Cyber Security Awareness Month 2017:
Nugget 3
Determining The Ideal Security Measure
Chinatu Uzuegbu
Cyber Security Consultant
CISSP, CISM, CISA, CEH, ITIL, MCSE
Previous Nuggets Recap
• We identified and classified the Information Assets based on the Value and
Criticality of the Assets.
• We learnt that the Identification and Classification of the Assets could be
achieved using the Risk Assessment and Impact Analysis Techniques.
• We discussed the CIA Triad (Confidentiality, Integrity and Availability), the
three Control Types, and the Security Services and Measures centred around each
control and the Assets therein.
• We discussed that in protecting your Information Assets, you must have a
good understanding of the Control Types (Administrative, Technical and
Physical) as well as the Security Services and Measures (Preventive,
Detective, Deterrent, Corrective, Recovery, Compensating and Directive).
• We also discussed that it is important you understand the ideal security
measure to apply on each classified asset using Vulnerability and Risk
Assessment Techniques.
• We finally looked at some important facts on ‘protecting your Information
Assets’.
In This Nugget:
Determining The Ideal Security Measure
• Having gained a good understanding of the Controls and Security Measures,
we would further look at how the Assets could be protected by applying the
ideal Security Measures.
• We would look at how these measures of protection could be ascertained
using some Vulnerability/Risk Assessment Methodologies.
• We would discuss Vulnerabilities, Threats and Risks extensively.
• We would look at how we could tie the cost of each Security measure with
the actual value of the Assets.
• A little Math would apply here but nevertheless it would not be much of a
bother.
• Finally, we would outline some important facts on Risk Management.
Determining The Ideal Security Measure:
Vulnerability
• A Vulnerability could be defined as a weakness or looseness.
• An Asset or any object could be seen as vulnerable if there is an element of
weakness around that Asset.
• The weakness could be in the form of an opening, an exposure or something
important lacking on the Asset.
• There is an element of visible and invisible vulnerabilities surrounding
every newly installed or procured Asset.
• It is a good practice to pro-actively outline the vulnerabilities around an
Asset immediately after identifying it as Critical for your Business.
• In Cyber Security, it is important to start your Risk Management process
with a Vulnerability check list around the Asset.
• For example, a Critical Server Operating System (Asset) with no Anti-Virus,
no updated patches, a weak log-in password, easy access by
unauthorised parties, no Uninterruptible Power Supply (UPS) plug-in and
other weaknesses surrounding the Asset is seen as highly Vulnerable.
Determining The Ideal Security Measure:
Threat
• A Threat is that point at which the vulnerability is seen as a danger that
could be exploited by the bad guys (hackers, criminals, attackers, others)
known as Threat Agents.
• For example, some of the Critical Operating System vulnerabilities
outlined in the previous slide could cause so much harm on both the
Asset and the business if exploited by the bad guys(Threat Agents).
• The bad guys (Threat Agents) could take advantage of the fact that there
is no Anti-Virus program on the system and get it infected with a
Virus (Threat).
• Malware infection on a Critical System could be disastrous and
negatively affect the Confidentiality, Integrity and Availability principles of
Security.
• An Asset could be Vulnerable yet face a High or a minimal Threat; it all
depends on the scenarios around the vulnerability and the probability of
Impact.
Determining The Ideal Security Measure:
Risk
• Risk is the probability or likelihood that a Vulnerability could be
exploited with a Threat by a Threat Agent.
• Following our Critical Operating System example, one of the
vulnerabilities is the weak log-in Password, which could be easily
guessed and attacked (Threat) by the Threat Agents.
• The Probability or likelihood that the weak Log-in
Password (Vulnerability) could actually be exploited with guessing
attacks (Threat) by the Threat Agent is referred to as Risk.
• It is this level of certainty or probability that now determines whether
the risk is high, low or insignificant.
• If the Risk is high, a Security Measure which at this point is referred
to as a Counter Measure or Safeguard is proffered.
• As discussed in the previous Nugget, the weak Log-in Password is a
Vulnerability that falls under Technical Control which could breach
the three basic principles in the CIA Triad.
• The Security Measure (Counter Measure) would be a Preventive
Technical Control, tailored to a stricter Password
Management approach.
• We would be looking at Risk from various perspectives in the
subsequent slides.
Determining The Ideal Security Measure:
Risk Equation
• We would now derive the Risk value from the Vulnerability and
Threat as discussed in the previous slides.
• Risk = Vulnerability * Threat * Impact
• Impact is the consequence of the Threat exploiting the
Vulnerability.
• The Risk Equation assists us to understand the Risk level of a
Threat exploiting a vulnerability on an Asset.
• For example, the Critical Operating System’s missing
patch (Vulnerability) could lead to unauthorised access to the
system and other Applications on the System (Threat), and the
consequence could amount to theft of data and many other
losses (Impact).
• The Risk Equation would assist us to determine the Risk
Response, that is, whether the Risk should be Mitigated, Accepted,
Avoided or Transferred to Insurance.
Determining The Ideal Security Measure:
Risk Responses
Risk Response is a process of determining a suitable Counter
Measure to be applied on the Asset. The four basic Risk
Responses are:
• Mitigate: Reduce Risk to an Acceptable Level and with the
right protection Mechanism to maintain it at that level.
• Accept: To take the Risk as it is, usually because the likelihood is minimal or
insignificant.
• Avoid: Not to do the thing that is causing the Risk.
• Transference: To involve a Third Party Insurance on the Assets
especially when the cost of Counter Measure is unbearable to
the Business.
Determining The Ideal Security Measure:
Risk Analysis Types
We have two types of Risk Analysis generally:
• The Quantitative Risk Analysis: A process of calculating Risk
using numerical and monetary values. The Quantitative Risk
Analysis takes into consideration:
– The Asset Value (AV): The cost of the Asset, the man-hours and the cost of
labour.
– The Exposure Factor of the Asset (EF): The level of Exposure, expressed as the
fraction of the Asset Value lost in a single event.
– The Single Loss Expectancy (SLE): The value of loss expected on one
event of disruption. (SLE = AV * EF)
– The Annual Rate of Occurrence (ARO): The frequency at which the
disruption could occur in one year.
– The Annual Loss Expectancy (ALE): The value of loss expected in one
year. (ALE = SLE * ARO)
• The Qualitative Risk Analysis: A process of calculating Risk
using determined scenarios that could be subjective in nature.
Determining The Ideal Security Measure:
Cost of Counter Measure vs Value of Asset
• Recall that the Cost of the Counter Measure should
not be more than the Value of the Asset; where it is, it is advisable
to use a compensating control instead.
• After you arrive at a Counter Measure using the
Risk Equation and Risk Analysis, it is a good
practice to evaluate the cost of the Counter Measure
and ascertain that it is not more than the Value of
the Asset.
• To achieve this:
Cost of Counter Measure = Annual Loss Expectancy (ALE) before Counter Measure
- Annual Loss Expectancy (ALE) after Counter Measure
- Annual Cost of Counter Measure.
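As an added worked example (not from the slides), the Quantitative Risk Analysis figures and the Counter Measure cost check above are carried through in Python for the critical server of the earlier slides; the `Exposure` class, the monetary figures and the response rules are constructed assumptions.

```python
"""Quantitative risk analysis for the critical server example on the slides.

Formulas as stated on the slides:
    SLE = AV * EF
    ALE = SLE * ARO
    Cost of Counter Measure = ALE(before) - ALE(after) - annual cost of the counter measure
All monetary figures below are constructed sample values, not data from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """The quantitative inputs for one asset under one set of conditions."""
    asset_value: float      # AV: cost of the asset plus man-hours and labour
    exposure_factor: float  # EF: fraction of AV lost in a single event, 0.0 to 1.0
    annual_rate: float      # ARO: expected number of disruptions per year

    def __post_init__(self) -> None:
        # An EF outside 0..1 or a negative AV/ARO is a data-entry error, not a risk figure.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: value lost in one disruption (AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: value lost over one year (SLE * ARO)."""
        return self.sle() * self.annual_rate


def counter_measure_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """The slides' formula: ALE before - ALE after - annual cost of the counter measure.

    A positive result means the measure saves more per year than it costs.
    """
    return before.ale() - after.ale() - annual_cost


def recommend_response(before: Exposure, after: Exposure, annual_cost: float) -> str:
    """Map the figures to one of the slides' Risk Responses.

    The decision rules are this example's reading of the slides' guidance (the
    counter measure must not cost more than the asset; if it does, use a
    compensating control or transfer the risk), not rules taken from them verbatim.
    """
    if annual_cost > before.asset_value:
        return "transfer or use a compensating control"
    if counter_measure_value(before, after, annual_cost) > 0:
        return "mitigate"
    return "accept"


def report(before: Exposure, after: Exposure, annual_cost: float) -> dict:
    """Collect the intermediate figures so each step of the calculation is visible."""
    return {
        "sle_before": before.sle(),
        "ale_before": before.ale(),
        "sle_after": after.sle(),
        "ale_after": after.ale(),
        "counter_measure_value": counter_measure_value(before, after, annual_cost),
        "response": recommend_response(before, after, annual_cost),
    }


# Constructed scenario: the slides' critical server with no Anti-Virus and missing
# patches (before), then with patch management and Anti-Virus in place (after).
SERVER_BEFORE = Exposure(asset_value=50_000.0, exposure_factor=0.6, annual_rate=2.0)
SERVER_AFTER = Exposure(asset_value=50_000.0, exposure_factor=0.2, annual_rate=0.5)
PATCHING_AND_AV_ANNUAL_COST = 8_000.0       # affordable: well under the asset value
PLATINUM_SUPPORT_ANNUAL_COST = 70_000.0     # unbearable: exceeds the asset value

if __name__ == "__main__":
    for label, cost in (("patching + AV", PATCHING_AND_AV_ANNUAL_COST),
                        ("platinum support", PLATINUM_SUPPORT_ANNUAL_COST)):
        figures = report(SERVER_BEFORE, SERVER_AFTER, cost)
        print(f"{label}:")
        for key, value in figures.items():
            print(f"  {key:>22}: {value}")
```

The figure the slides call the Cost of Counter Measure is the net annual saving the measure produces (what CISSP material calls the value of the safeguard); a negative result means the measure costs more per year than the loss it prevents.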
Determining The Ideal Security Measure:
Risk Management Frameworks
It is a good practice to run your Risk Management
and Analysis using any of the following methodologies:
• NIST SP 800-50
• FRAP
• OCTAVE
• FMEA
• Others.
Kindly do a search on each of the frameworks and
apply accordingly.
Determining The Ideal Security Measure:
Important Facts on Risk Management
• Information Risk Management is the responsibility of the Business Unit or
Group Managers, even though it has to be supported by Top Level
Management.
• Risk Management focuses on reducing risk to a level acceptable by the
Business and with the right mechanisms to maintain that level.
• Risk Management would help to ascertain the most cost effective, relevant,
up-to-date, ideal and resilient Counter Measure on a given Asset.
• The right countermeasure would eliminate the Vulnerability and Threat but
cannot eliminate Risk and the Threat agent. The Asset would be protected
by reducing or mitigating Risk and preventing the Threat Agent from
exploiting Vulnerabilities around the Asset.
• There would always be some elements of risk left after applying the Counter
Measure. This left-out Risk is referred to as Residual Risk.
Determining The Ideal Security Measure:
In Summary
This Nugget may sound a bit technical to most of us here; you need not worry much, but grab this:
• We looked at the various ways to ascertain the ideal Counter Measure to be applied on a given Asset.
• We first of all looked at the various Vulnerabilities and Threats around the Asset and explained Risk as
the probability that Threat Agents could exploit the Vulnerabilities with the Threats.
• We worked around the Risk areas: Risk Equation, Quantitative and Qualitative Risk Analysis and Risk
Responses.
• Each of the Risk areas drew us closer to ascertaining the ideal and best Countermeasure to be
applied on a given Asset.
• The Risk Equation (Vulnerability * Threat * Impact) ascertained the level of Risk, whether High, Medium or
Low.
• Then based on the Risk level ascertained from the Risk Equation, the Risk Response is determined.
The response could be to Mitigate, Accept, Avoid or Transfer to the Third Party Insurance.
• We further looked at how we can generate the Annual Loss Expectancy (ALE = SLE * ARO) based on
the Value of the Asset (AV), the Exposure Factor (EF), the Single Loss Expectancy (SLE = AV * EF) and
the Annual Rate of Occurrence (ARO).
• We finally used the derived Annual Loss Expectancy to generate the Cost of the Countermeasure,
which must be much less than the Annual Loss Expectancy:
Cost of Counter Measure = ALE before - ALE after - Annual Cost of Counter Measure.
• We hope we have understood well the concept of Cyber Security so far in this Awareness series:
Identify, Classify, Protect (Vulnerabilities, Threats, Risk and Counter Measures).
• Going forward we would bring home the various Threats and the ideal Counter Measures for
combating the Threats.
• We hope this helps...
See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE

DMCC Future of Trade Web3 - Special Edition
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

Cyber Security Awareness Month 2017-Nugget 3

Determining The Ideal Security Measure: Vulnerability
• A Vulnerability could be defined as a weakness or looseness.
• An Asset or any object could be seen as vulnerable if there is an element of weakness around that Asset.
• The weakness could be in the form of an opening, an exposure or something important lacking on the Asset.
• There is an element of visible and invisible vulnerabilities surrounding every newly installed or procured Asset.
• It is good practice to pro-actively outline the vulnerabilities around an Asset immediately after identifying it as Critical for your Business.
• In Cyber Security, it is important to start your Risk Management process with a Vulnerability checklist around the Asset.
• For example, a Critical Server Operating System (Asset) with no Anti-Virus, no updated patches, a weak log-in password, easy access for unauthorised parties, no Uninterrupted Power Supply (UPS) plug-in and other weaknesses surrounding the Asset is seen as highly Vulnerable.

Determining The Ideal Security Measure: Threat
• A Threat is that point at which the vulnerability is seen as a danger that could be exploited by the bad guys (hackers, criminals, attackers and others), known as Threat Agents.
• For example, some of the Critical Operating System vulnerabilities outlined in the previous slide could cause much harm to both the Asset and the business if exploited by the bad guys (Threat Agents).
• The bad guys (Threat Agents) could take advantage of the fact that there is no Anti-Virus program on the system and get it infected with a Virus (Threat).
• A Malware infection on a Critical System could be disastrous and negatively affect the Confidentiality, Integrity and Availability principles of Security.
• An Asset could be Vulnerable with either a high or a minimal Threat; it all depends on the scenario around the vulnerability and the probability of Impact.

Determining The Ideal Security Measure: Risk
• Risk is the probability or likelihood that a Vulnerability could be exploited with a Threat by a Threat Agent.
• Following our Critical Operating System example, one of the vulnerabilities is the weak log-in Password, which could easily be guessed and attacked (Threat) by the Threat Agents.
• The probability or likelihood that the weak log-in Password (Vulnerability) could actually be exploited with guessing attacks (Threat) by the Threat Agent is referred to as Risk.
• It is this level of certainty or probability that determines whether the Risk is high, low or insignificant.
• If the Risk is high, a Security Measure, which at this point is referred to as a Counter Measure or Safeguard, is proffered.
• As discussed in the previous Nugget, the weak log-in Password is a Vulnerability that falls under Technical Control and could breach all three basic principles of the CIA Triad.
• The Security Measure (Counter Measure) would be a Preventive Technical Control, tailored to a stricter Password Management approach.
• We would be looking at Risk from various perspectives in the subsequent slides.

Determining The Ideal Security Measure: Risk Equation
• We would now derive the Risk value from the Vulnerability and Threat discussed in the previous slides.
• Risk = Vulnerability * Threat * Impact
• Impact is the consequence of the Threat exploiting the Vulnerability.
• The Risk Equation helps us understand the Risk level of a Threat exploiting a Vulnerability on an Asset.
• For example, the Critical Operating System's missing patch (Vulnerability) could lead to unauthorised access to the system and other Applications on the system (Threat), and the consequence could amount to theft of data and much more (Impact).
• The Risk Equation would help us determine the Risk Response, that is, whether the Risk should be Mitigated, Accepted, Avoided or Transferred to Insurance.

Determining The Ideal Security Measure: Risk Responses
Risk Response is the process of determining a suitable Counter Measure to be applied on the Asset. The four basic Risk Responses are:
• Mitigate: Reduce the Risk to an acceptable level, with the right protection mechanism to maintain it at that level.
• Accept: Take the Risk as it is, probably due to a minimal or insignificant likelihood.
• Avoid: Stop doing whatever is causing the Risk.
• Transference: Involve a Third Party Insurance on the Assets, especially when the cost of the Counter Measure is unbearable to the Business.

Determining The Ideal Security Measure: Risk Analysis Types
There are generally two types of Risk Analysis:
• Quantitative Risk Analysis: A process of calculating Risk using numerical and monetary values. The Quantitative Risk Analysis takes into consideration:
– The Asset Value (AV): The cost of the Asset, the man hours and the cost of labour.
– The Exposure Factor of the Asset (EF): The level of exposure.
– The Single Loss Expectancy (SLE): The value of loss expected from one disruptive event. (AV * EF)
– The Annual Rate of Occurrence (ARO): The frequency at which the disruption could occur in one year.
– The Annual Loss Expectancy (ALE): The value of loss expected in one year. (SLE * ARO)
• Qualitative Risk Analysis: A process of assessing Risk using determined scenarios that could be subjective in nature.

Determining The Ideal Security Measure: Cost of Counter Measure vs Value of Asset
• Recall that the cost of the Counter Measure should not be more than the value of the Asset. It is advisable to use a compensating control at that point.
• After you arrive at a Counter Measure using the Risk Equation and Risk Analysis, it is good practice to evaluate the cost of the Counter Measure and ascertain that it is not more than the Value of the Asset.
• To achieve this: Cost of Counter Measure = Annual Loss Expectancy (ALE) before Counter Measure - Annual Loss Expectancy (ALE) after Counter Measure - Annual Cost of Counter Measure.
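The Risk Equation, the quantitative figures (AV, EF, SLE, ARO, ALE) and the countermeasure cost check above are given as formulas; the Python below works them through for the critical-server example with the weak log-in password. It is an added illustration, not the author's own material: the 1-3 rating scale, the High/Medium/Low thresholds, the mapping onto the four Risk Responses and every monetary figure are constructed assumptions.

```python
"""Worked risk-analysis example for the slides' formulas (added illustration,
not the author's material). Scales, thresholds and figures are constructed."""


def risk_score(vulnerability: int, threat: int, impact: int) -> int:
    """Risk = Vulnerability * Threat * Impact, each rated 1 (low) to 3 (high).
    The 1..3 rating scale is an assumption; the slides give no scale."""
    for name, v in (("vulnerability", vulnerability), ("threat", threat), ("impact", impact)):
        if not 1 <= v <= 3:
            raise ValueError(f"{name} must be rated 1..3, got {v}")
    return vulnerability * threat * impact


def risk_level(score: int) -> str:
    """Band the 1..27 product into High / Medium / Low (thresholds assumed)."""
    if score >= 18:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF; EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO; ARO is how many times per year the event is expected."""
    return sle * aro


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """The slides' formula: ALE before - ALE after - annual cost of the countermeasure.
    A positive result means the safeguard saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def recommend_response(level: str, cm_value: float, asset_value: float, annual_cost: float) -> str:
    """Map the numbers onto the four Risk Responses (mapping rules are assumptions)."""
    if level == "Low":
        return "Accept"  # insignificant likelihood: live with it
    if annual_cost > asset_value:
        return "Transfer"  # safeguard dearer than the asset: insure instead
    if cm_value > 0:
        return "Mitigate"  # safeguard pays for itself: apply it
    return "Avoid"  # nothing affordable works: stop the risky activity


if __name__ == "__main__":
    # Constructed figures: a critical server worth 50,000 loses half its value per
    # successful password-guessing incident, expected twice a year today and once
    # every four years after stricter password management costing 5,000 a year.
    sle = single_loss_expectancy(50_000.0, 0.5)  # 25,000
    ale_before = annual_loss_expectancy(sle, 2.0)  # 50,000
    ale_after = annual_loss_expectancy(sle, 0.25)  # 6,250
    value = countermeasure_value(ale_before, ale_after, 5_000.0)  # 38,750
    level = risk_level(risk_score(3, 3, 2))  # 18 -> High
    print(level, value, recommend_response(level, value, 50_000.0, 5_000.0))
```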
Determining The Ideal Security Measure: Risk Management Frameworks
It is good practice to run your Risk Management and Analysis using any of these methodologies:
• NIST SP 800-50
• FRAP
• OCTAVE
• FMEA
• Others.
Kindly do a search on each of the frameworks and apply accordingly.

Determining The Ideal Security Measure: Important Facts on Risk Management
• Information Risk Management is the responsibility of the Business Unit or Group Managers, even though it has to be supported by Top Level Management.
• Risk Management focuses on reducing Risk to a level acceptable to the Business, with the right mechanisms to maintain that level.
• Risk Management helps to ascertain the most cost-effective, relevant, up-to-date, ideal and resilient Counter Measure for a given Asset.
• The right Counter Measure would eliminate the Vulnerability and the Threat, but cannot eliminate the Risk or the Threat Agent. The Asset is protected by reducing or mitigating the Risk and preventing the Threat Agent from exploiting the Vulnerabilities around the Asset.
• There would always be some element of Risk left after applying the Counter Measure. This left-over Risk is referred to as Residual Risk.

Determining The Ideal Security Measure: In Summary
This Nugget may sound a bit technical to most of us here; you need not worry much, but do grab this:
• We looked at the various ways to ascertain the ideal Counter Measure to be applied on a given Asset.
• We first looked at the various Vulnerabilities and Threats around the Asset and explained Risk as the probability that Threat Agents could exploit the Vulnerabilities with the Threats.
• We worked through the Risk areas: the Risk Equation, Quantitative and Qualitative Risk Analysis, and the Risk Responses.
• Each of the Risk areas drew us closer to ascertaining the ideal and best Counter Measure to be applied on a given Asset.
• The Risk Equation (Vulnerability * Threat * Impact) ascertained the level of Risk, whether High, Medium or Low.
• Based on the Risk level ascertained from the Risk Equation, the Risk Response is determined. The response could be to Mitigate, Accept, Avoid or Transfer to Third Party Insurance.
• We further looked at how to generate the Annual Loss Expectancy (ALE = SLE * ARO) from the Value of the Asset (AV), the Exposure Factor (EF), the Single Loss Expectancy (SLE = AV * EF) and the Annual Rate of Occurrence (ARO).
• We finally used the derived Annual Loss Expectancy to generate the Cost of Counter Measure, which must be much less than the Annual Loss Expectancy: Cost of Counter Measure = ALE before - ALE after - Annual Cost of Counter Measure.
• We hope the concept of Cyber Security has been well understood so far in this Awareness series: Identify, Classify, Protect (Vulnerabilities, Threats, Risk and Counter Measures).
• Going forward, we would bring home the various Threats and the ideal Counter Measures for combating them.
• We hope this helps...

See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE