What is risk management identify four strategies for addressing a particular risk?

Risk Management

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Risk Management Strategy

The risk management strategy is one of the key outputs of the risk framing component of the NIST risk management process. Typically developed at the organization level, the risk management strategy specifies procedures and methodologies with which mission and business and information system risk managers perform risk assessment, risk response, and risk monitoring activities. As illustrated in Figure 13.3, the risk management strategy reflects organizational governance decisions in terms of risk assumptions, risk constraints, risk priorities, risk tolerance, and risk acceptance criteria and may—particularly under centralized governance models—also prescribe risk assessment, response, and monitoring practices and methodologies to be used at mission and business and information system tiers. Determining and communicating organizational risk tolerance is one of the most important elements in risk management strategy, as tolerance levels influence all risk management components [25]. Risk tolerance is also a fundamental input to information security management activities conducted throughout the steps in the Risk Management Framework, affecting security control selection, security control assessment, contingency planning, continuous monitoring, and system authorization decisions.

Figure 13.3. By Framing Organizational Risk Elements That Inform Risk Management Strategy and Drive Risk Assessment Processes Executed At Mission and Business and Information System Levels, the Organizational Perspective Sets The Context and Establishes the Foundation for All Risk Management Activities [26]

URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000138

Risk Mitigation Strategy Development

Susan Snedaker, Chris Rima, in Business Continuity and Disaster Recovery Planning for IT Professionals (Second Edition), 2014

Abstract

Risk management strategies for business continuity and disaster recovery planning require a review of the risks and plans for addressing, or mitigating, each of those risks to an acceptable level. In some cases, risks are accepted as is; in other cases, risks are transferred, and in still other cases, risks are minimized to a level acceptable to the organization. One of the fundamental tasks in managing IT risk for BC/DR planning focuses on backup and recovery strategies to ensure the confidentiality, integrity, and availability of data in both the production environment and the DR location.

URL: https://www.sciencedirect.com/science/article/pii/B9780124105263000064

Thinking About Risk

Stephen D. Gantz, Daniel R. Philpott, in FISMA and the Risk Management Framework, 2013

Risk Strategy

The risk management strategy reflects the organization’s view of how it intends to manage risk—potentially of all types but at least within a discrete category of risk—including policies, procedures, and standards to be used to identify, assess, respond to, monitor, and govern risk. The strategy specifies strategic planning assumptions, constraints, decision-making criteria, and other factors influencing risk management in the organization, including context-specific and overall articulations of organizational risk tolerance. Risk management strategy identifies senior leaders and other stakeholders with significant decision-making authority and, in the context of describing risk governance, should clearly describe the information flows and decision-making processes related to risk management. Following NIST guidance to agencies in Special Publication 800-39, comprehensive organizational strategies for managing the risk associated with agency information systems include clear expression of risk tolerance, preferred or endorsed methodologies for risk assessment, primary risk response alternatives, descriptions of risk-based decision criteria and decision-making processes, and organizational approaches for monitoring risk [27]. The development and implementation of the organizational risk strategy is assumed in NIST guidance to be the responsibility of the risk executive (whether that role corresponds to an individual, a group, or an organizational function).

URL: https://www.sciencedirect.com/science/article/pii/B9781597496414000035

Decision to Travel vs. Digital Alternatives

Deborah Gonzalez, in Online Security for the Business Traveler, 2014

Travel Risk Assessment

The best risk management strategy combines several techniques, including quality insurance coverage, sound risk management procedures and protocols, and expert advice.

The travel risk assessment looks at potential risks that employees may encounter while on business travel, the likelihood of those risks occurring, the potential impact those risks may cause the business if it does occur, and the cost of implementing strategies to mitigate, reduce, or eliminate the risks.

Risk assessments can be done on two levels—one for general business travel and a second, more comprehensive one for specific travel destinations, especially if the destination is known to be hostile or dangerous.

Pretravel intelligence is very important in the second level. You need to be able to evaluate State Department warnings not just of the destination location but also of surrounding areas as spillover of dangerous activity can occur. Other types of information important to gather at this point would be “the level of political instability, the activity of terrorist organizations, the region’s health hazards and the local emergency medical care, local criminal activity, and driving hazards.” I would add to this any censorship legislation, especially regarding Internet access and social media postings. For example, Facebook is prohibited in China.

URL: https://www.sciencedirect.com/science/article/pii/B978012800069400001X

Security Measures and Metrics

In The Manager's Handbook for Business Security (Second Edition), 2014

Risk Management Strategy

There are two aspects to your risk management strategy at work here. First, you have an obligation to report, but the results may not shine favorably on you or your organization’s performance. So be it. Welcome to metrics. Second, you have an obligation to inform management on key risk issues.

You need one or more dashboards (see Figure 16.6) to track your priorities. As you get comfortable with assembling the data of importance and various means of presentation, using simple applications of Excel or PowerPoint, you will develop ideas for broader and more specific uses.

URL: https://www.sciencedirect.com/science/article/pii/B9780128000625000166

Strategies for continuous monitoring

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

CM Strategy

The CM strategy aligns the CM activities with the organization-wide risk management strategy. Through an understanding of the organization’s strategic goals and objectives, the CM requirements can be developed to address the monitoring and assessment frequency of security controls, and customize status reporting to ensure consistency across the organization. This further supports each of the organizational tier’s information needs required for making risk-based decisions. For the strategy to be effective and support the organization’s risk management function, it needs to be comprehensive, broadly encompassing the technology, processes, procedures, operating environment, and people [2].

The organization’s information requirements can be different at each of the organizational tiers, requiring strategies tailored specifically to a tier. Therefore, to meet the goal of maintaining consistency across the organization, the implementation of the organization-wide CM strategy needs to be driven by the leadership to ensure that the CM strategy evolves as requirements for information change at each tier. In addition to enabling information reuse across the organization, a consistent understanding of the CM strategy ensures a cost-effective implementation of the processes, procedures, tools, and techniques to all organizational information systems, achieving a broad organization-wide situational awareness. The CM strategy can also help the organization use an integrated approach to react more efficiently to change, whether a change in a single information system or a change in the organization’s threat environment.

Tip

The CM strategy [2] should:

Reflect the organization’s risk tolerance (including helping set priorities and consistent management of risk);

Include metrics that provide meaningful indications of security status at all organizational tiers;

Ensure continued effectiveness of all security controls;

Address verifying compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines;

Be informed by all organizational IT assets and aids to maintain visibility into the security of the assets;

Ensure knowledge and control of changes to organizational systems and environments of operation; and

Maintain awareness of threats and vulnerabilities.

An organization-wide CM strategy provides a comprehensive view of the CM requirements of all organizational tiers. These requirements may be derived from multiple sources including the key metrics and the frequency of security controls monitoring and assessments deemed necessary to provide an indication of the information security and risk posture. CM strategies can also be developed at a specific tier to address local requirements. However, to enable an organization-wide approach to CM, tier-specific strategies will need to be driven from a consistent application of the methodologies and practices used at the higher organizational tiers (i.e., tier 3 strategies should encompass tier 2 policies, procedures, and processes). This ensures that any condition that would require the tier-specific strategy to be updated also triggers additional updates to strategies in the higher tiers so that security-related information captured at the lower tiers maintains relevance in supporting organization-wide risk-based decisions.

Note

In July 2010, OMB released a policy that clarified the roles and responsibilities for cybersecurity. In this policy, the Department of Homeland Security (DHS) was identified as having the responsibility for implementing the operational aspects of the cybersecurity of civilian federal information systems. The scope of responsibility as it relates to CM included the government-wide and agency-specific monitoring and assessment of areas such as cybersecurity operations and incident response [5]. In addition, DHS’s role was further clarified in a Federal Information Security Memorandum published in August 2011 in which federal agencies were required to report to DHS on metrics through automated or manual data feeds. For example, starting in 2012, DHS started publishing Annual FISMA Reporting Metrics. Within the annual FISMA reporting metrics, CM was identified as a “key element to managing an information security program is having accurate information about security postures, activities and threats” [6]. Finally, the Federal Information Security Modernization Act of 2014 codified DHS’s role in administering the implementation of information security policies for federal agencies, overseeing agencies’ compliance with those policies, and assisting OMB in developing those policies [7].

URL: https://www.sciencedirect.com/science/article/pii/B9780128097106000123

Introduction to Industrial Control Systems and Operations

Eric D. Knapp, Joel Thomas Langill, in Industrial Network Security (Second Edition), 2015

Safety instrumented systems

Safety instrumented systems (SIS) are deployed as part of a comprehensive risk management strategy utilizing layers of protection to prevent a manufacturing environment from reaching an unsafe operating condition. The basic process control system (BPCS) is responsible for discrete and continuous control necessary to operate a process within normal operational boundaries. In the event that an abnormal situation occurs that places the processing outside of these normal limits, the SIS is provided as an automated control environment that can detect and respond to the process event and maintain or migrate it to a “safe” state—typically resulting in equipment and plant shutdowns. As a final layer of protection, manufacturing facilities utilize significant physical protective devices including relief valves, rupture disks, flare systems, governors, and so on to act as a final level of safety prior to the plant entering dangerous operating limits. These events and corresponding actions are shown in Figure 4.12.

Figure 4.12. Layers of protection in plant safety design.

The risks that originate within the SIS relating to cyber incidents are twofold. First, since the system is responsible for bringing a plant to a safe condition once it is determined to be outside normal operational limits, preventing the SIS from properly performing its control functions can allow the plant to transition into a dangerous state that could result in operational disruptions, environmental impact, occupational safety hazards, and mechanical damage. In other words, simple denial-of-service (DoS) attacks can translate into significant risk from a cyber event.

On the other side, since the SIS operationally overrides the BPCS and its ability to control the plant, the SIS can also be used maliciously to cause unintentional equipment or plant shutdowns, which can also result in similar consequences to a service denial attack. In other words, an attacker that gains control of an SIS can effectively control the final operation of the facility.

In both cases, the need to isolate the SIS to the greatest extent possible from other basic control assets, as well as eliminate as many potential threat vectors as possible, is a reasonable approach to improving cyber security resilience. SIS programming, though performing in a similar manner to controller programming previously discussed, is not typically allowed in operational mode. This means that highly authorized applications like SIS programming tools and SIS engineering workstations can be removed from ICS networks until they are required. SIS systems must be tested on a periodic basis to guarantee their operation. This provides a good time to also perform basic cyber security assessments, including patching and access control reviews in order to make sure that the safety AND security of the SIS remains at the original design levels.

URL: https://www.sciencedirect.com/science/article/pii/B9780124201149000046

Comparison of federal and international security certification standards

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

Risk Management Strategy (Context)

Both NIST and ISO/IEC require an organizational policy (or ISMS policy) that aligns with the risk management strategy (or context). The risk management strategy is developed as an output of the risk framing (or context definition). The framing (context) definition is established as a part of the risk management process discussed in Chapter 6, Risk management.

URL: https://www.sciencedirect.com/science/article/pii/B978012809710600007X

Information Risk Assessment

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Risk Tolerance and Uncertainty

Organizations need to determine the levels and types of risk that are acceptable. Risk tolerance is determined as part of the organizational risk management strategy to ensure consistency across the organization. Organizations also provide guidance on how to identify reasons for uncertainty when risk factors are assessed, since uncertainty in one or more factors will propagate to the resulting evaluation of level of risk, and how to compensate for incomplete, imperfect, or assumption-dependent estimates. Consideration of uncertainty is especially important when organizations consider advanced persistent threats (APTs) since assessments of the likelihood of threat event occurrence can have a great degree of uncertainty. To compensate, organizations can take a variety of approaches to determine likelihood, ranging from assuming the worst-case likelihood (certain to happen sometime in the foreseeable future) to assuming that if an event has not been observed, it is unlikely to happen. In determining likelihood, they should also consider the probability of an attack being attempted and its probability of success. Organizations also determine what levels of risk (combination of likelihood and impact) indicate that no further analysis of any risk factors is needed.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000069

Information Security Threats and Risk

Carl S. Young, in Information Security Science, 2016

Information security risk assessments

In general, comprehensive assessments of information security risk are required to establish a thorough understanding of the risk factors affecting an organization. Furthermore, such assessments must be made with respect to risk-based policies and standards in the absence of useful statistics on incidents. Adopting a process to rigorously assess the risk associated with information security threats is essential to developing a coherent information security risk management strategy [1,3].

Since the essence of security is to mitigate the effect of threats, all estimates of risk should begin with identifying the spectrum of distinct threats. Threats were defined previously, but what is meant by “distinct” in this context?

Distinctness implies a set of characteristics that distinguishes one threat from another. Characterizing threats under general headings such as “terrorism,” “street crime,” and “hate crime” may be useful for sociologists and politicians, but it is not particularly helpful in developing a risk management strategy. So how does one specify that a given threat is distinct from another and why does it matter to a risk assessment strategy? These questions will be answered following a brief digression on risk.

Recall that (1.1) was introduced as an operational definition of risk and was formulated in terms of three components: likelihood, vulnerability, and impact. This was somewhat hyperbolically referred to as the Fundamental Expression of Risk. However, it is not a true mathematical equation, because each component in (1.1) appears to have equal magnitude, and this condition is not true in general.

One important feature to notice about this expression is that if a single component is zero, there is no risk. The implication is that if there is no risk, the threat being evaluated does not exist for all practical purposes. Put another way, absent one or more components of risk, a given threat is simply not threatening.

In addition, the notion of “cost” broadly defined is missing from (1.1). Although cost is not a fundamental component of risk per se, it plays an important role in real-world decisions on security.

For example, it is not uncommon to encounter security risk scenarios where the magnitude of one component of risk is significant but remediation is cost prohibitive. Therefore, despite the assessed risk, no action is taken to address it. The cost associated with risk mitigation is a reality of real-world risk management processes that would not appear in a strictly academic view.

Although a measurement of risk is ideal, it is not always possible to provide a quantitative estimate. The reality is that a qualitative view of each component is sometimes the best option available. The good news is that such a view is often sufficient to make a meaningful decision on risk mitigation. Moreover, a sophisticated security risk manager understands when quantitative measurements of risk will yield meaningful results and when it is futile to even try.

With that background, the risk assessment process can now be described, and, in particular, the critical role of risk factors in developing an effective risk management strategy. As noted earlier, the first step in a security risk assessment is to identify the spectrum of impactful and distinct threats to an organization. In order to address the question of threat distinctness, the crucially important concept of a “risk factor” must be reintroduced and defined as follows:

A risk factor is a feature, characteristic or condition that enhances one or more components of risk for a specific threat or mode of threat implementation. It is the spectrum of risk factors that drive the required mitigation methods.

The logic associated with risk factors as the basis for risk management is compelling to the point of appearing circular: If risk factors are those features that enhance one or more components of risk for a given threat, then addressing all the risk factors is required in order to effectively manage that threat.

A medical analogy is again illustrative. Consider the threat of cardiovascular disease. Some well-known risk factors for this threat are high blood pressure, obesity, a high concentration of certain types of cholesterol in the blood, smoking, lack of exercise, being male (or a postmenopausal female), diabetes, and a family history of cardiovascular disease.

These risk factors were determined through large population studies that enabled scientists to correlate the presence of a risk factor with the likelihood of a future threat incident. In other words, people had varying rates of heart attacks based on the number and magnitude of one or more risk factors.

The likelihood of a future threat incident increases by some quantifiable amount with each additional risk factor, an artifact of the plethora of data established over years of studying relatively homogeneous models such as humans. In other words, the more risk factors displayed by a patient, the higher is the likelihood he or she will suffer a heart attack in a specific interval of time.

The risk increases with the duration of the time interval under consideration. An individual who displays all of the significant risk factors would likely be a candidate for aggressive medical therapy as determined by a bona fide medical risk manager, for example, a cardiologist.

A Venn diagram can be used to illustrate the intersection of risk factors, a condition that would amplify the likelihood component of risk for the threat of heart attacks as shown in Fig. 1.1.

Figure 1.1. Intersection of risk factors for the threat of cardiovascular disease.

A similar diagram can be created for any threat. Physical security threats are illustrative of the utility of such diagrams. Consider the threat of vehicle-borne explosive attacks by anti-Western elements against the headquarters of an international bank. Risk factors for this attack might include the following:

the country where the facility is located;

the iconic status of this particular facility or the bank in general (in other words, a symbolic association with Western culture and/or a particular government);

the historical use of this mode of attack by groups of concern;

the proximity of the facility to vehicular traffic.

Note that the first three risk factors enhance the likelihood component of risk for this threat while the last one enhances the vulnerability component of risk. Understanding the nature of the contribution to risk for a given risk factor is important in managing the risk associated with each impactful and distinct threat. For example, reducing the profile of a company or facility would affect the potential for attack, but would do nothing to reduce the vulnerability or the potential damage/loss should an attack occur.

Fig. 1.2 illustrates the Venn diagram for the set of risk factors associated with a given target and relative to this threat. If all of these risk factors existed for a given target, the risk is enhanced relative to a target that possessed fewer risk factors.

Figure 1.2. Risk factors for vehicle-borne explosive attacks by anti-Western groups.

To further illustrate this important point, if the impactful threats were groups concerned about the global hegemony of fast food corporations, the likelihood component of risk might be significantly altered from the anti-Western terrorists noted earlier. In that case the security strategy might not include this threat as a priority for remediation.

The long-awaited answer to the question of what makes one threat distinct from another can now be presented. Simply put, any two threats are equivalent if the type and magnitude of their respective risk factors are identical. Conversely, if their risk factors differ in either type or magnitude, the two threats are distinct and each threat must be addressed separately as part of a risk mitigation strategy.

This test for distinctness has a very practical implication. Namely, threats can be logically grouped according to their risk factors. In addition, simultaneously addressing the risk factors will effectively manage all of the threats with risk factors in common. Note that if one risk factor is not addressed, it means at least one vulnerability exists for each threat to which that risk factor applies.

The key to an effective risk mitigation strategy is to address all the risk factors for each distinct and impactful threat. A graphic that depicts the risk management process is captured in Fig. 1.3 [3].

Figure 1.3. The security risk management process.
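A small model of the chapter's risk-factor argument, added here as an example and not the author's code: each threat is a set of risk factors that raise one component of risk, risk is the product of the three components (so it is zero when any component is zero), and threats are distinct only when their risk factors differ in type or magnitude. The ordinal magnitudes, the baseline impact, and the three sample threats (the headquarters and a branch office facing the vehicle-borne attack, and the fast-food scenario) are constructed assumptions.

```python
"""Risk-factor model illustrating the chapter's argument (added example).

Assumptions, not the author's data: factor magnitudes are ordinal 1..3,
impact is a baseline property of the threat rather than a risk factor,
and the three sample threats are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

COMPONENTS = ("likelihood", "vulnerability", "impact")


@dataclass(frozen=True)
class RiskFactor:
    """A feature or condition that enhances exactly one component of risk."""
    name: str
    component: str   # one of COMPONENTS
    magnitude: int   # assumed ordinal contribution, 1 (low) .. 3 (high)


@dataclass
class Threat:
    name: str
    factors: Dict[str, RiskFactor]               # keyed by factor name
    baseline: Dict[str, int] = field(default_factory=dict)  # inherent levels


def make_threat(name: str, impact: int, *factors: RiskFactor) -> Threat:
    """Build a threat with an inherent impact level and its risk factors."""
    return Threat(name, {f.name: f for f in factors}, baseline={"impact": impact})


def components(threat: Threat, addressed: Set[str] = frozenset()) -> Dict[str, int]:
    """Component levels once the named risk factors have been mitigated."""
    levels = {c: threat.baseline.get(c, 0) for c in COMPONENTS}
    for f in threat.factors.values():
        if f.name not in addressed:
            levels[f.component] += f.magnitude
    return levels


def risk_score(threat: Threat, addressed: Set[str] = frozenset()) -> int:
    """Product of the components: zero as soon as any single component is zero."""
    lv = components(threat, addressed)
    return lv["likelihood"] * lv["vulnerability"] * lv["impact"]


def distinct(a: Threat, b: Threat) -> bool:
    """Two threats are equivalent only if factor types AND magnitudes match."""
    return set(a.factors.values()) != set(b.factors.values())


def group_by_factor(threats: Iterable[Threat]) -> Dict[str, List[str]]:
    """Map each risk factor name to the threats that share it."""
    groups: Dict[str, List[str]] = {}
    for t in threats:
        for name in t.factors:
            groups.setdefault(name, []).append(t.name)
    return groups


def residual_factors(threats: Iterable[Threat], addressed: Set[str]) -> Dict[str, List[str]]:
    """Per threat, the risk factors still unaddressed (each leaves a vulnerability)."""
    return {t.name: sorted(set(t.factors) - set(addressed)) for t in threats}


# Constructed sample, loosely following the chapter's bank-headquarters case.
HQ = make_threat("hq", 3,
                 RiskFactor("host_country", "likelihood", 2),
                 RiskFactor("iconic_status", "likelihood", 3),
                 RiskFactor("historical_use", "likelihood", 2),
                 RiskFactor("traffic_proximity", "vulnerability", 3))
# Same factor types as HQ, but the branch sits further from the road.
BRANCH = make_threat("branch", 3,
                     RiskFactor("host_country", "likelihood", 2),
                     RiskFactor("iconic_status", "likelihood", 3),
                     RiskFactor("historical_use", "likelihood", 2),
                     RiskFactor("traffic_proximity", "vulnerability", 1))
# The fast-food scenario: iconic status and historical use no longer apply.
FASTFOOD = make_threat("fastfood", 3,
                       RiskFactor("host_country", "likelihood", 2),
                       RiskFactor("traffic_proximity", "vulnerability", 3))

if __name__ == "__main__":
    for t in (HQ, BRANCH, FASTFOOD):
        print(t.name, components(t), "risk =", risk_score(t))
    # Reducing profile lowers likelihood only; fixing proximity zeroes vulnerability.
    print("hq, profile reduced:", components(HQ, {"iconic_status"}))
    print("hq, proximity fixed:", risk_score(HQ, {"traffic_proximity"}))
    print("shared factors:", group_by_factor([HQ, BRANCH, FASTFOOD]))
```

Running it shows that addressing the single vulnerability factor drives the headquarters risk to zero, while reducing the facility's profile lowers only the likelihood component, as the text argues.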

URL: https://www.sciencedirect.com/science/article/pii/B9780128096437000012

What are the 4 types of risk management strategies?

There are four main risk management strategies, or risk treatment options:
Risk acceptance
Risk transference
Risk avoidance
Risk reduction

What are the four ways to address risk?

There are four primary ways to handle risk in the professional world, no matter the industry:
Avoid risk
Reduce or mitigate risk
Transfer risk
Accept risk

What is risk management strategy?

A risk management strategy is a structured approach to addressing risks, and can be used in companies of all sizes and across any industry. Risk management is best understood not as a series of steps, but as a cyclical process in which new and ongoing risks are continually identified, assessed, managed, and monitored.

Which strategies can be used to address risk?

Four strategies for addressing identified risk in your organization:
Risk Avoidance. Avoiding risk should not be confused with doing nothing. ...
Risk Mitigation. ...
Risk Transfer. ...
Risk Retention.