CompTIA Security+ SYO-401

Introduction to Importance of Risk Tutorial

1 Introduction to Importance of Risk-Related Concepts

We have to deal with various kinds of risks in our daily life, and computer security is no exception. Hence, we need to manage risks well to minimize their impact. Certain controls and privacy policies for the network and for the company are the means to protect the most valuable entity, our data. Now, let's begin this lesson with the objectives in the next screen. After completing this lesson, you will be able to:

• Describe different control types and classes
• Explain the steps involved in managing risks
• Understand the importance of reducing risk
• Judge the impact of risk on business

2 Control Types

In this topic, we will learn the different types of control. In the first lesson, we learned some of the rule-based management control types. Now, we will take a broader view of control types. Control types are the different methods put in place to minimize the impact of risks. They help you assess the possibility and likelihood of risks. The three control types are Technical, Management, and Operational. There is a fourth control type, Physical control, which is not always considered a control type.

Technical control types are also known as Logical controls. They are used to manage network access and software resources, and to provide them with the required protection. Examples of Technical controls include firewalls, encryption devices, passwords, biometrics, Access Control Lists, routers, Intrusion Detection Systems, and similar entities. Additionally, RBAC and the other security measures discussed in Lesson 1 are all considered control types. Technical controls are controls implemented using technology. They enforce the control classes, which will be discussed later in this lesson.

The Management control type is administrative in nature. It involves policies, guidelines, procedures, and other practices that are implemented on paper and through agreements. It helps minimize and prevent risks, and the damage these risks cause. Some examples are risk assessments, planning, system and service acquisition, certification, and security assessment. Management or administrative controls are the definitions of security policies.

Operational controls are part of the day-to-day activities, and are required to make operations work. For example, if a disaster hits your network or your premises, this type decides the controls to be set for damage control. Thus, operational controls ensure that operations function every day. Some examples of operational controls are backup, personnel security, environmental protection, contingency planning, configuration management, maintenance, media protection, and incident response. Awareness and training also fall under the operational control type.

Physical control types are physical in nature. They can be fences, mantraps, and other physical security controls that help alleviate possible risks or the damage caused by those risks. Can you identify physical control types around you? Personnel such as security guards are examples of physical control types.

3 Control Classes

In this topic, we will study the different control classes. Control Classes classify security controls based on their usage, and fall under the control types. Once a control type is defined, it can be further classified by its function. Control Classes define the type of action taken by the security control. The different control classes are deterrent, preventative, corrective, detective, and compensating. Each of these classes can belong to any of the four previously described control types. Let's study each of them in detail.

Deterrent Controls

Deterrent controls are measures that dissuade a person from causing a risk. For example, security cameras are detective controls, but dummy cameras can act as a deterrent through the fear of getting caught. A deterrent control does not guarantee that a risk is stopped, but it discourages the person from causing the risk, so the exploit or attack is less likely to be executed. The threat of termination can also be a deterrent: it encourages people to follow security and IT policies or face dire consequences. Another example of a deterrent control is a scarecrow in a field. It does not guarantee that birds stay away, but it creates the appearance of a human, which chases the birds off.

Preventative Controls

Preventative controls stop security breaches or risks before they become incidents. For example, physical controls such as a cable lock or other locks that secure a machine like a laptop are preventative physical controls. Preventative is similar to deterrent, but a preventative control is designed to actually stop the theft or risk, whereas a deterrent control tries to discourage the risk without taking any action to eliminate it.

Corrective Controls

Corrective controls are used to correct a security incident. They can restore systems to their original state. They react after a breach has taken place and are an attempt to recover to the normal working state. Backups can be considered corrective controls.

Detective Controls

Detective controls are used as investigative controls. Security cameras can be used as detective controls. Audit logs and IDS are also considered detective controls, belonging to different control types. Detective controls are usually passive controls that do not react to risks.

Compensating Controls

Compensating controls are designed to compensate for a risk. They allow security to be arranged in recognition of a risk, and they act after another control is already in place.

4 Risk Management

In this topic, we will learn about managing risks.

False Positive

Before discussing risk and risk management, we need to understand the concepts of False Positive and False Negative. A false positive occurs when a control or test is run, the expected result is failure, but the actual outcome is success, or positive. False positives and negatives must be considered when using control devices such as biometric locks. Let's take an example. The biometric scanners on locks are meant to allow only authorized people into the secured premises. However, if an unauthorized individual places his finger on the scanner repeatedly, there is a chance the scanner triggers a false positive and allows the individual into the facility. It is important to note that false positives can be a risk in themselves. You want to determine how likely a device is to trigger a false positive before implementing it within the network or premises.

False Negative

False negatives are the opposite of false positives, and are often less damaging, but it is important to consider all aspects before implementing a device within the network or premises. A false negative occurs when a control or test is run, the expected result is success, but the actual outcome is negative, or failure. Let's again consider the example of a biometric scanner on a lock. Here, an authorized individual repeatedly places his finger on the scanner and is denied several times. Finally, the scanner successfully reads the finger and lets the individual into the premises. Most devices that can produce false positives and false negatives can be configured to minimize both kinds of error. You need to determine an acceptable level for each solution before installing the device, and ensure the device does not exceed that level once configured. Let's now move on to risk management policies and security techniques.
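Returning to the biometric lock for a moment, here is an added example (not part of the Simplilearn lesson) that classifies scanner trials into false positives and false negatives and checks the measured rates against the acceptable level you set before installing the device; the trial records and the threshold values are constructed for illustration.

```python
"""Check a biometric lock's false-positive and false-negative rates against
the acceptable level decided before deployment (added illustration)."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Trial:
    """One scan attempt: whether the person was actually authorized, and
    whether the scanner accepted them."""
    authorized: bool
    accepted: bool


def classify(trial: Trial) -> str:
    """Name the outcome of one trial.

    A false positive is the lesson's first biometric example: an
    unauthorized person is let in. A false negative is the second:
    an authorized person is denied.
    """
    if trial.accepted:
        return "true_positive" if trial.authorized else "false_positive"
    return "false_negative" if trial.authorized else "true_negative"


def error_rates(trials: Iterable[Trial]) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate).

    The false-positive rate is measured over unauthorized attempts only,
    and the false-negative rate over authorized attempts only, so the two
    kinds of error are judged independently of each other.
    """
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for trial in trials:
        counts[classify(trial)] += 1
    unauthorized = counts["false_positive"] + counts["true_negative"]
    authorized = counts["true_positive"] + counts["false_negative"]
    fpr = counts["false_positive"] / unauthorized if unauthorized else 0.0
    fnr = counts["false_negative"] / authorized if authorized else 0.0
    return fpr, fnr


def within_acceptable_level(trials: Iterable[Trial],
                            max_fpr: float, max_fnr: float) -> bool:
    """True only if both measured rates stay within the levels you set."""
    fpr, fnr = error_rates(list(trials))
    return fpr <= max_fpr and fnr <= max_fnr


# Constructed sample of 20 scans: 10 unauthorized attempts, one of which was
# wrongly accepted; 10 authorized attempts, two of which were wrongly denied.
SAMPLE_TRIALS = (
    [Trial(authorized=False, accepted=False)] * 9
    + [Trial(authorized=False, accepted=True)]
    + [Trial(authorized=True, accepted=True)] * 8
    + [Trial(authorized=True, accepted=False)] * 2
)

if __name__ == "__main__":
    fpr, fnr = error_rates(SAMPLE_TRIALS)
    print(f"false positive rate {fpr:.0%}, false negative rate {fnr:.0%}")
    # A 1% false-positive ceiling is exceeded: a false positive lets an
    # unauthorized person in, so this device should not be deployed as-is.
    print("acceptable:", within_acceptable_level(SAMPLE_TRIALS, 0.01, 0.25))
```

Because the two rates are computed over different populations, tightening one ceiling does not hide a problem with the other, which is the point of deciding both levels before the device goes in.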
Risk management and security techniques involve the proper implementation and use of policies that help businesses. Do you think policies and security techniques can stop risks? Every business has policies, and if utilized correctly, they can completely negate a risk or at least minimize its impact on the business. Policies are used to define what can be done, with what resources, at what time, and for what reasons. Violation of policies may lead to legal consequences or termination of employment. Many policy violations attract hefty legal penalties for the offender. We all use computers. Did you find any policies while operating them? There are logical policies that define the permissible actions for a machine or system. Similarly, every business has privacy policies. Let's discuss them in detail.

Privacy policies are internal documents that can be used when collaborating with any contractor. They define the controls required to implement and maintain the sanctity of data privacy within your network. Privacy policies are living documents. They should include a disclaimer stating that the policies will change with developments over time. It is important that users change along with the privacy policies. These policies can be enforced before accessing any servers or web pages, or when installing software in the network environment. When you install software and click "I accept" on the privacy policy, you agree to the stated terms and conditions, and thereby pledge to maintain the security of the accessed data. Privacy policies should be used within a company to make people legally liable for maintaining the security of the data they access.

Acceptable Use Policies, or AUPs, clearly define how employees or contractors in an organization are allowed to use business machines and resources. This includes both hardware and software. These policies also detail the consequences of misusing the resources. This policy defines which personally owned software or hardware is allowed within the premises. Many organizations won't allow personal removable media to copy or store company data, as it can cause data loss, leakage, or breach. Important sections of an Acceptable Use Policy are as follows:

- Acceptable Use of E-mail: Clearly defines acceptable email; the purpose of company email addresses; who may be sent email; and how to store, delete, and manage emails.
- Acceptable Use of the Internet: Clearly states the permitted use of Internet web browsing, and the types of browsing not allowed. Many organizations prohibit social media, peer-to-peer sites, forums, or websites that support chat.
- Acceptable Use of Laptops and Mobile Devices: Clearly states the use of mobile devices and laptops for remote users, or users who work from home during abnormal hours. It is important that an acceptable use policy covers these devices, because it is hard to control their use and at the same time ensure the data is secured in case of loss or theft.

5 Security Policy

Security policies define the security measures and controls that are in place to prevent risks. Such policies include the set of steps for implementing security measures, and explain the different controls and control classes. One form of a security policy can be a firewall policy or a secure premises policy.

Have you ever thought that vacations can be beneficial to an organization? Yes! Many people don't realize there are security reasons for mandatory vacations. On the surface, a mandatory vacation policy requires employees to take time off work to feel refreshed, keep their morale up, and return with greater zeal. At the same time, such a policy provides several safeguards for a company. It is a form of peer auditing. When an employee goes on vacation, the company can ensure that if anything ever happens to the employee, there is someone who can keep the business going without any hurdles. This also prevents an employee from covering up malicious activity such as fraud, money laundering, or other illegal activities that the user could conceal if never reviewed by another employee.

Job rotation is a practice that defines which employees must rotate positions, and at what intervals. It is similar to mandatory vacation in that it ensures there are cross-trained employees to perform other job functions, so there is no major outage when an employee is lost. It also ensures that a single employee is not able to take too much control of a project, or given an opportunity to cover up malicious activities.

Separation of Duties is intended to reduce the risk of fraud and prevent losses within the organization. It separates job roles and requires more than one person to accomplish a task. For instance, the person who takes an order from a customer is not the same person who performs the work. Committing any sort of fraud would then require an agreement between two parties, because the separation creates a series of checks and balances. These checks and balances ensure that if a mistake is made, it is caught by the next person in the line of duties. In the banking industry, this is often done to avoid salami attacks: attacks that go unnoticed individually but add up to a huge loss, for example shaving a few cents from many accounts. Separation of Duties can be implemented by enforcing the Least Privilege Policy.

We discussed that least privilege is the best practice for ensuring people are granted only the permissions essential to accomplish the task at hand. Similarly, the Least Privilege Policy defines how permissions will be configured on the operating systems in question. The process of applying least privilege should always adhere to the specifications defined in the Least Privilege Policy.

6 Importance of Reducing Risk

In this topic, you will learn the importance of reducing risk. Before starting, you should understand what risk is. Risk is defined as anything that causes a loss, a compromise, a vulnerability, or a possible exploitation of your system. Risk can also be a system outage, or a device that no longer works because of age. It can also be the risk posed by a malicious internal or external user. Disgruntled or ignorant employees can also cause risk.

So, what are the steps to reduce risk? As a Security Administrator, you have to evaluate the potential risk within your environment, and put safeguards in place to mitigate it by assessing and implementing the previously discussed controls and methods of protection. We will discuss these in greater detail later in this lesson. For now, just understand that controls and policies are necessary to address risks efficiently. A risk turns into an incident if the threat becomes a reality. An incident may be termed a possible financial loss to the company. Policies are the first line of defense to ensure the whole network is streamlined. Moreover, policies see that users are educated and protected from looming risks. Risk generally comes from accidental or disgruntled user behavior.

We learned about reducing risk. But how can we calculate it? Let's explore the procedure for calculating risk. Risk is the danger or likelihood of an incident being successful. Threats are defined as the dangers associated with a risk. But what is the source of such potential attacks? This can be weighed against the likelihood of an attack. Vulnerability means a system is weak, flawed, or has a loophole in its security. Single Loss Expectancy, Annualized Rate of Occurrence, and Annualized Loss Expectancy are parts of risk calculation and assessment. Risk can be calculated with the following equation:

SLE x ARO = ALE

We will break down this equation in the next few sections.

Likelihood

Some risks have a greater likelihood of occurrence. While evaluating risks, a company may accept some risks based on their likelihood, or the damage or impact they cause.

ALE

Annual Loss Expectancy indicates how often you expect to lose a service, product, or device in a year based on the age of an item or its known life expectancy. It is the monetary value used to measure the loss you expect in a year.

Impact

Impact is the effect the risk will have on your environment and on production when the risk occurs. It includes the production outage and the money you expect to lose. When you determine the Annual Loss Expectancy, the expected impact is also known. You have to consider the impact of a risk when you decide how to mitigate it.

7 Single Loss Expectancy

Single Loss Expectancy, or SLE, is the monetary loss from a single occurrence of a risk. In some scenarios, you can expect to lose a service, device, or connection multiple times a year. You can determine the SLE using the following equation:

SLE = V x EF%

Here, V is the value of the service, function, or item, and EF is the Exposure Factor: the percentage of that value you expect to lose in a single occurrence of the threat. Let's consider an example. You have a router costing $3000, and for some reason it stops functioning due to a temporary outage. This means you would incur a 2% loss on $3000, and your SLE is $60, which is 3000 multiplied by 2%.

Annual Rate of Occurrence is how often you expect a risk to occur in a year. Let's consider the same router. If we expect the router outage 5 times a year, then we multiply the SLE by the ARO. In this case, 60 multiplied by 5 equals 300, which makes the Annual Loss Expectancy $300. Therefore, Annual Loss Expectancy is the product of Single Loss Expectancy and Annual Rate of Occurrence. There are several ways to determine the Annual Rate of Occurrence. Some vendors provide lifetime expectation documentation for their products. It can also be determined from network baselines or past experience.

MTTR is Mean Time to Recovery. It is the average time a device takes to recover from a failure. This is important for Backup Contingency and Data Recovery. Vendors often list the average life span in their documentation, which helps in calculating the downtime due to device failure. When a device goes down, there is a loss of revenue based on its impact on the functioning of other devices. This is in addition to the expenditure for replacing the device or technology, and employees may not be able to learn the new technology quickly. When calculating the MTTR, you want to be accurate to get the expected downtime. The shorter the downtime, the lesser the impact on your company.

Mean Time to Failure, or MTTF, is the amount of time a device is expected to last before a production failure. The manufacturer usually reports this number. You can use this information together with MTBF, which we will discuss in the next screen. The primary difference between the two is that MTBF is recoverable, whereas MTTF is not.

Mean Time Between Failures, or MTBF, is the time between two failures of a device or network. Let's consider an example. Device A fails at 16:00 hours, the engineers fix the errors, and it starts working again at 16:45. But the device fails again at 17:45. So the MTBF is 1 hour and 45 minutes, which is the precise time between the two failures. This is not the total lifespan of the device. Some devices have both an MTBF and an MTTF, while others only have an MTTF. This describes how often you can expect a failure when performing the risk assessment.

8 Impact of Risk

In this topic, you will learn how to judge the impact of a risk. Qualitative and Quantitative are the two methods for judging the impact of a risk. These methods put a value on a device or function within the job role to determine the impact on maintaining business continuity. Now let's see the difference between the two methods. Qualitative risk analysis assigns subjective and intangible values to the loss of an asset, whereas quantitative risk analysis assigns real dollar figures. Qualitative risk analysis is more scenario-based than calculator-based. It determines the risk and mitigation techniques without calculating a dollar figure. The quantitative method results in concrete probability percentages. For qualitative analysis, you create a scale and rate a threat using numbers on the scale. According to the formula for calculating qualitative risk, risk is the product of probability and loss. For quantitative analysis, you report dollar figures for the levels of risk, potential loss, cost of countermeasures, and value of safeguards.

There are six major phases in Quantitative Risk Analysis:

1. Inventory the assets and assign each a value, denoted AV.
2. Research every asset thoroughly and prepare a list of the possible threats looming over each one. Also calculate the EF and SLE for each listed asset.
3. Perform a threat analysis and calculate the ARO.
4. Calculate the ALE and identify the total loss potential for every threat.
5. Select measures to overcome every listed threat. Once done, calculate the changes in ARO and ALE resulting from the applied measures.
6. Identify the cost or benefit of applying each measure to overcome each threat, for every asset.
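The phases above and the earlier SLE, ARO, ALE and MTBF sections, carried through in Python with the lesson's router ($3000 asset, 2% exposure, 5 outages a year), as an added example that is not part of the lesson. The phase-six arithmetic (ALE before the measure minus ALE after it minus the measure's yearly cost) and the MTBF-from-timestamps helper are this example's assumptions, and the candidate safeguard figures are constructed.

```python
"""Quantitative risk analysis with the lesson's symbols: AV, EF, SLE, ARO,
ALE, plus MTBF from failure times (added illustration, not lesson code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Sequence


@dataclass(frozen=True)
class Threat:
    asset: str
    asset_value: float      # AV, in dollars (phase 1)
    exposure_factor: float  # EF as a fraction: 2% -> 0.02 (phase 2)
    aro: float              # expected occurrences per year (phase 3)


@dataclass(frozen=True)
class Safeguard:
    """A measure against a threat: what it costs per year and the ARO
    expected once it is in place (phase 5)."""
    name: str
    annual_cost: float
    aro_after: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """SLE = V x EF, the lesson's single-loss equation."""
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """ALE = SLE x ARO, the lesson's risk-calculation equation (phase 4)."""
    return single_loss * aro


def threat_ale(t: Threat) -> float:
    return ale(sle(t.asset_value, t.exposure_factor), t.aro)


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Phase-6 cost/benefit of a measure, assumed here as
    ALE(before) - ALE(after) - annual cost. Positive means the measure
    saves more than it costs; negative means it is not worth applying."""
    before = threat_ale(t)
    after = ale(sle(t.asset_value, t.exposure_factor), s.aro_after)
    return before - after - s.annual_cost


def best_safeguard(t: Threat, options: Sequence[Safeguard]) -> Safeguard:
    """Pick the measure with the highest net value. Doing nothing (cost 0,
    ARO unchanged) is always a candidate, so a losing measure is never chosen."""
    do_nothing = Safeguard("do nothing", 0.0, t.aro)
    return max([do_nothing, *options], key=lambda s: safeguard_value(t, s))


def mtbf_minutes(failure_times: Sequence[str]) -> float:
    """Mean time between consecutive failures, measured the way the lesson
    does: from the start of one failure to the start of the next
    (16:00 -> 17:45 = 105 minutes)."""
    stamps = sorted(datetime.strptime(s, "%H:%M") for s in failure_times)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)


# The lesson's router: $3000, 2% exposure per outage, 5 outages a year.
ROUTER = Threat("edge router", asset_value=3000.0, exposure_factor=0.02, aro=5)

# Constructed candidate measures against the router outage threat.
OPTIONS = [
    Safeguard("annual support contract", annual_cost=150.0, aro_after=1),
    Safeguard("cold spare router", annual_cost=400.0, aro_after=0.5),
]

if __name__ == "__main__":
    print(f"SLE = ${sle(3000, 0.02):.2f}")     # $60.00
    print(f"ALE = ${threat_ale(ROUTER):.2f}")   # $300.00
    for s in OPTIONS:
        print(f"{s.name}: net value ${safeguard_value(ROUTER, s):.2f}")
    print("choose:", best_safeguard(ROUTER, OPTIONS).name)
    print(f"MTBF = {mtbf_minutes(['16:00', '17:45']):.0f} minutes")
```

The cold spare cuts the ARO the most but costs more per year than the $300 ALE it protects, so the comparison rejects it; that is the trade-off phase six is meant to surface.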
Qualitative analysis consists of the following techniques:

- Brainstorming: Collects instinctive reactions or ideas from your team, an individual, or a group of people.
- Delphi technique: Individuals in the group cast a blind vote, and the method with the most votes gets the nod.
- Storyboarding: Concepts and timelines are presented with pictures.
- Focus Groups: Information on a topic is gathered by studying, researching, and posting questions in discussion groups.
- Surveys: Widen your horizon to get information from any source.
- Questionnaires: Primarily a series of questions.
- Checklists: To-do lists for every process, task, or storage.
- One-on-one meeting: A meeting between two individuals to discuss the subject in question.
- Interview: Face-to-face interaction with experts, or with people who have experienced the event or situation.

As stated earlier, vulnerability means a system is weak, flawed, or has a loophole in its security. While doing risk assessment and threat management, it is important that you identify such threats or vulnerabilities. Identifying threats and vulnerabilities allows you to measure the risk involved, and then put appropriate policies and procedures in place. Moreover, you can begin implementing countermeasures against the identified risks. To minimize vulnerabilities, ensure that you implement measures such as system hardening, physical security, security controls on data, and administrative controls such as policies and standards. Some known threats that can be exploited if there are no proper countermeasures are theft, internal hacking, external hacking, hardware failures, and fraud. Not all vulnerabilities, threats, or risks are malicious in nature, but all of them can have a severe impact on your company.

A threat vector is a medium through which an attacker poses a threat. A link, a fake email, or an insecure computer can all be considered threat vectors. A threat vector can be used by an attacker against you to compromise or take advantage of vulnerabilities. People can be threat vectors to organizations when attackers use social engineering to compromise the sanctity of your data. We previously discussed the likelihood of threats while reviewing how to calculate costs and qualitative ratings. Likelihood is important because it needs to be compared to the cost of securing against the threat. It helps determine the cost of the loss if a risk is realized. If there isn't the potential for a huge loss, and the likelihood of the threat is not large, then it may not be worth spending thousands of dollars on controls against that threat.

9 Risk Reducing Concepts

You can perform different types of risk analysis, and every risk can be reduced using different risk-reducing concepts. These include risk avoidance, risk transference, risk acceptance, risk mitigation, and risk deterrence. Now, let's learn more about each risk-reducing concept.

Risk Avoidance

Once a risk is identified, you can decide not to engage in the actions that incur that risk. For example, if browsing the web creates too much risk for your company, one option is to not allow web browsing within your company.

Risk Transference

Risk transference is transferring the cost of a risk to a third party. Insurance is a form of risk transference. An insurance company shares the risk with your company, and in case of a compromise, covers the cost of the vulnerability and threat within certain guidelines.

Risk Acceptance

Sometimes business operations necessitate accepting risks. This means you carry on the day-to-day business knowing that, even with mitigation and other techniques, there is still risk involved. You accept the chance that a threat or vulnerability will have an impact on the network or environment, but continue to work.

Risk Mitigation

Risk mitigation is accomplished when you take steps to reduce risk. This category includes installing antivirus software, firewalls, or other measures that do not completely prevent the risk but minimize the vulnerability or the impact the risk has on the system. You still allow web browsing, but you have measures in place to protect against the viruses associated with that risk, or firewalls to prevent intrusions. This does not completely prevent threats, but it is a way to contain the risk on a network.

Risk Deterrence

Risk deterrence means knowing what keeps an attacker or other person from attempting to enter the network. While this does not prevent the risk, it makes an attacker think twice before taking action. Security guards or visible cameras are often used for risk deterrence.

You also need to be aware of the risks involved in cloud computing and virtualization. These must be planned carefully, with agreements and policies. You need to specifically point out which risks are your responsibility, and which are the responsibility of the cloud provider. Even when a risk is the provider's responsibility, you can still suffer a loss when a threat or vulnerability is acted upon. You must know which risks they cover, and how they will recover damages or losses in their area of responsibility. Things to consider with cloud computing are the policies and agreements, data ownership, data backups, compliance, privacy, and user risk awareness.

We will now discuss Recovery Time Objective and Recovery Point Objective. These are related to Backup Continuity and Disaster Recovery, and we will review both plans in greater detail in later lessons. They have to be determined alongside MTTF and MTBF. The Recovery Time Objective indicates how much time the company has to recover its operations after a disaster. It works with the RPO to define the functional state. The RPO is a measurement of the loss the organization can expect when a disaster occurs. Some companies expect 100% recovery up to the point of failure. Other companies may only need to recover a week's worth of data or less, within 24 hours of a failure.

11 Summary

• Control types are methods to assess the possibility and likelihood of risks.
• The three control types are Technical, Management, and Operational. There is a fourth control type, Physical control.
• The control classes are deterrent, preventative, corrective, detective, and compensating.
• Policies are used to define what can be done, with what resources, at what time, and for what reasons.
• Risk calculation can be done using the equation SLE x ARO = ALE.
• Qualitative and Quantitative methods are two ways of judging the impact of a risk.
• The different risk-reducing concepts include risk avoidance, transference, acceptance, mitigation, and deterrence.
• RTO and RPO are plans for Backup Continuity and Disaster Recovery.

This concludes the lesson 'Introduction to the Importance of Risk-related Concepts.' The next lesson is 'Summarize the Security Implications of Integrating Systems and Data with Third Parties.'
