
INFORMATION SECURITY MANAGEMENT – Lecture 8: Risk Management – Controlling Risk


1 Information Security Management – Lecture 8: Risk Management – Controlling Risk
"You got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra

2 Managing Risk (cont'd.)
[Figure 9-1: Residual risk. Source: Course Technology/Cengage Learning]

3 Managing Risk – Risk Control
Risk control involves selecting one of the four risk control strategies.
Should the organization ever accept the risk?

4 Risk Control Cycle
[Figure 9-3: Risk control cycle. Source: Course Technology/Cengage Learning]

5 Cost Benefit – Asset Valuation
– Asset value: replacement cost and/or income derived through the use of an asset
– Exposure Factor (EF): portion of the asset's value lost through a threat (also called impact)
– Single Loss Expectancy (SLE) = Asset value ($) x EF (%)

6 Cost Benefit – Asset Valuation
– Annualized Rate of Occurrence (ARO): probability of loss in a year, %
– Annual Loss Expectancy (ALE) = SLE x ARO

7 Example of Quantitative Risk Assessment
Theft of a laptop computer, with the data encrypted
– Asset value: $4,000
– Exposure factor?
– SLE, ARO, ALE?

8 Example of Quantitative Risk Assessment
Dropping a laptop computer and breaking the screen
– Asset value: $4,000
– Exposure factor?
– SLE, ARO, ALE?

9 Cost-Benefit Analysis Calculation
CBA = ALE(prior) – ALE(post) – ACS
– ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control
– ALE(post-control) is the ALE examined after the control has been in place for a period of time
– ACS is the annual cost of the safeguard

10 Example of Cost-Benefit Analysis Calculation
Dropping an iPad and breaking the screen
– Asset value: $700
– Exposure factor: 50%
– SLE =
– ARO = 25% chance of damaging
– ALE (prior) =
– ALE (post) =
– CBA (cost of case = $30): CBA = ALE(prior) – ALE(post) – ACS
– CBA =

11 Example of Cost-Benefit Analysis Calculation
Unprotected customer database
– Asset value: $200,000
– Exposure factor: 50%
– SLE =
– ARO = 75% chance of occurring
– ALE (prior) =
– ALE (post) =
– CBA (ACS = $5,000): CBA = ALE(prior) – ALE(post) – ACS
– CBA =
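The SLE, ALE and CBA arithmetic from slides 5, 6 and 9 applied to the iPad and customer-database exercises, as an added worked example (not code from the lecture). The asset values, exposure factors, AROs and safeguard costs are the slide's numbers; the post-control AROs (a 5% chance of screen damage with a case, a 10% chance of loss for the protected database) are assumptions, since the slides leave ALE(post) blank. The break-even helper goes slightly beyond the slide: it reports the most an organization could spend per year on a safeguard before CBA turns negative.

```python
"""Quantitative risk arithmetic: SLE = asset x EF, ALE = SLE x ARO,
CBA = ALE(prior) - ALE(post) - ACS. Added example; not the lecture's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for one asset, before or after a control is in place."""
    name: str
    asset_value: float      # replacement cost and/or income derived from the asset, in $
    exposure_factor: float  # EF: fraction of the asset value lost per loss event (0.0..1.0)
    aro: float              # annualized rate of occurrence: expected loss events per year

    def sle(self) -> float:
        """Single Loss Expectancy = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def cba(prior: Scenario, post: Scenario, annual_cost_of_safeguard: float) -> float:
    """Cost-benefit of a control: CBA = ALE(prior) - ALE(post) - ACS.
    A positive result means the safeguard saves more than it costs each year."""
    return prior.ale() - post.ale() - annual_cost_of_safeguard


def break_even_acs(prior: Scenario, post: Scenario) -> float:
    """Largest annual safeguard cost at which CBA is still >= 0 (the ALE reduction itself)."""
    return prior.ale() - post.ale()


# Slide 10: dropping an iPad and breaking the screen. Slide values: $700, EF 50%, ARO 25%.
IPAD_PRIOR = Scenario("iPad, no case", asset_value=700, exposure_factor=0.50, aro=0.25)
# ASSUMPTION (not on the slide): a $30 case cuts the chance of screen damage to 5% per year.
IPAD_POST = Scenario("iPad, with case", asset_value=700, exposure_factor=0.50, aro=0.05)
IPAD_CASE_ACS = 30.0

# Slide 11: unprotected customer database. Slide values: $200,000, EF 50%, ARO 75%, ACS $5,000.
DB_PRIOR = Scenario("customer DB, unprotected", asset_value=200_000, exposure_factor=0.50, aro=0.75)
# ASSUMPTION (not on the slide): the $5,000/year control reduces the ARO to 10%.
DB_POST = Scenario("customer DB, protected", asset_value=200_000, exposure_factor=0.50, aro=0.10)
DB_ACS = 5_000.0


def report(prior: Scenario, post: Scenario, acs: float) -> str:
    """Lay the numbers out in the order the slide asks for them."""
    lines = [
        f"{prior.name}: SLE = ${prior.sle():,.2f}, ARO = {prior.aro:.0%}, ALE(prior) = ${prior.ale():,.2f}",
        f"{post.name}: ALE(post) = ${post.ale():,.2f} (post-control ARO assumed {post.aro:.0%})",
        f"ACS = ${acs:,.2f}  ->  CBA = ${cba(prior, post, acs):,.2f}",
        f"break-even ACS = ${break_even_acs(prior, post):,.2f}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(IPAD_PRIOR, IPAD_POST, IPAD_CASE_ACS))
    print()
    print(report(DB_PRIOR, DB_POST, DB_ACS))
```

Under these assumptions the iPad case is marginally worth it (CBA = $40 per year, break-even at $70), while the database control is clearly justified (CBA = $60,000 per year). Changing only the assumed post-control ARO is the quickest way to see how sensitive a CBA is to the estimate of how much a control actually reduces likelihood.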

12 Recommended Risk Control Practices
– Qualitative/Quantitative Approach
– OCTAVE Methods
– Microsoft Risk Management Approach
– FAIR

13 Qualitative and Hybrid Measures
– Quantitative assessment
– Qualitative assessment
– Hybrid assessment

14 OCTAVE Method
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
Variations of the OCTAVE method:
– The original OCTAVE method
– OCTAVE-S
– OCTAVE-Allegro
www.cert.org/octave/

15 Microsoft Risk Management Approach
Four phases in the Microsoft InfoSec risk management process:
– Assessing risk
– Conducting decision support
– Implementing controls
– Measuring program effectiveness
www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

16 Microsoft Risk Management Approach
[Figure A-1: Security Risk Management Guide. Source: Course Technology/Cengage Learning]

17 Factor Analysis of Information Risk (FAIR)
Basic FAIR analysis comprises four stages:
– Stage 1 – Identify scenario components
– Stage 2 – Evaluate loss event frequency
– Stage 3 – Evaluate probable loss magnitude (PLM)
– Stage 4 – Derive and articulate risk
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low.
http://fairwiki.riskmanagementinsight.com

18 FAIR (cont'd.)
[Figure 9-4: Factor analysis of information risk (FAIR). Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning (based on concepts from Jack A. Jones)]

19 Health First Case Study – Analyzing Risk

20 Step 1: Define Assets

21 Consider Consequential Financial Loss

| Asset Name | $ Value Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes |
| Medical DB | | | C? I? A? | Daily Operation (DO); Medical Malpractice (M); HIPAA Liability (H); Notification Law Liability (NL) |

22 Step 1: Define Assets – Consider Consequential Financial Loss

| Asset Name | $ Value Direct Loss: Replacement $ Value | Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes |
| Medical DB | | DO + M + H + NL | C I A | Daily Operation (DO) $; Medical Malpractice (M) $; HIPAA Liability (H) $; Notification Law Liability (NL) $ |

23 HIPAA Criminal Penalties

| $ Penalty | Imprisonment | Offense |
| Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information |
| Up to $100K | Up to 5 years | … committed under false pretenses |
| Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm |

Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

24 Step 2: Estimate Potential Loss for Threats; Step 3: Estimate Likelihood of Exploitation
– Normal threats: threats common to all organizations
– Inherent threats: threats particular to your specific industry
– Known vulnerabilities: previous audit reports indicate deficiencies

25 Step 2: Estimate Potential Loss for Threats; Step 3: Estimate Likelihood of Exploitation

26 Step 4: Compute Expected Loss; Step 5: Treat Risk

Step 4: Compute E(Loss) – ALE = SLE * ARO

| Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE) |

Step 5: Treat Risk
– Risk Acceptance: handle the attack when necessary
– Risk Avoidance: stop doing the risky behavior
– Risk Mitigation: implement a control to minimize the vulnerability
– Risk Transference: pay someone to assume the risk for you
– Risk Planning: implement a set of controls
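Steps 1 through 4 of the Health First case study carried through in code, as an added example that is not part of the lecture. It follows the Step 1 table: the Medical DB asset is valued as its direct replacement cost plus the consequential components DO, M, H and NL, and each threat is tagged with the CIA properties it compromises so that only the consequential losses that property loss would trigger are counted (a modeling choice made here, not stated on the slides). All dollar amounts, exposure factors and AROs are constructed for illustration; the $50K HIPAA figure is the first tier of the slide 23 penalty table. The output is the Step 4 table, sorted by ALE so the Step 5 treatment decision can start with the largest expected loss.

```python
"""Health First case study, steps 1-4: asset value with consequential loss,
threats with likelihoods, and the Asset / Threat / SLE / ARO / ALE table.
Added example with constructed figures; not the lecture's own code or data."""
from dataclasses import dataclass

C, I, A = "C", "I", "A"   # confidentiality, integrity, availability


@dataclass(frozen=True)
class LossComponent:
    """One consequential-loss line from the Step 1 table (DO, M, H or NL)."""
    code: str
    amount: float               # $ consequential loss if the component is triggered
    triggered_by: frozenset     # CIA properties whose loss triggers this component


@dataclass(frozen=True)
class Asset:
    name: str
    replacement_value: float    # direct loss: replacement $ value
    consequential: tuple        # LossComponent entries

    def value_if(self, affected: frozenset) -> float:
        """Direct replacement value plus every consequential component
        that the affected CIA properties would trigger."""
        extra = sum(c.amount for c in self.consequential if c.triggered_by & affected)
        return self.replacement_value + extra


@dataclass(frozen=True)
class Threat:
    name: str
    category: str               # "normal", "inherent" or "known vulnerability" (Step 3)
    affects: frozenset          # CIA properties this threat compromises
    exposure_factor: float      # Step 2: fraction of the (triggered) value lost per event
    aro: float                  # Step 3: expected occurrences per year


@dataclass(frozen=True)
class Row:
    asset: str
    threat: str
    sle: float
    aro: float
    ale: float


# Step 1: define the asset. ASSUMED figures; the slide leaves the $ cells blank.
MEDICAL_DB = Asset("Medical DB", replacement_value=40_000, consequential=(
    LossComponent("DO", 25_000, frozenset({I, A})),   # daily operations stop if records are corrupt or unavailable
    LossComponent("M", 150_000, frozenset({I})),      # malpractice exposure from acting on corrupted records
    LossComponent("H", 50_000, frozenset({C})),       # HIPAA liability, first tier on slide 23 (up to $50K)
    LossComponent("NL", 30_000, frozenset({C})),      # breach-notification law costs
))

# Steps 2 and 3: threats with ASSUMED exposure factors and AROs.
THREATS = (
    Threat("Wrongful disclosure of patient records", "inherent", frozenset({C}), 1.00, 0.10),
    Threat("Records corrupted by software defect", "normal", frozenset({I, A}), 0.25, 0.50),
    Threat("Database server hardware failure", "normal", frozenset({A}), 0.50, 0.20),
)


def expected_loss(asset: Asset, threat: Threat) -> Row:
    """Step 4 for one asset/threat pair: SLE = value x EF, ALE = SLE x ARO."""
    sle = asset.value_if(threat.affects) * threat.exposure_factor
    return Row(asset.name, threat.name, sle, threat.aro, sle * threat.aro)


def expected_loss_table(asset: Asset, threats) -> list:
    """All rows of the Step 4 table for one asset, largest ALE first."""
    rows = [expected_loss(asset, t) for t in threats]
    return sorted(rows, key=lambda r: r.ale, reverse=True)


def total_ale(rows) -> float:
    """Sum of annual expected loss across the table."""
    return sum(r.ale for r in rows)


def format_table(rows) -> str:
    """Render the table with the column order the slide uses."""
    out = [f"{'Asset':<11}{'Threat':<42}{'SLE':>12}{'ARO':>7}{'ALE':>12}"]
    for r in rows:
        out.append(f"{r.asset:<11}{r.threat:<42}{r.sle:>12,.0f}{r.aro:>7.0%}{r.ale:>12,.0f}")
    out.append(f"{'Total ALE':<60}{'':>7}{total_ale(rows):>12,.0f}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_table(expected_loss_table(MEDICAL_DB, THREATS)))
```

With these constructed figures, record corruption tops the table even though disclosure has the larger SLE, because ARO weighs the integrity threat more heavily; that is the ordering Step 5 should work from when deciding which risks to mitigate, transfer, avoid or accept.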

