
Risk Management

University of Technology, Jamaica


Presentation Overview

• Introduction
• Risk Management
• Risk Management Basics
• Risk Management Process
• Types of Risk Analysis
• Qualitative Risk Analysis
• Risk Matrix
• Quantitative Risk Analysis
• Risk Mitigation Strategies
Introduction

• Risk Management is a critical component of the security
posture of any organization.
• The threats to each asset in the organization must be known,
and strategies developed to reduce the likelihood or the impact
of a negative event.
• Risk Management is proactive: it matches the cost of protection
to the value of the asset, so that the organization does not end up
spending $1 million to protect an asset that is worth $20,000.
Risk Management

Risk management
• Is the process of identifying, assessing and controlling
threats to an organization's capital and earnings.
• These threats, or risks, could stem from a wide variety of
sources, including:
• Financial uncertainty
• Legal liabilities
• Hardware / software configuration errors
• Accidents and natural disasters
Risk Management Basics

• Asset – A resource that a business needs to function.
Ex. – Physical building, web server, firewall, data / information
• Vulnerability – A weakness in a system, its software, or its
configuration that a threat could exploit.
Ex. – Unpatched systems, outdated virus definitions, poorly configured applications
• Threat – An event that can cause harm to an asset.
Ex. – Social engineering attacks, DDoS, botnets, malware, SQL injection
• Risk – The potential for loss, damage or destruction of an asset as a
result of a threat exploiting a vulnerability.
Ex. – Financial loss, reputational damage, legal sanctions
• Threat Vector – The path or means an attacker uses to reach and
exploit a weakness in a system.
Ex. – RATs, e-mail attachments, malicious links / websites, phishing


Risk Management Basics
Risk Management Process

The Risk Management Process consists of the following six (6)
steps:
1. Identify Assets – Ex. Hardware / software, information, inventory,
website, system services
2. Identify Threats for each asset – Ex. Buffer overflow attack,
SQL injection on a website, hard drive failure, theft
3. Analyze Impact – Ex. Loss of revenue or business opportunity, cost in
money and time to fix, loss of production
4. Prioritize (Triage) Threats – Threats are ranked by impact and
probability of occurring so that the most serious threats are
dealt with first.
5. Identify Mitigation Techniques – Ex. Firewall, RAID, server
clustering, encryption, access control
6. Evaluate Residual Risk – Re-evaluate the assets after the mitigations
are in place and identify the risk that remains; that residual risk must
itself be accepted, transferred or reduced further.


Types of Risk Analysis

There are two types of Risk Analysis, namely:
1. Qualitative – Assigns each threat a rating on a scale for its
likelihood and for its consequence (impact), i.e. uses a scale
rather than money to determine the seriousness of a given threat.
2. Quantitative – Calculates the dollar figure associated with each
risk.


Qualitative Risk Analysis

• With Qualitative Risk Analysis the risk and the mitigation
techniques are determined without calculating the dollar
value of the loss; likelihood and impact are each rated on an
ordinal scale (e.g. Low / Medium / High, or 1 to 5) and combined:

Risk = Probability (Likelihood) * Loss (Impact)

Advantages of Qualitative Risk Analysis
1. It is quicker to determine the seriousness of a threat.
2. It saves time because the dollar value of the asset does not have
to be known.


Qualitative Risk Analysis

• Create a table for Probability (Likelihood): each level of the scale
with its rating.


Qualitative Risk Analysis

• Create a table for Impact: each level of the scale with its rating.


Qualitative Risk Analysis
Risk Matrix
• Combine the two tables into a Risk Matrix: each cell pairs a
probability level with an impact level and holds the resulting risk
rating, so every threat can be placed on the grid and triaged.
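The probability and impact tables and the risk matrix on these slides are images that did not survive extraction. The Python program below is an added example, not part of the slides: it builds a 5x5 risk matrix from an assumed 1-to-5 likelihood scale and an assumed 1-to-5 impact scale, scores each asset/threat pair as Likelihood * Impact, bands the scores into Low / Medium / High / Critical (assumed thresholds), and sorts a small constructed risk register most-serious-first, which is step 4 (triage) of the process. The scale names, the band thresholds and the register entries are assumptions, not values from the slides.

```python
"""Qualitative risk matrix (added example, not from the slides).

Assumptions (not stated in the original): a 1-5 ordinal scale for both
likelihood and impact, risk score = likelihood * impact, and the rating
bands below. Organisations choose their own scales and bands.
"""
from dataclasses import dataclass

# Ordinal scales. The numbers are ranks, not measurements: a score of 20
# is "worse than" 10, but not "twice as bad".
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Rating bands over the 1..25 score range (assumed thresholds, highest first).
BANDS = ((20, "Critical"), (12, "High"), (5, "Medium"), (1, "Low"))


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = Probability (Likelihood) * Loss (Impact), on the ordinal scales."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Map a 1..25 score onto its band label."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score {score} outside 1..25")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)


def build_matrix() -> dict:
    """The 5x5 grid of the slide: (likelihood, impact) -> rating."""
    return {(lk, im): risk_rating(risk_score(lk, im)) for lk in LIKELIHOOD for im in IMPACT}


def triage(risks: list) -> list:
    """Step 4 of the process: most serious first (by score, then by likelihood)."""
    return sorted(risks, key=lambda r: (r.score, LIKELIHOOD[r.likelihood]), reverse=True)


# Constructed register; the asset/threat pairs reuse the slides' own examples,
# the likelihood and impact ratings are invented for illustration.
REGISTER = [
    Risk("Web server", "SQL injection", "likely", "major"),
    Risk("Web server", "Hard drive failure", "possible", "moderate"),
    Risk("Physical building", "Theft", "unlikely", "minor"),
    Risk("Firewall", "Configuration error", "possible", "severe"),
]

if __name__ == "__main__":
    for r in triage(REGISTER):
        print(f"{r.rating:8} {r.score:2}  {r.asset}: {r.threat}")
```

Because the scales are ordinal, the product is only a ranking device: it lets the team agree that "likely / major" (16, High) is dealt with before "possible / moderate" (9, Medium), but it does not say the first costs about twice as much, which is the gap the quantitative method on the following slides closes.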
Quantitative Risk Analysis

• With Quantitative Risk Analysis we calculate the dollar
amount of each risk and express the impact of the threat on
the asset in money.
• It is often difficult to convince management using the
Qualitative technique alone, because management wants to
know the dollar figure.
Scenario: You tell management that a threat is going to
cost US$1,500 per year, so we should purchase a firewall
solution that will cost US$5,000 per year for the next
three (3) years. Imagine you were in management: what
would you say? Paying $5,000 a year to prevent a $1,500 a year
loss costs more than the risk itself, so a control is only
justified when its annual cost is less than the loss it prevents.


Quantitative Risk Analysis

Calculating Risk
• Asset Value (AV) – the dollar value of the asset.
• Exposure Factor (EF) – the percentage of the asset's value
that you expect to lose if the threat occurs.
• Single Loss Expectancy (SLE) – how much money the
company will lose each time the threat occurs.
SLE = Asset Value ($) * Exposure Factor (EF)
• Annual Rate of Occurrence (ARO) – how many times per
year the loss is expected to occur; it may be a fraction, e.g.
once every five years = 0.2.
• Annual Loss Expectancy (ALE) – how much money the
company expects to lose per year from each threat.
ALE = SLE * ARO


Quantitative Risk Analysis

Example
• An e-commerce website has a value of $200,000, and each time the
web server has a hard drive failure you lose 8% of the asset value.
What would be the single loss expectancy? What would be the
annual loss expectancy if this threat occurs three (3) times a year?
What if the hard drive fails once every five (5) years; what would be
the annual loss expectancy?

SLE = Value * EF
    = $200,000 * 0.08
    = $16,000

Three failures per year:
ALE = SLE * ARO
    = $16,000 * 3
    = $48,000

Once every five years (ARO = 1/5 = 0.2):
ALE = $16,000 * 0.2
    = $3,200
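As an added example, not from the slides, the Python code below implements the SLE and ALE formulas above, reproduces the worked figures, and adds the cost/benefit test that the firewall scenario on the earlier slide implies but does not state: value of a safeguard = ALE before the control, minus ALE after the control, minus the annual cost of the control. The Safeguard class, the RAID cost and its effect on EF, and the way the $1,500-per-year scenario is modelled as an asset are constructed assumptions for illustration.

```python
"""Quantitative risk analysis (added example, not from the slides).

Implements the slides' formulas
    SLE = Asset Value * EF
    ALE = SLE * ARO
and the cost/benefit test the firewall scenario implies:
    value of safeguard = ALE_before - ALE_after - annual cost of safeguard
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: money lost each time the threat occurs. EF is a fraction (0.08 for 8%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year. ARO may be fractional (once in five years = 0.2)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A control and its effect on the risk (assumed modelling, not from the slides)."""
    name: str
    annual_cost: float
    aro_after: float   # how often the loss still occurs once the control is in place
    ef_after: float    # what fraction of the asset is still lost per occurrence


def safeguard_value(asset_value: float, ef: float, aro: float, safeguard: Safeguard) -> float:
    """Positive: the control saves more than it costs. Negative: it does not pay for itself."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.ef_after), safeguard.aro_after)
    return ale_before - ale_after - safeguard.annual_cost


if __name__ == "__main__":
    # The slides' worked example: $200,000 site, 8% lost per hard drive failure.
    sle = single_loss_expectancy(200_000, 0.08)
    print(f"SLE = ${sle:,.0f}")
    print(f"ALE (3 failures/year)   = ${annual_loss_expectancy(sle, 3):,.0f}")
    print(f"ALE (1 failure/5 years) = ${annual_loss_expectancy(sle, 1 / 5):,.0f}")

    # Constructed scenario: RAID mirroring (assumed $1,200/year) makes a single
    # drive failure non-disruptive, so EF drops; drives still fail at the same rate.
    raid = Safeguard("RAID 1 on web server", annual_cost=1_200, aro_after=3, ef_after=0.005)
    print(f"{raid.name}: value = ${safeguard_value(200_000, 0.08, 3, raid):,.0f}")

    # The slides' management scenario: a $1,500/year risk against a $5,000/year firewall,
    # modelled as a $15,000 asset losing 10% once a year, and a control that removes the loss.
    fw = Safeguard("Firewall", annual_cost=5_000, aro_after=0, ef_after=0)
    print(f"{fw.name}: value = ${safeguard_value(15_000, 0.10, 1, fw):,.0f}")
```

Running the block prints an SLE of $16,000, ALEs of $48,000 and $3,200, a positive value for the RAID control and a negative one for the firewall in the management scenario, which is the numeric form of the answer management would give.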


Risk Mitigation Strategies

• Mitigate (reduce) the risk – apply controls that lower the likelihood
or the impact, e.g. patching, firewalls, RAID, access control
• Accept the risk – take no further action because the cost of a control
exceeds the expected loss, and document that decision
• Transfer the risk – shift the financial consequence to a third party,
e.g. insurance or an outsourced provider
• Avoid the risk – stop the activity or remove the asset that creates
the risk
• Deter the risk – discourage the threat agent, e.g. warning banners,
visible monitoring, legal notices
