Risk Management
Information risk management (IRM) is the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
There is no such thing as a 100% secure environment.
Types of Risk
Page 71
Physical damage
Human interaction
Equipment malfunction
Inside and outside attacks
Misuse of data
Loss of data
Application error
Understanding Risk Management
Businesses operate to make money
Risks threaten the bottom line
There is a finite amount of money to address an almost infinite number of vulnerabilities
Risk Assessment
Method of identifying vulnerabilities and threats and assessing the impact to determine whether to implement security controls.
Table 2-5 on page 78
Risk Analysis
Cost/benefit
Integrate the security program with the company's business objectives
Must be supported and directed by senior management to be successful
Risk Analysis
1. What events could occur (threats)
2. What could be the potential impact (risk)
3. How often could this happen (frequency)
4. What level of confidence do we have in the answers to the first three questions (certainty)
Value of an Asset
Risk
Probability of a threat agent exploiting a vulnerability to cause harm to an asset, and the resulting business impact.
Risk Assessment Methodologies
Identify vulnerabilities, associate threats, calculate risk values
NIST SP 800-30
FRAP
OCTAVE
NIST SP 800-30
U.S. Federal Government standard
Figure 2-9 on page 80
FRAP
Facilitated Risk Analysis Process
Data is gathered and threats to business operations are prioritized based on their criticality.
Documents the controls that need to be put in place to reduce the identified risk
OCTAVE
Carnegie Mellon University Software Engineering Institute
People inside the organization manage and direct the risk evaluation
Qualitative
Red, Yellow, Green
Quantitative
SLE: single loss expectancy
EF: exposure factor (percentage of loss on an asset)
SLE = Asset Value * EF
SLE = $150,000 * 25% = $37,500
Quantitative
ARO: annual rate of occurrence (0 to 1 or more; 0.1 = once in ten years)
ALE: annual loss expectancy
ALE = SLE * ARO
ALE = $37,500 * 0.1 = $3,750
See Table on page 88
Qualitative
Page 90 Figure 2-11
Page 90 Table 2-8
Delphi Technique
Each member gives an anonymous opinion of a threat
Results are compiled and distributed to members
Members comment anonymously
Results are compiled and distributed to members again
Process continues until there is a consensus
Cost/Benefit of Safeguard
Value of safeguard to the company = ALE (before safeguard) - ALE (after safeguard) - annual cost of safeguard
Example page 93
Value = $12,000 - $3,000 - $650 = $8,350
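An added worked example (not from the slides or the textbook) that carries the SLE, ALE and safeguard-value formulas above through in Python and uses them to rank candidate safeguards; the $500,000 asset and the three candidate controls are constructed figures, while the $150,000 / 25% / 0.1 case and the $12,000 - $3,000 - $650 case are the slides' own.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF, where EF is the fraction of the asset lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO 0.1 means once in ten years, above 1 means several times a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after - annual cost of the safeguard."""
    return ale_before - ale_after - annual_cost


@dataclass
class Safeguard:
    name: str
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place
    annual_cost: float            # purchase and upkeep, amortised per year


def rank_safeguards(asset_value, exposure_factor, aro, candidates):
    """Return (name, value) pairs, best first. A negative value means the control
    costs more than it saves, so accepting the risk is the cheaper choice."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    ranked = []
    for c in candidates:
        sle_after = single_loss_expectancy(asset_value, c.exposure_factor_after)
        ale_after = annual_loss_expectancy(sle_after, c.aro_after)
        ranked.append((c.name, safeguard_value(ale_before, ale_after, c.annual_cost)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print(annual_loss_expectancy(single_loss_expectancy(150_000, 0.25), 0.1))  # slide case: 3750.0
    # Constructed scenario: $500,000 asset, EF 40%, ARO 0.2 (ALE before = $40,000)
    options = [
        Safeguard("offsite backups", 0.10, 0.20, 6_000),
        Safeguard("fire suppression", 0.05, 0.05, 30_000),
        Safeguard("gold-plated option", 0.00, 0.00, 45_000),
    ]
    for name, value in rank_safeguards(500_000, 0.40, 0.20, options):
        print(f"{name:20s} {'accept risk instead' if value < 0 else 'worth it':20s} ${value:,.0f}")
```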
Cost of Countermeasure
Page 93
Page 94 cost of IDS
Residual Risk
Conceptual formulas
Threats * vulnerability * asset value = total risk
Total risk * control gaps = residual risk
Total risk - countermeasures = residual risk
Handling Risk
Transfer risk
Insurance
Avoid risk
Don't do it
Mitigate risk
Reduce by controls
Accept risk
Live with it; the cost of controls exceeds the benefits
Key Terms
Pages 98-99
Outsourcing
Cloud
Software creation
Reducing the risk
Page 100