System design and implementation information technology question
Lecture 19 – Risk Assessment & Management
1
Definitions
Risk Identification – analyzes the organization’s assets, threats, and vulnerabilities
Risk Assessment – measures the risk likelihood and impact
Risk Control – develops safeguards that reduce risks and their impact
2
Risk management
3
Risk identification
The first step in risk identification is to list and classify corporate assets
Asset:
Company hardware
Software
People
Networks
Procedures
Ask the class, why procedures?
4
Asset threats
For each asset, you have to rate the impact of an attack and analyze possible threats
Threat: internal or external entity that could endanger an asset
5
Categories of threats
6
Vulnerabilities and exploits
Next, the manager must identify vulnerabilities and how they may be exploited
A vulnerability is a security weakness or soft spot
An exploit is an attack that takes advantage of that vulnerability
To identify vulnerabilities, a risk manager might ask questions like these:
Could hackers break through the proxy server?
Could employees retrieve sensitive files without proper authorization?
Could people enter the computer room and sabotage our servers?
Each vulnerability is rated and assigned a value
Output of risk identification is a list of assets, vulnerabilities, and ratings
7
Risk assessment
Risk is the impact of an attack multiplied by the likelihood that a vulnerability is exploited
One method:
An impact value of 2 and a vulnerability rating of 10 would produce a risk rating of 20
An impact value of 5 and a vulnerability rating of 5 would produce a risk rating of 25
When risks are calculated and prioritized, the critical risks will head the list
Although the ratings can be subjective, the overall process provides a consistent approach and framework
8
Risk control
After risks are identified and assessed, they must be controlled
Control measures might include the following examples:
We could place a firewall on the proxy server
We could assign permissions to sensitive files
We could install biometric devices to guard the computer room
Management usually chooses one of four risk control strategies:
Avoidance, mitigation, transference, acceptance
Ask students for some control measures
9
The strategies
Avoidance: eliminates risk by adding protective safeguards
Mitigation: reduces impact of a risk by careful planning and preparation
Transference: shifts risk to another asset or party
Acceptance: nothing is done; the risk is accepted as it stands
Companies usually accept a risk only when the protection is clearly not worth the expense
Ask the class for an example of each
10
The process
The process is usually iterative
Risks are constantly identified, assessed, and controlled
To be effective, risk managers need a combination of business knowledge, IT skills, and experience with security tools and techniques
11
Attacker profiles and attacks
An attack is a hostile act that targets the system, or the company itself
Thus a disgruntled employee, or a hacker 6,000 miles away, might launch an attack
Attackers break into a system to cause damage, steal information, or gain recognition, among other reasons
Attackers can be grouped into categories
12
Types of attackers
13
Types of attacks and examples
14
More attacks and examples
15
And even more examples
16
Quantitative vs qualitative
Quantitative – using metrics to calculate a dollar value, and comparing options on that basis
Qualitative – comparing probabilities, percentages
17
How we calculate - quantitative
Terms:
Single loss expectancy (SLE): Total loss expected from a single incident
Annual rate of occurrence (ARO): Number of times an incident is expected to occur in a year
Annual loss expectancy (ALE): Expected loss for a year
Safeguard or control value: Cost of a safeguard or control
18
How we calculate - quantitative
XYZ Company provides high-end smartphones to several employees. The value of each smartphone is $500, and approximately 1,000 employees have these company-owned devices. In the past year, employees have lost or damaged 75 smartphones.
XYZ is considering buying insurance for each smartphone. Use the ALE to determine the usefulness of this safeguard. For example, XYZ could purchase insurance for each device for $25 per year. The safeguard value is $25 × 1,000 devices, or $25,000. It is estimated that if the insurance is purchased, the ARO will decrease to 5. Should the company purchase the insurance?
| Term | Value |
|---|---|
| SLE | $500 |
| ARO | 75 |
| ALE | $37,500 |
19
How we calculate - quantitative
| Item | Value |
|---|---|
| Current ALE | $37,500 |
| ARO with control | 5 |
| ALE with control | $2,500 |
| Savings with control (current ALE − ALE with control) | $35,000 |
| Safeguard value (cost of control) | $25,000 |
| Realized savings (savings with control − safeguard value) | $10,000 |
Should XYZ purchase the insurance?
20
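The slides give the ALE comparison for one control. The following worked example is added here and is not part of the lecture; it reproduces the XYZ insurance figures in code and then generalizes the same SLE/ARO/ALE arithmetic to ranking several candidate controls by realized savings. The second control ("rugged cases", its cost and its effect on ARO) is a constructed figure for illustration, not from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: what it costs per year and the ARO it is expected to leave behind."""
    name: str
    annual_cost: float
    aro_with_control: float


def single_loss_expectancy(asset_value: float) -> float:
    """SLE: the total loss expected from one incident.
    The lecture treats a lost or damaged phone as a total loss, so SLE equals the asset value."""
    return asset_value


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the loss expected over a year."""
    return sle * aro


def evaluate_safeguard(sle: float, current_aro: float, safeguard: Safeguard) -> dict:
    """Reproduce the slide's table: savings from the control minus what the control costs."""
    current_ale = annual_loss_expectancy(sle, current_aro)
    ale_with_control = annual_loss_expectancy(sle, safeguard.aro_with_control)
    savings = current_ale - ale_with_control
    realized = savings - safeguard.annual_cost
    return {
        "name": safeguard.name,
        "current_ale": current_ale,
        "ale_with_control": ale_with_control,
        "savings_with_control": savings,
        "safeguard_value": safeguard.annual_cost,
        "realized_savings": realized,
        # A control pays for itself only when realized savings are positive.
        "worthwhile": realized > 0,
    }


def rank_safeguards(sle: float, current_aro: float, safeguards: list) -> list:
    """Evaluate several candidate controls and order them by realized savings, best first."""
    results = [evaluate_safeguard(sle, current_aro, s) for s in safeguards]
    return sorted(results, key=lambda r: r["realized_savings"], reverse=True)


# XYZ Company figures from the slides
PHONE_VALUE = 500.0
DEVICES = 1000
CURRENT_ARO = 75.0
INSURANCE = Safeguard("Per-device insurance", annual_cost=25.0 * DEVICES, aro_with_control=5.0)
# Constructed second option (not from the slides): cheaper, but with a smaller effect on ARO.
RUGGED_CASES = Safeguard("Rugged cases (constructed)", annual_cost=8.0 * DEVICES, aro_with_control=40.0)

if __name__ == "__main__":
    sle = single_loss_expectancy(PHONE_VALUE)
    for r in rank_safeguards(sle, CURRENT_ARO, [INSURANCE, RUGGED_CASES]):
        print(f"{r['name']}: ALE ${r['current_ale']:,.0f} -> ${r['ale_with_control']:,.0f}, "
              f"realized savings ${r['realized_savings']:,.0f}, worthwhile={r['worthwhile']}")
```

Running it prints the insurance option first with realized savings of $10,000, matching the table; the constructed rugged-case option lands at $9,500. Ranking on realized savings rather than on ALE reduction alone is the point: a control that removes more loss can still be the worse choice once its own cost is subtracted.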
How we calculate - qualitative
Probability: The likelihood that a threat will exploit a vulnerability. Probability can use a scale of low, medium, and high, assigning percentage values to each.
Impact: The negative result if a risk occurs. You can use low, medium, or high to describe the impact.
You can calculate the risk level using the following formula:
Risk Level = Probability × Impact
21
How we calculate - qualitative
XYZ is concerned about the security of its customer data. Management has determined that the three primary risks the company faces in protecting the data are as follows:
Unauthorized access by an external party
Sabotage by an internal employee
Hardware failures
XYZ has created scales for the probability and impact of risks as follows:
Probability: Low = 10%, Medium = 50%, and High = 100%
Impact: Low = 10, Medium = 50, and High = 100
22
Qualitative
| Category | Probability | Impact | Risk Level |
|---|---|---|---|
| Unauthorized access by an external party | 25 | 50 | 12.5 |
| Sabotage by an internal employee | 75 | 100 | 75 |
| Hardware failures | 30 | 25 | 7.5 |
Probability – remember, it’s a percentage
So how do you prioritize these?
23
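To answer "how do you prioritize these?", the following example is added here (it is not part of the lecture). It computes Risk Level = Probability × Impact for the three XYZ risks with probability treated as a percentage, accepts either the Low/Medium/High labels from the slides' scales or numeric values, sorts the results highest first, and also covers the simpler impact × vulnerability-rating product from the risk assessment slide, since it is the same scoring idea without the percentage.

```python
from typing import Union

# Scales exactly as the slides define them: probability is a percentage, impact a unitless score.
PROBABILITY_SCALE = {"low": 10, "medium": 50, "high": 100}
IMPACT_SCALE = {"low": 10, "medium": 50, "high": 100}

Rating = Union[str, int, float]


def to_number(value: Rating, scale: dict) -> float:
    """Accept either a label from the scale ('low', 'Medium', ...) or a number already on it."""
    if isinstance(value, str):
        try:
            return float(scale[value.strip().lower()])
        except KeyError:
            raise ValueError(f"unknown rating {value!r}; expected one of {sorted(scale)}") from None
    return float(value)


def risk_level(probability: Rating, impact: Rating) -> float:
    """Risk Level = Probability x Impact, with probability read as a percentage (25 -> 0.25)."""
    p = to_number(probability, PROBABILITY_SCALE)
    if not 0 <= p <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    return p / 100 * to_number(impact, IMPACT_SCALE)


def identification_rating(impact_value: float, vulnerability_rating: float) -> float:
    """The risk assessment slide's scheme: impact value times vulnerability rating, no percentage."""
    return impact_value * vulnerability_rating


def prioritize(risks: dict) -> list:
    """Score each (probability, impact) pair and return (category, risk_level) tuples, highest first."""
    scored = [(name, risk_level(p, i)) for name, (p, i) in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# The three XYZ risks from the qualitative table
XYZ_RISKS = {
    "Unauthorized access by an external party": (25, 50),
    "Sabotage by an internal employee": (75, 100),
    "Hardware failures": (30, 25),
}

if __name__ == "__main__":
    for rank, (name, level) in enumerate(prioritize(XYZ_RISKS), start=1):
        print(f"{rank}. {name}: {level}")
    # Labels from the slides' scales work too: High probability, Medium impact = 1.0 * 50
    print(risk_level("High", "Medium"))
```

The ordering that comes out (sabotage 75, external access 12.5, hardware failure 7.5) is the priority list the slide asks for. Note that an unknown label such as "severe" is rejected rather than silently scored as zero, so a typo in a risk register does not quietly drop a risk to the bottom of the list.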
Graphically depicting it
24