Published by Sheila Barton. Modified over 9 years ago.
1
CST 481/598 Many thanks to Jeni Li
2
Risk matrix or cube
Cost effectiveness analysis
Annualized Loss Expectancy
Multi-Attribute Risk Assessment
Monte Carlo analysis
… et cetera
3
Vulnerability
Threat
Impact
4
Cost of recovering lost or modified data
Business value of unrecoverable data
Lost productivity due to downtime
Replacement cost of physical assets
Fines and penalties
  For unauthorized disclosures or posting inaccurate information
Damage compensation to compromised customers
Fines imposed by regulatory agencies
Damage to reputation
5
(more or less)
Asset identification and valuation
Threat/vulnerability assessment
Risk calculation
Countermeasure selection
6
From Jones/Ashenden text
R = V x T x I
Useful for visuals and comparisons
Not much else
7
Combines soft and hard numbers
Can use estimates or probability tables
Examples: ROSI, CRAMM
8
ALE = SLE x ARO
SLE: Single Loss Expectancy
  How much will it cost if it happens once?
ARO: Annualized Rate of Occurrence
  How many times a year will it happen?
Actual losses will vary, of course
  Poisson distribution, Monte Carlo analysis
9
Used to introduce “controlled randomness”
Goal: make estimates more realistic
Often used with ALE models
Used in latest version of ROSI
Many algorithms exist
Some information for the interested: http://en.wikipedia.org/wiki/Monte_Carlo_method
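A Monte Carlo version of the ALE = SLE x ARO calculation from slide 8, added here as an example rather than material from the slides: yearly incident counts are drawn from a Poisson distribution with mean ARO, each incident's cost from an assumed low/most-likely/high triangular range instead of a single fixed SLE, and the resulting annual losses are summarised next to the point estimate. The ROSI formula (ALE reduction minus control cost, over control cost) is the usual return-on-security-investment ratio, not taken from the slides.

```python
# Added example, not from the slides: Monte Carlo annual-loss simulation
# next to the point estimate ALE = SLE x ARO. Standard library only.
import math
import random

def annualized_loss_expectancy(sle, aro):
    """Point estimate from the slides: ALE = SLE x ARO."""
    return sle * aro

def poisson_sample(rate, rng):
    """Incidents in one year when they arrive at `rate` per year (Knuth's
    method; exp(-rate) only underflows for rates in the hundreds)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1

def simulate_annual_losses(sle_low, sle_mode, sle_high, aro, years=20000, seed=1):
    """Simulate `years` independent years. Incident count is Poisson(ARO);
    each incident's cost is triangular(low, mode, high), an assumed stand-in
    for a single fixed SLE so that 'actual losses will vary'."""
    rng = random.Random(seed)  # fixed seed: reproducible runs
    losses = []
    for _ in range(years):
        incidents = poisson_sample(aro, rng)
        losses.append(sum(rng.triangular(sle_low, sle_high, sle_mode)
                          for _ in range(incidents)))
    return losses

def summarize(losses):
    """Mean annual loss (the Monte Carlo ALE) and the 95th percentile."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return sum(ordered) / len(ordered), p95

def rosi(ale_before, ale_after, annual_control_cost):
    """Return on security investment: (ALE reduction - cost) / cost."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    # Constructed figures: incident costing $20k-$110k (most likely $50k),
    # expected once every five years (ARO = 0.2); control costs $5k/yr.
    point = annualized_loss_expectancy(50_000, 0.2)
    mean, p95 = summarize(simulate_annual_losses(20_000, 50_000, 110_000, 0.2))
    print(f"point ALE {point:,.0f}  simulated mean {mean:,.0f}  95th pct {p95:,.0f}")
    print(f"ROSI of a control that cuts ALE by 75%: {rosi(mean, mean / 4, 5_000):.2f}")
```

Because the cost range is right-skewed, the simulated mean sits above the point estimate built from the most-likely SLE, and the 95th percentile shows the bad year a budget should be able to absorb.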
10
Origin: UK government
Commercial software (cramm.com)
Used by UK, NATO, Dutch military, T-Mobile
Used for ISO 27001 compliance
Can be used to justify cost of controls
Based on statistical analysis of other agencies
  Detailed departmental questionnaires
  Or informed estimates (Express version)
Database of controls
  Pre-assigned effectiveness, cost/benefit values
11
Origin and user: AU government
Freely available: http://www.gcio.nsw.gov.au/search?SearchableText=rosi
Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment
User-assigned values for TRA descriptions
12
Origin: Carnegie-Mellon University, http://www.cs.cmu.edu/~shawnb/
Based on Multi-Attribute Risk Assessment
Categorizes attributes of impact
  Revenue, Reputation, Productivity, Penalties
Likelihood, impact ratings based on industry peer review
Emphasizes coverage of threats
  Protect, Detect, React
Doesn’t quantify risk financially
13
Avoidance
Reduction
Retention
Transfer
15
Get out of (or don’t get into) the risky business
Do this when…
  Probability of a loss is high
  Potential impact is high
  Gain from continuing the function is low
16
Protect, detect, react
This is what we usually think of in IS
Do this when…
  Probability of a loss is high
  Potential impact is low
17
Protect
  Prevent the threat from meeting with the vulnerability
Detect
  Discover and respond to a threat before it causes too much damage
React (Recover)
  Minimize impact after an incident
18
“Cost of doing business”
Live with it when…
  Probability of a loss is low
  Potential impact is low
  Gain from continuing the function is high
19
Common methods
  Buy insurance
  Outsource the risky function
Do this when…
  Probability of a loss is low
  Potential impact is high
  Gain from continuing the function is high