Humor! Personal Security Risk Assessment


This originally was supposed to be a short and funny example of a personal security risk assessment from the perspective of a security professional.  The assessment became much more involved than originally expected as do most first time security projects. Anyway this is my attempt to prove a simple point (why do a risk assessment?) by performing a somewhat comical personal security risk assessment.  I imagine law enforcement or insurance agencies probably have more complex models then the one presented below. 

Disclaimer: The names and facts of certain individuals have been changed to protect the guilty and innocent.  If anything in this is true, it was meant to be false; if anything is false, it was meant to be true.   

Assets

 As we all know the first step in any security solution should involve a risk assessment.  For this example, an asset based risk assessment will be used.  To begin, a list of assets must be defined and assigned a criticality.  You might think – what assets? – Shouldn’t there just be one asset (i.e. me).  No there are many more.  Here is the list of assets (Not to provide too much personal detail as it’s a risk).  After a good deal of time the list was reduced for simplicity too. 

Physical

Asset Criticality
Real-estate Medium
Automobile(s) Low

 

 

Financial

Asset Criticality
Career High
Cash Medium
Investments Medium
Credit Cards Low

Human / Animals (We won’t say which is an animal and which is a human)

Asset Criticality
Myself High
Immediate family High
Distant family Medium
Pets Low

 

Threats

 After identifying the assets and assigning a criticality ranking, the next step was to come up with a list of threats.  (This was getting way too personal to put on the internet.  Items needed to be skewed really quick and become more interesting).  There are several threats that affect me personally, which are represented in the table below. 

Environmental

Threat Likelihood Explanation
Fire Low Although I don’t wear a fireproof suit to work everyday the chance of being set on fire is fairly low.  Also, my house has a stove, coffee maker, and iron, but smoke detectors are installed on all floors and files are locked in a fireproof cabinet, thus the likelihood of this threat destroying anything is low.
Flood Low Hmm. My house is at the top of a mountain and I work in a high rise building so this is definitely not a big threat.
High Humidity Medium The southeast is a high humidity region of the
USA.  There is a possibility of my food going bad and mold contaminating my house, which could lead to poor health.
Tidal Wave Low Surfs up dude!  Not likely even after watching all those discovery channel movies about the super tsunami.

Human (Way too many to list!) 

Threat Likelihood Explanation
Terrorism  Low Even though
USA is a target, the likelihood of it affecting me is low at this point in time.
Robbery  Low Good luck my 9mm is attached 70% of the time in addition to my 15 years of martial arts training.  The house has an electric fence with a pair of pit bulls (Zero and Uno are their names).
Carelessness  Medium I must make at least several careless mistakes a day.  This posting is probably one of them.
Sickness  Low Fairly good health thanks to my military training and upkeep.

Enough, the point was made.  The next step was to identify the vulnerabilities.  It gets really scary thinking about all the real problems.  After a short brainstorm session I’m considering locking myself in the house and ordering delivery for the rest of my life, but based on my current paranoia level I might be afraid to answer the door for the food.  (Understand how a CEO must feel when the security consultant or CISO presents these problems for the first time).  “Well boss here is a list of our problems!” 

Vulnerabilities

Usually vulnerabilities should be broken down into categories, but that’s too much depth for this posting, therefore below is a sample list of vulnerabilities, their rating, and a brief description.   

Vulnerability Rating Description
Immediate family does not have appropriate martial arts training Medium Some immediate family has been trained with basic skills, but not all have the ability to stop a robbery. 
Mail not delivered to secure location Medium Although mail theft is a serious offence the proper safeguards to protect my regular mail are not in place because it’s delivered to a publicly accessible location.
Pit bulls have not been to obedience training Medium Pit bulls have been known to attack neighbors, visitors, pets, or family if not properly training.  This could cause serious time, damage to reputation, and have a financial impact.
Inadequate wallet protection Medium Although the wallet is buttoned in a pocket.  There is no chain protecting it from pick pockets or magicians during the regular course of a day.
Lack of sleep on a regular basis High Too many hours spent working, playing video games, and blogging.  This could affect career, family, pets, etc.
Partied too much in college Low A degree was obtained but as a result of daily partying a position in politics or at the FBI is unlikely due to past behavior at these events.
Not enough blogging Medium Blog was recently established but at the rate of 3 to 4 posts a month there is a risk losing visitor interest to the website and stagnation of career.

Calculating

To make this easy the scoring method is listed in the table below for each area.  More detail could have been provided, but the point is not to provide the scoring method.  Most of this follows the NIST guidelines anyway.  The big item not presented in the example below is the assignment of vulnerabilities and threats to each asset. 

 

Asset

Criticality
High = 100
Med = 50
Low = 10
Likelihood
High = .50
Med = .25
Low = .05
Rating
High = .50
Med = .25
Low = .05
Risk
High = 51-100
Med = 11-50
Low = 1-10
Real-estate 50 .08 .05 7
Automobile(s) 10 .05 .05 1
Career 100 .19 .31 50
Cash 50 .19 .22 21
Investments 50 .22 .01 9
Credit Cards 10 .22 .14 4
Myself 100 .50 .50 100
Immediate family 100 .50 .41 91
Distant family 50 .15 .14 15
Pets 10 .22 .01 2

Note: the top three risk assets were bolded in the above table. 

 

 

Why do a Risk Assessment?

 So what does this tell you?  Probably not much initially as most people already know that immediate family, career, and some type of financial asset are the most critical personal items.  Also, no matter how the risk assessment is conducted “Myself” will almost always be the highest risk asset.  This brings me to the point – Why do a Risk Assessment? Before answering that question let us assume I hired or obtained advice from different specialists for each asset listed above.  Here is the advice I received. 

Real-estate security specialist:  Install an alarm on all doors and windows.  Consider moving to a gated community with guard.  Install cameras by doors and sensor lights at the edge of the property that light when visitors arrive. 

Automotive security specialist: Install bullet proof glass, upgrade car alarm, and consider upgrading to a car with more air bags and higher crash test rating.

Career security specialist: Update your resume, write more security articles, write a book and consider starting your own business.

Personal security specialist: Continue martial arts training, consider taking yoga working less to reduce stress and make less mistakes.

Without performing a risk assessment I should move to a gated community, upgrade my car to a Volvo, start my own business, and take yoga in my free time.  This sounds like a great deal of change and more risk than continuing my regular course of actions.  Seem familiar!  Ever had an organization do an assessment and deliver thousands of vulnerabilities that need to be fixed?  So what should be implemented and in what order?  Does every recommendation need to be implemented?  Therein lies one point of a risk assessment.   

Putting It All Together

 A risk assessment will usually provide more strategic recommendations associated with the overall risk of each asset.  Individual specialized reports may not be able to identify these issues because specialists are not able to analyze the entire situation.   Therefore, as a result of this personal risk assessment a sample of the controls that should have been recommended are provided below in order of priority. 

Get at least 6 hours a sleep every night.

Get a PO box and have all important mail sent to this new address.

Enroll immediate family in martial arts training.

Perform regular maintenance on automobiles and ensure breaks are checked regularly. 

Maintain current job, increase 401k holdings equal to company match.

The great thing about this being my personal security risk assessment is that I decide how much risk is acceptable.  Therefore, I will try and sleep 6 hours a night, perform regular maintenance on my car, and maintain my current job while increasing my 401k holdings.  On the other hand, I choose to accept the risk of personal mail delivery to my house and unless my family really wants, they probably won’t enroll in martial arts training.  Hopefully organizations will also have a good mind of their own and take the risk based approach to security. 

 

ISO 17799 27001 Control or Standard


I recently came across an interesting article explaining the concept of ISO 17799/27001 being a control vs. a standard.   This is a good write up because it explains that the ISO documents are there as suggestions and guidance based on a risk assessment.   

Many times I talk to organizations that appear to be looking to implement the ISO controls, but there is an education gap.  In most cases these organizations are not looking to be compliant for an ISO audit but believe they are increasing the company’s security.  If you are not looking to be compliant then like all security solutions a risk assessment should be conducted to determine the controls implemented and their priority.  

Article:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018158&pageNumber=4

Roles & Responsibilities in Policy


Risk Assessments almost always produce one finding consistently.  The finding is lack of roles and responsibilities defined.  The ISO 17799/27001 documents provide some guidance, but in many cases organizations do not know how to define clear security roles and responsibilities.  Before writing this I went through about 20 different organization policy documents to see if any listed roles and responsibilities the same.  In most cases I noticed three solutions.

Solution 1:

This solution did not include clearly define roles and responsibilities.  These documents contained few responsibility statements that were scattered through all different areas of the main security policy or policies.

Solution 2:

Solution 2 was the most consistent across all documents reviewed.  This solution usually defined three specific roles and responsibilities.  These are information owner, information custodian, and information user.  Each of these three roles had several statements defining their responsibilities, while there were additional statements scattered through all different sections of the policy document.

Solution 3:

Solution 3 was more consistent on policy documents that are broken up into smaller documents or much shorter in overall length.  This solution usually had specific roles such as Firewall Administrator, CSO, System Administrators, Compliance Officer, Audit, etc.  In most cases each of these roles had several bulleted responsibilities listed.

What Works?

The best solution is the one that works within your organization and causes less confusion.  If risk assessments are performed regularly then make sure the roles and responsibilities are written address the risk assessment requirements.  Two methods usually work.    

The first is to combine solution 2 and 3 and write a separate roles and responsibilities document or section of the overall policy.  This way there are many roles and responsibilities defined, which are easy to find because they are listed all in one place.

The second is to use solution 2 near the beginning (or in a separate policy document) of the policy document then in each different section of the policy (or each smaller policy document) write a roles and responsibilities sub section with more detailed roles.

New Links Page – Policy and Standards


I never seem to have all my links in where I need them.  Either they are on a work computer or my home computer and never in one place.  Therefore, I have created a Links page that I will continually be updating (I may separate into separate pages if it gets too large).  For now I have added a group of policy and standards pages that I may use from time to time.

If you have any links you think should be added to the library please post a comment on the blog and I will evaluate and add if it meets the criteria.