A Risk Management Viewpoint
Risk management is based on the concept of identifying risks and deciding
how to deal with them. [Cohen97-3]
In terms of identifying risks, there is a widespread
belief that risks stem from the combination of dependencies,
vulnerabilities, and threats.
- Dependencies: Business function dependencies drive the
need for and application of information and information technology and thus
the requirements to protect those business functions by protecting
- Vulnerabilities: All systems have vulnerabilities, and to the
extent reasonably feasible, identifying these vulnerabilities is key to
understanding what mitigation may be required. Known classes of vulnerabilities are listed
- Threats: A vulnerability presents risk only when some threat is able
and likely to exploit it. Threat profiles associate the causes of risk with the
vulnerabilities those threats are likely to exploit, thus providing the link
between vulnerabilities and risks.
Typical current threat sources are listed here.
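The dependency / vulnerability / threat linkage above is easy to get wrong by hand once a business function depends on systems that depend on other systems. The following added example (not from the original text) models it as a small graph: each business function lists the systems it directly depends on, each system carries the vulnerability classes found on it, and each threat profile names the vulnerability classes that source tends to exploit plus an estimated likelihood. A risk for a function is then any (threat, system, vulnerability) triple reachable through its transitive dependencies. All names, vulnerability classes and likelihood figures are constructed for illustration.

```python
"""Risk identification as dependencies x vulnerabilities x threats.

Added illustration; the systems, vulnerability classes, threat sources and
likelihood figures below are constructed for the example, not taken from the
original text.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Direct dependencies: business functions on systems, systems on other systems.
DEPENDENCIES: Dict[str, List[str]] = {
    "order-processing": ["web-app"],
    "payroll": ["hr-db"],
    "web-app": ["app-server", "customer-db"],
    "app-server": ["ldap"],
    "customer-db": ["storage"],
    "hr-db": ["storage", "ldap"],
}

# Vulnerability classes known to be present on each system (constructed).
VULNERABILITIES: Dict[str, Set[str]] = {
    "web-app": {"input-validation", "weak-authentication"},
    "app-server": {"unpatched-service"},
    "ldap": {"weak-authentication"},
    "storage": {"no-backup"},
    "customer-db": set(),
    "hr-db": {"excess-privilege"},
}

# Threat profiles: the vulnerability classes each threat source tends to
# exploit and an assumed yearly likelihood (0..1) that it acts at all.
THREAT_PROFILES: Dict[str, Tuple[Set[str], float]] = {
    "external-attacker": ({"input-validation", "weak-authentication",
                           "unpatched-service"}, 0.9),
    "malicious-insider": ({"excess-privilege", "weak-authentication"}, 0.2),
    "hardware-failure": ({"no-backup"}, 0.3),
}


def transitive_dependencies(function: str) -> Set[str]:
    """Every system the function ultimately depends on (depth-first walk)."""
    seen: Set[str] = set()
    stack = list(DEPENDENCIES.get(function, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(DEPENDENCIES.get(node, []))
    return seen


def identify_risks(function: str) -> List[Tuple[str, str, str, float]]:
    """Link each threat to the vulnerabilities it can exploit on systems the
    function depends on. Returns (threat, system, vulnerability, likelihood),
    most likely first. A vulnerability no profiled threat exploits is not a
    risk here, and a threat with no matching vulnerability has no path in."""
    risks: List[Tuple[str, str, str, float]] = []
    for system in transitive_dependencies(function):
        for threat, (exploits, likelihood) in THREAT_PROFILES.items():
            for vuln in VULNERABILITIES.get(system, set()) & exploits:
                risks.append((threat, system, vuln, likelihood))
    return sorted(risks, key=lambda r: (-r[3], r[0], r[1], r[2]))


def exposure_by_threat(function: str) -> Dict[str, int]:
    """Count of exploitable (system, vulnerability) pairs per threat source."""
    counts: Dict[str, int] = defaultdict(int)
    for threat, _system, _vuln, _likelihood in identify_risks(function):
        counts[threat] += 1
    return dict(counts)


if __name__ == "__main__":
    for fn in ("order-processing", "payroll"):
        print(fn, "depends on", sorted(transitive_dependencies(fn)))
        for risk in identify_risks(fn):
            print("   ", risk)
        print("   exposure:", exposure_by_threat(fn))
```

The point of the walk is that "payroll" never touches the web application, yet it inherits the weak-authentication exposure of the shared LDAP service; a risk list built only from a function's direct dependencies would miss that.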
Dealing with Risks:
There are many ways that people deal with risks. Here are some of
the ways that are often used when it comes to information technology.
- Taking Risks: Risks are inherent in the nature of any human
venture. The old saying "nothing ventured, nothing gained" often
applies in information protection; accepting a risk knowingly is itself a decision.
- Insuring Against Risks: Insurance can sometimes be purchased
to mitigate the potential for loss associated with risks that are too
consequential to be otherwise managed.
- Risk Avoidance: Many risks can be avoided by selecting what to
do and how to do it, by good relations with potential threat profile
members, and by selection of location, materials, components, and other
design and implementation decisions.
- Risk Mitigation: Risks can be mitigated by putting safeguards
in place and by using well-known and widely published protective
techniques. Known classes of protective
measures are listed here.
- Strategy and Tactics: Strategic and tactical decision-making
about which threats apply, which vulnerabilities are likely to be exploited
by the applicable threats, changing dependencies, protective methods, and
costs must be made by management. This implies strategic planning and tactical response.
Prevention, Detection, and Reaction
A common way of looking at the information protection process is as
a cycle in which we prevent some things, detect others, limit damage where
appropriate, and respond when we encounter attacks. [Cohen97-5]
Each of these dimensions of protection is quite complex, and when they
interact with each other, the complexity climbs still higher. No technical
or mathematical solution tells us how to mix prevention,
detection, and reaction. At present, we don't even have an economic model
for analyzing the tradeoffs. What we do have are some notions of what
works from a strategic and tactical standpoint.
- Prevention: Preventive methods act
to keep harm from happening. Prevention is sometimes split into deterrence
and safeguards. Deterrence includes things like public prosecutions of
violators, fences that look hard to penetrate, and other things that tend to
keep people from even trying. Safeguards include things like network
firewalls, good computer security practices, and adequate training and
- Detection: Unless we detect attacks,
we cannot hope to respond to them. Historically, network-based detection has
been poor. For example, according to several published sources, on the
Internet fewer than 1 in 100 attacks are detected by those without a strong
detection capability. Similarly, computer viruses are most commonly detected
for the first time by people noticing system misbehavior. There are several
reasons that detection has been poor.
- Reaction: Because we can't be certain
that all detected intrusions are actually attacks, we must be careful about
our reactions. But because attacks can be so highly automated that tens of
thousands of attacks per hour can occur against one system, we cannot spend
a lot of time on each event. Thus we are faced with the dilemma of
automating a reaction that is effective against real attacks and does not
cause collateral damage when the detection is a false positive.
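The detection and reaction dilemma above (act automatically at attack rates no human can follow, yet bound the damage a false positive can do) is usually resolved with a graduated response: alert early, block only after stronger evidence, never block sources that must stay reachable, and let every automated block expire on its own. The following added example (not from the original text) runs that policy over a few constructed authentication log lines. The log format, addresses, thresholds and allowlist are all assumptions made for the illustration.

```python
"""Automated detection with a bounded, graduated reaction.

Added illustration; the log format, addresses, thresholds and allowlist are
constructed for the example and are not from the original text.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# Constructed syslog-style records: "<epoch> auth FAIL|OK src=<ip> user=<name>".
# 203.0.113.7 sprays many accounts; 192.0.2.9 is a user mistyping a password;
# 10.0.0.5 is the (assumed) monitoring host, whose probes also fail to log in.
SAMPLE_LOG = """\
1000 auth FAIL src=203.0.113.7 user=root
1001 auth FAIL src=203.0.113.7 user=admin
1002 auth FAIL src=203.0.113.7 user=oracle
1003 auth OK src=198.51.100.2 user=alice
1004 auth FAIL src=203.0.113.7 user=test
1005 auth FAIL src=203.0.113.7 user=guest
1006 auth FAIL src=203.0.113.7 user=backup
1010 auth FAIL src=192.0.2.9 user=bob
1011 auth FAIL src=192.0.2.9 user=bob
1012 auth FAIL src=192.0.2.9 user=bob
1013 auth FAIL src=192.0.2.9 user=bob
1020 auth FAIL src=10.0.0.5 user=probe
1021 auth FAIL src=10.0.0.5 user=probe
1022 auth FAIL src=10.0.0.5 user=probe
1023 auth FAIL src=10.0.0.5 user=probe
1024 auth FAIL src=10.0.0.5 user=probe
1400 auth FAIL src=192.0.2.9 user=bob
"""

LINE_RE = re.compile(r"^(\d+) auth (FAIL|OK) src=(\S+) user=(\S+)$")


@dataclass
class Policy:
    window: int = 60        # seconds of history considered per source
    alert_after: int = 3    # failures in window -> alert a human, no block
    block_after: int = 5    # failures in window -> automated block
    block_ttl: int = 300    # seconds; a false positive costs at most this long
    allowlist: frozenset = frozenset({"10.0.0.5"})  # never auto-blocked


@dataclass
class Responder:
    policy: Policy = field(default_factory=Policy)
    history: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    blocked_until: Dict[str, int] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)

    def is_blocked(self, src: str, now: int) -> bool:
        # Blocks are not stored as permanent state; they simply lapse.
        return self.blocked_until.get(src, -1) > now

    def observe(self, line: str) -> Optional[str]:
        """Feed one log line; return the action taken, if any."""
        m = LINE_RE.match(line)
        if not m:
            return None  # unparseable input is never a reason to act
        ts, result, src = int(m[1]), m[2], m[3]
        if result != "FAIL":
            return None
        window = self.history[src]
        window.append(ts)
        while window and window[0] < ts - self.policy.window:
            window.popleft()  # only recent failures count
        n = len(window)
        if n >= self.policy.block_after and not self.is_blocked(src, ts):
            if src in self.policy.allowlist:
                action = f"ALERT-ONLY {src} ({n} failures, allowlisted)"
            else:
                self.blocked_until[src] = ts + self.policy.block_ttl
                action = f"BLOCK {src} until {ts + self.policy.block_ttl}"
        elif n == self.policy.alert_after:
            action = f"ALERT {src} ({n} failures in {self.policy.window}s)"
        else:
            return None
        self.actions.append(action)
        return action


def run(log: str, policy: Optional[Policy] = None) -> Responder:
    """Replay a whole log through a fresh responder."""
    responder = Responder(policy or Policy())
    for line in log.splitlines():
        responder.observe(line)
    return responder


if __name__ == "__main__":
    for action in run(SAMPLE_LOG).actions:
        print(action)
```

Three properties of this design do the work: the sliding window means the legitimate user's four failures, followed by a fifth minutes later, never accumulate into a block; the allowlist keeps the monitoring host reachable even though its behaviour looks identical to the spray; and the TTL caps the cost of any wrong decision at `block_ttl` seconds rather than requiring a human to notice and undo it.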