
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information

Unit Outline: Information Security Risk Assessment

Module 1: Introduction to Risk

Module 2: Definitions and Nomenclature

Module 3: Security Risk Assessment

Module 4-5: Methodology and Objectives

Module 6: Case Study

Module 7: Summary

Module 1: Introduction to Risk


Risk: Learning Objectives

• Students should be able to:
– Gain understanding of introductory risk concepts
– Conceptualize risk for simple situations
– Gain a historical perspective of risk analysis
– Understand application of risk to different disciplines


Risk: Definition

• Risk – perception of uncertainty in events that occur and actions taken.
• Risks are encountered in everyday decision-making
• Multiple ways to consider risks:
– Risk as feelings
– Risk as analysis
– Risk as politics
• We primarily evaluate risk intuitively (as feelings)


Risk: Opposing Views

• Statisticians
– Probabilities
– Consequences of adverse events
– Quantifiable
• Social scientists
– Invented to cope with uncertainties
– Dependent on perception
– Risk perception: blending of science and judgment with important psychological, social, cultural, and political factors
• Risk estimation depends on risk definition
– There needs to be a consistent and universally accepted definition of risk per domain
– Our risk domain is information security


Risk: Human Factors

• Uncertainty in computing risk is unavoidable
• Reactions to risk are based on emotion rather than scientific evidence.
– When people become outraged, they may overreact.
– If people are not outraged, they may under-react.
– An industrial process producing an unpronounceable chemical is a much less acceptable risk than something more everyday, like driving or eating junk food.
• People become uneasy when scientists are not certain about the risk posed by a hazard (effect, severity, or prevalence).
– Rather than diminish legitimate concerns or heighten illegitimate ones, psychological factors must be addressed to encourage constructive action.
• Risk comparisons may be clearer than absolute numbers
• Emotions must be considered together with scientific evidence.


Risk: Formal Definition

• Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.
• Risks are evaluated by three distinguishing characteristics:
1. Loss associated with an event, e.g., disclosure of confidential data, lost time and revenues.
2. Likelihood that the event will occur, i.e., probability of occurrence
3. Degree to which the risk outcome can be influenced, i.e., controls
• Various forms of threats exist
– Different stakeholders have different perceptions
– Several sources of threats exist simultaneously


Risk: Risk Management Process

• Risk is the probability that a specific threat will successfully exploit a vulnerability, causing a loss.

Process flow (from the slide diagram):
1. What can go wrong (initiating events)?
2. How bad (consequences)?
3. How often (likelihood of failure)?
4. Aggregate risk (likelihood of consequences calculated for every possible combination of precipitating events)
5. Measures to reduce the consequences of risk until they reach acceptable levels (Benefits > Aggregated Risk)


Risk Example #1: Caveman Going to Hunt

• Potential Accidents
– Being eaten by prey
– Being mistakenly hurt by tribe member
– Accidentally getting hurt on terrain
• Hazard Control (Reduce likelihood of damage)
– Avoid dangerous terrain
– Scare animals with fire or sticks
– Hide from animals
– Hunt in groups
• Protection & Damage Limitation (Reduce Consequences)
– Apply first aid
– Run once animal follows you
• How Bad (Consequences)
– Injury
– Death
• Risk = Consequence x Likelihood
• Cost-Benefit Analysis: Total Risk vs. Total Benefit (Food)


Risk Example #2: Participating in Sports Event

• Potential Accidents
– Collision
– Slipping
– Tripping
• Hazard Control (Reduce likelihood of damage)
– Training
– Being careful
– Using proper footwear & protective gear
– Following rules
• Protection & Damage Limitation (Reduce Consequences)
– First aid
– Ambulance
– Medical & hospital services
• How Bad (Consequences)
– Out for match
– Out for season
– Broken bone
– Sprained muscle
– Torn ligament
• Risk = Consequence x Likelihood
• Cost-Benefit Analysis: Total Risk vs. Total Benefit (Thrill & Pride)


Risk Example #3: Driving to Work

• Potential Accidents
– Head-on collision
– Side/rear-end impact
– Hit pedestrian
– Overturn car
– Carjacking
• Causes
– Fatigue
– Poor judgment
– Environmental conditions
– Failure to see traffic signals
• Hazard Control (Reduce likelihood of damage)
– License
– Proper road & signal construction
– Safety barriers
– Police surveillance & speed control
– Obeying traffic rules
• Protection & Damage Limitation (Reduce Consequences)
– Having airbags installed in vehicle
– Wearing seatbelts
– First aid & hospitalization
• How Bad (Consequences)
– Vehicle damage
– Traffic ticket
– Death
– Insurance premium hike
– Injury
• Risk = Consequence x Likelihood
• Cost-Benefit Analysis: Total Risk vs. Total Benefit (Employment)
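The risk management process and the three examples above, carried through in code as an added example that is not part of the original slides: each initiating event gets Risk = Consequence x Likelihood, hazard controls reduce likelihood, protection/damage-limitation controls reduce consequence, the results are aggregated, and the Benefits > Aggregated Risk test is applied. The event and control names follow Example #3; every likelihood, loss, control fraction and the benefit figure are constructed assumptions.

```python
"""Added worked example (not from the slides): Risk = Consequence x Likelihood summed over
initiating events; hazard controls cut likelihood, damage limitation cuts consequence, and
the slides' cost-benefit test is Benefit > Aggregated Risk. All figures are constructed."""
from dataclasses import dataclass, field
from math import prod

@dataclass
class InitiatingEvent:
    name: str
    likelihood: float   # expected occurrences per year
    consequence: float  # loss per occurrence, same units as the benefit
    hazard_controls: dict = field(default_factory=dict)    # control -> fraction of likelihood removed
    damage_limitation: dict = field(default_factory=dict)  # control -> fraction of consequence removed

    def residual_likelihood(self) -> float:
        # Hazard control (reduce likelihood of damage): each control removes a fraction.
        return self.likelihood * prod(1 - cut for cut in self.hazard_controls.values())

    def residual_consequence(self) -> float:
        # Protection & damage limitation (reduce consequences).
        return self.consequence * prod(1 - cut for cut in self.damage_limitation.values())

    def risk(self, with_controls: bool = True) -> float:
        if not with_controls:
            return self.consequence * self.likelihood
        return self.residual_consequence() * self.residual_likelihood()

def aggregate_risk(events, with_controls: bool = True) -> float:
    """Aggregate Risk: Consequence x Likelihood summed over every initiating event."""
    return sum(e.risk(with_controls) for e in events)

def acceptable(events, benefit: float, with_controls: bool = True) -> bool:
    """Cost-benefit test from the slides: Total Benefit must exceed Aggregated Risk."""
    return benefit > aggregate_risk(events, with_controls)

def ranked_residual_risks(events):
    """Residual risk per event, highest first: shows which event still dominates."""
    return sorted(((e.name, e.risk()) for e in events), key=lambda t: -t[1])

# Constructed 'Driving to Work' figures (Example #3); every number is illustrative.
DRIVING = [
    InitiatingEvent("Head-on collision", 0.01, 500_000,
                    {"safety barriers": 0.5, "police speed control": 0.2},
                    {"airbags": 0.5, "seatbelts": 0.2}),
    InitiatingEvent("Side/rear-end impact", 0.10, 8_000,
                    {"obeying traffic rules": 0.5}, {"seatbelts": 0.25}),
    InitiatingEvent("Traffic ticket", 0.5, 200, {"obeying traffic rules": 0.8}),
]
EMPLOYMENT_BENEFIT = 3_000  # constructed annual benefit of the commute (employment)
```

With these constructed figures the inherent aggregate risk (5900) exceeds the benefit, while the controls bring it to 1120, so the activity passes the test only with them in place; the ranking shows the rare, high-consequence head-on collision still carries most of the residual risk.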


Risk: Applications

• Finance – Risk in investments, insurance, etc.
• Industrial – Plant failures, accidents, competitive risks
• Political – Impact of decisions, probabilities of success, etc.
• Nuclear – Plant operation, fuel storage, proliferation of fissile material
• Aviation – Safety of airplanes, weather conditions, terrorism impact
• Medicine – Weighing different treatment options


Risk: Summary

• Risk can be viewed as uncertainty, and similarly risk analysis can be viewed as decision-making under uncertainty.
• Risk may be analyzed intuitively or analytically.
• In many day-to-day activities risk is considered intuitively
– Such skills are honed via years of experience in dealing with some situations
• Humans have limitations in handling multiple pieces of information
– Analytic techniques are required for complex problems where many factors are involved.