Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.

Published bySilvester Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you."— Presentation transcript:

1 INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Managing Risk (cont’d.) Source: Course Technology/Cengage Learning Figure 9-1 Residual risk

3 Managing Risk – Risk Control Risk control involves selecting one of the four risk control strategies Should the organization ever accept the risk?

4 Risk Control Cycle Source: Course Technology/Cengage Learning Figure 9-3 Risk control cycle

5 Cost Benefit – Asset Valuation Asset value: replacement cost and/or income derived through the use of an asset Exposure Factor (EF): portion of asset's value lost through a threat (also called impact) Single Loss Expectancy (SLE) = Asset ($) x EF (%)

6 Cost Benefit – Asset Valuation Annualized Rate of Occurrence (ARO) Probability of loss in a year, % Annual Loss Expectancy (ALE) = SLE x ARO

7 Example of Quantitative Risk Assesment Theft of a laptop computer, with the data encrypted Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

8 Example of Quantitative Risk Assesment Dropping a laptop computer and breaking the screen Asset value: $4,000 Exposure factor ? SLE, ARO, ALE ?

9 Cost-Benefit Analysis Calculation CBA = ALE(prior) – ALE(post) – ACS – ALE (prior to control) is the annualized loss expectancy of the risk before the implementation of the control – ALE (post-control) is the ALE examined after the control has been in place for a period of time – ACS is the annual cost of the safeguard

10 Example of Cost-Benefit Analysis Calculation Dropping an iPad and breaking the screen Asset value: $700 Exposure factor: 50% SLE = ARO = 25% chance of damaging ALE (prior) = ALE (post) = CBA (cost of case = $30) CBA = ALE(prior) – ALE(post) – ACS CBA =

11 Example of Cost-Benefit Analysis Calculation Unprotected customer database Asset value: $200,000 Exposure factor: 50% SLE = ARO = 75% chance of occurring ALE (prior) = ALE (post) = CBA (ACS = $5,000) CBA = ALE(prior) – ALE(post) – ACS CBA =

12 Recommended Risk Control Practices Qualitative/Quantitative Approach Octave Methods Microsoft Risk Management Approach FAIR

13 Qualitative and Hybrid Measures Quantitative assessment Qualitative assessment Hybrid assessment

14 OCTAVE Method The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method Variations of the OCTAVE method – The original OCTAVE method – OCTAVE-S – OCTAVE-Allegro www.cert.org/octave/

15 Microsoft Risk Management Approach Four phases in the Microsoft InfoSec risk management process: – Assessing risk – Conducting decision support – Implementing controls – Measuring program effectiveness www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx

16 Figure A-1 Security Risk Management Guide Source: Course Technology/Cengage Learning Microsoft Risk Management Approach

17 Basic FAIR analysis is comprised of four stages: Stage 1 - Identify scenario components Stage 2 - Evaluate loss event frequency Stage 3 - Evaluate probable loss magnitude(PLM) Stage 4 - Derive and articulate Risk Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low http://fairwiki.riskmanagementinsight.com Factor analysis of Information Risk (FAIR)

18 FAIR (cont’d.) Management of Information Security, 3rd ed. Figure 9-4 Factor analysis of information risk (FAIR) Source: Course Technology/Cengage Learning (Based on concepts from Jack A. Jones)

19 HEALTH FIRST CASE STUDY Analyzing Risk

20 Step 1: Define Assets

21 Consider Consequential Financial Loss Asset Name$ Value Direct Loss: Replaceme nt $ Value Consequenti al Financial Loss Confidentiality, Integrity, and Availability Notes Medical DBC? I? A? Daily Operation (DO) Medical Malpractice (M) HIPAA Liability (H) Notification Law Liability (NL)

22 Step 1: Define Assets Consider Consequential Financial Loss Asset Name$ Value Direct Loss: Replacement $ Value Consequential Financial Loss Confidentiality, Integrity, and Availability Notes Medical DBDO+M_H+NLC I A Daily Operation (DO) $ Medical Malpractice (M) $ HIPAA Liability (H) $ Notification Law Liability (NL) $

23 HIPAA Criminal Penalties $ PenaltyImprisonmentOffense Up to $50KUp to one yearWrongful disclosure of individually identifiable health information Up to $100KUp to 5 years…committed under false pretenses Up to $500KUp to 10 years… with intent to sell, achieve personal gain, or cause malicious harm Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …

24 Step 2: Estimate Potential Loss for Threats Step 3: Estimate Likelihood of Exploitation Normal threats: Threats common to all organizations Inherent threats: Threats particular to your specific industry Known vulnerabilities: Previous audit reports indicate deficiencies.

25 Step 2: Estimate Potential Loss for Threats Step 3: Estimate Likelihood of Exploitation

26 Step 4: Compute Expected Loss Step 5: Treat Risk Step 4: Compute E(Loss) ALE = SLE * ARO AssetThreatSingle Loss Expecta ncy (SLE) Annuali zed Rate of Occurre nce (ARO) Annual Loss Expecta ncy (ALE) Step 5: Treat Risk Risk Acceptance: Handle attack when necessary Risk Avoidance: Stop doing risky behavior Risk Mitigation: Implement control to minimize vulnerability Risk Transference: Pay someone to assume risk for you Risk Planning: Implement a set of controls

Download ppt "INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you."

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Session 3: Security Risk Management Eduardo Rivadeneira IT Pro Microsoft Mexico.

Session 3: Security Risk Management Eduardo Rivadeneira IT Pro Microsoft Mexico.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Weakness is a better teacher than strength.

Weakness is a better teacher than strength.
Information Systems Security Information Security & Risk Management.

Information Systems Security Information Security & Risk Management.
Introducing Computer and Network Security

Introducing Computer and Network Security
Unit # 3: Information Security and Risk Management

Unit # 3: Information Security and Risk Management
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.

Controlling Risk Welcome to IST-456 Topic 9 – Controlling Risk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions.
1 Security Risk Management Liping Cai 02/01/2006.

1 Security Risk Management Liping Cai 02/01/2006.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
An Overview of Risk Management

An Overview of Risk Management
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.

Similar presentations

Ads by Google