Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Risk Assessment Applied Risk Management July 2002.

Published byCaroline Grant Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Risk Assessment Applied Risk Management July 2002."— Presentation transcript:

1 Security Risk Assessment Applied Risk Management July 2002

2 What is Risk? Risk is: Something that creates a hazard A cost of doing business Risk can never be eliminated, merely reduced to an acceptable level

3 Risk Management Allocation of resources based upon informed choice To manage risk you must: Understand what must be protected Understand the hostile environment Understand the limits of your control Understand the consequences Risk can then be quantified, prioritized, and lowered to an acceptable level

4 The Elements of Risk Risk includes the following three elements: Asset: the entity requiring protection Threat: the event creating the hostile environment Vulnerability: a deficiency creating the hazard ( Assets may have multiple threats and vulnerabilities ) Threats exploit vulnerabilities to harm an asset

5 The Security Domain The security domain defines limits to organizational control The Security Domain: Is defined by physical and logical perimeter boundaries – Physical walls and fences – External router/firewall interfaces Includes assets that are by definition controllable Establishes scope of Threat Analysis

6 Risk Strategies Risk may be: Mitigated by the deployment of countermeasures Transferred via insurance or assignment Accepted when the cost of protection exceeds harm Strategy selection is based upon Cost Benefit Analysis

7 The Security Risk Assessment Applied Risk Management The Security Risk Assessment is: A method to identify and understand limits to organizational control (scope) A tool to identify organizational assets, threats, and vulnerabilities (threat analysis) A process to quantify hazards based upon probability and harm (risk prioritization) A means to justify risk management strategies and allocation of assets (cost benefit analysis)

8 Risk Assessment Process Define Security Domain Identify assets Identify threats Identify vulnerabilities Determine probability Determine harm Calculate risk Risk may now be managed

9 Assets That which is of value to the organization Tangible Assets Buildings Employees Data processing equipment Intangible Assets Intellectual property Goodwill

10 Threats Realistic events with potential harm Natural Threats Acts of God Accidental Threats Worker Illness Equipment Failure Intentional Threats Asset Theft Asset Tampering

11 Vulnerabilities The chinks in the armor Vulnerabilities may be found in: Location Skills Continuity planning Access controls Network monitoring

12 Probability Frequency in which threat will exploit vulnerability independent of harm Probability of each asset/threat/vulnerability combination should be quantified ProbabilityDefinitionScale NegligibleUnlikely to occur0 Very Low2-3 times every 5 years1 Low<= once per year2 Medium<= once every 6 months3 High<= once per month4 Very High=> once per month5 Extreme=> once per day6

13 Harm Impact if threat exploits vulnerability independent of probability Harm of each asset/threat/vulnerability combination should be quantified HarmDefinitionScale InsignificantNo impact0 MinorNo extra effort required to repair1 SignificantTangible harm / extra effort required to repair2 DamagingSignificant expenditure of resources required Damage to reputation and confidence 3 SeriousExtended outage and / or loss of connectivity Compromise of large amounts of data or service 4 GravePermanent shutdown Complete compromise 5

14 Risk = Probability X Harm Quantification based on both frequency and impact Risk of each asset/threat/vulnerability combination should be calculated ScaleDefinition 0NIL 1-3Low 4-7Medium 8-14High 15-19Critical 20-30Extreme

15 Example Matrix AssetThreatVulnerabilityProbHarmRiskControl Data CenterfloodProximity to river 05NILNot in 100 year flood plain System Administrator AbsenceLack of cross training 42HIGHNo funding. Risk accepted Web ServerDisk crashInsufficient backup 23MEDIUMDaily data backup. Spare hardware onsite Research work theftCommunication channel security 14MEDIUMData Protection Standard requires encryption for external communications. Organization Reputation Server unavailability External internet interfaces 54EXTREMEDDoS filters enabled on all external interfaces

16 Benefits The Security Risk Assessment will: Clarify the limits of control Quantify the threat environment Prioritize and justify business decisions Document due diligence

Download ppt "Security Risk Assessment Applied Risk Management July 2002."

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Risk Analysis Fundamentals and Application Robert L. Griffin International Plant Protection Convention Food and Agriculture Organization of the UN.

Risk Analysis Fundamentals and Application Robert L. Griffin International Plant Protection Convention Food and Agriculture Organization of the UN.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Introducing Computer and Network Security

Introducing Computer and Network Security
IT Governance: Simultaneously Empowers and Controls Source: IT Governance, Chapter 1.

IT Governance: Simultaneously Empowers and Controls Source: IT Governance, Chapter 1.
Stephen S. Yau CSE465-591, Fall 2006 1 Risk Management.

Stephen S. Yau CSE , Fall Risk Management.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Managing Risk in Information Systems Strategies for Mitigating Risk

Managing Risk in Information Systems Strategies for Mitigating Risk
Risk Assessment Frameworks

Risk Assessment Frameworks
Operational Risk Management

Operational Risk Management
Risk Management. RISK RISK = the probability and severity of loss linked to hazards. RISK = the probability and severity of loss linked to hazards. The.

Risk Management. RISK RISK = the probability and severity of loss linked to hazards. RISK = the probability and severity of loss linked to hazards. The.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t ITIL and Business Continuity (Service Perspective) Hepix 2012 Conference Prague, 23-27.

CERN IT Department CH-1211 Genève 23 Switzerland t ITIL and Business Continuity (Service Perspective) Hepix 2012 Conference Prague,
Session 16: Distribution of Geospatial Data 1 Distribution of Geospatial Data in the Public Environment Hazard Mapping and Modeling.

Session 16: Distribution of Geospatial Data 1 Distribution of Geospatial Data in the Public Environment Hazard Mapping and Modeling.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Similar presentations

Ads by Google