Monday, 24 December 2007

A Generic Security Risk Management Methodology

SEI Risk Management Paradigm (Copyright Carnegie Mellon University)
Classifying Risks - Classifying or categorising like or related risks helps build a clearer picture of the project’s risks. Eliminating duplicates and merging similar risks can increase the return on investment for mitigation, i.e. eliminate or reduce more than one risk at a time through the same mitigation plan.

Evaluate the basic risk attributes of probability and impact in order to provide a basis for relative comparison to other risks. This assists in planning a risk response strategy by determining which risks are the most important. A risk’s criticality is based on the interaction of how likely it is to happen and the magnitude of the consequence (negative or positive) to the project.

Prioritise the risks relative to one another in order to decide how to allocate resources for mitigation, particularly if the project team has identified a large number of risks.

Assign Responsibility - A key to risk management is team member ownership of and accountability for risks. The project manager should ensure that responsibility for every risk is assigned internally to a team member even if a risk is to be transferred outside of the direct control of the project team. The risk owner is to act as the project manager or sub-contract manager on behalf of the project team in order to ensure that nothing falls through the cracks.

Determine the strategy that will be followed in response to the risk. In order to decide on a response strategy consider the following questions:

  1. Can we live with this risk?
  2. Can we do anything to mitigate or avoid the risk within a reasonable budget and timeframe?
  3. If yes, what would be the measurable goals so we can tell we are done mitigating the risk?
  4. Would it be just as effective to deal with the risk if and when it becomes a problem?

What is left?

Residual risk – after a countermeasure is installed some risk still remains; that remainder is the residual risk.

(Threats x vulnerability x asset value) x control gap = residual risk

Total risk – the risk that exists when a company chooses not to implement any type of safeguard. The usual reason for accepting it is the result of a cost/benefit analysis.

Threats x vulnerability x asset value = total risk
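As an added worked example (not from the original post), the two formulas above are applied to a small constructed risk register, together with the prioritisation, grouping and owner-assignment steps described earlier. The 1–5 rating scales, the control gap expressed as a fraction, and the risk appetite of 10 are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample register. Rating scales (1-5 for threat, vulnerability
# and asset value; control gap as a fraction 0.0-1.0) are assumptions.

@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # used to merge like or related risks
    threat: int         # likelihood of the threat acting, 1-5
    vulnerability: int  # ease with which it could be exploited, 1-5
    asset_value: int    # magnitude of the consequence, 1-5
    control_gap: float  # 1.0 = no safeguard, 0.0 = fully controlled
    owner: str          # every risk is assigned an internal owner

def total_risk(r: Risk) -> float:
    """Threats x vulnerability x asset value (no safeguard in place)."""
    return r.threat * r.vulnerability * r.asset_value

def residual_risk(r: Risk) -> float:
    """Total risk x control gap: what remains after the countermeasure."""
    return total_risk(r) * r.control_gap

def prioritise(register):
    """Highest residual risk first, so the mitigation budget goes there."""
    return sorted(register, key=residual_risk, reverse=True)

def group_by_category(register):
    """Like risks grouped so one mitigation plan can address several."""
    groups = {}
    for r in register:
        groups.setdefault(r.category, []).append(r.name)
    return groups

def response(r: Risk, appetite: float) -> str:
    """Question 1 of the strategy checklist: can we live with this risk?"""
    return "accept" if residual_risk(r) <= appetite else "mitigate"

REGISTER = [
    Risk("Unpatched web server", "patching", 4, 5, 4, 0.5, "ops-lead"),
    Risk("Unpatched database host", "patching", 3, 4, 5, 0.5, "ops-lead"),
    Risk("Phishing of finance staff", "awareness", 5, 3, 4, 0.3, "ciso"),
    Risk("Office printer outage", "availability", 2, 2, 1, 1.0, "it-support"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.name:26} owner={r.owner:10} total={total_risk(r):5.1f} "
              f"residual={residual_risk(r):5.1f} -> {response(r, 10)}")
```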


It Is a Method, Not the Solution

Risk Management is just a means to an end… Good Corporate Governance!
