Risk Assessment and Risk Management James Taylor COSC 316 Spring 2008.



2 Summary of Objectives
- Explain the meaning of risk assessment and risk management.
- The various steps.
- Reviewing the risks.
- Summary.
- Questions.

3 What is Risk Assessment and Management?
Risk assessment is a common first step in a risk management process and, on most UNIX systems, a first step in improving security. Risk assessment is the determination of the quantitative or qualitative value of the risk related to a concrete situation and a recognized threat. On most Unix systems it basically means asking yourself the following:
- What am I trying to protect, and how much is it worth to me?
- What do I need to protect against?
- How much time, effort and money am I willing to expend to obtain adequate protection?

4 Steps in Risk Assessment and Management
- Identifying assets and their value
- Identifying threats
- Calculating risks

5 Step 1. Identifying Assets
To identify assets, draw up a list of the items you need to protect in the system, usually based on your business plan and common sense. These will include tangible and intangible items, and the list should include everything you consider to be of value.
- Tangible items such as: computers, proprietary data, backups and archives, manuals, printouts, commercial software, commercial equipment, personnel records and audit records.
- Intangibles such as: safety and health of personnel, privacy of users, personnel passwords, public image and reputation, customers, processing availability and configuration information.

6 Step 2. Identifying Threats
Once the company's assets have been identified, the next step is to identify the threats to those assets. These threats could be environmental, could come from personnel or outsiders, or might include rare but possible events such as structural failures. Some examples:
- Environmental threats include: flooding, lightning strikes.
- Personnel and outside threats include: illness of key people in the company, simultaneous illness of many personnel (e.g. a flu epidemic), loss of phone/network services, loss of utilities (phone, water, electricity) for a short time, loss or resignation of key personnel, theft of disks or tapes.

7 Step 3. Calculating Risks
Calculating risk involves a cost-benefit analysis: assigning a cost to each possible loss, determining the cost of defending against it, determining the probability that the loss will occur, and then determining whether the cost of defending against the risk outweighs the benefit. This means listing the following:
- The cost of loss
- The probability of loss
- The cost of prevention

8 1. The Cost of Loss
It is usually very difficult to determine the cost of a loss. One could use a simple cost calculation that considers only the cost of repairing or replacing a particular item, or a more sophisticated calculation that also considers the cost of out-of-service equipment, the cost of added training, the cost to a company's reputation and even the cost to a company's clients. Normally, assigning a cost range to each item is sufficient. For instance, the loss of a dozen blank diskettes may be classed as under $500, while a destructive fire in your computer room might be classed as over $1,000,000.

9 2. The Probability of a Loss
After identifying the threats, it is important to also estimate the probability or likelihood of each one occurring; it is usually best to estimate on a year-to-year basis. Quantifying the threat of a risk is hard work, but one can obtain estimates from third parties such as insurance companies. If an event happens on a regular basis, you can estimate it from your own records. Industry organizations may also have collected statistics or published reports.

10 3. Cost of Prevention
Finally, you need to calculate the cost of preventing each kind of loss. For instance, the cost to recover from a momentary power failure is probably only that of personnel downtime and the time necessary to reboot; however, the cost of prevention may be that of buying and installing a UPS. Deriving these costs may reveal secondary costs and credits that should also be factored in. For instance, installing a better fire-suppression system may result in a yearly decrease in your fire insurance premiums and give you a tax benefit for capital depreciation.
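The following is an added worked example of the cost-benefit comparison from slides 7 to 10; it is not from the deck or from the book it draws on. It annualizes each threat (cost of loss times yearly probability), subtracts the annual cost of the control, and adds the secondary credits the last slide mentions. The dollar figures for the UPS and fire-suppression scenarios are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One identified threat: what a single occurrence costs and how often it happens."""
    name: str
    cost_of_loss: float        # dollars per occurrence: repair/replacement, downtime, reputation
    annual_probability: float  # expected occurrences per year, from records or insurers

    def expected_annual_loss(self) -> float:
        return self.cost_of_loss * self.annual_probability


@dataclass(frozen=True)
class Control:
    """A preventive measure, with its cost spread over one year."""
    name: str
    annual_cost: float           # purchase price amortised over its life plus upkeep
    loss_reduction: float        # fraction of the expected loss it prevents, 0.0 to 1.0
    annual_credits: float = 0.0  # secondary credits: lower premiums, tax benefits


def net_annual_benefit(threat: Threat, control: Control) -> float:
    """Avoided expected loss plus secondary credits, minus what the control costs per year."""
    avoided = threat.expected_annual_loss() * control.loss_reduction
    return avoided + control.annual_credits - control.annual_cost


def worth_buying(threat: Threat, control: Control) -> bool:
    """The slides' test: defend only when prevention costs less than what it saves."""
    return net_annual_benefit(threat, control) > 0


# Constructed figures for the two scenarios on the slides (assumptions, not the deck's numbers).
POWER_FAILURE = Threat("momentary power failure", cost_of_loss=400.0, annual_probability=12.0)
UPS = Control("UPS", annual_cost=600.0, loss_reduction=0.95)

FIRE = Threat("computer-room fire", cost_of_loss=1_000_000.0, annual_probability=0.002)
SUPPRESSION_NO_CREDITS = Control("fire suppression", annual_cost=5_000.0, loss_reduction=0.8)
# The same system once the premium decrease ($1,500) and depreciation benefit ($2,500) are counted.
SUPPRESSION = replace(SUPPRESSION_NO_CREDITS, annual_credits=4_000.0)

if __name__ == "__main__":
    for threat, control in [(POWER_FAILURE, UPS), (FIRE, SUPPRESSION_NO_CREDITS), (FIRE, SUPPRESSION)]:
        print(f"{threat.name:24} expected loss ${threat.expected_annual_loss():>10,.2f}/yr  "
              f"{control.name:16} net ${net_annual_benefit(threat, control):>10,.2f}/yr  "
              f"{'buy' if worth_buying(threat, control) else 'skip'}")
```

Run as shown, the fire-suppression system only pays for itself once the insurance and tax credits are included, which is the point of the secondary-credit remark on the slide.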

11 Reviewing Your Risks
Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically. In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.

12 Summary
In a nutshell, practical security is more often a question of management and administration than one of technical skill; consequently, security must be a priority of your organization's management.

13 References
- Practical Unix and Internet Security, Author: O'Reilly
- http://www.wikibon.org/Calculating_business_benefits
- http://www.usc.edu/hsc/info/pr/ccr/03winter/risks.html
- http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=1124077

14 Questions
