
RISK MANAGEMENT: AT THE HEART OF SECURITY DECISION-MAKING FOR THE CISO

Kirk Bailey, CISSP, CISM
Chief Information Security Officer
University of Washington
kirkb01@washington.edu

Ernie Hayden, CISSP
Chief Information Security Officer
Port of Seattle
Hayden.e@portseattle.org

THE CURRENT TECHNOLOGY RISK PICTURE
Plenty of monsters out there!

AT THE HEART OF MOST TECHNOLOGY-BASED RISK

True Cost of Convenience Model:
  Security vs Convenience
  Liability vs Convenience
  A different way to look at your risk

The Convenience Factor (chart series; vertical axis: Increased, horizontal axis: Less to More convenience; security and convenience curves cross at a crossover point)
  The crossover point moves based on security needs, etc.
  Buy insurance / transfer risk: shift in crossover point, more convenience allowed
  Add security controls: shift in crossover point

COMING TO GRIPS WITH RISK MANAGEMENT AS A CISO

Different kinds of risk management:
  Daily work issues
  Larger strategic and planning issues
Different approaches, models, and tools can be used by a CISO

SECURITY PROFESSION EXPERTISE LEVELS

Chart (the original plots topics across three expertise levels; the layout did not survive extraction):
  Levels: Technology Security -> Information Security -> Strategic Security
  Problem classes: Technology Problems -> Business Problems -> Critical Security Problems
  Topics plotted: Risk Management; Firewalls; Intrusion Detection; Network Security; Viruses, Worms, Crimeware; System Hardening; Encryption; Engineering; Terrorism & CyberCrime; Business Continuity / Disaster Planning; Regional Interests (including cyber and natural disasters); Intellectual Property; Business / Financial Integrity; Nation State Interests; Intelligence; Regulatory Compliance; Professional Alliances; Industrial Espionage; Privacy; Politics; Forensics & Investigations; Strategies and Tactics

Chart based on Forrester Research, April 2005, and enhanced/modified by Kirk Bailey and Ernie Hayden

The POS (Port of Seattle) Risk In-Basket

  Microsoft Word zero-day exploits
  Microsoft only releases 4 vs 8 patches: what is the risk of not having the other 4?
  Implications of the Federal Rules of Civil Procedure regarding e-discovery? What about IM? Voicemail? Email?
  How to securely handle TSA data? Transmission, storage
  House audit of personal information handling
  PCI compliance issues
  Vista roll-out concerns

UW INFORMATION SYSTEMS SECURITY RISK MAPPING

RISK AREAS
The UW ERM program has identified four (4) general risk areas for defining, grouping and analyzing risks. They are:
  Compliance
  Financial
  Operational
  Strategic

RISK REGISTER

Example: ISS OPERATIONAL RISK (5 identified):
  Computing Systems: loss, disruption or unauthorized use of computing resources
  Network / Telecommunications: loss, degradation or unauthorized access of network/telecommunication resources
  Data Management: destruction, corruption or theft of information
  Physical and Environmental Management:
    Theft, destruction or unauthorized access to facilities or assets
    Environmental/natural caused damage to facilities, assets or harm to people

Example: ISS STRATEGIC RISK (6 identified):
  Organizational Authority (lack of it):
    Unnecessary financial costs
    Unable to correct high risk incidents or behavior upon notice
    Loss of competitive advantage
    Overall security may suffer as a result of competing priorities
  Strategic Business Partnering and Alliances:
    Missed legal and regulatory interests
    Missed business opportunities

Impact rating table (columns: Rank, Description, Injuries, Financial Loss, Asset Loss, Interruption of Services, Reputation & Image, Performance Loss; the Rank values did not survive extraction, but the likelihood x impact matrix that follows is consistent with Insignificant = 1 through Catastrophic = 5)

Catastrophic
  Injuries: multiple deaths or severe permanent disabilities
  Financial Loss: > $10M or > 6% of operational budget
  Asset Loss: complete loss of assets
  Interruption of Services: > 1 month
  Reputation & Image: substantiated, public embarrassment, very high multiple impacts, high widespread news profile, third party actions
  Performance Loss: > 50% variation to Key Performance Indicators (KPIs)

Disastrous
  Injuries: death or extensive injuries
  Financial Loss: $3M - $10M or 6% of operational budget
  Asset Loss: significant loss of assets
  Interruption of Services: 1 week - 1 month
  Reputation & Image: substantiated, public embarrassment, high impact, high news profile, third party actions
  Performance Loss: 25 - 50% variation to KPIs

Serious
  Injuries: medical treatment
  Financial Loss: $250K - $3M or 2% of operational budget
  Asset Loss: major damage to assets
  Interruption of Services: > 1 day to < 1 week
  Reputation & Image: substantiated, public embarrassment, moderate impact, moderate news profile
  Performance Loss: 10 - 25% variation to KPIs

Minor
  Injuries: first aid treatment
  Financial Loss: $50K - $250K or 1% of operational budget
  Asset Loss: minor loss or damage to assets
  Interruption of Services: 1/2 - 1 day
  Reputation & Image: substantiated, low impact, low news profile
  Performance Loss: 5 - 10% variation to KPIs

Insignificant
  Injuries: no injuries
  Financial Loss: < $50K or < 0.5% of operational budget
  Asset Loss: little or no impact on assets
  Interruption of Services: < 1/2 day
  Reputation & Image: unsubstantiated, low impact, low profile or no news items
  Performance Loss: up to 5% variation to KPIs

Risk Ranking: measures of likelihood and impact are multiplied to determine the level of risk.

LIKELIHOOD x IMPACT matrix (only cells scoring 10 or more are shown on the slide; the values are consistent with a 1-5 scale on each axis)

                  Insignificant   Minor   Serious   Disastrous   Catastrophic
Almost Certain          -           10      15         20            25
Likely                  -            -      12         16            20
Possible                -            -       -         12            15
Unlikely                -            -       -          -            10
Rare                    -            -       -          -             -

RISK MANAGEMENT HEAT CHARTS

Three risk maps plot the register's numbered risks (1, 4, 5, 6, 7, 8, 9, 10, 11 and 12 appear) on the likelihood x impact grid:
  Risk Map Without Controls
  Risk Map With Current Controls
  Risk Map Mitigation Plan
(The cell positions of the plotted risks are not recoverable from the extracted text.)
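Scoring a register line the way the slides describe, as an added example (it is not UW ERM program or Port of Seattle tooling): the block encodes the 1-5 likelihood and impact scales, derives an impact rank from an estimated dollar loss using the financial column of the consequence table, multiplies to get the Risk Ranking, and builds the three heat charts (without controls, with current controls, mitigation plan) from a constructed sample register. The inclusive-bound reading of the financial thresholds, the "score >= 10 appears on the chart" cut-off and the sample risks themselves are assumptions of this example, flagged in the code.

```python
"""Risk ranking on the slides' 5 x 5 likelihood x impact scales.

Added example for this page; it is not UW ERM program or Port of Seattle
tooling.  Scale positions and financial-loss thresholds are read off the
consequence table; the "score >= 10 appears on the heat chart" cut-off is
read off the matrix; the sample risks below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Serious": 3, "Disastrous": 4, "Catastrophic": 5}
IMPACT_NAME = {rank: name for name, rank in IMPACT.items()}

# Financial-loss column, highest band first: (dollar lower bound,
# fraction-of-operational-budget lower bound, impact rank).  Reading the
# slide's percentages as band upper bounds (<0.5%, 1%, 2%, 6%, >6%) and
# treating every bound as inclusive is this example's assumption.
FINANCIAL_BANDS = [
    (10_000_000, 0.06, 5),   # Catastrophic: > $10M or > 6% of budget
    (3_000_000, 0.02, 4),    # Disastrous:   $3M - $10M (2 - 6%)
    (250_000, 0.01, 3),      # Serious:      $250K - $3M (1 - 2%)
    (50_000, 0.005, 2),      # Minor:        $50K - $250K (0.5 - 1%)
]                            # otherwise Insignificant: < $50K or < 0.5%


def impact_from_financial_loss(loss_usd: float, operational_budget_usd: float) -> int:
    """Impact rank (1-5) for an estimated loss.  The dollar test and the
    percent-of-budget test are alternatives on the slide, so the higher
    rank wins: a $100K loss is Minor against a $1B budget but
    Catastrophic against a $1M budget."""
    fraction = loss_usd / operational_budget_usd
    for dollars, frac, rank in FINANCIAL_BANDS:
        if loss_usd >= dollars or fraction >= frac:
            return rank
    return 1


def score(likelihood: str, impact: str) -> int:
    """Risk Ranking as on the slide: likelihood x impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def on_heat_chart(risk_score: int) -> bool:
    """The slide's matrix only shows cells scoring 10 or more (assumed cut-off)."""
    return risk_score >= 10


def score_grid() -> dict:
    """All 25 cells of the likelihood x impact matrix."""
    return {(lk, im): score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class Risk:
    """One risk-register line with the three stages the heat charts plot."""
    ident: int
    description: str
    inherent: tuple                  # (likelihood, impact) with no controls
    current: tuple                   # with current controls
    planned: Optional[tuple] = None  # after the mitigation plan


def risk_map(risks, stage: str) -> dict:
    """Heat chart for one stage: {(likelihood, impact): [risk ids]}."""
    cells = {}
    for r in risks:
        pos = getattr(r, stage)
        if pos is not None:
            cells.setdefault(pos, []).append(r.ident)
    return cells


def register_report(risks):
    """(id, inherent, current, planned) scores, highest inherent first."""
    rows = []
    for r in risks:
        rows.append((r.ident, score(*r.inherent), score(*r.current),
                     score(*r.planned) if r.planned else None))
    return sorted(rows, key=lambda row: -row[1])


# Constructed sample register (not the UW register): descriptions follow the
# operational-risk categories on the slide, the ratings are invented.
SAMPLE_RISKS = [
    Risk(1, "Data Management: theft of information",
         ("Likely", "Disastrous"), ("Possible", "Serious"), ("Unlikely", "Serious")),
    Risk(4, "Network: loss of telecommunication resources",
         ("Almost Certain", "Serious"), ("Likely", "Minor"), ("Possible", "Minor")),
    Risk(7, "Physical: unauthorized access to facilities",
         ("Possible", "Catastrophic"), ("Possible", "Disastrous"), ("Unlikely", "Disastrous")),
]

if __name__ == "__main__":
    for ident, inh, cur, plan in register_report(SAMPLE_RISKS):
        flag = "*" if on_heat_chart(cur) else " "
        print(f"risk {ident:>2}: inherent {inh:>2}  current {cur:>2}{flag}  planned {plan}")
```

The three stages are kept on one register line rather than in three separate lists so that a risk which is still on the heat chart after current controls (the asterisk in the report) can be read off next to what the mitigation plan is supposed to buy; that is the comparison the three slide maps are drawn for.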

CES 2007: Gates Launches Windows Home Server at CES 2007 (HP, AMD partner on home server, due in second half of 2007)

Says one Microsoft source, carefully speaking in the hypothetical: "It would be nice to come out with a very low-cost/low profile server--something easy to use and easy to add large hard drives to. It would not only back up all the PCs in your house, but also handle patch management, anti-virus, spam filtering, anti-spyware, firewall management, AND also act as a TV server."

Discussion Point: Risk assessment of this idea?

Technology Response vs Risk Response

I will say this ... organized cybercrime is now capable of by-passing ALL current industry standard security measures. We (the security/technology industry) are making the wrong bets concerning possible solution sets. If you manage security by the book or rely heavily on technology counter-measures you are playing into the skilled adversary's hands. You would be better off not wasting your time and spend it instead on staffing and planning for incident response, reputation loss and notification costs.

Risk Mitigation Considerations

  Handling reputation loss?
  Risk of notifying or not?
  How to respond when technology fails?

Thanks!
