Risk (Lecture 4) Flashcards
Define Security
Security is aimed at preventing loss or disclosure of data while maintaining authorised access
Define Risk
The possibility or likelihood that something could happen to damage, destroy or disclose data and other resources without authorisation.
The more likely the occurrence of the threat, the greater the risk
Can be quantified as Risk = Threat x vulnerability
Why is understanding risk management important?
Essential to establish a sufficient security stance, governance and legal proof of due care and diligence
Who is responsible for risk management in an organisation?
Responsibility of senior management and the organisation's governing board
Usually define the scope, purpose and parameters for a risk analysis
Day-to-day tasks generally delegated throughout the organisation to teams with specialist knowledge or skills
Senior management must review results and authorise all decisions relating to risk
Due Care legal requirement (Data Protection, Transaction Processing)
What does the term ‘Risk Appetite’ mean?
Risk appetite refers to how far away from ‘zero risk’ an organisation is willing to be and what amount of risk is acceptable
What is the primary goal of risk management?
To reduce risk to an acceptable level
Acceptable levels vary between organisations and even departments within
What can change acceptable levels of risk?
Value of assets
Budgets
Organisational Objectives and deliverables (Service Level Agreement)
As well as computer based risks, what other risks are there?
Natural disaster (fire, flood)
Terrorism/Activism
Accidental Damage
What is Risk Analysis?
Process by which risk can be measured and quantified to assist in risk management.
Includes examining an environment for risk
Evaluates each threat for Likelihood of Occurrence and potential impact/consequence
What does risk analysis focus on?
Cost Vs Benefit
Likelihood of success
Implementation requirements
Define a Breach
Occurrence of a security mechanism being bypassed or thwarted by a threat actor or attacker
Define Penetration/Intrusion
Refers to a condition in which a threat actor has gained access to an organisation's infrastructure or resources by breaching security mechanisms
What is asset valuation?
A monetary value assigned to an asset indicating its value to the organisation including costs relating to Tangible Costs (maintenance, repair, replacement, staffing)
and Intangible Costs (public confidence, industry support, organisational impact)
What is a realised threat?
A threat or event that has taken place
What does Exposure mean?
The potential future loss assigned to a threat or vulnerability.
Exposure to a ‘realised threat’ is called Experienced Exposure
What does Mitigation mean?
AKA Countermeasures, security controls or safeguards - any measure which reduces vulnerabilities, and therefore risk, to protect against one or more threats
Can include software patching, changing configuration, employing physical security, training personnel
How do you identify threats and vulnerabilities?
By creating an exhaustive list of all organisation assets, called an Assets Register, which should include physical and digital assets.
Then a list should be compiled of all possible threats for each asset. Should include threat agents as well as threat events
Name and explain two types of risk analysis
Quantitative risk analysis - assigns monetary figures to the loss of an asset
Qualitative risk analysis - assigns subjective and intangible values to the loss of an asset
How do you formulate a Quantitative Risk Figure for each asset and threat pair?
Assets assigned a value (Asset Value - AV)
Research each asset and produce list of possible threats to each asset
For each threat calculate the Exposure Factor (EF) and Single Loss Expectancy (SLE)
Perform a threat analysis to calculate the likelihood of each threat being realised in a single year (Annualised Rate of Occurrence - ARO)
Derive overall loss potential per threat by calculating Annualised Loss Expectancy (ALE)
Research countermeasures for each threat and calculate changes to ARO and ALE based on them being applied
Perform Cost/Benefit analysis of each countermeasure
List considerations when determining asset value
Purchase cost
Development cost
Administrative cost
Maintenance cost
Market valuation
Liability
Operational cost
What is Exposure Factor (EF)?
Shows percentage of loss that an organisation would experience if a specific asset was violated by a realised risk.
It is the expected overall asset value loss because of single realised risk
Expressed as a percentage
Needed to calculate Single Loss Expectancy
What is Single Loss Expectancy (SLE)?
It is the cost associated with a single realised risk against a specific asset
Expressed as monetary value
Calculated by:-
SLE = Asset Value (AV) x Exposure Factor (EF)
What is Annual Rate of Occurrence? (ARO)
It is the expected frequency with which a threat or risk will occur in a single year, AKA Probability Determination
Can be derived from historical records, statistical analysis or guesswork
ARO = Number of known events / Number of years
or
ARO = Number of users x likelihood of threat per user
What is Annualised Loss Expectancy (ALE) and how is it calculated?
Possible yearly cost of all instances of a specific realised threat against a specific asset
ALE = SLE x ARO
What is Qualitative Risk Analysis?
More scenario based than calculator based
Rank threats on a scale to evaluate potential impact rather than assign possible monetary losses
Should be used alongside Quantitative to evaluate all factors
Can measure reputational impacts
Involves judgement, intuition and experience
What are the results of risk analysis?
Complete and detailed valuation of all assets
Exhaustive list of all threats and risks, rate of occurrence and extent of loss if realised
List of threat specific mitigations and their effectiveness
Cost/benefit analysis of each mitigation
What are the 4 possible responses to risk?
Mitigate - Implement controls to reduce the risk
Transfer - Move the risk to someone else (insurance)
Accept - Accept the risk level and monitor for events
Reject - Ignore the risk and hope for the best
What would a new mitigation need to do to be deemed a viable solution in quantitative risk analysis?
Calculate ALE for the asset after mitigation implemented
Look to reduce either Exposure Factor (EF), Annualised Rate of Occurrence (ARO) or both.
This will reduce the Annualised Loss Expectancy (ALE)
Mitigation may be considered financially viable under what circumstances?
If the difference between the old and new ALE value is greater than the Annualised Cost of Mitigation (ACM)
(ALE1 – ALE2) – ACM = value of mitigation
What is qualitative mitigation?
Imagine mitigation has been put in place, compare new predicted likelihood and impact to original risk matrix and look for reduction in either or both these factors
When is qualitative mitigation deemed viable?
If the reduction brings the overall score/risk into an acceptable level
What factors should be considered when calculating Annualised Cost of Mitigation?
Cost of purchase, development and licensing
Cost of implementation and customisation
Cost of annual operation, maintenance, administration
Productivity improvements/impairments
Cost of testing/evaluating
When might senior management choose to accept a risk?
If the mitigation costs more than the potential loss due to an event. In this case senior management must agree to accept the consequences if risk is realised
If risk is accepted, a clearly written statement should provide what?
Why mitigation was not implemented
Who is responsible for the decision
Who will be responsible if risk is realised