Risk

JW
T

John Wilson

Copyright © 2004 T. John Wilson & Associates P/L

JW
T
W hat is R isk ?
 Risk is a function of the likelihood of a given threat-source’s
exercising a particular potential vulnerability, and the
resulting impact of that adverse event on the organisation.

Risk

Level of Danger
Chances of that
from
event occurring
an adverse event


JW
T
D ifferent A spects of R isk

Risk

Risk Risk Risk
Analysis Assessment Management


R isk A nalysis JW
T

Supported by AS/NZ 4360:1995 Risk Management
Approaches to Risk Analysis can be broken down
into two main categories:

Quantitative Risk Analysis
Qualitative Risk Analysis


Q uantitative R isk A nalysis JW
T

 2 Elements:
The probability of an event occurring & the likely loss
Quantitative Risk Analysis makes use of a single
figure produced from these elements, called:
Annual Loss Expectancy (ALE) or
Estimated Annual Cost (EAC)
For an event this is calculated by multiplying the
potential loss by the probability.
It is therefore possible to rank events in order of risk
(ALE),and make decisions based upon this
Problems with this approach tend to relate to
unreliability and inaccuracy of data.


Q ualitative R isk A nalysis JW
T

By far the most widely used approach to risk analysis
Probability data is not required & only estimated
potential loss is used
Most qualitative methodologies use a number of
interrelated elements:
Threats – things that can go wrong
Vulnerabilities – things that make an attack more likely to have
some success or impact
Controls – countermeasures for vulnerabilities – 4 types:
Deterrent Controls – reduce the likelihood of a deliberate attack
Preventative Controls – protect vulnerabilities & reduce impact
Corrective Controls – reduce the effect of an attack
Detective Controls – discover attacks & trigger corrective controls


JW
T
C ontrols – R elational M odel
Threat
Threat
Deterrent Corrective
Corrective
Deterrent Control
Control
Control
Creates Control
Reduces
Likelihood of
ATTACK

Discovers
Vulnerability
Vulnerability Decreases

Detective
Detective Protects
Results
Control
Control In

Triggers
Preventative
Preventative Reduces Impact
Impact
Control
Control


JW
T

Q u a lita tive M e th o d s (R e la tive )

Colloquial Expressions
High/Medium/Low
Major/Minor/None
Scenario Risk Analysis


JW
T
C olloquial E xpressions

 Listening to what people say – and then …
 Expressing complex relationships in those terms
 It is not necessary to calculate figures …..
 The argument in the Colloquial Expression is enough
 Colloquial Expressions are easily understood
 Examples: High/Medium/Low; Major/Minor/None


JW
T
H igh/M edium /Low
Likelihood HIGH MEDIUM LOW

Consequence

Serious Illness 

Death 

Injury 

Results:
Risk of Serious Illness is High
Risk of Death is Medium
Risk of Injury is low


JW
T

H igh/M edium /Low

 1 = High Risk, Urgent
Risk HIGH MEDIUM LOW  2 = Medium Risk, Urgent
Importance
 3 = Low Risk, Urgent
 4 = High Risk, Pressing
Urgent 1 2 3
 5 = Medium Risk, Pressing
Pressing 4 5 6  6 = Low Risk, Pressing
Not Urgent 7 8 9  7 = High Risk, Not Urgent
 8 = Medium Risk, Not Urgent
 9 = Low, Risk, Not Urgent


S cenario R isk A nalysis JW
T

Incident Likelihood Loss Loss Risk
H/M/L H/M/L $$$ Rank

Description H H 20,000 7
Of Scenario

 Useful when exploring “What if” scenarios
Can be useful to get a more complete understanding
Of actual risks that we face


JW
T

R isk A ssessm ent
 To optimise risk control (treatment) procedures & contingency
decisions, management needs to have structured analytical
information on:
Relevant critical business activities (and associated ICT systems)
Critical timeframes for each activity
Tangible & intangible consequences should these activities be
unavailable
Minimum resources required to support each activity.
The consequences quantified over time, should business
activities be unavailable, provide the priorities for Recovery or
Continuity of these activities.


JW
In fo rm a tio n G a th e rin g T e c h n iq u e s T

 Questionaires: The most reliable method of
gathering information on Risk

 On-site Interviews: Allow observation of the
physical environment & operational security

Document Review: Policy documents; security-
related documentation; auditors reports etc.


Q uestionnaires JW
T

Should define the scope of the risk assessment
Should be tailored to suit the organisation’s core
business

Should include questions on historical experiences
Should be completed by key personnel, with key
responsibilities


R isk A ssessm ent R eports JW
T

The following Risk Assessment Reports should be
created (in that order):
Assessment Boundary Definition
List of Identified Systems at risk
List of Identified Threats and Vulnerabilities
List of Current and Planned Controls
Likelihood Determination Report
Impact Rating Report
Risks & Associated Risk Levels
Recommended Controls
Risk Assessment Report (Results Documentation)


B u sin e ss Im p a c t A n a lysis JW
T
(A step - by - step A pproac h)

1. Document gross revenue & net profit for the year – this sets the
upper boundary for business losses.
2. Define your business critical systems – track in a spreadsheet –
revenue data can be included if desired.
3. Classify each system as critical, important or non-critical –
interview operators re impact of outages – short/medium/long.
4. Document system cross-dependencies.
5. Estimate financial impacts associated with each system.
6. Estimate the cost to identify, remediate, recover & resume
operations for each system – include labour, HW/SW costs.
7. Identify the Maximum Acceptable Outage (MAO) for each system.


R isk M itigation JW
T
( U sing R isk A ssessm e nt R ep ort as In p ut )

Step 1: Prioritize Actions from High to Low
Step 2: Evaluate Recommended Control Options –
Feasibility/Effectiveness
Step 3: Conduct Cost-Benefit Analysis –
Implementing/Not Implementing
Step 4: Select Controls
Step 5: Assign Responsibility – List of responsible
persons
Step 6: Develop Safeguard Implementation Plan – List of
Mitigation Controls with Implementation Timeline
Step 7: Implement Selected Controls


B usiness C ontinuity P lanning JW T

Section 9 of AS/NZS Information Security Management Standard
4444:1996 says there should be a BCP process to cover the
following:
 Identification & prioritization of critical business processes
 Determination of the potential impact of various types of disaster
on business activities – Risk Assessment
 Identification & agreement on all responsibilities & emergency
arrangements.
 Documentation of agreed procedures and processes.
 Appropriate education of staff in executing these.
 Testing of the plans.
 Ongoing updating of the plans.


S um m ary JW
T

Good Risk Assessment & Management
is

foundational and a prerequisite to good

Business Continuity Planning


Risk

More Related Content

Similar to Risk

Risk