# Information Security Risk Management

Information Security Risk Management And Calculations.

### Information Security Risk Management

2. Risk Analysis and Management
   - Risk Management – Principles and Guidelines: ISO 31000:2009
3. Unique Terms and Definitions
   - Annualized Loss Expectancy: the cost of loss due to a risk over a year
   - Threat: a potentially negative occurrence
   - Vulnerability: a weakness in a system
   - Risk: a matched threat and vulnerability
   - Safeguard: a measure taken to reduce risk
   - Total Cost of Ownership: the cost of a safeguard
   - Return on Investment: money saved by deploying a safeguard
4. What is Risk?
   - Risk = Threat x Vulnerability
5. Example: Earthquake Disaster Risk Index
   - San Francisco: near the Pacific Ocean; Boston: Northeast
   - San Francisco threat = 4, vulnerability = 2, risk = 4 x 2 = 8
   - Boston threat = 2, vulnerability = 4, risk = 2 x 4 = 8
   - Source: Rachel Davidson, Earthquake Disaster Risk Index, http://www.sciencedaily.com/releases/1997/08/970821233648.htm
6. Impact: Severity of the Damage
   - Risk = Threat x Vulnerability x Impact
   - Empty building risk = 2 (threat) x 4 (vulnerability) x 2 (impact) = 16
   - Full building risk = 2 (threat) x 4 (vulnerability) x 5 (impact) = 40
7. Risk Analysis Matrix
8. Calculating Annualized Loss Expectancy
9. Calculating Annualized Loss Expectancy
   - ALE: annual cost of a loss due to risk
   - Asset Value: value of the asset you are trying to protect
   - Stolen computer example: hardware cost = \$2,500; data cost = \$22,500; asset value = \$25,000
   - Asset value can be estimated with the market approach, the income approach, or the cost approach
10. Calculating Annualized Loss Expectancy
    - Exposure Factor (EF): the percentage of an asset's value lost due to an incident. Exposure factor of a stolen computer = 100%
    - Single Loss Expectancy (SLE): the cost of a single loss. SLE = Asset Value (\$25,000) x Exposure Factor (100%) = \$25,000
    - Annual Rate of Occurrence (ARO): the number of losses you suffer per year. ARO = 11
    - Annualized Loss Expectancy: ALE = SLE (\$25,000) x ARO (11) = \$275,000
11. Total Cost of Ownership
    - Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. It must include:
      - One-time capital expense
      - Annual cost
      - Staff hours
      - Vendor maintenance fees
      - Software subscriptions, etc.
12. Total Cost of Ownership
    - 1000 laptops; software = \$100/laptop = \$100,000
    - Annual support fee = 10% annually = \$10,000
    - 4000 staff hours at \$50/hour + \$20/hour = \$70/hour; \$70/hour x 4000 = \$280,000
    - 3-year technology refresh cycle
    - Software cost = \$100,000
    - 3 years of vendor support = \$10,000 x 3 = \$30,000
    - Hourly staff cost = \$280,000
    - TCO for 3 years = \$410,000
    - TCO per year = \$410,000 / 3 = \$136,667/year
13. Return on Investment
    - The amount of money saved by implementing a safeguard
    - TCO < ALE: positive ROI, good choice
    - TCO > ALE: negative ROI, poor choice
    - TCO = \$136,667; ALE = \$275,000
    - After implementing encryption: asset value = \$25,000 - \$22,500 = 25,000; exposure factor = 10%; \$275,000 x 10% = \$27,500
    - By making the investment you save: old ALE (\$275,000) – new ALE (\$27,500) = \$247,500
    - Your ROI = \$247,500 - \$136,667 = \$110,833
14. Risk Choice
    - Accept the risk
    - Mitigate the risk
    - Transfer the risk
    - Risk avoidance
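The calculations on slides 9 through 13 carried through in code, as an added example that is not part of the original deck: the `Scenario`, `tco_per_year`, `roi` and `treatment` names are assumed here, and the input figures are the deck's stolen-laptop and encryption numbers.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One loss scenario, using the deck's definitions of AV, EF and ARO."""
    asset_value: float      # value of the asset being protected
    exposure_factor: float  # fraction of value lost per incident, 0.0..1.0
    aro: float              # annual rate of occurrence (losses per year)

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


def risk_score(threat: int, vulnerability: int, impact: int = 1) -> int:
    """Risk = Threat x Vulnerability x Impact (impact defaults to 1 for slide 4)."""
    return threat * vulnerability * impact


def tco_per_year(one_time: float, annual_fee: float, staff_hours: float,
                 hourly_rate: float, refresh_years: int) -> float:
    """Total Cost of Ownership of a safeguard, spread over its refresh cycle."""
    total = one_time + annual_fee * refresh_years + staff_hours * hourly_rate
    return total / refresh_years


def roi(before: Scenario, after: Scenario, safeguard_tco: float) -> float:
    """Yearly savings (old ALE - new ALE) minus the safeguard's yearly TCO."""
    return (before.ale() - after.ale()) - safeguard_tco


def treatment(before: Scenario, after: Scenario, safeguard_tco: float) -> str:
    """Slide 13's rule: a positive ROI makes the safeguard a good choice."""
    return "mitigate" if roi(before, after, safeguard_tco) > 0 else "accept"


# Deck figures: \$25,000 laptop, 100% exposure when stolen, 11 thefts/year.
laptop_unencrypted = Scenario(asset_value=25_000, exposure_factor=1.0, aro=11)
# After full-disk encryption the deck assumes only 10% of the value is lost.
laptop_encrypted = Scenario(asset_value=25_000, exposure_factor=0.10, aro=11)
# 1000 laptops x \$100, 10% support fee, 4000 staff hours at \$70, 3-year refresh.
encryption_tco = tco_per_year(100_000, 10_000, 4_000, 70, 3)

if __name__ == "__main__":
    print(f"old ALE {laptop_unencrypted.ale():,.0f}  new ALE {laptop_encrypted.ale():,.0f}")
    print(f"TCO/yr {encryption_tco:,.0f}  ROI {roi(laptop_unencrypted, laptop_encrypted, encryption_tco):,.0f}")
    print(treatment(laptop_unencrypted, laptop_encrypted, encryption_tco))
```

Note that the new ALE is derived here as SLE x ARO with the reduced exposure factor (\$2,500 x 11 = \$27,500), which matches the deck's \$27,500 without the arithmetic shortcut shown on slide 13.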