Visual 3.1 Lesson 3: Risk Assessment and Risk Mitigation

Visual 3.2 Objective 4
• At the end of Lesson 3, you will be able to describe:
  – several approaches to risk assessment,
  – considerations in developing and selecting countermeasures,
  – the importance of the management decision, and
  – reasons why risk management is really an art instead of a science

Visual 3.3 The Variable Nature of the Elements of Risk

Visual 3.4 Risk is Commonplace

Visual 3.5 Qualitative Data
• Description of
  – qualities,
  – elements, or
  – ingredients of a variable
Example: "This is not a nice day"

Visual 3.6 Quantitative Data
• Allows the variable to be measured
• Numerical values may be assigned based on measured observations
Example: Temp 75 °F, Humid 45%, Bar 29.35"

Visual 3.7 Purpose of Risk Assessment (Bottom Line)
• Permit managers to make reasoned decisions regarding risk to the organization's mission

Visual 3.8 Using Risk Management Terms - The Catcher at Risk

Visual 3.9 Risk Assessment - Questions to Be Answered
• What is the relationship of the system to the customer's mission?
• What are all of the undesirable events that could happen and affect the mission?
• How could they happen?
• Realistically, what are the chances of them happening?
• Suppose such an event happens; how much damage could be done?

Visual Performing a Risk Assessment
• Define the purpose of the assessment
• Identify the product or system
• Select assessment approach
• Gather information
• Develop attack scenarios
• Estimate risk parameters
• Produce assessment report

Visual Define the Purpose of the Assessment
• What is the general situation?
• What decisions are to be made as a result of the risk assessment?
• Who will make the decisions?

Visual Identify and Bound the Product or System - Decide on Scope or Depth of Assessment

Visual Organize for the Assessment
• Individual
• Individuals
• Group or team of individuals
• Groups

Visual Define Relationships
• How will individuals, groups, etc., work together performing the tasks of:
  – data collection
  – analysis
  – synthesis
  – conclusions
  – recommendations

Visual What Do Analysts Do?
• Identify threats and their characteristics
• Gather and exchange information
• Develop attack scenarios
  – Confidentiality
  – Integrity
  – Availability
• Postulate potential consequences
  – Impact on organization's mission
• Estimate risk parameters

Visual Information Sources
• Knowledge of individual members
• Computer Emergency Response Team Coordination Center, etc.
• Outside experts
• Systems administrators, managers, etc.
• Users
• Threat assessments and other reports

Visual Threat Characteristics
• Conditional likelihood an adversary can succeed, built from:
  – Capability
  – Motivation
  – Willingness
• Likelihood of attack (given capable)
• Likelihood of success, i.e. the threat value (given attempted and capable)

Visual Threat Sources
• Nature - historical
• Unintentional human error - historical
• Technological failure - historical
• Adversarial - threat assessment

Visual Adversarial Threat Characteristics
• Objectives - as opposed to ours
• Intentions
• Motivation to act
• Willingness to accept risk
• Willingness to accept cost
• Technical capability
• Resources

Visual Gather and Exchange Information
• Define what the system does
• Define the environment
• Determine data sensitivity
• Identify system users
• Identify vulnerabilities

Visual Gather Information
• How does the system support the mission?

Visual Gather Information
• Define the environment

Visual Gather Information
• Determine data sensitivity
  – including its value to an adversary and
  – its value to the mission

Visual Gather Information
• Identify system users
  – and their need for the system and its information

Visual Gather Information
• Identify potential vulnerabilities

Visual Develop Attack Scenarios
• Threat agents
  – Adversarial
  – Nature
  – Human error
  – Technological failure
• Targets
  – Confidentiality
  – Integrity
  – Availability
  – Others

Visual Avenues of Attack
Targets: Confidentiality, Integrity, Availability
Avenues shown on the slide grid: Network connect, Public switch, Public power, Application SW, Communications, Local power, Firewall, UPS, Remote access, Physical access, Insiders, Crypto, TEMPEST

Visual Determine Potential Consequences
• Impact on information system,
• resulting in impact on organization's mission

Visual Estimate Risk Parameters
• Likelihood of success
  – that a credible threat exists,
  – with capability to attack, and
  – the willingness and intention to do so
• Consequences
  – the degree of damage resulting from an attack

Visual Assessing Risk (figure: matrix of Likelihood of Success against Consequence)

Visual Attack Scenario No. 1
(diagram: Coalition Force IS connected to U.S. Forces IS)
Coalition Force ISs heavily dependent upon Internet, few security features, lack procedural discipline.

Visual Estimate of Risk - Attack Scenario #1 (figure: scenario A-1 plotted on the Likelihood of Success (Lo/Med/Hi) vs. Consequence (Lo/Med/Hi) matrix)

Visual Estimate of Risk - Attacks #1 thru 8 (figure: scenarios A-1/3/4, A-5, A-2/7, A-6 and A-8 plotted on the same Likelihood of Success vs. Consequence matrix)

Visual Rating Overlay (figure: 3×3 Lo/Med/Hi grid with cell ratings, in slide order, H H H M M M M M L)

Visual Likelihood of Success - Attack Scenario #1 (figure: the A-1 through A-8 plot with the H/M/L rating overlay applied)
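The Threat Characteristics and Estimate Risk Parameters slides describe the likelihood of success as a chain of conditional likelihoods (capable, then attack given capable, then success given attempted), and the matrix slides then place each scenario on a Lo/Med/Hi grid and read off an H/M/L rating. The following script, added here as an illustration and not a tool from the course, puts those steps together for a handful of constructed scenarios. The scenario figures, the probability-to-Lo/Med/Hi thresholds, and the exact cell layout of the overlay (three H cells in the high corner, one L cell at Lo/Lo, M elsewhere, matching the slide's count of 3 H, 5 M and 1 L) are all assumptions.

```python
"""Risk-matrix scorer for attack scenarios.

Added illustration of the Lesson 3 method (threat value from conditional
likelihoods, Lo/Med/Hi binning, rating overlay); it is not the course's own
tool.  Scenario figures, bin thresholds and the overlay layout are constructed
assumptions, not values taken from the slides.
"""
from dataclasses import dataclass

LEVELS = ("Lo", "Med", "Hi")
RATING_ORDER = {"H": 0, "M": 1, "L": 2}


@dataclass(frozen=True)
class Scenario:
    name: str
    target: str                      # Confidentiality / Integrity / Availability
    p_capable: float                 # a credible threat with capability to attack
    p_attack_given_capable: float    # willingness and intention to act
    p_success_given_attempted: float
    consequence: str                 # "Lo" / "Med" / "Hi" damage to the mission

    def threat_value(self) -> float:
        """Likelihood of success = P(capable) * P(attack|capable) * P(success|attempted)."""
        return self.p_capable * self.p_attack_given_capable * self.p_success_given_attempted


def bin_likelihood(p: float) -> str:
    """Map a probability onto the slide's Lo/Med/Hi axis (thresholds assumed)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    if p < 0.10:
        return "Lo"
    if p < 0.40:
        return "Med"
    return "Hi"


def overlay_rating(likelihood: str, consequence: str) -> str:
    """Rating overlay: H for the three high-corner cells, L for the Lo/Lo cell,
    M for the remaining five (assumed layout; the slide shows 3 H, 5 M, 1 L)."""
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError("levels must be Lo, Med or Hi")
    li, ci = LEVELS.index(likelihood), LEVELS.index(consequence)
    if li + ci >= 3:          # (Hi,Hi), (Hi,Med), (Med,Hi)
        return "H"
    if li + ci == 0:          # (Lo,Lo)
        return "L"
    return "M"


def assess(scenarios):
    """Return (name, likelihood bin, consequence, rating) ordered for the decision
    maker: highest rating first, then by numeric threat value."""
    rows = []
    for s in scenarios:
        tv = s.threat_value()
        lk = bin_likelihood(tv)
        rows.append((s.name, lk, s.consequence, overlay_rating(lk, s.consequence), tv))
    rows.sort(key=lambda r: (RATING_ORDER[r[3]], -r[4]))
    return [(n, lk, c, r) for n, lk, c, r, _ in rows]


# Constructed scenarios, loosely following the slide's coalition-network example.
SCENARIOS = [
    Scenario("A-1 Internet-exposed coalition IS", "Confidentiality", 0.9, 0.7, 0.8, "Hi"),
    Scenario("A-2 Public power loss", "Availability", 0.5, 0.3, 0.9, "Med"),
    Scenario("A-3 Crypto weakness", "Confidentiality", 0.3, 0.2, 0.5, "Lo"),
    Scenario("A-4 Insider data alteration", "Integrity", 0.8, 0.5, 0.3, "Hi"),
]

if __name__ == "__main__":
    for name, lk, cons, rating in assess(SCENARIOS):
        print(f"{rating}  likelihood={lk:<3} consequence={cons:<3}  {name}")
```

The ordering is the point of the overlay: A-4 lands in the same H band as A-1 even though its numeric threat value is much lower, because its consequence is Hi. That is the "focus on most serious problems" behaviour the methodology slide claims, and it is also why the thresholds and overlay layout deserve to be written down and agreed with the decision maker rather than left implicit.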

Visual Risk Assessment Methodology
• Aids decision makers
• Promotes discussion
• Focus on most serious problems
• Early identification of risk
• Highlights recurring problems
• Aids concurrent engineering

Visual Risk Mitigation (figure: manager applying a countermeasure against risk)

Visual Countermeasure Considerations
• What is the cost vs. benefit?
• Are we creating another vulnerability?
• Are people involved? If so, will they participate?
• How long is the countermeasure needed?
• How long will the countermeasure be effective?

Visual Cost vs. Benefit
• Cost in
  – dollars
  – time to implement
  – impact on operations
• Results

Visual The Catcher at Risk

Visual Risk Mitigation - At What Cost?

Visual Creating New Vulnerabilities
• Law of unanticipated consequences
(figure: risk analyst confronting a new vulnerability)

Visual People Considerations
• Are people involved? Will they participate in the solution?
(figure: countermeasure and user)

Visual Time Consideration
• How long is the countermeasure needed?

Visual Time Consideration
• How long will the countermeasure be effective?
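The five countermeasure considerations above (cost vs. benefit, new vulnerabilities, people, how long it is needed, how long it stays effective) are easy to state and easy to skip once a dollar figure is on the table. The following comparison is an added example, not course material: it scores each option by expected annual loss avoided over the years it is both needed and effective, net of purchase cost and operational impact, and separately surfaces the questions a number cannot settle. The countermeasures, loss figures and the net-benefit formula itself are constructed assumptions.

```python
"""Countermeasure comparison against the slides' five considerations.

Added example, not course material.  The countermeasures, their costs and the
loss estimates are constructed figures; the net-benefit formula is a plain
expected-annual-loss comparison, assumed here rather than taken from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost_dollars: float              # purchase plus implementation
    months_to_implement: int
    ops_impact_per_year: float       # dollar cost of the impact on operations
    annual_loss_before: float        # expected annual loss from the risk addressed
    annual_loss_after: float         # residual expected annual loss once in place
    years_needed: int                # how long the countermeasure is needed
    years_effective: int             # how long it will remain effective
    needs_user_participation: bool
    may_create_vulnerability: bool


def horizon_years(cm: Countermeasure) -> int:
    """Benefit only accrues while the countermeasure is both needed and effective."""
    return min(cm.years_needed, cm.years_effective)


def net_benefit(cm: Countermeasure) -> float:
    """Risk reduction over the horizon, less purchase cost and operational impact."""
    if cm.annual_loss_after > cm.annual_loss_before:
        raise ValueError(f"{cm.name}: residual loss exceeds loss before")
    yrs = horizon_years(cm)
    reduction = (cm.annual_loss_before - cm.annual_loss_after) * yrs
    return reduction - cm.cost_dollars - cm.ops_impact_per_year * yrs


def review_flags(cm: Countermeasure) -> list:
    """Questions from the slide that a number alone does not answer."""
    flags = []
    if cm.may_create_vulnerability:
        flags.append("may create another vulnerability")
    if cm.needs_user_participation:
        flags.append("depends on user participation")
    if cm.years_effective < cm.years_needed:
        flags.append(f"effective {cm.years_effective}y of {cm.years_needed}y needed; plan renewal")
    return flags


def rank(countermeasures):
    """(name, net benefit, flags) sorted by net benefit, best first."""
    rows = [(cm.name, net_benefit(cm), review_flags(cm)) for cm in countermeasures]
    rows.sort(key=lambda r: -r[1])
    return rows


# Constructed options for one risk whose expected annual loss is $80,000.
OPTIONS = [
    Countermeasure("Firewall upgrade", 50_000, 3, 5_000, 80_000, 20_000, 5, 5, False, False),
    Countermeasure("Annual user security training", 10_000, 1, 8_000, 80_000, 50_000, 5, 1, True, False),
    Countermeasure("Disable remote access", 2_000, 1, 40_000, 80_000, 10_000, 5, 5, False, True),
]

if __name__ == "__main__":
    for name, value, flags in rank(OPTIONS):
        print(f"{value:>10,.0f}  {name}" + (f"  [{'; '.join(flags)}]" if flags else ""))
```

Two things the ranking makes visible: the cheapest option by purchase price ("Disable remote access") is not the best once its impact on operations is counted, and it carries the "another vulnerability" flag because people denied a service tend to find a workaround; and the training option looks weak only because its effectiveness window is one year against a five-year need, which is the "how long will it be effective" question rather than a verdict on training itself.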

Visual Risk Assessment Reality
• Are we sure of the threat?
• Have we identified all vulnerabilities?
• Have we considered all possible attacks?
• Is our estimate of consequence correct?
• Is all of this art or science?

Visual Never Ending Cycle (figure: cycle of assessing and mitigating risk)