Presentation transcript:

Slide 1: Figure 11-3: Risk Analysis
Financially Sensible Protections
  - Risk analysis: balance risks and countermeasure costs
Enumeration of Assets
  - Assets: things to be protected (hosts, data, etc.)
  - Up-to-date asset lists must be created first (can be very difficult)
  - Asset responsibilities: each asset should have someone accountable for it

Slide 2: Figure 11-3: Risk Analysis
Asset Classification
  - Business continuity asset classifications
      - Scope and degree of disruption: how many things are affected, how bad the damage is
      - Financial impacts of a slowdown or shutdown
  - Cost-of-repairs asset classification

Slide 3: Figure 11-3: Risk Analysis
Threat Assessment
  - Threat likelihood
  - Difficulty of estimation
Responding to Risk
  - Risk reduction: implement countermeasures
  - Risk acceptance: do nothing; suitable for low-threat risks and expensive countermeasures
  - Risk transference: get insurance; good for low-probability risks

Slide 4: Figure 11-3: Risk Analysis
Risk Analysis Calculations
  - Threat severity analysis (expected loss)
      - Cost of the attack if it succeeds times the probability that the attack will succeed
      - Expressed in terms of some time period, such as a year
  - Value of protection
      - Reduction in threat severity (the benefit) minus the cost of the countermeasure
      - Invest in a countermeasure only if the value of protection is positive

Slide 5: Figure 11-3: Risk Analysis
Risk Analysis Calculations
  - Priority
      - Invest in countermeasures with the greatest value of protection first
  - Return on investment (ROI) analysis
      - For a single-year countermeasure, value of protection divided by the cost of the countermeasure

Slide 6: Figure 11-3: Risk Analysis
Risk Analysis Calculations
  - Return on investment (ROI) analysis
      - For multiple-year investments, discounted cash flow analysis of multi-year values of protection and countermeasure investments
  - ROI allows investments of different sizes to be compared directly
  - There usually is a hurdle rate of 15% to 25%, and investments that fall below the hurdle rate will not be accepted
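The calculations in slides 4 to 6 (threat severity, value of protection, prioritization, single-year ROI, and a multi-year discounted cash flow ROI checked against a hurdle rate) worked through as an added example; this code is not from the original slides, and every threat, countermeasure, probability and dollar figure in it is constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    cost_if_success: float  # dollar loss if the attack succeeds
    p_success: float        # probability the attack succeeds within one year

@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: Threat
    p_after: float          # success probability once the countermeasure is in place
    annual_cost: float      # cost of the countermeasure for the year

def threat_severity(t: Threat) -> float:
    """Expected annual loss: cost of a successful attack times its probability."""
    return t.cost_if_success * t.p_success

def value_of_protection(cm: Countermeasure) -> float:
    """Reduction in threat severity (the benefit) minus the countermeasure's cost."""
    residual = Threat(cm.threat.name, cm.threat.cost_if_success, cm.p_after)
    return threat_severity(cm.threat) - threat_severity(residual) - cm.annual_cost

def single_year_roi(cm: Countermeasure) -> float:
    """ROI for a one-year countermeasure: value of protection over its cost."""
    return value_of_protection(cm) / cm.annual_cost

def prioritize(cms: list) -> list:
    """Keep only countermeasures with positive value of protection, largest first."""
    worth_it = [cm for cm in cms if value_of_protection(cm) > 0]
    return [cm.name for cm in sorted(worth_it, key=value_of_protection, reverse=True)]

def multi_year_roi(benefits: list, investments: list, rate: float) -> float:
    """Discounted cash flow ROI: present value of the yearly values of protection
    against the present value of investments; index 0 is year 0 (today)."""
    pv = lambda flows: sum(f / (1 + rate) ** year for year, f in enumerate(flows))
    return (pv(benefits) - pv(investments)) / pv(investments)

def clears_hurdle(roi: float, hurdle: float = 0.20) -> bool:
    """Investments below the hurdle rate (typically 15% to 25%) are rejected."""
    return roi >= hurdle

# Constructed figures for illustration only (not from the slides)
RANSOMWARE = Threat("ransomware on file server", 200_000, 0.10)
PHISHING = Threat("phishing credential theft", 50_000, 0.30)
OFFLINE_BACKUPS = Countermeasure("offline backups", RANSOMWARE, 0.02, 5_000)
GOLD_PLATED_EDR = Countermeasure("gold-plated EDR suite", RANSOMWARE, 0.0, 25_000)
AWARENESS_TRAINING = Countermeasure("awareness training", PHISHING, 0.15, 3_000)
```

The gold-plated suite eliminates the threat entirely yet has a negative value of protection, so the slide rule says not to buy it; the three-year backup purchase clears a 20% hurdle while the same purchase over two years does not.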

Slide 7: Figure 11-3: Risk Analysis
Qualitative Risk Analysis
  - Danger of business termination: can't be put entirely into dollar terms
  - Loss of reputation: difficult to quantify but very important

Slide 8: Figure 11-4: Corporate Security Architecture
Security Architectures
  - Technical security architecture: countermeasures and their organization into a system
  - Architectural decisions: plan broadly before installing specific systems
  - Start in the design phase if possible: the earlier the better
  - Deal with legacy security technologies

Slide 9: Figure 11-4: Corporate Security Architecture
Five Principles
  - Defense in depth
      - Attacker must break through several defenses to succeed
      - Safe even if a vulnerability is discovered in one line of defense; the vulnerability can be fixed without break-ins

Slide 10: Figure 11-4: Corporate Security Architecture
Five Principles
  - Single points of vulnerability
      - The dangers of single points of vulnerability
      - The need for central security management consoles may require accepting a single point of vulnerability (takeover of the management system)

Slide 11: Figure 11-4: Corporate Security Architecture
Five Principles
  - Diversity of vendors
      - Security effectiveness: each product will miss some things; jointly they will miss less
      - Product vulnerabilities: each will have some; jointly they will have fewer
      - Vendor survival: if one vendor fails, the others will continue

Slide 12: Figure 11-4: Corporate Security Architecture
Five Principles
  - Minimizing security burdens on functional departments
  - Implementing the planning, protecting, and responding phases well

Slide 13: Figure 11-4: Corporate Security Architecture
Elements of a Security Architecture
  - Border management: border firewalls, etc.
  - Internal site management: to protect against internal threats
  - Management of remote connections: remote users and outsiders are difficult
  - Interorganizational systems: linking the computer systems of two organizations
  - Centralized management: control from a single place where information is gathered