RM 2 - Risk Assessment
Unit 2
Mukesh Patel School of Technology Management and Engineering Rejo Mathew, Asst Prof, IT
www.nmims.edu/Engineering
Outline
Introduction
Critical components of Risk Assessment
Types of Risk assessment – Quantitative and Qualitative
Identification and Evaluation of Threats
IPR infringement
Vulnerabilities and Countermeasures
Introduction
Risk Assessment / Risk Analysis: the process used to identify and evaluate risks.
Introduction
Importance of Risk Assessment
An RA should be completed:
When evaluating risk—Risk assessments are a part of the overall risk
management process. Risk assessments are useful any time risk
management is being used. This is true if the risks need to be
prioritized.
When evaluating a control—You can use an RA to evaluate the
usefulness of a control. Management can’t approve all controls. They
will approve some controls and not others. An RA helps management
decide which controls to adopt.
Periodically after a control has been implemented—An RA is a point-
in-time document. However, risks don’t stand still. Attackers are
constantly upgrading their techniques and tactics. You should
schedule RAs on a regular basis after a control has been
implemented. The goal is to determine if the control is still useful.
Introduction
Steps of Risk Assessment
Critical Components of RA
Critical steps of Risk Assessment.
Identify scope.
The scope identifies the boundary of the RA. It helps to
eliminate scope creep by keeping the project on track.
Identify critical areas.
RA identifies the critical areas that should be included. This
helps the RA team focus only on what’s important.
Identify team
RA team personnel should not be the same people who are
responsible for correcting deficiencies. This helps avoid a
conflict of interest.
Types of Risk Assessment
Quantitative
It is an objective method. It uses numbers such as actual dollar
values. It requires a significant amount of data. Gathering this
data often takes time. If the data is available, this type of RA
becomes a simple math problem with the use of formulas.
Qualitative
It is a subjective method. It uses relative values based on
opinions from experts. Experts provide their input on the
probability and impact of a risk. It can be completed rather
quickly.
Identifying and Valuing Assets
Identify the information assets in your organization
(hardware, software, and data) and place values on them.
Quantitative Risk Assessment
Quantitative risk assessment attempts to assign values to
each risk and then use those values to weigh the potential
benefit achieved by implementing additional security
measures.
A few definitions
Asset value (AV): The value of the asset, as determined by one of the methods
described previously.
Exposure factor (EF): The expected portion of an asset that would be destroyed
by a given risk, expressed as a percentage of the asset.
Annualized rate of occurrence (ARO): The number of times you expect a risk to
occur each year.
Single loss expectancy (SLE): The loss expected from a single incident. It is
computed as the product of the AV and EF.
Annualized loss expectancy (ALE): The expected loss for a year from a given risk.
It is computed as the product of the ARO and the SLE.
Cost of measure / safeguard control: The cost of the control used to mitigate the risk.
Quantitative Risk Assessment
A company issues laptop computers to employees. The value of each
laptop is $2,000. This includes the hardware, software, and data. About
100 laptops are being used at any time. In the past two years, the
company has lost an average of one laptop per quarter. These laptops
were stolen when systems were left unattended. Calculate the following:
a. SLE
b. ARO
c. ALE
SLE = $2,000
ARO = 4
ALE = $2,000 x 4 = $8,000
Quantitative Risk Assessment
The company could purchase hardware locks for the laptops in bulk at a
cost of $10 each. The safeguard value is $10 x 100 laptops, or $1,000. It’s
estimated that if the locks are purchased, the ARO will decrease from 4 to
1. Should the company purchase these locks?
a. ARO and ALE with control
b. Savings with Control
c. Safeguard value (cost of control)
d. Realized Savings
ARO with control = 1
ALE with control = $2,000 x 1 = $2,000
Savings with control = $8,000 - $2,000 = $6,000
Safeguard value (cost of control) = $10 x 100 = $1,000
Realized savings = $6,000 - $1,000 = $5,000 (savings with control minus the safeguard value)
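As an added example (not code from the slides), the laptop scenario carried through in Python: SLE, ARO and ALE first, then the cost-benefit of the hardware lock exactly as the deck computes it. The two extra controls and all of their figures are constructed for illustration, to show how the same arithmetic ranks several candidate safeguards and flags the ones whose cost exceeds the loss they avoid.

```python
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction; 1.0 means the whole asset is lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the risk parameters expected once it is in place."""
    name: str
    safeguard_value: float  # total cost of the control (the deck's "cost of control")
    aro_after: float        # expected ARO with the control in place
    ef_after: float         # expected EF with the control in place


def evaluate_control(asset_value: float, ef_before: float, aro_before: float,
                     control: Control) -> dict:
    """Cost-benefit of one control: savings = ALE before - ALE after,
    realized savings = savings - safeguard value."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.ef_after), control.aro_after)
    savings = ale_before - ale_after
    realized = savings - control.safeguard_value
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "savings": savings,
        "safeguard_value": control.safeguard_value,
        "realized_savings": realized,
        "adopt": realized > 0,  # only a control that saves more than it costs pays off
    }


def rank_controls(asset_value: float, ef_before: float, aro_before: float,
                  controls: List[Control]) -> List[dict]:
    """Evaluate every candidate and order them by realized savings, best first."""
    results = [evaluate_control(asset_value, ef_before, aro_before, c) for c in controls]
    return sorted(results, key=lambda r: r["realized_savings"], reverse=True)


# Figures from the deck's scenario: $2,000 per laptop (hardware, software and data),
# the whole laptop is lost when stolen (EF = 100%), one theft per quarter (ARO = 4).
LAPTOP_VALUE = 2000.0
LAPTOP_EF = 1.0
LAPTOP_ARO = 4

# The hardware lock is the deck's control ($10 x 100 laptops, ARO falls from 4 to 1).
# The other two controls and their numbers are constructed for illustration only.
CANDIDATE_CONTROLS = [
    Control("hardware lock", safeguard_value=1000.0, aro_after=1, ef_after=1.0),
    Control("full-disk encryption (constructed)", safeguard_value=3000.0, aro_after=4, ef_after=0.5),
    Control("24x7 guard service (constructed)", safeguard_value=20000.0, aro_after=0, ef_after=1.0),
]

if __name__ == "__main__":
    for row in rank_controls(LAPTOP_VALUE, LAPTOP_EF, LAPTOP_ARO, CANDIDATE_CONTROLS):
        verdict = "adopt" if row["adopt"] else "reject"
        print(f"{row['control']:<36} ALE ${row['ale_before']:>8,.0f} -> "
              f"${row['ale_after']:>8,.0f}  realized ${row['realized_savings']:>9,.0f}  {verdict}")
```

With the deck's numbers the lock yields the $5,000 realized savings shown above; the constructed encryption control lowers EF rather than ARO (the hardware is still lost, the data is not), and the constructed guard service drives ARO to zero yet is rejected because its cost exceeds the whole ALE it removes.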
Qualitative Risk Assessment
It focuses on analyzing the intangible properties of an asset rather than
focusing on monetary value.
Qualitative Risk Assessment
Probability Scale
Impact Scale
Qualitative Risk Assessment
Prioritizing Risks
An online website selling e-commerce products
Qualitative Risk Assessment
Prioritizing Risks
An online website selling e-commerce products
Risk Matrix
Qualitative Risk Assessment
Evaluating Effectiveness of Controls
An online website selling e-commerce products
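The deck's slides on prioritizing risks, the risk matrix and evaluating control effectiveness are figures that did not survive extraction, so this added Python example (not the slides' own material) walks through the qualitative method for the e-commerce website scenario. The Low/Medium/High probability and impact scales, the rating thresholds and the risk register are all constructed; as the limitations slide notes, a company has to define its own scales.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed three-level scales standing in for the deck's probability and impact scales.
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(probability: str, impact: str) -> int:
    """Risk score = probability level x impact level (one cell of the risk matrix)."""
    return PROBABILITY[probability] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Map a matrix score onto a rating band (constructed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    probability: str
    impact: str
    control: Optional[str] = None                # safeguard proposed for this risk
    residual_probability: Optional[str] = None   # expert estimate once the control is in place
    residual_impact: Optional[str] = None


def prioritize(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Order risks by score, highest first, returning (name, score, rating)."""
    scored = []
    for r in risks:
        score = risk_score(r.probability, r.impact)
        scored.append((r.name, score, risk_rating(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


def build_matrix(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Place each risk into its (probability, impact) cell of the risk matrix."""
    matrix: Dict[Tuple[str, str], List[str]] = {
        (p, i): [] for p in PROBABILITY for i in IMPACT}
    for r in risks:
        matrix[(r.probability, r.impact)].append(r.name)
    return matrix


def control_effectiveness(risk: Risk) -> dict:
    """Compare the inherent rating with the residual rating the experts expect
    after the control; the control is effective if it lowers the score."""
    inherent = risk_score(risk.probability, risk.impact)
    if risk.control is None or risk.residual_probability is None or risk.residual_impact is None:
        residual = inherent  # nothing proposed, so nothing changes
    else:
        residual = risk_score(risk.residual_probability, risk.residual_impact)
    return {
        "risk": risk.name,
        "control": risk.control,
        "inherent": inherent,
        "inherent_rating": risk_rating(inherent),
        "residual": residual,
        "residual_rating": risk_rating(residual),
        "effective": residual < inherent,
    }


# Constructed risk register for the deck's e-commerce website scenario.
ECOMMERCE_RISKS = [
    Risk("Web shop outage during peak sale", "High", "High",
         control="redundant web servers with monitoring",
         residual_probability="Low", residual_impact="High"),
    Risk("Exposure of stored customer card data", "Medium", "High",
         control="tokenise cards through the payment provider",
         residual_probability="Low", residual_impact="Medium"),
    Risk("Wrong price published for a product", "High", "Low",
         control="two-person approval of price changes",
         residual_probability="Low", residual_impact="Low"),
    Risk("Office printer failure", "Low", "Low"),
]

if __name__ == "__main__":
    for name, score, rating in prioritize(ECOMMERCE_RISKS):
        print(f"{score}  {rating:<6} {name}")
    for r in ECOMMERCE_RISKS:
        e = control_effectiveness(r)
        print(f"{e['risk']}: {e['inherent_rating']} -> {e['residual_rating']} "
              f"({'effective' if e['effective'] else 'no change'})")
```

Because the scales are ordinal, the scores only order risks against each other; they carry no currency value, which is exactly the cost-benefit gap the next slide lists as a limitation of the qualitative method.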
Limitations of Qualitative RA
No cost-benefit analysis
The usefulness of the controls isn’t as clear as with a quantitative analysis.
Although the opinions of the experts are still valuable, the results may not
be as clear to management. Management may have a more difficult time
deciding which safeguards to use.
No real standards
A company needs to define the scales used in the process. For example, the
scale can be as simple as Low, Medium, and High. However, the scale needs
to be developed and defined for the participants. This requires the
expertise of someone that understands risk assessments and how the data
will be used.
Quantitative vs Qualitative
Quantitative                                     Qualitative
Objective                                        Subjective
Deductive                                        Inductive
Uses numeric values and tools                    Based on the opinion of experts
Time consuming                                   Less time consuming
Costly, as it depends on data collection,        Less costly
which is difficult to obtain
Identifying and Evaluating Threats
Review historical data
Attacks: the success of the next attack depends on the level of protection you have implemented since the last one. This is true for any event.
Natural events: most organizations located in risk zones for natural disasters (hurricanes, tornadoes, earthquakes) have disaster recovery and business continuity plans in place.
Accidents: any event that affects confidentiality, integrity or availability (CIA), e.g. users accidentally deleting data, user errors, or mishaps in the workplace.
Identifying and Evaluating Threats
Threat modelling: a process used to identify possible threats to a system, viewed from the attacker's perspective.
It provides information on:
The system: background information about the system.
Threat profile: a list of threats. It identifies what an attacker may try to do to the system, including the possible goals of the attack.
IPR Infringement
Copyright infringement: the use of works protected by copyright without permission, violating rights such as the right to reproduce, distribute, display or perform the protected work, or to make derivative works. Copyright holders can invoke legal and technological measures to prevent and penalize copyright infringement.
Identifying and Evaluating Vulnerabilities
By using different assessments
Identifying and Evaluating Countermeasures
One should consider the following kinds of control and their purpose:
In-place controls: controls that are currently installed in the operational system.
Identifying and Evaluating Countermeasures
Control Categories
Physical security controls: locked doors, guards and access logs, video cameras, fire detection and suppression, water leak detection, temperature and humidity detection, electrical grounding and circuit breakers.