Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.


Lesson 7-Managing Risk

Overview Defining risk. Identifying the risk to an organization. Measuring risk.

Defining Risk Risk is the potential for loss that requires protection. Risk management provides a basis for valuing an organization’s information assets. Risk is the measure of vulnerabilities and threats.

Defining Risk (figure: vulnerability and threats)

Vulnerability Vulnerabilities make computer systems and networks prone to technical, non-technical, or social engineering attacks. A vulnerability is characterized by the difficulty and the level of technical skill required to exploit it. The result of such exploitation must also be considered.

Vulnerability (figure: the relationship between vulnerability and threat)

Threat A threat is an action or event that violates the security of an information system environment. It can have multiple targets. The components of threat are targets, agents, and events.

Targets The targets of a threat or attack are security services such as: Confidentiality - Disclosure of classified information to unauthorized individuals. Integrity - Tampering with information. Availability - Denial-of-service attacks. Accountability - Preventing the organization from reconstructing past events.

Agents The characteristics of agents, the people who may wish to harm the organization, are: Access - An agent must have direct or indirect access to the system, network, facility, or information. Knowledge - An agent must have some knowledge about the target. The more familiar an agent is with the target, the more likely the agent is to know about its vulnerabilities.

Agents The characteristics of agents, the people who may wish to harm the organization, are (continued): Motivation - An agent may tamper with information as a challenge, out of greed to gain something, or purely with malicious intent.

Agents A threat occurs when an agent with access and knowledge gains the motivation to take action. Such agents could be: Employees with the necessary access and knowledge of the systems. Ex-employees with a grudge. Hackers, terrorists, and criminals with malicious intent to harm the organization. Commercial rivals interested in the organization's classified business information.

Events Events are the ways in which an agent of threat may cause harm to an organization. The event defines the extent of harm that could possibly be done if the agent gained access.

Risk Risk is the combination of threat and vulnerability. Risks can be categorized as low, medium, or high.

Identifying the Risk to an Organization (figure: components of an organizational risk assessment)

Identifying the Risk to an Organization Identifying vulnerabilities. Identifying real threats. Examining countermeasures. Identifying risk.

Identifying Vulnerabilities To identify specific vulnerabilities: Locate all the entry points (electronic and physical) to the organization. Identify system configurations. Identify which information and systems are accessible. Include any known vulnerabilities in operating systems and applications.

Identifying Real Threats Real or targeted threats may not show themselves until an event has occurred. Identifying all targeted threats is time-consuming and difficult.

Examining Countermeasures Countermeasures for each access point within an organization must be identified. Some of the countermeasures include firewalls, anti-virus software, access control mechanisms, and biometrics.

Identifying Risk Identify specific risks to the organization. Identify what possible harm can be done through each access point. Rate each risk as high risk, medium risk, or low risk. The same vulnerability may pose different levels of risk based on the access point.

Measuring Risk (figure: measuring risk)

Measuring Risk Risks can be measured in terms of: Money. Time. Resources. Reputation and lost business.

Money The costs of managing risks include: Lost productivity. Stolen equipment or money. Cost of an investigation. Cost to repair or replace systems. Cost of experts to assist. Employee overtime.

Time The amount of time taken to manage risks may include: The time a technical staff member is unavailable to perform normal tasks due to a security event. The downtime of a key system. Delay in product delivery or service.

Resources Resources include people, systems, communication lines, applications, or access. Compute the monetary cost of using a resource to troubleshoot.

Reputation and Lost Business Data compromise can affect the organization’s reputation. Future business is in jeopardy as people lose faith in the brand name. Losses due to system failures and production delay cannot be ruled out.

Measuring Risk To measure risk: Identify the extent of risk – best case, worst case, or most likely case. Identify the damage in terms of money, time, resources, reputation, and lost business. Identify the cost of restoration. Examine the potential results in each risk measurement area. Develop appropriate risk management approaches.
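As an added illustration that is not part of the lecture slides, the following Python sketch models the identify, rate and measure procedure above: a vulnerability is rated per access point (so the same flaw can be high risk at one entry point and low at another) and the monetary damage is totalled for the best, most likely and worst case. The scoring scales, thresholds and cost figures are assumptions.

```python
from dataclasses import dataclass

# Constructed example (not from the lecture): a toy model of the lesson's
# identify -> rate -> measure procedure. All scales and thresholds are assumed.

@dataclass
class Vulnerability:
    name: str
    difficulty: int   # 1 = trivial to exploit .. 5 = needs expert skill
    impact: int       # 1 = minor harm .. 5 = severe harm (result of exploitation)

@dataclass
class AccessPoint:
    name: str
    exposure: int         # 1 = internal only .. 3 = reachable from the Internet
    countermeasures: int  # effective controls at this entry point (firewall, AV, ...)

def rate_risk(ap: AccessPoint, v: Vulnerability) -> str:
    """Rate one vulnerability at one access point as 'low', 'medium' or 'high'.
    Likelihood rises as exploitation gets easier and exposure grows, and falls
    with each countermeasure; severity is the vulnerability's impact."""
    likelihood = (6 - v.difficulty) * ap.exposure / (1 + ap.countermeasures)
    score = likelihood * v.impact
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"

# The lesson's monetary cost items for a security event.
COST_ITEMS = ("lost_productivity", "stolen", "investigation", "repair", "experts", "overtime")

def money_cost(case: dict) -> float:
    """Sum the cost items for one scenario (items not given count as 0)."""
    return float(sum(case.get(item, 0) for item in COST_ITEMS))

def measure_risk(scenarios: dict) -> dict:
    """Return the monetary damage for each named case (best, likely, worst)."""
    return {name: money_cost(case) for name, case in scenarios.items()}

if __name__ == "__main__":
    flaw = Vulnerability("unpatched application flaw", difficulty=2, impact=4)
    web = AccessPoint("public web server", exposure=3, countermeasures=1)
    lan = AccessPoint("internal reporting portal", exposure=1, countermeasures=2)
    for ap in (web, lan):
        print(f"{flaw.name} @ {ap.name}: {rate_risk(ap, flaw)}")
    print(measure_risk({
        "best": {"investigation": 2000, "repair": 1000},
        "likely": {"lost_productivity": 8000, "investigation": 5000, "repair": 4000, "overtime": 1500},
        "worst": {"lost_productivity": 40000, "stolen": 25000, "investigation": 15000,
                  "repair": 20000, "experts": 30000, "overtime": 6000},
    }))
```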

Summary Security is managing risk. To identify risks, identify vulnerabilities and threats. Examine countermeasures for each risk. Identify the extent of risk. Measure risk in terms of money, time, resources, reputation, and lost business.