Information Technology Risk

Here starts the lesson!
Introduction

Any risk related to IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business.
Definitions

By Committee on NSS: Risk is the possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability.

By ISO: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.

By Risk Management Insight: IT risk is the probable frequency and probable magnitude of future loss.
Measuring IT Risk
It is very difficult, in fact impossible, to measure exact IT risk.

We can measure approximate risk.

Four fundamental forces involved in risk management:

1. Assets
2. Impact
3. Threats
4. Likelihood

Risk: R = L × I (likelihood × impact)
IT Risk Management

● Avoid: eliminate the risk by not taking up or avoiding the specific business process
● Transfer: share risk with partners or transfer to insurance coverage
● Mitigate: implement controls
● Accept: formally acknowledge that the risk exists and monitor it
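The following is an added example, not part of the original slides, showing the formula R = L × I applied to a small risk register and each score mapped to one of the four treatment options above. The 1-5 ordinal scales, the sample register entries and the treatment thresholds are assumptions chosen for illustration.

```python
"""Scoring and treating IT risk with R = L x I.

Added example, not from the original slides. The 1-5 ordinal scales,
the sample risk register and the treatment thresholds are assumptions
chosen to illustrate the four options: avoid, transfer, mitigate, accept.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale for both likelihood and impact


@dataclass(frozen=True)
class RiskItem:
    asset: str        # what is exposed
    threat: str       # what could harm it
    likelihood: int   # L, 1 (rare) .. 5 (almost certain)
    impact: int       # I, 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be integers in 1..5")


def risk_score(item: RiskItem) -> int:
    """R = L x I, the formula on the slide."""
    return item.likelihood * item.impact


def treatment(item: RiskItem, appetite: int = 4) -> str:
    """Pick one of the four options; the thresholds are assumptions.

    accept:   score within the organisation's risk appetite
    avoid:    both likely and severe, so the activity itself is dropped
    transfer: severe but rare, the classic case for insurance
    mitigate: everything else is handled with controls
    """
    score = risk_score(item)
    if score <= appetite:
        return "accept"
    if item.likelihood >= 4 and item.impact >= 4:
        return "avoid"
    if item.impact >= 4 and item.likelihood <= 2:
        return "transfer"
    return "mitigate"


def prioritise(register):
    """Return (score, treatment, item) tuples, highest risk first."""
    rows = [(risk_score(i), treatment(i), i) for i in register]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample register for the demo (not real data).
SAMPLE_REGISTER = [
    RiskItem("legacy FTP upload service", "credential theft", 4, 4),
    RiskItem("primary data centre", "flood", 1, 5),
    RiskItem("staff laptops", "phishing leading to malware", 3, 3),
    RiskItem("internal wiki", "short outage", 2, 2),
]

if __name__ == "__main__":
    for score, action, item in prioritise(SAMPLE_REGISTER):
        print(f"{score:2d}  {action:8s}  {item.asset}: {item.threat}")
```

The point the register makes is that the score alone does not decide the treatment: a flood has a low score (5) yet is transferred to insurance because its impact is severe, while the phishing item has a higher score (9) and is mitigated with controls because its impact is moderate.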
Network Security

● Message Confidentiality

● Message Integrity

● Message Authentication

● Message Non Repudiation

● Entity Authentication
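As an added example that is not from the original slides, the code below shows message integrity and message authentication using an HMAC tag, and why a shared-key tag does not give message non-repudiation: the receiver holds the same key and can produce a valid tag for any message. The key and messages are constructed for the demo.

```python
"""Message integrity and authentication with an HMAC tag.

Added example, not from the original slides. The shared key, the
messages and the tampering scenario are constructed for illustration.
"""
import hashlib
import hmac


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender side: tag = HMAC-SHA256(key, message)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time
    so that the comparison itself does not leak timing information."""
    return hmac.compare_digest(make_tag(key, message), tag)


def scenario() -> dict:
    """Walk through the four outcomes a practitioner should expect."""
    shared_key = b"constructed-demo-key-do-not-reuse"   # constructed
    message = b"transfer 100 to account 42"             # constructed
    tag = make_tag(shared_key, message)
    return {
        # Integrity + authentication: untouched message, right key -> accepted
        "genuine": verify_tag(shared_key, message, tag),
        # Integrity: one changed digit in transit -> rejected
        "tampered": verify_tag(shared_key, b"transfer 900 to account 42", tag),
        # Authentication: a party without the key cannot produce a valid tag
        "wrong_key": verify_tag(b"another-key", message, tag),
        # No non-repudiation: the receiver, holding the same key, can forge
        # a perfectly valid tag, so the tag cannot prove who sent a message
        "receiver_can_forge": verify_tag(
            shared_key, b"forged", make_tag(shared_key, b"forged")),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:18s} accepted={outcome}")
```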
Cryptography

Encryption: transforming plain text to cipher text

Decryption: transforming cipher text into plain text
Entity Authentication

Something Known
● Password
● One time password (OTP)
● PIN

Something Possessed
● Passport
● PAN Card
● Driver's License
● I-Card
● Credit Card
● Smart Card

Something Inherent
● Signature
● Fingerprints
● Voice
● Facial Characteristics
● Retinal Pattern
● Handwriting
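The following added example, not from the original slides, combines two of the three factors above: a password (something known), stored only as a salted PBKDF2 hash, and a one time password (something possessed) computed as RFC 6238 TOTP with the standard library. The user record layout, the PBKDF2 work factor and the one-step clock drift allowance are assumptions; the demo secret is the published RFC 4226/6238 test-vector secret, used only so the codes are reproducible.

```python
"""Two-factor entity authentication: something known + something possessed.

Added example, not from the original slides. The user record layout,
the PBKDF2 parameters and the one-step clock drift allowance are
assumptions; the OTP is RFC 6238 TOTP computed with the standard library.
"""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor
TOTP_STEP = 30            # seconds per OTP window
TOTP_DIGITS = 6

# Published RFC 4226 / RFC 6238 test-vector secret; demo only, never reuse.
DEMO_SECRET = b"12345678901234567890"


def register_user(password: str, otp_secret: bytes) -> dict:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "otp_secret": otp_secret}


def check_password(record: dict, password: str) -> bool:
    """Something known: recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


def check_otp(record: dict, code: str, at: float) -> bool:
    """Something possessed: accept the current window or one step either side
    (assumed drift allowance), comparing each candidate in constant time."""
    counter = int(at // TOTP_STEP)
    return any(hmac.compare_digest(hotp(record["otp_secret"], counter + d), code)
               for d in (-1, 0, 1))


def authenticate(record: dict, password: str, code: str, at=None) -> bool:
    """Both factors must pass; both are always evaluated so a failure
    does not reveal which factor was wrong."""
    at = time.time() if at is None else at
    pw_ok = check_password(record, password)
    otp_ok = check_otp(record, code, at)
    return pw_ok and otp_ok


if __name__ == "__main__":
    user = register_user("correct horse battery", DEMO_SECRET)   # constructed
    now = time.time()
    print("login ok:", authenticate(user, "correct horse battery",
                                    totp(DEMO_SECRET, now), now))
```

The HOTP values for the demo secret match the RFC 4226 table (counter 0 gives 755224, counter 1 gives 287082), which is a convenient way to confirm an OTP implementation before trusting it.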
SET
● Secure Electronic Transaction
● Developed by MasterCard and Visa
● Protocol designed for handling credit card transactions over Internet
● Ensures the identities of all parties involved in the transaction
● Encrypts information before transmitting

SSL
● Secure Sockets Layer
● URL changes from http to https
● It can be used only with http messages
● Encryption is based on session key
● SSL protocol provides data encryption, server authentication, optional client authentication and message integrity
Firewall
● Helps to keep your computer more secure
● Can be hardware based or software based
● A barrier between external and internal network
● Prevents direct communication
● Prevents unauthorized access
Email Encryption
● Encryption of email messages to protect the content from being read by other entities
● It may also include authentication
● Email is prone to disclosure of information
● Most emails are currently transmitted in the clear form
● By means of some tools, persons other than the designated recipients can read the email contents
Website Risks

First party Risks
● Physical damage to website operations
● Loss of data, programs, software
● Virus attacks
● DOS attacks
● Hacking and site penetration
● Website hijacking
● Loyalty and Fraud by employees
● Credit card fraud and phishing

Third party Risks
● Contract and consumer law
● Defamation and falsehoods
● Data protection
● Confidence and privacy
● Innocent transmissions
● Discrimination and harassment
● General regulations and laws
● IP and domain name infringements
● Jurisdictions of trading
The Elements of Security
1. Vulnerability (the absence or weakness of a safeguard that could be exploited)
2. Threat (any potential danger to information or systems)
3. Risk (the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact)
4. Exposure (an instance of being exposed to losses from a threat agent)
5. Countermeasure or Safeguard (an application that mitigates the risk)
Thank you