Risk Assessment Of Information Technology


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

In this graduation project I reviewed the National Institute of Standards and Technology (NIST) risk management guide for information technology systems. General information about risk and risk management is given first. An example adopted from the Commonwealth of Virginia's Information Technology Risk Management Guideline (Virginia Information Technologies Agency) is then discussed to illustrate the implementation. Finally, the results obtained are presented and the solutions are discussed.

Computers are used in every area of our lives, which is why this age is called the era of Information Technology. It is hard to imagine a world without computers, because they are fast and make tasks easy to accomplish.

Information Technology (IT) is, in short, the use of computers and software to manage information. It is concerned with the development, management and use of computer-based information systems, and it plays an important role in telecommunications, banking, business and many other sectors.

Every organization uses information technology. E-mail, for example, supports communication among employees, suppliers and customers, and organizations use IT to improve the way they design products and manage customer relationships.

Each organization has a mission, and its IT systems exist to help it accomplish that mission.

Organizations face obstacles in their processes, and these obstacles pose risks to their endeavors. Risk management plays a crucial role in protecting an organization's information assets, so IT security is an important part of the risk management process. IT experts must help their organization's management recognize and manage the uncertainties the organization faces.

2 BASIC CONCEPTS OF RISK MANAGEMENT

2.1 WHAT IS RISK? WHAT IS RISK MANAGEMENT?

A disaster grows out of danger, and risk is the danger that may turn into a disaster. A vulnerability without a hazard is not dangerous; it becomes dangerous when the two come together, because together they constitute risk. Risk can be managed and reduced. To do so, people need to be sensitive to their environment, act carefully and be aware of the weaknesses that existing dangers could exploit; then they can take measures before the dangers turn into disasters.

There are many definitions of risk; here only IT risk is considered.

According to the National Institute of Standards and Technology, "Risk for information technology is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization." (5) Risk management is therefore an important part of information technology: managing risk is not easy, because risk is tightly bound to uncertainty.

As Figure 1 shows, risk management consists of planning, assessing, handling, monitoring and reporting risks. Risks must first be identified; the risk manager then works to reduce the impact of negative events through a plan. Reducing and avoiding risk are the central parts of risk management, but sometimes managers must accept a risk, because doing nothing may be the best option for their project.

Figure 1. Risk Management Elements (image: http://upload.wikimedia.org/wikipedia/commons/2/2d/Risk_Management_Elements.jpg)

Following Figure 1, the first step is to plan: answer the what, when and how questions and set a strategy with goals and objectives. Next, risks are identified and analyzed; risk identification is concerned with establishing what the risks are. The risks are then mitigated, which is the main purpose of risk handling. Finally, the risks are monitored and reported. Risk management is a continuous process of tracking and evaluating risks.

Seen from the IT perspective, risk management is about protecting the confidentiality, integrity and availability of information. To protect it, we must understand and respond to the situations that could cause that objective to fail.

3 RISK ASSESSMENT OF INFORMATION TECHNOLOGY

There are two main approaches to risk assessment: quantitative and qualitative.

Quantitative risk assessment assigns numerical values to likelihood and impact; the risk is calculated and then judged acceptable or not. Although this is a common approach to risk measurement in many fields, it is rarely the preferred approach for information systems (6), because it is hard to put a value on information assets and hard to estimate the frequency of events (6).

Qualitative risk assessment instead describes likelihood and consequences on a descriptive scale. Some events are hard to characterize with numeric variables, so organizations use qualitative assessment for them. It expresses risk results as "High", "Moderate" and "Low".

In some cases the risk is acceptable. In Figure 2, event A has low values and its risk is admissible. Event B falls between the lower and upper limits, so the decision is harder. Event C lies above the upper limit and is unacceptable.

Figure 2. Risk Evaluation

The qualitative assessment studied in this project consists of six steps drawn from the NIST SP 800-30 methodology: identification of threats, identification of vulnerabilities, control analysis, likelihood determination, impact determination and risk determination. This is the assessment used for information technology systems in the rest of this project.

3.1 IDENTIFICATION OF THREATS

Threat: "The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability." (5)

Threat-Source: According to the National Institute of Standards and Technology, a threat-source is "either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability." (5)

In this step the threat-sources and the threats they could pose are identified. A threat is only meaningful in relation to a threat-source that can exercise the vulnerability, so every identified threat should be tied to a threat-source to keep the assessment accurate.

NIST groups threat-sources into three common categories (5):

• Natural Threats such as floods, earthquakes, hurricanes

• Human Threats such as virus infection, unauthorized access

• Environmental Threats such as power failure, pollution, chemicals, water damage

Table 1. Human Threats (5)

Threat-Source: Hacker

• Hacking

• Social engineering

• System intrusion

• Unauthorized system access

Threat-Source: Computer criminal

• Computer crime (e.g., cyber stalking)

• Fraudulent act (e.g., replay, impersonation, interception)

• Information bribery

• Spoofing

• System intrusion

Threat-Source: Terrorist

• Bomb/Terrorism

• Information warfare

• System attack (e.g., distributed denial of service)

• System penetration

• System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)

• Economic exploitation

• Information theft

• Intrusion on personal privacy

• Social engineering

• System penetration

• Unauthorized system access

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)

• Assault on an employee

• Blackmail

• Browsing of proprietary information

• Computer abuse

• Fraud and theft

• Information bribery

• Input of falsified, corrupted data

• Interception

• Malicious code (e.g., virus, logic bomb, Trojan horse)

• Sale of personal information

• System bugs

• System intrusion

• System sabotage

• Unauthorized system access

The table gives a representative, not exhaustive, set of human threat-sources and the actions each is likely to take. Identifying them lets an organization anticipate the attacks it is most likely to face.

Threats must be identified in the context of the system's environment. Information about natural threats such as earthquakes and storms is readily available, and many governments and organizations publish lists of common threats. As intrusion detection tools become more widespread, governments and organizations increasingly collect data on security events, which improves their ability to identify threats. Sources of threat information include, but are not limited to, the following (5):

• Intelligence agencies (for example, the Federal Bureau of Investigation's National Infrastructure Protection Center)

• Federal Computer Incident Response Center (FedCIRC)

• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org.

3.2 IDENTIFICATION OF VULNERABILITIES

Vulnerability: "A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy." (5)

Vulnerabilities can cost a business money and reputation, and can disrupt its services. For information technology, security is a long-term process that must be kept under review. Vulnerabilities arise from missing technical safeguards in hardware and software, from physical security weaknesses, and from users who are unaware of the risks. Safeguards should therefore be reviewed at frequent intervals, the necessary corrections made, and operational staff trained in security matters.

Table 2 lists some examples of vulnerability/threat pairs (5):

Table 2. Vulnerability/Threat Pairs

Vulnerability | Threat-Source | Threat Action

Terminated employees' system identifiers (IDs) are not removed from the system | Terminated employees | Dialing into the company's network and accessing company proprietary data

Company firewall allows inbound telnet, and guest ID is enabled on XYZ server | Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists) | Using telnet to XYZ server and browsing system files with the guest ID

The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system | Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists) | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place | Fire, negligent persons | Water sprinklers being turned on in the data center

These are examples of the vulnerability/threat pairs that should be considered. The set of relevant pairs changes over time as the system and its environment change, so the list must be revisited rather than treated as complete.
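The first pair in Table 2 (terminated employees' IDs that are never removed) is the one most easily checked with a script: compare the directory's enabled accounts against the HR roster. The following Python is an added example, not part of the NIST guide or the Virginia case study; the roster, the account list, the field names and the three-day removal window are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the VITA case study): an HR roster and a
# directory export, in the shape a small agency might pull from its systems.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "terminated_on": None},
    "asmith": {"status": "terminated", "terminated_on": date(2007, 5, 14)},
    "bkhan":  {"status": "terminated", "terminated_on": date(2007, 7, 1)},
    "clee":   {"status": "active",     "terminated_on": None},
}

DIRECTORY_ACCOUNTS = [
    {"id": "jdoe",    "enabled": True,  "last_login": date(2007, 7, 9)},
    {"id": "asmith",  "enabled": True,  "last_login": date(2007, 6, 2)},   # left in May, still enabled and used
    {"id": "bkhan",   "enabled": True,  "last_login": date(2007, 6, 28)},  # left days ago, inside the grace period
    {"id": "clee",    "enabled": False, "last_login": date(2006, 1, 3)},   # disabled: nothing to report
    {"id": "svc_bfs", "enabled": True,  "last_login": None},               # no HR record at all
]


def find_stale_accounts(accounts, roster, as_of, grace_days=3):
    """Return (id, category, detail) for enabled accounts that should not exist.

    category is "terminated" for an ID whose owner left more than grace_days
    ago, or "orphan" for an enabled ID with no HR record (a service or test
    account nobody owns). Disabled accounts and active staff are skipped.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["id"])
        if person is None:
            findings.append((acct["id"], "orphan", "enabled account with no HR record"))
            continue
        if person["status"] != "terminated":
            continue
        deadline = person["terminated_on"] + timedelta(days=grace_days)
        if as_of <= deadline:
            continue  # removal is still within the agreed window
        detail = "terminated %s, still enabled" % person["terminated_on"].isoformat()
        # A login after the termination date is evidence that the threat action
        # has already occurred, not merely that the vulnerability exists.
        if acct["last_login"] and acct["last_login"] > person["terminated_on"]:
            detail += ", used on %s after termination" % acct["last_login"].isoformat()
        findings.append((acct["id"], "terminated", detail))
    return findings


def run_check(as_of_iso, grace_days=3):
    """Run the check over the constructed data for a given ISO date string."""
    return find_stale_accounts(DIRECTORY_ACCOUNTS, HR_ROSTER,
                               date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    for finding in run_check("2007-07-02"):
        print("%-8s %-10s %s" % finding)
```

Run as of 2 July 2007 the script reports asmith (terminated in May, still enabled, and logged in after leaving) and the orphan service account, but not bkhan, whose removal is still inside the grace period; a week later bkhan is reported too. The grace period is the control the assessment should record as in place or planned; an orphan account is a different vulnerability (no owner to terminate) and is reported separately so the two are not conflated.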

3.3 CONTROL ANALYSIS

The aim of this step is to analyze the controls that the organization has implemented, or plans to implement, in order to reduce or eliminate the likelihood that a threat will exercise a system vulnerability (5). The analysis must record whether each control is already in place or only planned.

Security controls fall into two classes: technical and nontechnical. Technical controls are safeguards built into computer hardware, software and firmware, such as identification and authentication mechanisms (5). Nontechnical controls are management and operational controls, such as security policies, operational procedures and personnel security (5).

3.4 LIKELIHOOD DETERMINATION

The aim of this step is to derive an overall likelihood rating of High, Medium or Low for each identified risk: the probability that the vulnerability will be exercised by the associated threat-source.

Table 3. Likelihood Definitions (5)

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

The following factors govern the likelihood rating (5):

• The nature of the vulnerability

• The capability and motivation of the threat-source

• The existence and effectiveness of current controls

3.5 IMPACT DETERMINATION

Impact analysis determines the adverse impact that would result from a threat successfully exercising a vulnerability. The impact level is described in terms of loss of integrity, availability and confidentiality, and the qualitative ratings are high, medium and low.

The three kinds of loss are briefly explained below:

Loss of Integrity (5): Data must be protected from improper modification. Unauthorized modification of an IT system or its data causes a loss of integrity. Such modifications must be detected and corrected, because continued use of corrupted data leads to wrong decisions.

Loss of Availability (5): IT systems must be available to their end users; an unavailable system affects the organization's mission. In business and education, availability is especially important because daily work relies on the network and the systems behind it.

Loss of Confidentiality (5): Confidentiality is the other side of impact determination. Information must be protected from unauthorized disclosure. Disclosure of confidential information may lead to legal, reputational or, for government systems, national security consequences.

Table 4. Magnitude of Impact Definitions (5)

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.

Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.

Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

3.6 RISK DETERMINATION

The aim of this step is to determine the level of risk to the IT system. Risk is a function of the likelihood that a threat will exercise a vulnerability and the magnitude of the impact if it does.

Table 5 shows a sample risk-level matrix. The risk level is obtained by multiplying the likelihood rating by the impact rating, using the values NIST assigns (5):

• Likelihood: 1.0 for High, 0.5 for Medium, 0.1 for Low

• Impact: 100 for High, 50 for Medium, 10 for Low

The product of threat likelihood and threat impact gives the risk rating.

Table 5. Sample Risk Determination Matrix (5)

Likelihood | Impact: Low (10) | Impact: Moderate (50) | Impact: High (100)

High (1.0) | 10 x 1.0 = 10 | 50 x 1.0 = 50 | 100 x 1.0 = 100

Moderate (0.5) | 10 x 0.5 = 5 | 50 x 0.5 = 25 | 100 x 0.5 = 50

Low (0.1) | 10 x 0.1 = 1 | 50 x 0.1 = 5 | 100 x 0.1 = 10

The High impact column follows from the values given above. NIST maps the products onto the risk scale High (above 50, up to 100), Moderate (above 10, up to 50) and Low (1 to 10) (5), so, for example, Moderate likelihood with High impact (50) is a Moderate risk, while High likelihood with Low impact (10) is a Low risk.

High (5): If a risk is rated high, there is a strong need for corrective measures. The system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Moderate (5): If a risk is rated moderate, corrective actions are needed and a plan must be developed to incorporate them within a reasonable period of time.

Low (5): If a risk is rated low, the system's authorizing official, who is responsible for risk decisions, must determine whether corrective actions are still required or decide to accept the risk.
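The risk determination step is mechanical once the ratings exist, and getting the scale boundaries right (50 is Moderate, 10 is Low) is where hand-built spreadsheets go wrong. The following Python is an added example, not code from NIST or from the Virginia case study: it applies the Table 5 values and the NIST risk scale to a small risk register. The register is constructed; its first two rows mirror the case study's Table 9, and the ratings on the other two rows (taken from the Table 2 pairs) are assumptions made for the example.

```python
# NIST SP 800-30 qualitative scales as reproduced in this report (Table 5).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def normalize(rating):
    """VITA writes 'Moderate' where NIST writes 'Medium'; treat them as one."""
    r = rating.strip().capitalize()
    if r == "Moderate":
        r = "Medium"
    if r not in LIKELIHOOD:
        raise ValueError("unknown rating: %r" % rating)
    return r


def risk_score(likelihood, impact):
    """Likelihood value times impact value, as in Table 5."""
    return LIKELIHOOD[normalize(likelihood)] * IMPACT[normalize(impact)]


def risk_level(likelihood, impact):
    """Map the product onto the NIST risk scale:
    High: above 50 up to 100; Medium: above 10 up to 50; Low: 1 to 10.
    The boundaries matter: 50 (Medium x High) is Medium, 10 (High x Low) is Low.
    """
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


# Constructed register: rows 1-2 mirror the case study's Table 9; the ratings
# on rows 3-4 (pairs from Table 2) are assumed for this example.
REGISTER = [
    {"no": 1, "summary": "Fire activates wet-pipe sprinklers; water damage to BFS",
     "likelihood": "Moderate", "impact": "High"},
    {"no": 2, "summary": "Unneeded BFS user IDs not removed; unauthorized use",
     "likelihood": "Moderate", "impact": "High"},
    {"no": 3, "summary": "Vendor patches not applied; known flaws exploitable",
     "likelihood": "High", "impact": "High"},
    {"no": 4, "summary": "Guest ID enabled; telnet browsing of system files",
     "likelihood": "High", "impact": "Low"},
]


def rank_register(register):
    """Score every row and return a new list ordered highest risk first."""
    scored = []
    for row in register:
        entry = dict(row)
        entry["score"] = risk_score(row["likelihood"], row["impact"])
        entry["level"] = risk_level(row["likelihood"], row["impact"])
        scored.append(entry)
    # sorted() is stable, so rows with equal scores keep their register order.
    return sorted(scored, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in rank_register(REGISTER):
        print("%d  %-6s %5.1f  %s" % (e["no"], e["level"], e["score"], e["summary"]))
```

The ranked output puts the unpatched server (100, High) first, the two case-study rows (50, Medium) next, and the guest ID (10, Low) last, which is the order in which the corrective action plans of the three paragraphs above apply. Rejecting unknown rating words rather than silently scoring them as zero is deliberate: a blank or misspelled rating in a register should stop the calculation, not produce a comfortingly low number.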

4 HOW IS RISK MANAGED?

There are four main strategies for handling risk: mitigation, transference, acceptance and avoidance. A risk management strategy minimizes risk by reducing either the probability of an adverse event or its negative effect. Cost matters to organizations, so the strategy is chosen with cost in mind, and to carry it out the four options must be understood.

4.1 MITIGATION

The aim of mitigation is to reduce or remove the negative impact of a vulnerability. Eradicating all risk is impractical and close to impossible. Installing a patch is a typical mitigation; others are installing antivirus software and educating people about threats.

4.2 TRANSFERENCE (6)

Transference shifts the risk to another party. Most people use transference in everyday life, but it has limited use for IT systems (6). Insurance is the usual example: the risk is transferred from the person to the insurer. Transference does not reduce the likelihood of the event; it reduces the impact on the organization.

4.3 ACCEPTANCE

Acceptance means doing nothing against a threat and accepting it: being fully aware that the risk exists and choosing not to act. Low risks can be accepted. Managers sometimes accept high risks as well, and when this causes a problem the IT staff are left to handle it.

4.4 AVOIDANCE

Avoidance removes the exposure to an existing vulnerability altogether: the risk is avoided when the individual refuses to take it on. Not flying in order to avoid the risk of an air crash is avoidance. Another example: a university web page was found to let students view other students' pictures, IDs and grades. On discovering this risk, the university removed the page and built a new one.

5 EXAMPLE

This example is taken from the Virginia Information Technologies Agency (VITA) Information Technology Risk Management Guideline. The guideline is intended to help each Commonwealth of Virginia (COV) agency analyze the risks to its IT systems and protect the COV's information resources in support of its mission. The risk assessment method follows NIST Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems". The example is the IT risk assessment of the Budget Formulation System (BFS). The COV's Budget Formulation Agency (BFA) assessed BFS to meet the requirements of the Information Technology Risk Management Standard SEC501-01. BFA repeats the BFS risk assessment every three years, or sooner if the system changes significantly. The assessment presented here was performed in July 2007.

Figure 3. IT System Boundary Diagram (1)

Figure 3 shows the system and network architecture with all components of the system. BFS and the Budget Consolidation System connect to a switch, which leads to the data center router and through the data center firewall to the agency's internal IP network, where the client workstations and the system administrator connect.

To show how the methodology studied in this project is implemented, the case study run by the Commonwealth of Virginia's Budget Formulation Agency is presented in detail.

Identification of vulnerabilities (1)

A vulnerability is a flaw or weakness in the system. In this example the staff of the COV Budget Formulation Agency (BFA) identified vulnerabilities in the Budget Formulation System (BFS) by interviewing the BFS system owner, the data owner and the BFS operational and technical support personnel, by running the automated ITRSK tool, and by reviewing the vulnerabilities recorded in the previous BFS risk assessment. The interviews surface the basic vulnerabilities known to the people who run the system; the ITRSK tool finds others automatically. Handling vulnerabilities is an ongoing process, so reviewing the previous assessment is valuable: the same vulnerabilities may recur, and the history helps anticipate future weaknesses in the system.

Identification of threats (1)

A threat is the potential for a threat-source to exploit an existing vulnerability. In this example threats were identified by running the automated ITRSK tool, interviewing the BFS system owner, data owner and system administrators about the threats to BFS, reviewing the previous BFS risk assessment, and analyzing how each threat would affect the BFS environment.

Table 6 lists the threats identified for BFS:

Table 6. Credible Threats Identified for the BFS (1)

• Air Conditioning Failure

• Aircraft Accident

• Biological Contamination

• Blackmail

• Bomb Threats

• Chemical Spills

• Communication Failure

• Computer Crime

• Cyber-Terrorism

• Earthquakes

• Fire (Major or Minor)

• Flooding/Water Damage

• Fraud/Embezzlement

• Human Error

• Malicious Use

• Loss of Key Personnel

All three types of threat, human, natural and environmental, appear in the list.

A vulnerability/threat pair gives rise to a risk, and BFA summarized each risk by pairing a vulnerability with its threat. For example, user identifiers of terminated BFS users are not removed from BFS, so their unauthorized use could compromise the confidentiality and integrity of BFS data. Another example: in the event of a fire, the wet-pipe sprinkler system would activate and the BFS data center would no longer be available.

Control analysis

Control analysis records whether each control is in place or planned. In this example, IT security controls for BFS are both in place and planned. BFA documented them in a table with three columns: the control area, whether the control is in place or planned, and a description of the control. For each control area, BFA first decided whether the control was in place or planned and then described it. One example: the control area "IT security roles and responsibilities" is in place, and it requires written IT security roles for BFS and BFA. Another: the control area "risk assessment" is in place, because this report is the July 2007 risk assessment of BFS and builds on the previous BFS risk assessment of July 2004; it is also planned, because BFA will verify the current risk assessment in July 2008 and July 2009.

Likelihood determination

Likelihood is rated low, moderate or high. In this example BFA rated the likelihood of each BFS risk. For the fire risk, a fire would activate the sprinkler system and the water would damage BFS. There is no control against water damage, so the effectiveness of controls against this vulnerability is low, while the probability of a fire in the data center is itself low. Weighing these factors, BFA rated the likelihood of this risk as moderate.

The second example is unauthorized use of BFS data through user IDs that are no longer needed. Because such accounts are not closed in a timely manner, the effectiveness of the existing controls is low. The capability required of the threat-source is also low, since an attacker needs only to learn a user ID and password, whereas physical access to the building is well protected. Weighing these factors, BFA rated the likelihood of this risk as moderate.

Impact determination

Impact is rated high, moderate or low. These ratings are used to evaluate the impact of each BFS risk on the BFA.

Table 7 refers to the risk impact rating definitions used by the Commonwealth of Virginia:

Table 7. Risk Impact Rating Definitions (1)

Magnitude of Impact: High, Moderate, Low.

For the fire risk, the sprinkler system would activate and damage BFS, making BFS unavailable. This is the impact of the risk, a loss of availability, and BFA rated it high.

Unauthorized use of user IDs would lead to unauthorized modification or disclosure of BFS data, a loss of confidentiality and integrity, and BFA rated this impact high as well.

Risk determination

Risk determination combines the likelihood and impact ratings; the risk rating depends on these two values. Given the likelihood and impact of the two example risks, their risk ratings follow. For the risk that fire activates the sprinkler system and damages BFS, the likelihood rating was moderate and the impact rating high, so the overall risk rating is moderate. For the unauthorized use of unneeded user IDs, the likelihood rating was again moderate and the impact rating high, so the overall risk rating is also moderate.

BFA made recommendations for the identified risks, some of which are listed in Table 8:

Table 8. Recommendations (1)

Risk No. | Risk Summary | Risk Rating

1 | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | Moderate

2 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Moderate

3 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data. | Moderate

4 | Loss or theft of USB drives could result in compromise of confidentiality of BFS data. | High

In the case study each step of the risk management methodology was applied in turn. Threats and vulnerabilities were identified, the controls were assessed, and the likelihood and impact were determined. Combining these, BFA arrived at the risks to the system. Two of them appear in the following risk assessment matrix:

Table 9. Risk Assessment Matrix (1)

Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating

1 | Wet-pipe sprinkler system in BFS Data Center. | Fire | Compromise of BFS availability. | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | Moderate | High | Moderate

2 | BFS user identifiers (IDs) no longer required are not removed from BFS in timely manner. | Unauthorized Use | Compromise of confidentiality & integrity of BFS data. | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Moderate | High | Moderate

A report of this kind helps senior management understand the deficiencies of their systems. With this methodology they can allocate resources effectively, correct the errors found and reduce potential losses.

6 CONCLUSION

Risks to IT systems must be evaluated and managed effectively. Some project managers ignore the risks of a project, and the project fails as a result. Risks must be examined carefully, because organizations do not want to waste time or personnel, nor to face unexpected costs. Applying a risk assessment methodology to a project helps the organization take precautions against possible damage to its systems. Cost, reputation and time matter to organizations, so risk management must be applied with care.

In this project I studied risk management methodologies for information technology system projects. To show how risk management is applied to IT systems, I studied the case study presented in the Information Technology Risk Management Guideline of the Virginia Information Technologies Agency (VITA). The main problems identified in that example were unauthorized use of and access to data, fire, and malicious use and computer crime. The agency set out to understand the risks to its system and to handle them by identifying them. Risk assessment is very useful for identifying security weaknesses and calculating risk. I used qualitative risk assessment because not everything can be measured for IT systems, and the qualitative approach makes the ranking of risks clear. The agency applied the methodology successfully, because it followed every step of the risk management process carefully. In this context, my graduation project covers:

• Defining risk and risk management

• Defining risk assessment methodologies

• Threat identification

• Vulnerability identification

• Control analysis

• Determination of likelihood

• Determination of impact

• Determination of risk

• How risk is managed

• An example of risk management

To sum up, I reviewed the NIST publication on risk management for information technology and then followed its steps through an example in order to understand every step of the risk assessment.
