SlideShare a Scribd company logo

Lesson 2

•Download as PPT, PDF•
•
M
MLG College of Learning, Inc

Information Asset Valuation

Education
1 of 22
Principles of Information Security, Fifth Edition Chapter 5 Risk Management Lesson 2 – Information Asset Valuation
Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, risk identification, and risk control – Describe how risk is identified and assessed – Assess risk based on probability of occurrence and likely impact – Explain the fundamental aspects of documenting risk via the process of risk assessment Principles of Information Security, Fifth Edition 2
Learning Objectives (cont’d) – Describe the various risk mitigation strategy options – Identify the categories that can be used to classify controls – Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis Principles of Information Security, Fifth Edition 3
Information Asset Valuation • Questions help develop criteria for asset valuation. • Which information asset: – Is most critical to the organization’s success? – Generates the most revenue/profitability? – Plays the biggest role in generating revenue or delivering services? – Would be the most expensive to replace or protect? – Would be the most embarrassing or cause greatest liability if revealed? Principles of Information Security, Fifth Edition 4
Principles of Information Security, Fifth Edition 5
Information Asset Valuation (cont’d) • Information asset prioritization – Create weighting for each category based on the answers to questions. – Prioritize each asset using weighted factor analysis. – List the assets in order of importance using a weighted factor analysis worksheet. Principles of Information Security, Fifth Edition 6
Principles of Information Security, Fifth Edition 7
Identifying and Prioritizing Threats • Realistic threats need investigation; unimportant threats are set aside. • Threat assessment: – Which threats present danger to assets? – Which threats represent the most danger to information? – How much would it cost to recover from a successful attack? – Which threat requires greatest expenditure to prevent? Principles of Information Security, Fifth Edition 8
Principles of Information Security, Fifth Edition 9
Specifying Asset Vulnerabilities • Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities. • Examine how each threat could be perpetrated and list the organization’s assets and vulnerabilities. • Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions. • At the end of the risk identification process, prioritized list of assets with their vulnerabilities is achieved. – Can be combined with weighted list of threats to form threats-vulnerabilities-assets (TVA) worksheet Principles of Information Security, Fifth Edition 10
Principles of Information Security, Fifth Edition 11
Principles of Information Security, Fifth Edition 12
Risk Assessment • Risk assessment evaluates the relative risk for each vulnerability. • It assigns a risk rating or score to each information asset. • Planning and organizing risk assessment – The goal at this point is to create a method for evaluating the relative risk of each listed vulnerability. Principles of Information Security, Fifth Edition 13
Principles of Information Security, Fifth Edition 14
Determining the Loss Frequency • Describes an assessment of the likelihood of an attack combined with expected probability of success • Use external references for values that have been reviewed/adjusted for your circumstances. • Assign numeric value to likelihood, typically annual value. – Targeted by hackers once every five years: 1/5, 20 percent • Determining an attack’s success probability by estimating quantitative value (e.g., 10 percent) for the likelihood of a successful attack; value subject to uncertainty Principles of Information Security, Fifth Edition 15
Evaluating Loss Magnitude • The next step is to determine how much of an information asset could be lost in a successful attack. – Also known as loss magnitude or asset exposure • Combines the value of information asset with the percentage of asset lost in event of a successful attack • Difficulties involve: – Valuating an information asset – Estimating percentage of information asset lost during best-case, worst-case, and most likely scenarios Principles of Information Security, Fifth Edition 16
Calculating Risk • For the purpose of relative risk assessment, risk equals: – Loss frequency TIMES loss magnitude – MINUS the percentage of risk mitigated by current controls – PLUS an element of uncertainty Principles of Information Security, Fifth Edition 17
Principles of Information Security, Fifth Edition 18
Assessing Risk Acceptability • For each threat and associated vulnerabilities that have residual risk, create ranking of relative risk levels. • Residual risk is the left-over risk after the organization has done everything feasible to protect its assets. • If risk appetite is less than the residual risk, it must look for additional strategies to further reduce the risk. – If risk appetite is greater than the residual risk, it must proceed to the latter stages of risk control. Principles of Information Security, Fifth Edition 19
Documenting the Results of Risk Assessment • The final summarized document is the ranked vulnerability risk worksheet. • Worksheet describes asset, asset relative value, vulnerability, loss frequency, and loss magnitude. • Ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk. Principles of Information Security, Fifth Edition 20
Principles of Information Security, Fifth Edition 21
Principles of Information Security, Fifth Edition 22

Recommended

Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair ApproachMLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction MLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information PolicyMLG College of Learning, Inc
 
Lesson 4
Lesson 4Lesson 4
Lesson 4MLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 

Recommended

Lesson 3- Fair Approach
Lesson 3- Fair ApproachLesson 3- Fair Approach
Lesson 3- Fair ApproachMLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1 - Introduction
Lesson 1 - Introduction Lesson 1 - Introduction
Lesson 1 - Introduction MLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information PolicyMLG College of Learning, Inc
 
Lesson 4
Lesson 4Lesson 4
Lesson 4MLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk ManagmentMLG College of Learning, Inc
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSMLG College of Learning, Inc
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical ControlsMLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Chapter 5
Chapter 5Chapter 5
Chapter 5sivadnolram
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionMLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1MLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaSee You Rise Holdings
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationMLG College of Learning, Inc
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 

More Related Content

What's hot

Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4MLG College of Learning, Inc
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1MLG College of Learning, Inc
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaSee You Rise Holdings
 
Information Security
Information SecurityInformation Security
Information Securitychenpingling
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsRd. R. Agung Trimanda
 

What's hot (20)

Lesson 1- Risk Managment
Lesson 1- Risk ManagmentLesson 1- Risk Managment
Lesson 1- Risk Managment
 
Lesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPSLesson 3- Effectiveness of IDPS
Lesson 3- Effectiveness of IDPS
 
Lesson 1 - Technical Controls
Lesson 1 - Technical ControlsLesson 1 - Technical Controls
Lesson 1 - Technical Controls
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2Information Assurance And Security - Chapter 1 - Lesson 2
Information Assurance And Security - Chapter 1 - Lesson 2
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Lesson 1- Intrusion Detection
Lesson 1- Intrusion DetectionLesson 1- Intrusion Detection
Lesson 1- Intrusion Detection
 
Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1Information Assurance And Security - Chapter 1 - Lesson 1
Information Assurance And Security - Chapter 1 - Lesson 1
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
Information Security
Information SecurityInformation Security
Information Security
 
Resume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and ControlsResume: The Complete Guide to Cybersecurity Risks and Controls
Resume: The Complete Guide to Cybersecurity Risks and Controls
 

Similar to Lesson 2

Security risk management
Security risk managementSecurity risk management
Security risk managementbrijesh singh
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptxcejobelle
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE360 BSI
 
Building Risk Management into Enterprise Architecture
Building Risk Management into Enterprise ArchitectureBuilding Risk Management into Enterprise Architecture
Building Risk Management into Enterprise Architectureiasaglobal
 
ch14.ppt
ch14.pptch14.ppt
ch14.pptFizZaShYkh
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxChandan Singh Ghodela
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpointrandalje86
 
Top 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptxTop 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptxinfosec train
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileVijayananda Mohire
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniyaseraljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniYaser Alrefai
 
Management Control and Risk.pptx
Management Control and Risk.pptxManagement Control and Risk.pptx
Management Control and Risk.pptxSuku Thomas Samuel
 

Similar to Lesson 2 (20)

Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 
Module 3_Lesson 7.pptx
Module 3_Lesson 7.pptxModule 3_Lesson 7.pptx
Module 3_Lesson 7.pptx
 
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAEIT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
IT Risk Management & Leadership 30 March - 02 April 2014 Dubai UAE
 
Building Risk Management into Enterprise Architecture
Building Risk Management into Enterprise ArchitectureBuilding Risk Management into Enterprise Architecture
Building Risk Management into Enterprise Architecture
 
ch14.ppt
ch14.pptch14.ppt
ch14.ppt
 
OWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptxOWASP Risk Rating Methodology.pptx
OWASP Risk Rating Methodology.pptx
 
Risk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection PowerpointRisk Based Security and Self Protection Powerpoint
Risk Based Security and Self Protection Powerpoint
 
Top 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptxTop 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptx
 
Microsoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobileMicrosoft InfoSec for cloud and mobile
Microsoft InfoSec for cloud and mobile
 
Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Step by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohaniStep by-step for risk analysis and management-yaser aljohani
Step by-step for risk analysis and management-yaser aljohani
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Notes prep guide
Notes prep guideNotes prep guide
Notes prep guide
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
 
Management Control and Risk.pptx
Management Control and Risk.pptxManagement Control and Risk.pptx
Management Control and Risk.pptx
 

More from MLG College of Learning, Inc

More from MLG College of Learning, Inc (20)

PC111.Lesson2
PC111.Lesson2PC111.Lesson2
PC111.Lesson2
 
PC111.Lesson1
PC111.Lesson1PC111.Lesson1
PC111.Lesson1
 
PC111-lesson1.pptx
PC111-lesson1.pptxPC111-lesson1.pptx
PC111-lesson1.pptx
 
PC LEESOON 6.pptx
PC LEESOON 6.pptxPC LEESOON 6.pptx
PC LEESOON 6.pptx
 
PC 106 PPT-09.pptx
PC 106 PPT-09.pptxPC 106 PPT-09.pptx
PC 106 PPT-09.pptx
 
PC 106 PPT-07
PC 106 PPT-07PC 106 PPT-07
PC 106 PPT-07
 
PC 106 PPT-01
PC 106 PPT-01PC 106 PPT-01
PC 106 PPT-01
 
PC 106 PPT-06
PC 106 PPT-06PC 106 PPT-06
PC 106 PPT-06
 
PC 106 PPT-05
PC 106 PPT-05PC 106 PPT-05
PC 106 PPT-05
 
PC 106 Slide 04
PC 106 Slide 04PC 106 Slide 04
PC 106 Slide 04
 
PC 106 Slide no.02
PC 106 Slide no.02PC 106 Slide no.02
PC 106 Slide no.02
 
pc-106-slide-3
pc-106-slide-3pc-106-slide-3
pc-106-slide-3
 
PC 106 Slide 2
PC 106 Slide 2PC 106 Slide 2
PC 106 Slide 2
 
PC 106 Slide 1.pptx
PC 106 Slide 1.pptxPC 106 Slide 1.pptx
PC 106 Slide 1.pptx
 
Db2 characteristics of db ms
Db2 characteristics of db msDb2 characteristics of db ms
Db2 characteristics of db ms
 
Db1 introduction
Db1 introductionDb1 introduction
Db1 introduction
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 
Lesson 3.1
Lesson 3.1Lesson 3.1
Lesson 3.1
 
Lesson 1.6
Lesson 1.6Lesson 1.6
Lesson 1.6
 
Lesson 3.2
Lesson 3.2Lesson 3.2
Lesson 3.2
 

Recently uploaded

_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting DataJhengPantaleon
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonJericReyAuditor
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxAnaBeatriceAblay2
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,Virag Sontakke
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Celine George
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 

Recently uploaded (20)

_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data_Math 4-Q4 Week 5.pptx Steps in Collecting Data
_Math 4-Q4 Week 5.pptx Steps in Collecting Data
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lesson
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptxENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
ENGLISH5 QUARTER4 MODULE1 WEEK1-3 How Visual and Multimedia Elements.pptx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,भारत-रोम व्यापार.pptx, Indo-Roman Trade,
भारत-रोम व्यापार.pptx, Indo-Roman Trade,
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 

Lesson 2

  • 1. Principles of Information Security, Fifth Edition Chapter 5 Risk Management Lesson 2 – Information Asset Valuation
  • 2. Learning Objectives • Upon completion of this material, you should be able to: – Define risk management, risk identification, and risk control – Describe how risk is identified and assessed – Assess risk based on probability of occurrence and likely impact – Explain the fundamental aspects of documenting risk via the process of risk assessment Principles of Information Security, Fifth Edition 2
  • 3. Learning Objectives (cont’d) – Describe the various risk mitigation strategy options – Identify the categories that can be used to classify controls – Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis Principles of Information Security, Fifth Edition 3
  • 4. Information Asset Valuation • Questions help develop criteria for asset valuation. • Which information asset: – Is most critical to the organization’s success? – Generates the most revenue/profitability? – Plays the biggest role in generating revenue or delivering services? – Would be the most expensive to replace or protect? – Would be the most embarrassing or cause greatest liability if revealed? Principles of Information Security, Fifth Edition 4
  • 5. Principles of Information Security, Fifth Edition 5
  • 6. Information Asset Valuation (cont’d) • Information asset prioritization – Create weighting for each category based on the answers to questions. – Prioritize each asset using weighted factor analysis. – List the assets in order of importance using a weighted factor analysis worksheet. Principles of Information Security, Fifth Edition 6
  • 7. Principles of Information Security, Fifth Edition 7
  • 8. Identifying and Prioritizing Threats • Realistic threats need investigation; unimportant threats are set aside. • Threat assessment: – Which threats present danger to assets? – Which threats represent the most danger to information? – How much would it cost to recover from a successful attack? – Which threat requires greatest expenditure to prevent? Principles of Information Security, Fifth Edition 8
  • 9. Principles of Information Security, Fifth Edition 9
  • 10. Specifying Asset Vulnerabilities • Specific avenues threat agents can exploit to attack an information asset are called vulnerabilities. • Examine how each threat could be perpetrated and list the organization’s assets and vulnerabilities. • Process works best when people with diverse backgrounds within organization work iteratively in a series of brainstorming sessions. • At the end of the risk identification process, prioritized list of assets with their vulnerabilities is achieved. – Can be combined with weighted list of threats to form threats-vulnerabilities-assets (TVA) worksheet Principles of Information Security, Fifth Edition 10
  • 11. Principles of Information Security, Fifth Edition 11
  • 12. Principles of Information Security, Fifth Edition 12
  • 13. Risk Assessment • Risk assessment evaluates the relative risk for each vulnerability. • It assigns a risk rating or score to each information asset. • Planning and organizing risk assessment – The goal at this point is to create a method for evaluating the relative risk of each listed vulnerability. Principles of Information Security, Fifth Edition 13
  • 14. Principles of Information Security, Fifth Edition 14
  • 15. Determining the Loss Frequency • Describes an assessment of the likelihood of an attack combined with expected probability of success • Use external references for values that have been reviewed/adjusted for your circumstances. • Assign numeric value to likelihood, typically annual value. – Targeted by hackers once every five years: 1/5, 20 percent • Determining an attack’s success probability by estimating quantitative value (e.g., 10 percent) for the likelihood of a successful attack; value subject to uncertainty Principles of Information Security, Fifth Edition 15
  • 16. Evaluating Loss Magnitude • The next step is to determine how much of an information asset could be lost in a successful attack. – Also known as loss magnitude or asset exposure • Combines the value of information asset with the percentage of asset lost in event of a successful attack • Difficulties involve: – Valuating an information asset – Estimating percentage of information asset lost during best-case, worst-case, and most likely scenarios Principles of Information Security, Fifth Edition 16
  • 17. Calculating Risk • For the purpose of relative risk assessment, risk equals: – Loss frequency TIMES loss magnitude – MINUS the percentage of risk mitigated by current controls – PLUS an element of uncertainty Principles of Information Security, Fifth Edition 17
  • 18. Principles of Information Security, Fifth Edition 18
  • 19. Assessing Risk Acceptability • For each threat and associated vulnerabilities that have residual risk, create ranking of relative risk levels. • Residual risk is the left-over risk after the organization has done everything feasible to protect its assets. • If risk appetite is less than the residual risk, it must look for additional strategies to further reduce the risk. – If risk appetite is greater than the residual risk, it must proceed to the latter stages of risk control. Principles of Information Security, Fifth Edition 19
  • 20. Documenting the Results of Risk Assessment • The final summarized document is the ranked vulnerability risk worksheet. • Worksheet describes asset, asset relative value, vulnerability, loss frequency, and loss magnitude. • Ranked vulnerability risk worksheet is the initial working document for the next step in the risk management process: assessing and controlling risk. Principles of Information Security, Fifth Edition 20
  • 21. Principles of Information Security, Fifth Edition 21
  • 22. Principles of Information Security, Fifth Edition 22