
Conostix S.A. Sensible defence.


Presentation on theme: "Conostix S.A. Sensible defence."— Presentation transcript:

Slide 1: Sensible defence (Conostix S.A., koen@conostix.com)

Slide 2: Introduction (agenda)
- CIA and prevention/detection/response
- Risk management and its pitfalls
- Economic incentives
- Liability/regulation/compliance
- Due care and due diligence
- Technology
- Awareness
- Conclusion

Slide 3: How security works
- To ensure the CIA triad we use:
  - Detection
  - Prevention
  - Response

Slide 4: Today's risk management - Identification of a threat
- Identification: identify the actual threat
- Impact factor: the possible consequences of an attack
- Frequency: the probable frequency of the occurrence of a threat
- Probability: the extent of how confident we are a threat will happen

Slide 5: Today's risk management - Risk analysis goals
- Identification of the current risks
- The cost/benefit justification of the countermeasures
- Influences the decision-making process on hardware, etc.
- Focus security resources where they are needed most

Slide 6: Today's risk management - Risk analysis: key terms
- Threat
- Asset
- Vulnerability
- Safeguard
- Asset value (AV)
- Exposure factor (EF), value in percentage
- Single loss expectancy (SLE), dollar figure (SLE = EF x AV)
- Annualized rate of occurrence (ARO)
- Annualized loss expectancy (ALE = SLE x ARO)

Slide 7: Today's risk management - Risk analysis: quantitative
- Aims to assign tangible values
- Relies on qualitative data
- Process:
  - Estimate potential losses to the assets
  - Analyze potential threats to the assets
  - Define impact and frequency levels
  - Define the ALE
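Slides 5 to 7 give the ALE arithmetic and the cost/benefit goal but do not work them through. The following Python example is added here and is not part of the presentation: it ranks constructed threats by ALE and, going one step beyond the slides, applies the usual countermeasure rule (ALE before minus ALE after minus the safeguard's annual cost), which is an assumption on my part. All threat names, asset values and safeguard figures are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, as a fraction 0..1 (the slide quotes it as a percentage)
    aro: float              # annualized rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = EF x AV."""
        return self.exposure_factor * self.asset_value

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    residual_ef: float   # EF once the safeguard is in place
    residual_aro: float  # ARO once the safeguard is in place


def rank_by_ale(threats: List[Threat]) -> List[Threat]:
    """Highest ALE first: where security resources are needed most."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Yearly cost/benefit of a countermeasure (assumed rule, not stated on the slides):
    ALE before - ALE after - annual cost of the safeguard. Positive means justified."""
    after = Threat(threat.name, threat.asset_value, safeguard.residual_ef, safeguard.residual_aro)
    return threat.ale() - after.ale() - safeguard.annual_cost


# Constructed sample data; the figures are illustrative, not real estimates.
THREATS = [
    Threat("Ransomware on file server", asset_value=200_000, exposure_factor=0.6, aro=0.5),
    Threat("Laptop theft", asset_value=5_000, exposure_factor=1.0, aro=4),
    Threat("Web site defacement", asset_value=50_000, exposure_factor=0.1, aro=2),
]
BACKUPS = Safeguard("Offline backups", annual_cost=15_000, residual_ef=0.2, residual_aro=0.5)
WAF = Safeguard("Managed web application firewall", annual_cost=12_000, residual_ef=0.05, residual_aro=1)

if __name__ == "__main__":
    for t in rank_by_ale(THREATS):
        print(f"{t.name:28s} SLE={t.sle():>10,.0f} ALE={t.ale():>10,.0f}")
    for t, s in ((THREATS[0], BACKUPS), (THREATS[2], WAF)):
        print(f"{s.name} against {t.name}: value per year = {safeguard_value(t, s):,.0f}")
```

With these figures the backups pay for themselves (ALE drops from 60,000 to 20,000 against a 15,000 yearly cost), while the firewall against defacement does not (ALE drops from 10,000 to 2,500 for a 12,000 yearly cost), which is the kind of result slide 5 means by a cost/benefit justification.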

Slide 8: Today's risk management - Risk analysis: qualitative
- Scenario-oriented approach
- Rank threats on a scale to evaluate their risks, costs and outcome
- In contrast to quantitative analysis, a purely qualitative analysis is always possible
- High guess rating

Slide 9: Today's risk management - Pitfalls
- Misunderstanding between risk and certainty
  - A risk is the anticipated frequency of losses
  - Certainties are occurring with high frequency
- Reliance on probability, impact and frequency
  - The unknown controls the probability, frequency and the impact of a future incident

Slide 10: Sensible defence - Economic incentives
- Benefits vs costs
- Economic pressure

Slide 11: Sensible defence - Liability, regulation, compliance
- Laws push standards
- Liability creates awareness
- Regulatory bodies motivate

Slide 12: Sensible defence - Due care and due diligence
- Due care is using reasonable care to protect the interests of an organization
- Due diligence is practicing the activities to maintain the due care efforts
- Common sense security framework

Slide 13: Sensible defence - Technology
- Functionality vs security
  - User friendly does not mean insecure
  - Ease-of-Use + Common Sense = Security
- Privacy vs security
  - Sacrifice privacy for security?
  - Should security protect privacy, or ignore it to enhance security?

Slide 14: Sensible defence - Awareness
- Human intelligence is most important
- Reduce risk without technology
- Limit damage in case of an incident
- Give users insight into the value of company assets and the usage of information systems

Slide 15: Sensible defence - Security is a trade-off
- Sensible defence is balanced security
  - Balance cost vs economic gain
  - Balance liberty vs privacy
  - Balance functionality vs security
  - Liability, legislation and regulation

Slide 16: Sensible defence - Questions?
- Q & A
- Thanks to: my colleagues, Donn Parker, Bruce Schneier, Rebecca Herold
