CST 481/598 Many thanks to Jeni Li
Presentation transcript:

CST 481/598 Many thanks to Jeni Li

- Risk matrix or cube
- Cost effectiveness analysis
- Annualized Loss Expectancy
- Multi-Attribute Risk Assessment
- Monte Carlo analysis
- … et cetera

- Vulnerability
- Threat
- Impact

- Cost of recovering lost or modified data
- Business value of unrecoverable data
- Lost productivity due to down time
- Replacement cost of physical assets
- Fines and penalties
  - For unauthorized disclosures or posting inaccurate information
  - Damage compensation to compromised customers
  - Fines imposed by regulatory agencies
- Damage to reputation

(more or less)

- Asset identification and valuation
- Threat/vulnerability assessment
- Risk calculation
- Countermeasure selection

- From Jones/Ashenden text
- R = V x T x I
- Useful for visuals and comparisons
- Not much else

- Combines soft and hard numbers
- Can use estimates or probability tables
- Examples: ROSI, CRAMM

- ALE = SLE x ARO
  - SLE: Single Loss Expectancy
    - How much will it cost if it happens once?
  - ARO: Annualized Rate of Occurrence
    - How many times a year will it happen?
- Actual losses will vary, of course
  - Poisson distribution, Monte Carlo analysis

- Used to introduce “controlled randomness”
- Goal: Make estimates more realistic
- Often used with ALE models
- Used in latest version of ROSI
- Many algorithms exist
- Some information for the interested
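The two slides above (ALE = SLE x ARO, and Monte Carlo on top of it) carried through in an added Python example that is not part of the original slides: incident counts per year are drawn from a Poisson distribution with rate ARO, each incident's loss is drawn from a lognormal distribution whose mean is the SLE, and the simulated mean is compared with the point estimate. The SLE of $50k, ARO of 0.4 and the lognormal spread are constructed figures, not values from the lecture.

```python
import math
import random


def deterministic_ale(sle, aro):
    """Point estimate from the slide: ALE = SLE x ARO."""
    return sle * aro


def poisson(rng, lam):
    """Number of incidents in a year ~ Poisson(lam); Knuth's method, fine for small lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sle, aro, years=20000, sigma=0.5, seed=1):
    """Simulate `years` independent years and return each year's total loss.

    Incident count per year is Poisson(ARO). Each incident's loss is lognormal
    with mean SLE (mu is shifted by -sigma^2/2 so the mean stays exactly SLE);
    sigma is an assumed spread controlling how far one loss can stray from SLE.
    """
    rng = random.Random(seed)          # fixed seed: results are reproducible
    mu = math.log(sle) - sigma ** 2 / 2
    totals = []
    for _ in range(years):
        n = poisson(rng, aro)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def summarize(totals):
    """Mean (converges to SLE x ARO) plus the tail figures a point estimate hides."""
    s = sorted(totals)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {
        "mean": sum(s) / len(s),
        "p50": pct(0.50),
        "p95": pct(0.95),
        "zero_loss_years": sum(1 for t in s if t == 0) / len(s),
    }


if __name__ == "__main__":
    SLE, ARO = 50_000.0, 0.4   # constructed figures: $50k per incident, 0.4 per year
    print("ALE point estimate:", deterministic_ale(SLE, ARO))
    print(summarize(simulate_annual_losses(SLE, ARO)))
```

With an ARO below 1 most simulated years show zero loss (the median is 0) while the 95th percentile sits well above the ALE, which is the spread the point estimate hides.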

- Origin: UK government
- Commercial software (cramm.com)
- Used by UK, NATO, Dutch military, T-Mobile
- Used for ISO compliance
- Can be used to justify cost of controls
- Based on statistical analysis of other agencies
  - Detailed departmental questionnaires
  - Or informed estimates (Express version)
- Database of controls
  - Pre-assigned effectiveness, cost/benefit values

- Origin and user: AU government
- Freely available
- Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment
- User-assigned values for TRA descriptions

- Origin: Carnegie-Mellon University
- Based on Multi-Attribute Risk Assessment
- Categorizes attributes of impact
  - Revenue, Reputation, Productivity, Penalties
- Likelihood, impact ratings based on industry peer review
- Emphasizes coverage of threats
  - Protect, Detect, React
- Doesn’t quantify risk financially

- Avoidance
- Reduction
- Retention
- Transfer

- Get out of (or don’t get into) the risky business
- Do this when…
  - Probability of a loss is high
  - Potential impact is high
  - Gain from continuing the function is low

- Protect, detect, react
- This is what we usually think of in IS
- Do this when…
  - Probability of a loss is high
  - Potential impact is low

- Protect
  - Prevent the threat from meeting with the vulnerability
- Detect
  - Discover and respond to a threat before it causes too much damage
- React (Recover)
  - Minimize impact after an incident

- “Cost of doing business”
- Live with it when…
  - Probability of a loss is low
  - Potential impact is low
  - Gain from continuing the function is high

- Common methods
  - Buy insurance
  - Outsource the risky function
- Do this when…
  - Probability of a loss is low
  - Potential impact is high
  - Gain from continuing the function is high