BÜROTEX GmbH
Vishal Sharma
Information Security Consultant/Solution Developer
RISK

Risk is the uncertainty of outcome, whether a positive opportunity or a negative threat.

Some commonly known terms:

• Asset: something that should be protected.
• Asset valuation: a value assigned to an asset based on its actual cost and non-monetary expenses.
• Threat: any occurrence that could cause an undesirable or unwanted outcome for an organization or for a specific asset.
• Vulnerability: the absence or weakness of a safeguard or countermeasure.
• Exposure: being susceptible to asset loss because of a threat.
• Safeguard: a safeguard, or countermeasure, is anything that removes a vulnerability.
• Attack: the exploitation of a vulnerability by a threat agent.
• Breach: the occurrence of a security mechanism being bypassed.
How the terms relate (the slide shows this as a circular diagram; rendered here as a chain):

Threats exploit Vulnerabilities, which result in Exposure, which is Risk, which is mitigated by Safeguards, which protect Assets, which are endangered by Threats.
Factors for asset valuation:

• Purchase cost
• Development cost
• Administrative cost
• Maintenance or upkeep cost
• Cost of acquiring the asset
• Cost to protect or sustain the asset
• Value to owners and users
• Value to competitors
• Intellectual property or equity value
• Market valuation
• Replacement cost
• Productivity enhancement or degradation
• Operational cost of asset presence and loss
• Liability of asset loss
• Usefulness
The next logical step is to calculate threats:

• Viruses
• Cascade errors and dependency faults
• Criminal activities by authorized users
• Movements
• Intentional attacks
• Reorganization
• Authorized user illness
• Hackers
• User errors
• Natural disasters
• Physical damage
• Misuse of data, resources, or services
• Changes or compromises to data classification or security policies
• Government, political, or military intrusions or restrictions
• Processing errors, buffer overflows
• Personal privilege abuse
• Temperature extremes
• Energy anomalies
• Loss of data
• Information warfare
• Bankruptcy or alteration/interruption of business activity
• Coding/programming errors
• Intruders
• Environmental factors
• Equipment failures
• Physical theft
• Social engineering
Risk Analysis

• Quantitative: results in a concrete probability percentage.
• Qualitative: more scenario-based; it relies on:
  • Brainstorming
  • Delphi technique
  • Storyboarding
  • Focus groups
  • Surveys
  • Questionnaires
  • Checklists
  • One-on-one meetings
  • Interviews
Quantitative analysis, major steps involved:

• Research countermeasures for each threat
• Calculate the changes to ARO and ALE based on the applied countermeasure
• Perform a cost/benefit analysis of each countermeasure for each asset

• AV: inventory assets and assign a value
• EF: calculate the exposure factor for each possible threat to each individual asset
• SLE: single loss expectancy
• ARO: annualized rate of occurrence
• ALE: annualized loss expectancy
Cost Functions

• Exposure factor (EF): the percentage of loss if a specific asset were violated by a realized risk
• SLE = AV * EF
• ARO: can be derived from historical records, statistical analysis or guesswork; basically it is a probability determination
• ALE = SLE * ARO
• ACS: annual cost of safeguard, in € per year, which involves the following factors:
  • Cost of purchase, development and licensing
  • Cost of implementation and customization
  • Cost of annual operation, maintenance, administration and so on
  • Cost of annual repairs and upgrades
  • Productivity improvement or loss
  • Changes to the environment
  • Cost of testing and evaluation
• Value or benefit of a safeguard = (ALE1 - ALE2) - ACS

Note:

Value of safeguard to the company = (ALE before safeguard - ALE after implementing safeguard) - (annual cost of safeguard)
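The cost functions above carried through end to end, as an added worked example in Python (not code from the deck or its author). The asset, threat and safeguard figures are constructed for illustration, and the dataclass and function names are my own. It computes SLE and ALE for one asset and threat, then applies the safeguard value formula (ALE before minus ALE after, minus ACS) to two candidate safeguards, showing that the more effective safeguard can still be net-negative once its annual cost is included.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and safeguard value.

Added worked example. All figures below are constructed for illustration;
they are not taken from the slides.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Asset:
    name: str
    av: float  # asset value (AV), EUR


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of AV lost per realized occurrence (0..1)
    aro: float  # annualized rate of occurrence: expected occurrences per year (>= 0)


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float        # annual cost of safeguard (ACS), EUR per year
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # ARO once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: SLE = AV * EF (EUR per occurrence)."""
    if av < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = SLE * ARO (EUR per year)."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle(av, ef) * aro


def safeguard_value(asset: Asset, threat: Threat, sg: Safeguard) -> float:
    """Value of a safeguard = (ALE before - ALE after) - ACS.

    Positive: the safeguard saves more per year than it costs.
    Negative: accepting the risk is cheaper than buying this safeguard.
    """
    ale_before = ale(asset.av, threat.ef, threat.aro)
    ale_after = ale(asset.av, sg.ef_after, sg.aro_after)
    return (ale_before - ale_after) - sg.acs


def best_safeguard(asset: Asset, threat: Threat,
                   candidates: Sequence[Safeguard]) -> Optional[Safeguard]:
    """Return the candidate with the highest positive value, or None if none pays off."""
    if not candidates:
        return None
    value, sg = max(((safeguard_value(asset, threat, c), c) for c in candidates),
                    key=lambda pair: pair[0])
    return sg if value > 0 else None


# Constructed scenario (illustrative figures only).
CUSTOMER_DB = Asset("customer database", av=500_000.0)
# One ransomware incident every two years, losing 60% of the asset's value each time.
RANSOMWARE = Threat("ransomware", ef=0.6, aro=0.5)
# Cheaper safeguard: limits damage (EF) but does not change how often it happens.
BACKUPS_EDR = Safeguard("offline backups + EDR", acs=40_000.0, ef_after=0.1, aro_after=0.5)
# Stronger safeguard: reduces both EF and ARO, but costs more than it saves.
FULL_REBUILD = Safeguard("segmented rebuild + managed SOC", acs=150_000.0,
                         ef_after=0.05, aro_after=0.25)


def main() -> None:
    print(f"Asset: {CUSTOMER_DB.name}, AV = {CUSTOMER_DB.av:,.0f} EUR")
    print(f"Threat: {RANSOMWARE.name}, SLE = {sle(CUSTOMER_DB.av, RANSOMWARE.ef):,.0f} EUR, "
          f"ALE = {ale(CUSTOMER_DB.av, RANSOMWARE.ef, RANSOMWARE.aro):,.0f} EUR/year")
    for sg in (BACKUPS_EDR, FULL_REBUILD):
        print(f"  {sg.name:34s} value = {safeguard_value(CUSTOMER_DB, RANSOMWARE, sg):>10,.0f} EUR/year")
    chosen = best_safeguard(CUSTOMER_DB, RANSOMWARE, [BACKUPS_EDR, FULL_REBUILD])
    print("Recommended:", chosen.name if chosen else "accept the risk (no safeguard pays off)")


if __name__ == "__main__":
    main()
```

With these constructed figures the cheaper safeguard is worth 85,000 EUR per year while the stronger one comes out at -6,250 EUR per year, so the cost/benefit step on the slide would select the cheaper one. The validation in `sle` and `ale` rejects an exposure factor outside 0..1 and a negative ARO, the two inputs most often mis-entered as percentages or counts.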
Thank You
