Chapter 17 – Risk Management doc

Risk Management 493The idea of analyzing your business processes and determining what are the risks that threaten those processes, and choosing cost effective countermeasures to minimize

All-In-One Edition Chapter 17 – Risk Management

Brian E Brzezicki

Risk Management

Risk Management (493)

The idea of analyzing your business processes and determining what are the risks that threaten those processes, and choosing cost effective

countermeasures to minimize the risks and the

associated losses

Risk Management Terms (494)

• Risk – the possibility of suffering harm or loss

• Risk Management/Risk Analysis – the overall

decision making process of identifying the risks

(threats and vulnerabilities) and mitigating actions to determined the impact of an event that would affect

a project, program or business

(more)

Risk Management Terms (494)

• Asset – resource or information an organization

needs to conduct it’s business

• Threat – any circumstance or event with the potential

to cause harm to an asset

• Vulnerability - A software hardware or procedural

weakness that may provide an attacker the

opportunity to obtain unauthorized access

• Impact – the resulting loss when a threat exploits a vulnerability

(more)

Risk Analysis Terms (495)

• Countermeasures / control / safeguard – a measure taken to detect, prevent, or mitigate the risk

associated with a threat

• Qualitative Risk Analysis – The process of

subjectively determining the impact of an event

• Quantitative Risk Analysis – The process of

objectively determining the impact of an event

Specifically assigning numbers to understand the event (probability, Loss, cost etc)

(more)

• Vendors going out of business

• Revenue Streams stopping

• Fraud

(more)

Random Thoughts

Risk Management always is concerned with providing COST EFFECTIVE safeguards…

Don’t bother protecting something if the cost of

protecting it, is more than it’s worth!

Risk also can be hard to quantify (reputation)?

What’s a reputation worth to a business?

Risk management Flowchart (496)

Quantitative Risk Analysis

Terms

SLE – Single Loss Expectancy

(507)SLE = how much you expect to lose if an event occursSLE= Asset Value * EF

Ex if you have a building worth $1,000,000.00 and

your EF is 25 what is your SLE?

SLE = Asset Value * EF

SLE = $1,000,000 * 25

SLE = $250,000

ARO – Annual Rate of Occurrence

Ex If you expect 1 fire every 10 years

ARO = (1 fire)/(10 years)

ARO = 1

Use ARO to determine ALE

ALE – Annual Loss Expectancy

(507)

ALE – how much money you expect to loss in a year due to a certain threat

ALE = SLE * ARO

Ex If your warehouse fire SLE = $250,000 and you expect 2 fires a year

ALE = SLE * ARO

ALE = $250,000 * 2

ALE = $500,000

Choosing a Countermeasure

When analyzing a countermeasure you need to look

at the ALE BEFORE the countermeasure, and the ALE AFTER the countermeasure and compare that

to the cost of the countermeasure

If a countermeasure reduces the ALE more than the countermeasure costs, then it is COST effective

and should be applied

(ALE before) – (ALE after) > Cost of Countermeasure

(more)

Risk Analysis Example problem

You have an important server For every hour that the server is down it costs your company $1000.00

There is a 25% chance every month that the server

will get hacked, if it does it will cost you 4 hours to clean and reinstall the server (nobody will be able to use it)

There is an intrusion prevention system that will take the risk of hacked system to 0% (don’t we wish),

however it costs $5,000.00 per year subscription

fee

Should you purchase the IPS? If you do how much

money will you save or lose?

What is avoiding the risk?

Risk Analysis Example problem

You have an important server For every hour that the server is down it costs your company $1000.00.

There is a 25% chance every month that the server will get hacked, if it does it will cost you 4 hours to clean and reinstall the server (nobody will be able to use it) There is an intrusion prevention system that will take the risk of hacked system to 0% (don’t we wish),

however it costs $5,000.00 per year subscription fee Should you purchase the IPS? If you do how much

money will you save or lose?

Residual Risk (501)

Understand that no countermeasure can 100% reduce the risk There will always be some risk left over after applying controls This is called

Residual Risk.

Quantitative Risk Analysis (502)

Truly quantitative analysis, requires a lot of number

crunching You should use software to automate

this task Be aware you cannot truly 100% eliminate risk, and you cannot truly 100% quantify risk (some things simply cannot be measured)

Qualitative Risk Analysis

Qualitative Risk analysis doesn’t try to crunch

numbers to analyze risk, instead all involved parties get together to try to subjectively understand risk

• What business functions are critical

• What would happen if a function was lost

• What functions are more important that others

• What are threats

• How can we mitigate threats

Chapter 17 - Review

Q Any countermeasure you deploy should ultimately

be _

Q If my ALE for a threat is $50K a year, and a

countermeasure to eliminate the threat costs $30K

a year, should I implement it?

Q If my ALE is $50K a year, a countermeasure will reduce the ALE by 50%, and the countermeasure costs 30K a year, should I implement it?

Chapter 17 - Review

Q What is “residual risk”

Q What is risk transference

Q What is risk avoidance

Q What is risk acceptance