
INFORMATION SECURITY RISK ANALYSIS

KEY POINTS

• What is Risk Management?


• What is the need for Risk Management?
• Approach to Risk Management
• Risk Assessment

What is Risk?

• Risk is made up of two parts:
– Probability (the likelihood that an event occurs)
– Negative consequences (the loss or damage if it does)
Risk

• Potential for loss or damage
• Examples of risk
– ????
• Risk = Threat × Vulnerability
Vulnerability

– A weakness which allows an attacker to reduce a system’s information assurance.
• Example
– ????
Risk Management Process

IDENTIFICATION → CATEGORIZE → MANAGE → MONITOR

• The following activities are involved in the risk management process:
1.) Identification
2.) Categorize/Prioritize
3.) Manage
4.) Monitor
Risk Analysis

• Systematic process to estimate the level of risk for identified and approved risks.
• The process of defining and analyzing the dangers to an organization’s assets.
• Investigation of available information to identify hazards and estimate risks.

Types of Risk Analysis

– Qualitative Risk Analysis
– Quantitative Risk Analysis
Qualitative Risk Analysis

• Prioritizes the identified risks using a pre-defined rating scale (e.g. Low / Medium / High).
• Each risk is rated on its probability and on its impact; the two ratings together give its priority.
• Performed after the risk factors have been identified.
• Examples:
– ????

Quantitative Risk Analysis

• Provides a numerical (typically monetary) estimate of the effect of each risk.
• Helps in calculating estimates of overall risk, using the exposure-related figures defined below (EF, SLE, ARO, ALE).
RELATIONSHIP AMONG DIFFERENT SECURITY CONCEPTS

TERMS AND DEFINITIONS FOR RISK ANALYSIS
• Asset
– Something that an organization considers important enough to protect.
• Threat
– Any potential event that could cause harm to an asset.
• Safeguard
– A ‘control’ or ‘countermeasure’ that reduces the likelihood or the impact of a threat.
• Vulnerability
– The absence or weakness of a ‘safeguard’.
• Exposure-related terms
– Exposure factor (EF): the percentage of an asset’s value that would be lost if a specific threat event occurred.
– Single loss expectancy (SLE): the monetary loss expected from a single occurrence of a threat event.
SLE = Asset value * EF
e.g. asset value = USD 45,000 and EF = 20%, then SLE = 45,000 * 0.2 = USD 9,000
– Annualized rate of occurrence (ARO): the estimated number of times a specific threat is expected to occur within a one-year time frame.
• ARO is a frequency, not a probability: it is 0.0 for a threat that never occurs, a fraction below 1.0 for a rare event, and above 1.0 for a threat expected more than once a year (e.g. 12.0 for a monthly event).
• e.g. a flood expected once in 1,000 years has ARO = 1/1000 = 0.001
– Annualized loss expectancy (ALE): the expected monetary loss per year, derived from
ALE = SLE * ARO
e.g. SLE = USD 9,000 and ARO = 0.001 gives ALE = USD 9 per year
FORMULA FOR RISK ANALYSIS

Exposure-related concept              Formula for calculation
------------------------------------  ---------------------------------------------------
Exposure factor (EF)                  Percentage of asset value lost when the threat occurs
Single loss expectancy (SLE)          Asset value * EF
Annualized rate of occurrence (ARO)   Expected frequency of threat occurrence per year
Annualized loss expectancy (ALE)      SLE * ARO
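A worked calculation of the formulas above, added here as an example that is not part of the original slides. It applies SLE = asset value * EF and ALE = SLE * ARO to a small risk register and ranks the scenarios by ALE. The register is constructed for illustration: the first entry reuses the slides’ own USD 45,000 asset with EF 20% and the once-in-1,000-years flood, the other entries are made up. The ThreatScenario class and the helper function names are assumptions made for this example.

```python
"""Quantitative risk analysis with EF, SLE, ARO and ALE.

Added example, not from the slides. The register below is constructed:
the first entry reuses the slides' USD 45,000 asset with EF 20% and the
once-in-1,000-years flood (ARO 0.001); the rest are made-up scenarios.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    asset: str
    threat: str
    asset_value: float      # value of the asset in USD
    exposure_factor: float  # fraction of the asset value lost per event (20% -> 0.20)
    aro: float              # expected occurrences per year; may exceed 1.0


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * EF, with EF expressed as a fraction 0.0..1.0."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0.0 and 1.0 (20% -> 0.20)")
    return asset_value * exposure_factor


def annualized_rate(events: float, years: float) -> float:
    """ARO from an estimated frequency, e.g. 1 flood per 1,000 years -> 0.001."""
    if years <= 0:
        raise ValueError("period must be positive")
    return events / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is a frequency, so values above 1.0 are valid."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def analyze(register):
    """Return (scenario, SLE, ALE) rows sorted by ALE, largest first."""
    rows = []
    for s in register:
        sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
        ale = annualized_loss_expectancy(sle, s.aro)
        rows.append((s, sle, ale))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed risk register (figures are illustrative, not real data).
REGISTER = [
    ThreatScenario("data centre", "flood", 45_000.0, 0.20, annualized_rate(1, 1_000)),
    ThreatScenario("web server", "defacement", 45_000.0, 0.20, annualized_rate(2, 1)),
    ThreatScenario("customer database", "ransomware", 500_000.0, 0.50, annualized_rate(1, 10)),
    ThreatScenario("laptop fleet", "lost laptop", 2_000.0, 1.00, annualized_rate(12, 1)),
]

if __name__ == "__main__":
    print(f"{'asset':18} {'threat':12} {'SLE':>10} {'ARO':>7} {'ALE':>10}")
    for s, sle, ale in analyze(REGISTER):
        print(f"{s.asset:18} {s.threat:12} {sle:>10,.2f} {s.aro:>7.3f} {ale:>10,.2f}")
```

Two things the ranking shows that the formulas alone do not: the rare flood with the slides’ SLE of USD 9,000 ends up last (ALE USD 9), while the cheap but monthly lost-laptop event (SLE USD 2,000, ARO 12) ranks just below the ransomware scenario, because ALE weights impact by frequency. The EF check also catches the common mistake of passing a percentage (20) instead of a fraction (0.20), which would inflate every SLE a hundredfold.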


RISK MANAGEMENT AND RISK ANALYSIS

• Risk analysis:
• The science of observation, knowledge and evaluation: establishing what can go wrong, how likely it is and how much it would cost.
• Risk management:
• The ongoing process of identifying the risks and implementing plans to address them.
• Risk evaluation:
• Provides a baseline that can be used to focus mitigation and improvement activities.

Risk = Threat * Vulnerability * Asset value


STAGED METHODOLOGY FOR RISK ANALYSIS

• Methodology: a framework for managing a task efficiently.
• Three main stages in risk analysis:
– Asset evaluation
– Analysis of threats and vulnerabilities
– Selection of safeguards

Considerations For Risk Analysis

• Valuation (estimation) of assets
• Selection of safeguards
Asset Evaluation

• Estimation of the value of an organization’s assets, so that the cost of protecting each asset can be weighed against the loss its compromise would cause.
• The financial value of assets reported at the end of a financial period is one input, but information assets also carry replacement, operational and intangible value (see the evaluation factors below).
Asset Classification

• Asset classification is necessary for asset evaluation.
• Categories of information assets:
– Hardware
– Software
– Data
– Documentation
– Personnel
– Procedures
– Models
– Communication equipment
– Logical data sets
– Intangible aspects such as business reputation
Why Is Asset Evaluation Required?

• Asset evaluation is required for a number of reasons:
1. As a basis for cost/benefit analysis
2. For insurance purposes
3. For making decisions
4. As a part of mandated due care

Asset evaluation factors

• Usefulness and life span
• Initial one-time cost
• Ongoing operational cost
• Maintenance and support cost
• Hidden costs associated with the asset
• Value of the intellectual property (IP)
Selection Of Safeguards

• Research the available safeguards.
• Ensure that the selected safeguards match the threat.
• Criteria for choosing between candidate safeguards:
– Cost/benefit analysis (a safeguard should cost less per year than the reduction in ALE it achieves)
– Level of manual operations
– Auditability/accountability
– Ability for recovery
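The cost/benefit criterion above, carried through as an added example that is not part of the original slides. It uses the standard safeguard-value formula, value of safeguard = ALE before the control minus ALE after the control minus the annual cost of the control, which the slides refer to but do not write out, and applies the ability-for-recovery criterion as an optional filter before the ranking. The Safeguard class, the candidate safeguards, their costs and their residual EF/ARO figures are all constructed for this example.

```python
"""Safeguard selection by cost/benefit on annualized loss expectancy.

Added example, not from the slides. Formula (standard, not written out
on the slides):
    value of safeguard = ALE_before - ALE_after - annual cost of safeguard
A safeguard is worth buying only if that value is positive. All
candidates and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # amortized purchase + operation + maintenance, per year
    residual_ef: float   # exposure factor if the threat still occurs with the control in place
    residual_aro: float  # rate of occurrence with the control in place
    auditable: bool      # can its operation be verified after the fact?
    recoverable: bool    # does it support recovery, not just prevention?


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: SLE * ARO with SLE = asset value * EF."""
    return asset_value * ef * aro


def safeguard_value(asset_value: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Annual net benefit of one safeguard against one threat scenario."""
    before = ale(asset_value, ef, aro)
    after = ale(asset_value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost


def rank_safeguards(asset_value, ef, aro, candidates):
    """All candidates paired with their annual value, most beneficial first."""
    scored = [(safeguard_value(asset_value, ef, aro, sg), sg) for sg in candidates]
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored


def select_safeguard(asset_value, ef, aro, candidates, require_recovery=False):
    """Best candidate that pays for itself (positive value), else None.

    require_recovery applies the slides' non-financial 'ability for recovery'
    criterion as a hard filter before the cost/benefit ranking.
    """
    pool = [sg for sg in candidates if sg.recoverable or not require_recovery]
    for value, sg in rank_safeguards(asset_value, ef, aro, pool):
        if value > 0:
            return sg
    return None


# Constructed scenario: customer database worth USD 500,000, ransomware with
# EF 50% and ARO 0.1 (once in ten years) -> ALE = USD 25,000 per year.
DB_VALUE, DB_EF, DB_ARO = 500_000.0, 0.50, 0.10

CANDIDATES = [
    Safeguard("offline backups with tested restore", 6_000.0, 0.10, 0.10, True, True),
    Safeguard("endpoint detection and response", 15_000.0, 0.50, 0.02, True, False),
    Safeguard("air-gapped hot standby replica", 40_000.0, 0.05, 0.10, True, True),
]

if __name__ == "__main__":
    for value, sg in rank_safeguards(DB_VALUE, DB_EF, DB_ARO, CANDIDATES):
        print(f"{sg.name:40} value per year = {value:>10,.0f}")
    chosen = select_safeguard(DB_VALUE, DB_EF, DB_ARO, CANDIDATES)
    print("selected:", chosen.name if chosen else "none (accept the risk)")
```

With the constructed figures the backups reduce the ALE from 25,000 to 5,000 for 6,000 a year (value 14,000), the EDR deployment achieves the same ALE reduction at 15,000 a year (value 5,000), and the standby replica costs more than the whole ALE it removes (value negative), so it is rejected even though it gives the lowest residual loss. A negative value for every candidate means the cheapest option is to accept the risk.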
THANK YOU…