Published by Blaze Anderson, modified over 9 years ago
1
Risk Management October 1998
2
What is RISK MANAGEMENT? –The process concerned with identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
3
Course Objective –The student will be able to DETERMINE a risk index.
4
Introduction to Risk Management: the Risk Management Cycle
–Identify the Risk Areas
–Assess the Risks (Risk Assessment)
–Develop Risk Management Plan
–Implement Risk Management Actions (Risk Mitigation)
–Re-evaluate the Risks
5
Balance of Risk Management: Risk Management sits between the two extremes of Risk Ignorance and Risk Avoidance.
6
RISK –The likelihood that a particular threat, using a specific attack, will exploit a particular vulnerability of a system that results in an undesirable consequence. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
7
THREAT -Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or the denial of service. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
8
Threat Example - Hackers
9
Threat Example - Electrical Storms
10
Definition of Likelihood –LIKELIHOOD of the threat occurring is the estimation of the probability that a threat will succeed in achieving an undesirable event.
11
Considerations in Assessing the Likelihood of Threat –Presence of threats –Tenacity of threats –Strengths of threats –Effectiveness of safeguards
12
Statistical Threat Data
13
Two Schools of Thought on Likelihood Calculation: Assume vs. Don’t Assume
14
ATTACK –An attempt to gain unauthorized access to an information system’s services, resources, or information, or the attempt to compromise an information system’s integrity, availability, or confidentiality, as applicable. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
15
VULNERABILITY –Weakness in an information system, cryptographic system, or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
16
Vulnerability Example
17
CONSEQUENCE –A consequence is that which logically or naturally follows an action or condition.
18
RM/RA: RISK MANAGEMENT, RISK ASSESSMENT, RISK MITIGATION
19
RISK ASSESSMENT -A process of analyzing THREATS to and VULNERABILITIES of an information system and the POTENTIAL IMPACT the loss of information or capabilities of a system would have. The resulting analysis is used as a basis for identifying appropriate and cost-effective counter-measures. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
20
Why Risk Assessment?
21
Benefits of Risk Assessment –Increased awareness –Assets, vulnerabilities, and controls –Improved basis for decisions –Justification of expenditures
22
Risk Assessment Process –Identify assets –Determine vulnerabilities –Estimate likelihood of exploitation –Compute expected loss
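The four-step process above ends in "compute expected loss". The following is an added example, not from the deck, of how the quantitative method does that step for a small constructed asset register; the ALE formula (single loss expectancy times annual rate of occurrence) and the safeguard-worth comparison are standard quantitative practice assumed here, not stated on the slide.

```python
# Added example (not from the deck): expected-loss step of the quantitative method.
# Asset values, exposure factors and threat frequencies are constructed sample data.
# Formula assumed here (standard quantitative method, not stated on the slide):
#   single loss expectancy  SLE = asset value * exposure factor
#   annualized loss         ALE = SLE * annual rate of occurrence
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    asset_value: float      # replacement/impact value in dollars
    exposure_factor: float  # fraction of the asset value lost per event (0..1)
    annual_rate: float      # expected events per year (the likelihood estimate)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate


def rank_by_expected_loss(scenarios):
    """Return scenarios ordered from largest to smallest annualized loss."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def safeguard_worth(scenario, residual_rate, annual_cost):
    """Net value of a countermeasure: ALE before minus ALE after minus its
    annual cost. Positive means it pays for itself (justifies the expenditure)."""
    before = scenario.ale()
    after = scenario.sle() * residual_rate
    return before - after - annual_cost


# Constructed register mirroring the deck's threat examples (hackers, storms).
REGISTER = [
    Scenario("customer database", "hacker intrusion", 500_000, 0.60, 0.20),
    Scenario("server room", "electrical storm", 200_000, 0.25, 0.50),
    Scenario("paper records", "unauthorized disclosure", 50_000, 1.00, 0.10),
]

if __name__ == "__main__":
    for s in rank_by_expected_loss(REGISTER):
        print(f"{s.asset:18} {s.threat:24} SLE={s.sle():>9,.0f} ALE={s.ale():>9,.0f}")
    # Hypothetical safeguard: cuts intrusion rate from 0.20 to 0.05/yr at $15,000/yr
    print("safeguard net worth:", safeguard_worth(REGISTER[0], 0.05, 15_000))
```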
23
Identify Assets –People, documentation, supplies
24
Properties of Value Analysis -Confidentiality -Integrity -Availability -Non-repudiation
25
Definition -Confidentiality: Assurance that information is not disclosed to unauthorized persons, processes, or devices. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
26
Definition - Integrity: Quality of an information system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software implementing the protection mechanisms; and the consistency of the data structures and occurrence of the stored data. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
27
Definition -Availability: Timely, reliable access to data and information services for authorized users. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
28
Definition -Non-repudiation: Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
29
Determine Vulnerabilities –Open Network –Open Communications Lines
30
Likelihood
31
Expected Loss
32
Risk Measure –RISK MEASURE is a description of the kinds and degrees of risk to which the organization or system is exposed.
33
Communicating Risk –To be useful, the measurement should reflect what is truly important to the organization.
34
How do we calculate risk?
35
Primary Risk Calculation Methodologies: Quantitative & Qualitative
36
The Quantitative Method
37
The Qualitative Method
38
Qualitative Example: –“The system is weak in this area and we know that our adversary has the capability and motivation to get to the data in the system so the likelihood of this event occurring is high.”
39
Quantitative and Qualitative Merged
40
Delphi Approach
41
Probability Density Function
42
Examples of documented risk assessment systems –Aggregated Countermeasures Effectiveness (ACE) Model –Risk Assessment Tool –Information Security Risk Assessment Model (ISRAM) –Dollar-based OPSEC Risk Analysis (DORA) –Analysis of Networked Systems Security Risks (ANSSR) –Profiles –NSA ISSO INFOSEC Risk Assessment Tool
43
Formula for Risk dv + zqm/ {2a} bc = wxyz lm +op * dz = tgm\bvd 2b or n2b mkt/40 = 9j*X
44
Threat and Vulnerability Revisited –Threat: The capability or intention to exploit, or any circumstance or event with the potential to cause harm, such as a hacker. –Vulnerability: A weakness in a system that can be exploited.
45
Threat + Vulnerability
46
Likelihood vs. Consequence
47
Likelihood –The Likelihood of a successful attack is the probability that an adversary would succeed in carrying out an attack.
48
Factors influencing an attack –Level of threat –Vulnerabilities –Countermeasures applied
49
Determine Level of Threat –Criteria for evaluating the level of threat: History; Capability; Intention or motivation
50
Determine Vulnerabilities
51
Criteria for Evaluating the Vulnerability –Number of vulnerabilities –Nature of vulnerability –Countermeasures
52
COUNTERMEASURE –A countermeasure is an action, device, procedure, or technique used to eliminate or reduce one or more vulnerabilities.
53
Examples of Countermeasures –Procedures: security policies and procedures; training; personnel transfer –Hardware: doors, window bars, fences; paper shredder; alarms, badges –Manpower: guard force
54
CONSEQUENCE –A consequence is that which logically or naturally follows an action or condition.
55
Determination of the Consequence of the Attack –“The worse the consequence of a threat harming the system, the greater the risk” (diagram labels: Attack, Success, Consequence)
56
Risk Calculation Process
–determine: the threat; the vulnerability; the likelihood of attack; the consequence of an attack
–apply this formula by: postulating attacks; estimating the likelihood of a successful attack; evaluating the consequences of those successful attacks
57
NSA ISSO Risk Assessment Methodology –Developed in the NSA Information Systems Security Organization –Used for INFOSEC Products and Systems –Can Use During Entire Life Cycle –Not Widely Used Outside of DI
58
The NSA ISSO Risk Assessment Process –Understanding the system –Developing attack scenarios –Understanding the severity of the consequences –Creating a risk plane –Generating a report
59
The Risk Plane –X-axis: The likelihood of a successful attack –Y-axis: The severity of the consequences of that successful attack.
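Placing the attack scenarios from the NSA ISSO process on the risk plane, as an added example that is not the deck's or the methodology's own code: the five-point severity scale, the likelihood bands and the scenarios themselves are constructed assumptions.

```python
# Added example (not from the deck): attack scenarios on the risk plane,
# X = likelihood of a successful attack (0..1), Y = severity of consequences (1..5).
# Scale choices and the scenario list are constructed assumptions.

# Constructed attack scenarios: (name, likelihood 0..1, severity 1..5)
SCENARIOS = [
    ("remote login guessing", 0.70, 3),
    ("insider data copy", 0.30, 5),
    ("storm power loss", 0.50, 2),
    ("physical theft of tapes", 0.10, 5),
]


def risk_score(likelihood: float, severity: int) -> float:
    """Distance from the plane's origin; larger means further into the
    high-likelihood / high-severity corner. Severity is normalised to 0..1."""
    return (likelihood ** 2 + ((severity - 1) / 4) ** 2) ** 0.5


def rank(scenarios):
    """Scenarios ordered from most to least risky by plane position."""
    return sorted(scenarios, key=lambda s: risk_score(s[1], s[2]), reverse=True)


def risk_plane(scenarios, width=10, height=5):
    """Render the plane as text: rows are severity 5..1 (top to bottom),
    columns are likelihood bands of width 1/width; a scenario is marked by
    the first letter of its name."""
    grid = [["." for _ in range(width)] for _ in range(height)]
    for name, likelihood, severity in scenarios:
        col = min(int(likelihood * width), width - 1)
        row = height - severity
        grid[row][col] = name[0].upper()
    return "\n".join("".join(r) for r in grid)


if __name__ == "__main__":
    print(risk_plane(SCENARIOS))
    for name, lk, sev in rank(SCENARIOS):
        print(f"{name:24} likelihood={lk:.2f} severity={sev} score={risk_score(lk, sev):.2f}")
```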
60
Risk Index Risk Index, as defined by the “Yellow Book”, is the disparity between the minimum clearance or authorization of system users and the maximum sensitivity of data processed by a system.
61
Risk Index –Minimum User Clearance = Rmin –Maximum Data Sensitivity = Rmax –Risk Index = Rmax - Rmin
62
Rating Scale for Minimum User Clearance (Rmin)
63
Rating Scale for Maximum Data Sensitivity (Rmax)
64
Computer Security Requirements (* = Security Requirements Beyond State of the Art)
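Determining a risk index with the slide's formula (Risk Index = Rmax - Rmin), as an added example that is not the deck's own material: the Rmin and Rmax rating scales and the minimum-class table are my transcription of the Yellow Book (CSC-STD-003-85), since the deck's own tables are not reproduced on this page, and the zero floor for users cleared at or above the data goes slightly beyond the slide's one-line formula.

```python
# Added example (not from the deck): risk index per the slide's Rmax - Rmin.
# Scales and class table are assumed from CSC-STD-003-85 (the "Yellow Book");
# verify against the standard before relying on them.

# Minimum user clearance ratings (Rmin), Yellow Book Table 1 (assumed).
RMIN_SCALE = {
    "U": 0,       # uncleared
    "N": 1,       # not cleared, but authorized access to sensitive unclassified data
    "C": 2,       # Confidential
    "S": 3,       # Secret
    "TS/BI": 4,   # Top Secret, current background investigation
    "TS/SBI": 5,  # Top Secret, current special background investigation
    "1C": 6,      # one category
    "MC": 7,      # multiple categories
}

# Maximum data sensitivity ratings (Rmax), Yellow Book Table 2 (assumed).
RMAX_SCALE = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5, "1C": 6, "MC": 7}

# Minimum evaluation class, open security environment (assumed);
# "*" marks requirements beyond the state of the art, as on the slide.
MIN_CLASS = {0: "C1", 1: "C2", 2: "B1", 3: "B2", 4: "B3", 5: "A1", 6: "*", 7: "*"}


def risk_index(rmin: int, rmax: int, unauthorized_categories: bool = False) -> int:
    """Slide formula Rmax - Rmin. When users are cleared at or above the data
    (Rmin >= Rmax) the Yellow Book assigns 0, or 1 if the system holds
    categories to which some users are not authorized."""
    if rmin >= rmax:
        return 1 if unauthorized_categories else 0
    return rmax - rmin


def evaluate(min_clearance: str, max_sensitivity: str):
    """Look up both ratings and return (risk index, minimum evaluation class)."""
    ri = risk_index(RMIN_SCALE[min_clearance], RMAX_SCALE[max_sensitivity])
    return ri, MIN_CLASS[ri]


if __name__ == "__main__":
    # Constructed cases: Secret-cleared users on a Top Secret system,
    # uncleared users on a multi-category system, over-cleared users.
    for rmin, rmax in [("S", "TS"), ("U", "MC"), ("TS/SBI", "C")]:
        ri, cls = evaluate(rmin, rmax)
        print(f"Rmin={rmin:7} Rmax={rmax:3} -> risk index {ri}, minimum class {cls}")
```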
65
Automated Risk Assessment Tools
66
NIST Special Publication 500-174
67
LAVA: Los Alamos Vulnerability and Risk Assessment Tool
68
Threats Considered by LAVA –natural and environmental hazards –accidental and intentional on-site human threats (including the authorized insider) –off-site human threats
69
RiskPAC –a knowledge-based system that uses a questionnaire metaphor to interact with the user and measure risk in government-related and other topics.
70
A.L.E.: Annualized Loss Exposure Calculator
71
RISKWATCH (screenshot of the tool's seven numbered steps)
72
Risk Management Research Laboratory
73
Risk Mitigation –Risk Mitigation is any step taken to reduce risk.
74
Residual Risk –Portion of risk remaining after security measures have been applied. (Definition from National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, Aug. 1997)
75
Residual Risk and Safeguards
76
Summary –Risk Mitigation –Risk Calculation Methods –Risk Index
77
?
78
Sampling of General INFOSEC Resources on the Web
–Defense Information Systems Agency (DISA) Awareness and Training Facility: http://www.disa.mil/ciss/cissitf.html
–Information Security News: http://www.infosecnews.com/
–Information Security Mall: http://niim.bus.utexas.edu/
–National INFOSEC Education Colloquium: http://www.infosec.jmu.edu/ncisse
–International Information Systems Security Certification Consortium: http://www.isc2.org/
–National Institute for Standards and Technology (NIST) Computer Security Clearinghouse: http://csrc.nist.gov/welcome.html
–National INFOSEC Telecommunications and Information Systems Security Committee (NSTISSC): http://www.nstissc.gov
–President’s Commission on Critical Infrastructure Protection: http://www.pccip.gov/
–Security Site Links: http://www.sscs.net/resources/secsites_list.htm
79
Sampling of Web Addresses for Colleges and Universities with INFOSEC Courses, Programs, Centers
–Dartmouth College: http://www.dartmouth.edu/pub/security/
–George Mason University Center for Secure Info Systems: http://www.isse.gmu.edu~csis/index.html
–Georgia Tech Information Security Center: http://www.samnunnforum.gatech.edu/web.html
–Harvard University: http://www.harvard.edu
–Idaho State University: http://bibo.isu.edu/security/security.html
–Indiana University: http://www.cs.indiana.edu
–Iowa State: http://vulcan.ee.iastate.edu
–James Madison University: http://www.jmu.edu/
–National Defense University: http://www.ndu.edu/irmc/
–North Carolina State University: http://www.ncsu.edu
–Purdue University: http://www.cs.purdue.edu/coast.html
–University of California at Davis: http://www.ucdavis.edu
–University of Texas, Austin: http://wwwhost.ots.utexas.edu/mac/pub-mac-virus-html
–Western Connecticut State University: http://www.wcsu.ctstateu.edu/mis/homepage.html