The document discusses information risk and provides examples of common risks such as data breaches, phishing attacks, and malware infections. It then covers threats to information systems, categorizing threats as accidental or deliberate, as well as internal or external. Vulnerabilities are also discussed and categorized. The risk management process involves identifying risks, analyzing impacts, assessing risks, treating risks, and continual monitoring. Risks are assessed qualitatively or quantitatively and tools can help with the assessment process.

1. Information Risk
PRESENTED BY:
JAKE ARIES R. MACARAYO
JERICHO E. ARREZA

2. LESSON MAP:

3. INFORMATION RISK
 Data Breaches: This occurs when sensitive or confidential information is accessed, disclosed,
or stolen by unauthorized individuals or entities.
 Phishing Attacks: Phishing is a type of cyber attack where attackers impersonate legitimate
entities to trick individuals into revealing sensitive information such as passwords or credit card
numbers.
 Malware Infections: Malware is malicious software designed to disrupt, damage, or gain
unauthorized access to a computer system.
 Insider Threats: Insider threats occur when individuals within an organization misuse their
access to sensitive data for malicious purposes.
 Physical Security Breaches: Information stored in physical form (e.g., printed documents,
portable storage devices) can be vulnerable to theft or unauthorized access if proper security
measures are not in place.
 Third-Party Risks: When organizations rely on third-party vendors or service providers to handle
their data or IT infrastructure, they introduce a risk if those third parties do not adequately
protect the information.

4. THREATS TO, AND VULNERABILITIES
OF, INFORMATION SYSTEMS
A threat is something that may happen, and that may
cause some undesirable consequence.
Threats must be realistic and may have already
occurred, with records of incidents supporting their
validity.
What is perceived as a threat to one party could be an
opportunity for another.
THREATS

5. Threat categorization
 Threats can be categorized into two main areas – accidental threats and
deliberate threats.
 Each of these areas may contain two further choices – internal
threats and external threats.
In information assurance,accidental threats include a number of
conditions, such as human error, system malfunctions, fire and
floods.
The implication is that there has been no deliberate attempt to
carry out the threat – it has simply happened.

6. Threat categorization
 Deliberate threats: Occur when someone sets out with every intention of
carrying out the threat. This type of threat includes hacking, malicious
software, sabotage, cyber terrorism, hi-tech crime, and so on
 Internal threats arise – The organization itself, or from business partners and
suppliers who have some degree of access to the organization’s information
systems environment.
 External threats arise -- from outside the organization and its less closely
linked business partners and suppliers. Typical external threats may arise
from hackers (of various kinds), competitors and protest groups.

7. Vulnerabilities
A vulnerability is a weakness in a system that, if exploited,
could lead to undesirable consequences.
 For instance, writing passwords on Post-It notes creates
vulnerability to unauthorized access.
Vulnerabilities can arise from poor software design, leaving
systems open to attacks.
Popular software and operating systems are often targeted by
hackers due to their widespread use and accessibility.

8. Vulnerabilities categorization
Vulnerabilities are divided into general and information-
specific categories. General vulnerabilities encompass
weaknesses in software, hardware, facilities, people,
processes, and procedures.
Information-specific vulnerabilities pertain to unsecured
computers, servers, operating systems, network devices,
wireless systems, web servers, email systems, and physical
storage units.
Assets become vulnerable due to inadequate security
measures or ineffective fixes. Threats exploit vulnerabilities to
achieve their objectives.

9. Assets
Information assets can take various forms, ranging from tangible
items like systems or buildings to intangible ones such as
intellectual property, business services, or brand reputation.
 Incidents impact assets, whether they are tangible or intangible,
emphasizing their critical importance to the organization's well-
being.

10. Impact
 Understanding the potential impact of a risk is crucial in information
assurance.
 If the impact is minimal, it might be acceptable to accept the risk and
monitor it periodically.
 However, significant potential impacts, such as loss of vital company
information, require appropriate countermeasures.
 Business impacts of threats include loss of confidentiality, integrity,
and availability, leading to financial loss, brand damage, and loss of
customer confidence.

11. Likelihood or probability
 Risk management involves assessing the likelihood of events
occurring, which can vary from very likely to highly improbable.
 Likelihood assessment can be quantitative, relying on clear metrics
and statistical data, or qualitative, based on subjective opinions.
 The risk of breach without password protection is deemed high, even
without exact incident numbers.
 Both assessment methods are valuable as long as they follow agreed
criteria.

12. Risk
 The combination of a vulnerability being exploited by a threat results in
an impact or consequence. Risk assessment for a threat considers both
the impact and the likelihood of it being carried out.
 Multiple circumstances can compound risks, potentially leading to more
serious security breaches.
 For instance, if files contain lists of usernames and passwords, it could
exacerbate security vulnerabilities.

13. Calculating the overall risk
 When assessing the risk for an information asset, factors such as
threats, potential impacts, and vulnerabilities must be considered.
 This process involves identifying threats and estimating their potential
impacts, as well as identifying vulnerabilities associated with the asset to
determine the likelihood of threats being realized.
 The initial stage, known as a business impact analysis (BIA), evaluates
the impact of threats on business assets
 Ms. Jackson, the chairperson, has been reminded that all GANT’s
information is held on a single computer system that was recently
compromised by a teenage hacker.
 GANT has no backup of the information and no suitable paper
documentation from which to easily recreate its records.

14. RISK MANAGEMENT
 Risk management process - involves four key areas: identifying threats,
analyzing their impact, assessing risks, treating them, and continually
monitoring outcomes.
 Risk assessments occur at various levels such as corporate, business
system, or physical location, each requiring different approaches but with
similar methodologies and applications of results.

15. The risk management life cycle

16. Identification
 To initiate a risk management process, identifying threats is crucial,
alongside understanding existing vulnerabilities.
 This may reveal multiple threats or consolidate various vulnerabilities into
one.
 Each identified threat is then evaluated based on its impact on the asset at
risk; for instance, a server breach could lead to service disruption, data
loss, or web page defacement, impacting profitability.
 Another approach involves listing critical organizational assets and
assessing potential threats against them.
 Subsequently, the resulting list of assets, threats, and potential impacts
guides further analysis.

17. Analysis
 Having identified the impact (or impacts) for each threat, the next task is to
assess the likelihood of it occurring.
 It must be remembered that this is ongoing work and that, if the patching
falls behind, the likelihood of an attack being successful will increase.

18. A typical risk matrix

19. Options for treating risks
 The risk matrix guides four potential courses of action for treating risks:
1. Avoid or terminate the risk: This involves refraining from actions that pose risks,
such as implementing policies to prohibit unauthorized software installation on
company computers.
2. Accept or tolerate the risk: When risks are assessed to be low, organizations may
consciously decide to tolerate them, ensuring accountability through formal sign-off
processes and regular monitoring.
3. Reduce or modify the risk: Actions to reduce risks include minimizing threats,
vulnerabilities, or impacts through controls such as security patches, firewall
settings, or implementing redundancy measures like disaster recovery systems.
4. Transfer or share the risk: Risks can be transferred via insurance policies or
outsourcing to third-party specialists, although ultimate responsibility and
ownership of the risk remain with the organization. Insurance helps mitigate
financial impacts, but may not cover all consequences, particularly consequential

20. Monitor
 The last step in the risk management cycle is monitoring the outcomes of the
risk treatment plan.
 Monitoring frequency depends on the threat type; rapidly changing threats
require frequent checks, while others need occasional monitoring.
 The cycle should be periodically repeated to account for disappearing threats
and emerging ones.
 Monitoring intervals are determined by the organization's risk appetite and
may be outlined in a risk management strategy or policy document.

21. Approaches to risk assessment
Qualitative
 Qualitative risk assessment, though subjective, is valuable when hard data is
scarce. Establishing clear definitions for risk levels like 'high', 'medium', and
'low' ensures rationality and ease of justification in the assessment process.
 Quantitative risk assessments rely on statistical evidence to gauge both
impact and likelihood, such as using data from antivirus vendors for virus
attack risks.
 While statistical information is widely available, it should be approached
cautiously due to the potential for manipulation or misinterpretation.

22. One possible rating framework for risk
assessment

23. Software tools
 Various software tools exist for conducting risk assessments, but the book
refrains from endorsing any specific ones, encouraging readers to explore
and determine which suits their needs best.
 It warns against overcomplicating the process with elaborate analyses,
suggesting that a simple spreadsheet-based tool can often suffice and be
more adaptable to organizational needs
 Simplifying the process helps make the results more understandable to a
wider audience, avoiding the perception of risk assessment as a mysterious
or inaccessible practice.

24. Questionnaire
 When conducting a risk assessment, preparing a questionnaire helps gather
information from relevant areas of the organization.
 Starting with open-ended questions about processes and procedures can
reveal crucial details and potential points of failure.
 Subsequently, closed questions delve deeper to uncover facts and figures,
aiding in a detailed analysis of potential risks.
 While some information may seem trivial initially, it could be essential for
building a business case to secure funding for risk mitigation measures.

25. Identifying and accounting for the value of
information assets
 Before conducting a risk assessment on an organization's information, it's
essential to identify and document each information asset.
 Information from questionnaires aids in listing responsibilities for collecting
and storing data, its location, usage, backup procedures, and the role of
individuals as information assets.
 Assessing the value of information assets involves considering their
function, downtime tolerance, recovery difficulty, and frequency of changes.
 Key questions include assessing the potential loss or impact on the
organization if the asset becomes unavailable.

26. Information classification policies
 Information classification categorizes data based on its sensitivity and
access restrictions.
 Public domain information like product lists typically have a low
classification, while customer account details may be labeled as confidential.
 Highly critical information, such as documents related to mergers or
acquisitions, may have a higher classification level, like 'highly confidential'
or 'secret.'
 Companies can define multiple classification levels, but simplicity is crucial.
 Each information asset must align with the classification policy, and assets
not marked as 'unmarked' or 'unrestricted' must be labeled accordingly.
 The policy should outline procedures for handling, storing, and disposing of
protectively marked information.

27. Assessing the risks in business terms
 When conducting risk assessments, it's crucial to avoid using complex risk
management terminology, especially when communicating with individuals
unfamiliar with the jargon.
 Instead, risk assessors should articulate outcomes in language easily
understood by managers within the organization, tailoring the terminology to
suit different departments' specific contexts
 This approach optimizes impact and buy-in, ensuring assessments focus on
areas recognized by individual departments to avoid wasted efforts.

28. Balancing the cost of information
security against the potential losses
 After conducting risk assessments, recommendations for mitigating higher-
level risks are provided, accompanied by rough cost estimates to present a
balanced perspective for decision-makers.
 Decision-making regarding risk mitigation depends on factors such as
anticipated losses, cost of controls, and organizational risk appetite.
 Some cases may require detailed cost breakdowns, and legal or regulatory
requirements may also influence decision-making.
 Experienced risk managers anticipate such complexities but must also
consider non-financial factors in risk treatment decisions.

29. The role of management in accepting
risk
 Organizations must differentiate between accepting and ignoring risk,
ensuring conscious decisions with thorough documentation.
 It's best practice to have multiple managers, especially one from a different
discipline, sign off on high-impact risks to provide objective confirmation.
 Regular review of accepted risks is essential to ensure alignment with the
organization's risk appetite and to account for any changes in threat, impact,
or likelihood.

30. Contribution to risk registers (e.g. Turn
bull conformance)
 Risk registers are essential for formal documentation of all identified risks,
providing visibility to authorized observers such as auditors.
 They facilitate ongoing monitoring of risk status and serve as management
reports on risk mitigation progress.
 Key components of a risk register include details of the threat, assessed
impact and likelihood, overall risk, recommended treatment, responsible
party, and expected completion date
 Regular review and updates, typically monthly or quarterly, ensure alignment
with external changes and regulatory requirements.

31. END OF THE
PRESENTATION
THANK YOU!!