IDENTIFYING AND ANALYZING
RISK IN INFORMATION SYSTEMS
ERIC SORENSON
Utah Chapter of ISACA
April 21, 2016
Identifying and Analyzing Risk In Information Systems
• Identify – establish who or what is
• Analyze – examine in detail the information for purpose
• Risk – the potential of gaining or losing something of value
• Harm from current or future event
• Threat – accidentally trigger or intentionally exploit a specific vulnerability
UNUSUAL PLOY IN ANTHEM BREACH CASE FAILS
• You may recall, ≈ 80 million records breached
• Database Administrator discovers his credentials are being used to
execute a questionable query
• Someone had gained unauthorized access to their IT systems
• Health Plan Anthem Inc., makes a bold motion, “to access plaintiffs’
computers, smartphones and tablets to image and copy them to
determine whether the data breach or embedded malware was
responsible for the potential harm that could include identity theft
and tax problems”**
• Could the consumer be at fault?
**http://www.databreachtoday.com/blogs/unusual-ploy-in-anthem-breach-case-fails-p-2101
What Do You Think?
• Should consumers bear some of the risk?
https://www.youtube.com/watch?v=NZJrGuC92U8
Threat Landscape (diagram): Informational, Authentication, Execution, Denial of Service, Users, Acts of Nature
How is Risk Assessed?
• Identify the threats and vulnerabilities
• Analyze the impact to the organization or process,
then determine the likelihood of an event
• Easy right?
What Do You Think?
• What are some guiding principles you use to analyze
risk?
Internal and External Risks Affect Decision-Making
INTERNAL
• Employees
• Technology
• Security
• Compliance – legal and regulatory
• IP
EXTERNAL
• Former Employees
• Natural Disasters
• Hackers
• Vendors
• Regulators looking at compliance
https://www.youtube.com/watch?v=opRMrEfAIiI
How I Identify and Analyze Risk
• First
• Identify threats
• Identify vulnerabilities
• Second
• Relate threats to vulnerabilities
• Threat–Vulnerability Pair
How I Identify and Analyze Risk (Continued)
• Define the likelihood
• You have a threat; how likely is it to occur against the vulnerability?
Likelihood – these percentages are relative to your organization
| Likelihood | Range |
| --- | --- |
| Low | 0 – 40% |
| Medium | 41 – 75% |
| High | 76 – 100% |
How I Identify and Analyze Risk (Continued)
• What’s the Impact?
• I use the CIA triad
• Confidentiality – loss leads to a limited, serious, or severe effect upon the organization
• Integrity
• Availability
• I categorize each of them as low, medium, or high
How I Identify and Analyze Risk (Continued)
• Organizational Effect?
• Business Disruption – capability: how is it affected?
• Financial loss – assigned dollar amount
• Employees – incapacitated
• I categorize them as limited, serious, or severe
How I Identify and Analyze Risk (Continued)
• “Assessing risk is determining the likelihood of the threat
being exercised against the vulnerability and the resulting
impact from a successful compromise.” SANS Institute
• The purpose of assessing risk is to assist management in
decision making on where resources should be assigned
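The slides describe the method in steps (pair each threat with a vulnerability, band the likelihood, rate CIA impact and organizational effect, then assess so management knows where to put resources) but never show the bookkeeping. The following is an added example written for this page, not the presenter's material: it encodes the slides' bands and category names, scores each threat–vulnerability pair, and ranks a register. The 3×3 likelihood × impact product, the low/medium/high thresholds on that product, and the "worst CIA leg wins" rule are the editor's assumptions, as are the register entries, which are constructed sample data.

```python
"""Threat-vulnerability pair scoring built from the method in the slides.
Added by the editor as an illustration; not the presenter's code.
Assumed (not on the slides): risk = likelihood level x impact level on a
3x3 matrix, the worst CIA leg sets impact, and organizational effect breaks
ties. The register below is constructed sample data."""
from dataclasses import dataclass

# Likelihood bands exactly as the slides give them (whole percentages).
LIKELIHOOD_BANDS = (("low", 0, 40), ("medium", 41, 75), ("high", 76, 100))
LEVEL = {"low": 1, "medium": 2, "high": 3}          # likelihood and CIA impact
EFFECT = {"limited": 1, "serious": 2, "severe": 3}  # organizational effect
CIA = ("confidentiality", "integrity", "availability")


def likelihood_band(percent: int) -> str:
    """Map a whole-number likelihood percentage to the slides' band names."""
    if isinstance(percent, bool) or not isinstance(percent, int) or not 0 <= percent <= 100:
        raise ValueError(f"likelihood must be an integer 0-100, got {percent!r}")
    for name, low, high in LIKELIHOOD_BANDS:
        if low <= percent <= high:
            return name
    raise AssertionError("unreachable: bands cover 0-100")


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    threat: str
    vulnerability: str
    likelihood_pct: int
    impact: dict  # CIA leg -> "low" | "medium" | "high"
    effect: str   # "limited" | "serious" | "severe"

    def __post_init__(self):
        # Reject registers that skip a CIA leg or use names outside the slides' scales.
        if set(self.impact) != set(CIA):
            raise ValueError("impact must rate confidentiality, integrity and availability")
        if any(v not in LEVEL for v in self.impact.values()) or self.effect not in EFFECT:
            raise ValueError("impact and effect must use the slides' category names")


def impact_level(pair: ThreatVulnerabilityPair) -> str:
    """Assumption: the worst-hit CIA leg sets the overall impact category."""
    worst = max(LEVEL[v] for v in pair.impact.values())
    return next(name for name, n in LEVEL.items() if n == worst)


def risk_score(pair: ThreatVulnerabilityPair) -> int:
    """Assumed 3x3 matrix: likelihood level times impact level, range 1..9."""
    return LEVEL[likelihood_band(pair.likelihood_pct)] * LEVEL[impact_level(pair)]


def risk_rating(score: int) -> str:
    """Assumed thresholds on the 1..9 product: 6-9 high, 3-4 medium, 1-2 low."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def rank_register(pairs):
    """Highest score first so resources go to the top; effect breaks ties."""
    return sorted(pairs, key=lambda p: (risk_score(p), EFFECT[p.effect]), reverse=True)


# Constructed sample register: threat categories come from the slides,
# the vulnerabilities and numbers are invented for this illustration.
REGISTER = [
    ThreatVulnerabilityPair("hackers (phishing)", "employees never tested with example attacks", 80,
                            {"confidentiality": "high", "integrity": "medium", "availability": "low"}, "serious"),
    ThreatVulnerabilityPair("former employee", "accounts not disabled at termination", 55,
                            {"confidentiality": "high", "integrity": "high", "availability": "medium"}, "severe"),
    ThreatVulnerabilityPair("natural disaster (flood)", "single site with no tested recovery plan", 10,
                            {"confidentiality": "low", "integrity": "low", "availability": "high"}, "severe"),
    ThreatVulnerabilityPair("vendor", "remote support access never reviewed", 45,
                            {"confidentiality": "medium", "integrity": "low", "availability": "medium"}, "limited"),
]

if __name__ == "__main__":
    for p in rank_register(REGISTER):
        s = risk_score(p)
        print(f"{risk_rating(s):6} {s}  {p.threat} -> {p.vulnerability}")
```

Running it lists the phishing and former-employee pairs as high, the vendor and flood pairs as medium, which matches the slides' point that the same threat list ranks differently once likelihood and impact are relative to one organization; change the percentages or categories and the ordering moves with them.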
How I Identify and Analyze Risk (Continued)
• Four strategies for managing risk
• Mitigation – Most common. Fixing the flaw or a control
• Transference – Primarily financial. Another party assumes the
risk
• Acceptance – We know the risk is there, so we accept it.
• Avoidance – Remove the vulnerability or even eliminate the
system
How I Identify and Analyze Risk (Continued)
• In many ways, our greatest risks are the employees within our organizations
• Is he your employee?
How I Identify and Analyze Risk (Continued)
• COMMUNICATE
• Management and employees need to know and understand the risks and how the organization will deal with them
• I’m going to say it again, COMMUNICATE!
• Train, Train, and Train
• I cannot stress enough how important training is
• Every month, test the employees
• Send out examples of attacks and what the outcome was
“Apply” What I’ve Learned
• Risk will always be unique to an organization
• Know the threats and vulnerabilities
• Need to analyze all aspects of the business
• Create or enhance a Risk Management Program
• Communicate
• Train