
CMGT 442

CMGT 442. Information Systems Risk Management. Philip Robbins – November 21, 2012 (Week 2) University of Phoenix Mililani Campus. Objectives: Week 2. Risk Assessment (Part 1) Review Week 1: Concepts LT Activity: Week 1 & Week 2 Article Readings Stuxnet Week 2: Components of Risk Quiz #2

Presentation Transcript


  1. CMGT 442 Information Systems Risk Management Philip Robbins – November 21, 2012 (Week 2) University of Phoenix Mililani Campus

  2. Objectives: Week 2 • Risk Assessment (Part 1) • Review Week 1: Concepts • LT Activity: Week 1 & Week 2 Article Readings • Stuxnet • Week 2: Components of Risk • Quiz #2 • Review Week 2: Questions • Assignments: IDV & LT Papers • Review Information Sharing Articles

  3. Review: Information Security Services

  4. Review: Information Assurance Services Information Assurance Services (IAS) Source: Cieslak, Randall (Dec 2011). Cyber Fundamentals. USPACOM Chief Information Officer.

  5. Review: NIST SP 800-30

  6. Review: NIST SP 800-30

  7. Learning Team Activity • Activity: Review Week 1 & 2 ‘Article’ Readings • 15 minutes: Read Articles • 10 minutes: Answer article questions • 10 minutes: Present your article to the class • Submit for credit.

  8. LT Activity: Week 1 Article Readings • Barr (2011) • What special issues must be addressed for a risk management strategy that supports user-facing, web-based systems? • What are the risks associated with disruption of these systems? • Ledford (2012) • What special issues must be considered for corporate data which are not fully digitized? • What are the risks associated with the loss of this data? • What recovery procedures do you recommend for these situations?

  9. LT Activity: Week 2 Article Readings • Keston (2008) • How important is enterprise identity management for reducing risk throughout the enterprise? • Explain why a viable risk management strategy must include, at a minimum, a solid enterprise identity management process. • Vosevich (2011) • What software must be considered to provide adequate security management across the enterprise?

  10. Future Risks • Weapons in Cyberspace: Are we at war? • Cyber Crime vs. Cyber Warfare vs. Cyber Conflict

  11. Break? • This is probably time for a break…

  12. Review: Risk Definition • What is Risk? • thus • Units for measurement: • Confidentiality, Integrity, Availability Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

  13. Defining Risk • Risk is conditional, NOT independent. Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

  14. Defining Risk • Expected Value of Risk = Product of Risks • Risk is never zero: “We can never be 100% confident for protection” • Risk Dimension (units): confidence in the loss of ISS, C-I-A • “Risk Loss Confidence” Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

  15. Risk Behavior Risk Loss Confidence Increases through interconnections with other network enclaves (risks)! Network Enclave #1 Network Enclave #3 Network Enclave #2

  16. Risk Behavior RiskEV = R1 x R2 x R3 RiskEV = LOW x MED x HIGH RiskEV = ? Network Enclave #1 Network Enclave #3 R1 = LOW R3 = HIGH R2 = MED Network Enclave #2

  17. Risk Behavior RiskEV = R1 x R2 x R3 RiskEV = LOW x MED x HIGH RiskEV = HIGH Network Enclave #1 Network Enclave #3 R1 = LOW R3 = HIGH R2 = MED Network Enclave #2

  19. Risk Behavior: REV & RLC • Expected Value and Risk Loss Confidence vs. Cumulative Risk Product Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

  20. Total Risk • How do we quantify total risk? • - Average the risk to each Information Security Service: Source: Robbins, P. (Dec, 2011). Security Risk Analysis and Critical Information Systems. Hawaii Pacific University, Honolulu, HI.

  21. Risk Component: Threats • Rapid growth of Advanced Persistent Threats (APTs) • Half a million cases of cyber-related incidents in 2012. • - Is this a problem? • - What about vulnerabilities associated with interconnections? • - How does risk management help deal with APTs? Source: US-CERT

  22. Risk Component: Vulnerabilities • What are vulnerabilities? Any flaw or weakness that can be exploited. • Poorly communicated or implemented policy • Improperly configured systems or controls • Inadequately trained personnel

  23. Quantitative Risk Thresholds

  24. Semi-Quantitative Risk Matrix • Severity bands: SEVERE, HIGH, MEDIUM, LOW • Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1) • Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)

  25. Risk Responses Severity Frequency

  26. Risk Responses • Risk Avoidance • Halt or stop the activity causing the risk • Risk Transference • Transfer the risk (e.g. buy insurance) • Risk Mitigation • Reduce impact with controls/safeguards • Risk Acceptance • Understand the consequences and accept the risk
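Added example, not part of the slide deck: it scores each Information Security Service (C, I, A) with the slide 24 likelihood and impact scales, averages the scores as slide 20 describes for total risk, and attaches a slide 26 response to each band. The score-to-band thresholds and the band-to-response mapping are assumptions made here for illustration; the slides give neither.

```python
"""Semi-quantitative risk scoring for the C-I-A services.

Added example (not from the slides). Scales follow slide 24; the
score-to-band thresholds and the band-to-response mapping are
assumptions chosen for illustration, not values from the course.
"""
from statistics import mean

# Slide 24 scales: likelihood and impact, both rated 1..5.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}

# Assumed floors on the 1..25 product (not given on the slides).
BANDS = [(15, "SEVERE"), (10, "HIGH"), (5, "MEDIUM"), (1, "LOW")]

# Assumed mapping of severity band to the slide 26 responses.
RESPONSE = {"SEVERE": "Risk Avoidance", "HIGH": "Risk Mitigation",
            "MEDIUM": "Risk Transference", "LOW": "Risk Acceptance"}


def score(likelihood: str, impact: str) -> int:
    """Matrix cell value: likelihood rating times impact rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(value: int) -> str:
    """Map a 1..25 score to a severity band using the assumed floors."""
    for floor, name in BANDS:
        if value >= floor:
            return name
    raise ValueError(f"score out of range: {value}")


def total_risk(ratings: dict) -> tuple:
    """Slide 20: total risk is the average of the risk to each service.
    ratings maps service -> (likelihood, impact); returns (mean score, band)."""
    scores = [score(lik, imp) for lik, imp in ratings.values()]
    avg = mean(scores)
    return avg, band(round(avg))


if __name__ == "__main__":
    # Constructed sample ratings for one system, not real assessment data.
    sample = {"Confidentiality": ("Likely", "Major"),
              "Integrity": ("Unlikely", "Catastrophic"),
              "Availability": ("Frequent", "Minor")}
    for svc, (lik, imp) in sample.items():
        s = score(lik, imp)
        print(f"{svc:16} {lik:9} x {imp:13} = {s:2} -> {band(s)} / {RESPONSE[band(s)]}")
    avg, b = total_risk(sample)
    print(f"Total risk (mean of C-I-A) = {avg:.1f} -> {b}")
```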

  27. Information Systems Risk Components • Let’s recap: • What are the components of Information Systems Risk? • - Threats & Threat Agents • - Vulnerabilities (Weaknesses) • - Controls (Safeguards) • - Impact • How is each component important to understanding and managing risk?

  28. Risk Component Relationship Source: Harris, S. (2010). CISSP all in one exam guide, fifth edition. McGraw-Hill, New York, NY.

  29. Break? • This is probably time for a break…

  30. Quiz: Week 1 • 10-15 minutes

  31. Week 2 Review Questions

  32. Question #1 What is the likelihood of a threat taking advantage of a vulnerability called? A. A risk B. A residual risk C. An exposure D. A countermeasure

  34. Question #2 Which of the following combinations best defines risk? A. Threat coupled with a breach. B. Threat coupled with a vulnerability. C. Threat coupled with a breach of security. D. Vulnerability coupled with an attack.

  36. Question #3 What can be defined as an event that could cause harm to information systems? A. A risk B. A threat C. A vulnerability D. A weakness

  38. Question #4 What is the definition of a security exposure? A. An instance of being exposed to losses from a threat B. Any potential danger to information or systems C. Any potential danger to information or systems D. Loss potential due to a threat

  40. Question #5 The absence of a safeguard, or a weakness in a system that may possibly be exploited, is called a? A. Threat B. Exposure C. Vulnerability D. Risk