information security risk management
Post on 29-May-2015
Onur YÜKSEKTEPELİ
Information Security Consultant
www.onuryuksektepeli.com
twitter.com/oyuksektepeli
facebook.com/onuryuksektepeli
Risk Analysis and Management
Risk Management – Principles and Guidelines
ISO 31000:2009
Unique Terms and Definitions
Annualized Loss Expectancy – The cost of loss due to a risk over a year
Threat – A potentially negative occurrence
Vulnerability – A weakness in a system
Risk – A matched threat and vulnerability
Safeguard – A measure taken to reduce risk
Total Cost of Ownership – The cost of a safeguard
Return on Investment – Money saved by deploying a safeguard
What is Risk?
Risk = Threat x Vulnerability
Example: Earthquake Disaster Risk Index
San Francisco – Near the Pacific Ocean
Boston – Northeast
San Francisco threat = 4
San Francisco vulnerability = 2
San Francisco risk = 4 x 2 = 8
Boston threat = 2
Boston vulnerability = 4
Boston risk = 2 x 4 = 8
Rachel Davidson, Earthquake Disaster Risk Index
http://www.sciencedaily.com/releases/1997/08/970821233648.htm
IMPACT
Severity of the Damage
Risk = Threat x Vulnerability x Impact
Empty building risk = 2 (threat) x 4 (vulnerability) x 2 (impact) = 16
Full building risk = 2 (threat) x 4 (vulnerability) x 5 (impact) = 40
Risk Analysis Matrix
Calculating Annualized Loss Expectancy
ALE = Annual Cost of a loss due to risk
Asset Value= Value of the asset you are trying to protect
Stolen Computer Example:
Hardware cost = $2,500
Data cost = $22,500
Asset Value = $25,000
Asset Value – valuation approaches:
• Market Approach
• Income Approach
• Cost Approach
Calculating Annualized Loss Expectancy
Exposure Factor (EF)
The percentage of an asset's value lost due to an incident.
Exposure factor of a stolen computer = 100%
Single Loss Expectancy (SLE)
The cost of a single loss.
SLE = Asset Value ($25,000) x Exposure Factor (100%) = $25,000
Annual Rate of Occurrence (ARO)
The number of losses you suffer per year.
ARO = 11
Annualized Loss Expectancy (ALE)
ALE = SLE ($25,000) x ARO (11) = $275,000
Total Cost of Ownership
Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard.
Total Cost of Ownership must contain:
• One-time capital expense
• Annual cost
• Staff hours
• Vendor maintenance fees
• Software subscriptions, etc.
Total Cost of Ownership
1000 Laptops
Software = $100/laptop = $100,000
Annual support fee = 10% annually = $10,000
4000 staff hours
$50/hour + $20/hour = $70/hour
$70/hour x 4000 = $280,000
3-year technology refresh cycle
Software cost = $100,000
3 years of vendor support = $10,000 x 3 = $30,000
Hourly staff cost = $280,000
TCO for 3 years = $410,000
TCO per year = $410,000 / 3 = $136,667/year
Return on Investment
The amount of money saved by implementing a safeguard.
TCO < ALE – Positive ROI, good choice
TCO > ALE – Negative ROI, poor choice
TCO = $136,667
ALE = $275,000
After Encryption Implement Asset Value = $25000 - $22500 = 25000
Exposure Factor = 10%
New ALE = $275,000 x 10% = $27,500
By making the investment you save:
Old ALE ($275,000) – New ALE ($27,500) = $247,500
Your ROI = $247,500 - $136,667 = $110,833
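The SLE / ALE / TCO / ROI chain above is easy to get wrong in a spreadsheet (mixing a percentage written as 10 with a factor written as 0.10 is the classic slip). The following Python is an added example, not code from the deck or its author; it reproduces the stolen-laptop figures from the slides and rejects exposure factors outside 0..1. It assumes the $50/hour and $20/hour figures on the TCO slide add up to the $70/hour rate the slide multiplies by, and it treats "TCO per year < ALE" as the decision rule the ROI slide states.

```python
"""Quantitative risk worked example: SLE, ALE, TCO and ROI (added example)."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor, where EF is a fraction in 0..1."""
    if not 0.0 <= exposure_factor <= 1.0:
        # A value like 100 or 10 almost always means someone typed a percent.
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence (losses per year)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def total_cost_of_ownership(one_time_capital: float, annual_cost: float,
                            staff_hours: float, hourly_rate: float,
                            years: int) -> tuple[float, float]:
    """TCO over a refresh cycle: capital + annual fees x years + staff time.

    Returns (total over the cycle, cost per year).
    """
    if years <= 0:
        raise ValueError("refresh cycle must be at least one year")
    total = one_time_capital + annual_cost * years + staff_hours * hourly_rate
    return total, total / years


def return_on_investment(old_ale: float, new_ale: float, tco_per_year: float) -> float:
    """ROI = annual loss avoided by the safeguard minus its annual cost."""
    return (old_ale - new_ale) - tco_per_year


def stolen_laptop_case() -> dict:
    """The deck's numbers: 1000 laptops, full-disk encryption as the safeguard."""
    asset_value = 2500 + 22500            # hardware + data, from the slides
    aro = 11                              # thefts per year, from the slides

    # Before the safeguard: a stolen laptop loses 100% of its value.
    old_sle = single_loss_expectancy(asset_value, 1.0)
    old_ale = annualized_loss_expectancy(old_sle, aro)

    # Safeguard cost: $100k software, $10k/year support, 4000 staff hours at
    # $70/hour (assumed to be the slide's $50 + $20), over a 3-year cycle.
    tco_total, tco_per_year = total_cost_of_ownership(
        one_time_capital=100_000, annual_cost=10_000,
        staff_hours=4000, hourly_rate=70, years=3)

    # After the safeguard: the slides put the exposure factor at 10%.
    new_sle = single_loss_expectancy(asset_value, 0.10)
    new_ale = annualized_loss_expectancy(new_sle, aro)

    roi = return_on_investment(old_ale, new_ale, tco_per_year)
    return {
        "old_ale": old_ale,
        "tco_total": tco_total,
        "tco_per_year": tco_per_year,
        "new_ale": new_ale,
        "roi": roi,
        # Decision rule from the ROI slide: TCO < ALE means a positive ROI.
        "worthwhile": tco_per_year < old_ale and roi > 0,
    }


if __name__ == "__main__":
    for key, value in stolen_laptop_case().items():
        print(f"{key:>13}: {value:,.2f}" if isinstance(value, float) else f"{key:>13}: {value}")
```

Run it as a script to see the table; the per-year TCO and ROI come out as $136,666.67 and $110,833.33, which the slides round to $136,667 and $110,833.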
Risk Choice
Accept the Risk
Mitigate the Risk
Transfer the Risk
Risk Avoidance