Lecture 6: OCTAVE
OCTAVE: Why?
Key Differences Between OCTAVE and Other Approaches
OCTAVE                       | Other Evaluations
-----------------------------|------------------------
Organization evaluation      | System evaluation
Focus on security practices  | Focus on technology
Strategic issues             | Tactical issues
Self direction               | Expert led
Examples
Example 1
• Risks:
– disclosure of company confidential information
– computation based on incorrect data
• Cost to correct data: $1,000,000
• At 10% likelihood per year: $100,000
• Effectiveness of access control software, 60%: -$60,000
• Cost of access control software: +$25,000
• Expected annual costs due to loss and controls:
– $100,000 - $60,000 + $25,000 = $65,000
• Savings:
– $100,000 - $65,000 = $35,000
Example 2
• Control cost:
– Hardware: +$10,000
– Software: +$4,000
– Support personnel: +$40,000
– Annual cost: $54,000
• Expected annual cost with the control: $6,000 - $6,000 + $54,000 = $54,000
• Savings: $6,000 - $54,000 = -$48,000
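The arithmetic behind both examples, as an added illustration that is not part of the lecture: a control is worth deploying only when the expected loss it removes exceeds its own annual cost. The class and function names are my own, and Example 2 is represented as a $6,000 loss with likelihood 1.0, since the slide gives only the $6,000 expected loss.

```python
"""Cost-benefit of a single security control, following the lecture's two examples."""
from dataclasses import dataclass


@dataclass
class ControlDecision:
    """Inputs for one candidate control; money is dollars per year."""
    loss_if_realized: float   # single-loss cost, e.g. cost to correct the data
    annual_likelihood: float  # probability the loss occurs in a year (0..1)
    effectiveness: float      # fraction of the expected loss the control removes (0..1)
    control_cost: float       # annual cost of running the control

    def expected_annual_loss(self) -> float:
        """Expected loss without the control: impact x likelihood."""
        return self.loss_if_realized * self.annual_likelihood

    def loss_avoided(self) -> float:
        """Share of the expected loss the control removes."""
        return self.expected_annual_loss() * self.effectiveness

    def expected_annual_cost_with_control(self) -> float:
        """Residual expected loss plus the control's own cost (lecture formula)."""
        return self.expected_annual_loss() - self.loss_avoided() + self.control_cost

    def savings(self) -> float:
        """Positive when the control pays for itself, negative when it does not."""
        return self.expected_annual_loss() - self.expected_annual_cost_with_control()


def worth_deploying(d: ControlDecision) -> bool:
    """Decision rule: deploy only if savings are positive."""
    return d.savings() > 0


# Example 1: $1,000,000 loss at 10%/year; access-control software 60% effective, $25,000/year.
EXAMPLE_1 = ControlDecision(1_000_000, 0.10, 0.60, 25_000)

# Example 2 (assumption: modelled as a $6,000 loss with likelihood 1.0, fully removed by a
# control costing hardware 10,000 + software 4,000 + support personnel 40,000 per year).
EXAMPLE_2 = ControlDecision(6_000, 1.0, 1.0, 10_000 + 4_000 + 40_000)

if __name__ == "__main__":
    for name, d in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(f"{name}: expected loss {d.expected_annual_loss():,.0f}, "
              f"with control {d.expected_annual_cost_with_control():,.0f}, "
              f"savings {d.savings():,.0f}, deploy={worth_deploying(d)}")
```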
Example 1: Risk = Likelihood x Impact
Example 2: Risk Rating Matrix 1
Example 3: Risk Rating Matrix 2
Wise man looking on us