Annual Computer Security Applications Conference 2015

M1. Security Risk Management using the Security Engineering Risk Analysis (SERA) Method

Monday, 7 December 2015
08:30 - 12:00

Salon 6A

[This is a full day session.]

Security risk analysis can be employed to reduce design weaknesses in software-reliant systems. During the acquisition and development of software-reliant systems, the focus is primarily on meeting functional requirements within cost and schedule constraints, often deferring security to later life-cycle activities. Operational security vulnerabilities generally have three main causes: (1) design weaknesses, (2) implementation/coding vulnerabilities, and (3) system configuration errors. Addressing design weaknesses as soon as possible is especially important because these weaknesses are not corrected easily after a system has been deployed. Remediation normally requires extensive redesign of the system, which is costly and often proves to be impractical. Determining the importance of a security risk requires connecting it to mission impact. The SERA method provides systems engineers with a structure to connect desired system functionality with the underlying software to evaluate the sufficiency of requirements for software security and the potential operational security risks based on mission impact.

This method was used to develop security guidelines for the implementation of the Wireless Emergency Alerting (WEA) capability in April 2013.  This approach has also been applied to meet the NIST Risk Management Framework requirements as described in NIST 800-37 and the US Department of Defense Program Protection Plan requirements.

Upon completion of this course, students will

Prerequisites. Attendees of this course will need some background or knowledge of security and software to understand the content and examples provided for this course.


  1. Introduction. This module helps students to understand basic risk management concepts in a software assurance context. The importance of considering mission impact when technology fails will be illustrated with examples. This module establishes the value proposition for the SERA method. The primary focus of this module is security risk and its impact on mission success. Students are also provided a brief introduction to the SERA method and its four tasks. Students will be introduced to the Wireless Emergency Alerting system, launched by the Department of Homeland Security in April 2014, which will be used as an example for class exercises in modules 2-5. Topics: Program Risks. Mission Impact of Technology Failures. Early Life-Cycle Security Value Proposition. Risk Management Concepts. Overview of the SERA Method.
  2. Establish Operational Context (Task 1). This module provides an overview of Task 1 of the SERA method. The emphasis of Task 1 is on establishing the operational context for the system being analyzed. Topics: Task 1 Overview. Critical Asset Identification. (Group Exercise).
  3. Identify Risk (Task 2). This module provides an overview of Task 2 of the SERA method. The basic elements of risk are introduced in module 1 of this course; module 3 builds on this foundation by presenting the concept of a risk scenario. Topics: Task 2 Overview. Risk Identification. (Group Exercise).
  4. Analyze Risk (Task 3). This module provides an overview of Task 3 of the SERA method. Here, the risk scenarios identified during Task 2 are prioritized based on their probability and impact values. Topics: Task 3 Overview. Qualitative evaluation of probability, impact, and risk exposure. Example of evaluated risks.
  5. Develop Control Plan (Task 4). This module provides an overview of Task 4 of the SERA method. A control plan is defined and documented for all cybersecurity risks that are not accepted. Risk-mitigation plans typically include actions from the following categories: (1) recognize and respond, (2) resist, and (3) recover. Topics: Task 4 Overview. Control Planning. (Group Exercise).
  6. Examples of SERA in use. This module will review in depth SERA examples drawn from a range of organizations, including commercial mobile service providers, the U.S. Department of Defense, and electrical utility providers. Topics: Patterns of threats that cross domains, consistency with NIST Risk Management Framework, and steps to link SERA to NIST 800-53 controls.
  7. Summary. This module summarizes key concepts presented in the course, shows how well the course met students' expectations, and answers any final questions the students might have.

About the Instructor:

Dr. Carol Woody has been a senior member of the technical staff at the Software Engineering Institute since 2001. Currently she is the technical manager of the CERT Cybersecurity Engineering team which addresses security and survivability throughout the development and acquisition lifecycles, especially in the early stages.  Her work focuses on building capabilities for measuring, managing, and sustaining secure software for highly complex networked systems and systems of systems.  Dr. Woody holds a B.S. in mathematics from the College of William & Mary, an M.B.A. from Wake Forest University, and a Ph.D. in information systems from NOVA Southeastern University.

