Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 8: Risk Management Controlling Risk

Published byCody Ellis Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 8: Risk Management Controlling Risk"— Presentation transcript:

1 Lecture 8: Risk Management Controlling Risk
INFORMATION SECURITY MANAGEMENT Lecture 8: Risk Management Controlling Risk You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Introduction To keep up with the competition, organizations must design and create a safe environment in which business processes and procedures can function

3 Risk Control Strategies
Choose one of four basic strategies: Avoidance Transference Mitigation Acceptance

4 Avoidance The risk control strategy that attempts to prevent the exploitation of the vulnerability Examples

5 Transference The control approach that attempts to shift the risk to other assets, other processes, or other organizations Examples

6 Mitigation The control approach that attempts to reduce the damage caused by exploitation of vulnerability Types of Mitigation Plans

7 Acceptance Do nothing to protect an information asset
To accept the loss when it occurs This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure

8 Managing Risk Risk appetite (also known as risk tolerance)

9 Managing Risk – Residual Risk
Residual Risk is a combined function of: Threats, vulnerabilities and assets, less the effects of the safeguards in place

10 Managing Risk – Residual Risk
Once a control strategy has been selected and implemented: The effectiveness of controls should be monitored and measured on an ongoing basis (remember our discussion on metrics and baselining) determines effectiveness and accuracy of the residual risk estimate

11 Managing Risk – Risk Control
Risk control involves selecting one of the four risk control strategies Should the organization ever accept the risk?

12 Risk Acceptance Figure 9-2 Risk-handling action points
Source: Course Technology/Cengage Learning

13 Feasibility and Cost-Benefit Analysis
There are a number of ways to determine the advantage or disadvantage of a specific control The primary means are based on the value of the information assets that it is designed to protect Economic feasibility Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised

14 Cost-Benefit Analysis: Cost
Factors that affect the cost of a safeguard Cost of development or acquisition of hardware, software, and services Training fees Cost of implementation Service and maintenance costs

15 Cost-Benefit Analysis: Benefit
The value to the organization of using controls to prevent losses associated with a specific vulnerability

16 Cost-Benefit Analysis: Asset Valuation
The process of assigning financial value or worth to each information asset Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation

17 Cost-Benefit Analysis: Asset Valuation
An organization must be able to place a dollar value on each information asset it owns Potential loss is that which could occur from the exploitation of vulnerability or a threat occurrence

18 Cost-Benefit Analysis Calculation
CBA determines whether or not a control alternative is worth its associated cost CBAs may be calculated before a control or safeguard is implemented Or calculated after controls have been implemented and have been functioning for a time

19 Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control ALE (post-control) is the ALE examined after the control has been in place for a period of time ACS is the annual cost of the safeguard

20 Example of Cost-Benefit Analysis Calculation
Dropping an iPad and breaking the screen Asset value: $700 Exposure factor: 50% SLE = ? ARO = 25% chance of damaging ALE (prior) = ? Assume the ARO is reduced to 5% by using control ALE (post) = ? CBA (cost of case = $30) CBA = ALE(prior) – ALE(post) – ACS CBA = ?

21 Example of Cost-Benefit Analysis Calculation
Unprotected customer database Asset value: $200,000 Exposure factor: 50% SLE = ? ARO = 75% chance of occurring ALE (prior) = ? Assume the ARO is reduced to 5% by using control ALE (post) = ? CBA (ACS = $5,000) CBA = ALE(prior) – ALE(post) – ACS CBA = ?

22 Other Methods of Establishing Feasibility
Organizational feasibility analysis Operational feasibility Technical feasibility Political feasibility

23 Alternatives to Feasibility Analysis
Benchmarking Due care and due diligence Best business practices Gold standard Government recommendations Baseline

24 Risk Management and Employees
“Only two things are finite, the universe and human stupidity, and I’m not sure about the former.” - Albert Einstein Types of Employees and Security Knowledge Those who know Those who don’t Those who think they know but don’t

Download ppt "Lecture 8: Risk Management Controlling Risk"

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
INFORMATION RISK MANAGEMENT

INFORMATION RISK MANAGEMENT
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Information Security Principles & Applications

Information Security Principles & Applications
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Weakness is a better teacher than strength.

Weakness is a better teacher than strength.
Controls Definition: Process of exercising a restraining or guiding influence over the activities of an object, organism, or system.

Controls Definition: Process of exercising a restraining or guiding influence over the activities of an object, organism, or system.
Introducing Computer and Network Security

Introducing Computer and Network Security
Risk Management: Assessing and Controlling Risk Chapter 5

Risk Management: Assessing and Controlling Risk Chapter 5
Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT

Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT
Principles of Information Security, 2nd Edition1 Risk Management.

Principles of Information Security, 2nd Edition1 Risk Management.
Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.

Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Risk Management Vs Risk avoidance William Gillette.

Risk Management Vs Risk avoidance William Gillette.
Risk Management Chapter 4.

Risk Management Chapter 4.
Introduction to Network Defense

Introduction to Network Defense
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Principles of Information Security, Fifth Edition

Principles of Information Security, Fifth Edition
Risk Management - Security

Risk Management - Security

Similar presentations

Ads by Google