Risk Management Information Security Dr Hans Georg Schaathun - PowerPoint PPT Presentation



  1. Risk Management: Information Security. Dr Hans Georg Schaathun, Høgskolen i Ålesund, Autumn 2011 – Week 5. [slide footer: Dr Hans Georg Schaathun, Risk Management, Autumn 2011 – Week 5]

  2. Learning Outcomes. After this week, students should be able to:
     - understand what risk is;
     - know what one can do about risk;
     - conduct a simple risk analysis using the FAIR framework.

  3. Risk and Risk Management: Outline

  4. Risk and Risk Management / What risk is: Outline

  5. Risk and Risk Management / What risk is: Definition of Risk
     Risk is a potential event which, if occurring, will cause some impact.
     - Risk breaks down into two factors: Loss Event Frequency and Probable Loss Magnitude (diagram).

  6. Risk and Risk Management / Risk Treatment: Outline

  7. Risk and Risk Management / Risk Treatment: Risk Treatment
     Only four approaches to risk — TARA:
     - Transfer: let someone else take the risk.
     - Avoid: drop the business.
     - Reduce: implement effective controls to reduce the probability and/or impact.
     - Accept: conclude that the benefit outweighs the risk and live with it.

  10. Risk and Risk Management / Risk Treatment: Transfer
      - Common example: insurance. You pay someone to take the risk for you; insurers gather risks in large quantities, and the Law of Large Numbers in statistics reduces their total risk.
      - Contractual matters: transfer risk to your clients. The key issue of any contract: who takes the risk?

  11. Risk and Risk Management / Risk Treatment: Avoid
      Avoid means staying out of the business. Nothing ventured, nothing gained. One avoids the risk if it outweighs the possible gain.
      - Choosing not to have WiFi
      - Choosing not to use BankID
      - Choosing not to have web pages
      - Choosing not to do business in South America
      There is NO other way to avoid risk.

  12. Risk and Risk Management / Risk Treatment: Reduce
      Controls reduce risk. You can (almost?) never reduce risk to zero; expect some residual risk.
      - Access control may reduce the risk of having WiFi.
      - Malware filters may reduce the risk of using BankID.
      - Good secure coding practice may reduce the risk of web pages.

  13. Risk and Risk Management / Risk Treatment: Accept
      Risk does not have to be bad. We accept risk when ...
      - the possible gain outweighs the risk;
      - the cost of reducing or transferring the risk outweighs the risk itself.

  14. Risk and Risk Management / Risk Management: Outline

  15. Risk and Risk Management / Risk Management: Graphical View of ISO 27005 Information Risk Management
      A graphical view of ISO 27005 (diagram, source: www.cs.surrey.ac.uk). Process boxes, in order: Context Establishment (with Risk Appetite); Risk Assessment, consisting of Risk Analysis (Risk Identification, Risk Estimation) and Risk Evaluation; decision "Assessment satisfactory?"; Risk Treatment; decision "Treatment satisfactory?"; Risk Acceptance. Risk Monitoring and Review and Risk Communication run alongside the whole process.

  16. Risk and Risk Management / Risk Management: ISO 31000 Risk Principles
      Risk management should:
      - create value;
      - be an integral part of organisational processes;
      - be part of decision making;
      - be systematic and structured;
      - be based on the best available information;
      - be tailored;
      - be transparent and inclusive;
      - be dynamic, iterative and responsive to change;
      - be capable of continual improvement and enhancement.

  17. Risk and Risk Management / Risk Management: Risk Appetite, Risk Tolerance
      The organisation must decide how it values risk: risk seeking or risk averse?
      - Risk appetite refers to the willingness to take risk; it decides what risk levels to accept. Risk does not have to be negative ... high risk may mean huge gain.
      - FAIR speaks of risk tolerance: how much risk will you tolerate? This wording indicates that risk is always negative.

  18. Risk and Risk Management / Risk Management: Assessing a methodology
      Risk analysis is never perfect; it depends on approximation and guesswork. A methodology should:
      - structure the available information;
      - emphasise the most important pieces of information.
      Considering a methodology, FAIR asks:
      - Is it useful?
      - Is it logical?
      - Does it track with reality?

  19. Risk and Risk Management / Risk Management: Possibilities and Probabilities
      Possibility is a binary quantity: either we might lose, or we cannot.
      Probability is a continuous measure: a negative outcome may be more or less likely to happen, and we may or may not find the probability acceptable.
      "Prediction is very difficult, especially about the future." (Niels Bohr)
      A security expert will always lose; either
      - waste resources on controls where there is no loss, or
      - lose when struck by a threat that was not controlled.

  22. Risk and Risk Management / Impact: Outline

  23. Risk and Risk Management / Impact: Impact
      1. Personal impacts: death, injury
      2. Business impacts: bankruptcy
      3. Societal impact: collapse of social order
      4. Geo-political impact: war
      5. Environmental impacts: global warming

  29. The FAIR Framework: Outline
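A worked calculation, added here as an example and not part of the lecture slides, that ties slide 5's decomposition (Risk = Loss Event Frequency × Probable Loss Magnitude) to the TARA choices of slides 7 to 13: each option is valued as annual benefit minus treatment cost minus retained risk, so Accept wins exactly when the cost of reducing or transferring the risk outweighs the risk itself, and Avoid wins only when nothing else leaves a positive net value. It goes one step beyond the slides by also sampling the product to show the spread of losses, not only the mean. Everything numeric is constructed: the three-point estimates, the web-application benefit, the hypothetical control that scales LEF, and the hypothetical insurance that retains a fraction of each loss.

```python
"""FAIR-style risk estimate plus a TARA treatment comparison.
Added example, not from the lecture; all figures are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for a FAIR input,
    modelled here as a triangular distribution (an assumption of this example)."""
    low: float
    likely: float
    high: float

    @property
    def mean(self) -> float:
        # Mean of a triangular distribution with these parameters.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


def point_risk(lef: Estimate, plm: Estimate) -> float:
    """Expected annual loss = Loss Event Frequency x Probable Loss Magnitude.
    For independent inputs the mean of the product is the product of the means."""
    return lef.mean * plm.mean


def simulated_risk(lef: Estimate, plm: Estimate, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo view of the same product: percentiles and mean of annual loss,
    so the analyst sees the spread rather than a single number."""
    rng = random.Random(seed)
    losses = sorted(lef.sample(rng) * plm.sample(rng) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[int(q * (trials - 1))]

    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": sum(losses) / trials}


@dataclass(frozen=True)
class Option:
    """One TARA choice, valued as benefit minus treatment cost minus retained risk."""
    name: str
    benefit: float        # annual benefit of staying in the business (0 when avoided)
    annual_cost: float    # premium or control cost (0 for Accept and Avoid)
    retained_risk: float  # expected annual loss still carried after treatment

    @property
    def net_value(self) -> float:
        return self.benefit - self.annual_cost - self.retained_risk


def tara_options(lef, plm, benefit, control_cost, control_lef_factor,
                 premium, retained_fraction):
    """Build the four options for one scenario. The (hypothetical) control is
    preventive and scales LEF; the (hypothetical) insurance leaves a fraction
    of each loss with the insured."""
    base = point_risk(lef, plm)
    reduced = Estimate(lef.low * control_lef_factor, lef.likely * control_lef_factor,
                       lef.high * control_lef_factor)
    return [
        Option("Accept", benefit, 0.0, base),
        Option("Avoid", 0.0, 0.0, 0.0),
        Option("Reduce", benefit, control_cost, point_risk(reduced, plm)),
        Option("Transfer", benefit, premium, base * retained_fraction),
    ]


def choose_treatment(options) -> Option:
    """Pick the option with the highest net value."""
    return max(options, key=lambda o: o.net_value)


# Constructed scenario: a public web application. Hypothetical figures.
LEF = Estimate(0.2, 1.0, 3.0)             # loss events per year
PLM = Estimate(20_000, 100_000, 500_000)  # loss per event (currency units)


def web_app_decision():
    opts = tara_options(LEF, PLM, benefit=400_000, control_cost=60_000,
                        control_lef_factor=0.25, premium=90_000,
                        retained_fraction=0.2)
    return choose_treatment(opts), opts


if __name__ == "__main__":
    print(f"point risk: {point_risk(LEF, PLM):,.0f} per year")
    print(simulated_risk(LEF, PLM))
    best, opts = web_app_decision()
    for o in opts:
        print(f"{o.name:9} net value {o.net_value:>12,.0f}")
    print("choose:", best.name)
```

Changing the constructed figures is the point of the exercise: raise the control cost or lower its effect and Accept or Transfer overtakes Reduce; shrink the benefit below the best achievable net cost and Avoid becomes the only option with non-negative value, which is slide 11's "one avoids the risk if it outweighs the possible gain".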
