Successful attacks and adverse events result from a combination of threats, vulnerabilities, and AIS assets. When a threat takes advantage of a vulnerability and does harm to your AIS assets, a successful attack or adverse event has occurred. Successful attacks and adverse events may be roughly grouped as losses or abuses. You can lose hardware, software, and data. You can lose documentation and supplies. You can lose key staff personnel. Losses often result in denial of service, preventing access to information when it is

Figure 4-1.-AIS assets.

Figure 4-2.-Threats to AIS assets.

needed. Abuse relates to unauthorized access to service, unwanted destruction or alteration of data and software, and unauthorized disclosure of classified information.

We have an adverse event with every fire and with every flood caused by a broken pipe in a computer room. We have a successful attack with every bowling score, recipe, or school paper stored online, and with every computer hacker that plays crash-the-computer or scramble-the-data. Likelihood and Risk

Likelihood and risk relate to successful attacks and adverse events. Likelihood relates to chance-what is the likelihood (probability) that a successful attack or an adverse event will occur? Risk has to do with money; it tells us about the cost of loss or abuse from an adverse event overtime. We first ask, "What is the value of the AIS asset that will be abused or that we will lose if a given successful attack or adverse event occurs?" Then we ask, "How often can we expect that particular attack or event to occur?" Remember, the successful attack or adverse event results from a particular threat exploiting a particular vulnerability. It is very specific reasoning. The greater the value of the AIS asset and the more likely the successfid attack or adverse event, the greater the risk. Figure 4-3 shows this risk analysis concept. Risks are usually expressed in terms of dollars per year, the annual loss expectancy.

Countermeasures

Once the threats and vulnerabilities are known and the likelihood and risk of a successful attack or an adverse event are determined, a plan is developed to set up countermeasures (controls) to lessen or eliminate the vulnerabilities. If you have a countermeasure, you have a protected vulnerability. If you have an unprotected vulnerability, you do not have a countermeasure. Some countermeasures help us prevent adverse events, whereas others detect adverse events. We have measures to minimize the effects of successful attacks or adverse events. We also have measures, called contingency plans, to recover from a successful attack or an adverse event. Figure 4-4 gives an example of each type of security measure strategy as it relates to fire loss. Figure 4-5 shows threats, vulnerabilities, and countermeasures to our assets.

Another way to categorize countermeasures is by type: physical, technical, administrative, and managerial (figure 4-6).

PHYSICAL CONTROLS.- We usually think of physical control first. They include the locked computer room door, physical layout, fire extinguishers, access barriers, air conditioners, moisture detectors, and alarms.

Figure 4-3.-AIS security risk analysis.

TECHNICAL CONTROLS.- Technical controls are embedded in hardware, software, and telecommunications equipment. They are diagnostic circuitry, component redundancies, and memory protect features. They are controls built into the operating system. They include log-on IDs and passwords to enable only authorized users access to the computer system. They are accounting routines, encryption coding, and audit trails.

ADMINISTRATIVE CONTROLS.- Administrative controls concern people and procedures. They include who is authorized to do what, methods to keep track of who enters a sensitive area, who receives a delivery, and who requests a sensitive report. The operating procedures you follow will sometimes include security requirements. You are responsible for adhering to the procedures to ensure AIS requirements are met.