TRANSCRIPT
CMGT 442
Philip Robbins – November 28, 2012 (Week 3)
University of Phoenix Mililani Campus
Information Systems Risk Management
Objectives: Week 3
• Risk Assessment (Part 2)
- Review Week 1 & 2: Concepts
- LT Activity: Week 3 & Week 4 Article Readings
- Discuss Homework Assignments & Class Videos
- Week 3: Quantitative Risk Analysis vs. Qualitative Risk Assessments
- Review NIST SP 800-39
- Review Week 3: Questions
- Assignments: IDV & LT Papers
- Quiz #3
Learning Team Activity
• Activity: Review Week 3 & 4 ‘Article’ Readings
- 15 minutes: Read Articles
- 10 minutes: Answer article questions
- 10 minutes: Present your article to the class
- Submit for credit.
LT Activity: Week 3 Article Readings
• Barr (2011). Federal Business Continuity Plans
- Do you think the private sector must employ something similar to the Federal Government’s Continuity of Operations Process (COOP) as an integral part of their enterprise risk management plan?
• Ledford (2012). FISMA
- Do you think the Federal Information Security Management Act (FISMA) might provide the basis for a standard framework for enterprise risk management adaptable to the private sector?
LT Activity: Week 4 Article Readings
• Ainworth (2009). The BCP Process
- Might an effective risk management plan be considered a process that may restore all systems, businesses, processes, facilities, and people?
• Barr (2011). Good Practice for Information Security
- What changes would you recommend for the Information Security Forum’s 2007 Standard?
- Which of these changes must be incorporated into the enterprise’s risk management plan?
REVIEW: IDV Assignments #1 & #2
#1: Risks associated with an industry.
#2: Organization that has recently been compromised.
- Focus on risks from Information Systems and how we manage those risks.
- This involves understanding what Information Systems are and how they work.
- Risks are all around you. (Class Videos)
Break?
• This is probably time for a break…
QUICK REVIEW: Week 1
• What is Information Systems Risk Management?
- Information Systems Risk Management is the process of identifying, assessing, and reducing (mitigating) risks to an acceptable level.
QUICK REVIEW: Week 2
• What are the components of Information Systems Risk?
- Threats & Threat Agents
- Vulnerabilities (Weakness)
- Controls (Safeguards)
- Impact
REVIEW: Information Assurance Services
• Taken from DoD 8500.2
REVIEW: Quantitative Risk Analysis
REVIEW: Qualitative Risk Matrix
                   Rare(1)  Unlikely(2)  Moderate(3)  Likely(4)  Frequent(5)
Catastrophic (5)
Material (4)
Major (3)
Minor (2)
Insignificant (1)
Rows: Impact. Columns: Probability (Vulnerability | Threat). Each cell is colour-coded by risk level: LOW, MEDIUM, HIGH, or SEVERE.
REVIEW: Risk Responses
Risk Severity (rows) vs. Exploitation Frequency (columns):

                  Frequency: Low       Frequency: High
Severity: High    Accept / Transfer    Avoid
Severity: Low     Accept               Accept / Transfer
REVIEW: Risk Responses
• Risk Avoidance – Halt or stop the activity causing the risk
• Risk Transference – Transfer the risk to someone else (e.g. buy insurance)
• Risk Mitigation – Reduce the likelihood or impact with controls/safeguards
• Risk Acceptance – Understand the consequences and accept the risk
REVIEW: Total vs. Residual Risk
• When a company chooses not to implement a safeguard (if they accept the risk) then they accept the total risk.
• The leftover risk after applying countermeasures is called the residual risk.
• No matter what controls you place to protect an asset, it will never be 100% secure.
• Risk is never zero, thus, there is always some form of residual risk.
Week 3: Risk Assessment (Part 2)
• Objectives
- What is Quantitative Risk Analysis?
- What is Qualitative Risk Assessment?
- Positives (pros) and Negatives (cons) of each.
- Which method is preferred?
Value of Information and Assets
• Risk Management
• It’s important to understand the value of your information and information systems.
• So what is my information worth?
- Value can be measured both Quantitatively and Qualitatively.
Two Types of Approaches
• Quantitative Analysis • Qualitative Assessment
- Tangible impacts can be measured Quantitatively in lost revenue, repair costs, or resources.
- Other impacts (e.g. loss of public confidence or credibility) cannot be priced directly and are rated Qualitatively as High, Medium, or Low.
Let’s start
• …with Quantitative analysis.
- Warning: There is MATH… much more math. =(
Quantitative Analysis
• Quantitative analysis attempts to assign real values to all elements of the risk analysis process.
- Asset value
- Safeguards / Controls
- Threat frequency
- Probability of incident
Quantitative Analysis
• Purely Quantitative Risk Analysis is impossible.
• There are always unknown values.
• There are always “Qualitative” values.
- What is the value of a reputation?
- …but what if you focused on Information Security Services as a unit of measurement?
• Quantitative analysis can be automated with software and tools.
- Requires large amounts of data to be collected.
Quantitative Analysis: Step-by-Step
1. Assign value to your information.
2. Estimate cost for each asset and threat combination.
3. Perform a Threat Analysis – determine the probability of exploitation.
4. Derive the overall loss potential per year.
5. Reduce, Transfer, Avoid, or Accept the Risk.
Step 1: Assign Value to Assets
• What are my information assets worth?
- What did it cost to obtain?
- How much money does the asset bring in?
- What is its value to my competitors?
- How much would it cost to re-create?
- Are there possible legal liabilities to account for?
Step 2: Estimate Loss Potential
• For each threat, we need to determine how much a successful compromise could cost:
- Physical damage
- Loss of productivity
- Cost for repairs
- Amount of Damage - “Single Loss Expectancy” (SLE) per asset and threat*
• Example: if each virus outbreak costs $50K in lost revenue and repair costs, your SLE = $50K.
Step 2: Estimate of Loss potential
• When determining SLE, you may hear the term EF (exposure factor).
• Loss then becomes a percentage of the asset value (AV): EF is the fraction of the asset’s value you expect to lose in a single incident.
- This is where EF comes in…
SLE = AV X EF
Step 3: Perform a Threat Analysis
• Figure out the likelihood of a threat incident.
- Analyze vulnerabilities and rate of exploits.
- Analyze probabilities of threats to your location and systems.
- Review historical records of incidents.
• Annualized Rate of Occurrence (ARO): the expected number of times the threat occurs in one year.
Example: If the chance of a virus outbreak in any month is 75%, then ARO = .75 * 12 (months per year) = 9 occurrences per year.
Step 4: Derive the ALE
Derive the Annual Loss Expectancy
ALE = SLE * ARO
• Example:
Cost of a virus outbreak is $50K (SLE)
X 9 occurrences per year (ARO)
= $450K cost per year (ALE)
Step 5: Risk Response
• Risk Avoidance – Halt or stop the activity causing the risk
• Risk Transference – Transfer the risk to someone else (e.g. buy insurance)
• Risk Mitigation – Reduce the likelihood or impact with controls/safeguards
• Risk Acceptance – Understand the consequences and accept the risk
Reducing Risk
• When deciding whether to implement controls, safeguards, or countermeasures: you SHOULD be concerned about saving costs.
• It doesn’t make sense to spend more to protect an asset that’s worth less!
• So how do we determine if it’s worth it?
…
Reducing Risk
• Reducing risks through controls / safeguards / countermeasures makes sense when the loss they remove each year is greater than what they cost each year:
(ALE before control) - (ALE after control) - (annual cost of control) > 0
• If the cost (per year) of a countermeasure is more than the ALE it eliminates, don’t implement it; accept or transfer the risk instead.
Definitions
• The Annualized Rate of Occurrence (ARO) is the expected number of times a risk occurs within a year (a frequency, so it can be greater than 1 or a fraction such as 0.08).
• The Single Loss Expectancy (SLE) is the dollar loss expected from a single occurrence of the risk (SLE = AV x EF).
• The ALE is calculated by multiplying the ARO by the SLE:
ALE = ARO x SLE
Review of Quantitative Analysis
• Assign value to information & assets:
Asset Value (AV)
• Estimate: Single Loss Expectancy (SLE)
• Estimate: Likelihood of Threats (ARO)
• Calculate: Annual Loss Expectancy (ALE)
• Risk Response: Reduce, Transfer, Avoid or Accept.
Class Exercise: Quantitative Analysis
• You own a data warehouse valued at $1,000,000 USD (information & infrastructure included).
• If the threat of a fire breaking out were to occur, it is expected that 40% of warehouse (including the data) would be damaged/lost.
• The chance of a fire breaking out for this type of warehouse is known to be 8% annually.
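The five quantitative steps above (AV, EF, SLE, ARO, ALE, then the cost test for a safeguard) carried through in code, as an added example that is not part of the lecture slides. The virus figures ($50K SLE, 75% chance per month) and the warehouse exercise ($1M asset, 40% exposure, 8% annual chance) are the lecture’s; the two safeguards, their annual costs and the reductions they achieve are assumed purely to show the cost/benefit decision.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and the cost/benefit test for a safeguard.
Added example; the safeguard names, costs and effects below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0..1) of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def aro_from_period_probability(probability: float, periods_per_year: int) -> float:
    """The lecture's approximation: chance per period x periods per year gives the
    expected number of occurrences per year (0.75 per month x 12 = 9 per year)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * periods_per_year


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is a frequency, so values above 1 or below 1 are both valid."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float   # yearly cost of the control (amortised purchase + operation)
    sle_after: float     # SLE once the control is in place
    aro_after: float     # ARO once the control is in place


def safeguard_value(sle: float, aro: float, sg: Safeguard) -> float:
    """Annual value of a safeguard = ALE(before) - ALE(after) - annual cost of the safeguard.
    Positive: the control removes more loss than it costs. Negative: it costs more than
    the risk it removes, so accept or transfer (insure) the residual risk instead."""
    ale_before = annual_loss_expectancy(sle, aro)
    ale_after = annual_loss_expectancy(sg.sle_after, sg.aro_after)
    return ale_before - ale_after - sg.annual_cost


def risk_response(sle: float, aro: float, sg: Safeguard) -> str:
    """Step 5 for one candidate control: mitigate if it pays for itself, else accept/transfer."""
    return "Mitigate" if safeguard_value(sle, aro, sg) > 0 else "Accept / Transfer"


if __name__ == "__main__":
    # Lecture example: virus outbreak, SLE $50K, 75% chance in any month.
    virus_sle = 50_000
    virus_aro = aro_from_period_probability(0.75, 12)                  # 9 per year
    print("virus ALE:", annual_loss_expectancy(virus_sle, virus_aro))   # 450000
    # Assumed control: endpoint protection at $60K/yr that cuts outbreaks to 1 per year.
    endpoint = Safeguard("endpoint protection", 60_000, sle_after=50_000, aro_after=1)
    print("virus:", risk_response(virus_sle, virus_aro, endpoint))      # Mitigate (value 340000)

    # Class exercise: $1M warehouse, fire destroys 40%, 8% chance per year.
    fire_sle = single_loss_expectancy(1_000_000, 0.40)                 # 400000
    print("fire ALE:", annual_loss_expectancy(fire_sle, 0.08))          # 32000
    # Assumed control: suppression system at $40K/yr that cuts the exposure factor to 10%.
    suppression = Safeguard("fire suppression", 40_000,
                            sle_after=single_loss_expectancy(1_000_000, 0.10), aro_after=0.08)
    print("fire:", risk_response(fire_sle, 0.08, suppression))          # Accept / Transfer (value -16000)
```

The warehouse case is the one to notice: a $400K single loss looks frightening, but at 8% per year the ALE is only $32K, so a $40K-per-year control cannot pay for itself even though it removes most of the loss. That is the point of the "don’t spend more than the ALE" rule, and why insurance (transfer) is the usual answer for rare, high-impact events.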
Let’s move on to
• …Qualitative assessments.
Qualitative Risk Assessment
• Instead of assigning specific values…
• We walk through different scenarios, rank and prioritize based on threats and countermeasures.
• Techniques include:
- Judgment
- Best practices
- Intuition (gut feelings)
- Experience
Qualitative Assessments
• Specific techniques include:
- Delphi method (opinions provided anonymously)
- Brainstorming
- Storyboarding
- Focus groups
- Surveys
- Questionnaires
- Interviews / one-on-one meetings
… very subjective
Qualitative Assessment
                   Rare(1)  Unlikely(2)  Moderate(3)  Likely(4)  Frequent(5)
Catastrophic (5)
Material (4)
Major (3)
Minor (2)
Insignificant (1)
Rows: Impact. Columns: Probability of Compromise. Each cell is colour-coded by risk level: LOW, MEDIUM, HIGH, or SEVERE.
• Remember this?
Qualitative Assessment
Risk Severity (rows) vs. Exploitation Frequency (columns):

                  Frequency: Low       Frequency: High
Severity: High    Accept / Transfer    Avoid
Severity: Low     Accept               Accept / Transfer
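The qualitative side of the comparison in code, as an added example that is not part of the lecture slides: a 5x5 likelihood/impact matrix using the slide’s scale names, a Delphi-style consolidation of anonymous panel ratings (median on each axis), and the severity/frequency 2x2 above to pick a response. The slide shows the matrix colours but not where Low/Medium/High/Severe begin, so the score bands, the "High severity/High frequency" cut-offs at rating 4, and the three sample scenarios are assumptions.

```python
"""Qualitative risk matrix, Delphi-style rating consolidation and response selection.
Added example; the score bands, cut-offs and sample register are assumptions."""
from __future__ import annotations

from statistics import median_low

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5}

# Assumed bands for the coloured cells: score = likelihood x impact, 1..25.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Severe")]


def risk_score(likelihood: str, impact: str) -> int:
    """Cell position in the matrix as a single number (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a score to the matrix colour (assumed band edges)."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def risk_response(severity: str, frequency: str) -> str:
    """The 2x2 grid from the slide: Severity (Low/High) vs Exploitation Frequency (Low/High)."""
    grid = {
        ("High", "High"): "Avoid",
        ("High", "Low"): "Accept / Transfer",
        ("Low", "High"): "Accept / Transfer",
        ("Low", "Low"): "Accept",
    }
    return grid[(severity, frequency)]


def consolidate(panel: list[tuple[str, str]]) -> tuple[str, str]:
    """Delphi-style: each panel member rates (likelihood, impact) anonymously; take the
    median on each axis (median_low keeps the result on the 1-5 scale for even panels)."""
    l_names = {v: k for k, v in LIKELIHOOD.items()}
    i_names = {v: k for k, v in IMPACT.items()}
    l_val = median_low(LIKELIHOOD[l] for l, _ in panel)
    i_val = median_low(IMPACT[i] for _, i in panel)
    return l_names[l_val], i_names[i_val]


def assess(register: dict[str, list[tuple[str, str]]]) -> list[dict]:
    """Score every scenario from its panel ratings and rank highest risk first."""
    rows = []
    for scenario, panel in register.items():
        likelihood, impact = consolidate(panel)
        score = risk_score(likelihood, impact)
        # Assumed cut-offs: a rating of 4 or 5 on an axis counts as "High" in the 2x2.
        severity = "High" if IMPACT[impact] >= 4 else "Low"
        frequency = "High" if LIKELIHOOD[likelihood] >= 4 else "Low"
        rows.append({"scenario": scenario, "likelihood": likelihood, "impact": impact,
                     "score": score, "level": risk_level(score),
                     "response": risk_response(severity, frequency)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register: three anonymous panel ratings per scenario.
SAMPLE_REGISTER = {
    "Ransomware on file server": [("Likely", "Catastrophic"), ("Moderate", "Material"),
                                  ("Likely", "Catastrophic")],
    "Lost unencrypted laptop": [("Moderate", "Major"), ("Likely", "Major"), ("Moderate", "Minor")],
    "Data-centre fire": [("Rare", "Catastrophic"), ("Unlikely", "Catastrophic"), ("Rare", "Material")],
}

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['scenario']:<28} {row['likelihood']:<9} {row['impact']:<13} "
              f"score={row['score']:>2} {row['level']:<7} -> {row['response']}")
```

Note what the ranking does and does not tell you: the fire scenario lands in "Medium" with an "Accept / Transfer" response, the same answer the quantitative exercise reaches with dollars, but here nobody can say how much insurance to buy. That is the "no unit of measure" disadvantage of the qualitative approach in the NIST SP 800-30 comparison that follows.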
Review of Q vs. Q (NIST SP 800-30)
• Quantitative Advantage
Provides a measurement of the impacts’ magnitude.
• Quantitative Disadvantage
Meaning of the analysis may be unclear, requiring the results to be interpreted in a qualitative manner.
• Qualitative Advantage
Prioritizes the risks, identifying areas for immediate improvement.
• Qualitative Disadvantage
Does not provide specific quantifiable measurements of the impacts’ magnitude.
What is the Difference between Q vs. Q?
• Quantitative Advantage
Impact is quantified (measurable).
• Quantitative Disadvantage
Analysis involves complex calculations and can be confusing and resource intensive.
vs.
• Qualitative Advantage
Impact is clear & easy to understand.
• Qualitative Disadvantage
No unit of measure; assessment is subjective (Low-Med-High).
What is the Difference between Q vs. Q?
• Which approach is preferred when it comes to Information Systems Risk Management?
• Why?
- Let’s discuss…
Break?
• This is probably time for a break…
Quiz: Week 3
• 10-15 minutes
IDV and LT Assignments for Week #3
• Laptops at UOPX
- Explain your thought process behind risk management as a new information system is introduced to an existing network.
• Constraints involved with Information Sharing
- Identify and discuss the risk components involved and possible constraints that may add to your risk.
- Outlined formats are OK.
Week 3 Review Questions
We’ll review these questions & more next week to prep for the final exam…