MGMT 755 Security Risk Analysis - PowerPoint PPT Presentation
PowerPoint Slideshow about 'MGMT 755 Security Risk Analysis' - bethany-walters
Presentation Transcript

New York Institute of Technology

School of Management

MGMT 755 Security Risk Analysis

Dr. Benjamin Khoo

Chapter 3: Risk Assessment Process

3.1 Risk = someone or something that creates or suggests a hazard

3.2 Risk Assessment Process:

+ must support the business mission/objectives

+ accepted by the user community

◆ Meet with the client to determine:

  • what to review
  • kinds of risk elements to be examined
  • deliverables or results from the process

◆ find business-friendly controls or counter-measures

Chapter 3: Risk Assessment Process

3.3 Information is an Asset

The goal of an enterprise-wide information security program is to determine the threat impact to information assets based on:

  • Integrity – information is as intended without inappropriate modification or corruption
  • Confidentiality – information is protected from unauthorized or accidental disclosure
  • Availability – Authorized users can access applications and systems when required

See Table 3.1 for more specific definitions.

Chapter 3: Risk Assessment Process

The business manager/owner determines the value of the information asset by considering:

  • cost of producing information asset
  • value on the open market
  • cost of reproducing the information asset if it is destroyed
  • benefit to the enterprise
  • cost to the enterprise if released, altered or destroyed
  • repercussions to the enterprise if the information asset is destroyed
  • loss of client or customer confidence
  • loss of public credibility
Chapter 3: Risk Assessment Process

3.4 Risk Assessment Methodology

Consists of:

  • assets scoped
  • threats identified
  • risk level established
  • possible controls selected

Asset types:

1. Physical e.g. people, telecom infrastructure, hardware, software, data, information, procedures, etc.

2. Logical e.g. intellectual assets, goodwill, brand name, etc.

Chapter 3: Risk Assessment Process

3.4.1 Threat Identification

threat = an indication of an impending undesirable event

Sources of threat:

  • natural
  • human – accidental or deliberate
  • environmental

See Table 3.2 for source, motivation & threat.

Chapter 3: Risk Assessment Process – Elements of Threats

3 elements of threats:

  • agent ⇒ catalyst
  • motive ⇒ causes
  • results ⇒ outcome

Factors that impact a threat:

  • Geographical location – infrastructure
  • Facility
  • Your neighbors

See Table 3.3

Chapter 3: Risk Assessment Process – Threat Occurrence Rates

Value of Asset × Likelihood = Annual Loss Exposure

(this figure can be deceiving)

Likelihood of Occurrence:

Natural threats === local (or national) weather centers (historical data by year)

Criminal activities === local law enforcement, FBI, state agencies

Other threats === insurance companies

Use something like Table 3.4

Chapter 3: Risk Assessment Process – Risk Level Determination

⇨ how likely that threat is to occur

2 ways to assess:

1. establish probability without consideration for existing controls, e.g. an initial assessment

2. establish probability taking into account the existing controls, e.g. assessing a specific LAN, application or subnet.

See Table 3.5 for probability level definitions

Chapter 3: Risk Assessment Process

Before impact analysis, consider:

  • asset mission === from project scope
  • information sensitivity
  • asset criticality === importance to the organization

Impact measure:

Quantitative = lost revenue, cost of repairing the system, level of effort required to correct, etc.

Intangible = loss of public confidence, loss of credibility, damage to reputation, etc.

See Figure 3 (Probability vs Impact)

Chapter 3: Risk Assessment Process – Controls and Safeguards

Identify controls to mitigate the risk to an acceptable level

Control factors:

  • How effective is the recommended control?
  • Legal & regulatory requirements?
  • Operational impact to the organization?
  • Safety & reliability of the control?
  • Rule of thumb: control cost > asset value ⇒ bad ROI
  • Cross-reference the threats mitigated by each control: does that give good ROI?

Analyze the controls; see Table 3.7
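The Annual Loss Exposure formula from the threat occurrence rates slide and the control ROI factors above can be worked through together. This is an added example, not material from the course slides; the risk register figures, the per-threat mitigation fractions and the helper names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    asset: str
    asset_value: float   # value set by the business owner (section 3.3), in dollars
    likelihood: float    # expected occurrences per year (from Table 3.4-style sources)

@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: dict      # threat name -> fraction of that threat's likelihood removed

def annual_loss_exposure(t: Threat) -> float:
    """Value of Asset x Likelihood = Annual Loss Exposure (slide formula)."""
    return t.asset_value * t.likelihood

def rank_by_ale(threats):
    """Threat names from highest to lowest ALE (initial assessment, no controls)."""
    return [t.name for t in sorted(threats, key=annual_loss_exposure, reverse=True)]

def control_benefit(control, threats):
    """ALE reduction summed over every threat the control mitigates
    (the cross-reference the slide asks for)."""
    return sum(annual_loss_exposure(t) * control.mitigates.get(t.name, 0.0) for t in threats)

def evaluate_control(control, threats):
    benefit = control_benefit(control, threats)
    protected = [t.asset_value for t in threats if t.name in control.mitigates]
    return {
        "benefit": benefit,
        "net": benefit - control.annual_cost,
        # slide rule of thumb: a control that costs more than the asset it protects
        "bad_roi": control.annual_cost > max(protected, default=0.0),
    }

# Constructed sample risk register (hypothetical figures, not from the slides)
THREATS = [
    Threat("ransomware", "file server", 200_000, 0.10),
    Threat("flood", "server room", 200_000, 0.02),
    Threat("laptop theft", "field laptop", 3_000, 2.0),
]
CONTROLS = [
    Control("offline backups", 5_000, {"ransomware": 0.8, "flood": 0.5}),
    Control("laptop tracking service", 8_000, {"laptop theft": 0.9}),
]

if __name__ == "__main__":
    print("ALE ranking:", rank_by_ale(THREATS))
    for c in CONTROLS:
        print(c.name, evaluate_control(c, THREATS))
```

The ranking shows why the slide calls the figure deceiving: a $3,000 laptop stolen twice a year outranks a $200,000 server room flood, so ALE alone should not drive the control decision.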

Chapter 3: Risk Assessment Process

Types of Controls

Technical = safeguards for hardware, software, control mechanisms, identification & authentication processes, encryption tools, intrusion detection software, etc.

Non-technical = management & operational controls – policies, procedures, standards, personnel security, environmental control mechanisms, etc.

Chapter 3: Risk Assessment Process

Control Categories:

  • Avoidance controls = minimize risk
  • Assurance controls = ensure the on-going effectiveness
  • Detection Controls = early detection, interception & response to breaches
  • Recovery Controls = restore secure environment

See Table 3.8

Controls can also be mapped to enterprise areas – operations, applications, systems, security, etc.

International standard ISO 1799 (cf Table 3.11)

Chapter 3: Risk Assessment Process – Cost-Benefit Analysis

Consider:

  • cost of implementation
  • operational effectiveness
  • additional policies needed?
  • additional staff needed?
  • cost of training, etc.