INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.

Slides:



Advertisements
Similar presentations
Security+ All-In-One Edition Chapter 17 – Risk Management
Advertisements

INFORMATION RISK MANAGEMENT
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Information Security Principles & Applications
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Weakness is a better teacher than strength.
Information Systems Security Information Security & Risk Management.
Introducing Computer and Network Security
Risk Management: Assessing and Controlling Risk Chapter 5
Dipartimento di Scienze - 19 giugno Pamela Peretti Dottorato di ricerca in Scienze XXI° ciclo scrutinio annuale a.a 2007/2008 Dipartimento di Scienze.
Principles of Information Security, 2nd Edition1 Risk Management.
Lecture 8: Risk Management Controlling Risk
Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Risk Management Vs Risk avoidance William Gillette.
Risk Management Chapter 4.
Introduction to Network Defense
Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, Fifth Edition
Risk Management - Security
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
An Overview of Risk Management
Chapter 11: Project Risk Management
TEL2813/IS2820 Security Management
Principals of Information Security, Fourth Edition
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
Conostix S.A. Sensible defence.
Risk Management and Risk Control
Information Systems Risk Management
Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Lecture 32 Risk Management (Cont’d)
Chapter 11: Project Risk Management
1 TenStep Project Management Process ™ PM00.7 PM00.7 Project Management Preparation for Success * Manage Risk *
Risk Management: Controlling Risk
CE 3031 Risk Management II Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003.
INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,
MANAGEMENT of INFORMATION SECURITY Second Edition.
Alaa Mubaied Risk Management Alaa Mubaied
Risk Management CS5493. Risk Management The process of ● identifying, ● assessing, ● prioritizing, and ● mitigating risks.
Project Risk Management Planning Stage
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
INFORMATION SECURITY MANAGEMENT L ECTURE 7: R ISK M ANAGEMENT I DENTIFYING AND A SSESSING R ISK You got to be careful if you don’t know where you’re going,
Chapter 2: Personnel Security and Risk Management Concepts
Chapter 3: Business Continuity Planning. Planning for Business Continuity Assess risks to business processes Minimize impact from disruptions Maintain.
CST 481/598 Many thanks to Jeni Li.  Risk matrix or cube  Cost effectiveness analysis  Annualized Loss Expectancy  Multi-Attribute Risk Assessment.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY By Collin Donaldson.
Principles of Information Security, Fourth Edition Risk Management Ch4 Part II.
Principles of Information Security, Fourth Edition
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
MANAGEMENT of INFORMATION SECURITY Third Edition C HAPTER 9 R ISK M ANAGEMENT : C ONTROLLING R ISK Weakness is a better teacher than strength. Weakness.
Risk management «Once we know our weaknesses, they cease to do us any harm.» G.C. Lichtenberg.
Identifying and Assessing Risk
Principles of Information Security, Fifth Edition
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Risk management.
MANAGEMENT of INFORMATION SECURITY Second Edition.
INFORMATION RISK MANAGEMENT
Identifying and Assessing Risk
TOPIC 3 RISK MANAGEMENT.
OSG Computer Security Plans
CHAPTER11 Project Risk Management
Air Carrier Continuing Analysis and Surveillance System (CASS)
The Importance of Project Risk Management
Principles of Information Security, Fifth Edition
Cybersecurity Threat Assessment
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Presentation transcript:

INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Introduction To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function

Qualitative Risk Analysis Evaluate opinions, feelings, ideas Scenarios Brainstorming Delphi technique Storyboarding Focus groups Surveys, questionnaires, checklists One-on-one meetings, interviews

Qualitative Risk Assessment For a given scope of assets, identify:  Vulnerabilities  Threats  Threat probability (Low / medium / high)  Impact (Low / medium / high)  Countermeasures

Example of Qualitative Risk Assessment ThreatImpactInitial Probability Counter- measure Residual Probability Flood damageHLWater alarmsL TheftHLKey cards, surveillance, guards L Logical intrusion HMIntrusion prevention system L

Quantitative Risk Assessment Extension of a qualitative risk assessment. Metrics for each risk are:  Asset value: replacement cost and/or income derived through the use of an asset  Exposure Factor (EF): portion of asset's value lost through a threat (also called impact )  Single Loss Expectancy (SLE) = Asset ($) x EF (%)  Annualized Rate of Occurrence (ARO) Probability of loss in a year, %  Annual Loss Expectancy (ALE) = SLE x ARO

Example of Quantitative Risk Assesment Theft of a laptop computer, with the data encrypted Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

Example of Quantitative Risk Assesment Dropping a laptop computer and breaking the screen Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

Qualitative vs. Quantitative

Documenting the Results of Risk Assessment Goals of the risk management process – To identify information assets and their vulnerabilities – To rank them according to the need for protection In preparing this list, a wealth of factual information about the assets and the threats they face is collected The final summarized document is the ranked vulnerability risk worksheet

Risk Control Strategies Choose one of four basic strategies:  Avoidance  Transference  Mitigation  Acceptance

Avoidance The risk control strategy that attempts to prevent the exploitation of the vulnerability Examples

Transference The control approach that attempts to shift the risk to other assets, other processes, or other organizations Examples

Mitigation The control approach that attempts to reduce the damage caused by exploitation of vulnerability Types of Mitigation Plans

Acceptance Do nothing to protect an information asset – To accept the loss when it occurs

Managing Risk Risk appetite (also known as risk tolerance)

Managing Risk – Residual Risk Residual Risk is a combined function of: – Threats, vulnerabilities and assets, less the effects of the safeguards in place

Managing Risk – Residual Risk Once a control strategy has been selected and implemented: – The effectiveness of controls should be monitored and measured on an ongoing basis ( remember our discussion on metrics and baselining ) determines effectiveness and accuracy of the residual risk estimate

Managing Risk – Risk Control Risk control involves selecting one of the four risk control strategies Should the organization ever accept the risk?

Risk Acceptance Source: Course Technology/Cengage Learning Figure 9-2 Risk-handling action points

Feasibility and Cost-Benefit Analysis There are a number of ways to determine the advantage or disadvantage of a specific control The primary means are based on the value of the information assets that it is designed to protect Economic feasibility – Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised

Cost-Benefit Analysis: Cost Factors that affect the cost of a safeguard – Cost of development or acquisition of hardware, software, and services – Training fees – Cost of implementation – Service and maintenance costs

Cost-Benefit Analysis: Benefit The value to the organization of using controls to prevent losses associated with a specific vulnerability

Cost-Benefit Analysis: Asset Valuation The process of assigning financial value or worth to each information asset Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation

An organization must be able to place a dollar value on each information asset it owns Potential loss is that which could occur from the exploitation of vulnerability or a threat occurrence Cost-Benefit Analysis: Asset Valuation

Cost-Benefit Analysis Calculation CBA determines whether or not a control alternative is worth its associated cost CBAs may be calculated before a control or safeguard is implemented Or calculated after controls have been implemented and have been functioning for a time

Cost-Benefit Analysis Calculation CBA = ALE(prior) – ALE(post) – ACS – ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control – ALE (post-control) is the ALE examined after the control has been in place for a period of time – ACS is the annual cost of the safeguard

Example of Cost-Benefit Analysis Calculation Dropping an iPad and breaking the screen Asset value: $700  Exposure factor: 50%  SLE = ?  ARO = 25% chance of damaging  ALE (prior) = ?  Assume the ARO is reduced to 5% by using control  ALE (post) = ? CBA (cost of case = $30)  CBA = ALE(prior) – ALE(post) – ACS  CBA = ?

Example of Cost-Benefit Analysis Calculation Unprotected customer database Asset value: $200,000  Exposure factor: 50%  SLE = ?  ARO = 75% chance of occurring  ALE (prior) = ?  Assume the ARO is reduced to 5% by using control  ALE (post) = ? CBA (ACS = $5,000)  CBA = ALE(prior) – ALE(post) – ACS  CBA = ?

Other Methods of Establishing Feasibility Organizational feasibility analysis Operational feasibility Technical feasibility Political feasibility

Alternatives to Feasibility Analysis Benchmarking Due care and due diligence Best business practices Gold standard Government recommendations Baseline

Risk Management and Employees “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein Types of Employees and Security Knowledge  Those who know  Those who don’t  Those who think they know but don’t