How to perform qualitative & quantitative security risk analysis
This article describes two types of risk analysis (quantitative and qualitative) and presents five practical examples of calculating annualized loss expectancy (ALE). It also describes risk handling and countermeasures.
The CIA triad of information security
Confidentiality, integrity and availability, or the CIA triad, is a model designed to guide policies for information security within an organization.
- Confidentiality: Confidentiality is roughly equivalent to privacy. Access must be restricted to only those authorized to view the data in question.
- Integrity: Integrity involves maintaining data consistency; data must not be changed in transit and should be consistent throughout its entire lifecycle.
- Availability: Availability means making sure that the system is up and running, with no downtime caused by hardware or software failure.
How to perform a qualitative risk analysis using DREAD
Five major factors guide qualitative risk analysis:
- Damage: How bad would an attack be?
- Reproducibility: How easy is it to reproduce the attack?
- Exploitability: How much work is it to launch the attack?
- Affected users: How many people will be impacted?
- Discoverability: How easy is it to discover the threat?
Together, these five factors form the DREAD model, which is largely opinion-based. It uses rating values to evaluate the risk level: the threat is rated by answering each question and assigning a rating value to every item.
Example of qualitative security risk analysis using DREAD
Buffer overflow in the software allows an attacker to execute arbitrary code on the system.
Let’s analyze the ratings for each item of the DREAD model.
The rating values represent severity and are expressed as numbers (3 = high, 2 = medium, 1 = low). The risk rating is obtained by adding the rating values for all items and comparing the result with the following table:
Adding all the ratings for this issue gives a sum of 13 (risk rating: high).
Explanation of rating:
- Damage potential can be rated as high since successful exploitation of this issue can cause remote code execution on the system.
- The issue is not reliably reproducible unless reliable exploit code exists (such as a Metasploit Framework exploit); otherwise the attacker may only get a crash.
- Once exploited, this issue can affect all the users on a given system.
- The vulnerability can be quickly discovered and exploited with advanced modern-day fuzzers.
How to perform a qualitative security risk analysis using CVSS
Another approach used for qualitative risk analysis is the Common Vulnerability Scoring System (CVSS). It is composed of three metric groups:
- Base metric: Used to describe exploitability and impact
- Temporal metric: Used to describe characteristics that evolve over the lifetime of a vulnerability
- Environmental metric: Used to describe characteristics that depend on a particular implementation or environment
Example of qualitative security risk analysis using CVSS
Buffer overflow in the software allows an attacker to execute arbitrary code on the system.
Base Score Metrics
AV:L/AC:M/Au:N/C:C/I:C/A:C = Base score 6.9
Explanation of base score
- In most cases, buffer overflows are exploited locally.
- Access complexity is always medium unless exploit code is available, in which case it becomes low.
- Confidentiality, integrity and availability impact are always complete for an overflow that leads to code execution.
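The base-score arithmetic behind the vector above, as an added Python example that is not part of the original article: it parses a CVSS v2 vector, applies the published v2 equations and maps the score to NVD's v2 severity bands. The second vector in the demo is my own assumption of the same bug once exploit code lowers access complexity to AC:L, illustrating the point made above.

```python
# Added example (not from the original article): CVSS v2 base score from a
# vector string such as AV:L/AC:M/Au:N/C:C/I:C/A:C, using the v2 equations.
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # Confidentiality/Integrity/Availability impact
TABLES = {"AV": _AV, "AC": _AC, "Au": _AU, "C": _CIA, "I": _CIA, "A": _CIA}


def parse_vector(vector: str) -> dict:
    """Map each metric to its numeric weight; reject unknown, duplicate or
    missing metrics so a typo cannot silently produce a score."""
    weights = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in TABLES or value not in TABLES[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in weights:
            raise ValueError(f"duplicate metric: {name}")
        weights[name] = TABLES[name][value]
    missing = set(TABLES) - set(weights)
    if missing:
        raise ValueError("missing metrics: " + ", ".join(sorted(missing)))
    return weights


def base_score(vector: str) -> float:
    """CVSS v2: BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176   # no impact at all -> score 0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def severity(score: float) -> str:
    """NVD's qualitative bands for v2 scores (Low 0-3.9, Medium 4-6.9, High 7-10)."""
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"


if __name__ == "__main__":
    for v in ("AV:L/AC:M/Au:N/C:C/I:C/A:C",    # the article's vector (6.9)
              "AV:L/AC:L/Au:N/C:C/I:C/A:C"):   # assumed: same bug, exploit code available
        s = base_score(v)
        print(f"{v} -> {s} ({severity(s)})")
```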
How to perform a quantitative security risk analysis
Quantitative analysis is about assigning monetary values to risk components. The key variables and equations used for conducting a quantitative risk analysis are shown below.
- Exposure Factor (EF): Percentage of the asset’s value lost when the identified threat occurs. It ranges from 0% to 100%.
- Single Loss Expectancy (SLE): Asset Value ✕ Exposure factor.
- Annualized Rate of Occurrence (ARO): Estimated frequency with which a threat will occur within a year. A threat occurring once every 10 years has an ARO of 0.1; a threat occurring 10 times in a year has an ARO of 10.
- Annualized Loss Expectancy (ALE): Single Loss Expectancy ✕ Annualized Rate of Occurrence.
Example 1
The concept is easiest to understand through the example of a stolen corporate laptop. Let’s first describe the threat, vulnerability and risk:
- Threat: Stolen corporate laptop
- Vulnerability: Backup rarely performed
- Risk: Loss of data
Data is the asset. We assess the value of the asset (AV) first: $100,000.
Next, let’s address the single loss expectancy (SLE), which captures the potential loss when the threat occurs once. SLE = AV ✕ EF, where the exposure factor (EF) describes the fraction of the asset lost because of the threat. With EF estimated at 0.3, SLE is $30,000 in our example.
Let’s continue this case. The annualized rate of occurrence (ARO) is the estimated frequency of the threat occurring in one year, and it is used to calculate the annualized loss expectancy (ALE): ALE = SLE ✕ ARO. With ARO estimated at 0.5 (once in two years), ALE is $15,000 ($30,000 ✕ 0.5).
As we can see, risk combines the impact of the vulnerability on the business with the probability of the vulnerability being exploited.
Example 2
Again, we must first describe the threat, vulnerability and risk:
- Threat: Power failure
- Vulnerability: There isn’t any proper power backup
- Risk: Services are unavailable during the power failure, which causes business impact
The asset is the service availability that would be lost for a certain time period; AV is $20,000.
SLE is $5,000 in this example, so the EF works out to 0.25 (EF = SLE/AV).
As before, ALE = SLE ✕ ARO. With ARO estimated at 2 (four times in two years, since power backup is not properly handled), ALE is $10,000 ($5,000 ✕ 2).
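The SLE/EF/ARO/ALE arithmetic for both examples, as an added Python example that is not part of the original article. The scenario values are the ones given above; the `residual_ale` helper is my own extension showing the ALE that remains once a countermeasure lowers the ARO (assuming the control changes frequency only, not the exposure factor).

```python
# Added example (not from the original article): SLE/EF/ARO/ALE arithmetic
# for the two scenarios above, with Decimal so dollar amounts stay exact.
from dataclasses import dataclass
from decimal import Decimal


def single_loss_expectancy(asset_value: Decimal, exposure_factor: Decimal) -> Decimal:
    """SLE = AV x EF. EF is the fraction of the asset lost per incident (0 to 1)."""
    if not Decimal(0) <= exposure_factor <= Decimal(1):
        raise ValueError(f"EF must be between 0 (0%) and 1 (100%), got {exposure_factor}")
    return asset_value * exposure_factor


def exposure_factor(asset_value: Decimal, sle: Decimal) -> Decimal:
    """EF = SLE / AV, for when the per-incident loss is estimated directly (Example 2)."""
    return sle / asset_value


def annualized_loss_expectancy(sle: Decimal, aro: Decimal) -> Decimal:
    """ALE = SLE x ARO. ARO 0.1 means once in ten years; ARO 10 means ten times a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset_value: Decimal      # AV in dollars
    exposure_factor: Decimal  # EF as a fraction
    aro: Decimal              # expected occurrences per year

    def sle(self) -> Decimal:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> Decimal:
        return annualized_loss_expectancy(self.sle(), self.aro)


def residual_ale(scenario: Scenario, aro_after: Decimal) -> Decimal:
    """ALE left after a countermeasure lowers the ARO (illustrative assumption:
    the control changes frequency only, not the exposure factor)."""
    return annualized_loss_expectancy(scenario.sle(), aro_after)


# Example 1: AV $100,000, EF 0.3, ARO 0.5 (once in two years)
STOLEN_LAPTOP = Scenario("Stolen corporate laptop", Decimal("100000"), Decimal("0.3"), Decimal("0.5"))
# Example 2: AV $20,000 and SLE $5,000 give EF 0.25; ARO 2 (four times in two years)
POWER_FAILURE = Scenario("Power failure", Decimal("20000"),
                         exposure_factor(Decimal("20000"), Decimal("5000")), Decimal("2"))

if __name__ == "__main__":
    for s in (STOLEN_LAPTOP, POWER_FAILURE):
        print(f"{s.threat}: SLE=${s.sle():,.0f} ARO={s.aro} ALE=${s.ale():,.0f}")
```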
What is security risk handling?
Risk handling can be described in four ways:
- Risk reduction: Risk is reduced to an acceptable level
- Risk avoidance: Stopping the activity that leads to the risk
- Risk transfer: The risk is transferred to an insurance company
- Risk acceptance: Accepting the cost of potential loss
How can security risks be countered?
Countermeasures can be broadly grouped into three categories.
- Administrative: Countermeasures at the administrative level, such as making security awareness training compulsory for all employees on a quarterly basis, because people are the weakest link in the security chain.
- Technical: Internal networks should be guarded with proper firewalls, and firewall rules should be updated and verified on a regular basis. Firmware should also be updated monthly to address known vulnerabilities.
- Physical: Despite all the above measures, attackers can still get onto the company’s network through physical access. Server rooms should therefore be accessible only to authorized personnel.
We implement countermeasures to reduce risk. However, perfect security does not exist, and there is some risk left despite countermeasures. This is called residual risk.
Summary
This article introduced quantitative and qualitative risk analysis. Single loss expectancy (SLE), exposure factor (EF), annualized rate of occurrence (ARO) and annualized loss expectancy (ALE) were described. Finally, risk handling and the types of countermeasures were discussed.
Sources
- Risk Management, Wikipedia
- Common Vulnerability Scoring System, Wikipedia
- Threat Modeling, Microsoft
- Threat Risk Modeling, OWASP
- DREAD, Wikipedia