Case Study: Information Security Risk Assessment
In this case study assignment, you will perform a quantitative
risk assessment (risk analysis) for the company network shown
below. Use the “Case Study Information Security Risk
Assessment Answer Sheet” for your answers.
Assets are shown in the diagram. Feel free to suggest
vulnerabilities and threats that might be applicable to these
assets.
The following risk analysis formula will guide you through the process:

Risk = Probability of the exploitation of a vulnerability by a threat * Impact of the exploitation
There are six steps in the risk analysis process.
Step 1) Specify three assets by using the network topology and the explanations. [2]

[2] An asset is anything that has value for the company. It can be software, hardware, storage media, documents, or even employees. One of the most critical assets is information. Note that one of the essential duties of the other assets (software, hardware, etc.) is to process information. Therefore, the value of software, for example, is directly proportional to the value of the information it processes.

Step 2) For each of the assets, determine one vulnerability. [3]

[3] A vulnerability is a weakness in an asset's design, development, structure, properties, or configuration. An asset's weakness could allow it to be exploited and harmed by one or more threats.

Step 3) For each vulnerability, determine one threat that may exploit the vulnerability. [4]

[4] A threat is an active agent with the intent and potential of exploiting vulnerabilities and causing harm. There are many threat agents; they fall into the broad categories of deliberate or accidental actions of humans (internal or external to the organization) and acts of nature.
Fill out the first three columns of Table-1 for the three assets
you choose from the diagram.
Table-1

Assets | Vulnerabilities | Threats | Probability (the numerical value) | Impact (the numerical value) | Risk (the numerical value; Risk = Probability x Impact)
       |                 |         |                                   |                              |
       |                 |         |                                   |                              |
       |                 |         |                                   |                              |
Step 4) For each asset, choose a numerical value from the table below for the probability of the exploitation of the vulnerability by the threat. While selecting a numerical value, consider factors such as: Is the threat agent external or internal? Is the vulnerability remotely exploitable? To what extent does the asset's value draw the attention of attackers?
Type the numerical value into the fourth column of Table-1.
Probability | Numerical value | Frequency of exploitation
Very Low    | 1               | Once per year
Low         | 2               | Once every six months
Medium      | 3               | Once per month
High        | 4               | Once per week
Very High   | 5               | Once per day
Type your justifications here:

Probability (the numerical value) | Your Justification (Why you assigned that value for the probability)
Step 5) For each asset, appraise the impact once the asset is compromised. For this estimation, use the following reference table. While choosing a numerical value, consider factors such as the extent of the damage that the threat agent may cause and the severity of the vulnerability.
Type the numerical value into the fifth column of Table-1.
Impact    | Numerical value | Impact of exploitation
Very Low  | 1               | The systems/asset may be restored immediately.
Low       | 2               | The systems/asset may be restored in the short term.
Medium    | 3               | The systems/asset may be restored in the medium term.
High      | 4               | The systems/asset may be restored in the long term.
Very High | 5               | The systems/asset may not be restored in the long term, and the adverse effects may persist even longer.
Type your justifications here:

Impact (the numerical value) | Your Justification (Why you assigned that value for the impact)
Step 6) Multiply the probability and impact values and type the
resulting risk value into the sixth column of Table-1.
The table below shows all possible risk values (rows: Probability, columns: Impact).

Risk        | Impact
Probability | 1  | 2  | 3  | 4  | 5
1           | 1  | 2  | 3  | 4  | 5
2           | 2  | 4  | 6  | 8  | 10
3           | 3  | 6  | 9  | 12 | 15
4           | 4  | 8  | 12 | 16 | 20
5           | 5  | 10 | 15 | 20 | 25

Risk Value         | Priority
12, 15, 16, 20, 25 | Highest priority
5, 6, 8, 9, 10     | Medium priority
1, 2, 3, 4         | Lowest priority
Fill out Table-2 from the highest priority to the lowest. Also
replace the <asset>, <vulnerability>, and <threat> with yours.
Type your risk response into the third column. If the risk value
is low, you may accept the risk; otherwise, consider mitigating
risk and type your mitigation actions. You may use other risk
response options shown in the table as well.
Table-2

Definition of Risk                                                | Priority | Risk Response (Risk Acceptance, Risk Mitigation, Risk Avoidance, Risk Transfer, etc.)
The exploitation of the <vulnerability> of <asset> by <threat>    |          |
The exploitation of the <vulnerability> of <asset> by <threat>    |          |
The exploitation of the <vulnerability> of <asset> by <threat>    |          |
Use the “Case Study Information Security Risk Assessment Answer Sheet” document for your answers.
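The following script is an added worked example (written for this page, not part of the assignment or its answer sheet) of Steps 4 to 6 and the Table-2 ordering: it scores three hypothetical placeholder entries on the 1..5 scales, computes Risk = Probability x Impact, looks up the priority band from the risk-value table, orders the Table-2 rows from highest to lowest priority, and applies the text's default response (accept a low risk, mitigate otherwise). The asset, vulnerability and threat names are placeholders rather than assets from the diagram, and reading "low risk" as the lowest priority band is an assumption.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # both reference scales run 1 (Very Low) .. 5 (Very High)

# Priority bands from the assignment's "Risk Value / Priority" table, in ranking order.
PRIORITY_BANDS = [
    ("Highest priority", {12, 15, 16, 20, 25}),
    ("Medium priority", {5, 6, 8, 9, 10}),
    ("Lowest priority", {1, 2, 3, 4}),
]

@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    threat: str
    probability: int  # Step 4 value
    impact: int       # Step 5 value

    def risk(self) -> int:
        # Step 6: Risk = Probability x Impact, after checking both values are on the 1..5 scales.
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: probability and impact must each be 1..5")
        return self.probability * self.impact

    def priority(self) -> tuple:
        # Returns (rank, label); rank 0 is the highest priority band.
        value = self.risk()
        for rank, (label, values) in enumerate(PRIORITY_BANDS):
            if value in values:
                return rank, label
        raise ValueError(f"risk value {value} is not in the priority table")

    def definition(self) -> str:
        # Table-2 row text with the <asset>, <vulnerability> and <threat> placeholders filled in.
        return f"The exploitation of the {self.vulnerability} of {self.asset} by {self.threat}"

def table2_rows(entries):
    """Table-2 rows, highest to lowest priority (ties: higher risk first), with a default response."""
    ordered = sorted(entries, key=lambda e: (e.priority()[0], -e.risk()))
    # Assumption: a "low" risk is one in the lowest priority band; everything else gets mitigation.
    return [(e.definition(), e.risk(), e.priority()[1],
             "Risk Acceptance" if e.priority()[0] == 2 else "Risk Mitigation")
            for e in ordered]

# Constructed placeholder entries (hypothetical); substitute the assets chosen from the diagram.
EXAMPLE_ENTRIES = [
    RiskEntry("<asset A>", "<vulnerability A>", "<threat A>", probability=4, impact=5),
    RiskEntry("<asset B>", "<vulnerability B>", "<threat B>", probability=1, impact=3),
    RiskEntry("<asset C>", "<vulnerability C>", "<threat C>", probability=2, impact=4),
]
```

Calling `table2_rows(EXAMPLE_ENTRIES)` yields the three rows in the order A (risk 20, highest), C (risk 8, medium), B (risk 3, lowest), ready to be copied into Table-2.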
Case Study: Information Security Risk Assessment – Answer Sheet
Table-1

Assets | Vulnerabilities | Threats | Probability (the numerical value) | Impact (the numerical value) | Risk (the numerical value; Risk = Probability x Impact)
       |                 |         |                                   |                              |
       |                 |         |                                   |                              |
       |                 |         |                                   |                              |

Probability (the numerical value) | Your Justification (Why you assigned that value for the probability)

Impact (the numerical value) | Your Justification (Why you assigned that value for the impact)

Table-2

Definition of Risk                                                | Priority | Risk Response (Risk Acceptance, Risk Mitigation, Risk Avoidance, Risk Transfer, etc.)
The exploitation of the <vulnerability> of <asset> by <threat>    |          |
The exploitation of the <vulnerability> of <asset> by <threat>    |          |
The exploitation of the <vulnerability> of <asset> by <threat>    |          |