Scribd Logo
Upload

Welcome to Scribd!

  • 10 views

    CH 9 Risk

    Uploaded by

    Naveed Riaz
    The document discusses risk management and controlling risk through various strategies such as avoidance, transference, mitigation, and acceptance. It also covers managing residual risk, conducting cost-benefit analyses to determine the feasibility of risk controls, and considerations for risk management related to employees. The overall goal of risk management is to design and create a safe environment for business processes and procedures while keeping up with competition.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    CH 9 Risk

    Uploaded by

    Naveed Riaz
    10 views24 pages
    The document discusses risk management and controlling risk through various strategies such as avoidance, transference, mitigation, and acceptance. It also covers managing residual risk, conducting cost-benefit analyses to determine the feasibility of risk controls, and considerations for risk management related to employees. The overall goal of risk management is to design and create a safe environment for business processes and procedures while keeping up with competition.

    Original Description:

    Risk Management

    Original Title

    Ch9Risk

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses risk management and controlling risk through various strategies such as avoidance, transference, mitigation, and acceptance. It also covers managing residual risk, conducting cost-benefit analyses to determine the feasibility of risk controls, and considerations for risk management related to employees. The overall goal of risk management is to design and create a safe environment for business processes and procedures while keeping up with competition.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    10 views24 pages

    CH 9 Risk

    Uploaded by

    Naveed Riaz
    The document discusses risk management and controlling risk through various strategies such as avoidance, transference, mitigation, and acceptance. It also covers managing residual risk, conducting cost-benefit analyses to determine the feasibility of risk controls, and considerations for risk management related to employees. The overall goal of risk management is to design and create a safe environment for business processes and procedures while keeping up with competition.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as ppt, pdf, or txt
    of 24

    INFORMATION SECURITY

    MANAGEMENT

    LECTURE 8: RISK MANAGEMENT


    CONTROLLING RISK

    You got to be careful if you don’t know where you’re going,


    because you might not get there. – Yogi Berra
    Introduction

    To keep up with the competition, organizations must


    design and create a safe environment in which business
    processes and procedures can function
    Risk Control Strategies

    Choose one of four basic strategies:

     Avoidance
     Transference
     Mitigation
     Acceptance
    Avoidance

    The risk control strategy that attempts to prevent the


    exploitation of the vulnerability

    •Examples
    Transference

    The control approach that attempts to shift the risk to


    other assets, other processes, or other organizations

    •Examples
    Mitigation

    The control approach that attempts to reduce the damage


    caused by exploitation of vulnerability

    •Types of Mitigation Plans


    Acceptance

    • Do nothing to protect an information asset


    – To accept the loss when it occurs
    Managing Risk

    • Risk appetite (also known as risk tolerance)


    Managing Risk – Residual Risk

    • Residual Risk is a combined function of:


    – Threats, vulnerabilities and assets, less the effects of the
    safeguards in place
    Managing Risk – Residual Risk

    • Once a control strategy has been selected and


    implemented:
    – The effectiveness of controls should be monitored and
    measured on an ongoing basis (remember our discussion
    on metrics and baselining)

    • determines effectiveness and accuracy of the residual


    risk estimate
    Managing Risk – Risk Control

    • Risk control involves selecting one of the four risk


    control strategies

    Should the organization ever


    accept the risk?
    Risk Acceptance

    Figure 9-2 Risk-handling action points


    Source: Course Technology/Cengage Learning
    Feasibility and Cost-Benefit Analysis

    • There are a number of ways to determine the


    advantage or disadvantage of a specific control
    • The primary means are based on the value of the information
    assets that it is designed to protect

    • Economic feasibility
    – Evaluating the worth of the information assets to be protected
    and the loss in value if those information assets are
    compromised
    Cost-Benefit Analysis: Cost

    • Factors that affect the cost of a safeguard


    – Cost of development or acquisition of hardware, software,
    and services
    – Training fees
    – Cost of implementation
    – Service and maintenance costs
    Cost-Benefit Analysis: Benefit

    The value to the organization of using controls to prevent


    losses associated with a specific vulnerability
    Cost-Benefit Analysis: Asset Valuation

    The process of assigning financial value or worth to each


    information asset

    Involves estimation of real and perceived costs associated


    with the design, development, installation, maintenance,
    protection, recovery, and defense against loss and litigation
    Cost-Benefit Analysis: Asset Valuation

    • An organization must be able to place a dollar value


    on each information asset it owns

    • Potential loss is that which could occur from the


    exploitation of vulnerability or a threat occurrence
    Cost-Benefit Analysis Calculation

    • CBA determines whether or not a control alternative is


    worth its associated cost

    • CBAs may be calculated before a control or safeguard


    is implemented Or calculated after controls have been
    implemented and have been functioning for a time
    Cost-Benefit Analysis Calculation

    CBA = ALE(prior) – ALE(post) – ACS

    – ALE (prior to control) is the annualized loss


    expectancy of the risk before the implementation
    of the control

    – ALE (post-control) is the ALE examined after the


    control has been in place for a period of time

    – ACS is the annual cost of the safeguard


    Example of Cost-Benefit Analysis Calculation

    Dropping an iPad and breaking the screen


    Asset value: $700
     Exposure factor: 50%
     SLE = ?
     ARO = 25% chance of damaging
     ALE (prior) = ?
     Assume the ARO is reduced to 5% by using control
     ALE (post) = ?

    CBA (cost of case = $30)


     CBA = ALE(prior) – ALE(post) – ACS
     CBA = ?
    Example of Cost-Benefit Analysis Calculation

    Unprotected customer database


    Asset value: $200,000
     Exposure factor: 50%
     SLE = ?
     ARO = 75% chance of occurring
     ALE (prior) = ?
     Assume the ARO is reduced to 5% by using control
     ALE (post) = ?

    CBA (ACS = $5,000)


     CBA = ALE(prior) – ALE(post) – ACS
     CBA = ?
    Other Methods of Establishing Feasibility

    • Organizational feasibility analysis


    • Operational feasibility
    • Technical feasibility
    • Political feasibility
    Alternatives to Feasibility Analysis

    • Benchmarking
    • Due care and due diligence
    • Best business practices
    • Gold standard
    • Government recommendations
    • Baseline
    Risk Management and Employees

    “Only two things are finite, the universe and human stupidity,
    and I’m not sure about the former.”
    - Albert Einstein

    Types of Employees and Security Knowledge


     Those who know
     Those who don’t
     Those who think they know but don’t

    You might also like