Published by Oscar Stafford. Modified over 9 years ago.
Visual 3.1 Lesson 3: Risk Assessment and Risk Mitigation

Visual 3.2 Objective
At the end of Lesson 3, you will be able to describe:
- several approaches to risk assessment,
- considerations in developing and selecting countermeasures,
- the importance of the management decision, and
- reasons why risk management is really an art instead of a science.

Visual 3.3 The Variable Nature of the Elements of Risk

Visual 3.4 Risk is Commonplace

Visual 3.5 Qualitative Data
- Description of the qualities, elements, or ingredients of a variable
- Example: "This is not a nice day"
Visual 3.6 Quantitative Data
- Allows the variable to be measured
- Numerical values may be assigned based on measured observations
- Example: Temp 75 °F, Humidity 45%, Barometer 29.35"

Visual 3.7 Purpose of Risk Assessment (Bottom Line)
- Permit managers to make reasoned decisions regarding risk to the organization's mission

Visual 3.8 Using Risk Management Terms: The Catcher at Risk

Visual 3.9 Risk Assessment: Questions to Be Answered
- What is the relationship of the system to the customer's mission?
- What are all of the undesirable events that could happen and affect the mission?
- How could they happen?
- Realistically, what are the chances of them happening?
- Suppose such an event happens: how much damage could be done?

Visual 3.10 Performing a Risk Assessment
- Define the purpose of the assessment
- Identify the product or system
- Select the assessment approach
- Gather information
- Develop attack scenarios
- Estimate risk parameters
- Produce the assessment report
Visual 3.11 Define the Purpose of the Assessment
- What is the general situation?
- What decisions are to be made as a result of the risk assessment?
- Who will make the decisions?

Visual 3.12 Identify and Bound the Product or System: Decide on the Scope or Depth of the Assessment

Visual 3.13 Organize for the Assessment
- Individual
- Individuals
- Group or team of individuals
- Groups

Visual 3.14 Define Relationships
- How will individuals, groups, etc., work together performing the tasks of:
  - data collection
  - analysis
  - synthesis
  - conclusions
  - recommendations

Visual 3.15 What do Analysts do?
- Identify threats and their characteristics
- Gather and exchange information
- Develop attack scenarios
  - Confidentiality
  - Integrity
  - Availability
- Postulate potential consequences
  - Impact on the organization's mission
- Estimate risk parameters

Visual 3.16 Information Sources
- Knowledge of individual team members
- Computer Emergency Response Team Coordination Center, etc.
- Outside experts
- Systems administrators, managers, etc.
- Users
- Threat assessments and other reports
Visual 3.17 Threat Characteristics (diagram): the conditional likelihood that an adversary can succeed
- Inputs: capability, motivation, willingness
- Likelihood of attack (given capable)
- Likelihood of success, the threat value (given attempted and capable)

Visual 3.18 Threat Sources
- Nature: estimated from historical data
- Unintentional human error: estimated from historical data
- Technological failure: estimated from historical data
- Adversarial: estimated from a threat assessment

Visual 3.19 Adversarial Threat Characteristics
- Objectives (as opposed to ours)
- Intentions
- Motivation to act
- Willingness to accept risk
- Willingness to accept cost
- Technical capability
- Resources

Visual 3.20 Gather and Exchange Information
- Define what the system does
- Define the environment
- Determine data sensitivity
- Identify system users
- Identify vulnerabilities

Visual 3.21 Gather Information
- How does the system support the mission?

Visual 3.22 Gather Information
- Define the environment

Visual 3.23 Gather Information
- Determine data sensitivity, including its value to an adversary and its value to the mission

Visual 3.24 Gather Information
- Identify system users and their need for the system and its information

Visual 3.25 Gather Information
- Identify potential vulnerabilities

Visual 3.26 Develop Attack Scenarios
Threat agents:
- Adversarial
- Nature
- Human error
- Technological failure
Targets:
- Confidentiality
- Integrity
- Availability
- Others
Visual 3.27 Avenues of Attack (table by target: Confidentiality, Integrity, Availability). Avenues listed: network connection, public switch, public power, application software, communications, local power, firewall, UPS, remote access, physical access, insiders, crypto, TEMPEST.

Visual 3.28 Determine Potential Consequences
- Impact on the information system,
- resulting in impact on the organization's mission

Visual 3.29 Estimate Risk Parameters
- Likelihood of success:
  - that a credible threat exists,
  - with the capability to attack, and
  - the willingness and intention to do so
- Consequences:
  - the degree of damage resulting from an attack

Visual 3.30 Assessing Risk (grid: consequence on the vertical axis, likelihood of success on the horizontal axis)
Visual 3.31 Attack Scenario No. 1 (diagram: Coalition Force IS connected to U.S. Forces IS)
Coalition Force ISs are heavily dependent upon the Internet, have few security features, and lack procedural discipline.

Visual 3.32 Estimate of Risk, Attack Scenario #1 (3x3 grid: consequence Lo/Med/Hi on the Y axis, likelihood of success Lo/Med/Hi on the X axis; scenario A-1 plotted)

Visual 3.33 Estimate of Risk, Attacks #1 through 8 (same grid; scenarios A-1/3/4, A-2/7, A-5, A-6 and A-8 plotted, with scenarios that share a cell grouped together)

Visual 3.34 Rating Overlay (the same 3x3 grid with each cell rated H, M or L: three cells rated H, five rated M, one rated L)

Visual 3.35 Likelihood of Success, Attack Scenario #1 (the grid of Visual 3.33 with the rating overlay applied, so each plotted scenario takes the H/M/L rating of its cell)
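The matrix slides (Visuals 3.30 through 3.35) and the threat-characteristics chain of Visual 3.17 can be put into working form. The following is an added example written for this page, not code from the lesson: it multiplies the conditional likelihoods (capable, attacks given capable, succeeds given attempted and capable) into a likelihood of success, bands it into Lo/Med/Hi, looks the scenario up in a rating overlay, and ranks and plots the scenarios the way Visual 3.35 does. The cut points 0.2 and 0.6, the exact cell-by-cell layout of the overlay (the slides show three H, five M and one L cells but not which cell is which), and the scenario values are all assumptions; only the scenario names follow the slides.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Qualitative bands used on the matrix slides, lowest to highest.
LEVELS = ("Lo", "Med", "Hi")

# Rating overlay (Visual 3.34): rows are consequence, columns are likelihood
# of success. Three H, five M and one L cells as on the slide; this exact
# placement is an assumption made for the example.
RATING_OVERLAY = {
    "Hi":  {"Lo": "M", "Med": "H", "Hi": "H"},
    "Med": {"Lo": "M", "Med": "M", "Hi": "H"},
    "Lo":  {"Lo": "L", "Med": "M", "Hi": "M"},
}
RATING_ORDER = {"H": 0, "M": 1, "L": 2}   # for ranking, most serious first


def to_level(p: float) -> str:
    """Band a likelihood in [0, 1] into Lo/Med/Hi (cut points are an assumption)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"likelihood must be in [0, 1], got {p!r}")
    if p < 0.2:
        return "Lo"
    if p < 0.6:
        return "Med"
    return "Hi"


@dataclass(frozen=True)
class Threat:
    """Threat characteristics of Visual 3.17 expressed as conditional likelihoods."""
    capable: float                 # P(adversary has the technical capability)
    attacks_given_capable: float   # P(attack | capable): motivation and willingness
    succeeds_given_attempt: float  # P(success | attempted and capable)

    def likelihood_of_success(self) -> float:
        # The threat value: the chain of conditional likelihoods multiplied out.
        return self.capable * self.attacks_given_capable * self.succeeds_given_attempt


@dataclass(frozen=True)
class Scenario:
    name: str          # e.g. "A-1"
    target: str        # Confidentiality / Integrity / Availability
    threat: Threat
    consequence: str   # Lo / Med / Hi damage to the mission

    def __post_init__(self) -> None:
        if self.consequence not in LEVELS:
            raise ValueError(f"consequence must be one of {LEVELS}")


def likelihood_level(s: Scenario) -> str:
    return to_level(s.threat.likelihood_of_success())


def rate(s: Scenario) -> str:
    """Look the scenario up in the rating overlay: H, M or L."""
    return RATING_OVERLAY[s.consequence][likelihood_level(s)]


def rank(scenarios: Iterable[Scenario]) -> List[Tuple[str, str, str, str]]:
    """Rows of (name, likelihood level, consequence, rating), most serious first."""
    def key(s: Scenario):
        return (RATING_ORDER[rate(s)],
                -LEVELS.index(s.consequence),
                -s.threat.likelihood_of_success())
    return [(s.name, likelihood_level(s), s.consequence, rate(s))
            for s in sorted(scenarios, key=key)]


def render_matrix(scenarios: Iterable[Scenario]) -> str:
    """ASCII version of Visual 3.35: overlay ratings with the scenarios plotted in."""
    cells = {(c, l): [] for c in LEVELS for l in LEVELS}
    for s in scenarios:
        cells[(s.consequence, likelihood_level(s))].append(s.name)
    lines = ["CONSEQUENCE \\ LIKELIHOOD OF SUCCESS",
             "     " + "".join(f"{l:>16}" for l in LEVELS)]
    for c in reversed(LEVELS):                 # Hi consequence on the top row
        row = f"{c:>4} "
        for l in LEVELS:
            names = ",".join(cells[(c, l)]) or "-"
            row += f"{RATING_OVERLAY[c][l] + ': ' + names:>16}"
        lines.append(row)
    return "\n".join(lines)


# Constructed sample: the names follow the slides, the values are invented.
SAMPLE_SCENARIOS = [
    Scenario("A-1", "Availability",    Threat(0.9, 0.8, 0.9), "Hi"),
    Scenario("A-2", "Confidentiality", Threat(0.5, 0.5, 0.6), "Med"),
    Scenario("A-3", "Integrity",       Threat(0.7, 0.6, 0.7), "Hi"),
    Scenario("A-4", "Availability",    Threat(0.3, 0.2, 0.5), "Lo"),
    Scenario("A-5", "Availability",    Threat(1.0, 0.3, 0.8), "Med"),
]

if __name__ == "__main__":
    print(render_matrix(SAMPLE_SCENARIOS))
    for row in rank(SAMPLE_SCENARIOS):
        print("%-4s likelihood=%-3s consequence=%-3s rating=%s" % row)
```

The point of banding before rating is the one the lesson makes about art versus science: the numbers feeding `Threat` are estimates, so two scenarios whose estimates differ slightly can land in the same cell and get the same H/M/L rating, and the decision maker sees the cell, not the decimals.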
Visual 3.36 Risk Assessment Methodology
- Aids decision makers
- Promotes discussion
- Focuses on the most serious problems
- Early identification of risk
- Highlights recurring problems
- Aids concurrent engineering

Visual 3.37 Risk Mitigation (diagram: the manager applies a countermeasure against the risk)

Visual 3.38 Countermeasure Considerations
- What is the cost vs. benefit?
- Are we creating another vulnerability?
- Are people involved? If so, will they participate?
- How long is the countermeasure needed?
- How long will the countermeasure be effective?

Visual 3.39 Cost vs. Benefit
- Cost in:
  - dollars
  - time to implement
  - impact on operations
- Benefit: results
Visual 3.40 The Catcher at Risk

Visual 3.41 Risk Mitigation: At What Cost?

Visual 3.42 Creating New Vulnerabilities
- Law of unanticipated consequences (diagram: the risk analyst's countermeasure introduces a new vulnerability)

Visual 3.43 People Considerations
- Are people involved? Will they participate in the solution? (diagram: countermeasure and user)

Visual 3.44 Time Consideration
- How long is the countermeasure needed?

Visual 3.45 Time Consideration
- How long will the countermeasure be effective?
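The countermeasure questions of Visuals 3.38 through 3.45 (cost vs. benefit, new vulnerabilities, people, how long it is needed, how long it is effective) work as a screen applied to each candidate against the risk cell it is meant to move. The following is an added example written for this page, not the lesson's own material: it re-rates the cell after the countermeasure knocks bands off likelihood or consequence, then records an objection for each question that comes out badly. The overlay layout, the rule that a high operational impact or a zero rating drop is an objection, and the sample countermeasures, dates and budget are assumptions made for the example; the slides pose the questions without fixing any of these.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, List, Optional

LEVELS = ("Lo", "Med", "Hi")
# Rating overlay: rows are consequence, columns are likelihood of success.
# Cell placement is an assumption (the slide shows three H, five M, one L).
RATING_OVERLAY = {
    "Hi":  {"Lo": "M", "Med": "H", "Hi": "H"},
    "Med": {"Lo": "M", "Med": "M", "Hi": "H"},
    "Lo":  {"Lo": "L", "Med": "M", "Hi": "M"},
}
RATING_ORDER = {"H": 0, "M": 1, "L": 2}


def step_down(level: str, steps: int) -> str:
    """Lower a Lo/Med/Hi level by `steps` bands, never below Lo."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost_dollars: float
    days_to_implement: int
    ops_impact: str                    # Lo / Med / Hi impact on operations
    likelihood_reduction: int          # bands knocked off likelihood of success
    consequence_reduction: int         # bands knocked off consequence
    needs_user_participation: bool     # Visual 3.43
    effective_until: Optional[date]    # Visual 3.45; None = no known expiry
    new_vulnerability: Optional[str]   # Visual 3.42; None = none identified


@dataclass
class Screening:
    residual_rating: str
    rating_drop: int                   # bands of improvement on the H/M/L scale
    objections: List[str] = field(default_factory=list)
    questions: List[str] = field(default_factory=list)

    @property
    def recommended(self) -> bool:
        return self.rating_drop > 0 and not self.objections


def screen(cm: Countermeasure, likelihood: str, consequence: str,
           today: date, needed_until: date, budget: float) -> Screening:
    """Apply the Visual 3.38 questions to one countermeasure for one risk cell."""
    before = RATING_OVERLAY[consequence][likelihood]
    after = RATING_OVERLAY[step_down(consequence, cm.consequence_reduction)][
        step_down(likelihood, cm.likelihood_reduction)]
    result = Screening(after, RATING_ORDER[after] - RATING_ORDER[before])
    # Cost vs. benefit (Visual 3.39): dollars, time to implement, impact on operations.
    if cm.cost_dollars > budget:
        result.objections.append(f"cost ${cm.cost_dollars:,.0f} exceeds budget ${budget:,.0f}")
    ready = today + timedelta(days=cm.days_to_implement)
    if ready > needed_until:
        result.objections.append(f"not in place until {ready}, after the need ends {needed_until}")
    if cm.ops_impact == "Hi":            # veto rule is the example's own choice
        result.objections.append("high impact on operations")
    if result.rating_drop <= 0:
        result.objections.append(f"no change in rating (stays {before})")
    # Are we creating another vulnerability? (Visual 3.42)
    if cm.new_vulnerability:
        result.objections.append(f"introduces a new vulnerability: {cm.new_vulnerability}")
    # How long is it needed vs. how long is it effective? (Visuals 3.44 and 3.45)
    if cm.effective_until is not None and cm.effective_until < needed_until:
        result.objections.append(
            f"effective only until {cm.effective_until}, needed until {needed_until}")
    # Are people involved, and will they participate? (Visual 3.43) A question
    # for the manager to settle, not an automatic objection.
    if cm.needs_user_participation:
        result.questions.append("depends on users participating; confirm that they will")
    return result


def shortlist(cms: Iterable[Countermeasure], likelihood: str, consequence: str,
              today: date, needed_until: date, budget: float) -> List[str]:
    """Names of the countermeasures that pass every screen, cheapest first."""
    passing = [cm for cm in cms
               if screen(cm, likelihood, consequence, today, needed_until, budget).recommended]
    return [cm.name for cm in sorted(passing, key=lambda cm: cm.cost_dollars)]


# Constructed sample for an H-rated cell (Hi likelihood, Hi consequence).
TODAY = date(2025, 1, 6)
NEEDED_UNTIL = date(2025, 12, 31)
BUDGET = 250_000.0
SAMPLE_COUNTERMEASURES = [
    Countermeasure("Move coalition links off the public Internet", 180_000, 120, "Med", 2, 0, False, None, None),
    Countermeasure("Perimeter firewall", 40_000, 30, "Lo", 1, 0, False, None, None),
    Countermeasure("Interim crypto keys", 10_000, 10, "Lo", 2, 0, False, date(2025, 6, 30), None),
    Countermeasure("Shared admin password rotation", 0, 5, "Lo", 1, 1, True, None,
                   "password list circulated by e-mail"),
]

if __name__ == "__main__":
    for cm in SAMPLE_COUNTERMEASURES:
        r = screen(cm, "Hi", "Hi", TODAY, NEEDED_UNTIL, BUDGET)
        print(cm.name, "->", r.residual_rating, "recommended" if r.recommended else r.objections, r.questions)
    print("shortlist:", shortlist(SAMPLE_COUNTERMEASURES, "Hi", "Hi", TODAY, NEEDED_UNTIL, BUDGET))
```

Two of the sample outcomes are the ones the slides warn about: the firewall lowers likelihood a band but the cell stays H under this overlay, so it is cost without benefit; the interim keys move the risk to M but expire in June while the need runs to December, so the gap has to be covered by something else. The password rotation is cheap and moves the cell, but introduces a new vulnerability and depends on users, which is the management decision the lesson says the assessment should surface rather than hide.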
Visual 3.46 Risk Assessment Reality
- Are we sure of the threat?
- Have we identified all vulnerabilities?
- Have we considered all possible attacks?
- Is our estimate of consequence correct?
- Is all of this art or science?

Visual 3.47 Never Ending Cycle (diagram: assessing risk and mitigating risk, repeating)