Assessing Your Needs
Introduction to Risk Assessment
| ||It can be a risky world
out there-a single mistake can get a principal sued, a school board to
forbid the exchange of vital education records, or the local legislature
to deny technology funding.
||What would the damage be
to an educational institution if confidential student aptitude information
for which it was responsible was lost or misplaced? Would it cost
the organization $2,000 to rekey the information? $20,000 to readminister
the tests? Perhaps $200,000 in settling legal suits? How about
$2,000,000 in technology funding from wary lawmakers who become fearful
of entrusting private information about their constituents' children to
presumably unsafe record systems? Estimating the actual dollar
figure for every school building, campus, district, and state education
agency is well beyond the scope of a single document but it is not outside
the realm of issues responsible administrators should be considering in
their own organizations. After all, if the public and its representative
governing bodies were to lose confidence in an education organization's
ability to protect confidential information, even the most severe
estimates of the consequences might not be all that implausible--and a $2,000,000
issue deserves attention.
So, what could cause a multimillion
dollar information leak? An intruder, a negligent operator, or a
disgruntled employee? How about a technological snafu? Or even
a tornado? A tornado, you ask? It's possible. If those
ominous winds were to blow in while your guidance staff was reviewing printed
copies of confidential files, you could never be quite sure where
those records might end up.
can such a catastrophe be prevented? In the case of a tornado, it
probably can't. But like other potential troubles, even the devastating
effects of a tornado can be minimized through a well-conceived and
properly implemented security policy. The first phase in more effectively
securing your information and equipment begins with a process referred
to as risk assessment. Put simply, risk assessment involves identifying:
Performing a risk assessment
is a lot like the early stages of buying insurance- you shouldn't spend
your money on protection unless you know exactly what your needs are.
Assets your organization
to those assets
Points in your organization
where you may have vulnerabilities to those threats
Probabilities of threats striking
an organizational vulnerability
Cost estimates of losses should
a potential threat be realized
Such an endeavor may seem
complicated on the surface, but it doesn't have to be. Risk assessment
is a straight-forward process and a most necessary step in decision-making.
By evaluating risk, you are determining your needs so that you don't
spend valuable resources on unnecessary safeguards while, at the same time,
you don't leave yourself exposed to unprotected loss.
Risk assessment forces an organization to consider the range of potential threats and vulnerabilities it faces.
What will your risk assessment
tell you? Well, since risk assessment is a process and not a product,
it depends on your specific situation. As stated above, it should
identify your organization's assets, threats, vulnerabilities, probabilities
of incursion, and associated costs. How can that help you plan security?
It tells you what you have, what it's worth, what to worry about, where
you're weak, and why you should be concerned in the first place.
Say, for example, that you
realize that the old building in which you store your staff records (an
asset) was not constructed with fire-resistant materials in the
way you would require for a newly built structure (a vulnerability)-and
you also realize that it's conceivable that a fire (a threat) could
strike the site (a probability that, while low, is real, and could
therefore be estimated). The question becomes whether you
should introduce countermeasures to protect your staff records from
Knowing what you do about
the asset, vulnerability, threat, and probability, the answer then depends
upon the cost of replacing that lost asset. If you are in a very
small school, it might be feasible to resurvey your staff to gather lost
information at relatively little cost; therefore you could afford to risk
the loss of staff records.
In contrast, however, while
it might also be possible to resurvey staff in a large state system as
well, the associated costs would be much greater-so much so that despite
the low probability of a fire damaging your asset (the records),
you wouldn't want to accept the risk because it would be far too costly
to assume should the threat (the fire) actually strike. Thus,
a small school could theoretically accept the threat of a fire while a
large state system should rebuild to meet fire-resistant standards.
Right? Not so fast-that's not quite the answer.
While it may seem like a
valid conclusion given the information presented, other issues must also
be considered. One influencing factor might be that the building
in question stores not only staff records, but also student and fiscal
records as well, all of which are maintained on a state-of-the-art computer
system. Suddenly the low cost of resurveying a few teachers doesn't
seem like an adequate solution because of the other costs you would likely
incur should a fire occur at your site.
Serious discussions of
security issues include terms like threats, vulnerabilities, penetrations,
and countermeasures because of their precise meanings. While such
terminology may seem somewhat out of place in an education publication,
it's included in this document all the same in an effort to be consistent
with accepted security conventions.
Such an analysis of alternative
countermeasures illustrates the importance of working from exhaustive lists
of assets, threats, and vulnerabilities
Yet another consideration
when evaluating the merit of protection plans is the option of alternative
solutions. Yes, rebuilding would be an effective way of protecting
your records in the example above, but so might be installing a sprinkler
system or training staff to use fire extinguishers. There is also
the option of keeping multiple copies of the information in different locations
(known in the technical world as "off-site backups"). That
way, the only chance you have of losing your information would be if there
was a combination of highly improbable fires that destroyed both the primary
site and each backup site. Supplement this with an insurance
policy to replace your equipment, and you have yet another effective but
less expensive security alternative to rebuilding.|
It is precisely these types
of thoughts that the risk-assessment process should elicit. In fact,
a properly executed risk assessment provides decision-makers with a methodical
approach to determining security strategies-not based on a sales pitch
or gut instinct, but on the concrete, context-specific findings of cost/benefit
In a world of limited
budgets, risk assessment provides an organization with the information
it requires to accurately prioritize its needs. Options for meeting
those needs can then be considered, ranked accordingly, and funded to reflect
Commonly Asked Questions
Q. Where do I begin
to protect information and equipment?
A. The answer to
that question can be very straightforward if you know the answers to two
related questions: (1) What information and equipment do you want to protect?
and (2) What do you want to protect it from? Drawing conclusions
about these important issues can be accomplished most effectively by a
systematic approach to determining your assets, threats, and vulnerabilities-a
process referred to here as risk assessment. Risk assessment is a
collaborative effort to identify potential threats to your organization's
assets, estimate the likelihood of those threats being realized,
and quantify the costs attributable to potential losses.
Q. Why should I worry
about all these details when I have far-reaching insurance policies to
cover my losses?
A. First of all,
many insurance policies cover only tangible assets (e.g., equipment).
As is emphasized throughout this document, however, information is often
more valuable than the equipment that is used to access it. After
performing a risk assessment, you will be in a better position to inquire
about additional insurance policies to cover your information as well.
You can then make sure that you have insured yourself against reasonably
probable, high-cost losses because risk assessment will have helped you
determine what they are more likely to be. Remember, as an educational
administrator, you are the expert on your organization, not an insurance
agent. It is your job to know where and why you need insurance coverage-so
review all policies after performing your risk assessment. Don't
pay for insurance you don't need and make sure that you have those policies
you do need.
Q. Even if my risk assessment
identifies real threats and vulnerabilities, how can I possibly deal with
them with such a small staff (not to mention budget)?
A. The fewer the
resources you have to put into protecting your organization, the more vital
the risk assessment process becomes. Think about it. If you
have unlimited security funding, then you may have enough resources to
protect yourself against the entire spectrum of threats. Having said
that, however, it should be noted that even the wealthiest organizations
should perform a risk assessment to be sure that they have considered all
of their potential threats. On the other hand, if funds are scarce,
you need to perform a risk assessment to accurately prioritize your needs
before allotting your limited resources. In this way, risk assessment
provides you with the information needed to address your most pressing
needs first and increase the effectiveness of those resources that are
at your disposal, whatever they may be.
Components of Risk
What is a risk? For
the purpose of information security and this document, a risk is any hazard
or danger to which your information or equipment is subject. Storing
an expensive computer within reach of an open window is risky. Allowing
students to have access to computerized grade books might also be considered
risky. But even if you now know what a risk is, the question of what
is at risk still remains-and the answer is your assets.
An asset is often defined
as real property. This being the case, it's quite probable that your
organization's computer equipment is prominently listed on the balance
sheets as an asset-a fitting designation, especially considering the large
amounts of money that the equipment surely cost. But recall that
the only reason all those dollars were spent on technology in the first
place was so that you could manipulate your organization's information
more efficiently-information like student academic data, special support
service files, staff health records, and organizational financial figures.
The equipment is important only because it is the mechanism by which you
access the files that are so essential to the operation of the educational
enterprise. Information is the real asset.
Equipment is, of
course, very valuable, but never forget that the real asset is the information.
Although there appears
to be more threats that come from outside of the organization, internal
threats (e.g., authorized users who are either accident-prone, negligent,
or criminal) are far more likely to breach system security than external
It is estimated that as much
as 67 percent of networked computers are infected with one form
of a virus or another in a given year.3
for the growing prevalence of virus threats, more than half of all reported
system damage is caused by unintentional employee action-in most cases,
simple negligence. Any such action, actor, or event that contributes
to risk is referred to as a threat.
|Examples of Threats to an Organization's Assets
Time (Aging Media)
|Manmade Threats (Intentional)
Manmade Threats (Unintentional)
Lost Encryption Keys
Air Conditioning Ducts
As you consider types of
potential threats, notice the secondary distinction that becomes relevant
in the manmade category between intentional and unintentional threats.
Intentional manmade threats are a source of particular resentment for many
people. After all, why should an organization have to spend its valuable
resources on keeping users from willfully causing damage? The same
question can be asked about the need for uninsured motorist insurance,
but the results will be the same. You have to be able to account
for people who are unwilling to play by the rules!
|Deliberate unauthorized assaults on a system can make sense to potential intruders when two conditions are met:4
The message is clear:
- The intruder can benefit substantially
from the act (i.e., something of value can be gained).
The act requires relatively
little effort in comparison with the potential gains.
Know the potential
value of your information and make penetration more difficult than it's worth.
Threats and vulnerabilities
exist whether you are aware of them or not-risk assessment helps
to inform decision-makers of their presence.||
Vulnerabilities refer to
points within a system that are open to attack or damage.
What type of attack? That depends on the threat. Vulnerabilities
are the mechanisms by which threats access your system. Think of
a thief (a threat), for example, who is ready to strike your building (which
houses your assets). An open back window through which that thief
might enter the premises is a vulnerability.
A countermeasure is a step
planned and taken in opposition to another act or potential act.
While ultimately aimed at rebuffing threats, countermeasures are often
deployed strategically at points of vulnerability, as is the case when
a lock (a countermeasure) is installed on a back window through which a
thief may try to enter your building (see vulnerabilities above).
Countermeasures are often designed to serve one of the following functions:5
by initiating backup procedures, threats are prevented from damaging
your lone copy of information in a single event.
by training users about the legal consequences of unacceptable use, potential
threats who might otherwise consider destructive activities may be deterred.
For example, by segmenting each separate type of information in your
system, even active threats can be limited to the record areas they can
find and enter.
by reviewing records of user activity, commonly referred to as audit
trails, unwelcome activity can be uncovered.
by preparing and testing a contingency plan, "lost" systems and
"damaged" information can be salvaged (or at least losses and damage can
Dealing with Risk
Options for dealing with
- Counter it (an
- Accept it (also
an informed decision)
- Ignore it (an
uninformed decision and a poor strategy)
Creating a risk-free environment
is unrealistic, but instituting a "trusted system" (i.e., one that
while not perfect is trustworthy) is possible.6 The reason
for this limitation is that you simply cannot counter all risk. In
actuality, countering risk is only one of three potential ways in which
to deal with threats and vulnerabilities. Although it may seem counter-intuitive
based on the stated purpose of this document, risk can also be accepted
(sometimes a very stable strategy) or ignored (not a good plan under any
Under what conditions could
accepting risk make sense? Well, it is theoretically possible that
an asteroid could smash into the earth and land, of all places, on your
office. The risk is real, albeit small, and can be estimated as such.
Should you, therefore, endeavor to build a concrete vault two miles beneath
the surface of the earth to store backup files of your records, or should
you accept the risk of an asteroid strike and figure that your system will
be the last of your worries should the event actually occur? Your
risk assessment (see Steps 1-8 below) and common sense will probably tell
you that you can safely afford to accept the residual risk of asteroid
strikes. That's right, you don't have to counter any and every risk
conceivable, only those it makes sense to address based on the results
of your risk assessment.
On the other hand, ignoring
risk is not a stable strategy (although it is an all too common practice).
Risks are everywhere. If you choose not to perform a risk assessment
and, instead, simply choose to ignore your risks, they are still there
all the same-you just won't be prepared for them. Thus, despite the
fact that it is possible to handle risk in any of the three ways-counter
it, accept it, or ignore it--only the first two are stable strategies,
and both depend on the results of an accurate risk assessment.
While potential risks
should never be ignored, it only makes sense for an organization to focus
its attention on those risks that are most likely to affect the system.
Guidelines for Risk Assessment
||You don't want to put a
50-dollar lock on a 20-dollar hammer-unless you're a carpenter and you
would lose more than 50-dollars' worth of business in the time it took
to replace that 20-dollar tool.
A properly conceived and implemented
risk assessment should:7
- Provide the basis for deciding
whether countermeasures are needed
- Ensure that additional countermeasures
counter actual risk
- Save money that might have been
wasted on unnecessary countermeasures
Determine whether residual risk
(that risk which remains after countermeasures have been introduced) is
|Risk Assessment Outline
The Players: It's
a Team Effort
Timing: First Things
Take Stock in What You
Have and What It's Worth
|Step 1 - Identify
Sensitive Information and Critical Systems
Step 2 - Estimate
the Value of System Components
Identify Your Potential
Threats and Vulnerabilities|
Step 3 - Identify
Step 4 - Identify
Step 5 - Estimate
the Likelihood of a Potential Penetration Becoming an Actual Penetration
|Think Through Your Defensive
|Step 6 - Identify
Countermeasures Against Perceived Threats and Vulnerabilities
Step 7 - Estimate
Costs of Implementing Countermeasures
Make Informed Decisions
Step 8 - Select Suitable
Countermeasures for Implementation|
If top educational administrators
in an organization don't actively participate in, and outwardly demonstrate
their commitment to, the security effort, no one else in the organization
The Players: It's a Team
The process of risk assessment
should be initiated and led by the top educational administrators in an
organization. But although the endeavor is captained by chief administrators,
feedback from all levels and job categories is required. At a minimum,
information collectors, data providers, data entry staff, and data processors
and managers should be involved in the early stages of risk assessment.
In short, more people involved in the brainstorming process results in
more ideas being generated.
It Really Happens!
A large and technologically
sophisticated school district was having difficulties with the good practice
of backing up its networked computer files each night. It seemed
that despite the data manager's best efforts to verify that all of the
computer equipment used in the copying process was working properly, one
portion or another of the tapes would invariably fail to copy every night-namely,
there would always be a "blank spot" on the backup file where nothing had
actually been copied. To make matters more perplexing, the data manager,
well-trained in her field, had finally decided to try running the backup
procedures in the middle of the work day just to test the equipment.
Surprisingly, after repeated failures in the evenings, the process worked
perfectly. Now thoroughly frustrated by the situation, she decided
to stay several hours after work so that she could observe the backup system
in action first hand. Three hours after everyone but the cleaning
staff had left for the day, the tapes began the automatic copying process
without a hitch. The data manager monitored the tape speed, the cabling
between the computers, and even the room temperature. In fact, she
was so totally engrossed with her inspection of the system that she barely
noticed the custodian when he walked into the room and said hello.
The focused woman, somewhat startled by the man, looked up to reply to
the greeting-only to see him pulling the backup computer's power cord from
the outlet in order to plug in his vacuum cleaner. "So," she said
to herself ironically, "that's why we have such a clean computer room."
While it is never too late
to do the right thing, postponing risk assessment invites undue peril and
Timing: First Things First
Risk Assessment is a prerequisite
for any serious attempt to implement a security policy within an organization.
It's a step that simply cannot be ignored. After all, unless the
organization's needs are first accurately assessed, there is no way of
knowing whether financial and staff resources are being wisely invested
in security initiatives.
Take Stock of What You
Have and What It's Worth
Only careful and collaborative
efforts will yield worthwhile results. Be inclusive, exhaustive,
and realistic when documenting your assets.
Step 1 - Identify sensitive
information and critical systems: The goal here is to make a
distinction between general information and systems (i.e., that
information and those systems that are helpful to your organization as
it carries out its mission) and sensitive information and critical
systems (i.e., that information and those systems that are private and/or
vital to your organization as it carries out its mission).
For example, the computer
that houses the "HELP" file for your organization's word processing software
is a "general" support component. While it is most helpful to have
access to user HELP when facing a word processing problem, the files themselves
are not vital to running a school or school system. Conversely, the
new software that manages a school system's substitute teacher scheduling
is vital to the teaching mission. If it isn't available and working
properly, principals could potentially find themselves with classrooms
full of students who have no teacher. And that makes the system "critical"
if ever there was one.
is that information which if lost or compromised might negatively affect
the owner of the information or require substantial resources to recreate.
Critical systems are
those systems or system components (hardware or software) that if lost
or compromised would jeopardize the ability of the system to continue processing.
An example of sensitive information
would be personal student or staff records.
An example of a critical
system might be the cabling that links your administrative and instructional
Don't allow yourself to feel
restricted when brainstorming-among other pitfalls, avoid working within
the paradigm of conventional technical definitions if you feel that they
might limit your ability to construct an exhaustive list of your assets.
For instance, when considering critical systems, don't restrict yourself
to physical systems, which traditionally require actual hardware
connections. In your organization and information system, perhaps
two stand-alone computers in the same room constitute a single system.
Remember, the primary consequence of Step 1 is that all equipment and information
identified as being either sensitive or critical needs to be given strong
consideration as high priorities on the list of concerns that demand security.
To leave out a component because you didn't think broadly enough leaves
the organization vulnerable.
| ||It must be acknowledged that while even a well-reasoned estimate is little more than an educated guess, it is still a better gauge of reality than wild speculation or, even worse, blatant disregard.
Step 2 - Estimate the
value of system components: Estimating the value of your information
system is not always simple, but the task is made more manageable by focusing
on the word "estimate." After all, it may very well be impossible,
or at least impractical, to try to derive a precise dollar value for some
assets (especially information assets). Instead, try to calculate
a reasonable approximation of the replacement value of each component of
the system-both equipment and information. Be sure to consider the
following factors when deriving your estimation:
Again, keep in mind that while
the costs of hardware and software tend to be more readily measurable,
information costs are very real as well. You may not be able to call
a vendor and say "What is my information worth?" the way you can call your
equipment salesperson, but you still have to ask yourself "What is it worth
to my organization?" Estimates of these costs, no matter how rough, give
you a more accurate sense of the true value of important information assets.
Direct replacement costs of
hardware, software, and peripherals (Would there be installation
costs? Consultant fees? Necessary upgrades?)
Replacement costs of stored
information (Would rekeying be necessary? Resurveying?)
Costs associated with the disruption
of service or other activities (Would you have to pay staff overtime during
the recovery period? What about extra school days at the end of the
year to make up for missed time?)
Indirect but real costs associated
with a loss of public confidence (Would it impede current or future data
collection efforts? What would be the effect on legislative initiatives?)
Remember that people often
rely on information in their school records for their entire lives-to get
jobs, to apply to schools, and to verify age and credentials. Dollars
and cents may be a poor measure of the value of such information.
One common mistake in this
process that can lead to serious flaws in assessment results is when you
focus on only the sensitive and critical segments (as identified in Step
1) when estimating the value of an information system. While identifying
sensitive information and critical systems is necessary for setting priorities,
all information has value and requires attention in this step. If
it doesn't, the information's overall utility should be reconsidered.
After all, if it isn't valuable enough to recover or rekey upon being damaged
(which requires a cost that can be estimated), what purpose could it possibly
If information isn't valuable
enough to warrant consideration of its protection and recovery, can it
be valuable enough to warrant precious disk space in the first place?
||Identify Your Potential
Threats and Vulnerabilities
How do you identify threats
and vulnerabilities? In a word: Brainstorm! No idea about potential
threats or vulnerabilities is unimportant. However, keep in mind
that management has a very limited perspective on information and system
use. Maximize the resources at your disposal by including representatives
from all organizational levels and duty types in the brainstorming effort.
After all, you don't want that cleaning staff left out when they might
be the only people on duty to protect equipment and information after hours.
Nor do you want to exclude those library assistants who oversee the computers
your students use to log on to the Internet. Always keep an open
mind to what your users have to say.
Step 3 - Identify
threats: What actors, actions, or events threaten your system?
Refer to the examples on page 15 before creating an exhaustive list through
a collaborative brainstorming process. Be sure to consider the following
types of threats:
Natural (e.g., fire, flood,
lightning, and humidity)
- Manmade unintentional
(e.g., negligence and accidents)
- Manmade intentional (e.g.,
hackers and viruses)
Step 4 - Identify
vulnerabilities: Where is your system susceptible? Consider
vulnerabilities to natural threats and both intentional and unintentional
manmade threats as identified in Step 3. Also look at other examples
of threats, as listed on page 15, to see if any new ideas are triggered.
After this initial brainstorming, organize the list of vulnerabilities
you've generated into categories such as the following and then once again
see if additional thoughts come to mind:
- Physical concerns (e.g.,
room access, building construction, and climate)
- Hardware- and software-related
issues (e.g., equipment, programs, and compatibility)
- Media liabilities (e.g.,
disks, tapes, hard drives, and print copies)
- Communications (e.g.,
access points and encryption)
- Human concerns (e.g.,
personnel and office behavior)
|Where Is Your Office Vulnerable?
The following happens in the typical office quite frequently:
- A door is propped open and doesn't have a lock (see Chapter 5).
- A cup of coffee is set on a computer case (see Chapter 5).
- A computer monitor sits within plain sight and easy reach of a window (see Chapter 5).
- Wiring is in the way of foot traffic (see Chapter 5).
- Equipment is plugged into wall sockets without a surge protector (see Chapter 5).
- Outlets are overloaded (see Chapter 5).
- Backup files are stored in the same room as the original files (see Chapter 6).
- Floppy disks are shared haphazardly and are not labeled (see Chapter 6).
- Someone's password is written and posted on their monitor (see Chapter 8).
- A computer is logged on but has been left unattended (see Chapter 8).
|Is any of this happening in your office?
If it is, your system is vulnerable!
Step 5 - Estimate
the likelihood of a potential penetration becoming an actual penetration:
What is the probability of a threat capitalizing on a vulnerability?
As difficult as answering such a question might appear to be, you don't
have to be able to predict the future in order to generate reasonable probabilities
of future events. Use logic, as possible, to support your estimates.
For example, for an institution located along the Mississippi River, earthquakes
and floods are threats that are within the realm of possibility, but logic
will tell you that the site is probably much more susceptible to floods.
Using flood histories, the likelihood of the next 100-year flood can be
estimated. Similarly, by researching earthquake data, you can estimate
the likelihood of earthquakes as well.
Think Through Your Defensive
options, see Chapter
Chapter 6 (Information
Chapter 7 (Software
Security), Chapter 8
(User Security), and
Chapter 9 (Network
Step 6 - Identify
countermeasures against perceived threats and vulnerabilities: This
step parallels Steps 3 and 4 in that its purpose is to generate an exhaustive
list of ideas-this time potential solutions to the concerns caused by your
identified threats and vulnerabilities. When considering options,
be sure to keep in mind that many threats and vulnerabilities can be addressed
by more than one countermeasure. A potential thief, for example,
could be thwarted by better locks, video cameras and other electronic surveillance,
or even trained security patrol officers. Step 6 focuses on generating
a list of such options for each perceived threat and vulnerability, not
in selecting what appears to be the preferred option. That is attempted
only after an exhaustive list is finalized and costs/benefits are considered.
Issues to consider when brainstorming potential countermeasures include:
- Physical security equipment
and procedures-location and environmental strategies such as climate monitors,
required building specifications, and regulations governing room access
and food and beverage use
- Information security practices-storage
and use regulations such as labeling and write-protecting files
- Software security techniques-purchasing
and programming concerns such as copyright infringements and proper documentation
- User access controls-data
and system access issues, including log-in and password protection
- Networking security initiatives-connectivity
issues like firewalls and encryption strategies
A big screen television
is nice, but not if it's in a room that is 8 feet wide by 9 feet long.
So, too, must countermeasure solutions be compatible with an organization's
environment in order to be effective.
account for both
Step 7 - Estimate
costs of implementing countermeasures: This step entails determining
the costs associated with countermeasures identified in Step 6. Remember
that the vast majority of costs are twofold: initial and ongoing.
Be certain to consider all of the following factors:
- Both money and time for
research, development, procurement, installation, and maintenance of security
- Staff training time-the
costs are real and absolutely necessary
- Altered productivity (e.g.,
having each employee spend one minute using a virus scanner three times
each day may amount to only three minutes of work time per day, but when
calculated for the entire organization and compounded by a host of other
possible security activities, such seemingly insignificant costs can add
- Countermeasures already
available to the organization that may require less investment to institute
(e.g., if your accounting office currently uses certain security procedures,
there may be fewer training costs because you already have a core of people
who can share their expertise)
It Really Happens!
The local elementary school decided to purchase five new computers for its media center--no small investment
considering its limited technology budget. Mr. Watkins, the librarian, would supervise their use and was
in charge of the acquisition. He went down to the computer store to inspect the merchandise one last time
before making a final commitment. While he was there, he bumped into the salesperson who had so ably
advised him throughout the selection process. As they chatted, Mr. Watkins mentioned that he was very excited
about the purchase, but also a bit nervous. "I've never had to run a computer lab before," he admitted. "In
truth, I bet that the students know more about these computers than I do." The salesperson, with the best of
intentions, mentioned that the store offered a service package that provided on-site maintenance on equipment
they sold for only $100 per piece per year. Mr. Watkins immediately agreed to order the package, deciding that
it was a waste to spend all that money on the equipment in the first place if he was not properly trained to
keep the machines up-and-running. Privately, he absolutely dreaded the thought of having kids running through-out
the lab with nothing to do as he tried to tinker with the complicated equipment in vain.
Two months later, after the new computers had been purchased and installed, Mr. Watkins noticed that one
of the monitors wouldn't turn on properly. Not wanting to push a panic button, he called the building custodian
to check the outlet. "Nah, it's not the power," the custodian reported. "We'd better get the guys from central
office down here." Mr. Watkins looked at him with surprise, "Why would we bother them when I have a service
contract from the store where I bought the monitor?" At that point, two months after an extra $500 had
been spent on maintenance contracts, Mr. Watkins finally found out that the school district serviced instructional
equipment at no cost to the schools. "Wow," he thought as he looked with despair at the service contract he
had purchased without much consideration, "what a waste of money!"
| ||Recognize that because
of the gray areas
estimating the value of
information and the
likelihood of threat
assessment is not an
exact science- don't be
afraid to leave yourself
some room to adjust
your findings so that
you can accommodate
||Make Informed Decisions
Step 8 - Select suitable
countermeasures for implementation: In Step 8, it's finally time
to decide which countermeasures make the most sense to implement.
Remember that there will probably be more than one countermeasure that
can protect your system from any given threat or vulnerability, so you
have some choices. Your job is to determine which strategy makes
the most sense from a cost/benefit perspective. This can be accomplished
by comparing your estimated costs of potential losses for a given period
of time (Steps 2-5) with actual security costs that would be incurred when
preventing such a loss for the same period of time (Step 7).
A desired level of risk
reduction is achieved when further reduction would cost more than the benefits
One way to decrease your
actual security costs is to keep in mind that a single countermeasure can
actually serve as a solution to multiple threats and vulnerabilities.
An example of this is when security officers who protect your most sensitive
areas serve as a countermeasure to both external intruders and potentially
misguided staff. Such a compromise solution is really no compromise
at all-two potential threats are being countered for the price of one.
In effect, you're getting twice the protection for the cost of a single
Closing Thoughts on Risk
Once you determine your
needs and priorities through the above eight steps, you can then make security
decisions based on concrete information. Sales pitches from vendors
and gut instinct on the part of well-intentioned, but perhaps uninformed,
staff need no longer serve as reasons for making security policy when competent
administrators are armed with the information required to make rational,
It should be emphasized
that decision-makers must be involved in the entire process of risk assessment.
Should, instead, they rely simply upon cost/benefit analysis without being
aware of other important factors that might have been uncovered in the
process, they might not make a completely informed decision. A good
example of this would be if it was determined in Step 1 that some of the
student information on a computer was actually sensitive. As discussed
throughout this document, those confidential records would need to be protected
regardless of cost/benefit analysis because of the various laws in place
that mandate protection of student and family education records.
Not knowing this important fact could, in such an instance, lead to disastrous
results for the organization and its students!
An exception to the
rule: Failure to introduce risk reduction cannot be justified by cost/benefit
analysis if there are compelling non-financial reasons for mandating it
(e.g., privacy or appropriate use laws).
Risk Assessment Checklist
While it may be tempting to simply refer to the following checklist as your
security plan, to do so would limit the effectiveness of the recom-mendations.
They are most useful when initiated as part of a larger plan to
develop and implement security policy throughout an organization. Other
chapters in this document also address ways to customize policy to meet an
organization's specific needs- a concept that should not be ignored if you
want to maximize the effectiveness of any given guideline.
Security Checklist for Chapter 2
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.
for Risk Assessment
Is the process of risk assessment being championed by a top-level
- Is feedback being elicited from representatives of all user types?
- Have sensitive information and critical systems been identified (Step 1)?
- Has the value of all system components (not just sensitive information
and critical systems) been estimated (Step 2)?
- Has an exhaustive list of potential threats been generated (Step 3)?
- Has an exhaustive list of vulnerabilities been generated (Step 4)?
- Has the likelihood of a potential penetration becoming an actual
penetration been estimated (Step 5)?
- Has an exhaustive list of countermeasures to identified threats and
vulnerabilities been generated (Step 6)?
- Have the costs of implementing identified countermeasures been
estimated (Step 7)?
- Have suitable countermeasures been selected for implementation