SlideShare a Scribd company logo

Ch07 Managing Risk

P
phanleson

This document defines key concepts in managing risk such as defining risk, vulnerabilities, threats, targets, agents, and events. It also discusses how to identify risks to an organization by locating vulnerabilities and threats and examining countermeasures. Risks are measured in terms of potential costs including money, time, resources, reputation, and lost business. The overall goal of security risk management is to identify risks, measure their potential impacts, and develop appropriate approaches to manage risks.

BusinessTechnology
1 of 22
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Lesson 7-Managing Risk
Overview Defining risk. Identifying the risk to an organization. Measuring risk.
Defining Risk Risk is the potential for loss that requires protection. Risk management provides a basis for valuing an organization’s information assets. Risk is the measure of vulnerabilities and threats.
Defining Risk Vulnerability Threats
Vulnerability Vulnerabilities make computer systems and networks prone to technical, non-technical, or social engineering attacks. It is characterized by the difficulty and the level of technical skill that is required to exploit it. The result of such exploitation must also be considered.
Threat A threat is an action or event that violates the security of an information system environment. It can have multiple targets. The components of threat are targets, agents, and events.
Targets The targets of threat or attack are security services such as: Confidentiality - Disclosure of classified information to unauthorized individuals. Integrity - Tampering of information. Availability - Denial-of-service attack. Accountability - Prevents organization from reconstructing past events.
Agents (1/2) The characteristics of agents who are the people who may wish to harm the organization are: Access - An agent must have direct or indirect access to system, network, facility, or information. Knowledge - An agent must have some knowledge about the target. More familiar an agent is with the target, more likely the agent will know about the vulnerabilities. Motivation - An agent may tamper with information as a challenge, greed to gain something, or purely with a malicious intent.
Agents (2/2) A threat occurs when an agent with access and knowledge gains motivation to take action. Such agents could be: Employees having necessary access and knowledge to systems. Ex-employees having any grudges. Hackers, terrorists, and criminals with a malicious intent to harm the organization. Commercial rivals who are interested in classified business information of the organization.
Events Events are the ways in which an agent of threat may cause harm to an organization. It is the extent of harm that could possibly be done if the agent gained access.
Risk and How to Identify the Risk to an Organization Risk is the combination of threat and vulnerability. Risks can be categorized as low, medium, or high-risk.
Identifying Vulnerabilities To identify specific vulnerabilities: Locate all the entry points (electronic and physical) to the organization. Identify system configurations. Identify which information and systems are accessible. Include any known vulnerabilities in operating systems and applications.
Identifying Real Threats Real or targeted threats may not show themselves until an event has occurred. All targeted threats are time-consuming and difficult.
Examining Countermeasures Countermeasures for each access point within an organization must be identified. Some of the countermeasures include firewalls, anti-virus software, access control mechanisms, and biometrics.
Identifying Risk Identify specific risks to the organization. Identify what possible harm can be done through each access point. Rate each risk as high risk, medium risk, or low risk. The same vulnerability may pose different levels of risk based on the access point.
Measuring Risk Risks can be measured in terms of: Money. Time. Resources. Reputation and lost business.
Money The cost for managing risks include: Lost productivity. Stolen equipment or money. Cost of an investigation. Cost to repair or replace systems. Cost of experts to assist. Employee overtime.
Time The amount of time taken to manage risks may include: The time a technical staff member is unavailable to perform normal tasks due to a security event. The downtime of a key system. Delay in product delivery or service.
Resources Includes people, systems, communication lines, applications, or access as resources. Computes the monetary cost of using a resource to troubleshoot.
Reputation and Lost Business Data compromise can affect the organization’s reputation. Future business is in jeopardy as people lose faith in the brand name. Losses due to system failures and production delay cannot be ruled out.
Measuring Risk To measure risk: Identify the extent of risk – best case, worst case, or most likely case. Identify the damage in terms of money, time, resources, reputation, and lost business. Identify the cost of restoration. Examine the potential results in each risk measurement area. Develop appropriate risk management approaches.
Summary Security is managing risk. To identify risks, identify vulnerabilities, and threats. Examine countermeasures for each risk. Identify the extent of risk. Measure risk in terms of money, time, resources, reputation, and lost business.

More Related Content

PPTX
Chapter 11: Information Security Incident Management
Nada G.Youssef
 
PPT
Chapter 3: Information Security Framework
Nada G.Youssef
 
PDF
A to Z of Information Security Management
Mark Conway
 
PDF
Information security management system (isms) overview
Julia Urbina-Pineda
 
PPT
Information security management
UMaine
 
PPTX
Introduction to Incident Response Management
Don Caeiro
 
PDF
Information Security It's All About Compliance
Dinesh O Bareja
 
PPTX
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Chapter 11: Information Security Incident Management
Nada G.Youssef
 
Chapter 3: Information Security Framework
Nada G.Youssef
 
A to Z of Information Security Management
Mark Conway
 
Information security management system (isms) overview
Julia Urbina-Pineda
 
Information security management
UMaine
 
Introduction to Incident Response Management
Don Caeiro
 
Information Security It's All About Compliance
Dinesh O Bareja
 
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 

What's hot (20)

PPT
information security management
Gurpreetkaur838
 
PPT
Information security in todays world
Sibghatullah Khattak
 
PPT
Basics of Information System Security
chauhankapil
 
PPTX
Chapter 8: Communications and Operations Security
Nada G.Youssef
 
PPTX
Cybersecurity Risk Management Tools and Techniques (1).pptx
ClintonKelvin
 
PPTX
Chapter 5: Asset Management
Nada G.Youssef
 
PPT
Digital forensics
Nicholas Davis
 
PPTX
Information security management system
Arani Srinivasan
 
PPSX
Security policies
Nishant Pahad
 
PDF
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
PPTX
27001 awareness Training
Dr Madhu Aman Sharma
 
PPT
Lesson 1 - Technical Controls
MLG College of Learning, Inc
 
PPT
Lesson 1- Intrusion Detection
MLG College of Learning, Inc
 
PPT
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
PPT
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
PPTX
Physical Security Assessment
Faheem Ul Hasan
 
PPTX
Information security
avinashbalakrishnan2
 
PPTX
Chapter 9: Access Control Management
Nada G.Youssef
 
PPT
IT Security management and risk assessment
CAS
 
information security management
Gurpreetkaur838
 
Information security in todays world
Sibghatullah Khattak
 
Basics of Information System Security
chauhankapil
 
Chapter 8: Communications and Operations Security
Nada G.Youssef
 
Cybersecurity Risk Management Tools and Techniques (1).pptx
ClintonKelvin
 
Chapter 5: Asset Management
Nada G.Youssef
 
Digital forensics
Nicholas Davis
 
Information security management system
Arani Srinivasan
 
Security policies
Nishant Pahad
 
INCIDENT RESPONSE NIST IMPLEMENTATION
Sylvain Martinez
 
27001 awareness Training
Dr Madhu Aman Sharma
 
Lesson 1 - Technical Controls
MLG College of Learning, Inc
 
Lesson 1- Intrusion Detection
MLG College of Learning, Inc
 
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
Physical Security Assessment
Faheem Ul Hasan
 
Information security
avinashbalakrishnan2
 
Chapter 9: Access Control Management
Nada G.Youssef
 
IT Security management and risk assessment
CAS
 
Ad

Viewers also liked (8)

PDF
Ch18 Internet Security
phanleson
 
PDF
Ch11 Vpn
phanleson
 
PDF
Ch20 Wireless Security
phanleson
 
PDF
Ch14 Desktop Protection
phanleson
 
PDF
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
PDF
Ch06 Policy
phanleson
 
PDF
Ch12 Encryption
phanleson
 
PDF
Ch09 Information Security Best Practices
phanleson
 
Ch18 Internet Security
phanleson
 
Ch11 Vpn
phanleson
 
Ch20 Wireless Security
phanleson
 
Ch14 Desktop Protection
phanleson
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
Ch06 Policy
phanleson
 
Ch12 Encryption
phanleson
 
Ch09 Information Security Best Practices
phanleson
 
Ad

Similar to Ch07 Managing Risk (20)

PPTX
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
JakeariesMacarayo
 
PPTX
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
JakeariesMacarayo
 
PPTX
3.IS@Mohsin.pptx,.,,........,.............
salmannawaz6566504
 
PDF
Vskills Certified Network Security Professional Sample Material
Vskills
 
DOCX
Create your own variant of both a hiring and a termination policy rela.docx
earleanp
 
PPTX
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
PPTX
Purple Gradient Illustration Cyber Security Presentation (1).pptx
adnanhanif190b
 
PPTX
Best Open Threat Management Platform in USA
CompanySeceon
 
PPTX
Information Security and Risk Management.pptx
prembasnet12
 
PDF
Describe two methods for communicating the material in an Informatio.pdf
archgeetsenterprises
 
PDF
Threat and Vulnerability Management https://www.omexsecurity.com/
sanadilawar2990
 
PDF
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
PDF
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
CyberPro Magazine
 
PPTX
Threats safety and Vulnerabilities in workplace .pptx
takatorifernandez
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
PPTX
web application penetration testing.pptx
Fayemunoz
 
PDF
Outsourcing
karlhennessy
 
DOCX
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
gilbertkpeters11344
 
PDF
Domain1_Security_Principles --(My_Notes)
efs14135
 
PPTX
EBRE TABOR UNIVERSITY Gafat Institute of Technology Department of Information...
shambelworku8
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
JakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
JakeariesMacarayo
 
3.IS@Mohsin.pptx,.,,........,.............
salmannawaz6566504
 
Vskills Certified Network Security Professional Sample Material
Vskills
 
Create your own variant of both a hiring and a termination policy rela.docx
earleanp
 
IT Security and Management - Semi Finals by Mark John Lado
Mark John Lado, MIT
 
Purple Gradient Illustration Cyber Security Presentation (1).pptx
adnanhanif190b
 
Best Open Threat Management Platform in USA
CompanySeceon
 
Information Security and Risk Management.pptx
prembasnet12
 
Describe two methods for communicating the material in an Informatio.pdf
archgeetsenterprises
 
Threat and Vulnerability Management https://www.omexsecurity.com/
sanadilawar2990
 
New Age Red Teaming - Enterprise Infilteration
Shritam Bhowmick
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
CyberPro Magazine
 
Threats safety and Vulnerabilities in workplace .pptx
takatorifernandez
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
web application penetration testing.pptx
Fayemunoz
 
Outsourcing
karlhennessy
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
gilbertkpeters11344
 
Domain1_Security_Principles --(My_Notes)
efs14135
 
EBRE TABOR UNIVERSITY Gafat Institute of Technology Department of Information...
shambelworku8
 

More from phanleson (20)

PDF
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Firewall - Network Defense in Depth Firewalls
phanleson
 
PPT
Mobile Security - Wireless hacking
phanleson
 
PPT
Authentication in wireless - Security in Wireless Protocols
phanleson
 
PPT
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
PPT
Hacking web applications
phanleson
 
PPTX
HBase In Action - Chapter 04: HBase table design
phanleson
 
PPT
HBase In Action - Chapter 10 - Operations
phanleson
 
PPT
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
PPTX
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
PPTX
Learning spark ch10 - Spark Streaming
phanleson
 
PPTX
Learning spark ch09 - Spark SQL
phanleson
 
PPT
Learning spark ch07 - Running on a Cluster
phanleson
 
PPTX
Learning spark ch06 - Advanced Spark Programming
phanleson
 
PPTX
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
PPTX
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
PPTX
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
PPT
Lecture 1 - Getting to know XML
phanleson
 
PPTX
Lecture 4 - Adding XTHML for the Web
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Firewall - Network Defense in Depth Firewalls
phanleson
 
Mobile Security - Wireless hacking
phanleson
 
Authentication in wireless - Security in Wireless Protocols
phanleson
 
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
Hacking web applications
phanleson
 
HBase In Action - Chapter 04: HBase table design
phanleson
 
HBase In Action - Chapter 10 - Operations
phanleson
 
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
Learning spark ch10 - Spark Streaming
phanleson
 
Learning spark ch09 - Spark SQL
phanleson
 
Learning spark ch07 - Running on a Cluster
phanleson
 
Learning spark ch06 - Advanced Spark Programming
phanleson
 
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
Lecture 1 - Getting to know XML
phanleson
 
Lecture 4 - Adding XTHML for the Web
phanleson
 

Recently uploaded (20)

PPTX
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
DOCX
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
PDF
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
DOCX
Business Management - unit 1 and 2
anithak410
 
PPTX
5 Stages of group development guide.pptx
keerthanashanmugam201
 
PPTX
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
PDF
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PDF
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
PDF
A Brief Introduction About Julia Allison
Julia Allison
 
PDF
Business model innovation report 2022.pdf
pradvapal
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PDF
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
PDF
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
PPTX
Amazon (Business Studies) management studies
AbhirupVerma
 
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
PDF
IFRS Notes in your pocket for study all the time
jjj81507
 
PPTX
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
ICG2025_ICG 6th steering committee 30-8-24.pptx
AtiarRahaman5
 
Euro SEO Services 1st 3 General Updates.docx
AmirNazir49
 
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
Business Management - unit 1 and 2
anithak410
 
5 Stages of group development guide.pptx
keerthanashanmugam201
 
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
Roadmap Map-digital Banking feature MB,IB,AB
Alemayehu
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
BsN 7th Sem Course GridNNNNNNNN CCN.pdf
ZAMANYousufzai1
 
A Brief Introduction About Julia Allison
Julia Allison
 
Business model innovation report 2022.pdf
pradvapal
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
Ôn tập tiếng anh trong kinh doanh nâng cao
thaoonguyenn2311
 
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
Elevate Cleaning Efficiency Using Tallfly Hair Remover Roller Factory Expertise
farsookmon97766765
 
Amazon (Business Studies) management studies
AbhirupVerma
 
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
IFRS Notes in your pocket for study all the time
jjj81507
 
Lecture (1)-Introduction.pptx business communication
HamzaGhani10
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 

Ch07 Managing Risk

  • 2. Overview Defining risk. Identifying the risk to an organization. Measuring risk.
  • 3. Defining Risk Risk is the potential for loss that requires protection. Risk management provides a basis for valuing an organization’s information assets. Risk is the measure of vulnerabilities and threats.
  • 5. Vulnerability Vulnerabilities make computer systems and networks prone to technical, non-technical, or social engineering attacks. It is characterized by the difficulty and the level of technical skill that is required to exploit it. The result of such exploitation must also be considered.
  • 6. Threat A threat is an action or event that violates the security of an information system environment. It can have multiple targets. The components of threat are targets, agents, and events.
  • 7. Targets The targets of threat or attack are security services such as: Confidentiality - Disclosure of classified information to unauthorized individuals. Integrity - Tampering of information. Availability - Denial-of-service attack. Accountability - Prevents organization from reconstructing past events.
  • 8. Agents (1/2) The characteristics of agents who are the people who may wish to harm the organization are: Access - An agent must have direct or indirect access to system, network, facility, or information. Knowledge - An agent must have some knowledge about the target. More familiar an agent is with the target, more likely the agent will know about the vulnerabilities. Motivation - An agent may tamper with information as a challenge, greed to gain something, or purely with a malicious intent.
  • 9. Agents (2/2) A threat occurs when an agent with access and knowledge gains motivation to take action. Such agents could be: Employees having necessary access and knowledge to systems. Ex-employees having any grudges. Hackers, terrorists, and criminals with a malicious intent to harm the organization. Commercial rivals who are interested in classified business information of the organization.
  • 10. Events Events are the ways in which an agent of threat may cause harm to an organization. It is the extent of harm that could possibly be done if the agent gained access.
  • 11. Risk and How to Identify the Risk to an Organization Risk is the combination of threat and vulnerability. Risks can be categorized as low, medium, or high-risk.
  • 12. Identifying Vulnerabilities To identify specific vulnerabilities: Locate all the entry points (electronic and physical) to the organization. Identify system configurations. Identify which information and systems are accessible. Include any known vulnerabilities in operating systems and applications.
  • 13. Identifying Real Threats Real or targeted threats may not show themselves until an event has occurred. All targeted threats are time-consuming and difficult.
  • 14. Examining Countermeasures Countermeasures for each access point within an organization must be identified. Some of the countermeasures include firewalls, anti-virus software, access control mechanisms, and biometrics.
  • 15. Identifying Risk Identify specific risks to the organization. Identify what possible harm can be done through each access point. Rate each risk as high risk, medium risk, or low risk. The same vulnerability may pose different levels of risk based on the access point.
  • 16. Measuring Risk Risks can be measured in terms of: Money. Time. Resources. Reputation and lost business.
  • 17. Money The cost for managing risks include: Lost productivity. Stolen equipment or money. Cost of an investigation. Cost to repair or replace systems. Cost of experts to assist. Employee overtime.
  • 18. Time The amount of time taken to manage risks may include: The time a technical staff member is unavailable to perform normal tasks due to a security event. The downtime of a key system. Delay in product delivery or service.
  • 19. Resources Includes people, systems, communication lines, applications, or access as resources. Computes the monetary cost of using a resource to troubleshoot.
  • 20. Reputation and Lost Business Data compromise can affect the organization’s reputation. Future business is in jeopardy as people lose faith in the brand name. Losses due to system failures and production delay cannot be ruled out.
  • 21. Measuring Risk To measure risk: Identify the extent of risk – best case, worst case, or most likely case. Identify the damage in terms of money, time, resources, reputation, and lost business. Identify the cost of restoration. Examine the potential results in each risk measurement area. Develop appropriate risk management approaches.
  • 22. Summary Security is managing risk. To identify risks, identify vulnerabilities, and threats. Examine countermeasures for each risk. Identify the extent of risk. Measure risk in terms of money, time, resources, reputation, and lost business.