1 / 19

Risk 2

Risk 2. CST 481/598. Many thanks to Jeni Li. Visualizing and quantifying risk. Risk matrix or cube Cost effectiveness analysis Annualized Loss Expectancy Multi-Attribute Risk Assessment Monte Carlo analysis … et cetera. The three basic variables. Vulnerability Threat Impact.

saxon
Download Presentation

Risk 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Risk 2 CST 481/598 Many thanks to Jeni Li

  2. Visualizing and quantifying risk • Risk matrix or cube • Cost effectiveness analysis • Annualized Loss Expectancy • Multi-Attribute Risk Assessment • Monte Carlo analysis • … et cetera

  3. The three basic variables • Vulnerability • Threat • Impact

  4. Defining impact • Cost of recovering lost or modified data • Business value of unrecoverable data • Lost productivity due to down time • Replacement cost of physical assets • Fines and penalties • For unauthorized disclosures or posting inaccurate information • Damage compensation to compromised customers • Fines imposed by regulatory agencies • Damage to reputation

  5. The basic steps are always the same • (more or less) • Asset identification and valuation • Threat/vulnerability assessment • Risk calculation • Countermeasure selection

  6. Risk matrix or cube • From Jones/Ashenden text • R = V x T x I • Useful for visuals and comparisons • Not much else

  7. Cost effectiveness analysis • Combines soft and hard numbers • Can use estimates or probability tables • Examples: ROSI, CRAMM

  8. Annualized Loss Expectancy • ALE = SLE x ARO • SLE: Single Loss Expectancy • How much will it cost if it happens once? • ARO: Annualized Rate of Occurrence • How many times a year will it happen? • Actual losses will vary, of course • Poisson distribution, Monte Carlo analysis

  9. Monte Carlo analysis • Used to introduce “controlled randomness” • Goal: Make estimates more realistic • Often used with ALE models • Used in latest version of ROSI • Many algorithms exist • Some information for the interested • http://en.wikipedia.org/wiki/Monte_Carlo_method

  10. CRAMM • Origin: UK government • Commercial software (cramm.com) • Used by UK, NATO, Dutch military, T-Mobile • Used for ISO 27001 compliance • Can be used to justify cost of controls • Based on statistical analysis of other agencies • Detailed departmental questionnaires • Or informed estimates (Express version) • Database of controls • Pre-assigned effectiveness, cost/benefit values

  11. ROSI • Origin and user: AU government • Freely available • http://www.gcio.nsw.gov.au/search?SearchableText=rosi • Based on Annualized Loss Expectancy and Australian Threat/Risk Assessment • User-assigned values for TRA descriptions

  12. SAEM • Origin: Carnegie-Mellon University • http://www.cs.cmu.edu/~shawnb/ • Based on Multi-Attribute Risk Assessment • Categorizes attributes of impact • Revenue, Reputation, Productivity, Penalties • Likelihood, impact ratings based on industry peer review • Emphasizes coverage of threats • Protect, Detect, React • Doesn’t quantify risk financially

  13. Mitigating risk • Avoidance • Reduction • Retention • Transfer

  14. Mitigating risk • Avoidance • Reduction • Retention • Transfer

  15. Risk avoidance • Get out of (or don’t get into) the risky business • Do this when… • Probability of a loss is high • Potential impact is high • Gain from continuing the function is low

  16. Risk reduction • Protect, detect, react • This is what we usually think of in IS • Do this when… • Probability of a loss is high • Potential impact is low

  17. Risk reduction • Protect • Prevent the threat from meeting with the vulnerability • Detect • Discover and respond to a threat before it causes too much damage • React (Recover) • Minimize impact after an incident

  18. Risk retention • “Cost of doing business” • Live with it when… • Probability of a loss is low • Potential impact is low • Gain from continuing the function is high

  19. Risk transfer • Common methods • Buy insurance • Outsource the risky function • Do this when… • Probability of a loss is low • Potential impact is high • Gain from continuing the function is high

More Related