Risk Explained ... in 5 Minutes or Less
About

      @pjbeyer
      allthingsphil.com

      Austin ISSA President

      Texas Education Agency Information Security Officer

      Factor Analysis of Information Risk
photo credit: Dennis Yang (flickr.com)
photo credit: Kate Mereand-Sinha (flickr.com)
photo credit: Tom Bech (flickr.com)
photo credit: dfinnecy (flickr.com)
The Bald Tire
      Scenario Analysis

      Identify the components in this scenario:

            THREATS
            VULNERABILITIES
            RISKS

@pjbeyer                          allthingsphil.com
Asset


      Risk depends on the ASSET

      How many ASSETS did you consider?

      The ASSET is the bald tire



Threat

      Risk depends on the THREAT

      How many THREATS did you consider?

      The THREAT is the earth and the force of gravity that it applies

Vulnerability

      Risk depends on VULNERABILITY

      How did you consider VULNERABILITY?

      Vulnerability depends on the THREAT

      The potential VULNERABILITY is the frayed rope

Risk

      the probable frequency and probable magnitude of future loss


Risk Analysis

      Risk is a derived value

      Risk is a probability issue

      Risk has both a frequency and a magnitude component

      The fundamental nature of Risk is universal, regardless of context

Probability

      Possible

      Probable

      Predictable

                       photo credit: Wally Gobetz (flickr.com)
Shaman or Scientist

      You might be a Security Shaman if you...

           Assign risk based solely on "industry best practices"

           Don't use a framework which yields repeatable risk analysis results

           Can't rationally explain your risk analysis

Taxonomy

      Risk
          Loss Event Frequency
              Threat Event Frequency
              Vulnerability
                  Threat Capability
                  Resistance Strength
          Loss Magnitude
              Primary Loss Magnitude
              Secondary Risk
Vulnerability

            Threat Capability        Resistance Strength
Loss Event Frequency

            Threat Event Frequency        Vulnerability
Loss Magnitude

            Primary Loss Magnitude        Secondary Risk
Risk

            Loss Event Frequency        Loss Magnitude
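Deriving risk through the taxonomy in the preceding slides, as an added worked example (this is not code from the deck, its author, or the FAIR reference material): each factor is a calibrated min / most-likely / max estimate, Vulnerability is derived as the probability that Threat Capability exceeds Resistance Strength, Loss Event Frequency is Threat Event Frequency times Vulnerability, Loss Magnitude is Primary Loss Magnitude plus secondary loss, and Risk is their product simulated over many trials. The bald-tire percentiles and the credential-stuffing scenario numbers are constructed for illustration, and Secondary Risk is collapsed to an expected secondary loss per event, a simplification of the full FAIR treatment.

```python
"""FAIR-style risk derivation by Monte Carlo, standard library only.

Added illustration: the factor names follow the taxonomy (Threat Event Frequency,
Vulnerability, Threat Capability, Resistance Strength, Primary Loss Magnitude,
Secondary Risk); every number in the demo scenarios is constructed, not measured.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); a point estimate (low == high) returns low.
        return rng.triangular(self.low, self.high, self.mode)


def vulnerability(threat_capability: Estimate, resistance_strength: Estimate,
                  rng: random.Random, trials: int = 10_000) -> float:
    """Vulnerability is derived, not asserted: the probability that the threat's capability
    exceeds the asset's resistance strength. Both are percentiles (0-100) of the threat
    population, so the result is a probability in [0, 1] that depends on the threat chosen."""
    wins = sum(threat_capability.sample(rng) > resistance_strength.sample(rng)
               for _ in range(trials))
    return wins / trials


def derive_risk(threat_event_frequency: Estimate, vuln: float,
                primary_loss: Estimate, secondary_loss: Estimate,
                rng: random.Random, trials: int = 10_000) -> dict:
    """Walk the taxonomy top-down, once per trial:
       Loss Event Frequency = Threat Event Frequency x Vulnerability   (events per year)
       Loss Magnitude       = Primary Loss Magnitude + secondary loss  (currency per event)
       Risk                 = LEF x LM                                 (currency per year)
    Returns summary statistics of the simulated annual loss."""
    annual_losses = []
    for _ in range(trials):
        lef = threat_event_frequency.sample(rng) * vuln
        lm = primary_loss.sample(rng) + secondary_loss.sample(rng)
        annual_losses.append(lef * lm)
    annual_losses.sort()
    return {
        "mean": statistics.mean(annual_losses),
        "p10": annual_losses[int(0.10 * trials)],
        "p90": annual_losses[int(0.90 * trials)],
        "max": annual_losses[-1],
    }


def compare_threats(rng: random.Random) -> dict:
    """The bald-tire point from the deck: the same frayed rope has a different Vulnerability
    against different threats. Capabilities and resistance are constructed percentile estimates."""
    frayed_rope = Estimate(30, 45, 60)                 # resistance strength of the frayed rope
    threats = {
        "gravity on a tire": Estimate(20, 35, 50),     # modest, constant force
        "squirrel gnawing": Estimate(50, 70, 90),      # far more capable against a rope
    }
    return {name: vulnerability(cap, frayed_rope, rng) for name, cap in threats.items()}


if __name__ == "__main__":
    rng = random.Random(42)   # fixed seed so the analysis is repeatable, as a derived value should be
    for threat, v in compare_threats(rng).items():
        print(f"Vulnerability of the frayed rope to {threat}: {v:.2f}")

    # Constructed information-risk scenario: credential stuffing against a customer portal.
    vuln = vulnerability(Estimate(40, 60, 80), Estimate(50, 65, 80), rng)
    risk = derive_risk(
        threat_event_frequency=Estimate(2, 6, 12),       # attempts per year that reach the asset
        vuln=vuln,
        primary_loss=Estimate(5_000, 20_000, 60_000),    # response and recovery per event
        secondary_loss=Estimate(0, 10_000, 100_000),     # fines, churn, legal per event
        rng=rng,
    )
    print(f"Derived risk (annual loss): mean {risk['mean']:,.0f}, "
          f"10th-90th percentile {risk['p10']:,.0f}-{risk['p90']:,.0f}")
```

Run it as a script to see the two derivations. The point to notice is that nothing in the output is an opinion entered directly as "risk": change the threat and the Vulnerability of the same rope changes, change the asset's resistance and Loss Event Frequency changes, and the annual loss figure is whatever the frequency and magnitude factors multiply out to. Replace the triangular distributions with PERT or lognormal ones if your calibration data supports it; the derivation walk stays the same.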
FAIR

      Don't be a Security Shaman!

      Factor Analysis of Information Risk

      fairwiki.riskmanagementinsight.com
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License

Editor's Notes

  • #2 Risk is commonly misunderstood in the security community.
    Let's explain Risk in terms of its components, look at a taxonomy, and introduce scientific risk analysis.
  • #4 The Bald Tire Scenario #1
    Picture in your mind a bald car tire. Imagine that it’s so bald you can hardly tell that it ever had tread. How much risk is there?
  • #5 The Bald Tire Scenario #2
    Next, imagine that the bald tire is tied to a rope hanging from a tree branch. How much risk is there?
  • #6 The Bald Tire Scenario #3
    Next, imagine that the rope is frayed about halfway through, just below where it’s tied to the tree branch. How much risk is there?
  • #7 The Bald Tire Scenario #4
    Finally, imagine that the tire swing is suspended over an 80-foot cliff with sharp rocks below. How much risk is there?
  • #8 Now, identify the following components within the scenario. What were the:
    - Threats
    - Vulnerabilities
    - Risks
  • #9 Risk can't be calculated without identifying the asset.
    This scenario only includes a single asset.
    What asset assumptions did you make at each step of the scenario?

    In the context of information risk, we can define Asset as any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.
  • #10 A threat acts against an asset in a manner that can result in harm.
    Different threats have different capabilities.
    Consider the same scenario with a squirrel intent on gnawing through the rope.

    A reasonable definition for Threat is anything (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.
  • #11 An asset is vulnerable to a threat.
    Vulnerability is a derived value.
    Calculating vulnerability has everything to do with the threat.
    Consider the same scenario with a frayed steel cable.

    You may have wondered why “potential” is emphasized when I identified the frayed rope as a potential vulnerability. The reason it’s only a potential vulnerability is that we first have to ask the question, “Vulnerable to what?” If our frayed rope still had a tensile strength of 2000 pounds per square inch, its vulnerability to the weight of a tire would, for all practical purposes, be virtually zero. If our scenario had included a squirrel gnawing on the frayed rope, then he also would be considered a threat, and the rope’s hardness would determine its vulnerability to that threat. A steel cable (even a frayed one) would not be particularly vulnerable to our furry friend. The point is that vulnerability is always dependent upon the type and level of force being applied.
  • #12 Risk depends on threat, vulnerability, and asset characteristics.
    Risk is a derived value.
    Calculating risk has everything to do with how you frame the scenario.

    The following definition applies regardless of whether you’re talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains:

    Risk: the probable frequency and probable magnitude of future loss

    In other words, “how frequently something bad is likely to happen, and how much loss is likely to result.” As stated above, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.
  • #13 Risk is a derived value... Let that sink in.
    Probability, frequency, and magnitude are all involved.
    Information risk is no different from any other risk domain in business, government, or life.
  • #14 What is probability?
    It is POSSIBLE that an Alaskan Brown Bear will come through that door and maul me right now. However, it is not PROBABLE.
    I'm very confident that the PROBABILITY of rolling snake eyes on a pair of 6-sided dice is 1 in 36. I'm not at all confident in the PREDICTABILITY of when that roll will occur.

    Possibility is a binary condition: either something is possible, or it's not.
    Probability reflects the continuum between absolute certainty and impossibility.
    Predictability is a level of confidence in a forecast about what will happen.
  • #15 A shaman prescribes a remedy based upon what his forefathers have passed down to him.
    Some shamans may be extremely intuitive and great at what they do, but they are artists, not scientists.
    A shaman can't credibly explain why the cure works.

    Scientific analysis leads to deeper understanding.
    The scientific method is: define the problem; substantiate a theory; propose and test a hypothesis; come to a conclusion; learn something.

    Best practices are often based on long-held shamanistic solutions, tend to be one-size-fits-all, may evolve more slowly than the conditions in which they're used, and can too often be used as a crutch (e.g. "I can't explain why, so I'll just point to the fact that everyone else is doing it this way.").
  • #16 Don't be a Security Shaman!
    Derive your Risk!
  • #17 Don't be a Security Shaman!
    Derive the Vulnerability of your Assets!
  • #18 Don't be a Security Shaman!
    Derive the frequency of your Loss Events!
  • #19 Don't be a Security Shaman!
    Derive the Magnitude of a probable Loss!
  • #20 Don't be a Security Shaman!
    Derive your Risk!