
CC7178

Cyber Security Management

Lecture 2
Risk Identification and Risk Assessment

Presenter: Kiran Kumar Shah


Learning Objectives
• To define risk management and its role in the organization
• To use risk management techniques to identify and prioritize risk factors for information assets
• To assess risk based on the likelihood of adverse events and their effects on information assets when those events occur
• To document the results of risk identification
Asset, Vulnerability, Threat, Risk, Loss concepts oversimplified (egg illustration):

Threat = fire, weight
Risk = fire, broken egg
Loss = broken egg
Risk Management: Know Your System

Understand the information systems currently in place in the organization.

E.g. a database security administrator should know:
1. What type of data is stored
2. Where the database servers are
Risk Management: Know Your Enemy

Identify, examine and understand the threats.

E.g. SQL injection


Risk Management: Know Your Weapons

Identify and apply controls to mitigate the threats.

E.g. controls against SQL injection
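As an added example (not from the lecture), here is the control the slide names, a parameterised query, shown beside the unsafe string-built query so the difference in behaviour is visible on a real database engine. The in-memory table, its rows and the test input are all constructed for this example.

```python
import sqlite3


def build_db():
    # Constructed in-memory table standing in for the organization's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "analyst"), ("carol", "auditor")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable form: user input is spliced into the query text, so the input
    # can change the structure of the query rather than just a compared value.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    # Control: parameterised query. The value travels separately from the SQL
    # text, so whatever it contains is compared as a literal string.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = build_db()
    # Constructed test input that turns the WHERE clause into a tautology
    # when concatenated, but is just an odd username when parameterised.
    hostile = "' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, hostile),  # every user comes back
        "safe": lookup_safe(conn, hostile),      # nobody has that literal name
        "normal": lookup_safe(conn, "bob"),      # the control does not break normal use
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:7s} -> {rows}")
```

The point for risk control is that the parameterised form removes the vulnerability itself rather than trying to recognise bad input, which is why it is the preferred safeguard against this threat.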


• If you know the enemy and know yourself, you need not fear the result of a hundred battles.
• If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
• If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu (544–496 BC), The Art of War
What is Risk Management?

1. Risk identification (identify assets and threats, and calculate the resulting risk)
2. Risk control (decide which safeguards to put in place)


Risk Management Process: Risk Identification

• Asset identification
Types of assets:
1. People (different employees, contractors, vendors)
2. Procedures (standard and sensitive)
3. Data (in transmission, processing and storage)
4. Software (applications, operating systems, security components)
5. Hardware
6. Network (network devices, which are attacked more often)
Risk Identification (Asset Classification): Classifying and Categorizing Assets

Asset classification: the categories must be comprehensive (every asset fits somewhere) and mutually exclusive (each asset fits in only one category).
Classify each asset by priority (critical or non-critical).
Risk Identification (Asset Classification): Listing Assets in Order of Importance

• Build the asset inventory list.
• The next goal is to prioritize each asset by assigning it a value that reflects its significance.

How to assign value to an asset:
1. Which information asset is the most critical to the success of the organization?
2. Which information asset generates the most revenue?
3. Which information asset generates the highest profitability?
4. Which information asset is the most expensive to replace?
5. Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability? (Cambridge Analytica scandal)
Weights can range from 1 to 100 or from 0.1 to 1 (e.g. a generator vs. a server).

[Weighted factor analysis table: overall organizational weight per criterion, individual asset weights, assets marked critical or non-critical]
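A worked example of the weighted factor analysis described above, added here and not part of the lecture: each valuation question becomes a criterion with an organization-wide weight, every asset is scored from 0.1 to 1 against each criterion, and the weighted sum ranks the assets and splits them into critical and non-critical. The criterion weights, the sample assets, their scores and the critical threshold of 50 are all constructed assumptions.

```python
# Criteria taken from the valuation questions on the slide. The weights are
# constructed for this example ("overall organizational weight") and sum to 100.
CRITERIA_WEIGHTS = {
    "critical_to_success": 30,
    "generates_revenue": 20,
    "profitability": 15,
    "replacement_cost": 15,
    "liability_if_compromised": 20,
}

# Sample inventory, constructed for this example. Each asset is scored from
# 0.1 (low) to 1.0 (high) against every criterion ("individual weights").
ASSETS = {
    "Customer database server": {
        "critical_to_success": 1.0, "generates_revenue": 0.9, "profitability": 0.8,
        "replacement_cost": 0.6, "liability_if_compromised": 1.0,
    },
    "Public website": {
        "critical_to_success": 0.7, "generates_revenue": 0.8, "profitability": 0.6,
        "replacement_cost": 0.3, "liability_if_compromised": 0.5,
    },
    "Backup generator": {
        "critical_to_success": 0.4, "generates_revenue": 0.1, "profitability": 0.1,
        "replacement_cost": 0.5, "liability_if_compromised": 0.1,
    },
    "Print server": {
        "critical_to_success": 0.2, "generates_revenue": 0.1, "profitability": 0.1,
        "replacement_cost": 0.2, "liability_if_compromised": 0.1,
    },
}


def weighted_score(scores, weights=CRITERIA_WEIGHTS):
    """Weighted factor analysis: sum over criteria of (criterion weight x asset score)."""
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError("criteria weights must sum to 100")
    total = 0.0
    for criterion, weight in weights.items():
        score = scores[criterion]  # KeyError if an asset was not scored on a criterion
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be between 0.1 and 1.0")
        total += weight * score
    return round(total, 1)


def rank_assets(assets, critical_threshold=50.0):
    """Return (asset, score, class) tuples, highest score first.
    The threshold separating critical from non-critical assets is an assumption."""
    scored = [(name, weighted_score(scores)) for name, scores in assets.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [
        (name, score, "critical" if score >= critical_threshold else "non-critical")
        for name, score in scored
    ]


if __name__ == "__main__":
    for name, score, cls in rank_assets(ASSETS):
        print(f"{score:5.1f}  {cls:12s} {name}")
```

The ranked list is the ordered inventory the slide asks for; the threshold is where the organization draws its critical / non-critical line, and the sum-to-100 check keeps the criterion weights honest when someone edits one of them.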
Threat Identification and Assessment
• The process of identifying threats that have the potential to endanger the organization.

Criteria for threat assessment (prioritizing the threats that can have the most severe impact):
1. Which threats represent the most danger to the organization? Danger depends upon
a. the probability of the threat attacking the organization
b. the frequency with which the attack can occur
c. the amount of damage it could create
2. How much would it cost to recover from the damage?


Vulnerability

A vulnerability is a flaw, loophole or error in the IT infrastructure; when it is exploited, it causes loss or damage to the asset.

The Vulnerability Assessment sheet lists the threats and their associated vulnerabilities.
The Threats-Vulnerabilities-Assets (TVA) Worksheet

• At the end of the risk identification process, a list of assets and their vulnerabilities has been developed.
• Another list prioritizes the threats facing the organization based on the weighted table discussed earlier.
• These two lists can be combined into a single worksheet.


Ranked Vulnerability Risk Worksheet

The final goal of risk assessment is to apply control measures to the risks that have been prioritized.
This document is an extension of the TVA spreadsheet (which shows the relationship between assets, threats and vulnerabilities) discussed earlier, showing only the assets and their relevant vulnerabilities.
Asset value × exposure factor = Loss

Documenting the Risk Assessment Process
Risk Assessment (Risk Rating Factor)
The process of determining which threats are more likely to happen and affect the information assets of the organization.

Risk = the likelihood (0.1 to 1, or 1 to 100; never 0) of the occurrence of a vulnerability
  multiplied by the value of the information asset
  minus the percentage of risk mitigated by current controls
  plus the uncertainty of current knowledge of the vulnerability
Risk Assessment
Likelihood
- The probability that a specific vulnerability will be exploited in a successful attack.
- Ranges from 0.1 to 1 or from 1 to 100, but is never 0.

Value of asset = cost of the asset

The percentage of risk already mitigated by existing controls is deducted.

Uncertainty means lack of knowledge about the threat.

Question:
Asset A has a value of 50 and one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate.
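The risk rating factor formula above, applied in code as an added example that is not the lecture's own: the helper multiplies likelihood by asset value, deducts the percentage of risk mitigated by current controls and adds the uncertainty percentage. Both percentages are taken as percentages of the likelihood × value product, which is an assumption about how the slide's formula is meant to be read. It evaluates the question about Asset A (90% accurate data read as 10% uncertainty) and ranks a small worksheet of assets and vulnerabilities, as the ranked vulnerability risk worksheet does; the worksheet rows and the single-loss inputs are constructed.

```python
def risk_rating(likelihood, asset_value, pct_mitigated=0.0, pct_uncertainty=0.0):
    """Risk rating factor from the lecture:
    likelihood x asset value, minus the % of risk mitigated by current controls,
    plus the % uncertainty in our knowledge of the vulnerability.
    Assumption: both percentages are applied to the likelihood x value product."""
    if not 0.0 < likelihood <= 1.0:
        raise ValueError("likelihood uses the 0.1-1.0 scale and is never 0")
    base = likelihood * asset_value
    return round(base - base * pct_mitigated / 100 + base * pct_uncertainty / 100, 2)


def single_loss(asset_value, exposure_factor):
    """Asset value x exposure factor = loss (the slide's loss formula)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is the fraction of the asset value lost")
    return asset_value * exposure_factor


def lecture_question():
    # Asset A: value 50, one vulnerability, likelihood 1.0, no controls in place,
    # assumptions and data 90% accurate -> 10% uncertainty.
    return risk_rating(likelihood=1.0, asset_value=50, pct_mitigated=0, pct_uncertainty=10)


# Constructed rows for a ranked vulnerability risk worksheet (sample data only).
WORKSHEET = [
    {"asset": "Customer database server", "vulnerability": "SQL injection in web form",
     "value": 90, "likelihood": 0.5, "mitigated": 50, "uncertainty": 10},
    {"asset": "Public website", "vulnerability": "Unpatched web server",
     "value": 60, "likelihood": 0.8, "mitigated": 0, "uncertainty": 20},
    {"asset": "Backup generator", "vulnerability": "Fuel supply failure",
     "value": 25, "likelihood": 0.2, "mitigated": 80, "uncertainty": 10},
]


def ranked_worksheet(rows):
    """Attach a risk rating to each asset/vulnerability pair and sort highest
    risk first: the order in which controls should be considered."""
    scored = [
        dict(row, risk=risk_rating(row["likelihood"], row["value"],
                                   row["mitigated"], row["uncertainty"]))
        for row in rows
    ]
    return sorted(scored, key=lambda row: row["risk"], reverse=True)


if __name__ == "__main__":
    print("Asset A risk rating:", lecture_question())
    for row in ranked_worksheet(WORKSHEET):
        print(f"{row['risk']:6.2f}  {row['asset']}: {row['vulnerability']}")
```

Note how the ranking differs from the asset-value ranking: the database server is the most valuable asset, but existing controls already mitigate half of its risk, so the unpatched public website rises to the top of the worksheet.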
Home Work

Identify the risk management components for the following assets and create an inventory list.

Assets      | Risk Management Components with Examples
People      |
Procedures  |
Data        |
Software    |
Hardware    |
Networking  |

CHEAT CODE: Go through the book “Principles of Information Security Management”
