Thursday, August 8, 2013

Reducing Risks Through Informed Security Control Selection

Risk management is not about the number of security controls chosen, but about choosing the right ones.  The Joint Task Force Transformation Initiative describes a risk management process made up of four steps: frame, assess, respond, and monitor.[1]  This is an effective way of making sure that due diligence is applied to risk management and, ultimately, to the control selection process.

The purpose of the framing portion of the risk management process is to develop a strategy that includes risk assumptions, tolerances, and organizational priorities.[1]  Targeting security controls places increased emphasis on the strategy for choosing and applying those controls.  This emphasis is necessary to prevent critical business processes from being under-protected.  Unfortunately, when security controls are implemented in bulk without an appropriate strategy in place, critical and non-critical processes end up receiving about the same level of protection.  Another downside to blanket security control implementations is that the same set of controls is not always useful for every organization.  Targeted security control implementation is clearly advantageous because otherwise organizations will accept a higher level of risk while also wasting significant monetary and personnel resources.

Risk assessment determines what the total risk environment looks like for the organization.  This includes examining threats, vulnerabilities, potential impact, and likelihood of occurrence.[1]  Understanding this total risk environment is essential for determining which security controls to implement.  The modern threat environment is dynamic, and not every threat that exists targets every organization.  An organization needs threat intelligence to determine which threats are targeting it, which vulnerabilities they exploit, what the mission impact of their success would be, and how often this is likely to happen.  If an organization does not take these factors into account, it will spend time and resources protecting assets that are not being targeted while under-protecting assets that are, potentially resulting in detrimental losses.

The response step of the risk management process requires identifying response options, evaluating them, deciding which ones to execute, and implementing the selections.[1]  Implementing a standard list of security controls may save time, but the result is that some networks will not have the optimal set of controls applied.  When implementing the evaluated and selected set of controls, there are fewer controls to implement, but that does not mean that fewer personnel or resources are required.  Significant resources are needed because the implementation of controls that protect critical assets must undergo rigorous review to ensure that they provide the desired level of protection.  Errors during implementation can include missing assets that need to be protected or implementing controls in an insecure form.

The last step in the risk management process is monitoring.  In this step, control implementation is verified, effectiveness is evaluated, and risks are continually examined.[1]  It may seem counterintuitive, but implementing fewer controls results in more work in the monitoring stage.  Because there are fewer controls and they protect critical capabilities, monitoring matters more: the failure of a single control can have significant repercussions.  Since the threat environment is continuously changing, organizations must remain vigilant both in evaluating the effectiveness of the controls they have implemented and in determining when additional controls are warranted.  This is a critical step in the risk management process because it is the feedback mechanism that provides essential input to follow-on organizational risk strategies.  It ensures that the organization can continue to respond to the threat environment as it changes and can maintain its desired risk appetite.[2]

The advantage of a tailored and dynamic security control implementation is that it is built to meet the risk management needs of the organization.  By following this approach, the disadvantages of blanket security control implementation, such as increased costs, increased complexity, and reduced protection of critical assets and processes, are avoided.  The best way to implement security controls that remain effective as an organization's needs change is to follow a robust risk management process.  The Joint Task Force Transformation Initiative process, with its steps to frame, assess, respond to, and monitor risks, is an effective method.[1]  This lifecycle method ensures that security control selections are based on strategy, meet the needs and constraints of the organization, are commensurate with the threats, and feed back into future decisions to facilitate improvements.  Following this method will significantly increase the effectiveness of security controls and decrease the risks posed to the organization.

[1] Joint Task Force Transformation Initiative. (2011). Managing Information Security Risk: Organization, Mission, and Information System View, Special Publication 800-39. Gaithersburg, MD: National Institute of Standards and Technology.
[2] Caralli, R. (2004). Managing for Enterprise Security. Software Engineering Institute, Carnegie Mellon University: Pittsburgh, PA.


  1. Stephen,

    Nice job on this!!

    All the best

  2. Great article, Stephen. I'm going to share it with some peers at Dell.

  3. Thanks Kevin!

    This issue came up again this morning in discussions regarding security controls used in the data transfer process between classified and unclassified systems. Some would argue that the risk is low that a data transfer will be the cause of a security violation (data breach) and that strengthening background check controls would be a much more effective way to mitigate breaches. I tend to agree, especially when these data transfer controls are inhibiting/slowing down operations on deployable units. Unfortunately, I think that until there is a much higher comfort level with ongoing operations and uses of our networks, there will continue to be a hesitancy to adapt the dynamic security control implementation that I argued for in my post.