
RISKS IN INFORMATION SYSTEM

PREPARED BY: MANOJ KUMAR ATTRI 23-MBA-2011

RISK
Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).

In information systems, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization".

Risk factors
Risk factors are factors whose presence increases the probability of negative outcomes. Risk factors may include individual factors such as the size of the project, new software, or malicious employees. Some studies combine risk factors from various sources such as task, technology, or actors.

Risk in workplace
In the workplace, incidental and inherent risks exist. Incidental risks are those that occur naturally in the business but are not part of the core of the business. Inherent risks have a negative effect on the operating profit of the business.

Types of risk
Project risk: projects that cannot be completed within budget, schedule and/or quality constraints.
Functionality risk: projects that fail to deliver functionality.
Political risk: systems that change power relationships with suppliers.
Security risk: systems that are insecure.

Causes of risk
Inadequate information quality.
Inadequate information accessibility.
Inadequate information presentation.
Inadequate information security.
Inadequate performance in terms of productivity, consistency, cycle time, activity rate, or other measures.

Causes
Bandwidth usage

The accidental or intentional use of communications bandwidth for purposes other than those intended.

System configuration error

An accidental configuration error during the initial installation or upgrade of hardware, software, communication equipment or operational environment.

Acts of nature

All types of natural occurrences (e.g., earthquakes, hurricanes, tornadoes) that may damage or affect the system/application. Any of these potential threats could lead to a partial or total outage, thus affecting availability.

Accidental disclosure

The unauthorized or accidental release of classified, personal, or sensitive information.

Risk management
Risk management is the identification and assessment of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and impact of unfortunate events, or to maximize the realization of opportunities.

Why is it important to manage risk?

The principal reason for managing risk in an organization is to protect the mission and assets of the organization. The fact is that all organizations have limited resources and risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows organizations to prioritize scarce resources.

Questions in risk management

What is risk with respect to information systems?
Why is it important to understand risk?
How is risk managed?
What are some common risk management methodologies and tools?

PROCEDURE
1. Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
2. Assigning a risk officer: a team member other than the project manager who is responsible for foreseeing potential project problems.
3. Maintaining a live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance.
4. Creating an anonymous risk reporting channel. Each team member should have the possibility to report risks that he/she foresees in the project.
5. Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled: what, when, by whom and how it will be done to avoid the risk or to minimize its consequences.
6. Summarizing planned and faced risks, the effectiveness of mitigation activities, and the effort spent on risk management.
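The live risk database from steps 3 to 5 above, as an added example that is not part of the original slides: each entry carries the required attributes (opening date, title, short description, probability, importance) plus the mitigation plan chosen for it, and the register ranks risks by exposure and flags high-exposure risks that still lack a plan. The scoring scale (probability as a fraction, importance 1 to 5) and all sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Risk:
    # The five attributes the procedure requires, plus the mitigation plan
    opened: date
    title: str
    description: str
    probability: float   # assumed scale: 0.0 .. 1.0, chance the risk materialises
    importance: int      # assumed scale: 1 (minor) .. 5 (mission-critical)
    mitigation: str = "" # what / when / by whom; empty means no plan yet

    def __post_init__(self):
        # Reject entries that would silently distort the ranking
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.title}: probability must be in [0, 1]")
        if not 1 <= self.importance <= 5:
            raise ValueError(f"{self.title}: importance must be 1..5")

    @property
    def exposure(self) -> float:
        # Probability x importance: the usual qualitative ranking score
        return self.probability * self.importance

def prioritise(register: list[Risk]) -> list[Risk]:
    """Return the register ordered from highest to lowest exposure."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)

def unmitigated(register: list[Risk], threshold: float) -> list[str]:
    """Titles of risks at or above the threshold that still have no mitigation plan."""
    return [r.title for r in register if r.exposure >= threshold and not r.mitigation]

# Constructed sample register; dates, scores and plans are invented
REGISTER = [
    Risk(date(2011, 9, 1), "Bandwidth misuse", "Links saturated by non-business traffic", 0.6, 2),
    Risk(date(2011, 9, 3), "Configuration error", "Wrong firewall rules after an upgrade", 0.4, 4,
         mitigation="Peer review of every change; ops lead; before go-live"),
    Risk(date(2011, 9, 5), "Accidental disclosure", "Sensitive report e-mailed externally", 0.3, 5),
    Risk(date(2011, 9, 7), "Flood at data centre", "Site outage after heavy rain", 0.05, 5),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.exposure:4.2f}  {r.title}")
    print("Still needs a mitigation plan:", unmitigated(REGISTER, 1.2))
```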

Risk managing

Quantitative Risk Assessment


Quantitative risk assessment draws upon methodologies used by financial institutions and insurance companies. By assigning values to information, systems, business processes, recovery costs, etc., impact, and therefore risk, can be measured in terms of direct and indirect costs. ALE (Annual Loss Expectancy) is the monetary loss that can be expected for an asset due to a risk being realized over a one-year period.

ALE = SLE * ARO

Where:
ALE (Annual Loss Expectancy) is the expected loss per year.
SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire asset.
ARO (Annualized Rate of Occurrence) is how often the loss occurs per year.
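The ALE calculation above, carried through as an added example that is not part of the original slides. It also derives SLE from asset value and exposure factor and adds a cost/benefit check for a proposed safeguard, which is the standard way ALE figures are used to prioritize scarce resources; the asset, the exposure factor, the ARO values and the control cost are all constructed for illustration.

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be below 1, e.g. 0.1 for an event expected once a decade."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a control: loss avoided minus what the control costs.
    A negative result means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost

# Constructed scenario: a customer database valued at 500,000 (currency units).
DB_VALUE = 500_000.0
# Breach via an unpatched server: assume 40% of the asset's value is lost per event,
# expected once every two years (ARO = 0.5).
SLE_BREACH = single_loss_expectancy(DB_VALUE, 0.40)        # 200,000
ALE_BREACH = annual_loss_expectancy(SLE_BREACH, 0.5)       # 100,000
# Proposed control: managed patching at 30,000 per year, assumed to cut ARO to 0.1.
ALE_WITH_PATCHING = annual_loss_expectancy(SLE_BREACH, 0.1)            # 20,000
NET_BENEFIT = safeguard_value(ALE_BREACH, ALE_WITH_PATCHING, 30_000.0) # 50,000

if __name__ == "__main__":
    print(f"SLE = {SLE_BREACH:,.0f}   ALE = {ALE_BREACH:,.0f}")
    print(f"ALE with patching = {ALE_WITH_PATCHING:,.0f}; net annual benefit = {NET_BENEFIT:,.0f}")
```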

Risk Management Methodologies and Tools


National Institute of Standards & Technology (NIST) Methodology
OCTAVE
FRAP
COBRA
Risk Watch

National Institute of Standards & Technology (NIST) Methodology


The Risk Management Guide for Information Technology Systems is the US Federal Government's standard. This methodology is primarily designed to be qualitative and relies upon skilled security analysts to thoroughly identify, evaluate and manage risk in IT systems.

The NIST methodology consists of 8 steps:
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Impact Analysis
Step 6: Risk Determination
Step 7: Control Recommendations
Step 8: Results Documentation

OCTAVE
The Software Engineering Institute (SEI) at Carnegie Mellon University developed the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process. The main goal in developing OCTAVE is to help organizations improve their ability to manage and protect themselves from information security risks.

The outputs of the OCTAVE process are:
Protection Strategy
Mitigation Plan
Action List

FRAP
The Facilitated Risk Assessment Process (FRAP) is the creation of Thomas Peltier. It is based upon implementing risk management techniques in a highly cost-effective way. FRAP uses formal qualitative risk analysis methodologies using Impact Analysis, Threat Analysis and Questionnaires.

COBRA
The Consultative, Objective and Bi-functional Risk Analysis (COBRA) process was originally created by C & A Systems Security Ltd. in 1991. It takes the approach that risk assessment is a business issue rather than a technical issue. It consists of tools that can be purchased and then utilized to perform self-assessments of risk.

The primary knowledge bases are:
IT Security
Operational Risk
'Quick Risk' or 'high level risk'
e-Security
Risk Consultant can create reports and make recommendations by using these knowledge bases.

Risk Watch
Risk Watch is another tool that uses an expert knowledge database to walk the user through a risk assessment and provide reports on compliance as well as advice on managing the risks. Risk Watch includes statistical information to support quantitative risk assessment, allowing the user to model various strategies. Risk Watch has several products, each focused on different compliance needs.

Thanks
