Introduction to O-RA Standard
O-RA (Risk Analysis)
A standard intended to be applied to the problem of managing the frequency and magnitude of loss that arises from a threat (whether human, animal, or natural event).
Coupled with the Risk Taxonomy (O-RT) Standard, it provides risk analysts with the specific processes necessary to perform effective FAIR-based information security risk analysis.
Risk Analysis
(Figure: Risk Assessment = Identify, Evaluate, Report. Identify takes risk-related concerns and produces identified risk concerns; Evaluate is the Risk Analysis step, which determines the significance of the identified risk concerns; Report follows.)
Managing "how often bad things happen, and how bad they are when they occur"
A Few Key Objectives of O-RA
Used with the companion O-RT standard to:
Establish a common language for the information security and risk management profession
Introduce rigor and consistency into analysis for more effective risk modeling
Educate information security, risk and audit professionals
Introduction to O-RT Standard
O-RT (Risk Taxonomy)
A standard that provides a single logical and rational taxonomical framework for understanding and/or analyzing information security risk.
Each factor that drives risk is identified and defined.
It is limited to describing the factors that drive risk and their relationships to one another.
Why do we Need a Taxonomy for Risk?
(Figure labels: Risk; Software Flaws or Faults)
So, is Risk = (Threat × Vulnerability) / Controls?
If not, what are the factors that drive risk?
Risk Taxonomy – High Level
Risk: estimates the probable frequency and magnitude of future loss
    Loss Event Frequency (LEF): probable frequency, within a given timeframe, that a threat agent can inflict harm on an asset
        Threat Event Frequency (TEF)
            Contact Frequency (CF)
            Probability of Action (PoA)
        Vulnerability (Vuln)
            Threat Capability (TCap)
            Resistance Strength (RS)
    Loss Magnitude (LM): probable magnitude of loss resulting from a loss event
        Primary Loss
        Secondary Loss
            Secondary Loss Event Frequency
            Secondary Loss Magnitude
Risk Taxonomy – Loss Event Frequency
Threat Event Frequency: probable frequency, within a given timeframe, that a threat agent will act against an asset
    Contact Frequency: probable frequency, within a given timeframe, that a threat agent will come into contact with an asset
    Probability of Action: probability that a threat agent will act against the asset once contact occurs
Vulnerability: probability that a threat event can become a loss event
    Threat Capability: probable level of force that a threat agent is capable of applying against an asset
    Resistance Strength: strength of a control as compared to a baseline measure of force
Risk Taxonomy – Loss Magnitude
Primary Loss: occurs directly as a result of the threat agent's action on the asset
Secondary Loss: occurs due to secondary stakeholders
    Secondary Loss Event Frequency: allows the analyst to estimate the percentage of time a scenario is expected to have secondary effects
    Secondary Loss Magnitude: losses expected in dealing with secondary stakeholders (e.g. fines, loss of market share)
FAIR Basic Risk Analysis Methodology
Stage 1 – Scoping
    1. Identify the asset at risk
    2. Identify the threat community under consideration
    3. Define the loss event
Stage 2 – Evaluate LEF
    4. Estimate the Threat Event Frequency
    5. Estimate the Threat Capability
    6. Estimate Resistance Strength
    7. Derive Vulnerability
    8. Derive Loss Event Frequency
Stage 3 – Evaluate LM
    9. Estimate Primary Loss
    10. Evaluate Secondary Loss: estimate Secondary Loss Event Frequency, then estimate Secondary Loss Magnitude
Stage 4 – Derive Risk
    11. Derive Primary Risk
    12. Derive Secondary Risk
    13. Derive Total Risk
So, why apply risk analysis for e-commerce?
Data Breaches in Retail Environment
Categories of Data Breach
The year 2013 may be remembered as the "year of the retailer breach".
Source: Verizon 2014 Data Breach Investigations Report
Mapping of O-RA to E-commerce Domain
The Scenario
An e-commerce portal that specializes in selling gift items such as fragrances, books, watches, sunglasses, bags and wallets across the globe. Customer personal information is stored in the portal, whereas credit and debit card details are stored with external payment gateways and not within the portal. The portal is available to all registered and guest users, 24x7.
Mapping of Stage 1 to E-commerce Platform
Scoping the E-commerce Platform
Identify the asset at risk (What asset is at risk?)
    Key assets:
    Customer data: personal details such as name, contact details and address
    E-commerce server infrastructure such as web, application and database servers
    Customer credit and debit card details (handled by external payment gateways, which are PCI-DSS compliant)
Identify the threat community under consideration (Risk associated with what threat?)
    Hackers, for gain and to cause disruption
    Script kiddies
    Internal employees of the organization
Define the loss event (What does the loss event look like?)
    The malicious access and misuse of sensitive customer data by hackers using vulnerabilities in the system
    Note that this definition excludes events by script kiddies and internal employees, stipulates that the intent is malicious, and involves data misuse.
Mapping of Stage 2 to E-commerce Platform
Evaluate LEF
Estimate the Threat Event Frequency
    Very High (VH): more than 100 times per year
    High (H): between 10 and 100 times per year
    Medium (M): between 1 and 10 times per year
    Low (L): between 0.1 and 1 times per year
    Very Low (VL): less than once every ten years
Estimate the Threat Capability (skills, resources)
    Very High (VH): top 2% as compared to the overall threat population
    High (H): top 16% as compared to the overall threat population
    Medium (M): average skill and resources (between the bottom 16% and the top 16%)
    Low (L): bottom 16% as compared to the overall threat population
    Very Low (VL): bottom 2% as compared to the overall threat population
Probable motive factors are the value of the asset and how vulnerable the asset is, versus the risk of being caught.
Mapping of Stage 2 to E-commerce Platform
Evaluate LEF
Estimate Resistance Strength
    Very High (VH): protects against all but the top 2% of an average threat population
    High (H): protects against all but the top 16% of an average threat population
    Medium (M): protects against the average threat agent
    Low (L): only protects against the bottom 16% of an average threat population
    Very Low (VL): only protects against the bottom 2% of an average threat population
Deriving Vulnerability and LEF using Monte Carlo Simulation
Vulnerability is the difference between the force the threat agent is likely to apply and the asset's ability to resist that force (Threat Capability compared with Resistance Strength).
Loss Event Frequency is Medium, meaning it can happen between 1 and 10 times per year.
Because LEF = TEF × Vulnerability and Vulnerability is a percentage (at most 100%), LEF can never exceed TEF.
Stage 3 – Loss Magnitude (Primary)
Possible set of ranges to characterize Loss Magnitude for customer data misuse
Primary Loss Magnitude by loss form:
    Productivity: L
    Response: M
    Replacement: L
    Fines/Judgments: -
    Competitive Advantage: -
    Reputation: -
Productivity loss is considered Low because the e-commerce portal remains operational, and Replacement loss is Low as well. The primary loss magnitude here is driven by response costs.
Estimating Secondary Loss Probability
Estimating SLEF
    Very High (VH): 90% to 100%
    High (H): 70% to 90%
    Medium (M): 30% to 70%
    Low (L): 10% to 30%
    Very Low (VL): 0% to 10%
Secondary loss probability is Very High: primary LEF was Medium and SLEF is Very High.
Stage 3 – Loss Magnitude (Secondary)
Possible set of ranges to characterize Loss Magnitude for customer data misuse
Secondary Loss Magnitude by loss form (Productivity, Response, Replacement, Fines/Judgments, Competitive Advantage, Reputation): ratings assigned are H and M.
Response is the time spent by executives in meetings and on notifications, plus the expenses of inside/outside legal counsel.
Response activities and approximate cost:
    Executive time: 40 hours × $200/hr = $8,000
    Notification costs ($5 per customer for ~50,000 customers): $250,000 USD
    Legal expenses: $200,USD
    Total (approx.): $450,000 USD
Stage 4: Deriving Primary and Secondary Risk
Primary Risk is derived from the probable loss event frequency (Medium) and the probable future loss magnitude (Medium).
Secondary Risk is very high compared to primary risk because of the involvement of e-commerce customers' data.
Stage 4: Deriving Overall Risk
Overall risk is Very High based on the combination of Primary and Secondary risk.
Qualitatively, risk is derived to be Very High; quantitatively, the magnitude of loss is Significant.
Basic Control Considerations in FAIR Analysis
Risk Controls
(Figure: the four control types placed on the risk taxonomy)
Risk
    Loss Event Frequency
        Threat Event Frequency
            Contact Frequency: Avoidance controls affect the frequency and/or likelihood of encountering threats
            Probability of Action: Deterrent controls affect the likelihood of a threat acting in a manner that can result in harm
        Vulnerability (Threat Capability, Resistance Strength): Vulnerability controls affect the probability that a threat's action will result in a loss
    Loss Magnitude (Primary Loss; Secondary Loss: Secondary Loss Event Frequency, Secondary Loss Magnitude): Response controls affect the amount of loss that results from a threat's action
Information Security Controls Mapping to E-commerce Platform
Avoidance Controls
    Firewall filters, in the datacenter as well as in the cloud:
        Enable VPN for communication in a hybrid cloud
        Virtual Private Clouds (preferable from a security standpoint)
    Physical barriers
    Reducing the threat population by implementing fraud management systems (example: EBS)
Deterrent Controls
    Policies: IT security compliance aligned to organizational policy
    Logging and monitoring: use infrastructure and application monitoring (for example, Amazon CloudWatch and Pingdom)
    Asset hardening: ensure infrastructure vulnerability is assessed and that any issues found are addressed
Information Security Controls Mapping to E-commerce Platform (Contd.)
Vulnerability Controls
    Confidentiality, Integrity, Availability (CIA)
    Industry bodies such as OWASP, CWE and WebAppSec publish known vulnerabilities and their resolutions, to be applied at the code and configuration levels
    Penetration testing: VAPT for application and infrastructure; plan for iterative SAST and DAST throughout the development and testing life cycle
Response Controls
    Backup and media restore process: maintain real-time synchronization between master and slave databases, with archival strategies
    Forensic capabilities
    Incident response process
References
Risk Taxonomy (O-RT), Version 2.0, Open Group Standard C13K, The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13k.htm
Risk Analysis (O-RA), Open Group Standard C13G, The Open Group, October 2013; refer to: www.opengroup.org/bookstore/catalog/c13g.htm
How to Measure Anything: Finding the Value of Intangibles in Business, Douglas W. Hubbard, John Wiley & Sons, 2010