
Risk Analysis


nwilson


Presentation Transcript


  1. Risk Analysis
  • Risk impact – loss associated with an event
  • Risk probability – likelihood that the event will occur
  • Risk control – degree to which we can change the outcome
  • Risk exposure – risk impact * risk probability

  2. Risk Analysis – risk reduction
  • Avoid the risk
  • Transfer the risk
  • Assume the risk
  • Risk leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / cost of risk reduction
  • Cannot guarantee systems are risk free
  • Security plans must address the action needed should an unexpected risk become a problem

  3. Steps of a Risk Analysis
  • Identify assets
  • Determine vulnerabilities
  • Estimate likelihood of exploitation
  • Compute expected annual loss
  • Survey applicable controls and their costs
  • Project annual savings of control

  4. Identify Assets
  • Hardware
  • Software
  • Data
  • People
  • Procedures (policies, training)
  • Documentation
  • Supplies
  • Infrastructure (building, power, water, …)

  5. Determine Vulnerabilities

  6. Determine Vulnerabilities
  • What are the effects of unintentional errors?
  • What are the effects of willfully malicious insiders?
  • What are the effects of outsiders?
  • What are the effects of natural and physical disasters?

  7. Risk Analysis
  • Estimate Likelihood of Exploitation
  • Classical probability
  • Frequency probability (simulation)
  • Subjective probability (Delphi approach)
  • Compute Expected Loss (look for hidden costs)
  • Legal obligations
  • Side effects
  • Psychological effects

  8. Risk Analysis
  • Survey and Select New Controls
  • What criteria are used for selecting controls?
  • Vulnerability Assessment and Mitigation (VAM) Methodology
  • How do controls affect what they control?
  • Which controls are best?
  • Project Savings
  • Do costs outweigh the benefits of preventing / mitigating risks?
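As an added worked example, not part of the slides, the formulas from slides 1, 2 and 8 applied to constructed figures: exposure as impact times annual probability, the leverage of each candidate control, and whether its annual savings exceed its cost. The Risk and Control classes and all sample figures are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    impact: float       # loss per occurrence (currency units)
    probability: float  # expected occurrences per year

@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the Risk it reduces
    annual_cost: float
    new_impact: float   # impact and probability once the control is in place
    new_probability: float

def risk_exposure(impact, probability):
    """Slide 1: risk exposure = risk impact * risk probability (expected annual loss)."""
    return impact * probability

def risk_leverage(before, after, cost):
    """Slide 2: [(exposure before reduction) - (exposure after reduction)] / cost."""
    if cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    return (before - after) / cost

def evaluate_controls(risks, controls):
    """Map each control to (annual savings, leverage, worthwhile); slide 8 asks whether
    costs outweigh benefits, so worthwhile means savings > 0, i.e. leverage > 1."""
    by_name = {r.name: r for r in risks}
    results = {}
    for c in controls:
        r = by_name[c.risk]
        before = risk_exposure(r.impact, r.probability)
        after = risk_exposure(c.new_impact, c.new_probability)
        savings = (before - after) - c.annual_cost
        results[c.name] = (savings, risk_leverage(before, after, c.annual_cost), savings > 0)
    return results

# Constructed sample figures, chosen for illustration only (hypothetical values).
RISKS = [Risk("ransomware on file server", 200_000.0, 0.10),
         Risk("laptop theft", 5_000.0, 2.0)]
CONTROLS = [Control("offline backups", "ransomware on file server", 12_000.0, 40_000.0, 0.10),
            Control("armed courier for laptops", "laptop theft", 50_000.0, 5_000.0, 0.5)]

if __name__ == "__main__":
    for name, (savings, lev, ok) in evaluate_controls(RISKS, CONTROLS).items():
        print(f"{name}: savings={savings:,.0f} leverage={lev:.2f} worthwhile={ok}")
```

With these figures the backups cut expected loss by 16,000 for a 12,000 outlay (leverage 1.33), while the courier removes only 7,500 of exposure for 50,000 (leverage 0.15) and is rejected.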

  9. Arguments for Risk Analysis
  • Improve awareness
  • Relate security mission to management objectives
  • Identify assets, vulnerabilities, and controls
  • Improve basis for decisions
  • Justify expenditures for security

  10. Arguments against Risk Analysis
  • False sense of precision and confidence
  • Hard to perform
  • Immutability (filed and forgotten)
  • Lack of accuracy
  • “Today’s complex Internet networks cannot be made watertight…. A system administrator has to get everything right all the time; a hacker only has to find one small hole. A sysadmin has to be lucky all of the time; a hacker only has to get lucky once. It is easier to destroy than to create.”
  – Robert Graham, lead architect of Internet Security Systems
