Risk Assessment
(PowerPoint PPT presentation transcript)
Risk Assessment
What is good about the Microsoft approach to threat modeling?
What is bad about it?
OCTAVE…
Advantage: ___________
Disadvantage: ___________
OCTAVE – a brief history
1999: OCTAVE developed by the Software Engineering Institute
2003: OCTAVE-S, a streamlined version
2007: OCTAVE Allegro
http://www.sei.cmu.edu/reports/07tr012.pdf
OCTAVE Allegro Roadmap (see reference on previous slide)
Step 1: Establish Risk Mgmt Criteria
The purpose is to think about later threat ranking.
This is concerned with things like "organizational drivers", "mission", and "business objectives".
Step 2: Develop an Info Asset Profile
For a software project we need to
__________________ __________________ ___________________
Step 3: Identify Asset Containers
Where are the assets stored, transported, and processed?
Step 4: Identify Areas of Concern
Brainstorm possible threats
Step 5: Identify Threat Scenarios
Build threat trees
A scenario is ___________________________
Step 6: Identify Risks
Step 7: Analyze Risks
Use the formula probability * impact
Step 8: Select Mitigation Approach
An interesting omission from the Microsoft approach
Ranking Example
For a single threat/risk:
There are worksheets to help discover ranges for ranking
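Steps 7 and 8 carried through as an added worked example (not code from the slides or from SEI's OCTAVE material): the impact areas and their priority weights, the 1/2/3 ordinal scales for impact and probability, and the accept/defer/mitigate thresholds are all assumptions loosely modelled on Allegro-style worksheets, and the three threat scenarios are constructed.

```python
# Added example, not from the slides: OCTAVE Allegro-style ranking of threat
# scenarios for one asset. Impact areas, priority weights, the 1/2/3 scales and
# the mitigation thresholds are all constructed assumptions.
from __future__ import annotations

# Step 1 output: impact areas ranked by the organisation (5 = most important).
IMPACT_AREA_PRIORITY = {"reputation": 5, "financial": 4, "productivity": 3,
                        "safety": 2, "legal": 1}
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}   # qualitative -> ordinal
PROBABILITY = {"low": 1, "medium": 2, "high": 3}    # integers: no float noise
# Step 8 thresholds (assumed): score at or above the bound -> that approach.
THRESHOLDS = [(50, "mitigate"), (35, "defer"), (0, "accept")]

def impact_score(impacts: dict[str, str]) -> int:
    """Weighted impact: sum over areas of priority * impact value (max 45)."""
    unknown = set(impacts) - set(IMPACT_AREA_PRIORITY)
    if unknown:
        raise ValueError(f"unknown impact area(s): {sorted(unknown)}")
    return sum(IMPACT_AREA_PRIORITY[area] * IMPACT_VALUE[level]
               for area, level in impacts.items())

def risk_score(probability: str, impacts: dict[str, str]) -> int:
    """Step 7: probability * impact, both on ordinal scales (max 135)."""
    return PROBABILITY[probability] * impact_score(impacts)

def mitigation_approach(score: int) -> str:
    """Step 8: pick the first threshold the score reaches."""
    return next(label for bound, label in THRESHOLDS if score >= bound)

def rank_scenarios(scenarios: list[dict]) -> list[tuple[str, int, str]]:
    """Score every Step 5 scenario and sort from highest to lowest risk."""
    scored = [(s["scenario"], risk_score(s["probability"], s["impacts"]))
              for s in scenarios]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, score, mitigation_approach(score)) for name, score in scored]

# Constructed Step 5 scenarios for one information asset (a customer database).
SAMPLE_SCENARIOS = [
    {"scenario": "insider copies records to personal storage", "probability": "medium",
     "impacts": {"reputation": "high", "financial": "medium", "productivity": "low",
                 "safety": "low", "legal": "low"}},
    {"scenario": "ransomware encrypts the database server", "probability": "low",
     "impacts": {"reputation": "low", "financial": "high", "productivity": "high",
                 "safety": "low", "legal": "medium"}},
    {"scenario": "backup tape lost in transit", "probability": "high",
     "impacts": {"reputation": "medium", "legal": "high"}},
]
```

Calling `rank_scenarios(SAMPLE_SCENARIOS)` places the insider scenario first (score 58, mitigate) even though the ransomware scenario has the larger raw impact, which is the point of weighting by probability before choosing the Step 8 approach.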