Risk 2 CST 481/598 Many thanks to Jeni Li
Visualizing and quantifying risk • Risk matrix or cube • Cost effectiveness analysis • Annualized Loss Expectancy • Multi-Attribute Risk Assessment • Monte Carlo analysis • … et cetera
The three basic variables • Vulnerability • Threat • Impact
Defining impact • Cost of recovering lost or modified data • Business value of unrecoverable data • Lost productivity due to down time • Replacement cost of physical assets • Fines and penalties • For unauthorized disclosures or posting inaccurate information • Damage compensation to compromised customers • Fines imposed by regulatory agencies • Damage to reputation
The basic steps are always the same • (more or less) • Asset identification and valuation • Threat/vulnerability assessment • Risk calculation • Countermeasure selection
Risk matrix or cube • From Jones/Ashenden text • R = V x T x I • Useful for visuals and comparisons • Not much else
Cost effectiveness analysis • Combines soft and hard numbers • Can use estimates or probability tables • Examples: ROSI, CRAMM
Annualized Loss Expectancy • ALE = SLE x ARO • SLE: Single Loss Expectancy • How much will it cost if it happens once? • ARO: Annualized Rate of Occurrence • How many times a year will it happen? • Actual losses will vary, of course • Model that variation with a Poisson distribution or Monte Carlo analysis
Monte Carlo analysis • Used to introduce “controlled randomness” • Goal: Make estimates more realistic • Often used with ALE models • Used in latest version of ROSI • Many algorithms exist • Some information for the interested • http://en.wikipedia.org/wiki/Monte_Carlo_method
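A worked example of the ALE and Monte Carlo slides above, added here and not part of the original deck. It computes ALE = SLE x ARO for one risk, then runs a Monte Carlo simulation in which the number of incidents per year is drawn from a Poisson distribution with mean ARO and each incident costs roughly SLE, so that the reader sees the spread of annual losses (median, 95th percentile) that the single ALE figure hides. The dollar figures, the uniform spread on per-incident cost, and the ROSI formula used at the end (net ALE reduction divided by the annual cost of the control) are assumptions chosen for illustration, not values or definitions taken from the course material.

```python
import math
import random
from statistics import mean


def ale(sle, aro):
    """Annualized Loss Expectancy: expected yearly loss from one risk."""
    return sle * aro


def poisson(rng, lam):
    """Sample an event count from Poisson(lam) with Knuth's method.

    Fine for the small rates (a few incidents per year) typical of ARO."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(sle, aro, years=10000, sle_spread=0.5, seed=1):
    """Monte Carlo: simulate `years` independent years.

    Each year gets Poisson(aro) incidents; each incident costs a uniform
    amount between (1-spread)*sle and (1+spread)*sle (assumed spread, not a
    figure from the deck). Returns the list of simulated annual losses."""
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        incidents = poisson(rng, aro)
        total = 0.0
        for _ in range(incidents):
            total += rng.uniform(sle * (1 - sle_spread), sle * (1 + sle_spread))
        losses.append(total)
    return losses


def percentile(values, q):
    """q-th quantile (0..1) of a list by sorting, no interpolation."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def summarize(losses):
    """Mean, median and 95th percentile of simulated annual losses."""
    return {
        "mean": mean(losses),
        "p50": percentile(losses, 0.50),
        "p95": percentile(losses, 0.95),
    }


def rosi(ale_before, ale_after, control_cost):
    """Return on Security Investment as commonly defined (assumed here):
    (ALE reduction - annual control cost) / annual control cost."""
    return (ale_before - ale_after - control_cost) / control_cost


if __name__ == "__main__":
    # Constructed scenario: a ransomware incident costs about $200k and is
    # expected once every four years; a $30k/yr control cuts ARO to 0.05.
    sle, aro = 200_000, 0.25
    print("ALE =", ale(sle, aro))                       # 50000.0
    stats = summarize(simulate_annual_loss(sle, aro))
    print("simulated mean/p50/p95:", stats)             # mean ~ 50k, p50 = 0, p95 ~ 100-300k
    print("ROSI =", round(rosi(ale(sle, aro), ale(sle, 0.05), 30_000), 3))
```

The median simulated loss is zero because with ARO = 0.25 about 78% of years see no incident at all, while the 95th percentile sits well above the ALE; that is the point of pairing ALE with a Monte Carlo run rather than budgeting on the expected value alone.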
CRAMM • Origin: UK government • Commercial software (cramm.com) • Used by UK, NATO, Dutch military, T-Mobile • Used for ISO 27001 compliance • Can be used to justify cost of controls • Based on statistical analysis of other agencies • Detailed departmental questionnaires • Or informed estimates (Express version) • Database of controls • Pre-assigned effectiveness, cost/benefit values
ROSI • Origin and user: Australian (NSW) government • Freely available • http://www.gcio.nsw.gov.au/search?SearchableText=rosi • Based on Annualized Loss Expectancy and the Australian Threat/Risk Assessment (TRA) • User-assigned values for TRA descriptions
SAEM • Origin: Carnegie Mellon University • http://www.cs.cmu.edu/~shawnb/ • Based on Multi-Attribute Risk Assessment • Categorizes attributes of impact • Revenue, Reputation, Productivity, Penalties • Likelihood, impact ratings based on industry peer review • Emphasizes coverage of threats • Protect, Detect, React • Doesn’t quantify risk financially
Mitigating risk • Avoidance • Reduction • Retention • Transfer
Risk avoidance • Get out of (or don’t get into) the risky business • Do this when… • Probability of a loss is high • Potential impact is high • Gain from continuing the function is low
Risk reduction • Protect, detect, react • This is what we usually think of in IS • Do this when… • Probability of a loss is high • Potential impact is low
Risk reduction • Protect • Prevent the threat from meeting with the vulnerability • Detect • Discover and respond to a threat before it causes too much damage • React (Recover) • Minimize impact after an incident
Risk retention • “Cost of doing business” • Live with it when… • Probability of a loss is low • Potential impact is low • Gain from continuing the function is high
Risk transfer • Common methods • Buy insurance • Outsource the risky function • Do this when… • Probability of a loss is low • Potential impact is high • Gain from continuing the function is high