AR
Uploaded byAdesh Rampat
PPTX, PDF828 views

Risk Equation

The document proposes a new risk equation that incorporates resilience and incident response alongside traditional probability and impact factors. This revised formula aims to give organizations a clearer understanding of their risk and improve their incident management strategies in response to evolving threats. Two examples demonstrate how to apply this equation to assess risks from cyber attacks and internal fraud, ultimately indicating a high level of risk for both scenarios.

Embed presentation

Download to read offline
Risk Equation Most risk equations include the standard approach of probability and impact. Nowadays, with the changing threat landscape, a new approach to the risk equation should be looked at. Adesh Rampat (adeshpcs@yahoo.com)
Risk Equation Standard risk equations use probability and impact to calculate the extent of a particular risk, often displaying the result in a risk matrix. However, such an approach neglects two important aspects from an organizational perspective: resilience and incident response. To rectify this I propose a new approach, as follows: Risk = Impact x Resilience/Incident Response
Risk Equation This equation allows for risk to be easily understood especially when it comes to the level of incident response required to address an event. It also assists in the assessment process as to the critical areas to focus on in today’s constantly changing threat landscape. When an organization is hit by a cyber attack, for example, the probable questions that are asked include: What is the impact? What systems within the network has the attack penetrated? Is our current incident response plan effective?
Risk Equation Let’s analyze what this equation is about: Impact: this is the effect on the organization due to the occurrence of a risk. Resilience: organizational resilience against threats. This must take into consideration the following: Ability to deal with the effects of a natural disaster – this will include the relocation of systems and staff required to have the organization functioning within a reasonable period of time. Ability to withstand the effect of technology related threats such as distributed denial of service attacks (DDOS). Resiliency in this area would range from employing sufficient bandwidth to ‘cushion’ such an attack to recognizing a threat through the use of monitoring systems. Conducting periodic penetration tests (both on the external perimeter and internal network) to understand where vulnerability exists and implementing the necessary fixes. Employing user awareness programs, to combat, for example, against Ransomware and other social engineering threats.
Risk Equation Incident response: the time it takes for an organization to respond to an attack in the event that its systems have been penetrated or have been hit by a natural disaster. An organization must have a sound incident management plan which it can use to be able to recover within the shortest possible time.
Risk Equation Measurements For measuring each of the variables in the equation (impact, resilience and incident response) a scale of 1 to 10 can be used: 0-2 Low 3-5 Medium 6-8 High 9-10 Critical
Risk Equation Example one The organization is reviewing its ability to withstand a DDOS attack. The questions that can be asked are: What is the impact of this attack on the organization if systems deemed critical are affected? Can the organization’s IT infrastructure withstand such an attack (resiliency)? In the event that the organization’s systems have been penetrated, how sound is the incident response? Applying the risk equation: Impact: High (6-8) Resilience: Medium (3-5) the organization has determined that its perimeter defense / defence is adequate; however, it may need to make some improvements. Incident response: Medium (3-5) the organization already has an incident response plan, however it has determined that this plan requires some modification to ensure that its business continuity mechanisms are adequate. Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 3 / 3 = 6 Therefore, the organization’s overall risk to a DDOS attack considering the three variables is rated as HIGH.
Risk Equation Example two In the following example an organization is looking at its internal controls to determine effectiveness against fraud. The questions that can be asked are: What is the impact to the organization of an employee committing fraud? Are the organization’s IT internal controls and procedures sound enough to prevent fraud? In the event that the organization’s systems and procedures have been compromised, how sound is the organization’s incident response? Applying the risk equation: Impact: High (6-8) Resilience: High (6-8) the organization has completed a risk assessment on its systems and procedures and determined that is has a number of recommendations to implement. Incident response: High (6-8) the organization’s incident response plan does not cover incidents relating to fraud and requires major modification to ensure that its business continuity mechanisms are adequate enough to deal with this incident. Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 6 / 6 = 6 The organization’s overall risk in dealing with a fraud related incident considering the three variables is rated as HIGH.
Risk Equation With this new approach to calculating risk, organizations can have a much clearer view as to the risks faced when its resilience and incident response are being tested.

More Related Content

PDF
We live in a VUCA world
byDragonLight Films
 
PPTX
Awdl 24 - Aneirin - Cymraeg Lefel A
byadolygu
 
PPTX
Transforming the Global HR Contact Center at EY
byNatalya Copeland
 
PPTX
Organizing For Innovation & Growth
byDr. Marc Sniukas
 
PPSX
Organisational Development (OD) Models
byRahul K
 
PDF
What is a strategy ?
byMai Bằng
 
PPT
Strategic management process
bybwire sedrick
 
PPT
Hr & Organizational Strategies
byNISHA SHAH
 
We live in a VUCA world
byDragonLight Films
 
Awdl 24 - Aneirin - Cymraeg Lefel A
byadolygu
 
Transforming the Global HR Contact Center at EY
byNatalya Copeland
 
Organizing For Innovation & Growth
byDr. Marc Sniukas
 
Organisational Development (OD) Models
byRahul K
 
What is a strategy ?
byMai Bằng
 
Strategic management process
bybwire sedrick
 
Hr & Organizational Strategies
byNISHA SHAH
 

Similar to Risk Equation

PDF
Department of Homeland Security Guidance
byMeg Weber
 
PDF
DHS Guidelines
byMeg Weber
 
PDF
Hands on IT risk assessment
byGeorge Delikouras
 
PDF
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
PPTX
Information Security and Risk Management.pptx
byprembasnet12
 
PPTX
Risk-Management-and-Incident-Response-Planning.pptx
byAmirMohamedNabilSale
 
PDF
Risk bridges business and security
byM. Isaiah McGowan
 
PDF
Dj24712716
byIJERA Editor
 
PPTX
CapTech Talks Webinar April 2023 Joshua Sinai.pptx
byCapitolTechU
 
PDF
Cyber risk management and the benefits of quantification
byDavid X Martin
 
PDF
Quantifying Cyber Risk
byPhil Huggins FBCS CITP
 
PDF
Zlatibor risk based balancing of organizational and technical controls for ...
byDejan Jeremic
 
PPTX
Risk Management / Information Security
byNicollai Kostadinov
 
PDF
Optimization of different objective function in risk assessment system
byAlexander Decker
 
PDF
Cervone uof t - nist framework (1)
byStephen Abram
 
DOCX
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
bygilbertkpeters11344
 
DOCX
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
byLinaCovington707
 
DOCX
Cyber Management vfd
byLadd Muzzy
 
PDF
Hse, Risk Assessment
byTara Smith
 
PPTX
cybersecurity TEMCA powerpoint presentation on starting a cyber career
by2kentest1
 
Department of Homeland Security Guidance
byMeg Weber
 
DHS Guidelines
byMeg Weber
 
Hands on IT risk assessment
byGeorge Delikouras
 
Dr.M.Florence Dayana - Risk Management.pdf
byDr.Florence Dayana
 
Information Security and Risk Management.pptx
byprembasnet12
 
Risk-Management-and-Incident-Response-Planning.pptx
byAmirMohamedNabilSale
 
Risk bridges business and security
byM. Isaiah McGowan
 
Dj24712716
byIJERA Editor
 
CapTech Talks Webinar April 2023 Joshua Sinai.pptx
byCapitolTechU
 
Cyber risk management and the benefits of quantification
byDavid X Martin
 
Quantifying Cyber Risk
byPhil Huggins FBCS CITP
 
Zlatibor risk based balancing of organizational and technical controls for ...
byDejan Jeremic
 
Risk Management / Information Security
byNicollai Kostadinov
 
Optimization of different objective function in risk assessment system
byAlexander Decker
 
Cervone uof t - nist framework (1)
byStephen Abram
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
bygilbertkpeters11344
 
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
byLinaCovington707
 
Cyber Management vfd
byLadd Muzzy
 
Hse, Risk Assessment
byTara Smith
 
cybersecurity TEMCA powerpoint presentation on starting a cyber career
by2kentest1
 

More from Adesh Rampat

PDF
Using FIRM to assess risk
byAdesh Rampat
 
PPTX
IDEA
byAdesh Rampat
 
PPTX
Fraud Diamond
byAdesh Rampat
 
PPTX
IDEA Logo
byAdesh Rampat
 
PPTX
Risk equation
byAdesh Rampat
 
PPTX
Fraud Diamond with Resilience
byAdesh Rampat
 
Using FIRM to assess risk
byAdesh Rampat
 
IDEA
byAdesh Rampat
 
Fraud Diamond
byAdesh Rampat
 
IDEA Logo
byAdesh Rampat
 
Risk equation
byAdesh Rampat
 
Fraud Diamond with Resilience
byAdesh Rampat
 

Recently uploaded

DOCX
How to Buy Verified OnlyFans Creator Accounts – Real, Original & PVA.docx
byPremium Phone Verified Account Providers
 
PDF
OIL CHECK 500 Portable - Air Quality Monitoring System
byCS Instruments
 
PDF
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
DOCX
Best Top 7 sites to Buy Old Gmail Accounts (PVA & Aged).docx
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
PDF
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 
PDF
Best Top 3 Sites to Buy Google Reviews (5-Star & Non-Drop).pdf
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
DOCX
A Complete Manual for Bulk Buying Old Gmail Accounts.docx
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
PPTX
REVIEWER-3rd-quarter-exam-mathematics.pptx
bydominicdaltoncaling2
 
PDF
The threat to financial insitutions of quantum computing breaking all encrypt...
byChris Skinner
 
DOCX
Trusted Marketplace for Buying Snapchat Accounts.docx
byPremium Phone Verified Account Providers
 
DOCX
How Verified Cash App Accounts Work and How to Buy.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
PDF
enterprise software is not dead and here is why
bywangbin26
 
PDF
BendelPuertoRicoCubaGuyanaVenezuelaPetroleumRefineryPetrochemicalPetroAgroInd...
byOsaJOkundayeODMDFAAO
 
PDF
Vision.pdf TPR document on trusteeship and governance
byHenry Tapper
 
PDF
How To Buy Verified Cash App Accounts - Secure Your Transactions.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
PDF
17 Guide to Buying Verified Binance Accounts in the US.pdf
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
PDF
Camil Institutional Presentation_Dez25.pdf
byCAMILRI
 
PDF
The APCO Geopolitical Radar Q1 2026 Edition
byAPCO
 
PDF
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
DOCX
How to Buy a Verified PayPal Account_ Step-by-Step Instructions.docx
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
How to Buy Verified OnlyFans Creator Accounts – Real, Original & PVA.docx
byPremium Phone Verified Account Providers
 
OIL CHECK 500 Portable - Air Quality Monitoring System
byCS Instruments
 
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
Best Top 7 sites to Buy Old Gmail Accounts (PVA & Aged).docx
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
RFI Responses for Govt Contracting Tips.
byiQuasar LLC
 
Best Top 3 Sites to Buy Google Reviews (5-Star & Non-Drop).pdf
byhttps://pvaallit.com/product/buy-google-5-star-reviews/
 
A Complete Manual for Bulk Buying Old Gmail Accounts.docx
byhttps://propvaservice.com/product/buy-old-gmail-accounts/
 
REVIEWER-3rd-quarter-exam-mathematics.pptx
bydominicdaltoncaling2
 
The threat to financial insitutions of quantum computing breaking all encrypt...
byChris Skinner
 
Trusted Marketplace for Buying Snapchat Accounts.docx
byPremium Phone Verified Account Providers
 
How Verified Cash App Accounts Work and How to Buy.docx
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
enterprise software is not dead and here is why
bywangbin26
 
BendelPuertoRicoCubaGuyanaVenezuelaPetroleumRefineryPetrochemicalPetroAgroInd...
byOsaJOkundayeODMDFAAO
 
Vision.pdf TPR document on trusteeship and governance
byHenry Tapper
 
How To Buy Verified Cash App Accounts - Secure Your Transactions.pdf
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 
17 Guide to Buying Verified Binance Accounts in the US.pdf
byhttps://pvaisback.com/product/buy-old-gmail-accounts/
 
Camil Institutional Presentation_Dez25.pdf
byCAMILRI
 
The APCO Geopolitical Radar Q1 2026 Edition
byAPCO
 
_5 Trusted Strategies to Buy Verified Wise Accounts Safely & Legally.pdf
byBuy Verified Wise Accounts
 
How to Buy a Verified PayPal Account_ Step-by-Step Instructions.docx
byhttps://pvaallit.com/product/buy-verified-apple-pay-accounts/
 

Risk Equation

  • 1.
    Risk Equation Most riskequations include the standard approach of probability and impact. Nowadays, with the changing threat landscape, a new approach to the risk equation should be looked at. Adesh Rampat (adeshpcs@yahoo.com)
  • 2.
    Risk Equation Standard riskequations use probability and impact to calculate the extent of a particular risk, often displaying the result in a risk matrix. However, such an approach neglects two important aspects from an organizational perspective: resilience and incident response. To rectify this I propose a new approach, as follows: Risk = Impact x Resilience/Incident Response
  • 3.
    Risk Equation This equationallows for risk to be easily understood especially when it comes to the level of incident response required to address an event. It also assists in the assessment process as to the critical areas to focus on in today’s constantly changing threat landscape. When an organization is hit by a cyber attack, for example, the probable questions that are asked include: What is the impact? What systems within the network has the attack penetrated? Is our current incident response plan effective?
  • 4.
    Risk Equation Let’s analyzewhat this equation is about: Impact: this is the effect on the organization due to the occurrence of a risk. Resilience: organizational resilience against threats. This must take into consideration the following: Ability to deal with the effects of a natural disaster – this will include the relocation of systems and staff required to have the organization functioning within a reasonable period of time. Ability to withstand the effect of technology related threats such as distributed denial of service attacks (DDOS). Resiliency in this area would range from employing sufficient bandwidth to ‘cushion’ such an attack to recognizing a threat through the use of monitoring systems. Conducting periodic penetration tests (both on the external perimeter and internal network) to understand where vulnerability exists and implementing the necessary fixes. Employing user awareness programs, to combat, for example, against Ransomware and other social engineering threats.
  • 5.
    Risk Equation Incident response:the time it takes for an organization to respond to an attack in the event that its systems have been penetrated or have been hit by a natural disaster. An organization must have a sound incident management plan which it can use to be able to recover within the shortest possible time.
  • 6.
    Risk Equation Measurements For measuringeach of the variables in the equation (impact, resilience and incident response) a scale of 1 to 10 can be used: 0-2 Low 3-5 Medium 6-8 High 9-10 Critical
  • 7.
    Risk Equation Example one Theorganization is reviewing its ability to withstand a DDOS attack. The questions that can be asked are: What is the impact of this attack on the organization if systems deemed critical are affected? Can the organization’s IT infrastructure withstand such an attack (resiliency)? In the event that the organization’s systems have been penetrated, how sound is the incident response? Applying the risk equation: Impact: High (6-8) Resilience: Medium (3-5) the organization has determined that its perimeter defense / defence is adequate; however, it may need to make some improvements. Incident response: Medium (3-5) the organization already has an incident response plan, however it has determined that this plan requires some modification to ensure that its business continuity mechanisms are adequate. Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 3 / 3 = 6 Therefore, the organization’s overall risk to a DDOS attack considering the three variables is rated as HIGH.
  • 8.
    Risk Equation Example two Inthe following example an organization is looking at its internal controls to determine effectiveness against fraud. The questions that can be asked are: What is the impact to the organization of an employee committing fraud? Are the organization’s IT internal controls and procedures sound enough to prevent fraud? In the event that the organization’s systems and procedures have been compromised, how sound is the organization’s incident response? Applying the risk equation: Impact: High (6-8) Resilience: High (6-8) the organization has completed a risk assessment on its systems and procedures and determined that is has a number of recommendations to implement. Incident response: High (6-8) the organization’s incident response plan does not cover incidents relating to fraud and requires major modification to ensure that its business continuity mechanisms are adequate enough to deal with this incident. Taking the low ends of the scale for each of the variables, the overall risk can be calculated as follows: 6 x 6 / 6 = 6 The organization’s overall risk in dealing with a fraud related incident considering the three variables is rated as HIGH.
  • 9.
    Risk Equation With thisnew approach to calculating risk, organizations can have a much clearer view as to the risks faced when its resilience and incident response are being tested.