the facility. Hand and power tools. Hand tools or readily available tools at the facility. Access keys, credentials and combinations. Hand and power tools. Contaminants N/A N/A N/A N/A N/A N/A IMPACT (damage) to Asset(s) Minimal Notable Notable Significant Notable to Significant Significant to Critical Injury to Persons No Possible but unintentional Possible but unintentional Possible Possible but unintentional Possible and intentional Fatalities No No No Possible but unintentional Possible but unintentional Possible and intentional

29. 1The Design and Evaluation of Physical Protection Systems, Mary Lynn Garcia, Sandia National Laboratories, Albuquerque, New Mexico, Butterworth- Heinemann, 2001

30. Define the Context – Measuring What? Identify all contributing security element(s). Use known or reasonably foreseeable threat(s). Step through the process and assign scores – Does it make sense? Team approach/peer review.

31. Protection Deter Deny Detect Delay Respond Protection Score % Cont. Comments Fence 3 3 0 3 0 9 11 Bldg Const. 5 5 0 5 0 15 19 AM & IDS 1 3 5 3 3 15 19 CCTV 3 1 5 0 5 14 18 Sec Guards 5 3 3 3 5 19 24 Employees 1 0 3 0 3 7 9 18 15 16 14 16 Actual Score = 79 Possible Score = 115 Overall Effectiveness = 69%

32. PROBABILITY IMPACT VULNERABILITY 1. Collecting, recording and analyzing information and data to develop security intelligence. 2. Networking and contact development. 3. Modeling and threat forecasting 1. Business impact analysis. 2. Identification of critical structures, operations and people. 3. Implementation and maintenance of organizational resilience. 1. Criticality analysis. 2. Threat and threat event identification. 3. Vulnerability analysis e.g. Pareto, CARVER & Monte Carlo Simulation etc. 4. Vulnerability assessment and reduction.

33. Practice risk management or become very good at crisis management. Your choice….. Risk Management Crisis Management?

34. Phillip Banks PE, CPP The Banks Group Inc. #4 – 1310 Wilkinson Road Comox, British Columbia Canada V9M 0B3 604.762.5852 pbanks@thebanksgroup.ca www.thebanksgroup.ca © The Banks Group Inc. - 2017

35. Protection of Assets Manual, ASIS International Industry Guidelines on a Framework for Risk Related Decision Support, UKOOA, 1999 GRiP – A flexible approach for calculating risk as- a function of consequence, vulnerability and Threat, R.G. Whitfield, W.A. Beuhring and G.W. Bassett, Argon National Laboratory, ANL/DIS -113, Decision and Information Services Division, January 2011. Maturity Framework for Assuring Resiliency Under Stress, Carnegie-Mellon University, Don O’Neill, 2008 Pareto-Optimal Situation Analysis for Selection of Security Measures, Andres Ojamaa, Enn Tyugu, Jyri Kivimaa, IEEE, 2008 Concept of Vulnerability in Chemical Plants, Journal of Chemical & Pharmaceutical Research, 6(7); 1448-1454, Dongfen Zhao, Su Hu, Cong An, Shuang Chen, Yifei Meng - 2004 Quantified Risk is a Weak Hypothesis, “A critical survey of results and assumptions”, Vilhelm Verendel, Chalmers University, 2009 General Security Risk Assessment Guideline, ASIS International Guidelines Committee, 2003 Indicators and criteria for measuring vulnerability: Theoretical Basis and Requirements, Jӧrn Birkmann, 2006 Defining and assessing quantifying security risk measures using vulnerability lifecycle and CVSS metrics, Hyun Chul Jon and Yashwant K. Malaiya, Colorado State University, Fort Collins, Colorado, USA, 2011 Risk Analysis and the Security Survey, Third Edition, James F. Broder, CPP, Butterworth-Heinemann, 2006 AS/NZS ISO 31000:2009 Standard, Risk Management Principles and Guidelines (Superseding AS/NZS4360:2004) AS/NZS HB 167:2006 Security Risk Management Standard Handbook The Design and Evaluation of Physical Protection Systems, Mary-Lynn Garcia, Sandia National Laboratories, 2001 Risk Assessment and Management for Critical Asset Protection (RAM-CAP), ASME Innovative Technologies Institute LLC, Washington, DC, 2004 Business Risk Assessment, David McNamee, The Institute of Internal Auditors, 1998 w3.epa.gov, Defining Risk Characterization http://www.algebra.com/algebra/homework/Probability-and-statistics/Probability-and-statistics.faq.question.419808.html

Relating Risk to Vulnerability

Du liest eine Vorschau.

Hier ansehen

Relating Risk to Vulnerability

Weitere Verwandte Inhalte

Diashows für Sie (20)

Ähnlich wie Relating Risk to Vulnerability (20)

Weitere von Resolver Inc. (20)

Aktuellste (20)