Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Risks; All-in-One Terminology

Published byUtami Hartanto Modified over 5 years ago

Similar presentations

Presentation on theme: "Information Security Risks; All-in-One Terminology"— Presentation transcript:

1 Information Security Risks; All-in-One Terminology

2 Information Security Risk Management Lifecycle with some Basic Elements
(controls)

3 Qualitative Risk Analysis (Nitel Risk Analizi)
Generally used in Information Security Hard to make meaningful valuations and meaningful probabilities Relative ordering is faster and more important Many approaches to performing qualitative risk analysis Same basic steps as quantitative analysis Still identifying asserts, threats, vulnerabilities, and controls Just evaluating importance differently 3

4 Qual. Risk Analysis in 10 steps
Step 1: Identify Scope Bound the problem Step 2: Assemble team Include subject matter experts, management in charge of implementing, users Step 3: Identify Threats Pick from lists of known threats Brainstorm new threats Mixing threats and vulnerabilities here... 4

5 Step 4: Threat prioritization
Prioritize threats for each assert Likelihood of occurrence (note that this is likelihood because it is not a statistical probability value) Define a fixed threat rating E.g., Low(1) … High(5) Associate a rating with each threat Note: Approximation to the risk probability in quantitative approach 5

6 Step 5: Loss Impact With each threat determine loss impact
Define a fixed ranking E.g., Low(1) … High(5) Used to prioritize damage to asset from threat 6

7 Step 6: Total impact 6 3 2 Theft 10 5 Water 15 Fire Risk Factor
Example 2: Another alternative method, where the scaled qualitative values are multiplied) 6 3 2 Theft 10 5 Water 15 Fire Risk Factor Impact Priority Threat Priority Threat 7

8 Step 7: Identify Controls/Safeguards
Potentially come into the analysis with an initial set of possible controls Associate controls with each threat Starting with high priority risks Do cost-benefits and coverage analysis (Step 8) Rank controls (Step 9) 8

9 Step 8: Safeguard (Control) Evaluation
Step 9: Rank these Controls ! 9

10 Step 10: Communicate Results
Most risk analysis projects result in a written report Generally not read Make a good executive summary Beneficial to track decisions. Real communication done in meetings an presentations 10

11 Another Qualitative Inf. Sec
Another Qualitative Inf. Sec. Risk Assessment Example (by multiplying the scaled values)

12

Download ppt "Information Security Risks; All-in-One Terminology"

Similar presentations

Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.

Note: See the text itself for full citations. Information Technology Project Management, Seventh Edition.
Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.

Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.
1 By the name of the god Risk management Dr. Lo ’ ai Tawalbeh DONE BY: AMNA ISMAIL RASHAN.

1 By the name of the god Risk management Dr. Lo ’ ai Tawalbeh DONE BY: AMNA ISMAIL RASHAN.
Introducing Computer and Network Security

Introducing Computer and Network Security
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
Heuristic Evaluation IS 485, Professor Matt Thatcher.

Heuristic Evaluation IS 485, Professor Matt Thatcher.
CS498IA – Information Assurance Spring 2007

CS498IA – Information Assurance Spring 2007
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Chapter Extension 22 Managing Computer Security Risk © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 22 Managing Computer Security Risk © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Introduction to Network Defense

Introduction to Network Defense
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
1 Security Risk Management Liping Cai 02/01/2006.

1 Security Risk Management Liping Cai 02/01/2006.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.

1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.

WMD & Emergency Planning Steps Session 12. Emergency Planning Steps Vulnerability Assessment Mitigation Efforts Emergency Response Planning Recovery.

Similar presentations

Ads by Google