Chapter - 2
Risk Management
CoSc-7951
Security Engineering
Elective-II
Dr. Basant Tiwari [email protected]
School of Informatics
Hawassa University Campus, Awassa
Learning Objectives
Upon completion of this material, you should be able to:
• Define risk management and its role in an organization.
• Use risk management techniques to identify and prioritize risk factors for information assets.
• Assess risk based on the likelihood of adverse events and the effect on information assets when events occur.
• Document the results of risk identification.
Introduction
A true story …
A company suffered a catastrophic loss one night when its office burned to the ground.
As the employees gathered around the charred remains the next morning, the president asked the secretary if she had been performing the daily computer backups. To his relief she replied that yes, each day before she went home she backed up all of the financial information, invoices, orders ...
The president then asked the secretary to retrieve the backup so they could begin to determine their current financial status.
“Well”, the secretary said, “I guess I cannot do that. You see, I put those backups in the desk drawer next to the computer in the office.”
Introduction (cont.)
“Investing in stocks carries a risk …”
“Bad hand hygiene carries a risk …”
“Car speeding carries a risk …”
“An outdated anti-virus software carries a risk …”
Risk – likelihood that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesired outcome)
Risk Management – identification, assessment, and prioritization of risks followed by coordinated use of resources to monitor, control or minimize the impact of risk-related events or to maximize the gains.
• examples: finances, industrial processes, public health and safety, insurance, etc.
• one of the key responsibilities of every manager within an organization
Risk in Information Security
Risks in Info. Security – risks which arise from an organization’s use of info. technology (IT)
• related concepts: asset, vulnerability, threat
Risk in Information Security (cont.)
Asset – anything that needs to be protected because it has value and contributes to the successful achievement of the organization’s objectives
Threat – any circumstance or event with the potential to cause harm to an asset and result in harm to the organization
Vulnerability – the weakness in an asset that can be exploited by a threat
Risk – probability of a threat acting upon a vulnerability causing harm to an asset
Risk in Information Security (cont.)
[Figure: Asset, Threat, Vulnerability & Risk in Info. Sec.]
[Figure: Interplay between Risk & other Info. Sec. Concepts]
Security Risk Management
Security Risk Management – process of identifying vulnerabilities in an organization’s info. system and taking steps to protect the CIA of all of its components.
Two major sub-processes:
• Risk Identification & Assessment
• Risk Control (Mitigation)
[Figure: Risk Management Cycle – Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks]
Security Risk Management
[Figure: Risk Management tree]
Risk Management
• Risk Identification
  – Identify & Prioritize Assets
  – Identify & Prioritize Threats
  – Identify Vulnerabilities between Assets and Threats (Vulnerability Analysis)
  – Risk Assessment: Calculate Relative Risk of Each Vulnerability
• Risk Control
  – Cost-Benefit Analysis
  – Strategies: Control, Transfer, Avoid, Accept, Mitigate
Risk Identification
[Figure: Components of Risk Identification]
Risk Identification: Asset Inventory
Asset Inventory
Risk identification begins with identification of information assets, including: …
No prejudging of asset values should be done at this stage – values are assigned later!
Risk Identification: Asset Inventory (cont.)
Identifying Hardware, Software and Networking Assets
• Can be done automatically (using specialized software) or manually.
• Needs certain planning – e.g. which attributes of each asset should be tracked, such as:
  – name – tip: naming should not convey critical info to potential attackers
  – asset tag – unique number assigned during acquisition process
  – IP address
  – MAC address
  – software version
  – serial number
  – manufacturer name
  – manufacturer model or part number
Risk Identification: Asset Inventory (cont.)
Identifying People, Procedures and Data Assets
• Not as readily identifiable as other assets – require that experience and judgment be used.
• Possible attributes:
  – people – avoid personal names, as they may change; use: position name, position number/ID, computer/network access privileges
  – procedures – description, intended purpose, software/hardware/networking elements to which it is tied, location of reference document, …
  – data – owner, creator, manager, location, …
Risk Identification: Asset Ranking
Asset Ranking / Prioritization
Assets should be ranked so that the most valuable assets get the highest priority when managing risks.
Questions to consider when determining asset value / rank:
1) Which info. asset is most critical to the overall success of the organization?
Example: Amazon’s ranking assets
Amazon’s network consists of regular desktops and web servers.
• Web servers that advertise the company’s products and receive orders 24/7 – critical.
• Desktops used by the customer service department – not so critical.
Risk Identification: Asset Ranking (cont.)
2) Which info. asset generates most revenue?
3) Which info. asset generates highest profitability?
Example: Amazon’s ranking assets
At Amazon.com, some servers support book sales (resulting in highest revenue), while others support sales of beauty products (resulting in highest profit).
4) Which info. asset is most expensive to replace?
5) Which info. asset’s loss or compromise would be most embarrassing or cause greatest liability?
Risk Identification: Asset Ranking (cont.)
Example: Weighted asset ranking
Not all asset ranking questions/categories may be equally important to the company.
A weighting scheme could be used to account for this …
[Figure: weighted asset ranking worksheet; rows such as “Data asset / information transmitted”]
• Each criterion is assigned a weight (0 – 100); the weights must total 100!
• Each asset is assigned a score (0.1 – 1.0) for each critical factor.
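The weighting scheme above carried through in code, as an added example that is not part of the lecture slides: the criteria come from the five asset-ranking questions, while the weights, the three assets and their scores are constructed sample values.

```python
"""Weighted asset ranking worksheet (constructed example, not from the slides):
weight (0-100, totalling 100) per criterion x score (0.1-1.0) per asset."""
from typing import Dict, List, Tuple

# Criteria follow the five asset-ranking questions on the slides; the weights
# themselves are constructed sample values.
CRITERIA_WEIGHTS: Dict[str, int] = {
    "critical to success": 30,
    "generates revenue": 25,
    "generates profit": 15,
    "expensive to replace": 10,
    "liability if compromised": 20,
}

# Constructed sample scores (0.1-1.0) for three assets of an online retailer.
ASSET_SCORES: Dict[str, Dict[str, float]] = {
    "web server (orders 24/7)": {
        "critical to success": 1.0, "generates revenue": 1.0,
        "generates profit": 0.8, "expensive to replace": 0.5,
        "liability if compromised": 0.9,
    },
    "order database": {
        "critical to success": 0.9, "generates revenue": 0.8,
        "generates profit": 0.8, "expensive to replace": 0.7,
        "liability if compromised": 1.0,
    },
    "customer-service desktops": {
        "critical to success": 0.3, "generates revenue": 0.2,
        "generates profit": 0.2, "expensive to replace": 0.3,
        "liability if compromised": 0.4,
    },
}

def validate_weights(weights: Dict[str, int]) -> None:
    """The slides require each weight in 0-100 and the weights to total 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights must total 100, got {total}")
    for name, weight in weights.items():
        if not 0 <= weight <= 100:
            raise ValueError(f"weight for {name!r} out of range: {weight}")

def weighted_value(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Weighted asset value = sum over criteria of weight * score."""
    value = 0.0
    for criterion, weight in weights.items():
        score = scores[criterion]  # KeyError if an asset was left unscored
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be in [0.1, 1.0]")
        value += weight * score
    return round(value, 1)

def rank_assets(assets: Dict[str, Dict[str, float]],
                weights: Dict[str, int]) -> List[Tuple[str, float]]:
    """Return (asset, weighted value) pairs, most valuable asset first."""
    validate_weights(weights)
    ranked = [(name, weighted_value(scores, weights))
              for name, scores in assets.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    for asset, value in rank_assets(ASSET_SCORES, CRITERIA_WEIGHTS):
        print(f"{value:6.1f}  {asset}")
```

With these sample values the web server ranks first (90.0), the order database second (86.0) and the desktops last (28.0); a worksheet whose weights do not total 100 is rejected before any ranking is produced.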
Risk Identification: Threat Identification
Any organization faces a wide variety of threats.
To keep risk management ‘manageable’ … realistic threats must be identified and further investigated, while unimportant threats should be set aside.
[Figure: Example – CSI/FBI survey of types of threats/attacks]
Risk Identification: Threat Identification (cont.)
Threat Modeling/Assessment – practice of building an abstract model of how an attack may proceed and cause damage
• Attacker-centric – starts from attackers, evaluates their motivations and goals, and how they might achieve them through an attack tree.
• System-centric – starts from a model of the system, and attempts to follow the model’s dynamics and logic, looking for types of attacks against each element of the model.
• Asset-centric – starts from assets entrusted to a system, such as a collection of sensitive personal information, and attempts to identify how CIA security breaches can happen.
Source: http://www.uio.no/studier/emner/matnat/ifi/INF3510/v12/learningdocs/INF3510-2012-L03.pdf
Risk Identification: Threat Identification (cont.)
Questions used to prioritize threats:
• Which threats present a danger to the organization’s assets in its current environment? (‘pre-step’)
  Goal: reduce the risk management’s scope and cost.
  Examine each category from the CSI/FBI list, or as identified through the threat assessment process, and eliminate any that do not apply to your organization.
• Which threats represent the most danger … ?
  Goal: provide a rough assessment of each threat’s potential impact given the current level of the organization’s preparedness.
  ‘Danger’ might be a measure of:
  – severity, i.e. overall damage that the threat could create
  – probability of the threat attacking this particular organization
Risk Identification: Threat Prioritization
Other questions used to assess/prioritize threats:
• How much would it cost to recover from a successful attack?
• Which threats would require the greatest expenditure to prevent?
Risk Identification: Threat Prioritization (cont.)
Threat ranking can be quantitative or qualitative.
Once threats are prioritized, each asset should be reviewed against each threat to create a specific list of vulnerabilities.
Risk Identification: Vulnerability Analysis
Vulnerability Analysis
Vulnerability – flaw or weakness in an info. asset, its design, control or security procedure that can be exploited accidentally or deliberately
• the sheer existence of a vulnerability does not mean harm WILL be caused – a threat agent is required
• vulnerabilities are characterized by the level of tech. skill required to exploit them
• a vulnerability that is easy to exploit is often a high-danger vulnerability
[Figure: Vulnerability – Threat – Asset]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
Asset: desktop (files)
Threat: Deliberate Software Attack – Virus Attack
Vulnerabilities:
• people open suspicious e-mail attachments [procedural / control weakness]
• antivirus software not up-to-date & file copying off USBs allowed [procedural / control weakness]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of critical files
Asset: server
Threat: DDoS Attack
Vulnerabilities:
• NIC can support data-rates of up to 50 Mbps [design weakness]
• CPU ‘freezes’ at 10,000 packets/sec [design / implementation flaw]
Vulnerability Analysis (cont.)
Example: Vulnerability assessment of a router
Asset: router
Threat: Act of Human Error or Failure
Vulnerabilities:
• temperature control in router/server room is not adequate – router overheats and shuts down [control weakness, design flaw]
• net. administrator allows access to unauthorized user – unauthorized user uploads a virus, router crashes [control / procedural weakness]
Vulnerability Analysis (cont.)
TVA Worksheet – at the end of the risk identification procedure, the organization should derive a threats-vulnerabilities-assets (TVA) worksheet
• this worksheet is a starting point for the risk assessment phase
• the TVA worksheet combines the prioritized lists of assets and threats
  – prioritized list of assets is placed along the x-axis, with the most important assets on the left
  – prioritized list of threats is placed along the y-axis, with the most dangerous threats at the top
  – the resulting grid enables a simplistic vulnerability assessment
• If one or more vulnerabilities exist between T1 and A1, they can be categorized as: T1V1A1 – Vulnerability 1 that exists between Threat 1 and Asset 1; T1V2A1 – Vulnerability 2 that exists between Threat 1 and Asset 1, …
• If the intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.
[Figure: TVA worksheet grid]
Risk Assessment
Summary of Vulnerability Analysis
[Figure: a Threat (act of human error or failure, deliberate act of trespass, deliberate act of extortion, deliberate act of sabotage, deliberate software attacks, technical software failures, technical hardware failures, forces of nature, etc.) exploits a Vulnerability (flaw or weakness in an asset’s design, implementation, control or security procedure) and causes damage (loss) to an Asset (people, procedure, data, software, hardware, networking)]
Risk Assessment (cont.)
Risk Assessment – provides relative numerical risk ratings (scores) to each specific vulnerability
• in risk management, it is not the presence of a vulnerability that really matters, but the associated risk!
(Security) Risk – quantifies: 1) the possibility that a threat successfully acts upon a vulnerability and 2) how severe the consequences would be
$R = P \cdot V$
• P = probability of risk-event occurrence
• V = value lost / cost to organization
Risk Assessment (cont.)
[Figure: weighted asset value worksheet] Weighted score indicating the relative importance (associated loss) of the given asset. Should be used if concrete $ amounts are not available.
Risk Assessment (cont.)
Extended Risk Formula v.1.
$R = P_a \cdot P_s \cdot V$
• $P_a$ = probability that an attack/threat (against a vulnerability) takes place
• $P_s$ = probability that the attack successfully exploits the vulnerability
• V = value lost by exploiting the vulnerability
[Figure: Vulnerability – Threat – Asset]
Risk Assessment (cont.)
Extended Risk Formula v.2.
$R = P_a \cdot (1 - P_e) \cdot V$, with $P_s = 1 - P_e$
• $P_s$ = probability that the attack is successfully executed
• $P_e$ = probability that the attack is NOT successfully executed, i.e. the system’s defences are effective: the probability that the system’s security measures effectively protect against the attack (a reflection of the system’s security effectiveness)
Risk Assessment (cont.)
Extended Whitman’s Risk Formula *
$R = P \cdot V - CC\,[\%] + UK\,[\%]$
• LE = Loss Expectancy (i.e. Potential Loss)
• P = probability that a certain vulnerability (affecting a particular asset) gets successfully exploited
• V = value of information asset [1, 100]
• CC = current control = percentage of risk already mitigated by current control
• UK = uncertainty of knowledge = uncertainty of current knowledge of the vulnerability (i.e. overall risk)
* One of many risk models. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.211.7952
Risk Assessment (cont.)
Extended Whitman’s Risk Formula (cont.)
$R = P \cdot V - CC\,[\%] + UK\,[\%]$
• CC = current control = fraction of risk already mitigated by current control
• UK = uncertainty of knowledge = fraction of risk that is not fully known
$R = P \cdot V - CC \cdot (P \cdot V) + UK \cdot (P \cdot V) = P \cdot V \,[1 - CC + UK]$
Mathematically more sound expression!
Risk Assessment (cont.)
• If a vulnerability is fully managed by an existing control, it can be set aside. (In this case, R ≈ 0.)
• It is not possible to know everything about a vulnerability, the respective threat, or how great an impact a successful attack would have. A factor that accounts for the uncertainty of estimating the given risk should always be added to the equation.
• For many vulnerabilities the respective probabilities are known, e.g. the likelihood that any given email will contain a virus or worm and that those get ‘activated’ by the user.
Risk Assessment (cont.)
Example: Risk determination
Asset A
• Has a value of 50.
• Has one vulnerability, with a likelihood of 1.0.
• No current control for this vulnerability.
• Your assumptions and data are 90% accurate.
Asset B
• Has a value of 100. Has two vulnerabilities:
  – vulnerability #2 with a likelihood of 0.5, and a current control that addresses 50% of its risk;
  – vulnerability #3 with a likelihood of 0.1 and no current controls.
• Your assumptions and data are 80% accurate.
Which asset/vulnerability should be dealt with first?!
[Figure: Asset A (V = 50, P = 1); Asset B (V = 100, P = 0.5 and P = 0.1)]
Risk Assessment (cont.)
Example: Risk determination (cont.)
The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
• Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 50 × 0 + 50 × 0.1
• Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50 × 0.5 + 50 × 0.2
• Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 10 × 0 + 10 × 0.2
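The Whitman rating for the example above computed in code, as an added example rather than code from the slides or from Whitman’s text: the Vulnerability dataclass and function names are this example’s own, and it also sets aside vulnerabilities fully managed by an existing control (CC = 1), as the earlier slide suggests.

```python
"""Extended Whitman risk rating R = P*V - CC*(P*V) + UK*(P*V) = P*V*(1 - CC + UK).
Constructed example reproducing the Asset A / Asset B figures on the slides;
the Vulnerability dataclass and function names are this example's own."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    asset: str              # asset the vulnerability belongs to
    name: str               # vulnerability label, e.g. "vulnerability 2"
    asset_value: float      # V: value of the information asset [1, 100]
    likelihood: float       # P: probability the vulnerability is exploited
    current_control: float  # CC: fraction of the risk already mitigated
    accuracy: float         # accuracy of assumptions/data; UK = 1 - accuracy


def risk_rating(v: Vulnerability) -> float:
    """R = P*V*(1 - CC + UK), rounded to two decimals."""
    for field, val in (("likelihood", v.likelihood),
                       ("current_control", v.current_control),
                       ("accuracy", v.accuracy)):
        if not 0.0 <= val <= 1.0:
            raise ValueError(f"{field} must be in [0, 1], got {val}")
    loss_expectancy = v.likelihood * v.asset_value  # LE = P * V
    uncertainty = 1.0 - v.accuracy                  # UK
    return round(loss_expectancy * (1.0 - v.current_control + uncertainty), 2)


def ranked_risks(vulns: List[Vulnerability]) -> List[Tuple[str, str, float]]:
    """Ranked vulnerability risk worksheet: (asset, vulnerability, R), highest first.
    A vulnerability fully managed by an existing control (CC = 1) is set aside."""
    rows = [(v.asset, v.name, risk_rating(v))
            for v in vulns if v.current_control < 1.0]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The slides' example: asset A (value 50, data 90% accurate) and asset B
# (value 100, data 80% accurate).
EXAMPLE = [
    Vulnerability("A", "vulnerability 1", 50, 1.0, 0.0, 0.90),
    Vulnerability("B", "vulnerability 2", 100, 0.5, 0.5, 0.80),
    Vulnerability("B", "vulnerability 3", 100, 0.1, 0.0, 0.80),
]

if __name__ == "__main__":
    for asset, name, rating in ranked_risks(EXAMPLE):
        print(f"Asset {asset}: {name} rated as {rating:g}")
```

Running it reproduces the slide’s ranking of 55, 35 and 12, with the 90% and 80% accuracy figures entering as UK = 0.1 and UK = 0.2.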
Risk Assessment (cont.)
Documenting Results of Risk Assessment – 5 types of documents ideally created:
1) Information asset classification worksheet
2) Weighted asset worksheet
3) Weighted threat worksheet
4) TVA worksheet
5) Ranked vulnerability risk worksheet
  – extension of the TVA worksheet, showing only the assets and relevant vulnerabilities
  – assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair
Risk Assessment (cont.)
[Figure: Ranked vulnerability risk worksheet] Columns: A = vulnerable assets; AI = weighted asset value; V = each asset’s vulnerability; VL = likelihood of vulnerability realization; risk-rating factor = AI × VL.
Customer service email has relatively low value but represents the most pressing issue due to its high vulnerability likelihood.
Risk Assessment (cont.)
At the end of the risk assessment process, the TVA and/or ranked-vulnerability worksheets should be used to develop a prioritized list of tasks.
Risk Control
Risk Control Strategies
Once all vulnerabilities/risks are evaluated, the company has to decide on the ‘course of action’ – often influenced by $$$ …
[Figure: risk low, cost high vs. risk high, cost low]
Basic Strategies to Control Risks
• Avoidance – do not proceed with the activity or system that creates this risk
• Reduced Likelihood (Control) – by implementing suitable controls, lower the chances of the vulnerability being exploited
• Transference – share responsibility for the risk with a third party
• Mitigation – reduce impact should an attack still exploit the vulnerability
• Acceptance – understand consequences and acknowledge risks without any attempt to control or mitigate
Risk Control Strategies (cont.)
Avoidance – strategy that results in complete abandonment of activities or systems due to overly excessive risk
• usually results in loss of convenience or ability to perform some function that is useful to the organization
• the loss of this capacity is traded off against the reduced risk profile
Recommended for vulnerabilities with a very high risk factor that are very costly to fix.
Risk Control Strategies (cont.)
Reduced Likelihood – risk control strategy that attempts to prevent exploitation of a vulnerability by means of the following techniques:
• application of technology – implementation of security controls and safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc.
• policy – e.g. insisting on safe procedures
• training and education – a change in technology and policy must be coupled with employees’ training and education
Recommended for vulnerabilities with a high risk factor that are moderately costly to fix.
Risk Control Strategies (cont.)
Transference – risk control strategy that attempts to shift risk to other assets, other processes or other organizations
• if the organization does not have adequate security experience, hire individuals or firms that provide expertise – ‘stick to your knitting’!
• e.g., by hiring a Web consulting firm, the risks associated with domain name registration, Web presence, Web service, … are passed on to an organization with more experience
Recommended for vulnerabilities with a high risk factor that are moderately costly to fix, if outside expertise is required.
Risk Control Strategies (cont.)
Mitigation – risk control strategy that attempts to reduce the likelihood or impact caused by a vulnerability – includes 3 plans: (1) … (2) … (3) …
Risk Control Strategies (cont.)
Acceptance – strategy that assumes NO action towards protecting an information asset – instead, accept the outcome …
Should be used only after doing all of the following (steps to be discussed):
• assess the probability of attack and likelihood of successful exploitation of a vulnerability
• approximate annual occurrence of such an attack
• estimate potential loss that could result from attacks
• perform a thorough cost-benefit analysis assuming various protection techniques
• determine that the particular asset did not justify the cost of protection!
Risk Control Strategies (cont.)
How do we know whether risk control techniques have worked / are sufficient?!
Example: Risk tolerance vs. residual risk
[Figure: Risk vs. Time – vulnerability risk before controls, vulnerability risk after controls, Company’s Risk Tolerance, Residual Risk]
Risk Tolerance – risk that the organization is willing to accept after implementing risk-mitigation controls
Residual Risk – risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed
• the goal of information security is not to bring residual risk to 0, but to bring it in line with the company’s risk tolerance
• risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance
Risk Control Strategies (cont.)
Risk Handling – Decision Process – helps choose one among the four risk control strategies
[Figure: decision flowchart – “Is system …?”, “Is vulnerability …?”, compared against the risk tolerance; attacker not likely to attack, or initial estimated risk below risk tolerance → acceptance]
Risk Control Strategies (cont.)
Risk Control Cycle – after a control has been selected & implemented, the control should be monitored and (if needed) adjusted on an on-going basis
[Figure: Risk Control Cycle]
Risk Control Strategies (cont.)
Four groups that bear responsibility for effective management of security risks, each with unique roles:
• Information Security Management – group with the leadership role – most knowledgeable about causes of security risks (security threats and attacks)
• IT Community / Management – group that helps build secure systems and ensure their safe operation
• General Management – must ensure that sufficient resources (money & personnel) are allocated to IT and info. security groups to meet organizational security needs
• Users – (when properly trained) group that plays a critical part in prevention, detection and defence against security threats/attacks