TOPIC 3 RISK MANAGEMENT.


1 TOPIC 3 RISK MANAGEMENT

2 WHAT IS RISK?
In information security, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization". [Wikipedia]
Examples:
- Operational: loss or inaccessibility of a facility, student protests/lack of participation
- Technology: computer hardware failures or computer theft, critical software unavailable (client-server or web), etc.

3 Risk Management
- The process of determining the maximum acceptable level of overall risk to and from a proposed activity
- Using risk assessment techniques to determine the initial level of risk
- Developing a strategy to control individual risks to an acceptable level
Two basic steps:
- Risk Assessment (Analysis)
- Risk Control (Treatment)
Source: InfoSec (HK)

4 Risk Assessment
Activities carried out to discover, analyze, and describe risks. May be qualitative, quantitative or a combination.
Qualitative risk assessment: a relative measure of risk based on ranking or descriptive categories such as
- Low, medium, high
- Not important, important, very important
- A scale from 1 to 10
Quantitative risk assessment: measuring risk in terms of monetary values and frequency

5 STANDARD PATTERN OF RISK ASSESSMENT
Identify and Assign Values to Assets
Both quantitative and qualitative methods identify assets and seek to assign either specific or relative values to them.
Criteria to be considered to establish the value of assets:
- Which asset is the most critical to the success of the organization?
- Which asset generates the most profitability?
- Which asset would be the most expensive to replace or protect?
- Which asset causes damage to reputation if compromised?

6 Standard Pattern of Risk Assessment
Identify Exposure / Vulnerabilities, Threats and Controls
- Quantitative risk: vulnerability and threats combine to determine the Exposure Factor (EF)
- Qualitative risk: the entire value of the asset is considered to be at risk

7 STANDARD PATTERN OF RISK ASSESSMENT
Assess Risks for each Asset
- Quantitative risk: Annual loss expectancy (ALE) values
- Qualitative risk: risk profiles or tables of relative risk with respect to assets
Create Action Plan
- Leads to new security policy, procedures, technical guidelines, or immediate action

8 Qualitative Risk Assessment
Identify and rate risks relative to each other
- Assets: software applications, information systems, business equipment, or buildings.
- Activities: carried out by an individual, group, or department.
- Vulnerabilities: weaknesses in design, configuration, documentation, procedure or implementation that could be exploited to gain or deny access to an asset or compromise (危害) an asset

9 Qualitative Risk Assessment
- Threats: potential activities that would exploit specific vulnerabilities.
- Threat probability: likelihood that a specific threat will be carried out.
- Countermeasures: actual or proposed measures that reduce the risk associated with vulnerabilities or threats.
Relative risk = Asset value x Vulnerability x Threat
(Diagram: overlapping circles labelled Threat, Vulnerability and Asset)

10 Qualitative Risk Assessment Example
Assets / Value:
- Payroll records: Medium
- Product design specifications: High
- Customer lists
- Sales records: Low
- Inventory and order database

11 Qualitative Risk Assessment Example
Vulnerabilities / Criticality:
- Unpatched software: Medium
- Internet connection with no firewall: High
- Antivirus protection missing or not updated
- Weak passwords
- Common password sharing

12 Qualitative Risk Assessment Example
Threats / Probability:
- DoS attack against the server with inventory and order database: Medium
- Internal employee reading or modifying payroll data without authorization: High
- Internal employee selling customer lists
- DoS attack against the payroll server: Low
- External person obtaining customer lists or product designs

13 Qualitative Risk Assessment Example
Numerical values: High (3), Medium (2), Low (1)
- Asset: Inventory and order database (Medium – 2)
- Threat: DoS attack against the server with inventory and order database (Medium – 2)
- Possible vulnerability: Unpatched software (Medium – 2)
Risk = Assets x Vulnerabilities x Threats
Risk = 2 x 2 x 2 = 6
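The scoring described on slides 9 to 13 can be carried out mechanically once the ratings are fixed, which is the point of a qualitative method: the same scale applied to every asset/vulnerability/threat combination so the results can be ranked against each other. The following is an added example, not code from the slides; it uses the slides' scale (High = 3, Medium = 2, Low = 1) and the product formula Risk = Asset x Vulnerability x Threat. Note that the product formula gives 2 x 2 x 2 = 8 for the slide's own scenario, while the slide's figure of 6 is what you get by adding the three ratings, so the example offers both combining rules; the scenario names and any rating the flattened tables do not state (the weak-password criticality, for instance) are constructed assumptions and are marked as such in the code.

```python
# Added example (not from the slides): qualitative relative-risk scoring on the
# slides' rating scale, Risk = Asset x Vulnerability x Threat.

RATING = {"High": 3, "Medium": 2, "Low": 1}


def relative_risk(asset, vulnerability, threat, combine="product"):
    """Combine three ratings into one relative-risk score.

    combine="product" follows the multiplicative formula stated on the slides.
    combine="sum" is an added option: it reproduces the slide's figure of 6 for
    (Medium, Medium, Medium), which the product formula does not (it gives 8).
    """
    scores = (RATING[asset], RATING[vulnerability], RATING[threat])
    if combine == "product":
        return scores[0] * scores[1] * scores[2]
    if combine == "sum":
        return sum(scores)
    raise ValueError(f"unknown combine method: {combine}")


# Scenarios constructed from the slides' example tables. Where a table on the
# slides does not state a rating, the value used here is an ASSUMPTION.
SCENARIOS = [
    {
        "name": "DoS against inventory/order server via unpatched software",
        "asset": "Medium",          # inventory and order database (slide 13)
        "vulnerability": "Medium",  # unpatched software (slide 11)
        "threat": "Medium",         # DoS against the inventory/order server (slide 12)
    },
    {
        "name": "Insider modifies payroll data using a weak password",
        "asset": "Medium",          # payroll records (slide 10)
        "vulnerability": "High",    # ASSUMED: weak passwords have no rating on slide 11
        "threat": "High",           # insider reading/modifying payroll data (slide 12)
    },
    {
        "name": "DoS against payroll server behind an unfirewalled link",
        "asset": "Medium",          # payroll records (slide 10)
        "vulnerability": "High",    # internet connection with no firewall (slide 11)
        "threat": "Low",            # DoS against the payroll server (slide 12)
    },
]


def rank_scenarios(scenarios, combine="product"):
    """Return (name, score) pairs sorted from highest to lowest relative risk."""
    scored = [
        (s["name"], relative_risk(s["asset"], s["vulnerability"], s["threat"], combine))
        for s in scenarios
    ]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Highest-scoring scenarios are the ones the action plan (slide 7) addresses first.
    for name, score in rank_scenarios(SCENARIOS):
        print(f"{score:2d}  {name}")
```

The ranking, not the absolute number, is what a qualitative assessment delivers: the scores only mean something relative to other scenarios scored on the same scale, which is why the combining rule must be fixed once and applied consistently.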

14 Quantitative Risk Assessment
- Asset value: a monetary value representing the replacement cost or the income derived from the asset
- Exposure factor (EF): percentage of asset loss caused by the identified threat
- Single loss expectancy (SLE) = Asset value ($) x Exposure factor (%)
- Annualized rate of occurrence (ARO): estimated frequency with which a threat will occur in a year's time

15 Quantitative Risk Assessment
- Annual loss expectancy (ALE) = ARO x SLE
- Cost benefit analysis (CBA): determines if the control being evaluated is worth the associated cost incurred.
  CBA = ALE(prior) – ALE(post) – ACS
  ACS = Annualized cost of safeguard

16 Quantitative Risk Assessment Example
Suppose an executive's notebook computer (asset) is worth HK$10,000.
Case 1: Threat of theft
- EF = 100% (the entire asset's value is lost)
- SLE = Asset value x EF = HK$10,000 x 100% = HK$10,000
- Presume the threat of theft occurs once in 5 years: ARO = 1/5 = 20%
- ALE = SLE x ARO = HK$10,000 x 20% = HK$2,000
- Expected to lose HK$2,000 per year.

17 Quantitative Risk Assessment Example
Case 2: Threat of LCD screen damage
- EF = 50% (replacement cost of the LCD screen)
- SLE = Asset value x EF = HK$10,000 x 50% = HK$5,000
- Assume the probability of the LCD screen breaking is 25%: ARO = 25%
- ALE = SLE x ARO = HK$10,000 x 25% = HK$2,500
- Expected to lose HK$2,500 per year.

18 Quantitative Risk Assessment
The above cases show that unless protection is increased to address the vulnerability, the business is expected to lose the corresponding amount per year. This amount is then used in calculating the cost of protection to see whether there is a benefit in protecting the system or not. In calculating CBA the organization should view security as an investment and not as an expense.
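Slides 14 to 18 give the whole quantitative chain (SLE from asset value and EF, ALE from SLE and ARO, CBA from the ALE before and after a safeguard and its annual cost), and the notebook cases are a convenient fixture for it. The following is an added example, not code from the slides: it implements those formulas as written on slide 14 and 15, reproduces both cases, and then evaluates a safeguard that is a constructed assumption (a cable lock plus asset tracking that is assumed to cut the theft ARO from 20% to 5% at an annualized cost of HK$200). One caveat worth knowing before comparing results with the slides: applying ALE = SLE x ARO to Case 2 gives HK$5,000 x 25% = HK$1,250, while slide 17 shows HK$2,500, which is the full asset value multiplied by the ARO rather than the SLE.

```python
# Added example (not from the slides): SLE, ALE and CBA calculations
# following the formulas on slides 14 and 15.
#   SLE = Asset value x EF
#   ALE = SLE x ARO
#   CBA = ALE(prior) - ALE(post) - ACS

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor; EF is a fraction in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO; ARO is expected occurrences per year (1/5 for 'once in 5 years')."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def cost_benefit(ale_prior, ale_post, annual_safeguard_cost):
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the safeguard is worth buying."""
    return ale_prior - ale_post - annual_safeguard_cost


def notebook_cases(asset_value=10_000):
    """Reproduce the slides' two notebook cases (HK$10,000 asset) with the slides' formulas."""
    sle_theft = single_loss_expectancy(asset_value, 1.00)     # EF 100%
    ale_theft = annual_loss_expectancy(sle_theft, 1 / 5)      # once in 5 years
    sle_lcd = single_loss_expectancy(asset_value, 0.50)       # EF 50%
    ale_lcd = annual_loss_expectancy(sle_lcd, 0.25)           # ARO 25%
    return {
        "sle_theft": sle_theft,
        "ale_theft": ale_theft,
        "sle_lcd": sle_lcd,
        "ale_lcd": ale_lcd,
    }


def evaluate_safeguard(asset_value, exposure_factor, aro_prior, aro_post, annual_cost):
    """Return (ALE prior, ALE post, CBA) for a safeguard that changes the ARO.

    The safeguard only changes how often the threat is realised; the SLE of a
    single event is unchanged.
    """
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_prior = annual_loss_expectancy(sle, aro_prior)
    ale_post = annual_loss_expectancy(sle, aro_post)
    return ale_prior, ale_post, cost_benefit(ale_prior, ale_post, annual_cost)


if __name__ == "__main__":
    cases = notebook_cases()
    print(f"Case 1 theft:       SLE HK${cases['sle_theft']:,.0f}  ALE HK${cases['ale_theft']:,.0f}/yr")
    print(f"Case 2 LCD damage:  SLE HK${cases['sle_lcd']:,.0f}  ALE HK${cases['ale_lcd']:,.0f}/yr")

    # ASSUMED safeguard (constructed for this example, not from the slides):
    # cable lock + asset tracking, theft ARO 20% -> 5%, ACS HK$200 per year.
    prior, post, cba = evaluate_safeguard(10_000, 1.00, 0.20, 0.05, 200)
    verdict = "worth it" if cba > 0 else "not worth it"
    print(f"Safeguard: ALE HK${prior:,.0f} -> HK${post:,.0f}, CBA HK${cba:,.0f}/yr ({verdict})")
```

A negative CBA is the quantitative form of the risk-acceptance decision on slide 23: the safeguard costs more per year than the loss it removes. As slide 19 notes, that arithmetic ignores intangible benefits, so a marginally negative CBA is an input to the decision rather than the decision itself.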

19 Quantitative Risk Assessment
Return on investment (ROI) should not be the only factor in evaluating security investments. Many of the security investment benefits are intangible, such as goodwill generated due to the reliability of the systems.

20 Formal Risk Assessment Methodologies
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
- FRAP (Facilitated Risk Analysis Process)
- Spanning Tree Analysis
- NIST SP Guide for Conducting Risk Assessments

21 Risk Control
Manage the risks identified in the risk assessment.
Four general approaches:
- Risk avoidance
- Risk reduction
- Risk transfer
- Risk acceptance

22 Risk Control
Risk Avoidance
- The associated activity that introduces the risk is discontinued.
Risk Reduction (Mitigation)
- Use of countermeasures, removing vulnerabilities, limiting access and adding protective safeguards.
- Application of policies, education and training, and application of technology (firewalls, IDS/IPS).

23 RISK CONTROL
Risk Transfer
- Shifting risk to other assets, other processes, or other organizations.
- Revising deployment models, purchasing insurance, outsourcing to other organizations.
Risk Acceptance
- The cost of protecting an asset does not justify the security expenditure.
- Leaving things as they are and accepting the stated risks.
- Misuse of this approach can be very risky.

24 Vulnerability Analysis
Identifying vulnerabilities in a system and then acting to mitigate them.
Vulnerabilities can be discovered in one of two basic ways:
- Passive means: receiving alerts of vulnerabilities from sources such as the manufacturer or independent sources such as US-CERT. Ref:
- Active means: performing penetration testing scans or application vulnerability scans. Ref:

25 Threat Analysis (Ref: https://www.owasp.org/index)
Identifying factors that may jeopardize the ongoing performance of any service or system.
Can be divided into human and non-human elements:
- Human: hackers, theft, non-technical staff, inadequately trained IT staff
- Non-human: floods, viruses, fire, electrical
Measured in terms of motivation and capability: an internal non-technical staff member may have low motivation to do something malicious but a high level of capability because of their level of access to certain systems.

26 SECURITY MANAGEMENT CONCEPTS
Security Controls
- Measures to enforce security policy and reduce risk
CIA Triad
- Core principles of information security
- All other concepts and activities are based on them
Source:

27 SECURITY MANAGEMENT CONCEPTS
Defense in Depth
- A layered defense consisting of two or more protective methods
- Reduces the probability that a threat can act upon an asset
Single Point of Failure
- Characteristic of a component in a system if the failure of the component will result in the failure of the entire system

28 Security Management Concepts
Benchmarking (基準)
- The process of seeking out and studying the best practices used in other organizations.
- An organization typically selects a measure (benchmark) with which it may compare itself to the other organizations in the market.
- Examples: dollars spent on protection, loss in productivity hours due to attacks
Baselining (基線)
- A baseline is a value or profile of a performance metric against which changes in the performance metric can be usefully compared.

29 SECURITY DOCUMENTATION
Security Policies
- High-level statements or plans that specify the activities that are required, limited, or forbidden in an organization
- Example: Information systems should be configured to require good security practices in the selection and use of passwords
Requirements
- Constrain a system or process to comply with the security policy
- Example: Information systems must enforce password quality standards

30 SECURITY DOCUMENTATION
Guidelines
- Provide information on how policy can be implemented
- Example: Users should choose a password that is easy for the user to remember but hard for others to guess
Standards
- Statements specifying what shall be used to support security policies and guidelines
- Example: product standards, process standards, technology standards such as TCP/IP

31 SECURITY DOCUMENTATION
Procedures
- Instructions that specify how tasks are to be performed
- Ensure consistent and methodical completion of repetitive tasks
- How to write an information security policy

32 SECURITY DOCUMENTATION
Source: Michael E. Whitman, Principles of Information Security

33 MITIGATION PLANS
Incident Response Plan
- Actions an organization takes during incidents
- Immediate and real-time reaction
Source:

34 MITIGATION PLANS
Disaster Recovery Plan
- Strategies to limit losses before and during a disaster
- Short-term recovery
Business Continuity Plan
- Steps to ensure continuation of the overall business when the scale of a disaster exceeds the DR plan's ability to restore operations
- Long-term operation

35 REFERENCES
- Peter Gregory, CISSP Guide to Security Essentials, Course Technology, 2010
- Steve Elky, An Introduction to Information System Risk Management, SANS, 2006
- Ding Tan, Quantitative Risk Analysis Step-By-Step, SANS, 2002
