Dan Vasile - Risk Calculation and Visualization

•Download as PPTX, PDF•

0 likes•273 views

Dan Vasile

E-Crime & Cyber Security - Benelux Summit 2017

Technology

A new paradigm
for
risk calculation
and
visualization

FrAppSec
Framework for Application Security
https://frappsec.org

Risk
=
Impact x Likelihood
x Business Factor

Risk 1 = Impact x Likelihood x Business Factor
Risk 2 = Impact x Likelihood x Business Factor
.
.
Risk n = Impact x Likelihood x Business Factor

Risk 1 = Impact x Likelihood x Business Factor
Risk 2 = Impact x Likelihood x Business Factor
.
.
Risk n = Impact x Likelihood x Business Factor
Total Risk = Σ Risk i

Risk appetite = 30 risk points, no high risks

Risk appetite = 30 risk points, no high risks
Case 1
25

Risk appetite = 30 risk points, no high risks
Case 2
20

Risk appetite = 30 risk points, no high risks
Case 3
35

A meaningful risk visualization
Sirius
Polaris
Vega
Aldebaran
Rigel
Deneb
Betelgeuse
Arcturus Canopus
Altair
Fomalhaut
Pollux

A meaningful risk visualization
Sirius
Polaris
Vega
Aldebaran
Rigel
Deneb
Betelgeuse
Arcturus Canopus
Altair
Fomalhaut
Pollux
20182017

1. Combat risk illiteracy
2. View risk as a bubble
3. Use meaningful visualization

Similar to Dan Vasile - Risk Calculation and Visualization

Session 04_Risk Assessment Program for YSP_Risk Analysis IMuizz Anibire

Risk assessmentPANNALAL SONI

PMP Muzette Charles_Sp2019_Week5_Chapter11_RiskMuzette Charles, PMP

Risk management intruduction part 2MEEQAT HOSPITAL

Deploying Risk Management in SMEsSikiru Salami ACA MRM

Kuala Lumpur - PMI Global Congress 2009 - Risk ManagementTorsten Koerting

Managing Risk and Uncertainty in Business.pptxTope Osanyintuyi

Risk Assessment.pptxDivyesh Jha

Project Risk Management-Pankaj K SinhaPankaj K Sinha

Risk Assessment - Refresher Training for ManagersVictoria Finch

Risk Analysis in Occupational Health SettingAhmed-Refat Refat

Rsc 05PMInstituteIndia

COSO VS ERM - Naresh Parandhaman

Sameer Mitter Bournemouth - What do understand by Risk managementSameer Mitter

Risk analysis and risk mgt.ÄĥŸäń Pegason

PRMG195 - Rsik Management Case Study.pdfmohamed Ismail

Risk Management for New Era - Risk Magazine Spring 2023The IRM India

BBA 4226, Risk Management 1 Course Learning Outcomes .docxaryan532920

Similar to Dan Vasile - Risk Calculation and Visualization (18)

Session 04_Risk Assessment Program for YSP_Risk Analysis I

Risk assessment

PMP Muzette Charles_Sp2019_Week5_Chapter11_Risk

Risk management intruduction part 2

Deploying Risk Management in SMEs

Kuala Lumpur - PMI Global Congress 2009 - Risk Management

Managing Risk and Uncertainty in Business.pptx

Risk Assessment.pptx

Project Risk Management-Pankaj K Sinha

Risk Assessment - Refresher Training for Managers

Risk Analysis in Occupational Health Setting

Rsc 05

COSO VS ERM -

Sameer Mitter Bournemouth - What do understand by Risk management

Risk analysis and risk mgt.

PRMG195 - Rsik Management Case Study.pdf

Risk Management for New Era - Risk Magazine Spring 2023

BBA 4226, Risk Management 1 Course Learning Outcomes .docx

Recently uploaded

My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar

Install Stable Diffusion in windows machinePadma Pradeep

Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group

Slack Application Development 101 Slidespraypatel2

Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software

Presentation on how to chat with PDF using ChatGPT code interpreternaman860154

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh

Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst

Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls

Artificial intelligence in the post-deep learning eraDeakin University

Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK

08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls

Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxnull - The Open Security Community

CloudStudio User manual (basic edition):comworks

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada

The transition to renewables in India.pdfCompetition Advisory Services (India) LLP

IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge

Recently uploaded (20)

My Hashitalk Indonesia April 2024 Presentation

Install Stable Diffusion in windows machine

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads

Slack Application Development 101 Slides

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation

Presentation on how to chat with PDF using ChatGPT code interpreter

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi

Human Factors of XR: Using Human Factors to Design XR Systems

Maximizing Board Effectiveness 2024 Webinar.pptx

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Artificial intelligence in the post-deep learning era

Unblocking The Main Thread Solving ANRs and Frozen Frames

08448380779 Call Girls In Civil Lines Women Seeking Men

Benefits Of Flutter Compared To Other Frameworks

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...

E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx

CloudStudio User manual (basic edition):

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024

The transition to renewables in India.pdf

IAC 2024 - IA Fast Track to Search Focused AI Solutions

Dan Vasile - Risk Calculation and Visualization

1. A new paradigm for risk calculation and visualization

2. FrAppSec Framework for Application Security https://frappsec.org

3. risk as a bubble

4. = risk appetite

5. Risk = Impact x Likelihood

6. Risk = Impact x Likelihood x Business Factor

7. Risk 1 = Impact x Likelihood x Business Factor Risk 2 = Impact x Likelihood x Business Factor . . Risk n = Impact x Likelihood x Business Factor

8. Risk 1 = Impact x Likelihood x Business Factor Risk 2 = Impact x Likelihood x Business Factor . . Risk n = Impact x Likelihood x Business Factor Total Risk = Σ Risk i

9. Risk 1 = Impact x Likelihood x Business Factor Risk 2 = Impact x Likelihood x Business Factor . . Risk n = Impact x Likelihood x Business Factor Total Risk = Σ Risk i

10. Risk 1 = Impact x Likelihood x Business Factor Risk 2 = Impact x Likelihood x Business Factor . . Risk n = Impact x Likelihood x Business Factor Total Risk = Σ Risk i

11. = risk appetite

12. Risk appetite = 30 risk points, no high risks

13. Risk appetite = 30 risk points, no high risks Case 1 25

14. Risk appetite = 30 risk points, no high risks Case 2 20

15. Risk appetite = 30 risk points, no high risks Case 3 35

16. A meaningful risk visualization

17. A meaningful risk visualization Sirius Polaris Vega Aldebaran Rigel Deneb Betelgeuse Arcturus Canopus Altair Fomalhaut Pollux

18. A meaningful risk visualization Sirius Polaris Vega Aldebaran Rigel Deneb Betelgeuse Arcturus Canopus Altair Fomalhaut Pollux

19. A meaningful risk visualization Sirius Polaris Vega Aldebaran Rigel Deneb Betelgeuse Arcturus Canopus Altair Fomalhaut Pollux 20182017

20. 1. Combat risk illiteracy 2. View risk as a bubble 3. Use meaningful visualization

21. FrAppSec.org @DanCVasile

Editor's Notes

It all started when developing the Framework for Application Security.
Present risk as a bubble. Good analogy: if it’s too big, it’s going to pop.
Size is always a constraint for the risk bubble.
Traditional risk calculation formula.
Challenged and appended formula to allow quantification for executives. The business factor is the importance of the system from a business perspective and can be expressed as percentage. A mission critical system will thus have a business factor equal to one.
Each system has multiple vulnerabilities, each of them carrying an associated risk.
The total risk of the system is the sum of individual risks.
Individual risks have different severities. In this slide, risk 1 is high (red label), risk two is medium (orange label) and risk n is low (yellow label)
The total risk inherits the highest severity of individual risks.
We can now define the risk appetite based on the formula previously presented.
This is the acceptable bubble. It has a size of 30 risk points and the maximum accepted severity is medium.
Scenario 1: compliant. The risk value is within acceptable limits (25<30) and the maximum severity among individual risks is low.
Scenario 2: non-compliant. Even though the numeric value of the total risk is within the risk appetite statement(20<30), the severity of the total risk is high which is unacceptable.
Scenario 3: non-compliant. The numeric value of the total risk is greater than the risk appetite statement (35>30)
Building a meaningful risk visualization. Each bubble represents a system.
Improvement 1: add system names to quickly identify them
Improvement 2: add a visual indicator of non-compliancy
Improvement 3: add a timeline indicator to show the last assessment performed to measure risk.
Take away: Educate people on information security risks and mitigations. Use the risk as a bubble analogy for a more clear message Build a meaningful visualization to provide an overview of the total risk.

Dan Vasile - Risk Calculation and Visualization

Recommended

Recommended

More Related Content

Similar to Dan Vasile - Risk Calculation and Visualization

Similar to Dan Vasile - Risk Calculation and Visualization (18)

More from Dan Vasile

More from Dan Vasile (6)

Recently uploaded

Recently uploaded (20)

Dan Vasile - Risk Calculation and Visualization

Editor's Notes