






Contents
Overview
Lesson: Introduction to Risk Management
Lesson: Creating a Risk Management Plan
Lab A: Analyzing Security Risks

Module 4: Analyzing Security Risks



Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.



© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.




Instructor Notes
This module teaches students how to determine the resources in their
organization that require protection and how to prioritize those resources based
on value. Students will then learn how to develop a risk management plan,
based on the Microsoft Operations Framework (MOF) risk model. They will
also learn to identify and analyze risks proactively and to determine an
appropriate level of protection for each resource.
After completing this module, students will be able to:

Explain the purpose and operation of risk management.

Draft the elements of a risk management plan.

To teach this module, you need Microsoft® PowerPoint® file 2830A_04.ppt.

It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all of the features of the slides may not be displayed
correctly.

To prepare for this module:

Read all of the materials for this module.

Complete the practices.

Complete the lab and practice discussing the answers.

Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.

Visit the Web links that are referenced in the module.

Presentation: 45 minutes

Lab: 45 minutes


How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Introduction to Risk Management
This module, and Module 3, “Identifying Threats to Network Security,”
combine to give students the information that they will use to justify to upper
management the need to allocate time and resources on security. Risk
management in particular enables IT professionals to document realistic needs
based on threats and the likelihood and impact of those threats occurring.
Students will likely debate the categories of the examples provided in the slide.
Explain that the categories are relative and are intended as a starting point for
beginning to prioritize the vast collection of assets on a typical network.
Emphasize that business decision-makers often require financial justification
for expenditures. Calculating asset values and performing quantitative risk
analysis are two ways to use numbers to estimate risk. Acknowledge that the
calculations are only as good as the original numbers used, so ensure that
students do not rely too heavily on the numbers. Explain the term exposure in
the context of this page; it is simply part of a more precise measurement of
probability. The following lesson describes probability and impact in greater
detail.
Use the practices as an opportunity for discussion.
Lesson: Creating a Risk Management Plan
Be sure to read the white paper, MOF Risk Management, under Additional
Reading on the Web page on the Student Materials CD, before teaching this
module. Explain that risk statements are a useful way to state clearly what is at
risk and why.
Risk analysis can become complicated. This page lists examples of both
qualitative and quantitative risk analysis. Explain the similarities between the
two. Also emphasize that quantitative analysis can be performed in many
different ways, and that the method shown on this page is intended as a very
basic example.
Students may confuse avoidance and mitigation. Avoidance seeks to remove
the cause of the threat, sometimes by drastically restricting business operations.
Mitigation seeks to minimize probability and impact through proactive efforts.
In this context, avoidance is a form of severe mitigation. When discussing
answers to lab and review questions, remember the distinction and allow for
class discussion on the topic.
Use the practices as an opportunity for discussion.
Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.
How to Categorize Assets
How to Calculate the Value of Assets
Practice: Categorizing Assets
How to Identify Risks to Assets
How to Analyze Risks to Assets
How to Plan for the Management of Risks
Practice: Analyzing a Risk Management Plan



Lab A: Analyzing Security Threats
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
In this lab, students must perform both qualitative and quantitative risk analysis.
The qualitative analysis consists of a list of risk statements regarding
portable computers and a threat model of the portable computers. Have students
use the risk statements to enter probability and impact values in the threat
model spreadsheet in order to calculate the relative risks involved. Explain to
students that, for the purposes of the labs, the terms portable computer and
laptop are synonymous.

For the qualitative risk analysis in this lab, students open a
Microsoft Excel spreadsheet named R&D Portable Computer Threat Model.xls
and add information to it. They may use this spreadsheet in a subsequent lab.
Ensure that students rename the file and save the spreadsheet to the Lab
Answers folder on their desktops for discussion.

The qualitative answers include best estimates. If the
numbers prove too confusing during lab discussion, use a low-medium-high
range of ranking. Use discrepancies or disagreements among students to
generate discussion. If some students believe that everything is a risk, play the
part of a manager and respond by saying something like, “All of the risks may
be important, but I can only afford to protect against five of them. Which ones
are most important?”


The answers to the qualitative risk analysis are located in the
spreadsheet Lab 4 R&D Portable Computer Threat Model_Suggested
Answers.xls, located in the Answers folder under Webfiles on the Student
Materials CD. Be sure to print the answers out and study them before you
conduct the lab.

For the quantitative risk analysis, students use the values in the e-mails from
Helmut Hornig to calculate the potential savings gained by each of the security
measures listed. Ensure that students do not become hindered by the vagueness
of the scenario. Acknowledge that several details, such as annual asset
depreciation, and the value of the data on the laptops, have been omitted for the
sake of brevity, and tell students to use the information provided to guide their
efforts.
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.


Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.

The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.

Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.


Overview

***************************** ILLEGAL FOR NON-TRAINER USE ******************************
In this module, you will learn how to determine what resources in your
organization require protection and how to prioritize those resources based on
their value. You will then develop a risk management plan, based on the
Microsoft Operations Framework (MOF) risk model, to identify and analyze
risks proactively and to determine an appropriate level of protection for each
resource.
After completing this module, you will be able to:


Explain the purpose and operation of risk management.

Draft the elements of a risk management plan.



Lesson: Introduction to Risk Management

Risk management is the act of examining the relative value of your assets and
then allocating your security resources based on the likelihood of the risk
occurring and the value of the asset. Risk management helps you prioritize your
efforts and spending to secure your network.
After completing this lesson, you will be able to:

Describe the different elements of risk management.

Explain why risk management is important.

Identify common assets to protect.


Categorize assets according to type.

Calculate the value of an asset.



Elements of Risk Management

A risk is the possibility of suffering a loss, and the impact or extent of damage
that would result if the loss occurs. Risk management is the process of
identifying risks, analyzing the risks, and creating a plan to manage the risks.
There are two types of risk analysis:

Qualitative. Ranks risks according to their relative impact on business
operations. Qualitative analysis often requires you to estimate the
probability of a threat and the impact of the threat occurring on a scale of
1 to 10. You then multiply the two numbers for the probability and impact
and use the product to rank the risk relative to other risks.

Quantitative. Places actual values on the probability and impact of threats to
determine how to allocate security resources. Although quantitative risk
analysis uses advanced financial accounting skills, it remains an inexact
science.


Neither qualitative nor quantitative risk analysis is necessarily superior to
the other. Both are essential parts of a risk management strategy.
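
The qualitative method described above (probability and impact each estimated on a scale of 1 to 10, multiplied, and the product used to rank risks) can be worked through as follows. This is an added example, not part of the courseware: the class and function names, the tie-breaking rule, the low/medium/high thresholds and the sample risk statements and values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    statement: str    # what is at risk and why
    probability: int  # estimated likelihood, 1 (rare) to 10 (near certain)
    impact: int       # estimated damage, 1 (minor) to 10 (severe)

    def __post_init__(self):
        # Reject estimates outside the 1-10 scale so one bad entry
        # cannot distort the whole ranking.
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1-10, got {value}")

    @property
    def score(self) -> int:
        return self.probability * self.impact  # relative risk, 1-100


def band(score: int) -> str:
    """Coarse low/medium/high label. Thresholds are assumed, not from the course."""
    return "high" if score >= 50 else "medium" if score >= 20 else "low"


def rank(risks):
    """Highest product first. Equal products are ordered by higher impact,
    then by statement text, so the ranking is stable (assumed tie-break)."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.statement))


def affordable(risks, slots):
    """The top `slots` risks, for when only a few can be funded."""
    return rank(risks)[:slots]


# Constructed sample register for portable computers (illustrative values).
REGISTER = [
    Risk("Laptop stolen while travelling exposes research data", 6, 9),
    Risk("Malware introduced from an untrusted network", 7, 5),
    Risk("Disk failure loses work not yet backed up", 3, 6),
    Risk("User shares password with a colleague", 4, 4),
    Risk("Hardware damaged in transit", 8, 2),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:3d} {band(r.score):6s} P={r.probability} I={r.impact} {r.statement}")
```

The last two sample risks have the same product, which shows why a ranking by product alone needs an explicit tie-break before it is used to allocate resources.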

For more information about managing risk, see:

Risk Management Guide for Information Systems, from the National
Institute of Standards and Technology (NIST), at


The Microsoft white paper, Risk Model for Operations, under Additional
Reading on the Web page on the Student Materials CD.


Why Risk Management Is Important

Risk management helps ensure that your security plan is rational and that you
apply your resources to maximize results. By assessing risks and creating a risk
management plan, you can:

Prioritize security risks. You can rank security risks to your organization
relative to other risks. This helps your organization determine how to
allocate resources to secure the network.

Determine the appropriate amount of security. You can discover the point at
which incremental improvements to security become inefficient and costly.

Justify costs. You can use a quantitative risk analysis to justify the expense
of security personnel, hardware, and software.

Document all potential security issues. Risk management requires a
thorough assessment of threats to your network and their potential impacts.
An organization that chooses to respond to security threats randomly may
overlook critical security issues on its network.

Create metrics. Risk management uses metrics that help you judge the
success of your security plan. You can also use metrics to prepare
compensation plans for executives and security personnel.

For more information about risk management, watch the 25-minute
presentation, Building a Business Case for IT Investments using REJ, at:

mmcdisplay.asp?lang=en&product=103346&task=100006.
Also see the white paper, Rapid Economic Justification, at:



Common Assets to Protect

In addition to protecting physical assets listed in the table, a large part of the
role of security is protecting public confidence and the trust of business
partners. In Generally Accepted Accounting Practices (GAAP), this type of
asset is known as goodwill, which can be placed on financial statements when a
company is sold.
Consider, for example, that an attacker defaced your organization’s Web site.
You notify customers that the attacker has stolen the private information of the
Web site’s users, including their addresses and credit card numbers. In addition
to incurring direct financial losses from lost business, your organization also
suffers a loss of goodwill because the company’s image is tarnished.