Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg.


1 Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg

2 Risk management and Sun Tzu
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Sun Tzu
Know yourself (your assets and vulnerabilities). Know the enemy (the threats).

3 What is risk management?
Risk management consists of identifying and controlling the risks facing an organization. It has three parts:
- Risk identification: inventory assets, classify assets, identify threats
- Risk assessment: rate or score the risk to each asset
- Risk control: select a strategy, justify the controls

4 Outline 1. Risk Identification 2. Risk Assessment 3. Risk Control Strategies

5 Risk Identification
1) Plan and organize the process
2) Categorize system components: asset identification, information asset classification
3) Inventory and categorize assets: information asset valuation, listing assets in order of importance, data classification and management
4) Identify threats: identify and prioritize threats
5) Specify vulnerable assets: vulnerability identification

6 Risk Assessment: Risk estimation
Assess a risk: assign a risk rating or score to each information asset.
Factors of risk:
- Likelihood of the occurrence of the vulnerability
- Value of the information asset
- Percentage of risk mitigated by current controls (subtracted)
- Uncertainty of current knowledge of the vulnerability (added)
Risk = (likelihood × value) − (likelihood × value × % mitigated by current controls) + (likelihood × value × % uncertainty)
Glossary: to mitigate = atténuer (to lessen)

7 Risk Assessment: Example of risk estimation

| Asset   | Likelihood | Value | Current control | Uncertainty |
|---------|------------|-------|-----------------|-------------|
| Asset A | 1          | 50    | 0%              | 10%         |
| Asset B | 0.5        | 100   | 50%             | 20%         |

Asset A vulnerability is rated at 55: 55 = (50 × 1) − [(50 × 1) × 0] + [(50 × 1) × 0.1]
Asset B vulnerability is rated at 35: 35 = (100 × 0.5) − [(100 × 0.5) × 0.5] + [(100 × 0.5) × 0.2]
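The worksheet calculation above, as an added example that is not part of the original slides: the risk rating formula applied to each row, with the rows then sorted into the ranked vulnerability risk worksheet. The class and function names are assumed, and the two rows are the slide's own Asset A and Asset B.

```python
from dataclasses import dataclass


@dataclass
class AssetRisk:
    """One row of the risk worksheet (names of fields are assumed)."""
    name: str
    likelihood: float       # likelihood the vulnerability occurs, 0.0 .. 1.0
    value: float            # relative value of the information asset
    control_pct: float      # fraction of the risk mitigated by current controls
    uncertainty_pct: float  # fraction added for uncertainty of current knowledge

    def __post_init__(self):
        # Percentages outside 0..1 are almost always a worksheet entry error
        # (e.g. 50 typed instead of 0.50), so reject them early.
        for field in ("likelihood", "control_pct", "uncertainty_pct"):
            v = getattr(self, field)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{self.name}: {field}={v} must be between 0 and 1")

    def rating(self) -> float:
        # risk = L*V - (L*V * %mitigated) + (L*V * %uncertainty)
        base = self.likelihood * self.value
        return base - base * self.control_pct + base * self.uncertainty_pct


def ranked_worksheet(rows: list[AssetRisk]) -> list[tuple[str, float]]:
    """Ranked vulnerability risk worksheet: highest rating first."""
    return sorted(((r.name, r.rating()) for r in rows), key=lambda t: t[1], reverse=True)


# The two rows from the slide (constructed as objects here).
WORKSHEET = [
    AssetRisk("Asset A", likelihood=1.0, value=50, control_pct=0.0, uncertainty_pct=0.10),
    AssetRisk("Asset B", likelihood=0.5, value=100, control_pct=0.50, uncertainty_pct=0.20),
]

if __name__ == "__main__":
    for name, score in ranked_worksheet(WORKSHEET):
        print(f"{name}: {score:.1f}")
```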

8 Risk Assessment: Documenting the Results of Risk Management
Output: the ranked vulnerability risk worksheet.

9 Risk Control Strategies
- Avoidance
- Transference
- Mitigation: Incident Response Plan, Disaster Response Plan, Business Continuity Plan
- Acceptance

10 Selecting a Risk Control Strategy
Select one of the four risk control strategies for each vulnerability; the level of threat and the value of the asset play a major role in strategy selection. Once a control strategy has been implemented, it should be monitored and measured: a cyclical process to ensure that risks stay controlled.

11 Feasibility Studies & CBA (Cost Benefit Analysis) (1)
Aim: determine the costs associated with protecting an asset. An organization should not spend more to protect an asset than the asset is worth.
Items that affect the cost of a control:
- Cost of development and acquisition of software, hardware and services
- Training fees
- Cost of implementation (install, configure, test)
- Service costs (maintenance and upgrade)

12 Feasibility Studies & CBA (Cost Benefit Analysis) (2)
Benefit: the value that an organization realizes by using controls to prevent losses associated with a specific vulnerability.
Asset valuation: the process of assigning a financial value or worth to each information asset.
E.g. 1: the cost to replace a network switch, simple to determine.
E.g. 2: the dollar value of the loss in market share if information on new product offerings is released prematurely.

13 Risk Assessment & CBA
Single Loss Expectancy: SLE = Asset Value × Exposure Factor
Website value: euros, Exposure factor = 10%, SLE = euros
Annualized Loss Expectancy: ALE = SLE × ARO
ARO = 0.5, ALE = × 0.5 = euros
Cost Benefit Analysis (CBA): CBA = ALE(prior) − ALE(post) − ACS
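The SLE, ALE and CBA formulas from the slide chained together, as an added example that is not part of the original slides. The website value, the post-control exposure factor and the annual cost of the safeguard (ACS) are constructed sample figures, since the slide leaves them blank; the function names are assumed.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (annualized rate of occurrence, incidents per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return ale_prior - ale_post - acs


def evaluate_control(asset_value, ef_prior, aro_prior, ef_post, aro_post, acs) -> dict:
    """Run the slide's formulas before and after a control and return the figures."""
    ale_prior = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_prior), aro_prior)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_prior, ale_post, acs)
    return {"ale_prior": ale_prior, "ale_post": ale_post, "cba": cba, "worthwhile": cba > 0}


# Constructed sample figures (the slide gives EF = 10% and ARO = 0.5; the rest is assumed):
# website worth 100,000 euros; a proposed control cuts EF to 2% and costs 3,000 euros/year.
SAMPLE = evaluate_control(asset_value=100_000, ef_prior=0.10, aro_prior=0.5,
                          ef_post=0.02, aro_post=0.5, acs=3_000)

if __name__ == "__main__":
    print(SAMPLE)  # ALE falls from 5,000 to 1,000 euros; CBA = 1,000 euros
```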

14 Benchmarking
An alternative method to the economic feasibility analysis: it seeks out and studies the practices used in other organizations that produce the results desired in one's own organization.
Measures used to compare practices:
- metric-based: comparisons based on numerical standards
- process-based: less focused on numbers and more strategic
Two categories of benchmarks are used in InfoSec: standards of due care and due diligence, and best practices.

15 Applying Best Practices & Benchmarking
- Does the organization resemble the identified target organization with the best practice under consideration?
- Does the organization face similar challenges as the target?
- Is its organizational structure similar to the target's?
- Are the resources the organization can expend similar to those identified with the best practice?
Caveats: no two organizations are identical; best practices are a moving target; security is a managerial problem, not a technical one.

16 Delphi Technique
What? A technique for accurately estimating scales and values.
How? A group rates or ranks a set of information; responses are compiled and returned for a new iteration, until the entire group is satisfied with the result.
Quantitative assessment: actual values or estimates.
Qualitative assessment: no numeric values, only scales (A-Z, 0-10, low, medium, high, very high).

17 Conclusion
"Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business viability." (F. Avolio, "Best Practices in Network Security")
