This report is based on 56,000 iterations performed over 56 risk scenarios and 63 capabilities on 2020-04-15 20:25:03+0000.
Total yearly losses are estimated to exceed the organization’s major risk threshold of $50,000,000 in 0% of simulated years.
The following table shows the 95th percentile Value at Risk (VaR), maximum, mean, and minimum annual losses.
Value at Risk | Maximum Loss | Mean Loss | Minimum Loss |
---|---|---|---|
$22,282,758 | $42,171,518 | $13,820,108 | $5,166,501 |
The following loss exceedance curve is a common way to review expected losses in a year: it shows how often total annual losses exceed any given level. The 80% line shows that a loss of at least $4,223,248 occurs in four out of five simulated years when outlier scenarios are excluded, or at least $10,142,053 when they are included.
The top three information security program domains with the largest likely losses are Information Security Incident Management, Physical and Environmental Security, and Compliance. The losses associated with each domain of the program are described in the following table.
Domain | Value at Risk | Maximum | Mean (Average) | Minimum | Standard Deviation |
---|---|---|---|---|---|
Information Security Incident Management | $6,691,612 | $9,367,780 | $4,465,097 | $1,513,809 | $1,302,761 |
Physical and Environmental Security | $4,644,610 | $11,578,463 | $430,896 | $0 | $1,759,657 |
Compliance | $4,077,983 | $6,145,570 | $2,598,394 | $743,762 | $869,087 |
Information Security Management Program | $3,963,943 | $5,468,451 | $2,474,047 | $663,743 | $807,195 |
Organization of Information Security | $3,237,394 | $5,326,646 | $1,907,368 | $280,905 | $758,155 |
Human Resources Security | $1,120,515 | $1,855,731 | $622,980 | $44,730 | $275,654 |
Access Control | $1,083,095 | $1,450,198 | $599,813 | $15,054 | $266,695 |
Communications and Operations Management | $533,819 | $1,151,143 | $251,152 | $43,936 | $148,927 |
Privacy Practices | $436,371 | $786,643 | $159,156 | $0 | $147,745 |
Asset Management | $58,655 | $321,407 | $27,463 | $1,138 | $32,002 |
Risk Management | $15,102 | $321,986 | $5,762 | $0 | $30,204 |
Information Systems Acquisition, Development, and Maintenance | $0 | $304,163 | $4,741 | $0 | $27,386 |
Business Continuity Management | $0 | $12,660,540 | $273,071 | $0 | $1,414,699 |
Security Policy | $0 | $8,246 | $169 | $0 | $937 |
Each scenario generates a number of threat contact events in which the threat community has an opportunity to act against the organization’s assets and cause a loss. Whenever the threat community acts and the organization’s capabilities prevent the attack, no loss occurs and a contained event is recorded in the simulation. Each threat community action that is not prevented by the organization’s capabilities is recorded as a loss event. The distribution of loss versus contained events, and the average control strength gap or surplus, is displayed below.
All of the scenarios are ranked against one another based upon their value at risk. The top five scenarios are:
Scenario ID | Scenario | Median Annual Loss | Value at Risk |
---|---|---|---|
PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $0 | $4,500,548 |
IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $2,500,580 | $4,073,422 |
ISMP - RS-54 | Key areas of the security program are not managed. | $2,410,077 | $3,963,943 |
COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $2,314,387 | $3,874,253 |
IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. | $1,173,944 | $2,157,974 |
A list of all evaluated risk scenarios is in Appendix A.
Threats most frequently overcome the control capabilities, resulting in losses, in the domains of Asset Management (99.66% of threat events), Access Control (98.97%), and Information Security Management Program (95.84%); Information Systems Acquisition, Development, and Maintenance follows at 67.19%. The table below is ordered alphabetically by domain, not by rate. Control Gap is the mean shortfall of control strength against threat capability; Surplus Control Strength is the mean margin of control strength over threat capability.
Domain | Successful Threat Events | Control Gap | Surplus Control Strength |
---|---|---|---|
Access Control | 98.97% | 34.472% | 25.15% |
Information Systems Acquisition, Development, and Maintenance | 67.19% | 11.386% | 6.02% |
Asset Management | 99.66% | 36.666% | 4.15% |
Business Continuity Management | 0.68% | 11.904% | 50.78% |
Compliance | 45.14% | 16.681% | 16.21% |
Human Resources Security | 50.18% | 30.727% | 15.16% |
Information Security Incident Management | 57.80% | 15.263% | 13.17% |
Information Security Management Program | 95.84% | 11.790% | 2.15% |
Communications and Operations Management | 47.66% | 46.837% | 22.29% |
Organization of Information Security | 33.34% | 3.757% | 6.37% |
Physical and Environmental Security | 2.49% | 20.461% | 32.62% |
Security Policy | 0.13% | 6.471% | 29.18% |
Privacy Practices | 4.85% | 3.803% | 32.89% |
Risk Management | 0.42% | 13.514% | 46.71% |
The focus section allows in-depth coverage of any scenarios that are of particular leadership interest. By highlighting those scenarios of particular interest to your decision makers (e.g. ransomware), you can address hot topics of interest without losing sight of the overall risk environment. You can delete this section if there are no particular areas of focus.
Scenario: Unauthorized access to or use of information and systems (AC - RS-51).
Measure | Value |
---|---|
Value at Risk | $1,083,095 |
Vulnerability (% of events resulting in loss) | 100% |
Mean Control Gap | 34% |
Maximum Annual Loss | $1,450,198 |
Median Annual Loss | $579,625 |
Maximum Single Loss | $440,835 |
Median Single Loss | $80,786 |
Scenario: External auditors find compliance issues with regulations and standards not identified via internal processes (COMP - RS-12).
Measure | Value |
---|---|
Value at Risk | $0 |
Vulnerability (% of events resulting in loss) | 8% |
Mean Control Gap | 2% |
Maximum Annual Loss | $152,703 |
Median Annual Loss | $0 |
Maximum Single Loss | $152,703 |
Median Single Loss | $0 |
Some scenarios have values at risk far above the mean VaR across all scenarios of $497,503. These scenarios are outliers. When they are plotted alongside the non-outlier scenarios, the detail of the remaining scenarios is lost. Portions of this report therefore exclude outliers to avoid distorting the results; graphs and tables that display filtered data are clearly noted. The outlier scenarios are:
Scenario ID | Description | Value at Risk | Median | Maximum |
---|---|---|---|---|
PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $4,500,548 | $0 | $11,437,634 |
IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $4,073,422 | $2,500,580 | $5,572,632 |
ISMP - RS-54 | Key areas of the security program are not managed. | $3,963,943 | $2,410,077 | $5,468,451 |
COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $3,874,253 | $2,314,387 | $5,432,649 |
The security strategic risk assessment process implemented by the Evaluator toolkit is based upon the industry standard OpenFAIR methodology. Expert opinion is polled on the threats, capabilities, and probable loss magnitudes associated with key risk scenarios. The Evaluator toolkit runs a Monte Carlo model on this information to generate a dollar-quantified exposure for each scenario.
Risks are ranked by the economic Value at Risk (VaR). VaR is a summary statistic (the 95th percentile of simulated annual loss) and should only be used to rank items at the same level of granularity. A domain’s VaR is the 95th percentile of the domain’s per-iteration total, not the sum of its scenarios’ VaRs: a percentile of a sum is not the sum of percentiles. The VaR totals for domains should therefore not be compared directly with the VaR of the individual scenarios that make up those domains.
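To make that caveat concrete, here is an added example that is not code from the Evaluator toolkit. It sums constructed per-iteration annual losses across a domain’s scenarios, takes the 95th percentile of that total, and compares it with the sum of the scenarios’ own VaRs. The loss series and the scenario labels RS-A to RS-D are invented for illustration.

```python
"""Added example (not the Evaluator toolkit's code): why a domain's VaR cannot
be read against the VaRs of the scenarios inside it. The loss series below are
constructed per-iteration annual losses standing in for simulation output."""


def var_at(losses, pct=95):
    """Nearest-rank percentile: the smallest loss that at least pct% of the
    iterations do not exceed. Integer arithmetic avoids float rounding of the rank."""
    if not losses:
        raise ValueError("need at least one iteration")
    ranked = sorted(losses)
    rank = (pct * len(ranked) + 99) // 100          # ceil(pct/100 * n)
    return ranked[max(rank, 1) - 1]


def domain_losses(scenarios):
    """Sum losses across scenarios within each iteration (the iteration/scenario
    pairing the report describes), giving the domain's per-iteration annual loss."""
    lengths = {len(series) for series in scenarios.values()}
    if len(lengths) != 1:
        raise ValueError("every scenario must have the same number of iterations")
    return [sum(iteration) for iteration in zip(*scenarios.values())]


def compare(scenarios, pct=95):
    """Return (sum of the scenarios' VaRs, VaR of the domain total)."""
    summed = sum(var_at(series, pct) for series in scenarios.values())
    return summed, var_at(domain_losses(scenarios), pct)


# Constructed data: 20 simulated years per scenario, invented for illustration.
# Case 1: two scenarios whose bad years never coincide. Each has a VaR of 100,
# but the domain never sees both spikes in one year, so its VaR is only 110.
DISJOINT_TAILS = {
    "RS-A": [100, 100] + [10] * 18,
    "RS-B": [10] * 18 + [100, 100],
}

# Case 2: rare spikes, like a scenario with a $0 median and a large VaR. Each
# scenario's single spike lies above its own 95th percentile, so each scenario's
# VaR is 0, yet the domain's 95th percentile picks the spikes up.
RARE_SPIKES = {
    "RS-C": [1000] + [0] * 19,
    "RS-D": [0, 1000] + [0] * 18,
}

if __name__ == "__main__":
    for name, data in (("disjoint tails", DISJOINT_TAILS), ("rare spikes", RARE_SPIKES)):
        summed, domain = compare(data)
        print(f"{name}: sum of scenario VaRs = {summed}, domain VaR = {domain}")
```

Summing scenario VaRs overstates the domain in the first case and understates it in the second, which is why the two levels are ranked separately.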
The organization categorizes its security program into 14 domains in order to systematically review risk. These domains are:
Domain ID | Domain |
---|---|
AC | Access Control |
ASSET | Asset Management |
BC | Business Continuity Management |
OPS | Communications and Operations Management |
COMP | Compliance |
HR | Human Resources Security |
IM | Information Security Incident Management |
ISMP | Information Security Management Program |
ADM | Information Systems Acquisition, Development, and Maintenance |
ORG | Organization of Information Security |
PHY | Physical and Environmental Security |
PRI | Privacy Practices |
RISK | Risk Management |
POL | Security Policy |
The security team and key subject matter experts formed a consensus opinion on the maturity level of the 63 capabilities which make up the 14 security program domains. The group assessed each capability against a five-level capability maturity model (patterned after the CMMI model), ranging from initial (level 1) through optimizing (level 5). These capability ratings are used to create a distribution of simulated capability effectiveness over the course of a year, ranging from 100% (completely effective) to 0% (completely ineffective).
The full capabilities catalog is included as Appendix B.
Each domain of the security program has one or more risk scenarios addressed by that portion of the program. These scenarios are made up of:
Working through the scenario list, the security team assigned qualitative ratings to each of these frequency, strength, and loss elements.
Each of the qualitative labels is mapped to a set of parameters describing a beta pert distribution. These distributions are used to run simulations over each risk scenario. Within a given iteration, a scenario is evaluated for potential losses using:
This process generates several outputs:
Total risk is the sum of annual expected losses across all 56 scenarios within an iteration.
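The simulation steps described above (threat contact events, contained versus loss events, betaPERT-distributed inputs, and a per-iteration annual loss), as an added example in Python that is not the Evaluator toolkit’s code. The betaPERT parameters, the seed, and the choice to draw control strength once per simulated year are assumptions made for illustration; the report does not show its own mapping from qualitative ratings to distribution parameters.

```python
"""Added example, not the Evaluator toolkit's own code: a minimal OpenFAIR-style
Monte Carlo for one risk scenario. All parameter values are assumptions."""
import random
import statistics


def pert(rng, low, mode, high, shape=4.0):
    """Draw one betaPERT(low, mode, high) value by rescaling a Beta draw.

    Uses the standard PERT construction with lambda = 4, so the mean of the
    distribution is (low + 4*mode + high) / 6.
    """
    if not low <= mode <= high:
        raise ValueError("need low <= mode <= high")
    if high == low:                      # degenerate rating: a point value
        return float(low)
    a = 1 + shape * (mode - low) / (high - low)
    b = 1 + shape * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def pert_samples(n, low, mode, high, seed=0):
    """n betaPERT draws from a seeded generator (handy for sanity checks)."""
    rng = random.Random(seed)
    return [pert(rng, low, mode, high) for _ in range(n)]


def simulate_scenario(tef, tcap, diff, lm, iterations=1000, seed=0):
    """Simulate `iterations` years of one scenario and return
    (annual loss per year, contained events, loss events).

    tef  -- threat event frequency per year, (low, mode, high)
    tcap -- threat capability on a 0..1 scale, (low, mode, high)
    diff -- control strength on a 0..1 scale, (low, mode, high)
    lm   -- loss magnitude per loss event in dollars, (low, mode, high)

    Assumption: control strength is drawn once per simulated year (it is a
    property of the organization's capabilities), while threat capability and
    loss magnitude are drawn per event.
    """
    rng = random.Random(seed)
    annual, contained, losses = [], 0, 0
    for _ in range(iterations):
        events = round(pert(rng, *tef))      # threat contact events this year
        strength = pert(rng, *diff)
        year_loss = 0.0
        for _ in range(events):
            # The threat community acts. If its capability does not exceed the
            # control strength the event is contained; otherwise it is a loss
            # event and a loss magnitude is drawn for it.
            if pert(rng, *tcap) > strength:
                losses += 1
                year_loss += pert(rng, *lm)
            else:
                contained += 1
        annual.append(year_loss)
    return annual, contained, losses


def summarize(annual, contained, losses):
    """The per-scenario statistics shown in the report's tables."""
    total = contained + losses
    return {
        "var_95": statistics.quantiles(annual, n=20)[-1],   # 95th percentile
        "mean": statistics.fmean(annual),
        "median": statistics.median(annual),
        "max": max(annual),
        "vulnerability": losses / total if total else 0.0,  # share of events lost
    }


if __name__ == "__main__":
    # Constructed ratings for an unauthorized-access style scenario.
    result = simulate_scenario(
        tef=(5, 10, 20), tcap=(0.4, 0.6, 0.9), diff=(0.3, 0.5, 0.7),
        lm=(5_000, 80_000, 450_000), iterations=1000, seed=42)
    for key, value in summarize(*result).items():
        print(f"{key:>13}: {value:,.2f}")
```

Run stand-alone it prints the VaR, mean, median, maximum and vulnerability for the constructed ratings. Summing the `annual` series of several scenarios within each iteration, before taking percentiles, is the aggregation the report uses for domain and total risk.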
Recommendations are left for the analyst to complete. Include both security improvement projects (increasing the strength of controls) and analysis improvement projects (increasing the quality of the input data).
Document the approved or proposed key risk management projects for the coming planning period (typically yearly). These projects should address the findings from the simulated scenarios by improving controls, reducing loss impact, or transferring risk. Describe each project in terms of its cost versus the expected amount of reduced loss exposure.
The objective of a risk analysis is to provide better information and to reduce uncertainty in making strategic resource allocation decisions. As part of this decision process, consider if additional information is needed to perform a better risk analysis. Additional data or higher confidence data may reduce the variability in your projections.
Typical areas for additional data include:
Scenarios should be prioritized for treatment by the size of their value at risk (VaR); ranking scenarios by VaR yields a prioritized list of scenarios to address.
The following figure shows each scenario’s mean single loss size plotted against the median number of loss events. The size of the circle represents the median annual loss total for that scenario.
Overall frequency of loss events is displayed at the domain and at the scenario level.
The number of loss events associated with a domain is the sum of the loss events that occur for each scenario within the domain. To calculate domain-level loss frequency, events are summed within each iteration/scenario pairing, then re-summarized at the domain level.
Full descriptive statistics are shown on a domain-level summary of loss events.
Domain | Mean | Sd | Median | Min | Max | Range | Skew | Kurtosis |
---|---|---|---|---|---|---|---|---|
AC | 6.12 | 2.09 | 6 | 1 | 12 | 11 | 0.13 | -0.55 |
ADM | 0.04 | 0.2 | 0 | 0 | 1 | 1 | 4.5 | 18.26 |
ASSET | 6.23 | 2.14 | 6 | 1 | 13 | 12 | 0.14 | -0.53 |
BC | 0.04 | 0.2 | 0 | 0 | 1 | 1 | 4.56 | 18.81 |
COMP | 26.46 | 7.95 | 26 | 10 | 52 | 42 | 0.42 | -0.33 |
HR | 12.29 | 4.21 | 12 | 2 | 24 | 22 | 0.15 | -0.52 |
IM | 63.31 | 16.55 | 62 | 26 | 118 | 92 | 0.32 | -0.42 |
ISMP | 25.13 | 7.44 | 24 | 10 | 48 | 38 | 0.38 | -0.44 |
OPS | 33.84 | 8.2 | 33 | 15 | 58 | 43 | 0.37 | -0.26 |
ORG | 23.61 | 7.27 | 23 | 5 | 49 | 44 | 0.33 | -0.19 |
PHY | 0.16 | 0.61 | 0 | 0 | 3 | 3 | 3.81 | 13.2 |
POL | 0.04 | 0.2 | 0 | 0 | 1 | 1 | 4.56 | 18.81 |
PRI | 1.57 | 1.23 | 1 | 0 | 8 | 8 | 0.75 | 0.62 |
RISK | 0.05 | 0.22 | 0 | 0 | 1 | 1 | 4.03 | 14.25 |
The following figure shows the kernel density of annualized loss events by domain. This graph may be used to view the relative concentration of loss events at a domain level. All domains are skewed positively, indicating that loss events cluster toward the lower end of their ranges.
Scenarios with significantly more loss events than average may be worth additional review. A z-score is calculated for each scenario’s mean loss frequency; a z-score greater than two means the scenario experiences more loss events than average by more than two standard deviations.
The mean (average) loss frequency and the associated z-scores are shown for all scenarios whose average loss frequency exceeds one event every two years (mean greater than 0.5).
Scenario ID | Scenario | Mean Loss Events | Z-Score |
---|---|---|---|
OPS - RS-28 | Unknown attack intelligence results in undetected events. | 26.0 | 3.3 |
IM - RS-50 | Inadequate response results in inappropriate internal use of data. | 26.0 | 3.29 |
ISMP - RS-54 | Key areas of the security program are not managed. | 25.0 | 3.14 |
COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | 25.0 | 3.05 |
IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. | 12.0 | 1.3 |
IM - RS-39 | External attackers breach technical controls and gain unauthorized access to systems and networks. | 12.0 | 1.3 |
ORG - RS-01 | Inadequate human resources are available to execute the information security strategic security plan. | 7.0 | 0.57 |
ORG - RS-02 | Budget does not adequately support the information security strategic plan. | 7.0 | 0.57 |
HR - RS-25 | Through insufficient training, workforce members cannot identify (or fail to report) potential information security incidents, resulting in loss from undetected attacks. | 6.0 | 0.37 |
OPS - RS-29 | Unknown incidence of security breach | 6.0 | 0.37 |
ASSET - RS-45 | Loss of information assets due to misclassification and non-classification. | 6.0 | 0.37 |
AC - RS-51 | Unauthorized access to or use of information and systems. | 6.0 | 0.37 |
IM - RS-19 | Organizational security team cannot identify nor correct root cause of information breach, resulting in rework. | 6.0 | 0.37 |
HR - RS-24 | Changing cultural norms on the use of data combined with insufficient education results in privacy violations. | 6.0 | 0.37 |
ORG - RS-05 | The information security function implements a strategy that has unanticipated consequences on the institution, interfering with other stated business objectives. | 4.0 | 0.1 |
IM - RS-21 | Failure to address security incidents results in reputation loss. | 3.0 | -0.09 |
IM - RS-40 | Unintended consequence of implemented information security controls on workforce or connected devices. | 3.0 | -0.09 |
ORG - RS-04 | Increased negligence by workforce members due to lack of appropriate delegated authority and security support. | 3.0 | -0.12 |
COMP - RS-10 | Internal workforce members execute financial fraud, embezzlement, or information theft made possible through lack of internal controls. | 2.0 | -0.24 |
ORG - RS-03 | Competing priorities within the institution results in inability to execute the information security strategic security plan. | 2.0 | -0.27 |
PRI - RS-18 | Systemic noncompliance with privacy laws, regulations, and contractual agreements. | 2.0 | -0.3 |
OPS - RS-30 | Lack of monitoring demonstrates failure to take due care, resulting in non-compliance with associated laws and regulations. | 1.0 | -0.33 |
Higher than average number of loss events does not imply high risk. Even with more numerous loss events, the total size of losses – the key element for ranking risk – may be small. The size of losses is explored in the loss magnitude section. The following figure displays density diagrams of loss events for each individual scenario. This chart can be used to identify scenarios with a high probability of occurring more frequently than others.
This figure shows the range of expected annual losses (ALE) for all cases where losses occur.
This section provides additional analysis into the organization’s security risk profile.
Heatmap of Value at Risk by domain.
This figure shows the range of expected annual losses by domain.
There are four domains (COMP, PHY, IM, and ISMP) with annual loss ranges that far exceed the others. The domains that contain these scenarios are plotted separately to identify the outlying scenarios.
Repeating the above plot across all the scenarios with the outliers removed allows examination of the remaining scenarios without distortion.
Risk is reported as the 95th percentile Value at Risk measure across all of the simulated scenarios (sum of scenario ALEs). While this is generally the best representation of an organization’s risk exposure, alternative measures are possible. The following graph shows a histogram for all non-zero loss events with an overlaid density plot for both the standard VaR and the median ALE measure as an alternative.
Fragile scenarios are scenarios where a single control protects against loss. While the single control may be effective against the threat community, these scenarios should be reviewed to see if additional controls are warranted.
Domain | Scenario ID | Scenario |
---|---|---|
Information Security Incident Management (IM) | RS-52 | Inability to respond to litigation holds. |
Information Security Incident Management (IM) | RS-53 | Inability to respond to HR investigations results in avoidable adverse judgements. |
Supplemental details are included as appendices.
Scenario ID | Scenario |
---|---|
AC - RS-48 | Unauthorized access to or use of information and systems results in inappropriate use by internal users. |
AC - RS-51 | Unauthorized access to or use of information and systems. |
ADM - RS-56 | Malfunction of business application and system software. |
ASSET - RS-45 | Loss of information assets due to misclassification and non-classification. |
ASSET - RS-46 | Misclassification due to data aggregation. |
ASSET - RS-47 | Lack of accountability for critical information and systems results in inappropriate control and inventory. |
BC - RS-31 | Business disruption and non-recovery of data. |
BC - RS-55 | Damage to or loss of information system due to natural disaster at physical facility. |
COMP - RS-09 | New or changing privacy regulations are not implemented in organizational IT systems. |
COMP - RS-10 | Internal workforce members execute financial fraud, embezzlement, or information theft made possible through lack of internal controls. |
COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. |
COMP - RS-12 | External auditors find compliance issues with regulations and standards not identified via internal processes. |
HR - RS-24 | Changing cultural norms on the use of data combined with insufficient education results in privacy violations. |
HR - RS-25 | Through insufficient training, workforce members cannot identify (or fail to report) potential information security incidents, resulting in loss from undetected attacks. |
HR - RS-26 | Misuse of information assets or user errors (data entry errors, omissions, inadvertent acts or carelessness). |
HR - RS-27 | Successful social engineering attacks result in information or financial loss. |
IM - RS-19 | Organizational security team cannot identify nor correct root cause of information breach, resulting in rework. |
IM - RS-20 | Lack of incident handling results in noncompliance with laws, regulations, and contractual agreements. |
IM - RS-21 | Failure to address security incidents results in reputation loss. |
IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. |
IM - RS-23 | Inadequate investigation results in inappropriate notifications. |
IM - RS-37 | Destruction, misuse, or modification of information assets through breach of technical controls. |
IM - RS-38 | Eroding network boundaries result in lack of defenses on systems. |
IM - RS-39 | External attackers breach technical controls and gain unauthorized access to systems and networks. |
IM - RS-40 | Unintended consequence of implemented information security controls on workforce or connected devices. |
IM - RS-50 | Inadequate response results in inappropriate internal use of data. |
IM - RS-52 | Inability to respond to litigation holds. |
IM - RS-53 | Inability to respond to HR investigations results in avoidable adverse judgements. |
ISMP - RS-54 | Key areas of the security program are not managed. |
OPS - RS-28 | Unknown attack intelligence results in undetected events. |
OPS - RS-29 | Unknown incidence of security breach |
OPS - RS-30 | Lack of monitoring demonstrates failure to take due care, resulting in non-compliance with associated laws and regulations. |
OPS - RS-32 | Changing or adding software without authorization results in system performance or data disclosure. |
OPS - RS-33 | Malfunction of business application and system software. |
OPS - RS-34 | Lack of ability to respond to targeted malware (Trojan horse, spyware, BOTS, worms, and viruses) results in compromise of data assets. |
OPS - RS-35 | Breach through technical controls results in reportable significant unauthorized disclosure of data. |
OPS - RS-36 | Unforeseen effect of changes to software, computer, and communications equipment. |
ORG - RS-01 | Inadequate human resources are available to execute the information security strategic security plan. |
ORG - RS-02 | Budget does not adequately support the information security strategic plan. |
ORG - RS-03 | Competing priorities within the institution results in inability to execute the information security strategic security plan. |
ORG - RS-04 | Increased negligence by workforce members due to lack of appropriate delegated authority and security support. |
ORG - RS-05 | The information security function implements a strategy that has unanticipated consequences on the institution, interfering with other stated business objectives. |
PHY - RS-41 | Damage to or loss of information systems and network services through terror-related physical attack. |
PHY - RS-42 | Damage to or loss of physical facility through natural disaster. |
PHY - RS-43 | Inappropriate release of information assets through physical disclosure. |
PHY - RS-44 | Theft or loss of physical assets. |
POL - RS-06 | Inconsistent interpretation or insecure actions by workforce. |
POL - RS-07 | Misuse of information assets. |
POL - RS-08 | Noncompliance with laws, regulations, and contractual agreements. |
PRI - RS-17 | Internal user inappropriate use or misuse of information. |
PRI - RS-18 | Systemic noncompliance with privacy laws, regulations, and contractual agreements. |
PRI - RS-49 | Uncontrolled aggregation, proliferation, and use of data. |
RISK - RS-13 | Inability to accurately forecast the consequences of adopted technologies or innovations. |
RISK - RS-14 | Lack of risk management at leadership level results in inability to adjust strategic and tactical plans to changing external threat environment. |
RISK - RS-15 | Inability to understand specific threats related to attackers. |
RISK - RS-16 | Security failure or instability of providers or partners results in disclosure of organizational data. |
Scenario ID | Scenario | Median Annual Loss | Value at Risk |
---|---|---|---|
IM - RS-50 | Inadequate response results in inappropriate internal use of data. | $2,500,580 | $4,073,422 |
ISMP - RS-54 | Key areas of the security program are not managed. | $2,410,077 | $3,963,943 |
COMP - RS-11 | External attackers locate previously unknown weaknesses in the information security program not revealed through internal controls. | $2,314,387 | $3,874,253 |
IM - RS-22 | Undetected and unremediated security incidents result in unmitigated access. | $1,173,944 | $2,157,974 |
ORG - RS-01 | Inadequate human resources are available to execute the information security strategic security plan. | $682,568 | $1,334,763 |
ORG - RS-02 | Budget does not adequately support the information security strategic plan. | $682,568 | $1,334,763 |
AC - RS-51 | Unauthorized access to or use of information and systems. | $579,625 | $1,083,095 |
HR - RS-25 | Through insufficient training, workforce members cannot identify (or fail to report) potential information security incidents, resulting in loss from undetected attacks. | $567,272 | $1,070,680 |
IM - RS-21 | Failure to address security incidents results in reputation loss. | $254,523 | $643,016 |
IM - RS-40 | Unintended consequence of implemented information security controls on workforce or connected devices. | $254,523 | $643,016 |
ORG - RS-04 | Increased negligence by workforce members due to lack of appropriate delegated authority and security support. | $240,205 | $627,974 |
COMP - RS-10 | Internal workforce members execute financial fraud, embezzlement, or information theft made possible through lack of internal controls. | $144,906 | $494,427 |
ORG - RS-03 | Competing priorities within the institution results in inability to execute the information security strategic security plan. | $134,067 | $484,572 |
PRI - RS-18 | Systemic noncompliance with privacy laws, regulations, and contractual agreements. | $125,748 | $422,796 |
OPS - RS-30 | Lack of monitoring demonstrates failure to take due care, resulting in non-compliance with associated laws and regulations. | $96,838 | $410,892 |
OPS - RS-28 | Unknown attack intelligence results in undetected events. | $87,318 | $141,476 |
IM - RS-39 | External attackers breach technical controls and gain unauthorized access to systems and networks. | $40,830 | $72,629 |
ASSET - RS-45 | Loss of information assets due to misclassification and non-classification. | $20,405 | $37,777 |
OPS - RS-29 | Unknown incidence of security breach | $20,211 | $36,438 |
IM - RS-19 | Organizational security team cannot identify nor correct root cause of information breach, resulting in rework. | $20,094 | $37,509 |
HR - RS-24 | Changing cultural norms on the use of data combined with insufficient education results in privacy violations. | $19,921 | $37,475 |
ORG - RS-05 | The information security function implements a strategy that has unanticipated consequences on the institution, interfering with other stated business objectives. | $13,369 | $29,239 |
PHY - RS-42 | Damage to or loss of physical facility through natural disaster. | $0 | $4,500,548 |
OPS - RS-34 | Lack of ability to respond to targeted malware (Trojan horse, spyware, BOTS, worms, and viruses) results in compromise of data assets. | $0 | $50,437 |
PRI - RS-17 | Internal user inappropriate use or misuse of information. | $0 | $48,745 |
PHY - RS-43 | Inappropriate release of information assets through physical disclosure. | $0 | $48,745 |
IM - RS-20 | Lack of incident handling results in noncompliance with laws, regulations, and contractual agreements. | $0 | $47,602 |
IM - RS-37 | Destruction, misuse, or modification of information assets through breach of technical controls. | $0 | $47,602 |
IM - RS-38 | Eroding network boundaries result in lack of defenses on systems. | $0 | $47,602 |
ASSET - RS-47 | Lack of accountability for critical information and systems results in inappropriate control and inventory. | $0 | $38,939 |
RISK - RS-14 | Lack of risk management at leadership level results in inability to adjust strategic and tactical plans to changing external threat environment. | $0 | $15,102 |
OPS - RS-33 | Malfunction of business application and system software. | $0 | $1,752 |
OPS - RS-35 | Breach through technical controls results in reportable significant unauthorized disclosure of data. | $0 | $938 |
POL - RS-06 | Inconsistent interpretation or insecure actions by workforce. | $0 | $0 |
POL - RS-07 | Misuse of information assets. | $0 | $0 |
POL - RS-08 | Noncompliance with laws, regulations, and contractual agreements. | $0 | $0 |
COMP - RS-09 | New or changing privacy regulations are not implemented in organizational IT systems. | $0 | $0 |
COMP - RS-12 | External auditors find compliance issues with regulations and standards not identified via internal processes. | $0 | $0 |
RISK - RS-13 | Inability to accurately forecast the consequences of adopted technologies or innovations. | $0 | $0 |
RISK - RS-15 | Inability to understand specific threats related to attackers. | $0 | $0 |
RISK - RS-16 | Security failure or instability of providers or partners results in disclosure of organizational data. | $0 | $0 |
IM - RS-23 | Inadequate investigation results in inappropriate notifications. | $0 | $0 |
HR - RS-26 | Misuse of information assets or user errors (data entry errors, omissions, inadvertent acts or carelessness). | $0 | $0 |
HR - RS-27 | Successful social engineering attacks result in information or financial loss. | $0 | $0 |
BC - RS-31 | Business disruption and non-recovery of data. | $0 | $0 |
OPS - RS-32 | Changing or adding software without authorization results in system performance or data disclosure. | $0 | $0 |
OPS - RS-36 | Unforeseen effect of changes to software, computer, and communications equipment. | $0 | $0 |
PHY - RS-41 | Damage to or loss of information systems and network services through terror-related physical attack. | $0 | $0 |
PHY - RS-44 | Theft or loss of physical assets. | $0 | $0 |
ASSET - RS-46 | Misclassification due to data aggregation. | $0 | $0 |
AC - RS-48 | Unauthorized access to or use of information and systems results in inappropriate use by internal users. | $0 | $0 |
PRI - RS-49 | Uncontrolled aggregation, proliferation, and use of data. | $0 | $0 |
IM - RS-52 | Inability to respond to litigation holds. | $0 | $0 |
IM - RS-53 | Inability to respond to HR investigations results in avoidable adverse judgements. | $0 | $0 |
BC - RS-55 | Damage to or loss of information system due to natural disaster at physical facility. | $0 | $0 |
ADM - RS-56 | Malfunction of business application and system software. | $0 | $0 |
Domain ID | Capability |
---|---|
AC | An identity and eligibility verification and registration process is defined, implemented, and maintained. |
AC | A user and system account life cycle management process is defined, implemented, and maintained. |
ADM | A flaw remediation process is defined, implemented, and maintained. |
ADM | Secure application development life cycle or system development life cycle process is defined, implemented, and maintained. |
ASSET | A media & device handling and destruction process is defined, implemented, and maintained. |
ASSET | A process to identify, inventory, assign ownership, and classify institutional information and information systems is defined, implemented, and maintained. |
BC | Business disaster recovery and continuity plans are defined, implemented, and maintained. |
BC | Systematic backup process for critical information and software is defined, implemented, and maintained. |
COMP | The information security program supports the privacy and information security compliance efforts, and business requirements. |
COMP | Security compliance for all critical systems and networks is reviewed on a periodic basis. |
HR | Provide community outreach and collaborate with other organizations. |
HR | Provide content and support for an information security and privacy awareness and education program for workforce members. |
HR | Provide content review and support education efforts for all associated information security policies, including employee roles and responsibilities. |
HR | Ensure workforce member security responsibilities are defined according to security policy and communicated. |
IM | An incident management process is defined, implemented, and maintained. |
IM | Working relationships are established with third party contracted services, counter-intelligence experts, regional organizations, and researchers working in the field of incident response. |
IM | Forensic investigation capabilities are established and available for incident response. |
IM | Information security incidents are identified, responded to, mitigated, and documented. |
IM | A process exists and is implemented for performing litigation holds. |
ISMP | An information security framework is established to guide the implementation of the information security program. |
ISMP | Information security activities are supported by trained information security professionals. |
ISMP | Roles and responsibilities are established and clearly defined for all information security positions. |
OPS | Baseline measurement processes for application, system, and network activity are defined, implemented, and maintained. |
OPS | Intrusion detection mechanism is defined, implemented, and maintained. |
OPS | Logging process of network, systems, and applications is defined, implemented, and maintained. |
OPS | Monitoring capability of critical systems is defined, implemented, and maintained. |
OPS | A change and configuration management process is defined, implemented, and maintained. |
OPS | A flaw remediation process is defined, implemented, and maintained. |
OPS | A media & device handling and destruction process is defined, implemented, and maintained. |
OPS | An acceptable use standard is defined, implemented, and maintained. |
OPS | Business disaster recovery and continuity plans are defined, implemented, and maintained. |
OPS | Institutional hardware, software, system build, and maintenance standards are defined, implemented, and maintained. |
OPS | Privacy and information security technical architecture standards are defined, implemented, and maintained. |
OPS | A cryptographic process and data protection standard is defined, implemented, and maintained. |
OPS | A remote and external access process is defined, implemented, and maintained. |
OPS | An access authorization process for all authorized users and information systems is defined, implemented, and maintained. |
OPS | An authentication mechanism for all authorized users and information systems is defined, implemented, and maintained. |
OPS | Network, system, and application level protection measures are defined, implemented, and maintained. |
OPS | A data destruction or disposal process is defined, implemented, and maintained. |
ORG | A senior-level committee provides dedicated oversight for privacy and information security activities. |
ORG | Delegated authority is established for incident response. |
ORG | Information security activities between departments are coordinated. |
ORG | Senior management’s strategy and direction for the information security program is established and commitment is demonstrated. |
ORG | Self-assessment of the information security program operations, activities, and strategic plan effectiveness is completed and reported on a periodic basis. |
ORG | Verification of reasonable and appropriate information security controls is completed on a periodic basis. |
ORG | Verification of reasonable and appropriate information security controls from third parties that have access to confidential information is completed on a periodic basis. |
ORG | An active intelligence gathering program is defined, implemented, and maintained. |
PHY | Physical access process for buildings that house critical IT facilities is defined, implemented, and maintained. |
PHY | Physical protection process for buildings that house critical IT facilities is defined, implemented, and maintained. |
PHY | Physical protection process for critical information systems and institutional information is defined, implemented, and maintained. |
PHY | The physical security plan is defined, implemented, and maintained. |
POL | A designated group is set up to act as ombudsman for disputes and complaints regarding enterprise wide information security policies and standards. |
POL | External authorities and industry trends are monitored for potential policy implications. |
POL | Policy compliance issues are documented, acknowledged, and periodically reviewed. |
POL | The information security policies are defined, implemented, maintained, and support the business requirements and relevant regulations and laws. |
PRI | Online privacy policy and terms of use statements are defined, implemented, and maintained. |
PRI | Security controls and responsibility for information privacy are defined, implemented, and maintained. |
PRI | Storage and transmission of confidential information is limited to minimum necessary, de-identified when possible, and deleted when no longer needed. |
PRI | The privacy program and policies are defined, implemented, and maintained in cooperation with the Privacy Officer and support the business requirements and relevant regulations and laws. |
RISK | An appropriate risk identification and treatment program related to the access and use of confidential information is defined, implemented, and maintained. |
RISK | Results of risk assessments, including any residual risk exposures, are acknowledged by the risk owners. |
RISK | Risk assessments are completed on all critical applications, systems, and networks on a periodic basis. |
RISK | Summary risk conditions of the enterprise information security program are provided to senior management. |