ch07 managing risk
DESCRIPTION
TRANSCRIPT
Lesson 7-Managing Risk
Overview
Defining risk.
Identifying the risk to an organization.
Measuring risk.
Defining Risk
Risk is the potential for loss that requires protection.
Risk management provides a basis for valuing an
organization’s information assets.
Risk is the measure of vulnerabilities and threats.
Defining Risk
Vulnerability
Threats
Vulnerability
Vulnerabilities make computer systems and networks prone
to technical, non-technical, or social engineering attacks.
It is characterized by the difficulty and the level of technical
skill that is required to exploit it.
The result of such exploitation must also be considered.
Threat
A threat is an action or event that violates the security of
an information system environment.
It can have multiple targets.
The components of threat are targets, agents, and events.
Targets
The targets of threat or attack are security services such as:
Confidentiality - Disclosure of classified information to
unauthorized individuals.
Integrity - Tampering of information.
Availability - Denial-of-service attack.
Accountability - Prevents organization from reconstructing past
events.
Agents (1/2)
The characteristics of agents who are the people who may wish to
harm the organization are:
Access - An agent must have direct or indirect access to system,
network, facility, or information.
Knowledge - An agent must have some knowledge about the
target. More familiar an agent is with the target, more likely the
agent will know about the vulnerabilities.
Motivation - An agent may tamper with information as a
challenge, greed to gain something, or purely with a malicious
intent.
Agents (2/2)
A threat occurs when an agent with access and knowledge gains
motivation to take action. Such agents could be:
Employees having necessary access and knowledge to systems.
Ex-employees having any grudges.
Hackers, terrorists, and criminals with a malicious intent to
harm the organization.
Commercial rivals who are interested in classified business
information of the organization.
Events
Events are the ways in which an agent of threat may cause
harm to an organization.
It is the extent of harm that could possibly be done if the
agent gained access.
Risk and How to Identify the Risk to an Organization
Risk is the combination of
threat and vulnerability.
Risks can be categorized as low,
medium, or high-risk.
Identifying Vulnerabilities
To identify specific vulnerabilities:
Locate all the entry points (electronic and physical) to the
organization.
Identify system configurations.
Identify which information and systems are accessible.
Include any known vulnerabilities in operating systems and
applications.
Identifying Real Threats
Real or targeted threats may not show themselves until an
event has occurred.
All targeted threats are time-consuming and difficult.
Examining Countermeasures
Countermeasures for each access point within an
organization must be identified.
Some of the countermeasures include firewalls, anti-virus
software, access control mechanisms, and biometrics.
Identifying Risk
Identify specific risks to the organization.
Identify what possible harm can be done through each
access point.
Rate each risk as high risk, medium risk, or low risk. The
same vulnerability may pose different levels of risk based
on the access point.
Measuring Risk
Risks can be measured in terms
of:
Money.
Time.
Resources.
Reputation and lost
business.
Money
The cost for managing risks include:
Lost productivity.
Stolen equipment or money.
Cost of an investigation.
Cost to repair or replace systems.
Cost of experts to assist.
Employee overtime.
Time
The amount of time taken to manage risks may include:
The time a technical staff member is unavailable to perform
normal tasks due to a security event.
The downtime of a key system.
Delay in product delivery or service.
Resources
Includes people, systems, communication lines,
applications, or access as resources.
Computes the monetary cost of using a resource to
troubleshoot.
Reputation and Lost Business
Data compromise can affect the
organization’s reputation.
Future business is in jeopardy
as people lose faith in the brand
name.
Losses due to system failures
and production delay cannot be
ruled out.
Measuring Risk
To measure risk:
Identify the extent of risk – best case, worst case, or most
likely case.
Identify the damage in terms of money, time, resources,
reputation, and lost business.
Identify the cost of restoration.
Examine the potential results in each risk measurement area.
Develop appropriate risk management approaches.
Summary
Security is managing risk.
To identify risks, identify vulnerabilities, and threats.
Examine countermeasures for each risk.
Identify the extent of risk.
Measure risk in terms of money, time, resources, reputation,
and lost business.