CC7178 Cyber Security Management Risk Identification and Risk Assessment
Lecture 2
Risk Identification and Risk Assessment
Risk Identification
• Asset Identification
Types of assets:
1. People (different employees, contractors, vendors)
2. Procedures (Standard and Sensitive)
3. Data (transmission, processing and storage)
4. Software (applications, operating system, security components)
5. Hardware
6. Network (network devices; the asset type that is attacked most often)
Risk Identification (Asset Classification)
• The next goal is to prioritize each asset by assigning it a value that reflects its significance. Useful questions:
1. Which information asset is the most critical to the success of the organization?
2. Which information asset generates the most revenue?
3. Which information asset generates the highest profitability?
4. Which information asset is the most expensive to replace?
5. Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability? (Cambridge Analytica scandal)
Weights can range from 1 to 100 or from 0.1 to 1 (e.g. a backup generator vs. a server). Each asset's individual weight places it on a scale from non-critical asset to critical asset.
Threat identification and assessment
• The process of identifying threats that have the potential to endanger the organization.
Criteria for threat assessment (prioritizing the threats that can have the most severe impact):
1. Which threats represent the most danger to the organization? Danger depends on:
a. The probability of the threat attacking the organization
b. The frequency with which the attack can occur
c. The amount of damage it could cause
The final goal of risk assessment is to apply control measures to the risks that have been prioritized.
This document is an extension of the TVA spreadsheet (which shows the relationship between assets, threats and vulnerabilities) discussed earlier, showing only the assets and their relevant vulnerabilities.
Asset value × exposure factor = Loss
Documenting the Risk Assessment Process
Risk Assessment (Risk Rating Factor)
The process of determining which threats are most likely to occur and to affect the information assets of the organization.
Risk = (likelihood of the occurrence of a vulnerability × value of the information asset)
       − percentage of risk mitigated by current controls
       + uncertainty of current knowledge of the vulnerability
where likelihood is expressed on a scale of 0.1 to 1 (or 1 to 100) and is never 0.
Risk Assessment
Likelihood
- The probability that a specific vulnerability will be exploited in a successful attack.
- Ranges from 0.1 to 1 (or 1 to 100), but is never 0.
The percentage of the risk that current controls have already mitigated is deducted; the uncertainty in our knowledge of the vulnerability is added back.
Question:
Asset A has a value of 50 and one vulnerability, which has a likelihood of 1.0 with no current
controls. Your assumptions and data are 90% accurate.
Homework
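As an added worked example (not part of the lecture notes), the risk-rating formula above implemented in Python and applied to the question's inputs, plus a constructed second asset so the ranking step is visible. It assumes that the mitigated and uncertainty percentages are percentages of the likelihood × asset value product, and that uncertainty is 100% minus the stated accuracy of the assumptions and data; the slide does not spell either out.

```python
"""Risk-rating factor: likelihood x asset value - mitigated% + uncertainty%.

Added example, not part of the lecture. Assumptions (not stated on the
slide): both percentages apply to the likelihood x value product, and
uncertainty = 100% - accuracy of our assumptions and data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str
    likelihood: float     # 0.1..1 (or 1..100), never 0
    mitigated_pct: float  # % of the risk already removed by current controls
    accuracy_pct: float   # how accurate our assumptions and data are, in %


def validate_likelihood(likelihood: float) -> None:
    """Enforce the lecture's scale: 0.1..1 or 1..100, and 0 is never allowed."""
    if not 0.1 <= likelihood <= 100.0:
        raise ValueError(f"likelihood {likelihood} must be in 0.1-1 or 1-100, never 0")


def risk_rating(asset_value: float, vuln: Vulnerability) -> float:
    """Risk = (likelihood x value) - mitigated share + uncertainty share."""
    validate_likelihood(vuln.likelihood)
    base = vuln.likelihood * asset_value
    mitigated = base * vuln.mitigated_pct / 100
    uncertainty = base * (100 - vuln.accuracy_pct) / 100
    return base - mitigated + uncertainty


def rank_assets(assets: dict) -> list:
    """Return (asset, vulnerability, risk) rows, highest risk first,
    as a risk-rating worksheet lists them for control prioritization."""
    rows = [(asset, v.name, risk_rating(value, v))
            for asset, (value, vulns) in assets.items() for v in vulns]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Asset A is the lecture's question; Asset B is constructed for illustration.
ASSETS = {
    "Asset A": (50, [Vulnerability("vuln 1", 1.0, 0, 90)]),
    "Asset B": (100, [Vulnerability("vuln 2", 0.5, 50, 80),
                      Vulnerability("vuln 3", 0.1, 0, 100)]),
}

if __name__ == "__main__":
    for asset, vuln, risk in rank_assets(ASSETS):
        print(f"{asset:8} {vuln:7} risk = {risk:.1f}")
```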