1. Information Systems Risk
Assessment Framework
(ISRAF)
(Addendum of NIST 800-39 information systems risk
management and revision of NIST SP 800 30 )
Prepared by
S. Periyakaruppan
(PK)

2. Need of Addendum/ Revision ?
 Ensure converged & integrated process
 Address the challenges in traditional approach
 Adaptive & Modular working model of information systems risk
assessment.
 Improve the organizations risk based decision.
 Bring in value addition to business

3. Should It get transformed ? ! Why
 To make risk management an integral part of business and project
management, IT Life cycle management.
 TO facilitate with practical approach to address risk.
 To Evolve business aligned approach.
 TO tailor down the model of domain agnostic approach.

4. Does it need a Model/Framework
??
 Evolve descriptive process and systematic thinking.
 Emerging business demand and process convergence
 Enhance communication among functional entities.
 Invoke result oriented approach
 Predict results in the systematic model
!!!!!!! ???

5. Assessing risk – What & Why
 To identify the potential opportunity of a probable consequence of an
adverse impact due to a weakness in the information systems.
 To support business with risk based decision.
 To identify external and internal threat exposures to an organization
from nation and another organization, vice versa.
 To monitor the on-going risk exposure of the organization.
 To observe the effectiveness of information security program.
 To assist with Metrics for information security program management.
???????

6. Assessing risks - When
 During architecture development –( Org,process & Information
system)
 During functional and business systems integration.
 During all phases of SDLC (Systems acquisition and development life
cycle)
 During acquisition of new security or business/function solution.
 During modification of mission critical/business critical systems.
 During third party vendor/product acquisition.
 During decommissioning of systems/functions/groups of the
organization

7. Risk framing  Model ???
 Determine the uncertainty of the risk and associated risk
constraints.
 Define the risk tolerance and priority, and tradeoffs.
 Determine the set of risk factors, assessment scale and associated
algorithm for combing factors
 Assist in precise risk communication and sketch out boundaries of
information system authorization.
 Enhance the risk decision with appropriate information.
 Incorporate de-duplication in hierarchical risk management model.
 Determine the context of the entire risk assessment
process/assessment/approach.

8. The Model/Framework
Frame
(CONTEXT)
Tier 1
Tier 2
Tier 3
The Frame work addresses comprehensive risk management
function in a hierarchical approach and leverage context centric
approach.

9. The Focus
Assess Respond Monitor
Risk Assessment is a key element of risk
management
 Risk Assessment process in modular approach.
 Preparation checklist.
 Activity checklist.
 Protocol to maintain appropriate result of risk
assessments.
 Method of communicating risk results across
organization.

10. Strategy/Approach

11. Risk – Key concepts
 Risk aggregate  consolidation of individual Tier1/Tier2/Tier3 risks
in to a cumulative risks to identify relationship among risks at various
levels.
 Threat shifting the dynamic variation on threat source in response
to the perceived countermeasures.
 Residual risk  Tolerable risk remain post the mitigation to an exten
possible to reduce the level of adverse impact to the organization.
 Adversarial risk Risk that has an adverse effect by adversarial
threats.
 Adversarial threats  Threat has an intrinsic characteristics of direc
adverse impact. – Ex., business operation interruption.
 Non-adversarial threats  Threats has no direct or immediate effect
of a threat impact. – Ex., Exposure of system errors, competitive
intelligence gathering.

12. Risk – Key Factors
 Threat Event  Possible adverse impact through a potential
circumstances/event to organization from national and
another organization, vice versa.
 Threat source The intend and the method of exploitation
or attack vector.
 Likelihood  The Probability of a threat become reality.
 Vulnerability  Flaw in an information system that can lead
to a potential threat.
 Adverse Impact  The negative consequences /damage
leads to potential impact to the business / organization/
nation by the consequences of an exercised vulnerability
 Predisposing condition  The existing and known lack of
controls/ in adequate countermeasures as part of available
solution.
 Risk  Measure/ Unit of the extent to which an entity is
threaten by a potential circumstances.

13. Assessing Risk – High Level
Process
Step -1 Step -2 Step -3 Step -4

14. Prepare for Assessment

15. Conducting Assessment
Identify Threat source and Step 1 Intent,Target,Capability
events Capability of
adversaries
Range of effects
Identify vulnerabilities and pre- Step 2 Effect of existing
disposing conditions controls
Intentional/accidental
flaw /weakness in
Determine likelihood of Step 3
system/process
Occurrence
Depends on the degree
of Step 1 and the effect
Determine Magnitude of Step 4 of Step 2
Impact
Result of BIA
Depends on effective
Step 5 BCP/DR
Determine Risk
MTTR/MTBF
RTO/RPO
Risk  Combination of Step 3 and
Step 4

16. Method of Risk Analysis
Threat oriented Vulnerability Asset/Impact
• Identify threat source oriented Oriented
and event • Identify pre-disposing • Identify
• Developing Threat conditions mission/business
scenario and model • Identify exploitable critical assets
• Identify vulnerabilities vulnerabilities • Analyze the
in context of threats • Identify threats related consequences of the
to the known/open adversarial threat
vulnerabilities event
• Identify vulnerabilities
to the threat
events/scenario of
critical assets with
severe adverse impact.

17. Method of Risk Assessments
• Objective oriented assessment
• Using non-numerical values to define risk
factors
Qualitative • Likelihood and impact with definite value based
on individual expertise
• Subjective oriented approach
• Using numerical values to define risk factors
Quantitative • Likelihood and impact with definite number
based on history of events.
• Contextual analysis and result oriented
approach
• Using Bin values (numerical range) with unique
Semi Quantitative meaning and context.
• Likelihood and impact derived with range of
numerical values with degree of unique context

18. Sample Assessment Scale
Qualitative Quantitative Semi Qualitative
Caution: The assessment scales and its descriptive meanings are subject
to vary between organization to organization and with in organization
discretion to the organizational culture and its policies and guidelines

19. Communicate Result
Communicate to the Furnish evidence
Determine the
designated comply with
appropriate method of
organizational organizational policies
communication
stakeholders & Guidelines
Format defined by Identify appropriate Capture appropriate
organization. authority. analysis data support
Executive briefings Ensure right the result.
Presenting information reach right Include applicable
Illustrative risk figures person at right time. supporting documents
Risk Assessment  Present contextual to convey the degree
Dashboards information in of results
Out sketch the accordance with risk  Identify and
organizational strategy document the source
prioritized risk of internal and external
information.

20. Maintain Risk Posture
Reconfirm the
Identify Key Risk Define Frequency
scope and
factors of revisit
assumptions
• Monitor the key • Track the risk • Get the
risk factors response as concurrence of
• Document the required scope and
variations. • Initiate the assumptions
• Re-define the assessment from appropriate
key risk factors when needed authorities
• Communicate • Document the
the results to plan of action
organizational with respect to
entities the risk
response.

21. Applications of Risk
Assessment Information Risk Strategy decisions
Contribute EA design decisions
IS Policy/Program/Guidance decisions
Common Control/Security Standards
decisions.
Help risk response –
Avoid/Accept/Mitigate/Transfer
Investment decisions – ROSI(Returns Of
Security Investments)/VAR(value at
Risk)/ALE(Annual Loss Expectancy)
Support EA(Enterprise Architecture)
integration in to SA.
Assist in business/function information
continuity decisions
Assist in business process resiliency
requirements
Contribute IS systems design decisions
Supports vendor/product decisions
Supports on-going system operations
authorizations

22. Risk Assessment in RMF life
Cycle
1
2
6
3
5
4

23. Organizational cultural effects on
Risk assessment
 Risk models differ based on priorities and tradeoffs with respect to
the pre-disposing condition of organizational culture
 Determination of risk factors and valuation of risk factors to constant
values or qualitative approach depends on organizational culture
 Determination of risk assessment approach and analysis approach
depends on organizational culture.
 Assessment and analysis approach may vary with in organization in
different tiers.