130 likes | 497 Views
Unit Outline Qualitative Risk Analysis. Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3: Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary.
E N D
Unit OutlineQualitative Risk Analysis Module 1: Qualitative Risk Analysis Module 2: Determine Assets and Vulnerabilities Module 3:Determine Threats and Controls Module 4: Matrix Based Approach Module 5: Case Study Module 6: Summary
Risk AnalysisLearning Objectives • Students should be able to: • Recognize the difficulties associated with information security risk analysis • Identify the the two different risk analysis approaches • Understand how a qualitative risk analysis is performed.
Risk AnalysisRisk Analysis Definition • Risk analysis involves the identification and assessment of the levels of risks calculated from the known values of assets and the levels of threats to, and vulnerabilities of, those assets. • It involves the interaction of the following elements: • Assets • Vulnerabilities • Threats • Impacts • Likelihoods • Controls
Risk AnalysisConcept Map • Threats exploit system vulnerabilities which expose system assets. • Security controls protect against threats by meeting security requirements established on the basis of asset values. Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Risk AnalysisDifficulties with Information Security Risk Analysis • Relatively new field • Lack of formal models • Lack of data • Evolving threats • Constantly changing information systems and vulnerabilities • Human factors related to security • No standard of practice
Risk AnalysisApproaches • Two Risk Analysis Approaches • Quantitative • Qualitative
Risk AnalysisQuantitative Approach • Quantitative Risk Analysis • Relating to or based on the amount or number of something, capable of being measured or expressed in numerical terms. • Quantitative Risk Analysis computes risks in terms of actual losses
Risk AnalysisQualitative Approach • Qualitative Risk Analysis • Based on literal description of risk factors and risk is expressed in terms of its potential. Threats and vulnerabilities are identified and analyzed using subjective judgment. Uses checklists to determine if recommended controls are implemented and if different information systems or organizations are secure.
Risk Analysis: QualitativeMethodology • Qualitative risk analysis methodologies involve relative comparison of risks and prioritization of controls • Usually associate relationships between interrelated factors • Assets: Things of value for the organization • Threats: things that can go wrong • Vulnerabilities: Weaknesses that make a system more prone to attack or make an attack more likely to succeed • Controls: These are the countermeasures for vulnerabilities
Risk Analysis: QualitativeMethodology, cont’d. • More practical since it is based on user inference and follows current processes better. It capitalizes on user experience and doesn’t resort to extensive data gathering. • Allows for easier valuation of non-tangible assets. • Probability data is not required and only estimated potential loss may be used
Risk AnalysisSummary • Risk analysis involves assessing assets, vulnerabilities, threats, and controls, as well as the impact they have on each other in order to determine risk. • Information security risk analysis is a new field and is constantly changing due to introduction of new assets, discovery of new vulnerabilities, presence of new threats, and development of new controls. • Two different types of risk analysis exist: • Quantitative, which are based on actual numerical values, and • Qualitative, which involves relative values based on prioritization and expert judgment.