UNIT III SECURITY RISK MANAGEMENT

UNIT III SECURITY RISK MANAGEMENT Risk Management Life Cycle – Risk Profiling –
Risk Exposure Factors – Risk Evaluation and Mitigation Strategies– Risk Assessment
Techniques – Threat and Vulnerability Management

Risk Management Life Cycle

Life cycle management is a product management system that focuses on

reducing the environmental and socioeconomic impacts of a product throughout
its entire life cycle and value chain.

The risk management lifecycle is a structured process that involves identifying,

assessing, mitigating, monitoring, and reporting risks. It's a continuous process
that helps organizations prepare for potential risks.

Risk management lifecycle stages

 Risk identification: Recognize potential threats that could affect the

organization's objectives

 Risk analysis: Evaluate identified risks to determine their likelihood, impact,

and severity

 Risk mitigation planning: Develop strategies to reduce the impact of identified

risks

 Risk monitoring: Monitor and review the effectiveness of the risk management
plan
Risk management techniques

 Risk avoidance: Eliminate activities or processes that expose the organization

to risk

 Risk reduction: Implement controls to reduce the impact of risks

 Risk transfer: Transfer risks to others through insurance and contracts

1. Risk Identification
Risk identification is the foundational stage in the risk management lifecycle
where potential risks that could impact an organization or project are
systematically identified. This process involves:
 Documentation Review: Analyzing project documents, contracts, and
historical data to identify potential risks.
 Brainstorming Sessions: Teams gather to brainstorm potential risks based
on their expertise and experience.
 Checklists: Using standardized checklists to ensure comprehensive
coverage of potential risks.
 SWOT Analysis: Evaluating strengths, weaknesses, opportunities, and
threats to detect potential risks.
 Expert Interviews: Consulting with subject matter experts to identify risks
related to their areas of specialization.
2. Risk Assessment
Risk analysis involves evaluating identified risks to determine their likelihood,
impact, and severity. Key factors considered in this stage include:
 Probability Assessment: Determining the likelihood of each risk occurring
based on historical data, expert judgment, and statistical analysis.
 Impact Assessment: Assessing the potential consequences of each risk on
project objectives, such as quality, cost, and reputation.
 Risk Prioritization: Prioritizing risks based on their probability and impact
to focus resources on the most critical ones.
 Qualitative and Quantitative Analysis: Using qualitative techniques like
risk matrices and quantitative methods like Monte Carlo simulation to
analyze risks.
3. Risk Mitigation Planning
Risk mitigation planning involves developing strategies and tactics to reduce the
impact of identified risks. These strategies may vary depending on the nature of
the risk and the organization’s objectives. Key components of risk mitigation
strategies include:
 Risk Tolerance: Determining the level of risk that the organization is
willing to accept or tolerate.
 Risk Avoidance: Eliminating the risk by changing project scope,
requirements, or approach to prevent the risk from occurring.
 Risk Transference: Shifting risk to third parties through insurance,
contracts, or partnerships.
 Risk Mitigation: Deploying strategies to reduce the likelihood or impact of
risks, including contingency planning, redundancy, process improvements,
or other proactive actions.
 Risk Acceptance: Acknowledging the risk’s existence and its potential
consequences without taking specific action, either due to the higher cost of
mitigation compared to benefits or because the risk aligns with acceptable
tolerance levels.
4. Risk Management Implementation
Risk management implementation involves putting risk management plans into
action. This stage includes engaging stakeholders, communicating risk
information, and establishing monitoring and control mechanisms.
 Stakeholder Engagement: Involving stakeholders throughout the
implementation process to secure their buy-in and support.
 Communication Strategies: Establishing clear communication channels to
disseminate information about risks and mitigation efforts.
 Monitoring and Control: Implementing mechanisms to monitor risks and
their mitigation strategies, such as regular progress reviews and performance
indicators.
 Adaptation and Adjustment: Adjust risk management plans as needed
based on new information or changing circumstances.
5. Risk Monitoring and Review
Risk management review and monitoring involve ongoing assessment of risk
management plans to ensure their effectiveness. This stage includes:
 Regular Reviews: Conducting periodic reviews of risk management plans
to assess their alignment with project objectives and emerging risks.
 Performance Metrics: Establishing metrics to track the effectiveness of risk
mitigation efforts and identify areas for improvement.
 Risk Reporting: Providing regular reports to stakeholders on risk trends,
events, and the overall status of risk management activities.
 Lessons Learned: Capturing lessons learned from risk management
experiences to inform future projects.
 Root Cause Analysis: Examining the root causes of risk events to identify
systemic issues and prevent recurrence.

What Is a Risk Profile?

A risk profile is an analysis of the types of threats faced by both individuals

and companies. For individuals, a risk profile outlines the amount of risk one is
inclined to take with their investment portfolio. A company's risk profile refers
to the internal and external risks that may pose a threat to the business's
stability or profitability, and how those risks can be reduced.

KEY TAKEAWAYS
  An individual’s risk profile describes their willingness and ability to take
risks.
 An individual’s risk profile is integral in determining the asset allocation
in their investment portfolio.
 An individual’s risk profile can also indicate their inclination and
capacity to repay a debt.
 A company's risk profile consists of internal and external threats that can
affect the company's ability to conduct business.

What Does Your Own Risk Profile Mean?

An individual investment risk profile indicates how conservatively or how

speculatively an investor will allocate assets in their portfolio. Investors with a
higher risk tolerance will invest in stocks or other investment vehicles that offer
greater growth potential but less stability. Conversely, if an investor has a low
tolerance for risk, they will pursue safer companies or investment options with
a proven history, likely to provide dividends or stable value and growth.

Your risk profile, as potential lenders or creditors view it, also indicates your
likelihood of being approved for a new credit card, loan, or mortgage. If a
lender views you as a low risk, it means you have sufficient income to cover
your debts. If a company views you as a high risk due to an unsatisfactory debt-
to-income ratio or a history of late payments or defaults, you may not be able to
qualify for a new loan—or if you do, it may be for a lower amount or at a
higher interest rate.

What Is a Balanced Risk Profile?

A balanced risk profile means investing in both safer, conservative

investments, and riskier, more aggressive ones. Traditionally, a balanced
approach to investing is either equally split between stocks and bonds/fixed
income, or allocated 60% to stocks and 40% to bonds/fixed income. However,
the exact ratio is individual and may vary depending on the investor's time
horizon until retirement. For instance, an investor nearing retirement may only
have 20% of their portfolio in stocks and the other 80% in bonds or fixed
income.

What Is a Risk Profile Example?

A risk profile is developed by an investor honestly answering questions about

their investing preferences, time horizon, and financial goals. The way an
investor responds to these questions will determine the best asset allocation to
help them reach their goals.

Investing preferences indicate the amount of risk an investor is comfortable

with. If an investor has a high risk tolerance, they may be interested in
investments that offer less stability, but higher growth potential. If they are
risk-averse, they may pursue safer options, ones with greater stability and
consistency but lower returns.

An investor’s time horizon can also play a major role in determining their
overall asset allocation. Those nearing retirement are more likely to favor more
conservative investments, which help preserve the assets and provide small to
moderate growth or income. Investors who still have decades until retirement
and can weather the highs and lows of the market may seek out riskier but
potentially more rewarding investment opportunities. While the time horizon
alone doesn’t determine an investor’s propensity toward risk, it plays an
important role in their risk profile.

The Bottom Line

A risk profile for an individual refers to their willingness and ability to take on
risk in investing and helps determine the asset allocation in their portfolio.
From a lender's standpoint, an individual’s risk profile assesses their
willingness and ability to repay a debt or a loan.

A company's risk profile is formulated by assessing internal and external

threats that could negatively impact its profitability or stability or expose it to
lawsuits.
Thoroughly evaluating and addressing risks is crucial for investment success on
an individual level, as well as for business continuity on a larger, corporate, or
governmental scale.

Risk Exposure Factors

Risk exposure is the quantified potential loss from business activities currently
underway or planned. The level of exposure is usually calculated by multiplying
the probability of a risk incident occurring by the amount of its potential losses.

Sometimes, we discuss risk in terms of exposure. Risk exposure is a measure of

possible future loss (or losses) which may result from an activity or occurrence.
In business, risk exposure is often used to rank the probability of different types
of losses and to determine which losses are acceptable or unacceptable.
When engineering secure software, key risk exposure factors include: poor
coding practices, inadequate input validation, lack of security awareness among
developers, insufficient testing for vulnerabilities, complex system architecture,
reliance on third-party libraries with known vulnerabilities, improper access
controls, weak encryption, inadequate logging and monitoring, and failure to
address emerging threats; all of which can potentially expose sensitive data or
system functionality to malicious actors.
What is risk exposure in business?

Risk exposure is the quantified potential loss from business activities currently
underway or planned. The level of exposure is usually calculated by multiplying
the probability of a risk incident occurring by the amount of its potential losses.

Risk exposure in business is often used to rank the probability of different types
of losses and to determine which losses are acceptable or unacceptable. Losses
may include legal liability, property loss or damage, unexpected employee
turnover, changes in demand, payment of ransom to cybercriminals, or other
activity that could result in either a profit or a loss for the business.

The objective of the risk exposure calculation is to help determine the overall
level of risk the organization can tolerate based on the benefits and costs
involved. The level of risk an organization is prepared to accept to achieve its
goals is called its risk appetite.

What are the different categories and types of risk exposure?

There are two primary categories of risk exposure: pure risk and speculative
risk.

Pure risk exposure is a risk that cannot be wholly foreseen or controlled, such as
a natural disaster or global pandemic that impacts an organization's workforce.
Most organizations are exposed to at least some pure risks, and preemptive
controls and processes can be created that minimize loss, to some degree, in
these pure risk circumstances.

What is risk management? Importance, benefits and guide

Speculative risk is a type of risk that occurs based on actions an organization

takes -- and their subsequent consequences. Examples of speculative risk might
be the choice of a software platform that is later susceptible to critical
vulnerabilities or a choice to keep all backups on-site, which are later infected
by ransomware.
There are many different types of risk exposure, but the most common include
the following:

 Brand damage. Organizations incur brand damage when the image of the
brand is undermined or made obsolete by events. These events range from
customer service failures to outages, breaches or other types of cybersecurity
issues.

 Compliance failures. Compliance risk is an organization's potential

exposure to legal penalties, financial forfeiture and material loss, resulting
from its failure to act in accordance with industry laws and regulations,
internal policies or prescribed best practices.

 Security breaches. Security breaches are significant avenues of risk

exposure, especially if sensitive stolen data is posted online for others to
access.

 Liability issues. Organizations can be liable legally for a wide range of

transgressions. These could include cybersecurity issues like breaches, data
exposure, failure to meet service-level agreements and many more.

How do you calculate risk exposure?

To calculate risk exposure, analysts often use an equation similar to this:

Risk exposure = probability of risk occurring x total loss of risk occurrence

Here is another simpler way of describing this equation:

Risk exposure = risk impact x probability

Thus, organizations must know the total loss in dollars, as well as a percentage
representing the probability of the risk occurring. For example, an organization
might have a 50% likelihood of being hit by ransomware (0.5 probability); the
impact is determined as $2 million in recovery, consulting fees and loss of
revenue (this is a complicated metric for impact). In a simple risk exposure
equation, this would work out to:

Risk exposure = risk impact ($2,000,000) x probability (0.5)

Risk exposure = $1,000,000

While this equation is admittedly simple, it could serve as a baseline indicator

for prioritizing risk in risk mitigation programs.

How do you manage risk exposure?

The following techniques and tactics are commonly used by organizations to

manage risk exposure:

 Risk avoidance. Organizations can alter choices and decisions to avoid

risky activities.

 Risk mitigation. Controls and processes can be implemented that

help mitigate and minimize risk in many different areas.

 Risk transfer. Through insurance and third-party service arrangements,

organizations can transfer some risk to outside parties.

 Risk retention. Organizations can always choose to accept risk and

accommodate it as part of ongoing operations.

Risk Evaluation and Mitigation Strategies

 "Risk Evaluation and Mitigation Strategies" in secure software engineering refers
to the process of identifying potential security threats within a software system,
analyzing their likelihood and potential impact, and then implementing proactive
measures to minimize or eliminate those risks, essentially ensuring the software is
built with robust security features to prevent vulnerabilities and attacks.

Key components of Risk Evaluation and Mitigation Strategies in secure

software engineering:

 Risk Identification:

 Analyzing the software architecture, codebase, and external dependencies to

pinpoint potential vulnerabilities like insecure input validation, buffer overflows,
SQL injection points, etc.

 Considering threat actors and their potential attack vectors.

 Risk Assessment:

 Evaluating the likelihood of each identified risk occurring based on factors like
system complexity, user behavior, and threat landscape.

 Assessing the potential impact of a vulnerability if exploited, including data

breaches, system disruption, or privacy violations.
 Risk Prioritization:

 Ranking risks based on their severity and likelihood to guide mitigation efforts,
focusing on the most critical issues first.
 Mitigation Strategies:
 Code Reviews: Thoroughly examining code for security flaws and implementing
best practices like secure coding standards.

 Input Validation: Sanitizing user input to prevent malicious data injection.

 Access Control: Implementing proper user authentication and authorization

mechanisms to restrict access to sensitive data.

 Encryption: Encrypting sensitive data at rest and in transit to protect against

unauthorized access.
 Vulnerability Management: Regularly scanning for known vulnerabilities and
applying patches promptly.

 Security Testing: Conducting penetration testing and fuzzing to identify

exploitable vulnerabilities.

 Secure Architecture Design: Implementing security principles like least

privilege, defense-in-depth, and separation of concerns throughout the system
architecture.
Example mitigation strategies for specific software security risks:

 Cross-Site Scripting (XSS): Input validation, encoding user-supplied data, and

using secure output mechanisms.

 SQL Injection: Parameterized queries, input validation, and using prepared

statements.

 Cross-Site Request Forgery (CSRF): Implementing anti-CSRF tokens and

validating request origins.

 Buffer Overflow: Using bounds checking and secure memory allocation

techniques.
Important considerations for effective risk mitigation:

 Continuous Monitoring: Regularly reviewing security posture and updating

mitigation strategies as threats evolve.

 Collaboration: Involving security experts throughout the software development

lifecycle.

 Awareness Training: Educating developers and users about security best

practices to minimize human error.
Risk Evaluation and Mitigation Strategies

1. Introduction to Risk Evaluation

 Risk evaluation identifies security threats, vulnerabilities, and their

potential impact.
 It helps prioritize security measures based on severity and likelihood.

2. Risk Assessment Process

 Asset Identification: Determine valuable system components.

 Threat Identification: Recognize potential security threats.
 Vulnerability Assessment: Analyze system weaknesses.
 Impact Analysis: Evaluate the consequences of security breaches.

3. Risk Mitigation Strategies

1. Risk Avoidance: Modify system design to eliminate risks.

2. Risk Reduction: Implement security controls (e.g., firewalls,
encryption).
 3. Risk Transfer: Shift risk through insurance or third-party security
services.
4. Risk Acceptance: Acknowledge residual risk when mitigation is
impractical.

4. Secure Software Development Practices

 Threat Modeling: STRIDE, DREAD methodologies.

 Secure Coding Guidelines: OWASP Top 10 best practices.
 Automated Security Testing: SAST, DAST, IAST tools.

5. Compliance and Governance

 Follow regulations like GDPR, HIPAA, ISO 27001, and NIST for
security compliance.

6. Incident Response and Recovery

 Implement Security Information and Event Management (SIEM) for

threat monitoring.
 Develop a Disaster Recovery Plan (DRP) and Business Continuity
Plan (BCP).

Risk assessment techniques

Risk assessment techniques include risk analysis, fault tree analysis, and
quantitative risk assessment. These techniques help identify potential risks and
hazards, and develop strategies to mitigate them.

Risk assessment techniques

 Risk analysis: Analyzes the technical, administrative, operational, physical, and

personnel variables that impact a situation

 Fault tree analysis: Used to identify potential causes and pathways to a failure

 Quantitative risk assessment: Measures risk by assigning a numerical value to

it
 Asset identification: Involves making a complete inventory of all assets, both
physical and non-physical

 Risk likelihood and impact: Involves analyzing the likelihood and impact of
risks

 Cost of solutions: Involves analyzing the cost of solutions to mitigate risks

 Classify risk acceptability: Involves sorting and ranking risks according to

their severity
Benefits of risk assessment

 Helps identify hazards and potential risks

 Helps develop strategies to mitigate or eliminate threats

 Promotes a safe and secure workplace

 Helps organizations adopt a tailored approach that best fits their operational
scope

 Helps organizations enhance their ability to mitigate potential threats effectively

How to Perform Risk Assessment in 5 Steps

Below are the 5 steps on how to efficiently perform risk assessments:

1. Identify hazards

Survey the workplace and look at what could reasonably be expected to cause
harm. Identify common workplace hazards. Check the manufacturer’s or
suppliers’ instructions or data sheets for any obvious hazards. Review previous
accident and near-miss reports.

2. Evaluate the risks

Risk evaluation helps determine the probability of a risk and the severity of its
potential consequences. To evaluate a hazard’s risk, you have to consider how,
where, how much, and how long individuals are typically exposed to a potential
hazard. Assign a risk rating to your hazards with the help of a risk matrix.

3. Decide on control measures to implement

After assigning a risk rating to an identified hazard, it’s time to come up with
effective controls to protect workers, properties, civilians, and/or the
environment. Follow the hierarchy of controls in prioritizing implementation of
controls.

4. Document your findings

It is important to keep a formal record of risk assessments. Documentation may

include a detailed description of the process in assessing the risk, an outline of
evaluations, and detailed explanations on how conclusions were made.

5. Review your assessment and update if necessary

Follow up with your assessments and see if your recommended controls have
been put in place. If the conditions in which your risk assessment was based
 change significantly, use your best judgment to determine if a new risk
assessment is necessary.

Threat and Vulnerability Management

In threat and vulnerability management, risk assessment techniques

involve identifying potential threats, analyzing vulnerabilities within an
organization's systems, and evaluating the likelihood and impact of those threats
exploiting vulnerabilities, allowing for prioritization of risks and the
development of mitigation strategies; key techniques include asset
categorization, threat identification, vulnerability assessment, qualitative and
quantitative risk analysis, and risk scoring to determine the most

Key components of risk assessment techniques:

 Asset Identification:

Identifying all critical assets within an organization, including systems, data,

applications, and infrastructure, to understand their value and potential impact
if compromised.

 Threat Identification:Recognizing potential threats that could target the

identified assets, including internal and external actors like malicious actors,
natural disasters, or accidental errors.

 Vulnerability Assessment:
 Analyzing the weaknesses or flaws in systems, applications, and
configurations that could be exploited by identified threats.

 Likelihood Analysis:

Assessing the probability of a particular threat exploiting a specific

vulnerability based on factors like attacker capability, historical data, and
security controls.

 Impact Analysis:
Evaluating the potential consequences of a successful attack, including
financial loss, data breach, reputational damage, operational disruption, and
legal implications.
Common Risk Assessment Techniques:

 Qualitative Risk Assessment:

Using subjective judgment to evaluate the likelihood and impact of risks based
on expert opinions and experience, often categorized as high, medium, or low.

 Quantitative Risk Assessment:

Applying numerical values to the likelihood and impact of risks, allowing for
more precise risk calculations and prioritization.

 Scenario Analysis:

Simulating potential attack scenarios to understand the potential consequences

and identify critical vulnerabilities.

 Penetration Testing:

Actively attempting to exploit vulnerabilities in a system to assess the

effectiveness of security controls and identify potential attack vectors.

 Vulnerability Scanning:
Utilizing automated tools to scan systems for known vulnerabilities and
identify areas needing remediation.
 Risk Prioritization:

 Risk Scoring:

Assigning a numerical value to each risk based on its likelihood and impact to
prioritize mitigation efforts.

 Risk Matrix:
Visual representation of risks based on their likelihood and impact, enabling
quick identification of high-priority risks.
Important Considerations:

 Regular Review:

Risk assessments should be regularly updated to reflect changes in the threat

landscape, system modifications, and organizational priorities.

 Communication and Collaboration:

Effective risk management requires clear communication of risks to

stakeholders and collaboration across different departments to implement
mitigation strategies.

 Compliance Requirements:
Risk assessments should consider relevant industry regulations and
compliance standards when determining the appropriate level of security
controls.