Presentation is loading. Please wait.

Presentation is loading. Please wait.

CST 481/598 Many thanks to Jeni Li.  Risk matrix or cube  Cost effectiveness analysis  Annualized Loss Expectancy  Multi-Attribute Risk Assessment.

Published bySheila Barton Modified over 9 years ago

Similar presentations

Presentation on theme: "CST 481/598 Many thanks to Jeni Li.  Risk matrix or cube  Cost effectiveness analysis  Annualized Loss Expectancy  Multi-Attribute Risk Assessment."— Presentation transcript:

1 CST 481/598 Many thanks to Jeni Li

2  Risk matrix or cube  Cost effectiveness analysis  Annualized Loss Expectancy  Multi-Attribute Risk Assessment  Monte Carlo analysis  … et cetera

3  Vulnerability  Threat  Impact

4  Cost of recovering lost or modified data  Business value of unrecoverable data  Lost productivity due to down time  Replacement cost of physical assets  Fines and penalties  For unauthorized disclosures or posting inaccurate information  Damage compensation to compromised customers  Fines imposed by regulatory agencies  Damage to reputation

5  (more or less)  Asset identification and valuation  Threat/vulnerability assessment  Risk calculation  Countermeasure selection

6  From Jones/Ashenden text  R = V x T x I  Useful for visuals and comparisons  Not much else

7  Combines soft and hard numbers  Can use estimates or probability tables  Examples: ROSI, CRAMM

8  ALE = SLE x ARO  SLE: Single Loss Expectancy  How much will it cost if it happens once?  ARO: Annualized Rate of Occurrence  How many times a year will it happen?  Actual losses will vary, of course  Poisson distribution, Monte Carlo analysis

9  Used to introduce “controlled randomness”  Goal: Make estimates more realistic  Often used with ALE models  Used in latest version of ROSI  Many algorithms exist  Some information for the interested  http://en.wikipedia.org/wiki/Monte_Carlo_metho d http://en.wikipedia.org/wiki/Monte_Carlo_metho d

10  Origin: UK government  Commercial software (cramm.com)  Used by UK, NATO, Dutch military, T-Mobile  Used for ISO 27001 compliance  Can be used to justify cost of controls  Based on statistical analysis of other agencies  Detailed departmental questionnaires  Or informed estimates (Express version)  Database of controls  Pre-assigned effectiveness, cost/benefit values

11  Origin and user: AU government  Freely available  http://www.gcio.nsw.gov.au/search?SearchableText=rosi http://www.gcio.nsw.gov.au/search?SearchableText=rosi  Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment  User-assigned values for TRA descriptions

12  Origin: Carnegie-Mellon University  http://www.cs.cmu.edu/~shawnb/ http://www.cs.cmu.edu/~shawnb/  Based on Multi-Attribute Risk Assessment  Categorizes attributes of impact  Revenue, Reputation, Productivity, Penalties  Likelihood, impact ratings based on industry peer review  Emphasizes coverage of threats  Protect, Detect, React  Doesn’t quantify risk financially

13  Avoidance  Reduction  Retention  Transfer

14  Avoidance  Reduction  Retention  Transfer

15  Get out of (or don’t get into) the risky business  Do this when…  Probability of a loss is high  Potential impact is high  Gain from continuing the function is low

16  Protect, detect, react  This is what we usually think of in IS  Do this when…  Probability of a loss is high  Potential impact is low

17  Protect  Prevent the threat from meeting with the vulnerability  Detect  Discover and respond to a threat before it causes too much damage  React (Recover)  Minimize impact after an incident

18  “Cost of doing business”  Live with it when…  Probability of a loss is low  Potential impact is low  Gain from continuing the function is high

19  Common methods  Buy insurance  Outsource the risky function  Do this when…  Probability of a loss is low  Potential impact is high  Gain from continuing the function is high

Download ppt "CST 481/598 Many thanks to Jeni Li.  Risk matrix or cube  Cost effectiveness analysis  Annualized Loss Expectancy  Multi-Attribute Risk Assessment."

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Bridging the gap between software developers and auditors.

Bridging the gap between software developers and auditors.
Revision from last week  Assumptions are potential failure points in a project. They need to be monitored and managed. At the start of the project they.

Revision from last week  Assumptions are potential failure points in a project. They need to be monitored and managed. At the start of the project they.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Introducing Computer and Network Security

Introducing Computer and Network Security
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
ASSESSING RISK IN IT OPERATIONS. RISK ASSESSMENT Recognizing the exposures to loss by becoming aware of the possibility of each type of loss. This is.

ASSESSING RISK IN IT OPERATIONS. RISK ASSESSMENT Recognizing the exposures to loss by becoming aware of the possibility of each type of loss. This is.
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Risk Management.

Risk Management.
Information Security Risk Management

Information Security Risk Management
Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions.
1 Security Risk Management Liping Cai 02/01/2006.

1 Security Risk Management Liping Cai 02/01/2006.
An Overview of Risk Management

An Overview of Risk Management
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
Conostix S.A. Sensible defence.

Conostix S.A. Sensible defence.
Discussing “Risk Analysis in Software Design” 1 FEB 2006 - Joe Combs.

Discussing “Risk Analysis in Software Design” 1 FEB Joe Combs.

Similar presentations

Ads by Google