Information Security Risk Management
Information Security Risk Management And Calculations.

Published in: Business, Economy & Finance
  1. Onur YÜKSEKTEPELİ, Information Security Consultant
     www.onuryuksektepeli.com
     twitter.com/oyuksektepeli
     facebook.com/onuryuksektepeli
  2. Risk Analysis and Management
     Risk Management – Principles and Guidelines, ISO 31000:2009
  3. Unique Terms and Definitions
     Annualized Loss Expectancy – the cost of loss due to a risk over a year
     Threat – a potentially negative occurrence
     Vulnerability – a weakness in a system
     Risk – a matched threat and vulnerability
     Safeguard – a measure taken to reduce risk
     Total Cost of Ownership – the cost of a safeguard
     Return on Investment – money saved by deploying a safeguard
  4. What is Risk?
     Risk = Threat x Vulnerability
  5. Example: Earthquake Disaster Risk Index
     San Francisco – near the Pacific Ocean
     Boston – Northeast
     San Francisco threat: 4
     San Francisco vulnerability: 2
     San Francisco risk = 4 x 2 = 8
     Boston threat: 2
     Boston vulnerability: 4
     Boston risk = 2 x 4 = 8
     Rachel Davidson, Earthquake Disaster Risk Index: http://www.sciencedaily.com/releases/1997/08/970821233648.htm
  6. IMPACT – Severity of the Damage
     Risk = Threat x Vulnerability x Impact
     Empty building risk = 2 (threat) x 4 (vulnerability) x 2 (impact) = 16
     Full building risk = 2 (threat) x 4 (vulnerability) x 5 (impact) = 40
  7. Risk Analysis Matrix
  8. Calculating Annualized Loss Expectancy
  9. Calculating Annualized Loss Expectancy
     ALE = annual cost of a loss due to risk
     Asset Value = value of the asset you are trying to protect
     Stolen computer example:
     Hardware cost = $2,500
     Data cost = $22,500
     Asset value = $25,000
     Asset valuation approaches: market approach, income approach, cost approach
  10. Calculating Annualized Loss Expectancy
      Exposure Factor: the percentage of an asset's value lost due to an incident.
      Exposure factor of a stolen computer = 100%
      Single Loss Expectancy (SLE): the cost of a single loss.
      SLE = Asset Value ($25,000) x Exposure Factor (100%) = $25,000
      Annual Rate of Occurrence (ARO): the number of losses you suffer per year.
      ARO = 11
      Annualized Loss Expectancy
      ALE = SLE ($25,000) x ARO (11) = $275,000
  11. Total Cost of Ownership
      Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard.
      Total Cost of Ownership must include:
      • One-time capital expense
      • Annual cost
      • Staff hours
      • Vendor maintenance fees
      • Software subscriptions etc.
  12. Total Cost of Ownership
      1000 laptops
      Software = $100/laptop x 1000 laptops = $100,000
      Annual support fee = 10% annually = $10,000
      4000 staff hours: $50/hour + $20/hour = $70/hour x 4000 = $280,000
      3-year technology refresh cycle
      Software cost = $100,000
      3 years of vendor support = $10,000 x 3 = $30,000
      Hourly staff cost = $280,000
      TCO for 3 years = $410,000
      TCO per year = $410,000 / 3 = $136,667/year
  13. Return on Investment
      The amount of money saved by implementing a safeguard.
      TCO < ALE – positive ROI, good choice
      TCO > ALE – negative ROI, poor choice
      TCO = $136,667
      ALE = $275,000
      After encryption is implemented:
      Asset Value = $25000 - $22500 = 25000
      Exposure factor = 10%
      $275,000 x 10% = $27,500
      By making the investment you save:
      Old ALE ($275,000) – New ALE ($27,500) = $247,500
      Your ROI = $247,500 - $136,667 = $110,833
  14. Risk Choice
      Accept the risk
      Mitigate the risk
      Transfer the risk
      Risk avoidance
  15. Onur YÜKSEKTEPELİ, Information Security Consultant
      www.onuryuksektepeli.com
      twitter.com/oyuksektepeli
      facebook.com/onuryuksektepeli
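The SLE, ALE, TCO and ROI arithmetic from slides 9 to 13, written out as reusable functions and run on the deck's own figures (stolen-laptop scenario, 1000 laptops, 3-year refresh cycle). This is an added example, not code from the slides; the `Safeguard` structure and the 10% post-encryption exposure factor as an input parameter are my own modelling choices.

```python
"""Added example: ALE / TCO / ROI arithmetic from the risk-management slides."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (EF as a fraction, 1.0 = 100%)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annual rate of occurrence."""
    return sle * aro


@dataclass
class Safeguard:
    """Cost components of a mitigating safeguard, as the TCO slide lists them."""
    one_time_capital: float      # software licences, bought once
    annual_cost: float           # vendor support / subscriptions per year
    staff_hours: float
    hourly_staff_cost: float     # fully loaded rate (wage + overhead)
    lifetime_years: int          # technology refresh cycle

    def tco(self) -> float:
        """Total cost of ownership over the whole refresh cycle."""
        return (self.one_time_capital
                + self.annual_cost * self.lifetime_years
                + self.staff_hours * self.hourly_staff_cost)

    def tco_per_year(self) -> float:
        return self.tco() / self.lifetime_years


def roi_per_year(old_ale: float, new_ale: float, tco_per_year: float) -> float:
    """Money the safeguard saves minus what it costs; positive means a good choice."""
    return (old_ale - new_ale) - tco_per_year


# Figures from the slides: laptop = $2,500 hardware + $22,500 data, 11 thefts per year.
LAPTOP_VALUE = 2_500 + 22_500
OLD_ALE = annualized_loss_expectancy(single_loss_expectancy(LAPTOP_VALUE, 1.0), 11)
ENCRYPTION = Safeguard(one_time_capital=100 * 1000, annual_cost=10_000,
                       staff_hours=4000, hourly_staff_cost=50 + 20, lifetime_years=3)
# After encryption the slides put the exposure factor of a stolen laptop at 10%.
NEW_ALE = annualized_loss_expectancy(single_loss_expectancy(LAPTOP_VALUE, 0.10), 11)

if __name__ == "__main__":
    per_year = ENCRYPTION.tco_per_year()
    print(f"old ALE ${OLD_ALE:,.0f}, new ALE ${NEW_ALE:,.0f}, TCO/year ${per_year:,.0f}")
    print(f"ROI/year ${roi_per_year(OLD_ALE, NEW_ALE, per_year):,.0f}")
```

With the deck's numbers the script reproduces its result: an ROI of about $110,833 per year, so the safeguard's TCO is below the ALE it removes.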