RISK 1
CST 481/598
Many thanks to Jeni Li
Risk
Potential negative impact to an asset
Probability of a loss
A function of three variables
  The probability of a threat
  The probability of a vulnerability
  The potential impact
A measurable quantity
Types of Risk
o Technical
o Information Security
o Business
o Where measured
o How measured
o Who cares – stakeholders
  regulatory requirements, corporate governance
o CIA – Confidentiality, Integrity, Availability
Asset
"An asset is a resource controlled by the enterprise as a result of past events and from which future economic benefits are expected to flow to the enterprise."
In other words, the stuff that has value to your company and its ability to conduct its business operations
Asset (examples)
Information
  Customer records
  Sales leads
  Intellectual property
  Business transaction records
Systems
  Workstations, servers, network infrastructure
People
  Staff, clientele
Products (may be outside our scope)
Impact
The magnitude of a potential loss
The seriousness of an event
Vulnerability
A weakness that provides the opportunity for a threat to occur
Examples
  Operating system vulnerabilities
  Exploitable Web applications
  Staff members susceptible to social engineering
  Server room located directly below the bathrooms?
Threat
A possible danger that might exploit a vulnerability
Anything that could cause harm to your assets
May be accidental or intentional
Types of threats
Accidental
  Natural disasters
    Earthquake, fire, flood, lightning
  True accidents
    Unintentional misuse or damage by employees
  Other unintended threats
    Power grid outage
Types of threats
Intentional (aka, malicious)
  Caused by a threat agent
  Examples
    Corporate espionage
    Terrorist attack
    Hacktivism
Threat agent
An individual or group that will implement the threat
Needs the following factors:
  Motivation: Why does the attacker want to attack?
  Capability: Skills and resources
  Opportunity: Physical or electronic access to the target
  Catalyst: Something that causes the attacker to act
Types of threat agents
Nation state sponsored
Terrorist
Pressure (activist) group
Commercial organization
Criminal group
Hacker group
Disgruntled insider
Threat vector
The path or tool used by a threat agent
Examples
  Spam, instant messaging, a specific worm
  Sniffer, keystroke logger, dumpster diving
  Pipe bomb, truck bomb
Threat inhibitors
Factors that influence the threat agent not to carry out the attack against the target
Threat amplifiers
Factors that encourage the threat agent to carry out the attack against the target
Controls
Measures taken to eliminate or mitigate risk
Examples
  Physical security (e.g., locks, barriers)
  Personnel security (e.g., background checks, training)
  Procedural security (e.g., policies/other documents)
  Technical security (hardware, software)
Must be cost-effective
Sometimes the best control is no control at all
The general process
Identification
Assessment
Treatment plan
Development
Implementation
Review/evaluation
Identification
Assets
Vulnerabilities
Threats
Threat vectors
Threat agents
Assessment
Estimate or measure the risk
Can be qualitative or quantitative
  Qualitative is good for comparing risks
  Quantitative is good for determining ROI
(probability of event) x (impact of event) = risk
Australian standard technical risk assessment
EC: Adequacy of Existing Controls, 1 (excellent) to 7 (none)
L: Likelihood of the Risk Occurring, 1 (may never occur) to 5 (is expected to occur)
I: Impact/Consequence, 1 (minimal to no impact) to 5 (total destruction)
Risk = (7*EC + 3*L + 4*I)/84
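The weighted formula above is easy to misuse if a score falls outside its scale, so the following added example (not part of the slides) validates each input against the stated ranges, computes the normalised score, and ranks a small risk register by it. The register entries and their scores are constructed for illustration; note that 7*7 + 3*5 + 4*5 = 84, which is why the worst case scores exactly 1.0.

```python
# Added example (not from the slides): scoring and ranking risks with
# Risk = (7*EC + 3*L + 4*I) / 84. Register entries below are constructed.

from dataclasses import dataclass

# Scale bounds exactly as stated on the slide.
EC_RANGE = (1, 7)  # adequacy of existing controls: 1 excellent .. 7 none
L_RANGE = (1, 5)   # likelihood: 1 may never occur .. 5 expected to occur
I_RANGE = (1, 5)   # impact: 1 minimal .. 5 total destruction

# 7*7 + 3*5 + 4*5 = 84: the denominator normalises the worst case to 1.0.
MAX_SCORE = 7 * EC_RANGE[1] + 3 * L_RANGE[1] + 4 * I_RANGE[1]
MIN_SCORE = 7 * EC_RANGE[0] + 3 * L_RANGE[0] + 4 * I_RANGE[0]


def _check(name, value, bounds):
    """Reject anything that is not an integer inside the slide's scale."""
    lo, hi = bounds
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")


def technical_risk(ec, likelihood, impact):
    """Weighted score in [MIN_SCORE/84, 1.0]; higher means more risk."""
    _check("EC", ec, EC_RANGE)
    _check("L", likelihood, L_RANGE)
    _check("I", impact, I_RANGE)
    return (7 * ec + 3 * likelihood + 4 * impact) / MAX_SCORE


@dataclass(frozen=True)
class Risk:
    name: str
    ec: int
    likelihood: int
    impact: int

    @property
    def score(self):
        return technical_risk(self.ec, self.likelihood, self.impact)


def rank_risks(risks):
    """Highest score first, so the top of the list is what to treat first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk("Unpatched web server", ec=6, likelihood=4, impact=4),
    Risk("Server room flooding", ec=3, likelihood=2, impact=5),
    Risk("Lost laptop (disk encrypted)", ec=2, likelihood=4, impact=2),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.score:.3f}  {r.name}")
```

Because the weights are 7, 3 and 4, the adequacy of existing controls moves the score more than likelihood or impact does; the minimum possible score is 14/84, not zero, so a "fully controlled, unlikely, minimal" risk still shows up as non-zero in the ranking.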
Cost Effectiveness Analysis
Asset value (AV)
Exposure factor (EF)
Single loss expectancy (SLE)
Annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE)
Estimate
Asset value: What's it worth to you?
  Tangible and intangible
  If we lost this asset, we would lose $...
Exposure factor: How bad would it be?
  Percentage of asset loss caused by a threat, 0 to 100%
Annualized rate of occurrence: How many times per year could it happen?
  Once in 5 years = 1/5
Calculate
Single loss expectancy: SLE = AV x EF
Annualized loss expectancy: ALE = ARO x SLE
Compare
ALE before safeguard/control (ALEb)
ALE after safeguard/control (ALEa)
Cost to deploy safeguard/control
ALEb – ALEa – Cost = Value of safeguard
Careful how you define those costs!
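The Estimate, Calculate and Compare steps above are one procedure, so here is an added example (not from the slides) that carries a single threat/control pair through AV, EF, SLE, ARO, ALE and the safeguard-value comparison. The scenario figures are constructed; the amortisation of a one-off purchase over its service life is an assumption introduced here to address the "careful how you define those costs" warning, since ALE is a per-year quantity and the control's cost must be on the same footing.

```python
# Added example (not from the slides): SLE = AV x EF, ALE = ARO x SLE and
# Value = ALEb - ALEa - Cost, with the control's cost annualised (assumed
# approach). All dollar figures are constructed for illustration.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, with EF as a fraction in [0, 1] (0% to 100% of the asset)."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro, sle):
    """ALE = ARO x SLE; ARO may be fractional ('once in 5 years' = 1/5)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def annualized_cost(one_time_cost, annual_cost, years):
    """Spread a one-off purchase over its service life and add recurring costs,
    so the control's cost is per-year like ALE (assumed convention)."""
    if years <= 0:
        raise ValueError("service life must be positive")
    return one_time_cost / years + annual_cost


def safeguard_value(ale_before, ale_after, annual_cost_of_control):
    """ALEb - ALEa - Cost. Positive means the control pays for itself."""
    return ale_before - ale_after - annual_cost_of_control


def evaluate_control(asset_value, ef_before, aro_before, ef_after, aro_after,
                     one_time_cost, annual_cost, years):
    """Run the full chain for one threat/control pair and return the figures
    a reviewer would want to see, plus the go/no-go decision."""
    ale_b = annualized_loss_expectancy(
        aro_before, single_loss_expectancy(asset_value, ef_before))
    ale_a = annualized_loss_expectancy(
        aro_after, single_loss_expectancy(asset_value, ef_after))
    cost = annualized_cost(one_time_cost, annual_cost, years)
    value = safeguard_value(ale_b, ale_a, cost)
    return {
        "ALE_before": ale_b,
        "ALE_after": ale_a,
        "annual_cost": cost,
        "value": value,
        "worthwhile": value > 0,
    }


# Constructed scenario: a $500,000 customer database; ransomware destroys 80%
# of its value, expected once every 5 years. A backup/restore service cuts the
# exposure factor to 10% (ARO unchanged), costs $20,000 up front plus $8,000 a
# year, and is amortised over 5 years.
SCENARIO = dict(asset_value=500_000, ef_before=0.8, aro_before=1 / 5,
                ef_after=0.1, aro_after=1 / 5,
                one_time_cost=20_000, annual_cost=8_000, years=5)

if __name__ == "__main__":
    for key, val in evaluate_control(**SCENARIO).items():
        print(f"{key:>12}: {val:,.2f}" if isinstance(val, float) else f"{key:>12}: {val}")
```

In the constructed scenario ALEb is $80,000, ALEa is $10,000 and the annualised control cost is $12,000, so the safeguard is worth $58,000 a year. Change the service life to one year and the same control costs $28,000 a year; the decision is still positive here, but that sensitivity is exactly why the cost definition matters.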
Risk treatment plan
How will you handle each risk?
  Avoidance (get out of the business)
  Mitigation (apply a safeguard/control)
  Retention (live with it)
  Transfer (buy insurance)
Other approaches exist
Multi-Attribute Risk Assessment
Security Attribute Evaluation Method
Monte Carlo analysis
CCTA Risk Analysis/Management Method (CRAMM)
Enterprise risk management
… and so on
What's important about each asset?
Confidentiality
Integrity
Availability
Non-repudiability
Infosec Assessment Method(ology)
Uses the CIA model
Identify information assets
  Build an information criticality matrix
Identify systems
  Build a systems criticality matrix
Determine most critical systems
Identify safeguards/controls
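To show how the two matrices on this slide relate, here is an added example (not from the slides or the methodology's own materials) that rates information assets on C, I and A, derives a systems criticality matrix from which information each system handles, and picks the most critical systems. The H/M/L scale, the rule that a system inherits the highest rating of any information it handles, and the assets and systems named are all assumptions made for this illustration.

```python
# Added example (not from the slides): information criticality matrix on C/I/A,
# systems criticality matrix derived from it, and a ranking of systems.
# Scale, inheritance rule and sample data are assumptions for illustration.

LEVELS = {"L": 1, "M": 2, "H": 3}
NAMES = {v: k for k, v in LEVELS.items()}
ATTRIBUTES = ("C", "I", "A")


def _validate(matrix):
    """Every asset must carry exactly C, I and A, each at a known level."""
    for name, rating in matrix.items():
        if set(rating) != set(ATTRIBUTES):
            raise ValueError(f"{name}: rating must have exactly C, I and A")
        for attr, level in rating.items():
            if level not in LEVELS:
                raise ValueError(f"{name}.{attr}: unknown level {level!r}")


def system_criticality(information_matrix, system_to_information):
    """Build the systems criticality matrix: for each attribute, a system's
    rating is the highest rating of any information asset it handles
    (assumed rule). Unknown or empty mappings are rejected, not guessed."""
    _validate(information_matrix)
    result = {}
    for system, info_names in system_to_information.items():
        unknown = set(info_names) - set(information_matrix)
        if unknown:
            raise KeyError(f"{system}: unknown information assets {sorted(unknown)}")
        if not info_names:
            raise ValueError(f"{system}: handles no information assets")
        result[system] = {
            attr: NAMES[max(LEVELS[information_matrix[i][attr]] for i in info_names)]
            for attr in ATTRIBUTES
        }
    return result


def most_critical_systems(systems_matrix, top=1):
    """Rank systems by the sum of their C, I and A levels, highest first, and
    return the names of the top N; ties keep their original order."""
    scored = sorted(systems_matrix.items(),
                    key=lambda kv: sum(LEVELS[v] for v in kv[1].values()),
                    reverse=True)
    return [name for name, _ in scored[:top]]


# Constructed example data (hypothetical organisation).
INFORMATION = {
    "customer records":  {"C": "H", "I": "H", "A": "M"},
    "sales leads":       {"C": "M", "I": "M", "A": "L"},
    "public price list": {"C": "L", "I": "H", "A": "H"},
}
SYSTEMS = {
    "CRM server": ["customer records", "sales leads"],
    "web server": ["public price list"],
    "file share": ["sales leads"],
}

if __name__ == "__main__":
    matrix = system_criticality(INFORMATION, SYSTEMS)
    for system, rating in matrix.items():
        print(f"{system:<12} C={rating['C']} I={rating['I']} A={rating['A']}")
    print("most critical:", most_critical_systems(matrix, top=2))
```

The point the matrix makes is that a system can be critical on one attribute only: the web server holds nothing confidential, but because the public price list must be correct and available, it still ranks second. A control chosen for that system should target integrity and availability rather than confidentiality.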