1
CYSM Risk Assessment Methodology
Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Union
2nd Steering Committee Meeting, Athens, Greece, 29th May 2014
Spyros Papastergiou, University of Piraeus Research Centre
2
CYSM Risk Assessment Methodology 29/05/2014
Target Group
The CYSM Risk Assessment Methodology is oriented:
– to cover the security and safety requirements of the demanding sector of commercial ports,
– to assess all the physical and cyber facilities required for the robust and uninterrupted operation of ports:
  physical facilities such as buildings, platforms, gates, marinas, data centers, platform;
  cyber facilities such as networks, equipment, satellites, servers, relay stations, tributary stations, information, etc.
3
CYSM Risk Assessment Methodology Requirements
The CYSM Risk Assessment Methodology should satisfy:
– Compatible with standards (e.g. ISO 27001 and the ISPS Code)
– Multi-scope analytic: able to perform risk analysis using different scopes
– Collaborative: ensures collaboration among all port users
– Broad analytic: analyses sectoral, interconnected and interdependent threats
– Time and resource economical: avoids the plethora of questionnaires and frustrating interviews with all participants
– Accurate: derives accurate results
– Good functional requirements: needs to be clear for all actors involved, precise, and measurable
– Easy to implement: the methodology is easy to implement
– Well documented: all steps of the methodology can be documented in a clear format with clear outcomes for each step
– Responsibility centric: the methodology has to be oriented to users' roles
4
General Approach of CYSM Methodology
5
Facility Cartography (Phase 1)
6
Step 1: Identification of the organizational structure.
Step 2: Classification of the employees based on their positions.
Step 3: Definition of the Risk Assessment boundary: selection of the physical and/or ICT port facilities that will be evaluated.
Step 4: Identification and categorization of the evaluated assets.
Step 5: Identification of the correlations between the assets (e.g. correlation between network and software assets, hardware and information assets, etc.).
Step 6: Identification of the controls applied to each asset.
7
Impact Assessment (Phase 2)
8
All assets are evaluated according to:
– seven Impact Criteria,
– various Scenarios, such as:
  Financial Losses (Direct Financial Consequences, Indirect and Long-term Financial Consequences)
  Legal Consequences (Privacy Issues, Sensitive and Personal Data, Commercial Data, Competition Related Issues, Justice Issues, Private Agreements Issues, Non-Disclosure Agreement Issues, Intellectual Property/Copyright Issues)
  Reputation Consequences (Public Confidentiality Issues regarding the Organization, Confidentiality Issues regarding Suppliers and Shareholders for the Organization …
9
Personal Impact Assessment: each user evaluates the assets based on the impact that the asset will have if an incident occurs. The value for each criterion is the maximum value over all scenarios for that criterion. The impact value of a specific asset for each participant is the maximum value over all criteria for that asset.
Overall Impact Assessment: the impact value of a specific asset derived from each department is calculated. The final impact of a specific asset is the maximum value over all departments.
10
Threat Analysis (Phase 3)
Estimation of the likelihood of occurrence of each threat
11
Identification of threats for each asset category
– A list of threats is formulated taking into account:
  internal experience from incidents and past threat assessments;
  threat catalogues available from industry/standardization bodies, national governments, legal bodies, etc.
– The identified threats are grouped into various categories:
  Physical Threats (e.g. Earthquake, Flood, Hurricane, Lightning)
  Technological Threats (e.g. Hardware Malfunction)
  Environmental Threats (e.g. Pollution, Chemicals)
  Human Threats (e.g. Network Attacks, Virus Attack, Unauthorized Access)
  Organized or Deliberate Attack (e.g. Terrorist Attack - Explosive Mechanism, Sabotage, Arson)
  Data Lesion Threats (e.g. Malicious Data Corruption, Unauthorized Access to Data)
12
Personal Threat Assessment: each user evaluates the threats to each asset.
Overall Threat Assessment: the likelihood of occurrence of each threat to a specific asset derived from each department is calculated. The final likelihood of occurrence of each threat to a specific asset is the maximum value over all departments.
13
Vulnerability Analysis (Phase 4)
Estimation of the level of exploitation of a vulnerability by a threat, taking into account the applied controls
14
Identification of the vulnerabilities associated with the defined threats
– A list of vulnerabilities is formulated taking into account:
  internal experience;
  previous audit controls;
  penetration tests;
  vulnerability catalogues available from industry/standardization bodies, national governments, legal bodies, etc.
15
Personal Vulnerability Assessment: each user evaluates the vulnerabilities of each asset according to the correlated threats.
Overall Vulnerability Assessment: the level of exploitation of a vulnerability by a threat derived from each department is calculated. The final level of exploitation of a vulnerability by a threat is then derived from all departments.
16
Risk Determination (Phase 5)
Calculation of the Risk value (R) of each asset
17
Risk Mitigation (Phase 6)
Proposal of a list of countermeasures required to be implemented in order to minimize the identified risks
18
Case Study
CYSM usage case: a port adopts the proposed CYSM methodology in order to assess the gaps and weaknesses of the underlying infrastructure, to measure the efficiency of its applied countermeasures and to evaluate the corresponding risks.
The port consists of three departments (Department 1, 2 and 3, with weights 2, 3 and 5 respectively) and each department has three employees (Unit Manager (weight 5), senior officer (weight 3) and junior officer (weight 2)).
Scenario 1 – The Unit Manager of the department with the maximum weight (Department 3) answered differently from all the other participants.
Scenario 2 – All departments' Unit Managers gave the same answers, but different ones from the employees of their departments.
Scenario 3 – The Unit Manager and the employees of the department with the maximum weight (Department 3) answered differently from all the other participants.
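Added example (not the CYSM project's own code) that puts the max-based aggregation of the Impact and Threat Assessment slides together with the case-study weights: a participant's value is the maximum over scenarios and criteria, and the final asset value is the maximum over departments; the same functions apply to threat likelihood or vulnerability exploitation levels by feeding per-threat scores in place of criteria. The slides do not say how a department's value is "calculated" from its participants or which score scale is used, so the example assumes a weight-normalised mean of participants using the 5/3/2 role weights and a 1..5 scale; the department weights 2/3/5 play no role in the max-over-departments step and are left out.

```python
"""Added example, not the CYSM project's own code: the max-based aggregation the
slides describe for Personal/Overall Impact Assessment and reuse for threat
likelihood. The department-level step is only described as "calculated";
it is ASSUMED here to be a weight-normalised mean of the participants' personal
values, with the participant weights taken from the case study (5/3/2)."""
from typing import Callable, Dict, List

# Scores use an ASSUMED 1..5 ordinal scale; the slides do not state the scale.
Participant = Dict[str, object]   # {"weight": int, "criteria": {crit: {scenario: score}}}
ROLE_WEIGHTS = {"Unit Manager": 5, "senior officer": 3, "junior officer": 2}

def personal_impact(criteria: Dict[str, Dict[str, int]]) -> int:
    """Criterion value = max over its scenarios; asset value = max over criteria."""
    return max(max(scenarios.values()) for scenarios in criteria.values())

def department_impact(participants: List[Participant]) -> float:
    """ASSUMPTION: weighted mean, so a Unit Manager (weight 5) pulls the department
    value toward their answer without overriding the other participants."""
    total = sum(p["weight"] for p in participants)
    return sum(p["weight"] * personal_impact(p["criteria"]) for p in participants) / total

def overall_impact(port: Dict[str, List[Participant]]) -> float:
    """Final asset impact = maximum over all departments, as stated on the slide."""
    return max(department_impact(ps) for ps in port.values())

def build_port(score_of: Callable[[str, str], int]) -> Dict[str, List[Participant]]:
    """Constructed three-department port from the case study. Every participant
    rates one asset on two criteria with two scenarios each, using score_of()."""
    port: Dict[str, List[Participant]] = {}
    for dept in ("Department 1", "Department 2", "Department 3"):
        port[dept] = []
        for role, weight in ROLE_WEIGHTS.items():
            s = score_of(dept, role)
            criteria = {"Financial": {"direct": s, "indirect": max(1, s - 1)},
                        "Legal": {"privacy": max(1, s - 1), "commercial": s}}
            port[dept].append({"weight": weight, "criteria": criteria})
    return port

# Case-study scenarios (constructed scores): deviating participants answer 5, everyone else 2.
SCENARIOS = {
    1: lambda dept, role: 5 if dept == "Department 3" and role == "Unit Manager" else 2,
    2: lambda dept, role: 5 if role == "Unit Manager" else 2,
    3: lambda dept, role: 5 if dept == "Department 3" else 2,
}

def case_study() -> Dict[int, float]:
    """Overall impact of the single asset under each case-study scenario."""
    return {n: overall_impact(build_port(f)) for n, f in SCENARIOS.items()}
```

Under these assumptions a single deviating Unit Manager (Scenario 1) raises the overall value to 3.5 rather than to the 5 they reported, and only a whole department answering 5 (Scenario 3) drives the overall value to 5, which is what the max-over-departments rule implies.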
19
Observations
Based on the above scenarios:
– the method is able to capture the opinions, experience and expertise of the employees engaged in the risk assessment process and produce solid results;
– the method is made resistant against outliers and model deviations by robust estimation of the risks;
– the method is not affected by the number of participants;
– the produced results are robust to variations in model parameters;
– the reliability of the results is indicated by the observation that the experience and expertise of the participants are taken into consideration.
20
Thank you very much
Spyros Papastergiou
paps@unipi.gr
Co-funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Union