1

Lahore Garrison University

CSC374-Professional Practice
Week-10 Lecture-2
Fall 2024
 2
Previous Lecture Recap

LectureRecap
Software Risk

Lahore Garrison University

 3
Learning Outcomes

 What will be the learning outcomes of students after the lecture

 Risk management Process and its implication

Lahore Garrison University

Threat Identification (cont’d.)

Weighted ranks of threats to information security

Source: Adapted from M. E. Whitman. Enemy at
the gates: Threats to information security.
Management of Information Security, 3rd
Communications of the ACM, August
ed.
2003. Reprinted with permission
Threat Identification (cont’d.)

• Vulnerability Assessment
– Begin to review every information asset for each threat
– This review leads to the creation of a list of
vulnerabilities that remain potential risks to the
organization
• Vulnerabilities are specific avenues that threat agents can
exploit to attack an information asset
– At the end of the risk identification process, a list of
assets and their vulnerabilities has been developed

Management of Information Security, 3rd

ed.
Threat Identification (cont’d.)

 Vulnerability Assessment (cont’d.)

 This list serves as the starting point for the next step in the risk management
process - risk assessment

Management of Information Security, 3rd

ed.
Threat Identification (cont’d.)

Table 8-4 Vulnerability assessment of a DMZ router

Management of Information Security, 3rd
ed.
Source: Course Technology/Cengage Learning
The TVA Worksheet

 At the end of the risk identification process, a list of assets and their
vulnerabilities has been developed
 Another list prioritizes threats facing the organization based on the
weighted table discussed earlier
 These lists can be combined into a single worksheet

Management of Information Security, 3rd

ed.
The TVA Worksheet (cont’d.)

Table 8-5 Sample TVA spreadsheet

Management of Information Security, 3rd
ed.
Source: Course Technology/Cengage Learning
Introduction to Risk Assessment
 The goal is to create a method to evaluate the relative risk of each
listed vulnerability

Figure 8-3 Risk identification estimate factors

Management of Information Security, 3rd

ed.
Source: Course Technology/Cengage Learning
Likelihood

• The overall rating of the probability that a

specific vulnerability will be exploited
– Often using numerical value on a defined scale
(such as 0.1 – 1.0)
• Using the information documented during the
risk identification process, you can assign
weighted scores based on the value of each
information asset, i.e. 1-100, low-med-high, etc
Management of Information Security, 3rd
ed.
Assessing Potential Loss

 Questions to ask when assessing potential loss

 Which threats present a danger to this organization’s assets in the given
environment?
 Which threats represent the most danger to the organization’s information?
 How much would it cost to recover from a successful attack?

Management of Information Security, 3rd

ed.
Assessing Potential Loss (cont’d.)

 Questions to ask when assessing potential loss (cont’d.)

 Which threats would require the greatest expenditure to prevent?
 Which of the aforementioned questions is the most important to the
protection of information from threats within this organization?

Management of Information Security, 3rd

ed.
Percentage of Risk
Mitigated by Current Controls

 If a vulnerability is fully managed by an existing control, it can be

set aside
 If it is partially controlled, estimate what percentage of the
vulnerability has been controlled

Management of Information Security, 3rd

ed.
Uncertainty

 It is not possible to know everything about every vulnerability

 The degree to which a current control can reduce risk is also subject to
estimation error
 Uncertainty is an estimate made by the manager using judgment and
experience

Management of Information Security, 3rd

ed.
Risk Determination

• Example
– Asset A has a value of 50 and has one vulnerability,
which has a likelihood of 1.0 with no current controls.
Your assumptions and data are 90% accurate
– Asset B has a value of 100 and has two vulnerabilities:
vulnerability #2 has a likelihood of 0.5 with a current
control that addresses 50% of its risk; vulnerability #
3 has a likelihood of 0.1 with no current controls. Your
assumptions and data are 80% accurate

Management of Information Security, 3rd

ed.
Risk Determination (cont’d.)

 Example (cont’d.)
 The resulting ranked list of risk ratings for the three vulnerabilities is as
follows:
 Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%
 Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%
 Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0 % + 20%

Management of Information Security, 3rd

ed.
Likelihood and Consequences

 Likelihood and consequence rating

 Another approach
 From the Australian and New Zealand Risk Management Standard 4360i
 Uses qualitative methods of determining risk based on a threat’s probability
of occurrence and expected results of a successful attack

Management of Information Security, 3rd

ed.
 Likelihood and
Consequences (cont’d)

 Likelihood and consequence rating (cont’d.)

 Consequences (or impact assessment) are evaluated on 5 levels ranging
from insignificant (level 1) to catastrophic (level 5), as assessed by the
organization
 Qualitative likelihood assessments levels are represented by values ranging
from A (almost certain) to E (rare), as determined by the organization

Management of Information Security, 3rd

ed.
Identify Possible Controls

 For each threat and its associated vulnerabilities that have residual risk,
create a preliminary list of control ideas
 Three general categories of controls exist:
 Policies
 Programs
 Technical controls

Management of Information Security, 3rd

ed.
Likelihood and Consequences (cont’d.)

Table 8-6 Consequence levels for organizational threats

Management of Information Security, 3rd

Source: Risk management plan templates and forms
ed.
from www.treasury.act.gov.au/actia/Risk.htm
Likelihood and Consequences (cont’d.)

Table 8-7 Likelihood levels for organizational threats

Management of Information Security, 3rd

Source: Risk management plan templates and forms
ed.
from www.treasury.act.gov.au/actia/Risk.htm
Likelihood and Consequences
(cont’d.)

 Consequences and likelihoods are combined

 Enabling the organization to determine which threats represent the greatest
danger to the organization’s information assets
 The resulting rankings can then be inserted into the TVA tables for use
in risk assessment

Management of Information Security, 3rd

ed.
Likelihood and Consequences (cont’d.)

Table 8-8 Qualitative risk analysis matrix

Management of Information Security, 3rd

Source: Risk management plan templates and forms
ed.
from www.treasury.act.gov.au/actia/Risk.htm
Documenting the Results
of Risk Assessment

 Goals of the risk management process

 To identify information assets and their vulnerabilities
 To rank them according to the need for protection
 In preparing this list, a wealth of factual information about the assets
and the threats they face is collected

Management of Information Security, 3rd

ed.
Documenting the Results
of Risk Assessment (cont’d.)

 Information about the controls that are already in place is also collected
 The final summarized document is the ranked vulnerability risk
worksheet

Management of Information Security, 3rd

ed.
Table 8-9 Ranked vulnerability risk worksheet
Management of Information Security, 3rd
ed.
Source: Course Technology/Cengage Learning
Documenting the Results of Risk Assessment (cont’d.)

 What should the documentation package look like?

 What are the deliverables from this stage of the risk management
project?
 The risk identification process should designate what function the
reports serve, who is responsible for preparing them, and who reviews
them

Management of Information Security, 3rd

ed.
Documenting the Results of Risk Assessment (cont’d.)

Table 8-10 Risk identification and assessment deliverables

Management of Information Security, 3rd

ed.
Source: Course Technology/Cengage Learning
Summary

 Introduction
 Risk management
 Risk identification
 Risk assessment
 Documenting the results of risk assessment

Management of Information Security, 3rd

ed.
 31

Q&A

Lahore Garrison University

 32
References

 These lecture notes were taken from following source:

 Professional Issues in Software Engineering M.F. Bott
et al. Latest edition
 Computer Ethics, Deborah G. Johnson, Pearson
Education (2001) 3rd edition

Lahore Garrison University