
Unit Outline Information Security Risk Assessment


yamal
Presentation Transcript


  1. Unit Outline: Information Security Risk Assessment
  • Module 1: Introduction to Risk
  • Module 2: Definitions and Nomenclature
  • Module 3: Security Risk Assessment
  • Module 4-5: Methodology and Objectives
  • Module 6: Case Study
  • Module 7: Summary

  2. Module 1: Introduction to Risk

  3. Risk: Learning Objectives
  • Students should be able to:
    • Gain an understanding of introductory risk concepts
    • Conceptualize risk for simple situations
    • Gain a historical perspective of risk analysis
    • Understand the application of risk to different disciplines

  4. Risk: Definition
  • Risk: the perception of uncertainty in events that occur and in actions taken.
  • Risks are encountered in everyday decision-making.
  • There are multiple ways to consider risk:
    • Risk as feelings
    • Risk as analysis
    • Risk as politics
  • We primarily evaluate risk intuitively (as feelings).

  5. Risk: Opposing Views
  • Statisticians:
    • Probabilities
    • Consequences of adverse events
    • Quantifiable
  • Social scientists:
    • Risk is invented to cope with uncertainties
    • Dependent on perception
  • Risk perception: a blending of science and judgment with important psychological, social, cultural, and political factors.
  • Risk estimation depends on the definition of risk.
  • There needs to be a consistent and universally accepted definition of risk per domain.
  • Our risk domain is information security.

  6. Risk: Human Factors
  • Uncertainty in computing risk is unavoidable.
  • Reactions to risk are often based on emotion rather than scientific evidence.
    • When people become outraged, they may overreact.
    • If people are not outraged, they may under-react.
    • An industrial process producing an unpronounceable chemical is a much less acceptable risk than something more everyday, like driving or eating junk food.
  • Risk comparisons may be clearer than absolute numbers.
  • Emotions must be considered alongside scientific evidence.
    • People become uneasy when scientists are not certain about the risk posed by a hazard (its effect, severity, or prevalence).
    • Rather than diminishing legitimate concerns or heightening illegitimate ones, psychological factors must be addressed to encourage constructive action.

  7. Risk: Formal Definition
  • Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
  • Risks are evaluated by three distinguishing characteristics:
    • Loss associated with an event, e.g., disclosure of confidential data, lost time and revenue.
    • Likelihood that the event will occur, i.e., probability of occurrence.
    • Degree to which the risk outcome can be influenced, i.e., controls.
  • Various forms of threats exist.
  • Different stakeholders have different perceptions.
  • Several sources of threats exist simultaneously.

  8. Risk: Risk Management Process
  • Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
  • Process steps:
    • What can go wrong? (Initiating events)
    • How bad? (Consequences)
    • How often? (Likelihood of failure)
    • Aggregate risk: likelihood of consequences calculated for every possible combination of precipitating events
    • Measures to reduce the consequences of risk until they reach acceptable levels (Benefits > Aggregated Risk)

  9. Risk Example #1: Caveman Going to Hunt (Cost-Benefit Analysis)
  • Total Benefit: Food
  • Total Risk: Risk = Consequence × Likelihood
  • Potential Accidents:
    • Being eaten by prey
    • Being mistakenly hurt by a tribe member
    • Accidentally getting hurt on terrain
  • How Bad (Consequences):
    • Injury
    • Death
  • Hazard Control (Reduce likelihood of damage):
    • Avoid dangerous terrain
    • Scare animals with fire or sticks
    • Hide from animals
    • Hunt in groups
  • Protection & Damage Limitation (Reduce consequences):
    • Apply first aid
    • Run once an animal follows you

  10. Risk Example #2: Participating in a Sports Event (Cost-Benefit Analysis)
  • Total Benefit: Thrill & Pride
  • Total Risk: Risk = Consequence × Likelihood
  • Potential Accidents:
    • Collision
    • Slipping
    • Tripping
  • How Bad (Consequences):
    • Out for the match
    • Out for the season
    • Broken bone
    • Sprained muscle
    • Torn ligament
  • Hazard Control (Reduce likelihood of damage):
    • Training
    • Being careful
    • Using proper footwear & protective gear
    • Following rules
  • Protection & Damage Limitation (Reduce consequences):
    • First aid
    • Ambulance
    • Medical & hospital services

  11. Risk Example #3: Driving to Work (Cost-Benefit Analysis)
  • Total Benefit: Employment
  • Total Risk: Risk = Consequence × Likelihood
  • Potential Accidents:
    • Head-on collision
    • Side/rear-end impact
    • Hitting a pedestrian
    • Overturning the car
    • Carjacking
  • Causes:
    • Fatigue
    • Poor judgment
    • Environmental conditions
    • Failure to see traffic signals
  • How Bad (Consequences):
    • Vehicle damage
    • Traffic ticket
    • Injury
    • Death
    • Insurance premium hike
  • Hazard Control (Reduce likelihood of damage):
    • License
    • Proper road & signal construction
    • Safety barriers
    • Police surveillance & speed control
    • Obeying traffic rules
  • Protection & Damage Limitation (Reduce consequences):
    • Having airbags installed in the vehicle
    • Wearing seatbelts
    • First aid & hospitalization
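The three examples above all apply the same procedure from the Risk Management Process slide: list the initiating events, score each as Risk = Consequence × Likelihood, aggregate, then apply hazard controls (reduce likelihood) and damage-limitation measures (reduce consequences) until Benefits > Aggregated Risk. The Python script below, added here as an illustration and not part of the original slides, carries that procedure through for a small information-security register built on the formal definition from slide 7 (a threat exploiting a vulnerability causing a loss such as disclosure of confidential data or lost time and revenue). Every event name, likelihood, loss figure, control effect and control cost is a constructed placeholder, and aggregating as a sum of expected annual losses is a simplification chosen for this example rather than the slides' enumeration of every combination of events.

```python
"""Worked risk register: Risk = Consequence x Likelihood, aggregated over events.

Added illustration. All names and numbers below are constructed placeholders,
not data from the slides.
"""
from dataclasses import dataclass


@dataclass
class Event:
    """One initiating event: what can go wrong, how often, and how bad."""
    name: str
    likelihood: float    # expected occurrences per year (How often?)
    consequence: float   # loss per occurrence in currency units (How bad?)

    def risk(self) -> float:
        """Risk = Consequence x Likelihood, i.e. expected annual loss."""
        return self.likelihood * self.consequence


@dataclass
class Control:
    """A measure applied to one event.

    Hazard controls scale likelihood; protection / damage-limitation
    measures scale consequence. A factor of 1.0 means no effect.
    """
    name: str
    event: str
    likelihood_factor: float = 1.0
    consequence_factor: float = 1.0
    annual_cost: float = 0.0


def aggregate_risk(events: list[Event]) -> float:
    """Aggregate risk as the sum of per-event expected annual losses
    (a simplification of aggregating over every combination of events)."""
    return sum(e.risk() for e in events)


def rank_events(events: list[Event]) -> list[tuple[str, float]]:
    """Events ordered by risk, highest first: where to spend control effort."""
    return sorted(((e.name, e.risk()) for e in events), key=lambda t: -t[1])


def apply_controls(events: list[Event], controls: list[Control]) -> list[Event]:
    """Return a new list of events with each control's reduction applied."""
    residual = {e.name: Event(e.name, e.likelihood, e.consequence) for e in events}
    for c in controls:
        if c.event not in residual:
            raise ValueError(f"control {c.name!r} targets unknown event {c.event!r}")
        residual[c.event].likelihood *= c.likelihood_factor
        residual[c.event].consequence *= c.consequence_factor
    return list(residual.values())


def evaluate(events: list[Event], controls: list[Control], benefit: float) -> dict:
    """Cost-benefit check from the slides: accept when Benefit > Aggregated Risk.

    Here the aggregated figure is residual risk plus the annual cost of the
    controls, so the controls themselves are part of the bargain.
    """
    inherent = aggregate_risk(events)
    residual = aggregate_risk(apply_controls(events, controls))
    control_cost = sum(c.annual_cost for c in controls)
    return {
        "inherent_risk": inherent,
        "residual_risk": residual,
        "risk_reduction": inherent - residual,
        "control_cost": control_cost,
        "controls_worthwhile": inherent - residual > control_cost,
        "acceptable": benefit > residual + control_cost,
    }


# Constructed register for a small online service (placeholder values).
EVENTS = [
    Event("Phishing leads to credential disclosure", likelihood=2.0, consequence=25_000.0),
    Event("Ransomware outage (lost time and revenue)", likelihood=0.2, consequence=400_000.0),
    Event("Laptop theft exposes confidential data", likelihood=0.5, consequence=30_000.0),
]

# Constructed controls: one hazard control, two damage-limitation measures.
CONTROLS = [
    Control("Phishing-resistant MFA", "Phishing leads to credential disclosure",
            likelihood_factor=0.1, annual_cost=8_000.0),
    Control("Tested offline backups", "Ransomware outage (lost time and revenue)",
            consequence_factor=0.25, annual_cost=12_000.0),
    Control("Full-disk encryption", "Laptop theft exposes confidential data",
            consequence_factor=0.1, annual_cost=2_000.0),
]

ANNUAL_BENEFIT = 200_000.0  # constructed value of running the service for a year

if __name__ == "__main__":
    for name, value in rank_events(EVENTS):
        print(f"{value:>10,.0f}  {name}")
    for key, value in evaluate(EVENTS, CONTROLS, ANNUAL_BENEFIT).items():
        print(f"{key}: {value}")
```

Running the script ranks the events (ransomware first at 80,000, then phishing at 50,000, then laptop theft at 15,000), reports an inherent risk of 145,000 against a residual of 26,500 once the controls are applied, and accepts the position because the 200,000 benefit exceeds residual risk plus the 22,000 control cost. Changing a likelihood or a factor and re-running is the quickest way to see which kind of control (likelihood or consequence) moves a given event the most.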

  12. Risk Applications
  • Finance: risk in investments, insurance, etc.
  • Industrial: plant failures, accidents, competitive risks
  • Political: impact of decisions, probabilities of success, etc.
  • Nuclear: plant operation, fuel storage, proliferation of fissile material
  • Aviation: safety of airplanes, weather conditions, terrorism impact
  • Medicine: weighing different treatment options

  13. Risk Summary
  • Risk can be viewed as uncertainty, and similarly risk analysis can be viewed as decision-making under uncertainty.
  • Risk can be analyzed intuitively or analytically.
    • In many day-to-day activities risk is considered intuitively.
    • Such skills are honed over years of experience in dealing with particular situations.
  • Humans have limitations in handling multiple pieces of information.
  • Analytic techniques are required for complex problems where many factors must be considered.
