Fundamentals of IT risk analysis
IT risk analysis determines the systems that need protection and helps the IT manager determine which protective actions are most cost effective.
Providers of security and anti-malware products like to spread images of young hackers wearing hoodies as a threat to IT systems. But, more often, employees of a company pose a greater threat to information security. Insiders are responsible for about 70 percent of the incidents; external attackers who exploit security vulnerabilities account for about 30 percent. The ISO/IEC 27005 standard  on IT risk management lists poorly trained or careless employees, disgruntled or malicious employees, and dishonest or recently fired employees as the main hazards.
At the same time, the profile of the external attacker is also changing. The romantic notion of the lonesome hacker sitting in an apartment and stealing data for the joy of being able to do so is far from the norm. Hacking today is usually a business where prices are defined by supply, demand, and ancillary costs (see the box titled "Cost and Benefits for Attackers.")
In this climate, every business needs to be aware of potential security threats, and it helps to have a systematic strategy for quantifying risk and assigning priorities as to which problems are most urgent. The business tool for getting to grips with vulnerability assessment is risk analysis. Risk analysis helps a company identify the risks, calculate the financial impact, identify vulnerabilities, assess threats, and put a value on the damage that would occur if someone were to exploit existing vulnerabilities and conflicts. The goal is not just to find the most glaring vulnerability or the most expensive loss scenario – risk analysis attempts to evaluate the severity of an attack in the context of the likelihood the attack will occur, showing IT managers which prevention measures will give the most protection for the IT dollar.
Understanding Risk Analysis
A thorough risk analysis does not simply look at individual departments but studies the entire enterprise. Effective risk analysis begins with identifying which assets to protect and discovering their financial value. The four main objectives of a threat and risk analysis are the following:
- Evaluating assets and their financial value
- Identifying threats
- Quantitatively and qualitatively assessing the impact of risks
- Ensuring the efficiency of the countermeasures in comparison to the potential impact of the risk
The risk associated with an attack (R) is computed as
R = E × P,
where E is the extent of damage and P is the probability of an occurrence.
Risk analysis distinguishes between primary and secondary damage. Primary damage includes damage caused by production outages, replacement costs, and personnel costs. These types of costs are relatively easy to quantify. It is much more difficult to identify secondary damage, which includes loss of reputation and loss of trust among customers and business partners (factors that can sometimes even lead to insolvency of a company).
To compute the probability of an occurrence, you need to consider the estimated expense for an attacker implementing the attack, compared with the potential benefit of the attack. For example: An attacker is more likely to launch an attack that will lead to acquiring stolen credit card data (which results in a fast and easy payoff for his time) than in acquiring the invitation list for the company's annual Christmas party (which has only limited value). At the same time, the attacker is more likely to seek "low-hanging fruit" – a relatively insecure target that won't cost much effort – even if the payoff isn't as great as it would be with an attack on a valuable but well-defended target.
Costs and Benefits for Attackers
The first thing to know about security risk analysis is that professional attackers also operate within a business model, in which the most probable action is the one that minimizes risk and provides the best return for the hacker's time. Intruders often launch their attacks using systems rented from wholesale operating within the underground economy.
The security experts at Kaspersky Lab examined this black market some time ago. Renting a botnet with 1,000 machines costs around US$ 30 from the "Discount Bot Shop" or from "Bot-Seller"; volume discounts take the price for 5,000 down to US$ 140. The business relationship is established on Jabber, ICQ, or another forum (Figure 1). The monthly price for a bulletproof hoster, that imposes no restrictions on its customers, lie between US$ 20 and 120.
If you want to stay invisible from the law enforcement authorities while controlling botnets or transferring funds, you need what are known as crypter-cloud services. US$ 60 will buy you lifetime use of Saddam's Crypter – although it is hard to say what lifetime means with a service using this kind of name.
In addition to the attack infrastructure, hackers also need software suitable for this purpose (i.e., malware). The Black Shades Net remote administration tool, for example, is available from EUR 40. The IP Killer DDoS tool, or the Pieces of Eight Stealer, are available to the general public for EUR 35. If you want to distribute an exploit on the Internet, it will cost you about EUR 500 per month.
But criminals can also save themselves all of this effort by simply reverting to verified credit card data or hijacked PayPal accounts, which they can actually buy at a reasonable price (Figure 2).
The fairly low prices suggest that the supply of illicit services and software is greater than the demand. People who do not use hijacked accounts themselves, but resell them, make very little profit, as you can see. The fact that the direct and reputational damage of their victims is often disproportionately higher than the revenue they receive does not deter these cyper-criminals one bit. (Jan Kleinert)
The textbook formulas for computing the risk are less than clear. For companies that prefer their information expressed in dollars and cents, security and backup solution provider Symantec publishes an annual study. The report "Cost of a Data Breach in 2013"  is based on data losses that 277 listed companies suffered in nine countries.
Even taking into account Symantec's vested interest in selling solutions, the reported numbers are still shocking: Each data set lost costs a company an average of EUR 151 per record. (A data record breaks down to the customer and billing data associated with one person.) In the financial, industrial and energy sectors, the cost is EUR 200, compared with just EUR 93 in the public sector. And the trend is rising; in 2011, the average value was just EUR 146.
Of all potential causes of data loss and embezzlement, malicious attacks have the heaviest impact on a company's budget, according to the study. Criminal insiders and social engineering cause EUR 136 of damage per stolen record. Employee negligence or operator errors cost an average of EUR 138 per record.
To compute these figures, the Ponemon Institute accounted for both direct and indirect costs. Ponemon has incorporated the data and trends it collected into an online data breach cost calculator for Symantec  (Figure 3). However, the smallest company size addressed in the list is "Less than 500" employees, so the estimates are thus not necessarily accurate for a small consultancy or startup.
The risk analysis rule of thumb: Think like a hacker and you know will how you need to protect yourself. It is very important to know how an attacker proceeds, what motivates the attacker, how valuable the company's assets are, and why an attacker might be specifically interested in these assets. This is the only way to ensure that effective risk analysis takes place. Penetration testing can also be used for further assessment.
After identifying all the risks, you can start to identify countermeasures. You might not be able to do everything you want to do – the solution must be consistent with your company's financial resources. To compare and prioritize the available options, you need to determine the expected total damage resulting from an incident and the expected recovery costs. Assessing probability is one of the most difficult processes in risk analysis. Your study of probabilities must include statistics, as well as statements by external service providers, feedback from penetration testers, and information on asset values.
The difficulty is to take into account the many root causes of insecurity. A matrix-based method from ISO 31010  with qualitative scales (Figure 4) is a useful tool. The ALARP principle ("As Low As Reasonably Practicable") applies for the yellow area. Risks in this area should be reduced as far as possible, but only with acceptable technical and financial effort.
Every company must launch a custom analysis process tailored for its own situation, and standards and rules must serve as the basis for this process. The standards of particular importance are ISO/IEC 27005 (Introduction to Risk Management), ISO/IEC 27001 (Information Security Management, ), ISO 31010 (Evaluation methods in risk management, ), the BSI standard 100-3, the SANS Risk List , and the IT Infrastructure Library (ITIL).
The result of the risk analysis study will be a plan of action that addresses the possible threats through some combination of:
- Risk acceptance – The company is aware of the possible risk but has determined through the cost-benefit analysis that the threat is not sufficient to warrant action.
- Risk avoidance – Concrete steps the company will take to eliminate potentially threats.
- Risk reduction – Steps that don't fully eliminate but do serve to minimize risk. For example, upgrading an older system that is no longer supported with security patches does not prevent intrusion, but it is a simple and cost-effective way to reduce the possibility of a successful attack. (The BSI IT Baseline Protection Standard is often used as a tool for assessing risk reduction strategies.)
- Risk transfer – Covering all or part of the potential financial risk through insurance, or outsourcing the risk.
The choice for how to assign risks within these categories depends on the cost-benefit ratio and the company's available resources. Smart admins are aware that these risks should not be considered in isolation, but always holistically.
Web-based attacks are largely automated today, from identifying targets, through discovering the weak points, to completing the attack. Well-armed groups of companies find it relatively easy to ward off this type of risk, but smaller companies have a harder time mustering the resources to meet the challenge.
A study by Imperva underlines the trend towards attacks against small and medium-sized businesses. Security systems for these smaller companies are usually far less well developed and maintained than those of large corporations, which places even more importance on working smart and prioritizing prevention measures.
Risk analysis is primarily about minimizing the most severe risks and getting the best possible result from the company's security investment. The techniques described in this article are designed to empower management to take the most urgent, realistic, and cost-effective measures to reduce the impacts of existing risks.
- Information on the ISO/IEC 27000 standards: http://www.iso27001security.com
- Symantec study "Cost of a Data Breach in 2013": https://symantec-corporation.com/servlet/formlink/f?kPugHuQYCDB&ACTIVITYCODE=164216&inid=GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382_aid164216
- Risk calculator by Symantec: https://databreachcalculator.com
- ISO standard 31010: http://www.iso.org/iso/catalogue_detail?csnumber=51073
- SANS risk list: http://www.sans.org/critical-security-controls/
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.