RISK EVALUATION AND LOSS ANALYSIS IN THE BANKS
Rosen Kirilov
BULGARIAN ACADEMY OF SCIENCES
CYBERNETICS AND INFORMATION TECHNOLOGIES
Volume 6, No 2
Sofia 2006
One of the chapters of the article "EFFECTIVENESS OF THE INFORMATION SECURITY IN THE BANKS" (pp. 80-85)
      This chapter covers security risk evaluation and loss analysis in a business context. We consider a range of security threats, their potential origin and action, and consider the severity of their effects on our day-to-day operations. We outline the cornerstones of a sound security policy and explain the basic principles of loss analysis, should a real security incident take place.
      All businesses, whether they are large or small, are operating in an increasingly global environment. Advances in communications and transportation networks in the last century have brought customers and markets closer together, and it is now possible, at relatively minimal cost, to ship products to buyers in all corners of the world. In this international context, executives and managers must consider the range of threats to their enterprises. Since the late 1990s, there has been an increase in violent attacks all over the world, including the World Trade Center attack in 2001. In response, there has been a heightened awareness of physical security needs: the need to police the space around buildings, to control access to buildings, to design sound policies for evacuation in the event of a disaster, and to develop stronger points of contact with the local and federal authorities. On the technological front, there is a corresponding need to survey the threats to computing equipment (hardware), the applications and databases that reside on that equipment (software), and the networks that connect groups, both internally and with the outside world. In a business environment, raw data such as customer records or credit card information are valuable to competitors and computer criminals and require special attention. In addition, for more advanced enterprises, intellectual property, including scientific research or unique business processes, has high value and also requires special security measures. As the world becomes an increasingly competitive place, the theft of both raw data and intellectual property assets via computer is on the rise. A combination of preventive maintenance, backed by the attitude and investment of the executive team, employee training and vigilance, and clear communications throughout the organization will help reduce the threats of physical and cyber security breaches.
      The first step in improving the security of your system is to answer these basic questions:
- What am I trying to protect and how much is it worth to me?
- What do I need to protect against?
- How much time, effort, and money am I willing to expend to obtain adequate protection?
      The information needed to answer these questions will be found through conversations with employees (especially the IT staff), managers, and executives of the company. It will be useful to evaluate customer and supplier feedback on other issues, as this may lead to revelations on security issues. Finally, the team gathering the information should be familiar with media reports about the company. Public perceptions may also be instructive, especially if the company is involved in a controversial industry, is located near a hot spot of activity, or has appeared in prominent publications on a regul
     These questions form the basis of the process known as risk assessment. Risk assessment is a very important part of the computer security process. You cannot formulate protections if you do not know what you are protecting and what you are protecting those things against! After you know your risks, you can then plan the policies and techniques that you need to implement to reduce those risks. For example, if there is a risk of a power failure and if availability of your equipment is important to you, you can reduce this risk by installing an uninterruptible power supply (UPS).
      Risk assessment involves three key steps:
- identifying assets and their value;
- identifying threats;
- calculating risks.
      There are many ways to go about this process. One method with which we have had great success is a series of in-house workshops. Invite a broad cross-section of knowledgeable users, managers, and executives from throughout your organization.
      Over the course of a series of meetings, compose your lists of assets and threats. Not only does this process help to build a more complete set of lists, it also helps to increase awareness of security in everyone who attends. An actuarial approach is more complex than necessary for protecting a home computer system or a very small company. Likewise, the procedures that we present here are insufficient for a large company, a government agency, or a major university. In cases such as these, many companies turn to outside consulting firms with expertise in risk assessment, some of which use specialized software to do assessments.
      1. Identifying assets
      Draw up a list of items you need to protect. This list should be based on your business plan and common sense. The process may require knowledge of applicable law, a complete understanding of your facilities, and knowledge of your insurance coverage. Items to protect include tangibles (disk drives, monitors, network cables, backup media, manuals) and intangibles (ability to continue processing, your customer list, public image, reputation in your industry, access to your computer, your system’s root password). The list should include everything that you consider of value. To determine if something is valuable, consider what the loss or damage of the item might be in terms of lost revenue, lost time, or the cost of repair or replacement.
      2. Identifying threats
      The next step is to determine a list of threats to your assets. Some of these threats will be environmental, and include fire, earthquake, explosion, and flood. They should also include very rare but possible events such as building structural failure, or discovery of asbestos in your computer room that requires you to vacate the building for a prolonged time. Other threats come from personnel, and from outsiders.
      3. Review risks
      Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically, at least once a year, and any time there is a major change in personnel, systems, or the operating environment. In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.
      4. Loss analysis
      Determining the cost of losses can be very difficult. A simple cost calculation considers the cost of repairing or replacing a particular item. A more sophisticated cost calculation can consider the cost of having equipment out of service, the cost of added training, the cost of additional procedures resulting from a loss, the cost to a company’s reputation, and even the cost to a company’s clients. Generally speaking, including more factors in your cost calculation will increase your effort, but will also increase the accuracy of your calculations. For most purposes, you do not need to assign an exact value to each possible risk. Normally, assigning a cost range to each item is sufficient. Some items may actually fall into the category of irreparable or irreplaceable; these could include loss of your entire accounts-due database, or the death of a key employee. You may want to assign these costs based on a finer scale of loss than simply “lost/not lost.” For instance, you might want to assign separate costs for each of the following categories:
- non-availability over a short term (< 7-10 days);
- non-availability over a medium term (1-2 weeks);
- non-availability over a long term (more than 2 weeks);
- permanent loss or destruction;
- accidental partial loss or damage;
- deliberate partial loss or damage;
- unauthorized disclosure within the organization;
- unauthorized disclosure to some outsiders;
- unauthorized full disclosure to outsiders, competitors, and the press;
- replacement or recovery cost.
      5. The probability of a loss
      After you have identified the threats, you need to estimate the likelihood of each occurring. These threats may be easiest to estimate on a year-by-year basis. Quantifying the threat of a risk is hard work. You can obtain some estimates from third parties, such as insurance companies. If the event happens on a regular basis, you can estimate it based on your records. Industry organizations may have collected statistics or published reports. You can also base your estimates on educated guesses extrapolated from past experience.
      6. The cost of prevention
      Finally, you need to calculate the cost of preventing each kind of loss. For instance, the cost to recover from a momentary power failure is probably only that of personnel “downtime” and the time necessary to reboot. However, the cost of prevention may be that of buying and installing a UPS system. Costs need to be amortized over the expected lifetime of your approaches, as appropriate. Deriving these costs may reveal secondary costs and credits that should also be factored in. For instance, installing a better fire-suppression system may result in a yearly decrease in your fire insurance premiums and give you a tax benefit for capital depreciation. But spending money on a fire-suppression system means that the money is not available for other purposes, such as increased employee training or even investments.
      7. Adding up the numbers
      At the conclusion of this exercise, you should have a multidimensional table consisting of assets, risks, and possible losses. For each loss, you should know its probability, the predicted loss, and the amount of money required to defend against the loss. If you are very precise, you will also have a probability that your defense will prove inadequate.
      The process of determining whether each defense should or should not be employed is now straightforward. Multiply each expected loss by the probability of its occurring as a result of each threat. Sort these in descending order, and compare each cost of occurrence to its cost of defense. This comparison results in a prioritized list of things you should address. The list may be surprising. Your goal should be to avoid expensive, probable losses before worrying about less likely, low-damage threats. In many environments, fire and loss of key personnel are much more likely to occur, and are more damaging, than a break-in over the network. Surprisingly, however, it is break-ins that seem to occupy the attention and budget of most managers. This practice is simply not cost-effective, nor does it provide the highest levels of trust in your overall system.
      To figure out what you should do, take the figures that you have gathered for avoidance and recovery and determine how best to address your high-priority items. Add the cost of recovery to the expected average loss, and multiply that sum by the probability of occurrence. Then compare the final product with the yearly cost of avoidance. If the cost of avoidance is lower than the risk you are defending against, you would be advised to invest in the avoidance strategy if you have sufficient financial resources. If the cost of avoidance is higher than the risk that you are defending against, then consider doing nothing until after other threats have been dealt with.
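A worked version of the calculation described in steps 5 to 7, added here as an example and not taken from the article: the table rows, the figures and the asset names are constructed, and the `defense_failure` column stands for the probability, mentioned above, that a defense proves inadequate.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the assets / threats / losses table."""
    asset: str
    threat: str
    probability: float      # estimated yearly likelihood of the threat (0..1)
    expected_loss: float    # predicted average loss when the threat occurs
    recovery_cost: float    # cost of recovering after the loss
    avoidance_cost: float   # yearly (amortized) cost of the defense
    defense_failure: float = 0.0  # probability the defense proves inadequate


def annual_exposure(r: Risk) -> float:
    """(cost of recovery + expected average loss) x probability of occurrence."""
    return (r.recovery_cost + r.expected_loss) * r.probability


def residual_exposure(r: Risk) -> float:
    """Exposure that remains if the defense is bought but turns out inadequate."""
    return annual_exposure(r) * r.defense_failure


def worth_avoiding(r: Risk) -> bool:
    """Invest when the yearly cost of avoidance is below the risk it defends against."""
    return r.avoidance_cost < annual_exposure(r)


def prioritize(risks):
    """Rank rows by yearly exposure: expensive, probable losses first."""
    return sorted(risks, key=annual_exposure, reverse=True)


def decide(risks):
    """Return (threat, yearly exposure, invest?) tuples in priority order."""
    return [(r.threat, round(annual_exposure(r), 2), worth_avoiding(r))
            for r in prioritize(risks)]


# Constructed sample figures (not from the article), all in the same currency unit.
SAMPLE = [
    Risk("server room", "fire", 0.02, 500_000, 100_000, 8_000, 0.05),
    Risk("IT staff", "loss of key employee", 0.10, 80_000, 20_000, 15_000, 0.20),
    Risk("customer database", "network break-in", 0.05, 40_000, 10_000, 30_000, 0.10),
    Risk("servers", "momentary power failure", 0.50, 2_000, 500, 600, 0.01),
]

if __name__ == "__main__":
    for threat, exposure, invest in decide(SAMPLE):
        print(f"{threat:26s} exposure/yr {exposure:>10.2f}  invest: {invest}")
```

With these constructed numbers the fire and the loss of a key employee rank above the network break-in, which is the point the text makes, while only the defenses whose yearly cost is below the exposure (fire suppression and the UPS) are flagged for investment.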