1. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative Risk Analysis  Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3: Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary

2. Module 1 Risk Analysis: Qualitative Risk Analysis

3. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 3 Students should be able to: –Recognize the difficulties associated with information security risk analysis –Identify the the two different risk analysis approaches –Understand how a qualitative risk analysis is performed. Risk Analysis Learning Objectives

4. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 4 Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets. It involves the interaction of the following elements: –Assets –Vulnerabilities –Threats –Impacts –Likelihoods –Controls Risk Analysis Risk Analysis Definition

5. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 5 Risk Analysis Concept Map Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000 Threats exploit system vulnerabilities which expose system assets. Security controls protect against threats by meeting security requirements established on the basis of asset values.

6. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 6 Relatively new field Lack of formal models Lack of data Evolving threats Constantly changing information systems and vulnerabilities Human factors related to security No standard of practice Risk Analysis Difficulties with Information Security Risk Analysis

7. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 7 Two Risk Analysis Approaches –Quantitative –Qualitative Risk Analysis Approaches

8. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 8 Quantitative Risk Analysis –Relating to or based on the amount or number of something, capable of being measured or expressed in numerical terms. –Quantitative Risk Analysis computes risks in terms of actual losses Risk Analysis Quantitative Approach

9. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 9 Qualitative Risk Analysis –Based on literal description of risk factors and risk is expressed in terms of its potential. Threats and vulnerabilities are identified and analyzed using subjective judgment. Uses checklists to determine if recommended controls are implemented and if different information systems or organizations are secure. Risk Analysis Qualitative Approach

10. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 10 Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls Usually associate relationships between interrelated factors –Assets: Things of value for the organization –Threats: things that can go wrong Risk Analysis: Qualitative Methodology –Vulnerabilities: Weaknesses that make a system more prone to attack or make an attack more likely to succeed –Controls: These are the countermeasures for vulnerabilities

11. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 11 More practical since it is based on user inference and follows current processes better. It capitalizes on user experience and doesn’t resort to extensive data gathering. Allows for easier valuation of non-tangible assets. Probability data is not required and only estimated potential loss may be used Risk Analysis: Qualitative Methodology, cont’d.

12. Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 12 Risk Analysis Summary Risk analysis involves assessing assets, vulnerabilities, threats, and controls, as well as the impact they have on each other in order to determine risk. Information security risk analysis is a new field and is constantly changing due to introduction of new assets, discovery of new vulnerabilities, presence of new threats, and development of new controls. Two different types of risk analysis exist: –Quantitative, which are based on actual numerical values, and –Qualitative, which involves relative values based on prioritization and expert judgment.