1 Headquarters U.S. Air Force
Integrity - Service - Excellence
EPRM Implementation Workshop
Session 2: Risk Terminology

2 Session Objectives
Learning Objective: To be able to define the key terms associated with risk management as it pertains to the Air Force Security Enterprise.
Enabling Learning Objectives: The student will be able to:
- Define risk
- Differentiate risk analysis from risk management
- Define the components of risk: asset; threat source and threat method; vulnerability
- Describe the relationship between vulnerability and countermeasures
- Understand the risk management process

3 Overview Risk Terms

4 What is risk?
“The possibility of sustaining loss”
The potential for loss of, or damage to, an asset. It is measured based upon the criticality of the asset in relation to the threats and vulnerabilities associated with it. – AFI
An event that has a potentially negative impact and the possibility that such an event will occur and adversely affect an entity’s assets, activities, and operations. – Government Accountability Office (Report #GAO-06-91, Dec 2005)
This isn’t a class on risk analysis per se, but this definition does give us the basic elements that we need to collect and use in an automated methodology. The purpose is to deconstruct the methodology being used and identify what values it requires:
- Assets, with some understanding of their value.
- Threats and their relationship to assets.
- Some understanding of the vulnerability of each asset, usually based upon a weighted function of the countermeasures in place to mitigate each vulnerability.
So, let’s start with these three and see what we would do with them.

5 Risk Assessment & Management
What is Risk Assessment? An analytical process designed to provide an understanding of vulnerabilities and how potential threats may exploit those vulnerabilities to impact assets. The process includes the quantification of the likelihoods and expected consequences for identified risks to assist in prioritization.
What is Risk Management? The process of identifying and prioritizing risks followed by decisions to either accept or mitigate them. Risk analysis is the first part of risk management.
Risk Analysis: Risk analysis is a process. It quantifies vulnerabilities, risk, and loss, presenting an objective representation of a system’s security posture. Risk analysis is a continuous process: threat environments and countermeasures are constantly changing, so any risk analysis needs to be updated continually to reflect the changing environment.

6 Risk Assessment Purpose
The assessment process should provide the information necessary to calculate risk by relating:
- Criticality of the assets being protected
- Threat characterizations
- Quantification of vulnerabilities that the threats exploit
Risk = Criticality of impacted asset * Likelihood of loss or damage to the asset
or
Risk = Criticality of impacted asset * (Vulnerability * Threat)
Risk assessment is a process within the risk management process. It occurs early in that process, after the scope is defined and before risk is analyzed and mitigation decisions are made, and it is repeated as the threat environment and the countermeasures in place change.

7 Assets
Anything of value to the organization and worth protecting or preserving: people, information, equipment, facilities, and activities/operations that have an impact on the mission. Assets must have a quantified (or qualified) value to the unit / organization.

8 Assets
Informational asset lists are based on content from the OPSEC module / AF working groups.
Asset Criticality (0-100 scale) based on AFI.
User response input across four metrics:
- Criticality to Mission
- Criticality to National Defense
- Replacement (time, LOE)
- Relative Value (monetary, classification, etc.)

9 Threats
A threat is any circumstance or event with the potential to cause the loss of or damage to an asset. Threats are generally considered in terms of a threat source (sentient actor or natural hazard) and a threat tactic (threat method).
Frequency: Once we know that a threat is applicable, it is important to determine how likely it is to happen. When anticipating loss for the year, if a threat occurs ten times, the loss suffered from each occurrence is multiplied by that annual frequency.
It is useful to start thinking about which threats are real for you and your organization.

10 Threat Sources
Any individual, group, organization, or government that conducts activities, or has the intention and capability to conduct activities, detrimental to operations or valued assets; or any naturally occurring event that has a rate of periodicity and a capability to negatively affect operations or valued assets.
Examples of Threat Sources:
- Non-State Actors (Terrorist)
- State Sponsored Actors
- Criminals
- Protestors
- Insider
- Natural Hazards

11 Threat Tactics or Methods
Threat lists include the categories of information collection activities.
Threat assessment (0-1 scale) is based on AFI metrics and includes baseline recommendations from NASIC based on location.

12 Vulnerability
Any weakness that can be exploited by an adversary to gain access to an asset. Vulnerabilities can result from, but are not limited to, the following:
- building characteristics
- equipment properties
- personal behavior
- locations of people, equipment and buildings
- operational procedures and personnel practices
Quite simply put, if we didn’t have vulnerabilities, we wouldn’t be concerned about threats or our security posture.

13 Vulnerability Examples
Typically expressed in relation to a threat tactic, such as vulnerability to:
- HUMINT, SIGINT, IMINT, MASINT, OSINT
- IED
- CBRN contamination
- Arson
- Hurricane
- IP vulnerabilities
- Physical vulnerabilities
Once you have determined the possible threats, you next need to examine your susceptibility to each of them. How likely is this threat to impact, disrupt or shut down your ability to function? What set of circumstances allows a threat to take advantage of you? As you will learn later, a threat can take advantage of more than one vulnerability. For example, if lightning is the threat, what are some areas of vulnerability it would be able to exploit?

14 Vulnerability Quantification
- Vulnerability levels are calculated based on the presence or absence of countermeasures.
- Countermeasures decrease vulnerability to one or more tactics.
- The more countermeasures in place that mitigate a particular tactic, the lower the vulnerability.
- A ‘zero level’ of vulnerability is not practical: some residual vulnerability always remains.

15 Countermeasures
A countermeasure is an action or device that is intended to stop or prevent something bad or dangerous.
- Administrative: preventive, corrective, detective
- Technical: preventive, corrective, detective

16 Countermeasure Examples
- Evacuation procedures
- Background checks
- Contingency plan
- Container inspections
- Virus software
- Training
- Backup procedures
- Access controls
- CCTV
- Guards
These are some examples of countermeasures. Can you name any that are not on this list?

17 Countermeasures
Arranged by protection area and deconstructed into Y / N / NA (yes / no / not applicable) formats.

18 The Risk Management Process
Step 1: Define the Scope
Step 2: Assess Assets
Step 3: Assess Threats
Step 4: Assess Vulnerabilities
Step 5: Analyze Risk and Create Reports
Step 6: Manage Risk
Step 7: Evaluate Effectiveness and Reassess

19 Cost-Benefit Analysis
Part of the management decision-making process in which the costs and benefits of each alternative are compared and the most appropriate alternative is selected. Typically expressed as risk reduction per dollar in EPRM.
Since you will only be collecting the information, you will not need to input cost information for the analysis module.
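The following is an added worked example, not code from the EPRM slides or the EPRM tool, that ties together the arithmetic the session describes on slides 6 (Risk = Criticality * (Vulnerability * Threat)), 8 (asset criticality on a 0-100 scale from four metrics), 11 (threat on a 0-1 scale), 14 (vulnerability derived from countermeasures, never reaching zero), 17 (Y / N / NA countermeasure answers) and 19 (risk reduction per dollar). Everything beyond those statements is an assumption made for the example: the four criticality metrics are each scored 0-100 and averaged with equal weight, each applicable countermeasure removes an equal share of vulnerability, the residual vulnerability floor is 5%, and the asset, threat value, countermeasure answers and costs are constructed sample data, not real EPRM scoring rules or figures.

```python
# Added worked example (not from the EPRM slides): an illustrative, simplified
# implementation of the risk arithmetic the session describes. Every formula
# other than Risk = Criticality * (Vulnerability * Threat) is an assumption.

# Slide 8: asset criticality on a 0-100 scale from four metrics. The slides
# give no weights, so each metric is scored 0-100 and averaged (assumption).
CRITICALITY_METRICS = ("mission", "national_defense", "replacement", "relative_value")

# Slide 14: a zero level of vulnerability is not practical, so the computed
# vulnerability is floored at this residual value (the 5% figure is assumed).
VULN_FLOOR = 0.05


def asset_criticality(scores):
    """Combine the four metric scores into one 0-100 criticality value."""
    missing = set(CRITICALITY_METRICS) - set(scores)
    if missing:
        raise ValueError("missing metric(s): %s" % sorted(missing))
    for name in CRITICALITY_METRICS:
        if not 0 <= scores[name] <= 100:
            raise ValueError("%s must be scored 0-100" % name)
    return sum(scores[m] for m in CRITICALITY_METRICS) / len(CRITICALITY_METRICS)


def vulnerability(countermeasures):
    """Vulnerability to one tactic from Y / N / NA countermeasure answers (slide 17).

    NA answers are dropped from the denominator; each Y (countermeasure in place)
    lowers vulnerability by an equal share (assumption); the result never
    reaches zero because of VULN_FLOOR.
    """
    applicable = {k: v for k, v in countermeasures.items() if v != "NA"}
    if not applicable:
        return 1.0  # nothing on the list mitigates this tactic
    bad = [k for k, v in applicable.items() if v not in ("Y", "N")]
    if bad:
        raise ValueError("answers must be Y, N or NA: %s" % bad)
    in_place = sum(1 for v in applicable.values() if v == "Y")
    return max(VULN_FLOOR, 1.0 - in_place / len(applicable))


def risk(criticality, threat, vuln):
    """Slide 6: Risk = Criticality * (Vulnerability * Threat); threat is 0-1 (slide 11)."""
    if not 0.0 <= threat <= 1.0:
        raise ValueError("threat likelihood must be on the 0-1 scale")
    return criticality * (vuln * threat)


def rank_countermeasures(criticality, threat, current, candidates):
    """Slide 19: rank candidate countermeasures by risk reduction per dollar.

    `current` maps countermeasure -> Y/N/NA; `candidates` maps a countermeasure
    currently answered N -> its implementation cost. Returns a list of
    (name, risk reduction, reduction per dollar) sorted best-first.
    """
    baseline = risk(criticality, threat, vulnerability(current))
    ranked = []
    for name, cost in candidates.items():
        if current.get(name) != "N":
            raise ValueError("%s is not an open (N) countermeasure" % name)
        if cost <= 0:
            raise ValueError("cost must be positive")
        with_it = {**current, name: "Y"}          # what if we put it in place?
        reduction = baseline - risk(criticality, threat, vulnerability(with_it))
        ranked.append((name, reduction, reduction / cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# --- Constructed sample data (not real assets, threat values or prices) ---
SAMPLE_ASSET = {"mission": 90, "national_defense": 60, "replacement": 40, "relative_value": 50}
SAMPLE_THREAT = 0.8          # assumed 0-1 likelihood of OSINT collection against this unit
SAMPLE_CMS = {               # countermeasures relevant to the OSINT tactic
    "OPSEC training": "Y",
    "Social media policy": "N",
    "Document marking": "N",
    "Container inspections": "NA",   # does not mitigate this tactic
}
SAMPLE_COSTS = {"Social media policy": 5_000, "Document marking": 20_000}


def sample_report():
    """Run the constructed scenario end to end and return the key figures."""
    crit = asset_criticality(SAMPLE_ASSET)        # (90+60+40+50)/4 = 60.0
    vuln = vulnerability(SAMPLE_CMS)              # 1 of 3 applicable in place -> 2/3
    current = risk(crit, SAMPLE_THREAT, vuln)     # 60 * (2/3 * 0.8) = 32.0
    ranking = rank_countermeasures(crit, SAMPLE_THREAT, SAMPLE_CMS, SAMPLE_COSTS)
    return {"criticality": crit, "vulnerability": vuln, "risk": current, "ranking": ranking}


if __name__ == "__main__":
    report = sample_report()
    print("criticality %.1f  vulnerability %.3f  risk %.1f"
          % (report["criticality"], report["vulnerability"], report["risk"]))
    for name, reduction, per_dollar in report["ranking"]:
        print("  %-20s reduces risk by %5.1f  (%.5f per dollar)" % (name, reduction, per_dollar))
```

In the constructed scenario both open countermeasures remove the same amount of risk (16 points each, because they are weighted equally), so the cost-benefit ranking is decided entirely by price and the cheaper social media policy comes first; putting both in place drives the computed vulnerability down to the floor rather than to zero, which is the slide 14 point that a zero level of vulnerability is not practical. Because EPRM collects the Y / N / NA answers and the cost data separately (slide 19), the same functions can be re-run as the countermeasure answers change, which is the reassessment loop of step 7 in the process.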

20 Session Objectives
- What is risk?
- What is the difference between risk analysis and risk management?
- Define the components of risk.
- What is the relationship between vulnerability and countermeasures?
- What are the steps in the risk management process?

