
Slide 1: CST 481/598
- Many thanks to Jeni Li

Slide 2
- Risk matrix or cube
- Cost effectiveness analysis
- Annualized Loss Expectancy
- Multi-Attribute Risk Assessment
- Monte Carlo analysis
- ... et cetera

Slide 3
- Vulnerability
- Threat
- Impact

Slide 4
- Cost of recovering lost or modified data
- Business value of unrecoverable data
- Lost productivity due to down time
- Replacement cost of physical assets
- Fines and penalties
  - For unauthorized disclosures or posting inaccurate information
  - Damage compensation to compromised customers
  - Fines imposed by regulatory agencies
- Damage to reputation

Slide 5 (more or less)
- Asset identification and valuation
- Threat/vulnerability assessment
- Risk calculation
- Countermeasure selection

Slide 6
- From Jones/Ashenden text
- R = V x T x I
- Useful for visuals and comparisons
- Not much else

Slide 7
- Combines soft and hard numbers
- Can use estimates or probability tables
- Examples: ROSI, CRAMM

Slide 8
- ALE = SLE x ARO
  - SLE: Single Loss Expectancy
    - How much will it cost if it happens once?
  - ARO: Annualized Rate of Occurrence
    - How many times a year will it happen?
- Actual losses will vary, of course
  - Poisson distribution, Monte Carlo analysis

Slide 9
- Used to introduce "controlled randomness"
- Goal: Make estimates more realistic
- Often used with ALE models
- Used in latest version of ROSI
- Many algorithms exist
- Some information for the interested
  - http://en.wikipedia.org/wiki/Monte_Carlo_method
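Slides 8 and 9 together: ALE as a point estimate, then a Monte Carlo run that draws each year's incident count from a Poisson distribution with mean ARO so the spread of "actual losses" becomes visible. This is an added worked example, not code from the deck; the SLE/ARO figures and control costs are constructed.

```python
import math
import random
from statistics import mean, quantiles

def ale(sle, aro):
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro

def poisson(rate, rng):
    """Draw one Poisson-distributed count with the given mean (Knuth's method, fine for small rates)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_losses(sle, aro, years=20000, spread=0.0, seed=1):
    """Monte Carlo: for each simulated year draw the number of incidents from a
    Poisson distribution with mean ARO, then cost each incident at SLE, optionally
    varied by +/- spread (a fraction) so single-loss uncertainty is modelled too."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incidents = poisson(aro, rng)
        cost = sum(sle * (1 + rng.uniform(-spread, spread)) for _ in range(incidents))
        losses.append(cost)
    return losses

def summarize(losses):
    """The mean converges on ALE; p95 and the worst year show the tail ALE alone hides."""
    cuts = quantiles(losses, n=20)          # 19 cut points at 5% steps; index 18 is p95
    return {"mean": mean(losses), "p95": cuts[18], "worst": max(losses)}

def control_benefit(sle, aro, aro_after, annual_control_cost):
    """Annual benefit of a countermeasure that lowers ARO: ALE saved minus the control's cost."""
    return ale(sle, aro) - ale(sle, aro_after) - annual_control_cost

if __name__ == "__main__":
    # Constructed figures: an incident costing 50,000 per event, expected once in five years.
    SLE, ARO = 50_000, 0.2
    print("ALE:", ale(SLE, ARO))                                       # 10000.0
    stats = summarize(simulate_annual_losses(SLE, ARO, spread=0.25))
    print({k: round(v) for k, v in stats.items()})
    # A control costing 4,000/yr that halves ARO is worth buying when this is positive.
    print("Control benefit:", control_benefit(SLE, ARO, 0.1, 4_000))   # 1000.0
```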

Slide 10
- Origin: UK government
- Commercial software (cramm.com)
- Used by UK, NATO, Dutch military, T-Mobile
- Used for ISO 27001 compliance
- Can be used to justify cost of controls
- Based on statistical analysis of other agencies
  - Detailed departmental questionnaires
  - Or informed estimates (Express version)
- Database of controls
  - Pre-assigned effectiveness, cost/benefit values

Slide 11
- Origin and user: AU government
- Freely available
  - http://www.gcio.nsw.gov.au/search?SearchableText=rosi
- Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment
- User-assigned values for TRA descriptions

Slide 12
- Origin: Carnegie-Mellon University
  - http://www.cs.cmu.edu/~shawnb/
- Based on Multi-Attribute Risk Assessment
- Categorizes attributes of impact
  - Revenue, Reputation, Productivity, Penalties
- Likelihood, impact ratings based on industry peer review
- Emphasizes coverage of threats
  - Protect, Detect, React
- Doesn't quantify risk financially

Slide 13
- Avoidance
- Reduction
- Retention
- Transfer

Slide 14
- Avoidance
- Reduction
- Retention
- Transfer

Slide 15
- Get out of (or don't get into) the risky business
- Do this when...
  - Probability of a loss is high
  - Potential impact is high
  - Gain from continuing the function is low

Slide 16
- Protect, detect, react
- This is what we usually think of in IS
- Do this when...
  - Probability of a loss is high
  - Potential impact is low

Slide 17
- Protect
  - Prevent the threat from meeting with the vulnerability
- Detect
  - Discover and respond to a threat before it causes too much damage
- React (Recover)
  - Minimize impact after an incident

Slide 18
- "Cost of doing business"
- Live with it when...
  - Probability of a loss is low
  - Potential impact is low
  - Gain from continuing the function is high

Slide 19
- Common methods
  - Buy insurance
  - Outsource the risky function
- Do this when...
  - Probability of a loss is low
  - Potential impact is high
  - Gain from continuing the function is high
