Lesson 7-Managing Risk
Jan 02, 2016

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Lesson 7-Managing Risk. Overview Defining risk. Identifying the risk to an organization. Measuring risk.

Lesson 7-Managing Risk

Page 2:

Overview

Defining risk.

Identifying the risk to an organization.

Measuring risk.

Page 3:

Defining Risk

Risk is the potential for loss that requires protection.

Risk management provides a basis for valuing an organization’s information assets.

Risk is the measure of vulnerabilities and threats.

Page 4:

Defining Risk

Vulnerability

Threats

Page 5:

Vulnerability

Vulnerabilities make computer systems and networks prone to technical, non-technical, or social engineering attacks.

A vulnerability is characterized by the difficulty and the level of technical skill required to exploit it.

The result of such exploitation must also be considered.

Page 6:

Vulnerability

The relationship between vulnerability and threat

Page 7:

Threat

A threat is an action or event that violates the security of an information system environment.

It can have multiple targets.

The components of a threat are targets, agents, and events.

Page 8:

Targets

The targets of a threat or attack are security services such as:

Confidentiality - Disclosure of classified information to unauthorized individuals.

Integrity - Tampering with information.

Availability - Denial-of-service attack.

Accountability - Preventing the organization from reconstructing past events.

Page 9:

Agents

Agents are the people who may wish to harm the organization. Their characteristics are:

Access - An agent must have direct or indirect access to the system, network, facility, or information.

Knowledge - An agent must have some knowledge about the target. The more familiar an agent is with the target, the more likely the agent will know about its vulnerabilities.

Page 10:

Agents

The characteristics of agents, the people who may wish to harm the organization, are (continued):

Motivation - An agent may tamper with information as a challenge, out of greed to gain something, or purely with malicious intent.

Page 11:

Agents

A threat occurs when an agent with access and knowledge gains the motivation to take action. Such agents could be:

Employees having the necessary access and knowledge of systems.

Ex-employees holding a grudge.

Hackers, terrorists, and criminals with a malicious intent to harm the organization.

Commercial rivals who are interested in the organization’s classified business information.

Page 12:

Events

Events are the ways in which a threat agent may cause harm to an organization.

An event is the extent of harm that could possibly be done if the agent gained access.

Page 13:

Risk

Risk is the combination of threat and vulnerability.

Risks can be categorized as low, medium, or high.

Page 14:

Identifying the Risk to an Organization

Components of an organizational risk assessment

Page 15:

Identifying the Risk to an Organization

Identifying vulnerabilities.

Identifying real threats.

Examining countermeasures.

Identifying risk.

Page 16:

Identifying Vulnerabilities

To identify specific vulnerabilities:

Locate all the entry points (electronic and physical) to the organization.

Identify system configurations.

Identify which information and systems are accessible.

Include any known vulnerabilities in operating systems and applications.

Page 17:

Identifying Real Threats

Real or targeted threats may not show themselves until an event has occurred.

All targeted threats are time-consuming and difficult.

Page 18:

Examining Countermeasures

Countermeasures for each access point within an organization must be identified.

Some of the countermeasures include firewalls, anti-virus software, access control mechanisms, and biometrics.

Page 19:

Identifying Risk

Identify specific risks to the organization.

Identify what possible harm can be done through each access point.

Rate each risk as high risk, medium risk, or low risk. The same vulnerability may pose different levels of risk based on the access point.
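As an added illustration that is not part of the lesson, the Python risk register below rates each (vulnerability, access point) pair as low, medium, or high, so the same vulnerability can land in different categories depending on the entry point it is exposed through and the countermeasures already in place there. The exposure scores, the likelihood-by-impact matrix, and the sample vulnerabilities and access points are assumptions made for this example, not a scheme taken from the lesson.

```python
"""Rate risk per access point: the same vulnerability is rated low, medium or high
depending on where it is exposed.  The scoring scheme and sample data below are
assumed for this example, not taken from the lesson."""
from dataclasses import dataclass

# Assumed: how readily a threat agent gains access through each kind of entry point.
EXPOSURE = {"internet": 3, "internal": 2, "physical": 1}

# Assumed rating matrix, indexed as MATRIX[likelihood - 1][impact - 1] on 1..3 scales.
MATRIX = [
    ["low", "low", "medium"],
    ["low", "medium", "high"],
    ["medium", "high", "high"],
]


@dataclass(frozen=True)
class Vulnerability:
    name: str
    skill_required: int          # 1 = little skill needed ... 3 = expert skill needed
    targets: frozenset           # security services harmed: confidentiality, integrity,
                                 # availability, accountability


@dataclass(frozen=True)
class AccessPoint:
    name: str
    exposure: str                # "internet", "internal" or "physical"
    countermeasures: frozenset   # controls already in place at this entry point


def clamp(value: int, lo: int = 1, hi: int = 3) -> int:
    return max(lo, min(hi, value))


def likelihood(vuln: Vulnerability, ap: AccessPoint) -> int:
    """An agent needs access (exposure) and knowledge/skill; each countermeasure
    at the access point lowers the chance of a successful event."""
    raw = EXPOSURE[ap.exposure] + (3 - vuln.skill_required) - len(ap.countermeasures)
    return clamp(raw)


def impact(vuln: Vulnerability) -> int:
    """The more security services the event harms, the greater the impact."""
    return clamp(len(vuln.targets))


def rate(vuln: Vulnerability, ap: AccessPoint) -> str:
    return MATRIX[likelihood(vuln, ap) - 1][impact(vuln) - 1]


def build_register(vulns, access_points):
    """One row per (vulnerability, access point) pair, highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(rate(v, ap), v.name, ap.name) for v in vulns for ap in access_points]
    return sorted(rows, key=lambda r: (order[r[0]], r[1], r[2]))


# Constructed sample data (hypothetical vulnerabilities and entry points).
RCE = Vulnerability("unpatched remote code execution in web app", 2,
                    frozenset({"confidentiality", "integrity", "availability"}))
LEAK = Vulnerability("verbose error pages disclose internal paths", 1,
                     frozenset({"confidentiality"}))
WEB = AccessPoint("internet-facing web server", "internet", frozenset({"firewall"}))
INTRANET = AccessPoint("intranet application server", "internal",
                       frozenset({"firewall", "access control"}))
LAB = AccessPoint("lab server in a locked room", "physical",
                  frozenset({"access control", "biometrics"}))

if __name__ == "__main__":
    for rating, vuln_name, ap_name in build_register([RCE, LEAK], [WEB, INTRANET, LAB]):
        print(f"{rating:6}  {vuln_name}  @ {ap_name}")
```

Running the script lists the unpatched web application as high risk on the internet-facing server but only medium risk on the intranet and lab machines, while the information leak drops to low risk behind the internal and physical access points; the rating changes with the access point even though the vulnerability does not.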

Page 20:

Measuring Risk

Measuring risk

Page 21:

Measuring Risk

Risks can be measured in terms of:

Money.

Time.

Resources.

Reputation and lost business.

Page 22:

Money

The costs of managing risk include:

Lost productivity.

Stolen equipment or money.

Cost of an investigation.

Cost to repair or replace systems.

Cost of experts to assist.

Employee overtime.

Page 23:

Time

The amount of time taken to manage risks may include:

The time a technical staff member is unavailable to perform normal tasks due to a security event.

The downtime of a key system.

Delay in product delivery or service.

Page 24:

Resources

Resources include people, systems, communication lines, applications, or access.

Compute the monetary cost of using a resource to troubleshoot.

Page 25:

Reputation and Lost Business

Data compromise can affect the organization’s reputation.

Future business is in jeopardy as people lose faith in the brand name.

Losses due to system failures and production delay cannot be ruled out.

Page 26:

Measuring Risk

To measure risk:

Identify the extent of risk – best case, worst case, or most likely case.

Identify the damage in terms of money, time, resources, reputation, and lost business.

Identify the cost of restoration.

Examine the potential results in each risk measurement area.

Develop appropriate risk management approaches.
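As an added worked example that is not part of the lesson, the Python below carries the measurement steps from pages 21 to 26 through for one risk: a best, most likely, and worst case are each costed in money, time, resources, reputation and lost business, plus restoration, and the totals are combined into a single expected loss. The conversion rates for time, the (best + 4 × most likely + worst) / 6 weighting, and the sample figures are assumptions made for this example and are not taken from the lesson.

```python
"""Measure one risk in money, time, resources, reputation and restoration cost
across best, most likely and worst cases.  The conversion rates, the three-point
weighting and the sample figures are assumed for this example, not from the lesson."""
from dataclasses import dataclass

# Assumed conversion of time into money, in the same currency as the amounts below.
RATES = {
    "staff_hour": 80.0,       # one hour of a technical staff member diverted from normal tasks
    "downtime_hour": 2000.0,  # one hour of key-system downtime
    "delay_day": 5000.0,      # one day of delay in product delivery or service
}


@dataclass(frozen=True)
class Case:
    """Damage estimate for one case (best, most likely or worst)."""
    lost_productivity: float
    stolen_equipment_or_money: float
    investigation: float
    repair_or_replace: float
    experts: float
    overtime: float
    staff_hours_diverted: float   # time: staff unavailable because of the event
    downtime_hours: float         # time: key system down
    delivery_delay_days: float    # time: product or service delayed
    resources: float              # monetary cost of people, systems, lines or access used to troubleshoot
    lost_business: float          # reputation and lost business
    restoration: float            # cost of restoration


def money(c: Case) -> float:
    """Direct monetary costs listed under 'Money'."""
    return (c.lost_productivity + c.stolen_equipment_or_money + c.investigation
            + c.repair_or_replace + c.experts + c.overtime)


def time_cost(c: Case, rates=RATES) -> float:
    """Monetary value of the time consumed by the event, using the assumed rates."""
    return (c.staff_hours_diverted * rates["staff_hour"]
            + c.downtime_hours * rates["downtime_hour"]
            + c.delivery_delay_days * rates["delay_day"])


def breakdown(c: Case, rates=RATES) -> dict:
    """Potential result in each risk measurement area, plus the total for the case."""
    areas = {
        "money": money(c),
        "time": time_cost(c, rates),
        "resources": c.resources,
        "reputation_and_lost_business": c.lost_business,
        "restoration": c.restoration,
    }
    areas["total"] = sum(areas.values())
    return areas


def measure_risk(best: Case, likely: Case, worst: Case, rates=RATES) -> dict:
    """Totals per case and an expected loss from the assumed three-point weighting."""
    totals = {name: breakdown(c, rates)["total"]
              for name, c in (("best", best), ("most_likely", likely), ("worst", worst))}
    totals["expected"] = (totals["best"] + 4 * totals["most_likely"] + totals["worst"]) / 6
    return totals


# Constructed sample figures for a hypothetical incident, in field order:
# lost productivity, stolen, investigation, repair, experts, overtime,
# staff hours, downtime hours, delay days, resources, lost business, restoration.
BEST = Case(1000, 0, 2000, 500, 0, 500, 10, 2, 0, 300, 0, 1000)
LIKELY = Case(5000, 2000, 8000, 3000, 6000, 2000, 80, 12, 1, 1500, 10000, 4000)
WORST = Case(20000, 15000, 30000, 25000, 40000, 10000, 400, 72, 10, 12000, 150000, 30000)

if __name__ == "__main__":
    for name, case in (("best", BEST), ("most likely", LIKELY), ("worst", WORST)):
        print(name, breakdown(case))
    print("summary", measure_risk(BEST, LIKELY, WORST))
```

The per-case breakdown is what page 26 calls examining the potential results in each measurement area; the expected figure is one way to turn the three cases into a single number that can be compared against the cost of a countermeasure when choosing a risk management approach.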

Page 27:

Summary

Security is managing risk.

To identify risks, identify vulnerabilities and threats.

Examine countermeasures for each risk.

Identify the extent of risk.

Measure risk in terms of money, time, resources, reputation, and lost business.