Risk Management CS5493

Upload: arleen-cobb

Post on 05-Jan-2016


Page 1: Risk Management CS5493. Risk Management The process of ● identifying, ● assessing, ● prioritizing, and ● mitigating risks

Risk Management

CS5493

Page 2

Risk Management

The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating risks

Page 3

Risk Management

● An ongoing process that has a life-cycle
– (sustainability cycle)

Page 4

Risk Management

● Minimize the effects of negative risks
● Maximize the effects of positive risks

Page 5

Risk Management

● Asset – anything of value

Page 6

Risk Management

● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally.

A threat is what you wish to protect against.

Page 7

Risk Management

● Vulnerability – weaknesses exploited by threats that compromise assets.

A vulnerability is a weakness.

Page 8

Define a Risk Equation

● Risk = Threats x Vulnerabilities
– Threats = frequency of an adverse event
– Vulnerability = the probability that a threat will succeed.
– Risk = the risk probability

Page 9

Risk Management

● The exposure cost is the product of the risk-probability value times the loss (of the asset) in dollars.

Cost = RiskProbability * AssetLoss

Page 10

Example (annual)

● Probability of a fire in the data center resulting in a loss: 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = .0075 * .15 = .001125

Page 11

Example (annual)

● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = $843.75 (risk probability * value of the asset)

Page 12

Risk Identification

● The process of determining the risks to assets.
● Create the “risk register”

Page 13

Risk Register

● Creation:
– Brainstorming meeting to identify the risks
– Surveys
– Other events to collect information.

Page 14

Risk Register

● Content
– A description of each identified risk
– Probability of the risk event occurring
– Steps to mitigate
– Rank each risk in the register
– Describe the impact if the risk-event actually occurs and include the cost.

Page 15

Risk Register

● Ranking risks
– Limited budget will require dropping some perceived risks.
– Concentrate on the most important issues.

Page 16

Risk Analysis

● Qualitative
● Quantitative

Page 17

Risk Analysis

● Qualitative
– Risk classification
● High
● Medium
● Low
– Risk impact: how would it impact the overall business.

Page 18

Risk Analysis

● Quantitative
– Use math

Page 19

Risk Analysis

● Quantitative
– EF = Exposure Factor
– SLE = Single Loss Expectancy
● SLE = Asset Value x EF
– ARO = annual rate of occurrence
– ALE = annual loss expectancy
● ALE = SLE x ARO

Page 20

Quantitative Risk Table

Resource      Risk        Value        EF   SLE          ARO  ALE
Building      Fire        $700,000.00  0.6  $420,000.00  0.2  $84,000.00
File Server   disk crash  $50,000.00   0.5  $25,000.00   0.2  $5,000.00
Data          theft       $200,000.00  0.9  $180,000.00  0.7  $126,000.00
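As an added example (not part of the slide deck), the Python below implements the slide-8/9 risk equations (Risk = Threats x Vulnerabilities, Cost = RiskProbability * AssetLoss), checks them against the data-center fire figures on slides 10-11, and computes SLE and ALE for the slide-20 table, then ranks the register by ALE as slide 15 recommends. The RiskEntry class, the function names, the rounding to cents and the range check on probabilities are my own additions; the numbers are the slides' own.

```python
from dataclasses import dataclass

# ---- Slides 8-11: risk probability and exposure cost ----

def risk_probability(threat_frequency: float, vulnerability: float) -> float:
    """Risk = Threats x Vulnerabilities (slide 8).

    threat_frequency: annual probability of the adverse event occurring.
    vulnerability:    probability that the event succeeds in causing loss.
    The range check is an addition: both inputs must be probabilities.
    """
    for p in (threat_frequency, vulnerability):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
    return threat_frequency * vulnerability


def exposure_cost(risk_prob: float, asset_loss: float) -> float:
    """Cost = RiskProbability * AssetLoss (slide 9), rounded to cents."""
    return round(risk_prob * asset_loss, 2)


# ---- Slides 19-20: single and annual loss expectancy ----

@dataclass
class RiskEntry:
    resource: str
    risk: str
    value: float   # asset value in dollars
    ef: float      # exposure factor: fraction of the asset value lost per event
    aro: float     # annual rate of occurrence

    @property
    def sle(self) -> float:
        """SLE = Asset Value x EF (rounded to cents)."""
        return round(self.value * self.ef, 2)

    @property
    def ale(self) -> float:
        """ALE = SLE x ARO (rounded to cents)."""
        return round(self.sle * self.aro, 2)


# The three rows of the slide-20 table (Resource, Risk, Value, EF, ARO).
RISK_TABLE = [
    RiskEntry("Building", "Fire", 700_000, 0.6, 0.2),
    RiskEntry("File Server", "disk crash", 50_000, 0.5, 0.2),
    RiskEntry("Data", "theft", 200_000, 0.9, 0.7),
]


def rank_by_ale(entries):
    """Slide 15: order the register so the costliest risks come first."""
    return sorted(entries, key=lambda e: e.ale, reverse=True)


def total_ale(entries) -> float:
    """Sum of annual loss expectancies: expected yearly loss with no new controls."""
    return round(sum(e.ale for e in entries), 2)


def format_table(entries):
    """Render the ranked register as plain-text rows in slide-20 column order."""
    header = (f"{'Resource':<12}{'Risk':<12}{'Value':>12}{'EF':>5}"
              f"{'SLE':>12}{'ARO':>5}{'ALE':>12}")
    rows = [header]
    for e in rank_by_ale(entries):
        rows.append(f"{e.resource:<12}{e.risk:<12}{e.value:>12,.2f}{e.ef:>5}"
                    f"{e.sle:>12,.2f}{e.aro:>5}{e.ale:>12,.2f}")
    return rows


if __name__ == "__main__":
    # Slides 10-11: data-center fire example.
    p = risk_probability(0.0075, 0.15)                   # 0.001125
    print(f"risk probability = {p:.6f}")
    print(f"annual exposure  = ${exposure_cost(p, 750_000):,.2f}")  # $843.75
    print()
    print("\n".join(format_table(RISK_TABLE)))
    print(f"total ALE = ${total_ale(RISK_TABLE):,.2f}")
```

Running the script reproduces the $843.75 fire figure and the three ALE values on slide 20, with "Data theft" ranked first because its ALE ($126,000) dominates the register; ALE, not asset value, is the quantity a limited control budget should be spent against.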

Page 21

Risk Response Planning

● Negative Risks
● Positive Risks

Page 22

Risk Response Planning

● Responses to negative risks
– Eliminate
– Transfer
– Mitigate
– Accept

Page 23

Negative Risk Response

● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer risk
● Mitigate – reduce the probability of the event from occurring by taking some action.
● Accept – take no additional action.

Page 24

Risk Response Planning

● Response to positive risks
– Exploit
– Share
– Enhance
– Accept

Page 25

Positive Risk Response

● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus
● Accept – take no action

Page 26

BIA

● Business Impact Analysis, BIA
– A formal analysis separating an organization's functions into critical and non-critical categories

Page 27

BIA RPO

● RPO - Recovery Point Objective
– Determine the amount of asset loss that is acceptable

Page 28

BIA RTO

● RTO - Recovery Time Objective
– The maximum allowable time to recover from asset loss.

Page 29

Risk Management

● BIA - Business Impact Analysis
● BCP - Business Continuity Plan
● DRP - Disaster Recovery Plan

Page 30

BIA

● Business Impact Analysis
– Classifying business functions and activities into critical or non-critical categories.
– Determining the prerequisites to support each function/activity.
– Determine the maximum amount of time each function/activity can be unavailable.

Page 31

BCP

● BCP – Business Continuity Plan
– A response plan to interruptions of critical functions
● An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
● Creation of an IT intrusion response team

Page 32

DRP

● DRP – Disaster Recovery Plan
– A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
– Creation of an IT disaster response team

Page 33

DRP

● DRP – Disaster Recovery Plan
– Fire
– Flood
– Hurricane
– Tornado
– Earthquake

Page 34

DRP Requirements

● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions.
● Data/system backups
● Alternate or redundant facility planning