Risk Management Fundamentals

Unit 1

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Outline
 Introduction
 Threats, Vulnerabilities and Impact
 Risk Management Lifecycle
 Risk Identification techniques
 Risk Management techniques

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Introduction
 Risk is defined as the effect of uncertainty on objectives (whether positive
or negative).
 Risk management - the process of identifying vulnerabilities and threats
to an organization’s resources and assets and deciding what
countermeasures, if any, to take to reduce the level of risk to an
acceptable level based on the value of the asset to an organization.
 Risk is likelihood that a loss will occur
 Minor problems are classified as Flaw/Faults and major ones as Failure
 Business losses are based on
 Compromise on Business Functions
 Compromise on Business Assets
 Driver of Business Costs

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Threat, Vulnerability & Risk
 A Threat is a set of external circumstances that may allow a vulnerability to be
exploited.
e.g. the existence of a particular virus represents a threat to a system.

 A Vulnerability is a weakness in a system that may be exploited to degrade or

bypass standard security mechanisms.
e.g. a system does not have antivirus software would constitute vulnerability.

 A Risk occurs when a threat and a corresponding vulnerability both exist.

e.g. the threat of a particular virus x the vulnerability of a system without antivirus
software combines to constitute a risk to that system.

 Total Risk = Threat x Vulnerability x Asset Value

 Residual Risk = Total Risks - Controls

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
Seven Domains of IT Infra

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Seven Domains of IT Infra
 User Domain
 People are weakest link, social engineering attacks
 Workstation Domain
 Systems should be updated with latest antivirus and firewall
 LAN Domain
 Network devices to be protected, sniffing attacks, protocol analyzer
 LAN to WAN Domain
 Not controlled by us, boundary/edge protection, constantly probed by attackers
 Remote Access Domain
 Mobile workers, secure reliable VPN
 WAN Domain
 Shared lines or semi private lines, lot of risks
 System/ Application Domain
 Remove unneeded services/protocols, patch and update servers regularly, enable local
firewall, change default settings and passwords

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Impact
 High Impact - If a threat exploits the vulnerability it may,
 Result in the costly lost of major assets or resources
 Significantly violate, harm, or impede an organization's mission,
reputation or interest
 OR Result in human death or serious injury

 Medium Impact - If a threat exploits the vulnerability it may,

 Result in the costly lost of assets or resources
 Violate, harm, or impede an organization's mission, reputation or
interest
 OR, Result in human injury

 Low Impact - If a threat exploits the vulnerability it may,

 Result in the lost of some assets or resources
 Noticeably affect the organization's mission, reputation or interest
Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Impact

Matrix derived from NIST SP 800-30

For example, instead of assigning values of low, medium, and
high for the threat likelihood, assign actual percentages. It
allows greater separation between the categories. Similarly,
one can assign any number within a range to the impact. One
numbers between 1 and 100, if desired.
Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Management Framework
 ISO Risk Framework
 It is a thoroughly interactive
process that involves input from
all levels of the organization.
 Five steps of a risk cycle:
 Establish context
 Risk identification
 Risk analysis
 Risk evaluation
 Risk treatment

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Identification
 Three steps for risk identification
 Identify Threats
 Identify Vulnerabilities
 Estimate the likelihood of a threat exploiting a vulnerability
 Identify Threats
 Creating list of threats
 Categories of Threats
 External or Internal
 Natural or Man-Made
 Intentional or Accidental

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Identification
 Identify Vulnerabilities
 Audits
 Certification and Accreditation records
 System Logs
 Prior Events
 Trouble Reports
 Incident Response Teams

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Management
 Risk avoidance
 Eliminating the source of the risk—The company can stop the risky
activity. For example, a company may have a wireless network that is
vulnerable to attacks. The risk could be avoided by removing the
wireless network. This can be done if the wireless network isn’t an
important asset in the company.
 Eliminating the exposure of assets to the risk—The company can move
the asset. For example, a data center could be at risk because it is
located where earthquakes are common. It could be moved to an
earthquake-free zone to eliminate this risk. The cost to move the data
center will be high. However, if the risk is unacceptable and the value
of the data center is higher it makes sense.

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Management
 Risk transference
 Insurance—You purchase insurance to protect your company from a
loss. If a loss occurs, the insurance covers it. Many types of insurance
are available, including fire insurance.
 Outsourcing the activity—For example, your company may want to
host a Web site on the Internet. The company can host the Web site
with a Web hosting provider. Your company and the provider can
agree on who assumes responsibility for security, backups, and
availability.

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Management
 Risk Mitigation
 Alter the physical environment—Replace hubs with switches. Locate
servers in locked server rooms.
 Change procedures—Implement a backup plan. Store a copy of
backups offsite, and test the backups.
 Add fault tolerance—Use Redundant Array of Independent Disks
(RAID) for important data stored on disks. Use failover clusters to
protect servers.
 Modify the technical environment—Increase security on the firewalls.
Add intrusion detection systems. Keep antivirus software up to date.
 Train employees—Train technical personnel on how to implement
controls. Train end users on social engineering tactics.

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
 Risk Management
 Risk Acceptance
 When the cost of the control outweighs the potential loss.
 E.g. A company hosts a Web server used for ecommerce. The Web
server generates about $1,000 per month in revenue. The server could
be protected using a failover cluster. However, estimates indicate that a
failover cluster will cost approximately $10,000. If the server goes
down, it may be down for only one or two hours, which equates to less
than $3. (Revenue per hour 5 $1,000  12  365  24 5 $1.37.)

Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering