1 / 45

CMGT 442

CMGT 442. Information Systems Risk Management. Philip Robbins – November 28, 2012 (Week 3) University of Phoenix Mililani Campus. Objectives: Week 3. Risk Assessment (Part 2) Review Week 1 & 2: Concepts LT Activity: Week 3 & Week 4 Article Readings

elisha
Download Presentation

CMGT 442

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CMGT 442 Information Systems Risk Management Philip Robbins – November 28, 2012 (Week 3) University of Phoenix Mililani Campus

  2. Objectives: Week 3 • Risk Assessment (Part 2) • Review Week 1 & 2: Concepts • LT Activity: Week 3 & Week 4 Article Readings • Discuss Homework Assignments & Class Videos • Week 3: Quantitative Risk Analysis vs. Qualitative Risk Assessments • Review NIST SP 800-39 • Review Week 3: Questions • Assignments: IDV & LT Papers • Quiz #3

  3. Learning Team Activity • Activity: Review Week 3 & 4 ‘Article’ Readings • 15 minutes: Read Articles • 10 minutes: Answer article questions • 10 minutes: Present your article to the class • Submit for credit.

  4. LT Activity: Week 3 Article Readings • Barr (2011). Federal Business Continuity Plans • - Do you think the private sector must employ something similar to the Federal Government’s Continuity of Operations Process (COOP) as an integral part of their enterprise risk management plan? • Ledford (2012). FISMA • - Do you think the Federal Information Security Management Act (FISMA) might provide the basis for a standard framework for enterprise risk management adaptable to the private sector?

  5. LT Activity: Week 4 Article Readings • Ainworth (2009). The BCP Process • - Might an effective risk management plan be considered a process that may restore all systems, businesses, processes, facilities, and people? • Barr (2011). Good Practice for Information Security • - What changes would you recommend for the Information Security Forum’s 2007 Standard? • - Which of these changes must be incorporated into the enterprise’s risk management plan?

  6. REVIEW: IDV Assignments #1 & #2 • #1: Risks associated with an industry. • #2: Organization that has recently been compromised. • - Focus on risks from Information Systems and how we manage those risks. • - This involves understanding what Information Systems are and how they work. • - Risks are all around you. (Class Videos)

  7. Break? • This is probably time for a break…

  8. QUICK REVIEW: Week 1 • What is Information Systems Risk Management? • - Information Systems Risk Management is the process of identifying, assessing, and reducing (mitigating) risks to an acceptable level.

  9. QUICK REVIEW: Week 2 • What are the components of Information Systems Risk? • - Threats& Threat Agents • - Vulnerabilities(Weakness) • - Controls(Safeguards) • - Impact

  10. REVIEW: Information Assurance Services • Taken from DoD 8500.2

  11. REVIEW: Quantitative Risk Analysis

  12. REVIEW: Qualitative Risk Matrix SEVERE HIGH MEDIUM LOW Catastrophic (5) Material (4) Major (3) Minor (2) Insignificant (1) RISK Impact Rare(1) Unlikely(2) Moderate(3) Likely (4) Frequent(5) Probability (Vulnerability | Threat)

  13. REVIEW: Risk Responses Risk Severity Exploitation Frequency

  14. REVIEW: Risk Responses • Risk Avoidance • Halt or stop activity causing risk • Risk Transference • Transfer the risk (i.e. buy insurance) • Risk Mitigation • Reduce impact with controls/safeguards • Risk Acceptance • Understand consequences and accept risk

  15. REVIEW: Total vs. Residual Risk • When a company chooses not to implement a safeguard (if they accept the risk) then they accept the total risk. • The leftover risk after applying countermeasures is called the residual risk. • No matter what controls you place to protect an asset, it will never be 100% secure. • Risk is never zero, thus, there is always some form of residual risk.

  16. Week 3: Risk Assessment (Part 2) • Objectives - What is Quantitative Risk Analysis? - What is Qualitative Risk Assessment? - Positives (pros) and Negatives (cons) of each. - Which method is preferred?

  17. Value of Information and Assets • Risk Management • It’s important to understand the value of your information and information systems. • So what is my information worth? - Value can be measured both Quantitatively and Qualitatively.

  18. Two Types of Approaches • Quantitative Analysis • Qualitative Assessment - Tangible impacts can be measured Quantitatively in lost revenue, repair costs, or resources. - Other impacts (i.e. loss of public confidence or credibility, etc.) can be qualified in terms of High, Medium, or Low impacts.

  19. Let’s start • …with Quantitative analysis. - Warning: There is MATH… much more math. =(

  20. Quantitative Analysis • Quantitative analysis attempts to assign real values to all elements of the risk analysis process. - Asset value - Safeguards / Controls - Threat frequency - Probability of incident

  21. Quantitative Analysis • Purely Quantitative Risk Analysis is impossible. • There are always unknown values. • There are always “Qualitative” values. • What is the value of a reputation? • …but what if you focused on Information Security Services as a unit of measurement? • Quantitative analysis can be automated with software and tools. - Requires large amounts of data to be collected.

  22. Quantitative Analysis: Step-by-Step • Assign value to your information. • Estimate cost for each asset and threat combination. • Perform a Threat Analysis – determine the probability of exploitation. • Derive the overall loss potential per year. • Reduce, Transfer, Avoid, or Accept the Risk.

  23. Step 1: Assign Value to Assets • What is my information assets worth? - What is my costs to obtain? - How much money does an asset bring in? - What is its value to my competitors? - How much would it cost to re-create? - Are there possible legal liabilities to account for?

  24. Step 2: Estimate Loss Potential • For each threat, we need to determine how much a successful compromise could cost: - Physical damage - Loss of productivity - Cost for repairs • Amount of Damage - “Single Loss Expectancy” per asset and threat* • Example: if you have a virus outbreak and each outbreak costs $50K in lost revenue and repair costs. Your SLE = $50K

  25. Step 2: Estimate of Loss potential • When determining SLE, you may hear the term EF (exposure factor). • Loss then becomes a percentage of the assets value (AV). - This is where EF comes in… SLE = AV X EF

  26. Step 3: Perform a Threat Analysis • Figure out the likelihood of a threat incident. - Analyze vulnerabilities and rate of exploits. - Analyze probabilities of threats to your location and systems. - Review historical records of incidents. • Annualized Rate of Occurrence (ARO) Example: If the chance of a virus outbreak in any month is = 75%, then ARO = .75 * 12 (1 year) = 9 occurrences per year

  27. Step 4: Derive the ALE Derive the Annual Loss Expectancy ALE = SLE * ARO • Example: Cost of a virus outbreak is $50K (SLE) X 9 occurrences per year (ARO) ------------------------------------------------------------------ $450K cost total (ALE)

  28. Step 5: Risk Response • Risk Avoidance • Halt or stop activity causing risk • Risk Transference • Transfer the risk (i.e. buy insurance) • Risk Mitigation • Reduce impact with controls/safeguards • Risk Acceptance • Understand consequences and accept risk

  29. Reducing Risk • When deciding whether to implement controls, safeguards, or countermeasures: you SHOULD be concerned about saving costs. • It doesn’t make sense to spend more to protect an asset that’s worth less! • So how do we determine if it’s worth it? …

  30. Reducing Risk • Reducing risks through controls / safeguards / countermeasures makes sense when: • If the cost (per year) of a countermeasure is more than the ALE, don’t implement it.

  31. Definitions • The Annualized Rate of Occurrence (ARO) is the likelihood of a risk occurring within a year. • The Single Loss Expectancy (SLE) is the dollar value of the loss that equals the total cost of the risk. • The ALE is calculated by multiplying the ARO by the SLE: • ALE = ARO x SLE

  32. Review of Quantitative Analysis • Assign value to information & assets: Asset Value (AV) • Estimate: Single Loss Expectancy (SLE) • Estimate: Likelihood of Threats (ARO) • Calculate: Annual Loss Expectancy (ALE) • Risk Response: Reduce, Transfer, Avoid or Accept.

  33. Class Exercise: Quantitative Analysis • You own a data warehouse valued at $1,000,000 USD (information & infrastructure included). • If the threat of a fire breaking out were to occur, it is expected that 40% of warehouse (including the data) would be damaged/lost. • The chance of a fire breaking out for this type of warehouse is known to be 8% annually.

  34. Let’s move on to • …Qualitative assessments.

  35. Qualitative Risk Assessment • Instead of assigning specific values… • We walk through different scenarios, rank and prioritize based on threats and counter measures. • Techniques includes: - Judgment - Best practices - Intuition (gut feelings) - Experience

  36. Qualitative Assessments • Specific techniques include: - Delphi method (opinions provided anonymously) - Brainstorming - Storyboarding - Focus groups - Surveys - Questioners - Interviews / one-on-one meetings … very subjective

  37. Qualitative Assessment SEVERE HIGH MEDIUM LOW Risk • Remember this? Catastrophic (5) Material (4) Major (3) Minor (2) Insignificant (1) RISK Impact Rare(1) Unlikely(2) Moderate(3) Likely (4) Frequent(5) Compromise

  38. Qualitative Assessment Risk Severity Exploitation Frequency

  39. Review of Q vs. Q (NIST SP 800-30) • Quantitative Advantage Provides a measurement of the impacts’ magnitude. • Quantitative Disadvantage Meaning of the analysis may be unclear, requiring the results to be interpreted in a qualitative manner. • Qualitative Advantage Prioritizes the risks, identifying areas for immediate improvement. • Qualitative Disadvantage Does not provide specific quantifiable measurements of the impacts magnitude.

  40. What is the Difference between Q vs. Q? • Quantitative Advantage Impact is quantified (measurable). • Quantitative Disadvantage Analysis involves complex calculations and can be confusing and resource intensive. vs. • Qualitative Advantage Impact is clear & easy to understand. • Qualitative Disadvantage No unit of measure; assessment is subjective (Low-Med-High).

  41. What is the Difference between Q vs. Q? • Which approach is preferred when it comes to Information Systems Risk Management? • Why? - Let’s discuss…

  42. Break? • This is probably time for a break…

  43. Quiz: Week 3 • 10-15 minutes

  44. IDV and LT Assignments for Week #3 • Laptops at UOPX • - Explain your thought process behind risk management as a new information system is introduced to an existing network. • Constraints involved with Information Sharing • - Identify and discuss the risk components involved and possible constraints that may add to your risk. • - Outlined formats are OK.

  45. Week 3 Review Questions • We’ll review these • questions & • more next week to prep • for the final exam…

More Related