Published by Arleen Cobb. Modified over 9 years ago.
Slide 1: Risk Management (CS5493)
Slide 2: Risk Management
The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating risks.
Slide 3: Risk Management
● An ongoing process that has a life-cycle (a sustainability cycle).
Slide 4: Risk Management
● Minimize the effects of negative risks.
● Maximize the effects of positive risks.
Slide 5: Risk Management
● Asset – anything of value.
Slide 6: Risk Management
● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally. A threat is what you wish to protect against.
Slide 7: Risk Management
● Vulnerability – a weakness exploited by threats to compromise assets. A vulnerability is a weakness.
Slide 8: Define a Risk Equation
● Risk = Threats x Vulnerabilities
  – Threats = frequency of an adverse event.
  – Vulnerability = the probability that a threat will succeed.
  – Risk = the resulting risk probability.
Slide 9: Risk Management
● The exposure cost is the product of the risk-probability value and the loss (of the asset) in dollars.
  Cost = RiskProbability * AssetLoss
Slide 10: Example (annual)
● Probability of a fire in the data center resulting in a loss: 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = 0.0075 * 0.15 = 0.001125
Slide 11: Example (annual)
● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = risk probability * value of the asset = 0.001125 * $750,000 = $843.75
Slide 12: Risk Identification
● The process of determining the risks to assets.
● Create the "risk register".
Slide 13: Risk Register
● Creation:
  – Brainstorming meeting to identify the risks
  – Surveys
  – Other events to collect information
Slide 14: Risk Register
● Content:
  – A description of each identified risk
  – Probability of the risk event occurring
  – Steps to mitigate
  – Rank of each risk in the register
  – Impact if the risk event actually occurs, including its cost
Slide 15: Risk Register
● Ranking risks
  – A limited budget will require dropping some perceived risks.
  – Concentrate on the most important issues.
Slide 16: Risk Analysis
● Qualitative
● Quantitative
Slide 17: Risk Analysis
● Qualitative
  – Risk classification
    ● High
    ● Medium
    ● Low
  – Risk impact: how would it impact the overall business?
Slide 18: Risk Analysis
● Quantitative
  – Use math.
Slide 19: Risk Analysis
● Quantitative
  – EF = Exposure Factor
  – SLE = Single Loss Expectancy
    ● SLE = Asset Value x EF
  – ARO = Annual Rate of Occurrence
  – ALE = Annual Loss Expectancy
    ● ALE = SLE x ARO
Slide 20: Quantitative Risk Table

Resource     Risk        Value        EF   SLE          ARO  ALE
Building     Fire        $700,000.00  0.6  $420,000.00  0.2  $84,000.00
File Server  disk crash  $50,000.00   0.5  $25,000.00   0.2  $5,000.00
Data         theft       $200,000.00  0.9  $180,000.00  0.7  $126,000.00
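As an added example (not code from the original slides), the formulas of slides 8 to 11 and 19 to 20 worked in Python: it reproduces the fire-example risk probability and exposure cost, then computes the SLE and ALE of each row of the table above and ranks the register by ALE, as slide 15 suggests for a limited budget. The register values are the deck's own; the class and function names are this example's.

```python
"""Quantitative risk analysis with the deck's own definitions:
Risk = Threats x Vulnerabilities, Cost = RiskProbability * AssetLoss,
SLE = Asset Value x EF, ALE = SLE x ARO. Example code written for this page."""
from dataclasses import dataclass

@dataclass
class RiskEntry:
    resource: str
    risk: str
    asset_value: float   # replacement value in dollars
    ef: float            # Exposure Factor: fraction of the asset lost in one event
    aro: float           # Annual Rate of Occurrence: expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one occurrence (rounded to cents)."""
        return round(self.asset_value * self.ef, 2)

    def ale(self) -> float:
        """Annual Loss Expectancy: expected dollars lost per year."""
        return round(self.sle() * self.aro, 2)

def risk_probability(threat_frequency: float, vulnerability: float) -> float:
    """Slide 8: annual probability of an adverse event times the probability
    that it succeeds against the asset."""
    return round(threat_frequency * vulnerability, 6)

def exposure_cost(risk_prob: float, asset_loss: float) -> float:
    """Slide 9: Cost = RiskProbability * AssetLoss, in dollars."""
    return round(risk_prob * asset_loss, 2)

def rank_register(register: list[RiskEntry]) -> list[RiskEntry]:
    """Slide 15: order risks by ALE, highest first, so a limited budget
    is spent on the largest expected annual losses."""
    return sorted(register, key=lambda e: e.ale(), reverse=True)

# Rows of the Quantitative Risk Table on slide 20.
REGISTER = [
    RiskEntry("Building", "Fire", 700_000.00, 0.6, 0.2),
    RiskEntry("File Server", "disk crash", 50_000.00, 0.5, 0.2),
    RiskEntry("Data", "theft", 200_000.00, 0.9, 0.7),
]

if __name__ == "__main__":
    # Data-center fire example from slides 10 and 11.
    p = risk_probability(0.0075, 0.15)
    print(f"Fire risk probability: {p}, annual loss: ${exposure_cost(p, 750_000):,.2f}")
    for e in rank_register(REGISTER):
        print(f"{e.resource:12} {e.risk:11} SLE=${e.sle():>11,.2f} ALE=${e.ale():>11,.2f}")
```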
Slide 21: Risk Response Planning
● Negative Risks
● Positive Risks
Slide 22: Risk Response Planning
● Responses to negative risks
  – Eliminate
  – Transfer
  – Mitigate
  – Accept
Slide 23: Negative Risk Response
● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer the risk.
● Mitigate – reduce the probability of the event occurring by taking some action.
● Accept – take no additional action.
Slide 24: Risk Response Planning
● Responses to positive risks
  – Exploit
  – Share
  – Enhance
  – Accept
Slide 25: Positive Risk Response
● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus.
● Accept – take no action.
Slide 26: BIA
● Business Impact Analysis (BIA)
  – A formal analysis separating an organization's functions into critical and non-critical categories.
Slide 27: BIA – RPO
● RPO – Recovery Point Objective
  – Determines the amount of asset loss that is acceptable.
Slide 28: BIA – RTO
● RTO – Recovery Time Objective
  – The maximum allowable time to recover from asset loss.
Slide 29: Risk Management
● BIA – Business Impact Analysis
● BCP – Business Continuity Plan
● DRP – Disaster Recovery Plan
Slide 30: BIA
● Business Impact Analysis
  – Classifying business functions and activities into critical or non-critical categories.
  – Determining the prerequisites to support each function/activity.
  – Determining the maximum amount of time each function/activity can be unavailable.
Slide 31: BCP
● BCP – Business Continuity Plan
  – A response plan to interruptions of critical functions.
    ● An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
  – Creation of an IT intrusion response team.
Slide 32: DRP
● DRP – Disaster Recovery Plan
  – A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
  – Creation of an IT disaster response team.
Slide 33: DRP
● DRP – Disaster Recovery Plan
  – Fire
  – Flood
  – Hurricane
  – Tornado
  – Earthquake
Slide 34: DRP Requirements
● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions
● Data/system backups
● Alternate or redundant facility planning