SlideShare a Scribd company logo

Lecture2.pptx

Download as PPTX, PDF
M
MohammedNouh7

software security and reliability

Technology
1 of 21
Risk Management Framework (RMF)
2 Risk Assessment RISK Threats Vulnerabilities Consequences
3 Financial Loss Dollar Amount Losses by Type Total Loss (2006): $53,494,290 CSI/FBI Computer Crime and Security Survey Computer Security Institute
4 Real Cost of Cyber Attack  Damage of the target may not reflect the real amount of damage  Services may rely on the attacked service, causing a cascading and escalating damage  Need: support for decision makers to – Evaluate risk and consequences of cyber attacks – Support methods to prevent, deter, and mitigate consequences of attacks
5 System Security Engineering (Traditional View) Specify System Architecture Identify Threats, Vulnerabilities, Attacks Estimate Risk Prioritize Vulnerabilities Identify and Install Safeguards Risk is acceptably low
Risk Management Framework (Business Context) Five Stages  RMF occurs in parallel with SDLC activities Understand the Business context Identify the Business and Technical Risk Artifact Analysis Synthesize and Rank the Risks Define the Risk Mitigation Strategy Carry out fixes And validate Business Context 1 2 3 4 5 Measurement and reporting
Stage 1: Understand Business Context  Risk management  Occurs in a business context  Affected by business motivation  Key activity of an analyst  Extract and describe business goals – clearly  Increasing revenue; reducing dev cost; meeting SLAs; generating high return on investment (ROI)  Set priorities  Understand circumstances  Bottomline – answer the question  who cares?
Stage 2: Identify the business & technical risks  Business risks have impact Direct financial loss; loss of reputation; violation of customer or regulatory requirements; increase in development cost  Severity of risks Should be capture in financial or project management terms  Key is – tie technical risks to business context
Stage 3: Synthesize and rank the risks  Prioritize the risks alongside the business goals  Assign risks appropriate weights for resolution  Risk metrics Risk likelihood Risk impact Number of risks mitigated over time
Stage 4: Risk Mitigation Strategy  Develop a coherent strategy  For mitigating risks  In cost effective manner; account for  Cost Implementation time  Completeness Impact  Likelihood of success  A mitigation strategy should  Be developed within the business context  Be based on what the organization can afford, integrate and understand  Must directly identify validation techniques
Stage 5: Carry out Fixes and Validate  Execute the chosen mitigation strategy  Rectify the artifacts Measure completeness Estimate  Progress, residual risks  Validate that risks have been mitigated Testing can be used to demonstrate Develop confidence that unacceptable risk does not remain
RMF - A Multi-loop  Risk management is a continuous process  Five stages may need to be applied many times  Ordering may be interleaved in different ways  Risk can emerge at any time in SDLC  One way – apply in each phase of SDLC  Risk can be found between stages  Level of application  Primary – project level  Each stage must capture complete project  SDLC phase level  Artifact level  It is important to know that RM is  Cumulative  At times arbitrary and difficult to predict
13 Measuring and Reporting  Continuous and consistent identification and storage of risk information over time  Maintain risk information at all stages of risk management  Establish measurements, e.g., Number of risks, severity of risks, cost of mitigation, etc.
14 Assets-Threat Model (1) Threats compromise assets Threats have a probability of occurrence and severity of effect Assets have values Assets are vulnerable to threats Threats Assets
15 Assets-Threat Model (2) Risk: expected loss from the threat against an asset R=V*P*S  R risk  V value of asset  P probability of occurrence of threat  V vulnerability of the asset to the threat
16 System-Failure Model Estimate probability of highly undesirable events Risk: likelihood of undesirable outcome Threat System Undesirable outcome
17 Risk Acceptance Certification  How well the system meet the security requirements (technical) Accreditation  Management’s approval of automated system (administrative)
Risk Management Framework (Business Context) Understand the Business context Identify the Business and Technical Risk Artifact Analysis Synthesize and Rank the Risks Define the Risk Mitigation Strategy Carry out fixes And validate Business Context 1 2 3 4 5 Measurement and reporting Who Why What How Strengthen system
NEXT TOPIC IS RECOMMENDED ONLY 19
INCIDENT HANDLING Computer Security Incident Handling Guide, Recommendations of the National Institute of Standards and Technology 20 HTTP://CSRC.NIST.GOV/PUBLICATIONS/NIS TPUBS/800-61-REV1/SP800-61REV1.PDF
Questions? 21

Recommended

Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskFinancial Services Innovators
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
project risk management
project risk managementproject risk management
project risk managementAshima Thakur
 
Security risk management
Security risk managementSecurity risk management
Security risk managementbrijesh singh
 
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversityChapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversitySwaminath Sam
 
e-Symposium_ISACA_Ramsés_Gallego
e-Symposium_ISACA_Ramsés_Gallegoe-Symposium_ISACA_Ramsés_Gallego
e-Symposium_ISACA_Ramsés_GallegoRamsés Gallego
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 

Recommended

Dealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskDealing with Operational and Ecosystem Risk
Dealing with Operational and Ecosystem RiskFinancial Services Innovators
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
Level 2
Level 2Level 2
Level 2GWC GROUP
 
project risk management
project risk managementproject risk management
project risk managementAshima Thakur
 
Security risk management
Security risk managementSecurity risk management
Security risk managementbrijesh singh
 
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversityChapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore University
Chapter 5 - Risk Management - 2nd Semester - M.Com - Bangalore UniversitySwaminath Sam
 
e-Symposium_ISACA_Ramsés_Gallego
e-Symposium_ISACA_Ramsés_Gallegoe-Symposium_ISACA_Ramsés_Gallego
e-Symposium_ISACA_Ramsés_GallegoRamsés Gallego
 
Review of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementReview of Enterprise Security Risk Management
Review of Enterprise Security Risk ManagementRand W. Hirt
 
Erm talking points
Erm talking pointsErm talking points
Erm talking pointsEnterpriseGRC Solutions, Inc.
 
Risk
RiskRisk
RiskRahul Hada
 
Session 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment ProcessSession 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment ProcessMuizz Anibire
 
Project risk analysis
Project risk analysisProject risk analysis
Project risk analysisNur E Alam Siddike
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessmentGeorge Delikouras
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
Risk Management
Risk ManagementRisk Management
Risk Managementrajuinstru
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptxPandiya Rajan
 
Beyond PMP: Risk Management
Beyond PMP: Risk ManagementBeyond PMP: Risk Management
Beyond PMP: Risk Managementabhinayverma
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course PreviewInvensis Learning
 
risk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdfrisk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdfPriyanshTan
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementAndrew Valenti
 
Risk management
Risk managementRisk management
Risk managementSazzad Hossain, ITP, MBA, CSCA™
 
Risk-management
Risk-management Risk-management
Risk-managementUmesh Gupta
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fairiaemedu
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programPriyanka Aash
 
Software Engineering
Software EngineeringSoftware Engineering
Software EngineeringVijayapriyaP1
 
Final Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptxFinal Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptxGeorgeKabongah2
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaPankaj K Sinha
 
JavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.pptJavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.pptMohammedNouh7
 
Chapter7 database management system.pptx
Chapter7 database management system.pptxChapter7 database management system.pptx
Chapter7 database management system.pptxMohammedNouh7
 

More Related Content

Similar to Lecture2.pptx

Session 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment ProcessSession 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment ProcessMuizz Anibire
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).pptAjjuSingh2
 
Risk Management
Risk ManagementRisk Management
Risk Managementrajuinstru
 
Beyond PMP: Risk Management
Beyond PMP: Risk ManagementBeyond PMP: Risk Management
Beyond PMP: Risk Managementabhinayverma
 
risk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdfrisk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdfPriyanshTan
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementAndrew Valenti
 
Risk-management
Risk-management Risk-management
Risk-managementUmesh Gupta
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fairiaemedu
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programPriyanka Aash
 
Software Engineering
Software EngineeringSoftware Engineering
Software EngineeringVijayapriyaP1
 
Final Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptxFinal Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptxGeorgeKabongah2
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaPankaj K Sinha
 

Similar to Lecture2.pptx (20)

Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
Risk
RiskRisk
Risk
 
Session 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment ProcessSession 02 Risk Assessment Program for YSP_The Risk Assessment Process
Session 02 Risk Assessment Program for YSP_The Risk Assessment Process
 
Project risk analysis
Project risk analysisProject risk analysis
Project risk analysis
 
Risk Management (1) (1).ppt
Risk Management (1) (1).pptRisk Management (1) (1).ppt
Risk Management (1) (1).ppt
 
Hands on IT risk assessment
Hands on IT risk assessmentHands on IT risk assessment
Hands on IT risk assessment
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Beyond PMP: Risk Management
Beyond PMP: Risk ManagementBeyond PMP: Risk Management
Beyond PMP: Risk Management
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
 
risk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdfrisk-management-121021125051-phpapp02 (1).pdf
risk-management-121021125051-phpapp02 (1).pdf
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk Management
 
Risk management
Risk managementRisk management
Risk management
 
Risk-management
Risk-management Risk-management
Risk-management
 
Understanding enterprise risk management and fair
Understanding enterprise risk management and fairUnderstanding enterprise risk management and fair
Understanding enterprise risk management and fair
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 
Software Engineering
Software EngineeringSoftware Engineering
Software Engineering
 
Final Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptxFinal Class Presentation on Determining Project Stakeholders & Risks.pptx
Final Class Presentation on Determining Project Stakeholders & Risks.pptx
 
Project Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K SinhaProject Risk Management-Pankaj K Sinha
Project Risk Management-Pankaj K Sinha
 

More from MohammedNouh7

JavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.pptJavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.pptMohammedNouh7
 
Chapter7 database management system.pptx
Chapter7 database management system.pptxChapter7 database management system.pptx
Chapter7 database management system.pptxMohammedNouh7
 
Introduction to database m Chapter 9.pptx
Introduction to database m Chapter 9.pptxIntroduction to database m Chapter 9.pptx
Introduction to database m Chapter 9.pptxMohammedNouh7
 
database management system lessonchapter
database management system lessonchapterdatabase management system lessonchapter
database management system lessonchapterMohammedNouh7
 
41slideAdvancedDatabaseProgramming.ppt
41slideAdvancedDatabaseProgramming.ppt41slideAdvancedDatabaseProgramming.ppt
41slideAdvancedDatabaseProgramming.pptMohammedNouh7
 
34slideDatabaseProgramming.ppt
34slideDatabaseProgramming.ppt34slideDatabaseProgramming.ppt
34slideDatabaseProgramming.pptMohammedNouh7
 

More from MohammedNouh7 (11)

JavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.pptJavaProgramming 17321_CS202-Chapter8.ppt
JavaProgramming 17321_CS202-Chapter8.ppt
 
Chapter7 database management system.pptx
Chapter7 database management system.pptxChapter7 database management system.pptx
Chapter7 database management system.pptx
 
Introduction to database m Chapter 9.pptx
Introduction to database m Chapter 9.pptxIntroduction to database m Chapter 9.pptx
Introduction to database m Chapter 9.pptx
 
database management system lessonchapter
database management system lessonchapterdatabase management system lessonchapter
database management system lessonchapter
 
Chapter 1.ppt
Chapter 1.pptChapter 1.ppt
Chapter 1.ppt
 
Ch13.pptx
Ch13.pptxCh13.pptx
Ch13.pptx
 
Ch21.pptx
Ch21.pptxCh21.pptx
Ch21.pptx
 
41slideAdvancedDatabaseProgramming.ppt
41slideAdvancedDatabaseProgramming.ppt41slideAdvancedDatabaseProgramming.ppt
41slideAdvancedDatabaseProgramming.ppt
 
34slideDatabaseProgramming.ppt
34slideDatabaseProgramming.ppt34slideDatabaseProgramming.ppt
34slideDatabaseProgramming.ppt
 
11slide.ppt
11slide.ppt11slide.ppt
11slide.ppt
 
10slide.ppt
10slide.ppt10slide.ppt
10slide.ppt
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 

Recently uploaded (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 

Lecture2.pptx

  • 3. 3 Financial Loss Dollar Amount Losses by Type Total Loss (2006): $53,494,290 CSI/FBI Computer Crime and Security Survey Computer Security Institute
  • 4. 4 Real Cost of Cyber Attack  Damage of the target may not reflect the real amount of damage  Services may rely on the attacked service, causing a cascading and escalating damage  Need: support for decision makers to – Evaluate risk and consequences of cyber attacks – Support methods to prevent, deter, and mitigate consequences of attacks
  • 5. 5 System Security Engineering (Traditional View) Specify System Architecture Identify Threats, Vulnerabilities, Attacks Estimate Risk Prioritize Vulnerabilities Identify and Install Safeguards Risk is acceptably low
  • 6. Risk Management Framework (Business Context) Five Stages  RMF occurs in parallel with SDLC activities Understand the Business context Identify the Business and Technical Risk Artifact Analysis Synthesize and Rank the Risks Define the Risk Mitigation Strategy Carry out fixes And validate Business Context 1 2 3 4 5 Measurement and reporting
  • 7. Stage 1: Understand Business Context  Risk management  Occurs in a business context  Affected by business motivation  Key activity of an analyst  Extract and describe business goals – clearly  Increasing revenue; reducing dev cost; meeting SLAs; generating high return on investment (ROI)  Set priorities  Understand circumstances  Bottomline – answer the question  who cares?
  • 8. Stage 2: Identify the business & technical risks  Business risks have impact Direct financial loss; loss of reputation; violation of customer or regulatory requirements; increase in development cost  Severity of risks Should be capture in financial or project management terms  Key is – tie technical risks to business context
  • 9. Stage 3: Synthesize and rank the risks  Prioritize the risks alongside the business goals  Assign risks appropriate weights for resolution  Risk metrics Risk likelihood Risk impact Number of risks mitigated over time
  • 10. Stage 4: Risk Mitigation Strategy  Develop a coherent strategy  For mitigating risks  In cost effective manner; account for  Cost Implementation time  Completeness Impact  Likelihood of success  A mitigation strategy should  Be developed within the business context  Be based on what the organization can afford, integrate and understand  Must directly identify validation techniques
  • 11. Stage 5: Carry out Fixes and Validate  Execute the chosen mitigation strategy  Rectify the artifacts Measure completeness Estimate  Progress, residual risks  Validate that risks have been mitigated Testing can be used to demonstrate Develop confidence that unacceptable risk does not remain
  • 12. RMF - A Multi-loop  Risk management is a continuous process  Five stages may need to be applied many times  Ordering may be interleaved in different ways  Risk can emerge at any time in SDLC  One way – apply in each phase of SDLC  Risk can be found between stages  Level of application  Primary – project level  Each stage must capture complete project  SDLC phase level  Artifact level  It is important to know that RM is  Cumulative  At times arbitrary and difficult to predict
  • 13. 13 Measuring and Reporting  Continuous and consistent identification and storage of risk information over time  Maintain risk information at all stages of risk management  Establish measurements, e.g., Number of risks, severity of risks, cost of mitigation, etc.
  • 14. 14 Assets-Threat Model (1) Threats compromise assets Threats have a probability of occurrence and severity of effect Assets have values Assets are vulnerable to threats Threats Assets
  • 15. 15 Assets-Threat Model (2) Risk: expected loss from the threat against an asset R=V*P*S  R risk  V value of asset  P probability of occurrence of threat  V vulnerability of the asset to the threat
  • 16. 16 System-Failure Model Estimate probability of highly undesirable events Risk: likelihood of undesirable outcome Threat System Undesirable outcome
  • 17. 17 Risk Acceptance Certification  How well the system meet the security requirements (technical) Accreditation  Management’s approval of automated system (administrative)
  • 18. Risk Management Framework (Business Context) Understand the Business context Identify the Business and Technical Risk Artifact Analysis Synthesize and Rank the Risks Define the Risk Mitigation Strategy Carry out fixes And validate Business Context 1 2 3 4 5 Measurement and reporting Who Why What How Strengthen system
  • 20. INCIDENT HANDLING Computer Security Incident Handling Guide, Recommendations of the National Institute of Standards and Technology 20 HTTP://CSRC.NIST.GOV/PUBLICATIONS/NIS TPUBS/800-61-REV1/SP800-61REV1.PDF

Editor's Notes

  1. Risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets. R= T X V X C We mean by asset people, property, and information…
  2. Did you know that a single cyber attack can cost an enterprise company millions of dollars and completely destroys small businesses? Damage of the target may not reflect the real amount of damage The reason is that other services may rely on the attacked service, causing a cascading and escalating damage
  3. Install Safeguards i.e. try to find the best fit protection…
  4. “Who cares?” “Why should business care?” “What should be done first?” “How to mitigate risks?” Strengthen system