Lecture 6OCTAVE

Octave Why?

Key Differences Between OCTAVE and Other Approaches

OCTAVEOther Evaluations

Organization evaluation System evaluation

Focus on security practices Focus on technology

Strategic issues Tactical issues

Self direction Expert led

Examples

Examples

Example 1• Risks:

– disclosure of company confidential information,– computation based on incorrect data

• Cost to correct data: $1,000,000• @10%liklihood per year: $100,000• Effectiveness of access control sw:60%: -$60,000• Cost of access control software: +$25,000• Expected annual costs due to loss and controls:

– $100,000 - $60,000 + $25,000 = $65,000

• Savings: – $100,000 - $65,000 = $35,000

Example 2

• Control cost• Hardware +$10,000

• Software +$4,000

• Support personnel +$40,000

– Annual cost $54,000

– Expected annual cost (6000 6000+54000)$54,000

– Savings (6000 – 54,000)

-$48,000

Example 1: Risk = Likelihood x Impact

Example 2: Risk Rating Matrix 1

Example 3: Risk Rating Matrix 2

References• http://www.sis.pitt.edu/~amirreza/is2150-fall11/lecture_risk.ppt• http://meminagaoglu.yasar.edu.tr/wp-content/uploads/2011/11/octave-s-

riskassessment.ppt• https://www.owasp.org/index.php/Threat_Risk_Modeling• http://www.cert.org/octave/• Joseph G. Boyce Dan W. Jennings, Information Assurance - Managing

Organizational IT Security Risks, Elsevier Science, 2002• https://www.networkworld.com/news/2010/020210-black-hat-processor-

security.html• http://www.backupcentral.com/mr-backup-blog-mainmenu-47/13-mr-

backup-blog/167-encrypted-data-hacked.html• http://www.csoonline.com/article/220665/19-ways-to-build-physical-

security-into-a-data-center?page=3• http://fengnet.com/book/bssl/bssrvrlnx-CHP-2-SECT-2.html• http://www.checkpoint.com/

Wise man looking on us