The document discusses identifying and analyzing risk in information systems. It provides guidance on how to assess risk through the following steps: (1) identify threats and vulnerabilities, (2) relate threats to vulnerabilities to determine likelihood and impact, (3) categorize likelihood and impact, (4) determine organizational effect, and (5) identify risk management strategies. It stresses the importance of communication and training in managing risk.
3. Identifying and Analyzing Risk In Information Systems
• Identify – establish who or what something is
• Analyze – examine information in detail for a purpose
• Risk – the potential of gaining or losing something of value
• Harm from a current or future event
• Threat – anything that can accidentally trigger or intentionally exploit a specific
vulnerability
4. UNUSUAL PLOY IN ANTHEM BREACH CASE FAILS
• You may recall, ≈ 80 million records breached
• Database Administrator discovers his credentials are being used to
execute a questionable query
• Someone had gained unauthorized access to their IT systems
• Health plan Anthem Inc. makes a bold motion, “to access plaintiffs’
computers, smartphones and tablets to image and copy them to
determine whether the data breach or embedded malware was
responsible for the potential harm that could include identity theft
and tax problems”**
• Could the consumer be at fault?
**http://www.databreachtoday.com/blogs/unusual-ploy-in-anthem-breach-case-fails-p-2101
5. What Do You Think?
• Should consumers bear some of the risk?
9. How is Risk Assessed?
• Identify the threats and vulnerabilities
• Analyze the impact to the organization or process,
then determine the likelihood of an event
• Easy right?
10. What Do You Think?
• What are some guiding principles you use to analyze
risk?
11. Internal and External Risks Affect Decision-Making
INTERNAL
• Employees
• Technology
• Security
• Compliance – legal and regulatory
• IP
EXTERNAL
• Former Employees
• Natural Disasters
• Hackers
• Vendors
• Regulators looking at compliance
13. How I Identify and Analyze Risk
• First
• Identify threats
• Identify vulnerabilities
• Second
• Relate threats to vulnerabilities
• Threat/Vulnerability Pair
14. How I Identify and Analyze Risk (Continued)
• Define the likelihood
• You have a threat; how likely is it to be exercised against
the vulnerability?
Likelihood – These percentages are relative to your organization
Low 0 – 40%
Medium 41 – 75%
High 76 – 100%
15. How I Identify and Analyze Risk (Continued)
• What’s the Impact?
• I use the CIA triad
• Confidentiality – loss leads to limited, serious, or severe
effect upon the organization
• Integrity
• Availability
• I categorize them by low, medium, and high
16. How I Identify and Analyze Risk (Continued)
• Organizational Effect?
• Business Disruption – how is capability affected?
• Financial loss – Assigned dollar amount
• Employees – Incapacitated
• I categorize them by limited, serious, and severe
17. How I Identify and Analyze Risk (Continued)
• “Assessing risk is determining the likelihood of the threat
being exercised against the vulnerability and the resulting
impact from a successful compromise.” SANS Institute
• The purpose of assessing risk is to assist management in
decision making on where resources should be assigned
18. How I Identify and Analyze Risk (Continued)
• Four strategies for managing risk
• Mitigation – Most common. Fixing the flaw or applying a control
• Transference – Primarily financial. Another party assumes the
risk
• Acceptance – We know the risk is there, so we accept it.
• Avoidance – Remove the vulnerability or even eliminate the
system
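The assessment steps on the preceding slides (threat/vulnerability pairs, the 0–40 / 41–75 / 76–100 likelihood bands, CIA impact rated low/medium/high, organizational effect rated limited/serious/severe, and one of the four treatment strategies) can be carried as a small risk register. The block below is an added example written for this page, not the author's own tooling. The likelihood bands and rating scales come from the slides; the 3x3 likelihood-by-impact lookup that produces a single risk level, the field names, and the sample register are assumptions made here so the code runs offline.

```python
"""Risk register following the deck's assessment steps.

Added example, not code from the original deck. Assumptions (not on the
slides): the RISK_MATRIX lookup, the dataclass field names, and the sample
entries in SAMPLE_REGISTER, which are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rating scales taken from the slides.
LOW, MEDIUM, HIGH = "low", "medium", "high"
BANDS = (LOW, MEDIUM, HIGH)                      # ordered least to most severe
EFFECTS = ("limited", "serious", "severe")       # organizational effect
STRATEGIES = ("mitigation", "transference", "acceptance", "avoidance")
CIA_KEYS = ("confidentiality", "integrity", "availability")


def likelihood_band(percent: float) -> str:
    """Map an organization-relative likelihood (0-100%) to Low/Medium/High.

    Boundaries follow the deck: 0-40 low, 41-75 medium, 76-100 high.
    Fractional values fall into the band whose upper bound they do not exceed.
    """
    if not 0 <= percent <= 100:
        raise ValueError(f"likelihood must be between 0 and 100, got {percent}")
    if percent <= 40:
        return LOW
    if percent <= 75:
        return MEDIUM
    return HIGH


def impact_band(cia: Dict[str, str]) -> str:
    """Overall impact is the worst of the three CIA ratings (high-water mark)."""
    for key in CIA_KEYS:
        if cia.get(key) not in BANDS:
            raise ValueError(f"{key} must be one of {BANDS}, got {cia.get(key)!r}")
    return max((cia[k] for k in CIA_KEYS), key=BANDS.index)


# Assumed 3x3 lookup: (likelihood band, impact band) -> risk level.
RISK_MATRIX = {
    (LOW, LOW): LOW,       (LOW, MEDIUM): LOW,       (LOW, HIGH): MEDIUM,
    (MEDIUM, LOW): LOW,    (MEDIUM, MEDIUM): MEDIUM, (MEDIUM, HIGH): HIGH,
    (HIGH, LOW): MEDIUM,   (HIGH, MEDIUM): HIGH,     (HIGH, HIGH): HIGH,
}


@dataclass
class ThreatVulnPair:
    """One threat related to one vulnerability, with the ratings the deck asks for."""
    threat: str
    vulnerability: str
    likelihood_pct: float
    cia: Dict[str, str]
    org_effect: str = "limited"          # recorded, not scored (deck gives no formula)
    strategy: Optional[str] = None       # chosen by management after assessment

    def __post_init__(self) -> None:
        if self.org_effect not in EFFECTS:
            raise ValueError(f"org_effect must be one of {EFFECTS}")
        if self.strategy is not None and self.strategy not in STRATEGIES:
            raise ValueError(f"strategy must be one of {STRATEGIES}")

    @property
    def risk_level(self) -> str:
        return RISK_MATRIX[(likelihood_band(self.likelihood_pct), impact_band(self.cia))]


def prioritise(pairs: List[ThreatVulnPair]) -> List[ThreatVulnPair]:
    """Order the register so management sees where resources should go first."""
    return sorted(pairs,
                  key=lambda p: (BANDS.index(p.risk_level), p.likelihood_pct),
                  reverse=True)


# Constructed sample register (illustrative values, not real assessment data).
SAMPLE_REGISTER = [
    ThreatVulnPair("phished database administrator", "no MFA on DBA accounts",
                   80, {"confidentiality": HIGH, "integrity": MEDIUM, "availability": LOW},
                   org_effect="severe", strategy="mitigation"),
    ThreatVulnPair("former employee", "VPN accounts not disabled at offboarding",
                   55, {"confidentiality": MEDIUM, "integrity": MEDIUM, "availability": LOW},
                   org_effect="serious", strategy="mitigation"),
    ThreatVulnPair("flood at the single data centre", "no off-site backups",
                   10, {"confidentiality": LOW, "integrity": LOW, "availability": HIGH},
                   org_effect="severe", strategy="transference"),
]

if __name__ == "__main__":
    for p in prioritise(SAMPLE_REGISTER):
        print(f"{p.risk_level:6}  {p.likelihood_pct:5.1f}%  {p.threat} -> {p.vulnerability}")
```

Because the register is a plain list of dataclasses, it can be re-run each time likelihood or impact ratings are revised, which is what makes the communicated results repeatable rather than a one-off judgement.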
19. How I Identify and Analyze Risk (Continued)
• In many ways, our greatest risk is the employees within our
organizations
• Is he your employee?
20. How I Identify and Analyze Risk (Continued)
• COMMUNICATE
• Management and employees need to know and understand the risks
and how the organization will deal with them
• I’m going to say it again, COMMUNICATE!
• Train, Train, and Train
• I cannot stress enough how important training is
• Every month, test the employees
• Send out examples of attacks and what the outcome was
21. “Apply” What I’ve Learned
• Risk will always be unique to an organization
• Know the threats and vulnerabilities
• Need to analyze all aspects of the business
• Create or enhance a Risk Management Program
• Communicate
• Train