FIPS PUB 191
The relationship between risk acceptance testing and safeguard selection can be iterative.
Initially, the organization needs to order the different risk levels that were determined during the
risk assessment. Along with this the organization needs to decide the amount of residual risk that
it will be willing to accept after the selected safeguards are implemented. These initial risk
acceptance decisions can be factored into the safeguard selection equation. When the properties
of the candidate safeguards are known, the organization can reexamine the risk acceptance test
measures and determine if the residual risk is achieved, or alter the risk acceptance decisions to
reflect the known properties of the safeguards. For example, there may be risks that are
determined to be too high. However, after reviewing the available safeguards, it may be realized
that the currently offered solutions are very costly and cannot be easily implemented into the
current configuration and network software. This may force the organization into either
expending the resources to reduce the risk, or deciding through risk acceptance that the risk will
have to be accepted because it is currently too costly to mitigate.
Many sources exist that can provide information on potential safeguards (see the Reference and Further Reading sections). The methodology discussed here defines safeguards in terms of security services and mechanisms. A security service is the sum of mechanisms, procedures, etc. that are implemented on the LAN to provide protection. The security services (and mechanisms) provided in Section 2 can be used as a starting point. The security services should be related to the threats defined in the risk assessment. In most cases the need for a specific service should be readily apparent.

Figure 3.7 - Comparing Risk and Cost

To calculate risk/cost relationships, use the risk measure and the cost measure associated with each threat/mechanism relationship and create a ratio of the risk to the cost (i.e., risk/cost). A ratio that is less than 1 will indicate that the cost of the mechanism is greater than the risk associated with the threat. This is generally not an acceptable situation (and may be hard to justify) but should not be automatically dismissed. Consider that the risk value is a function of both the loss measure and the likelihood measure. One or both of these may represent something so critical about the asset that the costly mechanism is justified. This situation may occur when using simple methodologies such as this one.
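The risk/cost screening described in Figure 3.7, as an added worked example in Python that is not part of FIPS PUB 191 itself. It assumes that loss and likelihood are scored on a 1 to 3 scale, that the risk measure is their product, and that cost is scored in the same relative units; the candidate entries are constructed sample values, with the weak-password pair mirroring the example given in the text.

```python
from dataclasses import dataclass

SCALE_MAX = 3  # assumed top of the 1..3 loss/likelihood scale ("critical")

@dataclass
class Candidate:
    threat: str
    mechanism: str
    loss: int        # loss measure for the asset the threat affects
    likelihood: int  # likelihood measure for the threat
    cost: int        # cost measure for the candidate mechanism (same relative units)

def risk_measure(loss: int, likelihood: int) -> int:
    """Risk as a function of loss and likelihood (assumed here: their product)."""
    return loss * likelihood

def risk_cost_ratio(c: Candidate) -> float:
    """The Figure 3.7 ratio: risk measure divided by cost measure."""
    return risk_measure(c.loss, c.likelihood) / c.cost

def classify(c: Candidate) -> str:
    """Figure 3.7 rule: a ratio below 1 means the mechanism costs more than the risk
    it addresses and is hard to justify, but a loss or likelihood measure at the top
    of the scale marks the asset as critical, so the mechanism is kept for review."""
    if risk_cost_ratio(c) >= 1:
        return "justified"
    if c.loss == SCALE_MAX or c.likelihood == SCALE_MAX:
        return "review"
    return "hard to justify"

def screen(candidates: list[Candidate]) -> list[tuple[str, str, float, str]]:
    """Tabulate ratio and verdict for every candidate, highest ratio first."""
    rows = [(c.threat, c.mechanism, round(risk_cost_ratio(c), 2), classify(c))
            for c in candidates]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample values; the weak-password pair mirrors the text's example.
SAMPLE = [
    Candidate("weak passwords", "password generator", loss=2, likelihood=3, cost=1),
    Candidate("weak passwords", "token-based authentication", loss=2, likelihood=3, cost=3),
    Candidate("eavesdropping on the LAN", "link encryption", loss=3, likelihood=1, cost=4),
    Candidate("accidental file deletion", "daily backup", loss=1, likelihood=2, cost=3),
]

if __name__ == "__main__":
    for threat, mechanism, ratio, verdict in screen(SAMPLE):
        print(f"{threat:26} {mechanism:28} risk/cost={ratio:<5} {verdict}")
```

The link-encryption entry shows the caveat from the figure: its ratio is below 1, yet the maximum loss measure keeps it under review rather than dismissed outright.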
If the risk acceptance results indicate that a risk is acceptable (i.e., existing mechanisms are adequate), then there is no need to apply additional mechanisms to the service that already exists.

After the needed security services are determined, consider the list of security mechanisms for each service. For each security service selected, determine the candidate mechanisms that would best provide that service. Using the threat/vulnerability/risk relationships developed in the previous processes, choose those mechanisms that could potentially reduce or eliminate the vulnerability and thus reduce the risk of the threat. In many cases, a threat/vulnerability relationship will yield more than one candidate mechanism. For example, the vulnerability of using weak passwords could be reduced by using a password generator mechanism, by using a token-based mechanism, etc. Choosing the candidate mechanisms is a