Author: Manvir Kaur, Email: manvir@globaldigitalsecurity.ca
- Fundamental Principles of Security (Security Objectives) - CIA Triad
The CIA triad is a cornerstone of information security, guiding the implementation of measures to protect data and systems from a wide range of threats and vulnerabilities.
⦁ C-Confidentiality-This aspect of the triad focuses on ensuring that sensitive information is accessible only to authorized individuals or entities. It involves safeguarding data from unauthorized access, disclosure, or exposure.
⦁ I-Integrity-Integrity pertains to the trustworthiness and accuracy of data. It ensures that data remains unaltered and reliable throughout its lifecycle, safeguarding it from unauthorized modifications or tampering.
⦁ A-Availability-Availability ensures that data and services are consistently accessible and operational when needed. It safeguards against disruptions, downtime, and delays, making resources and systems accessible to authorized users.
- Balanced Security
Different assets may have varying requirements: some demand strict confidentiality, others rely heavily on data integrity, and some necessitate uninterrupted availability.
Here’s a brief list of controls and how they align with the components of the CIA triad.
Confidentiality:
⦁ Encryption for data in transit (IPSec, TLS, PPTP, SSH)
⦁ Encryption for data at rest (whole disk, database encryption)
⦁ Access control (physical and technical)
Integrity:
⦁ Access control (physical and technical)
⦁ Software digital signing
⦁ Hashing (data integrity)
⦁ Transmission cyclic redundancy check (CRC) functions
⦁ Configuration management (system integrity)
⦁ Change control (process integrity)
Availability:
⦁ Co-location and offsite facilities
⦁ Rollback functions
⦁ Redundant array of independent disks (RAID)
⦁ Clustering
⦁ Load balancing
⦁ Failover configurations
⦁ Redundant data and power lines
⦁ Software and data backups
⦁ Disk shadowing
- Security Definitions
Here are the definitions of the key terms in the context of security:
⦁ Threat: A threat refers to any potential danger or harmful event that may exploit vulnerabilities in a system or organization. Threats can come in various forms, such as cyberattacks, natural disasters, or human errors, and they have the potential to compromise the security of assets or data.
⦁ Vulnerability: A vulnerability is a weakness or flaw in a system, process, or component that can be exploited by a threat to breach security. Vulnerabilities can exist in software, hardware, procedures, or even human behavior and create opportunities for security breaches.
⦁ Risk: Risk represents the likelihood or probability of a threat exploiting a vulnerability, potentially resulting in harm or damage to an organization’s assets or objectives.
⦁ Exposure: Exposure relates to the state of being vulnerable or susceptible to risks and threats. It refers to the condition where assets, data, or systems are not adequately protected and can be harmed if a threat takes advantage of vulnerabilities.
⦁ Control: Controls are measures or countermeasures implemented to safeguard assets and mitigate risks. They can be technical, administrative, or physical in nature and are designed to prevent, detect, or respond to security threats. Controls aim to reduce vulnerabilities and manage exposure to risks effectively.
- Control Types
Controls are essential for mitigating an organization’s risk and can be categorized into three primary types: administrative, technical, and physical.
⦁ Administrative Controls: These are management-oriented measures. Examples include security documentation, risk management, personnel security, and training.
⦁ Technical Controls: These controls involve software or hardware components, such as firewalls, intrusion detection systems (IDS), encryption, and identification and authentication mechanisms.
⦁ Physical Controls: These controls are implemented to safeguard facilities, personnel, and resources and include measures like security guards, locks, fencing, and adequate lighting.
These three control categories collectively address a wide range of security needs within an organization. Controls can also be classified by their function, into six functional types.
⦁ Preventive Controls:
Security controls created to prevent an attack.
⦁ Access Control: Prevents unauthorized access to systems and data by enforcing authentication and authorization measures, like passwords, biometrics, and access permissions.
⦁ Firewalls: These network security devices block unauthorized access and filter incoming and outgoing traffic based on predefined security rules.
⦁ Intrusion Prevention Systems (IPS): IPS identifies and prevents potential threats or attacks by monitoring network traffic for malicious activities.
⦁ Detective Controls:
Security controls created to detect an attack.
⦁ Intrusion Detection Systems (IDS): IDS monitors network or system activities to identify and alert on suspicious behavior or security incidents.
⦁ Security Information and Event Management (SIEM): SIEM solutions collect and analyze data from various sources to provide insights into security events and incidents.
⦁ Log Monitoring: Regularly reviewing and analyzing system logs can help detect security issues and breaches.
⦁ Vulnerability Scanning: Scans are conducted to identify weaknesses or vulnerabilities in systems and applications.
⦁ Corrective Controls:
Security controls created to fix or remediate the effects of an attack.
⦁ Incident Response Plans: These plans outline the steps to be taken when a security incident occurs, helping to contain, mitigate, and recover from security breaches.
⦁ Backup and Recovery: Regular backups and disaster recovery plans are essential for restoring systems and data after a security incident or system failure.
⦁ Patch Management: In addition to prevention, patch management also falls under corrective controls to fix vulnerabilities after they are discovered.
⦁ Access Revocation: When an employee leaves an organization or changes roles, their access to systems and data should be promptly revoked to prevent unauthorized access.
⦁ Deterrent Controls:
Security controls created to discourage an attacker from attempting an attack.
⦁ Security Policies and Awareness Training: Security policies set expectations and guidelines, while awareness training educates employees about security best practices, acting as a deterrent against insider threats.
⦁ Physical Security Measures: Physical controls, like access cards and biometric systems, deter unauthorized personnel from entering secure areas.
⦁ Security Cameras: The presence of security cameras can deter both physical and cyber threats by acting as a visible surveillance measure.
⦁ Compensating Controls: Compensating controls are put in place when standard security measures may not be feasible or fully effective. They provide alternative safeguards to achieve the same security objectives. These controls should be carefully considered and documented in a risk management context.
⦁ Recovery Controls: Recovery Controls are a set of measures and strategies aimed at restoring normal operations after a security incident or disaster. They include data backup and restore procedures, disaster recovery plans, redundancy, failover systems, incident response plans, testing, and cloud-based recovery services. These controls are crucial for minimizing downtime, protecting data, and maintaining business continuity following disruptions.
Organizations need to implement a combination of these controls to create a comprehensive cybersecurity strategy. The choice of controls depends on the organization’s specific security needs, risk assessment, and compliance requirements.
- Security Framework
The security program should be layered, with each layer supporting the one above it and providing protection to the layer below it. This layered approach allows organizations to incorporate different technologies, methods, and procedures into their security program, making it flexible and adaptable to changing needs. The goal is to build a strong and resilient security program, much like constructing a fortress based on a flexible and structured plan.
⦁ Security Program Development - ISO/IEC 27000 Series
The ISO/IEC 27000 series is a comprehensive collection of international standards and guidelines related to information security management. These standards are designed to help organizations establish, implement, maintain, and continually improve their information security practices. The key components of the ISO/IEC 27000 series include:
⦁ Information Security Management System (ISMS): ISO/IEC 27001
⦁ Security Controls
⦁ Risk Management: ISO/IEC 27005
⦁ Guidance and Frameworks:
⦁ Privacy Management: ISO/IEC
⦁ Certification and Compliance: ISO/IEC
⦁ Enterprise Architecture Development
Enterprise architecture involves the core elements of an organization, encompassing its structure and function. It represents the components, their interconnections, and their interactions with the external environment.
⦁ Zachman Framework Model:
⦁ Definition: The Zachman Framework, developed by John Zachman, is a structured approach for organizing and managing an organization’s enterprise architecture. It categorizes and standardizes the various perspectives of an enterprise, helping to improve communication, planning, and alignment.
⦁ Summary: The Zachman Framework provides a comprehensive perspective on enterprise architecture, breaking it down into six dimensions: What, How, Where, Who, When, and Why. This framework helps organizations understand and document their architecture from different viewpoints, enabling better decision-making.
⦁ TOGAF (The Open Group Architecture Framework):
⦁ Definition: TOGAF is a widely used methodology for developing and managing enterprise architectures. It offers a structured approach, a set of processes, and a framework to design, plan, and govern enterprise IT architecture.
⦁ Summary: TOGAF provides a detailed and comprehensive approach to enterprise architecture development. It consists of a systematic process for creating architecture and addressing various aspects, such as business, data, applications, and technology. TOGAF is known for its robust methodology and set of best practices, and it enables designing architectures for complex organizations such as banks and the military.
⦁ DoDAF (U.S. Department of Defense Architecture Framework):
⦁ Definition: DoDAF is a framework used by the U.S. Department of Defense to ensure the interoperability and alignment of systems and processes to meet military mission goals. It is designed to support mission-critical operations.
⦁ Summary: DoDAF is specifically tailored for the defense sector and focuses on creating architectures that enable effective military operations. It includes standardized viewpoints and data models to ensure systems and technologies work together seamlessly to achieve mission objectives.
⦁ MODAF (Ministry of Defence Architecture Framework):
⦁ Definition: MODAF is an architecture framework primarily used by the British Ministry of Defence. It is designed to support military support missions and the procurement and management of defense systems.
⦁ Summary: MODAF is specialized for military applications and emphasizes the design, development, and management of defense-related systems. It enables interoperability and efficiency in military support operations.
⦁ SABSA Model (Sherwood Applied Business Security Architecture):
⦁ Definition: The SABSA model is a methodology for developing information security enterprise architectures. It focuses on integrating security into the overall enterprise architecture to ensure comprehensive protection of information assets.
⦁ Summary: SABSA is a security-focused framework that helps organizations design and implement information security architectures. It emphasizes aligning security strategies with business objectives and managing security risks effectively.
Security Control Development
COBIT 5 (Control Objectives for Information and Related Technologies):
⦁ Explanation: COBIT 5 is a comprehensive business framework developed by ISACA (Information Systems Audit and Control Association) for managing and governing enterprise IT. It provides a set of guidelines and best practices to ensure effective IT management, align IT with business goals, and maintain governance and control over information and related technologies.
⦁ Summary: COBIT 5 is a framework that helps organizations maximize the value of their IT investments while managing risks and ensuring compliance with regulatory requirements. It offers a structured approach to IT governance and risk management, making it a valuable resource for organizations seeking to improve their IT-related processes.
NIST SP 800-53 (National Institute of Standards and Technology Special Publication 800-53):
⦁ Explanation: NIST SP 800-53 is a set of security controls developed by the U.S. National Institute of Standards and Technology. It is primarily used to protect federal information systems and provides a comprehensive catalog of security controls and guidelines for federal agencies and organizations dealing with sensitive data.
⦁ Summary: NIST SP 800-53 serves as a critical resource for ensuring the security and protection of U.S. federal information systems. It covers a wide range of security controls and measures, making it a valuable reference for organizations seeking to enhance their information security posture, particularly in government-related contexts.
COSO Internal Control-Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission):
⦁ Explanation: The COSO Internal Control-Integrated Framework is a set of internal corporate controls developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Its primary purpose is to reduce the risk of financial fraud and ensure effective internal control over financial reporting.
⦁ Summary: COSO’s framework provides guidance and principles for establishing internal controls that help organizations prevent and detect financial fraud, errors, and irregularities. It is widely adopted in corporate governance and financial management to promote transparency, accountability, and reliability in financial reporting.
Process Management Development
ITIL (Information Technology Infrastructure Library):
⦁ Explanation: ITIL offers a framework for organizing and managing IT services to align them with business needs and improve overall service quality.
⦁ Summary: ITIL provides a structured approach to managing IT services throughout their lifecycle. It encompasses various processes and practices, enabling organizations to deliver effective and efficient IT services that support business objectives.
Six Sigma:
⦁ Explanation: Six Sigma is a business management strategy used to achieve process improvement and operational excellence. It emphasizes reducing defects and variations in processes, ultimately leading to better quality, increased efficiency, and enhanced customer satisfaction.
⦁ Summary: Six Sigma employs a data-driven and systematic approach to identify and eliminate process inefficiencies. By focusing on data analysis and problem-solving, organizations can enhance their processes and deliver higher-quality products and services.
CMMI (Capability Maturity Model Integration):
⦁ Explanation: CMMI is an organizational development model for process improvement developed by Carnegie Mellon University. It offers a framework to assess and enhance an organization’s capability to consistently and predictably deliver high-quality products and services.
⦁ Summary: CMMI provides a structured approach to assess and improve an organization’s processes, from initial ad hoc practices to well-defined, consistently managed processes. It enables organizations to achieve higher levels of process maturity and capability.
5. Functionality vs Security
Functionality refers to the features and capabilities of a system or application that enable it to perform its intended tasks efficiently and effectively. It encompasses usability, performance, and the ability to meet business or operational requirements.
Security, on the other hand, focuses on protecting information and information systems from unauthorized access, disclosure, alteration, and destruction. It involves implementing controls and safeguards to mitigate risks and ensure the confidentiality, integrity, and availability of data and systems.
The challenge in information security is to strike a balance between functionality and security. While functionality is essential for meeting business objectives, security is necessary to protect against threats and vulnerabilities. The goal is to implement security measures that do not overly impede functionality but still provide adequate protection.
6. Laws, Regulations and Directives
⦁ Federal Privacy Act (1974): This act safeguards personally identifiable information (PII) held in federal databases.
⦁ FISMA (Federal Information Security Management Act of 2002): This law mandates security measures for government information systems. It requires agencies to establish security policies, conduct assessments, and report on their cybersecurity efforts, enhancing the protection of federal information assets and promoting transparency in security management.
⦁ HIPAA (Health Insurance Portability and Accountability Act): HIPAA focuses on protecting health-related information and was amended to introduce data breach notification requirements.
⦁ HITECH (Health Information Technology for Economic and Clinical Health Act, 2009): HITECH amends HIPAA, updating privacy and security requirements, particularly for business associates handling protected health information (PHI).
⦁ GLBA (Gramm-Leach-Bliley Act): GLBA mandates the protection of consumers’ financial information, particularly related to credit services.
⦁ PCI DSS (Payment Card Industry Data Security Standard): It is a set of security standards designed to protect cardholder data and ensure secure payment card transactions. It requires organizations that handle credit card information to implement specific security measures, such as encryption, access controls, and regular security assessments, to prevent data breaches and fraud. Compliance with PCI DSS is essential for businesses that handle payment card transactions.
⦁ PIPEDA (Personal Information Protection and Electronic Documents Act): PIPEDA establishes guidelines for obtaining consent, safeguarding information, and providing access to personal data, contributing to data protection in Canada.
⦁ The USA PATRIOT Act of 2001: The United States enacted this act after the 9/11 attacks to enhance national security and counter-terrorism efforts. It grants authorities the power to conduct surveillance, collect intelligence, and investigate potential threats, particularly related to terrorism.
⦁ The Department of Veterans Affairs Information Security Protection Act: It aims to bolster the security of sensitive information held by the U.S. Department of Veterans Affairs (VA). It requires the VA to implement safeguards and security measures to protect veterans’ data, enhancing privacy and minimizing the risk of breaches or unauthorized access. The act underscores the importance of safeguarding veterans’ information within the VA’s systems.
7. Electronic Assets
The digital age has introduced the challenge of protecting intangible assets like data, which now tops the list of assets requiring safeguarding.
8. The Evolution of Attacks
Modern cybercriminals operate discreetly with specific objectives, focusing on activities like identity theft and financial fraud to stay under the radar.
Common Internet Crime Schemes
- Auction fraud
- Ponzi/pyramid schemes
- Counterfeit cashier’s check
- Debt elimination
- Lotteries
- Nigerian letter, or “419”
- Third-party receiver of funds
- Reshipping
- Parcel courier e-mail scheme
- Investment fraud
- Employment/business opportunities
- Escrow services fraud
9. International Cybercrime and Data Protection Frameworks
The Council of Europe (CoE) Convention on Cybercrime is a pioneering international treaty that aims to combat cybercrime by harmonizing national laws and enhancing cross-border cooperation. It focuses on improving investigative methods and establishes a framework for jurisdiction and extradition, requiring that the crime be recognized in both jurisdictions for extradition to occur.
The Organisation for Economic Co-operation and Development (OECD) is an international organization that promotes economic growth, stability, and improved living standards among its member countries. Its core principles include:
- Security Safeguards principle: Implement reasonable measures to protect data from loss, unauthorized access, modification, and disclosure.
- Openness principle: Communicate data practices and policies transparently, allowing subjects to understand what data is held, how it’s used, and the identity of the organization in possession of that data.
- Individual Participation principle: Individuals have the right to know if an organization possesses their personal information, access that information, rectify inaccuracies, and challenge refusals to do so.
- Accountability principle: Organizations are responsible for adhering to the principles, ensuring compliance with data protection measures.
- Collection Limitation principle: Personal data should be lawfully and fairly collected with the subject’s knowledge and limited in scope.
- Data Quality principle: Maintain accurate, up-to-date, and relevant personal data.
- Purpose Specification principle: Notify subjects of the intended use of their data and only use it for the stated purpose.
- Use Limitation principle: Personal data should only be disclosed or used as per consent or legal authority and for the intended purpose.
The General Data Protection Regulation (GDPR) is a comprehensive European Union (EU) regulation that governs the handling of personal data. Key provisions of GDPR include:
- Consent: Personal data cannot be used without explicit consent from data subjects.
- Right to Information: Data controllers and processors must inform data subjects about data usage.
- Right to Restrict Processing: Data subjects can permit data storage but restrict its processing.
- Right to be Forgotten: Data subjects can request permanent deletion of their personal data.
- Data Breach Reporting: Data controllers must report data breaches within 72 hours of discovery.
10. Import/Export Legal Requirements
Import and export legal requirements govern the international movement of goods and services, ensuring compliance with trade regulations, security, and customs laws. These requirements involve obtaining proper licenses, permits, and documentation, adhering to trade sanctions and embargoes, and accurately classifying products under the Harmonized System (HS) for customs purposes.
Wassenaar Arrangement: It is an international export control regime focused on restricting the export of certain dual-use goods and technologies, which can have both civilian and military applications.
11. Types of Legal Systems
- Civil (Code) Laws: Focus on the fundamental principles of a nation’s constitution, including the rights and powers of citizens and the government.
- Criminal Laws: Regulate behaviours that are harmful to society and carry penalties such as fines or imprisonment.
- Civil (Tort) Laws: Address civil wrongs or injuries caused by one party to another, resulting in legal liability.
- Administrative Laws: Govern the activities and procedures of government agencies, ensuring they act within their authority.
- Common Law System: Evolved in England and was later adopted by many countries, including the United States. Relies on judicial decisions and precedents to interpret and apply the law. Judges have a significant role in shaping legal principles and rulings. Emphasizes flexibility and adaptability over rigid codes.
- Customary Law System: Based on long-standing cultural traditions and practices. Typically oral, passed down through generations. Often governs matters related to family, property, and community disputes. Prevalent in indigenous societies and some African countries.
- Religious Law System: Derived from religious texts and beliefs. The legal system is intertwined with religious teachings and moral codes. Often found in countries where a specific religion is the dominant or official faith. Examples include Islamic Sharia law and Canon law in the Christian tradition.
- Mixed Law System: Combines elements of multiple legal systems, often due to historical influences. May blend common law and civil law or incorporate elements of religious or customary law.
12. Intellectual Property Law
Intellectual Property (IP) law is a legal framework that safeguards the creations of the human mind and provides exclusive rights to individuals or entities for their innovative and original works. It encompasses various forms of intangible assets, including patents, copyrights, trademarks, trade secrets, and more. IP law grants creators and inventors the right to control and profit from their intellectual creations, while also protecting against unauthorized use or duplication by others. This legal framework promotes innovation and creativity by offering legal protection for intellectual property and encouraging investment in research, development, and artistic expression.
Trademarks:
- Trademarks are identifiers for companies and products.
- They are automatically protected, and the ™ symbol can be used publicly.
- Registering with the US Patent and Trademark Office allows use of the ® symbol.
- Trademarks should not be confusingly similar to others and should not be descriptive.
Patents:
- Patents protect inventors’ IP rights for 20 years.
- Inventions must be new, useful, and non-obvious.
- Patent trolls manipulate patents for monetary gain.
- Software products are often treated as trade secrets due to patent limitations.
Trade Secrets:
- Trade secrets are critical, confidential business information.
- Disclosure can result in significant damage.
- They are protected by nondisclosure agreements (NDAs).
- Trade secrets are not publicly disclosed, in contrast to patents and copyrights.
Copyright:
- Copyright is a legal protection for original works of authorship.
- It covers various creative forms, including literary, musical, and artistic works.
- Copyright is automatic upon creation; registration is not required.
- It grants creators exclusive rights to reproduce, distribute, and display their work.
- Works for hire grant copyright to employers.
- Copyrights typically last for 70 years after the last author’s death.
- The Digital Millennium Copyright Act (DMCA) addresses digital copyright issues and protections.
Internal Protection of Intellectual Property:
- Implementing access controls and limited permissions to sensitive IP.
- Educating employees about the importance of IP protection and their role.
- Using non-disclosure agreements (NDAs) for confidential information.
- Employing secure storage and backup systems to prevent data loss.
- Regularly monitoring and auditing access to intellectual property.
- Establishing clear IP policies and procedures within the organization.
Software Piracy:
- Unauthorized copying, distribution, or use of software without proper licensing.
- Deprives software developers of revenue and violates copyright laws.
- Common forms include downloading cracked software, sharing license keys, and using unlicensed copies.
- Impacts both individuals and businesses, leading to legal consequences.
- Industry initiatives and software licensing models aim to combat piracy.
- Piracy can result in financial losses and security risks.
Privacy:
- Privacy refers to an individual’s right to control their personal information and protect it from unwanted intrusion.
- It encompasses the confidentiality, security, and autonomy of personal data.
- Privacy is essential for safeguarding personal freedoms, dignity, and personal relationships.
- It applies to various aspects of life, including personal, financial, and online privacy.
- Privacy concerns have escalated in the digital age with the proliferation of data collection and online activities.
Increasing Need for Privacy Laws:
- Technological advancements and data-driven industries have heightened the collection and sharing of personal data.
- Privacy breaches, cybercrimes, and identity theft have become more prevalent, underscoring the need for legal protection.
- New technologies like biometrics, IoT, and AI have expanded the scope of privacy risks.
- The public’s awareness of privacy issues has grown, prompting calls for more stringent regulations.
- Privacy laws, such as the GDPR and PIPEDA, aim to establish clear rules and accountability for the handling of personal data in the digital era.
Data Breach:
- Unauthorized access, disclosure, or loss of sensitive data, posing risks to individuals and organizations.
13. Policies, Standards, Baselines
- Policies: High-level, strategic guidelines that outline an organization’s approach to managing data security and privacy. Categories of policies are:
- Regulatory Policy: Regulatory policies are rules and guidelines set by governing bodies or authorities to legally enforce specific behaviours, actions, or standards. They often carry legal consequences and are binding for those they apply to.
- Advisory Policy: Advisory policies provide recommendations, suggestions, or best practices to guide behaviour or decision-making. They are not legally binding but serve as valuable guidance for achieving specific goals or compliance.
- Informative Policy: Informative policies are documents that provide information or education on a particular topic or issue. They aim to increase awareness and understanding without imposing rules or recommendations.
- Standards: Specific, detailed requirements that must be followed to achieve compliance with policies.
- Baselines: Minimum security requirements or performance standards for a specific area of data protection.
- Guidelines: Suggested best practices or recommendations for achieving a particular goal, offering flexibility.
- Procedures: Step-by-step instructions for implementing specific actions or processes in alignment with policies and standards.
Security Policy: A security policy is a documented set of rules, guidelines, and principles that outline an organization’s approach to safeguarding its assets, data, and systems. It serves as a foundation for establishing security measures, controls, and procedures to protect against various threats and vulnerabilities.
14. Risk Management
Risk management is a crucial process that involves identifying, assessing, and mitigating or transferring risks to reduce their probability or impact. Understanding and evaluating risks are vital for the success of a security program. This involves assessing assets, identifying threats and vulnerabilities, and prioritizing risks. By assigning a value to each risk, informed decisions can be made regarding the best mitigation methods. Ongoing evaluation is essential as new threats continually emerge, requiring security professionals to stay updated and vigilant.
Risk Management Lifecycle:
- Risk Assessment: Involves system characterization, threat and vulnerability identification, and determining the likelihood and impact of risk events.
- Risk Analysis: Can be qualitative (using subjective terms) or quantitative (using numerical values) to assess risks.
- Mitigating Risk: Organizations can reduce, transfer, accept, or avoid risks.
- Residual Risk: The remaining risk after mitigation is performed.
Risk Perspectives:
- Asset-based risk management focuses on protecting assets.
- Outcomes-based risk management assesses risks based on desired outcomes.
- Process-based risk management emphasizes safety outcomes.
- Vulnerability-based risk management revolves around inherent weaknesses.
- Threat-based risk management considers the entities that can perform attacks.
Risk Analysis:
- Management prioritizes and decides how to handle risks, such as mitigation, acceptance, transfer, or avoidance.
- Risk can be rated using impact, likelihood, and exposure.
- Qualitative analysis is opinion-based, while quantitative analysis uses numeric values.
- Simulations, like penetration testing, provide quantitative data.
15. Risk Measurement Model
- Asset Value (AV) is an asset’s worth.
- Exposure Factor (EF) is the percentage of an asset that could be lost.
- Single Loss Expectancy (SLE) is AV multiplied by EF.
- The Annual Rate of Occurrence (ARO) indicates how often a risk event might occur.
- The Annual Loss Expectancy (ALE) is SLE multiplied by ARO, representing potential annual losses.
Via Contracts:
- Minimum security requirements form the baseline security configuration.
- Service Level Agreements (SLAs) are part of contracts and contain enforceable metrics for services or products.
16. Quantitative Risk
Quantitative risk assessment involves assigning numerical values to various risk factors, allowing for a more precise and objective evaluation of risk. It’s particularly useful for making data-driven decisions and conducting cost-benefit analyses. Key components include:
- Single Loss Expectancy (SLE): This is the expected monetary loss from a single occurrence of a risk event. The formula for SLE is SLE = Asset Value (AV) x Exposure Factor (EF).
- AV: The monetary value of the asset.
- EF: The percentage of the asset’s value that could be lost if a risk event occurs.
- Annual Rate of Occurrence (ARO): ARO represents the expected number of times a specific risk event is likely to occur in a year. It’s typically expressed as a decimal.
- Annual Loss Expectancy (ALE): ALE calculates the expected annual loss from a risk event. The formula for ALE is ALE = SLE x ARO.
Quantitative risk analysis provides concrete values that help organizations prioritize risks and make informed decisions regarding mitigation strategies.
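The following is an added example, not part of the original notes, that carries the risk measurement model (AV, EF, SLE, ARO, ALE) through in code and adds the cost/benefit test for a safeguard: ALE before the control, minus ALE after it, minus the control's annual cost. The scenarios, the safeguard names and all monetary figures are constructed for illustration.

```python
"""Quantitative risk model: SLE = AV x EF, ALE = SLE x ARO, and the
cost/benefit test for a safeguard. Added example; all figures are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pairing expressed in the terms of the risk measurement model."""
    name: str
    asset_value: float      # AV: monetary worth of the asset
    exposure_factor: float  # EF: fraction (0..1) of AV lost in one event
    aro: float              # ARO: expected events per year (0.2 = once in 5 years)

    def __post_init__(self) -> None:
        # EF is a percentage of the asset; a value outside 0..1 is a data-entry error.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: expected loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year (SLE x ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control with its yearly cost and the EF/ARO it leaves behind (hypothetical)."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into the decimal ARO used by the model."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def residual_scenario(scenario: RiskScenario, safeguard: Safeguard) -> RiskScenario:
    """The same scenario after the safeguard is applied (residual risk)."""
    return replace(scenario, exposure_factor=safeguard.residual_ef,
                   aro=safeguard.residual_aro)


def safeguard_value(scenario: RiskScenario, safeguard: Safeguard) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost).
    Positive means the control is expected to save more than it costs."""
    return (scenario.ale()
            - residual_scenario(scenario, safeguard).ale()
            - safeguard.annual_cost)


def prioritize(scenarios: list[RiskScenario]) -> list[RiskScenario]:
    """Rank scenarios by ALE, highest first, to decide what to mitigate first."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


# Constructed figures for illustration (not taken from any real assessment).
FILE_SERVER_RANSOMWARE = RiskScenario("file server / ransomware", asset_value=250_000,
                                      exposure_factor=0.4, aro=aro_from_interval(5))
LAPTOP_THEFT = RiskScenario("unencrypted laptop / theft", asset_value=30_000,
                            exposure_factor=1.0, aro=0.5)
BACKUPS_AND_EDR = Safeguard("offline backups + endpoint detection", annual_cost=8_000,
                            residual_ef=0.1, residual_aro=0.1)
OUTSOURCED_SOC = Safeguard("outsourced 24x7 monitoring", annual_cost=25_000,
                           residual_ef=0.1, residual_aro=0.1)

if __name__ == "__main__":
    for s in prioritize([LAPTOP_THEFT, FILE_SERVER_RANSOMWARE]):
        print(f"{s.name}: SLE={s.sle():,.0f} ALE={s.ale():,.0f}")
    for g in (BACKUPS_AND_EDR, OUTSOURCED_SOC):
        print(f"{g.name}: annual value={safeguard_value(FILE_SERVER_RANSOMWARE, g):,.0f}")
```

With the constructed figures the ransomware scenario has SLE 100,000 and ALE 20,000; the backup control is worth about 9,500 per year, while the more expensive monitoring option, which reduces the same risk, comes out negative and would need a different justification.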