3 - Security Risk Analysis and Management
RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY
THE PURPOSE OF RISK MANAGEMENT
Organizational: Does the plan correspond to the organization's objectives? What is in it for the organization? Does it limit the organization's capabilities in any way?
Operational: Will stakeholders (users, managers, etc.) be able and willing to accept the plan? Is the system compatible with the new changes? Have the possible changes been communicated to the employees?
Technical: Is the necessary technology owned or obtainable? Are our employees trained, and if not, can we afford to train them? Should we hire new employees?
Political: Can InfoSec acquire the necessary budget and approval to implement the plan? Is the required budget justifiable? Does InfoSec have to compete with other departments to acquire the desired budget?
RISK CONTROL STRATEGIES
Defense
Transferal
Mitigation
Acceptance (Abandonment)
Termination
RISK CONTROL STRATEGY: DEFENSE
Strategy / Pros / Cons
Defense / Preferred all-round approach / Expensive and laborious
Transferal / Easy and effective / Dependence on external entities
Mitigation / Effective when all else fails / Guarantees company loss
Acceptance / Cheap and easy / Rarely appropriate, unsafe
Termination / Relatively cheap and safe / Rarely appropriate, requires company loss
STANDARD APPROACHES TO RISK MANAGEMENT
US-CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Methods (Original, OCTAVE-S, OCTAVE-Allegro)
ISO 27005 Standard for InfoSec Risk Management
NIST Risk Management Model
Microsoft Risk Management Approach
Jack A. Jones’ Factor Analysis of Information Risk (FAIR)
Delphi Technique
RISK MANAGEMENT SOFTWARE
https://www.youtube.com/watch?v=lUZy7je-nMY