S-T-27B-Risk Analysis
Uploaded by Soamisaran. Added: November 18, 2011.
Presentation Description: basic Risk Analysis Fundas

Presentation Transcript

Security Risk Analysis & Management

Security in System Development
- Risk Analysis & Management needs to be a part of system development, not tacked on afterwards
- Baskerville's three generations of methods:
  - 1st Generation: Checklists. Example: BS 7799 Part 1
  - 2nd Generation: Mechanistic engineering methods. Example: this risk analysis method
  - 3rd Generation: Integrated design. Not yet achieved
[Baskerville, R. (1993). Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys 25 (4): 375-414.]

Introduction
Risk Analysis and Management Framework: Assets, Threats, Vulnerabilities, Risks, Security Measures.
- Analysis covers Assets, Threats, Vulnerabilities and Risks
- Management covers Risks and Security Measures

Definitions 1
The meanings of terms in this area are not universally agreed. We will use the following:
- Threat: harm that can happen to an asset
- Impact: a measure of the seriousness of a threat
- Attack: a threatening event
- Attacker: the agent causing an attack (not necessarily human)
- Vulnerability: a weakness in the system that makes an attack more likely to succeed
- Risk: a quantified measure of the likelihood of a threat being realised

Definitions 2
- Risk Analysis involves the identification and assessment of the levels of risk, calculated from:
  - the values of assets
  - the threats to the assets
  - their vulnerabilities and likelihood of exploitation
- Risk Management involves the identification, selection and adoption of security measures justified by:
  - the identified risks to assets
  - the reduction of these risks to acceptable levels

Goals of Risk Analysis
- All assets have been identified
- All threats have been identified
- Their impact on assets has been valued
- All vulnerabilities have been identified and assessed

Problems of Measuring Risk
Businesses normally wish to measure in money, but many of the entities do not allow this:
- Valuation of assets
  - Value of data and in-house software: no market value
  - Value of goodwill and customer confidence
- Likelihood of threats
  - How relevant is past data to the calculation of future probabilities?
  - The nature of future attacks is unpredictable
  - The actions of future attackers are unpredictable
- Measurement of benefit from security measures
  - Problems with the difference of two approximate quantities
  - How does an extra security measure affect a ~10^-5 probability of attack?

Risk Levels
- Precise monetary values give a false precision
- Better to use levels, e.g. High, Medium, Low
  - High: major impact on the organisation
  - Medium: noticeable impact ("material" in auditing terms)
  - Low: can be absorbed without difficulty
- Express money values in levels, e.g. for a large University Department a possibility is:
  - High: £1,000,000+
  - Medium: £1,000+
  - Low: < £1,000

Risk Analysis Steps
1. Decide on scope of analysis: set the system boundary
2. Identification of assets & business processes
3. Identification of threats and valuation of their impact on assets (impact valuation)
4. Identification and assessment of vulnerabilities to threats
5. Risk assessment

Risk Analysis – Process Analysis
- Every company or organisation has some processes that are critical to its operation
- The criticality of a process may increase the impact valuation of one or more assets identified
- So:
  - Identify critical processes
  - Review assets needed for critical processes
  - Revise impact valuation of these assets

Risk Assessment
- If we had accurate probabilities and values, risk would be: Impact valuation x probability of threat
- Since we haven't, we construct matrices such as a Risk matrix of Impact valuation (Low, Med, High) against Vulnerability (Low, Med, High), each cell giving a risk level of Low, Med or High

Responses to Risk
- Avoid it completely by withdrawing from an activity
- Accept it and do nothing
- Reduce it with security measures
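As an added worked example (not part of the slides), the assessment steps above carried through in Python: money values mapped to the University Department bands, impact revised for assets needed by a critical process, then combined with the vulnerability level through a risk matrix. The matrix cell layout, the one-level uplift for critical assets and the asset register are assumptions, since the slide's matrix does not survive in the transcript.

```python
"""Qualitative risk assessment following the deck's steps (added example)."""
from typing import Dict, Set, Tuple

LEVELS = ("Low", "Med", "High")


def money_to_level(value_gbp: float) -> str:
    """Map a monetary impact to a level using the deck's University Department bands."""
    if value_gbp >= 1_000_000:
        return "High"
    if value_gbp >= 1_000:
        return "Med"
    return "Low"


# Assumed cell layout (the slide's matrix is not recoverable): risk rises with both axes.
# Key is (impact level, vulnerability level); vulnerability stands in for likelihood.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low",  ("Low", "Med"): "Low",   ("Low", "High"): "Med",
    ("Med", "Low"): "Low",  ("Med", "Med"): "Med",   ("Med", "High"): "High",
    ("High", "Low"): "Med", ("High", "Med"): "High", ("High", "High"): "High",
}


def raise_level(level: str) -> str:
    """Process-analysis step: an asset needed by a critical process has its impact raised one level (assumed uplift)."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def assess(assets: Dict[str, Tuple[float, str]], critical: Set[str]) -> Dict[str, Tuple[str, str]]:
    """assets: {name: (impact value in GBP, vulnerability level)} -> {name: (impact level, risk level)}."""
    register = {}
    for name, (value, vuln) in assets.items():
        impact = money_to_level(value)
        if name in critical:              # revise impact valuation for critical-process assets
            impact = raise_level(impact)
        register[name] = (impact, RISK_MATRIX[(impact, vuln)])
    return register


# Constructed sample register: monetary impact of loss and assessed vulnerability level.
ASSETS = {
    "student records DB": (5_000_000, "Med"),
    "departmental web site": (20_000, "High"),
    "lab printer": (300, "High"),
    "course notes repo": (800, "Med"),
}
CRITICAL = {"course notes repo"}  # needed by teaching, taken here as a critical process

if __name__ == "__main__":
    for asset, (impact, risk) in sorted(assess(ASSETS, CRITICAL).items(), key=lambda kv: -LEVELS.index(kv[1][1])):
        print(f"{asset:24} impact={impact:4} risk={risk}")
```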