Information Security Risks AllinOne Terminology Information Security Risk
- Slides: 12
Information Security Risks; All-in-One Terminology
Information Security Risk Management Lifecycle with some Basic Elements (controls)
Qualitative Risk Analysis (Nitel Risk Analizi) > Generally used in Information Security • Hard to make meaningful valuations and meaningful probabilities • Relative ordering is faster and more important > Many approaches to performing qualitative risk analysis > Same basic steps as quantitative analysis • Still identifying asserts, threats, vulnerabilities, and controls • Just evaluating importance differently
Qual. Risk Analysis in 10 steps > Step 1: Identify Scope • Bound the problem > Step 2: Assemble team • Include subject matter experts, management in charge of implementing, users > Step 3: Identify Threats • Pick from lists of known threats • Brainstorm new threats • Mixing threats and vulnerabilities here. . .
Step 4: Threat prioritization > Prioritize threats for each assert • Likelihood of occurrence (note that this is likelihood because it is not a statistical probability value) > Define a fixed threat rating • E. g. , Low(1) … High(5) > Associate a rating with each threat > Note: Approximation to the risk probability in quantitative approach
Step 5: Loss Impact > With each threat determine loss impact > Define a fixed ranking • E. g. , Low(1) … High(5) > Used to prioritize damage to asset from threat
Step 6: Total impact > Example 2: Another alternative method, where the scaled qualitative values are multiplied) Threat Fire Threat Priority 3 Impact Priority 5 Risk Factor 15 Water 2 5 10 Theft 2 3 6
Step 7: Identify Controls/Safeguards > Potentially come into the analysis with an initial set of possible controls > Associate controls with each threat > Starting with high priority risks • Do cost-benefits and coverage analysis (Step 8) • Rank controls (Step 9)
Step 8: Safeguard (Control) Evaluation Step 9: Rank these Controls !
Step 10: Communicate Results > Most risk analysis projects result in a written report • Generally not read • Make a good executive summary • Beneficial to track decisions. > Real communication done in meetings an presentations
Another Qualitative Inf. Sec. Risk Assessment Example (by multiplying the scaled values)
- Sap allinone
- Allinone remote
- Credit risk market risk operational risk
- The biggest risk is not taking any risks
- Related risks that increase in effect with each added risk
- Risks of instant messaging in the workplace
- Challenges in media information
- Privat security
- Risk terminology
- Visa international security model
- What is nstissc security model
- What is risk projection in software engineering
- Risk reduction vs risk avoidance