
Unit Outline Qualitative Risk Analysis

Unit Outline Qualitative Risk Analysis.  Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3: Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary.



Presentation Transcript


  1. Unit Outline: Qualitative Risk Analysis
  Module 1: Qualitative Risk Analysis
  Module 2: Determine Assets and Vulnerabilities
  Module 3: Determine Threats and Controls
  Module 4: Matrix Based Approach
  Module 5: Case Study
  Module 6: Summary

  2. Module 1, Risk Analysis: Qualitative Risk Analysis

  3. Risk Analysis: Learning Objectives
  Students should be able to:
  • Recognize the difficulties associated with information security risk analysis
  • Identify the two different risk analysis approaches
  • Understand how a qualitative risk analysis is performed

  4. Risk Analysis: Risk Analysis Definition
  • Risk analysis involves the identification and assessment of the levels of risk calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets.
  • It involves the interaction of the following elements:
    • Assets
    • Vulnerabilities
    • Threats
    • Impacts
    • Likelihoods
    • Controls

  5. Risk Analysis: Concept Map
  • Threats exploit system vulnerabilities, which expose system assets.
  • Security controls protect against threats by meeting security requirements established on the basis of asset values.
  Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000

  6. Risk Analysis: Difficulties with Information Security Risk Analysis
  • Relatively new field
  • Lack of formal models
  • Lack of data
  • Evolving threats
  • Constantly changing information systems and vulnerabilities
  • Human factors related to security
  • No standard of practice

  7. Risk Analysis: Approaches
  Two risk analysis approaches:
  • Quantitative
  • Qualitative

  8. Risk Analysis: Quantitative Approach
  • Quantitative Risk Analysis: relating to or based on the amount or number of something, capable of being measured or expressed in numerical terms.
  • Quantitative risk analysis computes risks in terms of actual losses.

  9. Risk Analysis: Qualitative Approach
  • Qualitative Risk Analysis: based on a literal description of risk factors; risk is expressed in terms of its potential.
  • Threats and vulnerabilities are identified and analyzed using subjective judgment.
  • Uses checklists to determine whether recommended controls are implemented and whether different information systems or organizations are secure.

  10. Risk Analysis, Qualitative: Methodology
  • Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls.
  • They usually associate relationships between interrelated factors:
    • Assets: things of value to the organization
    • Threats: things that can go wrong
    • Vulnerabilities: weaknesses that make a system more prone to attack or make an attack more likely to succeed
    • Controls: the countermeasures for vulnerabilities

  11. Risk Analysis, Qualitative: Methodology, cont'd.
  • More practical, since it is based on user inference and follows current processes better. It capitalizes on user experience and doesn't resort to extensive data gathering.
  • Allows for easier valuation of non-tangible assets.
  • Probability data is not required; only estimated potential loss may be used.
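The following is an added worked example, not part of the slide deck, of the relative comparison and control prioritization that slides 10 and 11 describe. It links constructed assets, threats, vulnerabilities and controls, rates each factor on an ordinal Low/Medium/High scale by judgment rather than measured data, and ranks controls by the risk they address. The three-level scale, the additive scoring and the rating bands are assumptions chosen for illustration; the deck's own matrix approach (Module 4) is not shown on this page.

```python
"""Constructed qualitative risk ranking: ordinal ratings, no probability data.

Every rating scheme below (Low/Medium/High levels, additive score, rating
bands) is an assumption for this example, not the deck's method.
"""
from dataclasses import dataclass

# Ordinal scale used for asset value, threat likelihood and vulnerability severity.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    value: str        # Low / Medium / High, assigned by the asset owner


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str   # Low / Medium / High, estimated by expert judgment


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str        # asset the weakness exposes
    threat: str       # threat that can exploit the weakness
    severity: str     # how much the weakness eases a successful attack


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: tuple  # names of the vulnerabilities this countermeasure addresses


@dataclass(frozen=True)
class Risk:
    vulnerability: str
    asset: str
    threat: str
    score: int        # 3..9, sum of the three ordinal ratings
    rating: str       # Low / Medium / High band of the score


def rate(score: int) -> str:
    """Fold the additive score back onto the ordinal scale (bands are assumed)."""
    if score >= 8:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def analyze(assets, threats, vulns) -> list:
    """Combine asset value, threat likelihood and vulnerability severity into a
    relative score per vulnerability and return the risks highest first."""
    asset_by = {a.name: a for a in assets}
    threat_by = {t.name: t for t in threats}
    risks = []
    for v in vulns:
        a, t = asset_by[v.asset], threat_by[v.threat]
        score = LEVELS[a.value] + LEVELS[t.likelihood] + LEVELS[v.severity]
        risks.append(Risk(v.name, a.name, t.name, score, rate(score)))
    # Sort by score, then by name, so the ranking is deterministic.
    return sorted(risks, key=lambda r: (-r.score, r.vulnerability))


def prioritize_controls(risks, controls) -> list:
    """Rank controls by the total score of the vulnerabilities they mitigate."""
    score_by_vuln = {r.vulnerability: r.score for r in risks}
    ranked = [(c.name, sum(score_by_vuln.get(v, 0) for v in c.mitigates))
              for c in controls]
    return sorted(ranked, key=lambda cs: (-cs[1], cs[0]))


# Constructed sample inventory (not real systems).
ASSETS = [Asset("Customer database", "High"),
          Asset("Public website", "Medium"),
          Asset("Intranet wiki", "Low")]
THREATS = [Threat("External attacker", "High"),
           Threat("Malicious insider", "Low"),
           Threat("Hardware failure", "Medium")]
VULNS = [Vulnerability("Unpatched DB server", "Customer database", "External attacker", "High"),
         Vulnerability("Shared admin password", "Customer database", "Malicious insider", "Medium"),
         Vulnerability("No web input validation", "Public website", "External attacker", "Medium"),
         Vulnerability("No wiki backup", "Intranet wiki", "Hardware failure", "Low")]
CONTROLS = [Control("Patch management", ("Unpatched DB server",)),
            Control("Individual admin accounts", ("Shared admin password",)),
            Control("Web application firewall", ("No web input validation",)),
            Control("Nightly backups", ("No wiki backup",))]


def run():
    """Return (ranked risks, ranked controls) for the sample inventory."""
    risks = analyze(ASSETS, THREATS, VULNS)
    return risks, prioritize_controls(risks, CONTROLS)


if __name__ == "__main__":
    risks, controls = run()
    for r in risks:
        print(f"{r.rating:6} {r.score}  {r.vulnerability} ({r.threat} -> {r.asset})")
    for name, total in controls:
        print(f"control priority {total}: {name}")
```

The ordering, not the absolute numbers, is the output that matters: a qualitative analysis of this kind tells the organization which control to fund first, and the scores only serve to make the relative comparison repeatable across reviewers.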

  12. Risk Analysis: Summary
  • Risk analysis involves assessing assets, vulnerabilities, threats, and controls, as well as the impact they have on each other, in order to determine risk.
  • Information security risk analysis is a new field and is constantly changing due to the introduction of new assets, discovery of new vulnerabilities, presence of new threats, and development of new controls.
  • Two different types of risk analysis exist:
    • Quantitative, which is based on actual numerical values, and
    • Qualitative, which involves relative values based on prioritization and expert judgment.
