SlideShare a Scribd company logo

Risks threats and vulnerabilities

Manish Chaurasia
Manish Chaurasia

Slide about risk thread and vulnerabilities

Software
1 of 28
Download to read offline
Risks Threats and Vulnerabilities The Fundamentals of R-T-A
Agenda • Analysis vs. Assessment • Risks • Threats • Vulnerability • The Flow of R-T-A
Analysis vs. Assessment • An assessment is more of a general comparison of something to a standard, or between two something; which is better, more correct, which is closer to the color teal. • An analysis requires deep scrutiny and calculated measuring and recording of criteria. • An assessment is not exact, an analysis is more precise and less general than an assessment.
HAZARDS • Existing condition or possible (under current conditions) situation that has the potential to generate a disaster • Natural hazards – naturally occurring phenomena – weather, topographic, geological, hydrological, etc. • Human systems developed – caused by human activity, infrastructure, transportation, etc. • Conflict based – civil war, terrorism, nuclear war, etc.
HAZARDS - Examples • Hurricanes and tornadoes during their seasons • Earthquakes • High hazard, poorly maintained dams • Airlines with abysmal safety records • Power production systems with either dangerous technologies or poorly maintained transmission systems
Disasters • The Highest DEGREE of any HAZARD…
Risk • The probability that a particular threat will exploit a particular vulnerability • Need to systematically understand risks to a system and decide how to control them. • Risk = Probability x Impact
Examples of Risk • Overreliance on security monitoring software • Inadequate system logging • Technology innovations that outpace security • Outdated operating systems • Lack of encryption • Data on user-owned mobile devices • IT “diplomatic immunity” within your organization • Lack of management support • Challenges recruiting and retaining qualified IT staff • Segregation of duties
Threat • An expression of intention to inflict evil injury or damage • Attacks against key security services – Confidentiality, integrity, availability • The operationalization of vulnerability, expected impact of a developing hazard, and the probability that impact will work against your vulnerabilities • Threat means something bad is coming your way – high threat means it is highly likely to hit you and it will be very bad
Slide #10 Example Threat List •T01 Access (Unauthorized to System - logical) •T02 Access (Unauthorized to Area - physical) •T03 Airborne Particles (Dust) •T04 Air Conditioning Failure •T05 Application Program Change (Unauthorized) •T06 Bomb Threat •T07 Chemical Spill •T08 Civil Disturbance •T09 Communications Failure •T10 Data Alteration (Error) •T11 Data Alteration (Deliberate) •T12 Data Destruction (Error) •T13 Data Destruction (Deliberate) •T14 Data Disclosure (Unauthorized) •T15 Disgruntled Employee •T16 Earthquakes •T17 Errors (All Types) •T18 Electro-Magnetic Interference •T19 Emanations Detection •T20 Explosion (Internal) •T21 Fire, Catastrophic •T22 Fire, Major •T23 Fire, Minor •T24 Floods/Water Damage •T25 Fraud/Embezzlement •T26 Hardware Failure/Malfunction •T27 Hurricanes •T28 Injury/Illness (Personal) •T29 Lightning Storm •T30 Liquid Leaking (Any) •T31 Loss of Data/Software •T32 Marking of Data/Media Improperly •T33 Misuse of Computer/Resource •T34 Nuclear Mishap •T35 Operating System Penetration/Alteration •T36 Operator Error •T37 Power Fluctuation (Brown/Transients) •T38 Power Loss •T39 Programming Error/Bug •T40 Sabotage •T41 Static Electricity •T42 Storms (Snow/Ice/Wind) •T43 System Software Alteration •T44 Terrorist Actions •T45 Theft (Data/Hardware/Software) •T46 Tornado •T47 Tsunami (Pacific area only) •T48 Vandalism •T49 Virus/Worm (Computer) •T50 Volcanic Eruption
Slide #11 Characterize Threat-Sources Blackmail Malicious code Input of falsified data System bugs Ego, Revenge, Monetary gain Insider Information warfare System attack System tampering Blackmail, Destruction, Revenge Terrorist Hacking Social engineering System intrusion Unauthorized access Challenge, ego, rebellion Hacker Threat ActionsMotivationThreat-source
VULNERABILITIES • If you have a hazard you may or may not be vulnerable to it – Live in the flood plain – vulnerable to floods – Live on high ground – not vulnerable to floods • Vulnerability is an assessment of how well or how poorly protected you are against an event • Vulnerabilities are flaws / weaknesses in any system which can be utilized to generate “Threat”
Slide #13 Vulnerabilities • Flaw or weakness in system that can be exploited to violate system integrity. – Security Procedures – Design – Implementation • Threats trigger vulnerabilities – Accidental – Malicious
VULNERABILITIES • Vulnerabilities may be reduced by mitigation measures (building construction, land use control, maintenance, etc.) • Or by the level of preparedness you have achieved (well trained and equipped emergency teams, plans, exercises, etc.)
Factors influencing VULNERABILITY • Three factors may influence the determination of vulnerability – Criticality – how important is the asset or function that is subject to impact – Exposure – to how much of the force of the event is the resource exposed – Time – does vulnerability fluctuate over time of day, month, season?
Examples of Vulnerabilities •Physical •V01 Susceptible to unauthorized building access •V02 Computer Room susceptible to unauthorized access •V03 Media Library susceptible to unauthorized access •V04 Inadequate visitor control procedures •(and 36 more) •Administrative •V41 Lack of management support for security •V42 No separation of duties policy •V43 Inadequate/no computer security plan policy •V47 Inadequate/no emergency action plan •(and 7 more) •Personnel •V56 Inadequate personnel screening •V57 Personnel not adequately trained in job •... •Software •V62 Inadequate/missing audit trail capability •V63 Audit trail log not reviewed weekly •V64 Inadequate control over application/program changes Communications •V87 Inadequate communications system •V88 Lack of encryption •V89 Potential for disruptions •... •Hardware •V92 Lack of hardware inventory •V93 Inadequate monitoring of maintenance personnel •V94 No preventive maintenance program •… •V100 Susceptible to electronic emanations
IMPACT • Assessment of interaction of hazard effects with your vulnerabilities • Scalar based on the two key variables – hazard strength and vulnerability level • Will be hazard specific in aggregate (hurricane impacts), but may be functionally common to a variety of hazards in the specific (power loss)
IMPACT HIGH Strong Hazard High Vulnerability MODERATE Strong Hazard Low Vulnerability MODERATE Weak Hazard High Vulnerability LOW Weak Hazard Low Vulnerability
Factors influencing IMPACT • Two other factors are related to impact –Magnitude – the absolute size and power of the event –Intensity – the measurement of the effects of the event – how it is felt • All else being equal an event with greater magnitude will tend to be a more intense event and generate greater impacts
CONSEQUENCES • Result of the interaction of the Impact of the event with other systems – Political, – Social and cultural, – Economic, etc. • May set the stage for either: – Future events, or – Vulnerability reduction through mitigation and preparedness
CONSEQUENCES • The border between consequence and impact is fuzzy, but – Impacts tend to be directly related to the effects of the event, consequences more second order – Impacts tend to be shorter term (hours to decades), consequences longer term (weeks to centuries) – Although coupled to impacts, consequences are neither automatic nor irreversible – Consequences tend to be more human-centric, impacts more event-centric – we make the consequences, the event makes the impact
PROBABILITY • A mathematical assessment of how likely it is that a specific event will occur • Based on a wide variety of factors – history, global warming, infrastructure and demographic changes, new industries, changes in your activities and processes, etc.
PROBABILITY • Expressed in a variety of ways: – This year we expect 14 named tropical storms, 8 hurricanes, 3 great hurricanes … (an assessment of general level) – There is a 45% chance of … (a numerical assessment) – A 500 year flood … (a statement of cycles) – And then there is likelihood: “I think it is highly likely that …” (a qualitative assessment)
LIKELIHOOD • An inexact, qualitative statement of how one assesses probability • Generally expressed in broad bands that cover a range of probability values – High – “likely” – Low – “unlikely” • Easily understood, but also misleading – likely is interpreted as “yes, it will,” unlikely as “no, it will not”
THE FLOW HAZARD VULNERABILITY THREAT IMPACT PROBABILITY ^ ^ RISK CONSEQUENCE
Here are some important characteristics of the three components: • Threats (effects) generally can NOT be controlled. One can’t stop the efforts of an international terrorist group, prevent a hurricane, or tame a tsunami in advance. Threats need to be identified, but they often remain outside of your control. • Risk CAN be mitigated Risk can be managed to either lower vulnerability or the overall impact on the business. • Vulnerability CAN be treated Weaknesses should be identified and proactive measures taken to correct identified vulnerabilities.
Risks threats and vulnerabilities

Recommended

Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
primeteacher32
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 

Recommended

Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
Asset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & ControlAsset, Vulnerability, Threat, Risk & Control
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
primeteacher32
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
Information security management
Information security managementInformation security management
Information security managementUMaine
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Physical Security Presentation
Physical Security PresentationPhysical Security Presentation
Physical Security PresentationWajahat Rajab
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
Faheem Ul Hasan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
chauhankapil
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
Cloudflare
 
Information security
Information securityInformation security
Information security
LJ PROJECTS
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Need for security
Need for securityNeed for security
Need for security
University of Central Punjab
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
Ramiro Cid
 
Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
timmcguinness
 
Disaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacityDisaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacity
Islamic University of Bangladesh
 

More Related Content

What's hot

Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
Faheem Ul Hasan
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
chauhankapil
 
Information security management system
Information security management systemInformation security management system
Information security management systemArani Srinivasan
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
Cloudflare
 
Information security
Information securityInformation security
Information security
LJ PROJECTS
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
information security management
information security managementinformation security management
information security management
Gurpreetkaur838
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
Need for security
Need for securityNeed for security
Need for security
University of Central Punjab
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
Ramiro Cid
 

What's hot (20)

Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Physical security.ppt
Physical security.pptPhysical security.ppt
Physical security.ppt
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Basics of Information System Security
Basics of Information System SecurityBasics of Information System Security
Basics of Information System Security
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Cyber security fundamentals
Cyber security fundamentalsCyber security fundamentals
Cyber security fundamentals
 
Information security
Information securityInformation security
Information security
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
information security management
information security managementinformation security management
information security management
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Information security
Information securityInformation security
Information security
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Need for security
Need for securityNeed for security
Need for security
 
Cyber Security Awareness
Cyber Security AwarenessCyber Security Awareness
Cyber Security Awareness
 

Viewers also liked

Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
timmcguinness
 
Disaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacityDisaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacity
Islamic University of Bangladesh
 
Natural hazards and disaster management
Natural hazards and disaster managementNatural hazards and disaster management
Natural hazards and disaster management
Eternal University Baru Sahib, HP, India
 
Hazards & Types Of Disasters
Hazards & Types Of DisastersHazards & Types Of Disasters
Hazards & Types Of DisastersAbdullah Sachwani
 
Disaster Mitigation and Management
Disaster Mitigation and ManagementDisaster Mitigation and Management
Disaster Mitigation and ManagementJNTU
 
Disaster management ppt
Disaster management pptDisaster management ppt
Disaster management pptAniket Pingale
 

Viewers also liked (6)

Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Disaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacityDisaster vulnerability, risk and capacity
Disaster vulnerability, risk and capacity
 
Natural hazards and disaster management
Natural hazards and disaster managementNatural hazards and disaster management
Natural hazards and disaster management
 
Hazards & Types Of Disasters
Hazards & Types Of DisastersHazards & Types Of Disasters
Hazards & Types Of Disasters
 
Disaster Mitigation and Management
Disaster Mitigation and ManagementDisaster Mitigation and Management
Disaster Mitigation and Management
 
Disaster management ppt
Disaster management pptDisaster management ppt
Disaster management ppt
 

Similar to Risks threats and vulnerabilities

Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)
neeraj.sihag
 
Introduction to ERA by arup das
Introduction to ERA by arup dasIntroduction to ERA by arup das
Introduction to ERA by arup das
Arup8
 
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docxAppendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
justine1simpson78276
 
Objects At Heights Webinar
Objects At Heights WebinarObjects At Heights Webinar
Objects At Heights Webinar
TENAQUIP
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –
AMIT SAHU
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
AMIT SAHU
 
Post disaster mangement
Post disaster mangementPost disaster mangement
Post disaster mangement
9159781447
 
Hazards Risk and Perils, a complete explanation .
Hazards Risk and Perils, a complete explanation .Hazards Risk and Perils, a complete explanation .
Hazards Risk and Perils, a complete explanation .
Sagar Garg
 
Know4DRR miozzo
Know4DRR miozzoKnow4DRR miozzo
Know4DRR miozzo
know4drr
 
Topic 3 swiss cheese model
Topic 3 swiss cheese modelTopic 3 swiss cheese model
Topic 3 swiss cheese model
Basitali Nevarekar
 
Prediction modeling
Prediction modelingPrediction modeling
Prediction modeling
Ashok Govindarajan
 
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdfREACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
REACT International, Inc.
 
Cascading Disasters
Cascading DisastersCascading Disasters
Cascading Disasters
Prof. David E. Alexander (UCL)
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems
Jaap van Ekris
 
Crowd fencing
Crowd fencingCrowd fencing
Crowd fencing
Kyoung-Sook Kim
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber Terrorism
Sai praveen Seva
 
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Jaap van Ekris
 
Business continuity overview
Business continuity overviewBusiness continuity overview
Business continuity overview
Rod Davis
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
Lumension
 

Similar to Risks threats and vulnerabilities (20)

Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)Cs461 06.risk analysis (1)
Cs461 06.risk analysis (1)
 
Introduction to ERA by arup das
Introduction to ERA by arup dasIntroduction to ERA by arup das
Introduction to ERA by arup das
 
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docxAppendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
Appendix D Hazard Analysis ProcessInstructor GuideAppendix .docx
 
Objects At Heights Webinar
Objects At Heights WebinarObjects At Heights Webinar
Objects At Heights Webinar
 
SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –SAFETY MANAGAMENT PLAN –
SAFETY MANAGAMENT PLAN –
 
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
Ppt for IMPROVEMENT OF SAFETY THROUGH SAFETY MANAGAMENT PLAN – office p...
 
Post disaster mangement
Post disaster mangementPost disaster mangement
Post disaster mangement
 
Hazards Risk and Perils, a complete explanation .
Hazards Risk and Perils, a complete explanation .Hazards Risk and Perils, a complete explanation .
Hazards Risk and Perils, a complete explanation .
 
Know4DRR miozzo
Know4DRR miozzoKnow4DRR miozzo
Know4DRR miozzo
 
Topic 3 swiss cheese model
Topic 3 swiss cheese modelTopic 3 swiss cheese model
Topic 3 swiss cheese model
 
Prediction modeling
Prediction modelingPrediction modeling
Prediction modeling
 
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdfREACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
REACT INTERNATIONAL TRAINING - DISASTER BASICS - R.GOSWAMI - 2019-04-28.pdf
 
Cascading Disasters
Cascading DisastersCascading Disasters
Cascading Disasters
 
Network security
Network securityNetwork security
Network security
 
2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems2016-04-28 - VU Amsterdam - testing safety critical systems
2016-04-28 - VU Amsterdam - testing safety critical systems
 
Crowd fencing
Crowd fencingCrowd fencing
Crowd fencing
 
Cyber Terrorism
Cyber TerrorismCyber Terrorism
Cyber Terrorism
 
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)Testing Safety Critical Systems (10-02-2014, VU amsterdam)
Testing Safety Critical Systems (10-02-2014, VU amsterdam)
 
Business continuity overview
Business continuity overviewBusiness continuity overview
Business continuity overview
 
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
The Evolution of Advanced Persistent Threats_The Current Risks and Mitigation...
 

More from Manish Chaurasia

Top 5 divine pilgrim places to visit in india
Top 5 divine pilgrim places to visit in indiaTop 5 divine pilgrim places to visit in india
Top 5 divine pilgrim places to visit in india
Manish Chaurasia
 
Top 5 exotic aquariums in india
Top 5 exotic aquariums in indiaTop 5 exotic aquariums in india
Top 5 exotic aquariums in india
Manish Chaurasia
 
Top 5 not to miss museums in india
Top 5 not to miss museums in indiaTop 5 not to miss museums in india
Top 5 not to miss museums in india
Manish Chaurasia
 
Top 5 beaches in india
Top 5 beaches in indiaTop 5 beaches in india
Top 5 beaches in india
Manish Chaurasia
 
Top 5 big and famous fairs in india.
Top 5 big and famous fairs in india.Top 5 big and famous fairs in india.
Top 5 big and famous fairs in india.
Manish Chaurasia
 
Top 5 chilly places to visit in india !
Top 5 chilly places to visit in india !Top 5 chilly places to visit in india !
Top 5 chilly places to visit in india !
Manish Chaurasia
 
Top 5 less crowded tourist places in india.
Top 5 less crowded tourist places in india.Top 5 less crowded tourist places in india.
Top 5 less crowded tourist places in india.
Manish Chaurasia
 
Shortcut keys-for-windows-10
Shortcut keys-for-windows-10Shortcut keys-for-windows-10
Shortcut keys-for-windows-10
Manish Chaurasia
 
It strategy lecture
It strategy lectureIt strategy lecture
It strategy lecture
Manish Chaurasia
 
Importance of IT
Importance of ITImportance of IT
Importance of IT
Manish Chaurasia
 
porter Five force analysis
porter Five force analysisporter Five force analysis
porter Five force analysis
Manish Chaurasia
 
4 E of corporate strategy
4 E of corporate strategy 4 E of corporate strategy
4 E of corporate strategy
Manish Chaurasia
 
Campus recruitmen book
Campus recruitmen bookCampus recruitmen book
Campus recruitmen book
Manish Chaurasia
 
General Packet Radio Service
General Packet Radio ServiceGeneral Packet Radio Service
General Packet Radio Service
Manish Chaurasia
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
Manish Chaurasia
 
Synopsis on social networking
Synopsis on social networkingSynopsis on social networking
Synopsis on social networking
Manish Chaurasia
 
Case study olx
Case study olxCase study olx
Case study olx
Manish Chaurasia
 
Cost of-poor-quality - juran institute
Cost of-poor-quality - juran instituteCost of-poor-quality - juran institute
Cost of-poor-quality - juran institute
Manish Chaurasia
 
introduction to quality
introduction to quality introduction to quality
introduction to quality
Manish Chaurasia
 
defect tracking and management
defect tracking and management defect tracking and management
defect tracking and management
Manish Chaurasia
 

More from Manish Chaurasia (20)

Top 5 divine pilgrim places to visit in india
Top 5 divine pilgrim places to visit in indiaTop 5 divine pilgrim places to visit in india
Top 5 divine pilgrim places to visit in india
 
Top 5 exotic aquariums in india
Top 5 exotic aquariums in indiaTop 5 exotic aquariums in india
Top 5 exotic aquariums in india
 
Top 5 not to miss museums in india
Top 5 not to miss museums in indiaTop 5 not to miss museums in india
Top 5 not to miss museums in india
 
Top 5 beaches in india
Top 5 beaches in indiaTop 5 beaches in india
Top 5 beaches in india
 
Top 5 big and famous fairs in india.
Top 5 big and famous fairs in india.Top 5 big and famous fairs in india.
Top 5 big and famous fairs in india.
 
Top 5 chilly places to visit in india !
Top 5 chilly places to visit in india !Top 5 chilly places to visit in india !
Top 5 chilly places to visit in india !
 
Top 5 less crowded tourist places in india.
Top 5 less crowded tourist places in india.Top 5 less crowded tourist places in india.
Top 5 less crowded tourist places in india.
 
Shortcut keys-for-windows-10
Shortcut keys-for-windows-10Shortcut keys-for-windows-10
Shortcut keys-for-windows-10
 
It strategy lecture
It strategy lectureIt strategy lecture
It strategy lecture
 
Importance of IT
Importance of ITImportance of IT
Importance of IT
 
porter Five force analysis
porter Five force analysisporter Five force analysis
porter Five force analysis
 
4 E of corporate strategy
4 E of corporate strategy 4 E of corporate strategy
4 E of corporate strategy
 
Campus recruitmen book
Campus recruitmen bookCampus recruitmen book
Campus recruitmen book
 
General Packet Radio Service
General Packet Radio ServiceGeneral Packet Radio Service
General Packet Radio Service
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
Synopsis on social networking
Synopsis on social networkingSynopsis on social networking
Synopsis on social networking
 
Case study olx
Case study olxCase study olx
Case study olx
 
Cost of-poor-quality - juran institute
Cost of-poor-quality - juran instituteCost of-poor-quality - juran institute
Cost of-poor-quality - juran institute
 
introduction to quality
introduction to quality introduction to quality
introduction to quality
 
defect tracking and management
defect tracking and management defect tracking and management
defect tracking and management
 

Recently uploaded

top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
takuyayamamoto1800
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
WSO2
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
Ortus Solutions, Corp
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Shahin Sheidaei
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar
 

Recently uploaded (20)

top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisProviding Globus Services to Users of JASMIN for Environmental Data Analysis
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
 
Prosigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns: Transforming Business with Tailored Technology Solutions
Prosigns: Transforming Business with Tailored Technology Solutions
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
How to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good PracticesHow to Position Your Globus Data Portal for Success Ten Good Practices
How to Position Your Globus Data Portal for Success Ten Good Practices
 
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamOpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Accelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with PlatformlessAccelerate Enterprise Software Engineering with Platformless
Accelerate Enterprise Software Engineering with Platformless
 
BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024BoxLang: Review our Visionary Licenses of 2024
BoxLang: Review our Visionary Licenses of 2024
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
SOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar Research Team: Latest Activities of IntelBroker
SOCRadar Research Team: Latest Activities of IntelBroker
 

Risks threats and vulnerabilities

  • 1. Risks Threats and Vulnerabilities The Fundamentals of R-T-A
  • 2. Agenda • Analysis vs. Assessment • Risks • Threats • Vulnerability • The Flow of R-T-A
  • 3. Analysis vs. Assessment • An assessment is more of a general comparison of something to a standard, or between two something; which is better, more correct, which is closer to the color teal. • An analysis requires deep scrutiny and calculated measuring and recording of criteria. • An assessment is not exact, an analysis is more precise and less general than an assessment.
  • 4. HAZARDS • Existing condition or possible (under current conditions) situation that has the potential to generate a disaster • Natural hazards – naturally occurring phenomena – weather, topographic, geological, hydrological, etc. • Human systems developed – caused by human activity, infrastructure, transportation, etc. • Conflict based – civil war, terrorism, nuclear war, etc.
  • 5. HAZARDS - Examples • Hurricanes and tornadoes during their seasons • Earthquakes • High hazard, poorly maintained dams • Airlines with abysmal safety records • Power production systems with either dangerous technologies or poorly maintained transmission systems
  • 6. Disasters • The Highest DEGREE of any HAZARD…
  • 7. Risk • The probability that a particular threat will exploit a particular vulnerability • Need to systematically understand risks to a system and decide how to control them. • Risk = Probability x Impact
  • 8. Examples of Risk • Overreliance on security monitoring software • Inadequate system logging • Technology innovations that outpace security • Outdated operating systems • Lack of encryption • Data on user-owned mobile devices • IT “diplomatic immunity” within your organization • Lack of management support • Challenges recruiting and retaining qualified IT staff • Segregation of duties
  • 9. Threat • An expression of intention to inflict evil injury or damage • Attacks against key security services – Confidentiality, integrity, availability • The operationalization of vulnerability, expected impact of a developing hazard, and the probability that impact will work against your vulnerabilities • Threat means something bad is coming your way – high threat means it is highly likely to hit you and it will be very bad
  • 10. Slide #10 Example Threat List •T01 Access (Unauthorized to System - logical) •T02 Access (Unauthorized to Area - physical) •T03 Airborne Particles (Dust) •T04 Air Conditioning Failure •T05 Application Program Change (Unauthorized) •T06 Bomb Threat •T07 Chemical Spill •T08 Civil Disturbance •T09 Communications Failure •T10 Data Alteration (Error) •T11 Data Alteration (Deliberate) •T12 Data Destruction (Error) •T13 Data Destruction (Deliberate) •T14 Data Disclosure (Unauthorized) •T15 Disgruntled Employee •T16 Earthquakes •T17 Errors (All Types) •T18 Electro-Magnetic Interference •T19 Emanations Detection •T20 Explosion (Internal) •T21 Fire, Catastrophic •T22 Fire, Major •T23 Fire, Minor •T24 Floods/Water Damage •T25 Fraud/Embezzlement •T26 Hardware Failure/Malfunction •T27 Hurricanes •T28 Injury/Illness (Personal) •T29 Lightning Storm •T30 Liquid Leaking (Any) •T31 Loss of Data/Software •T32 Marking of Data/Media Improperly •T33 Misuse of Computer/Resource •T34 Nuclear Mishap •T35 Operating System Penetration/Alteration •T36 Operator Error •T37 Power Fluctuation (Brown/Transients) •T38 Power Loss •T39 Programming Error/Bug •T40 Sabotage •T41 Static Electricity •T42 Storms (Snow/Ice/Wind) •T43 System Software Alteration •T44 Terrorist Actions •T45 Theft (Data/Hardware/Software) •T46 Tornado •T47 Tsunami (Pacific area only) •T48 Vandalism •T49 Virus/Worm (Computer) •T50 Volcanic Eruption
  • 11. Slide #11 Characterize Threat-Sources Blackmail Malicious code Input of falsified data System bugs Ego, Revenge, Monetary gain Insider Information warfare System attack System tampering Blackmail, Destruction, Revenge Terrorist Hacking Social engineering System intrusion Unauthorized access Challenge, ego, rebellion Hacker Threat ActionsMotivationThreat-source
  • 12. VULNERABILITIES • If you have a hazard you may or may not be vulnerable to it – Live in the flood plain – vulnerable to floods – Live on high ground – not vulnerable to floods • Vulnerability is an assessment of how well or how poorly protected you are against an event • Vulnerabilities are flaws / weaknesses in any system which can be utilized to generate “Threat”
  • 13. Slide #13 Vulnerabilities • Flaw or weakness in system that can be exploited to violate system integrity. – Security Procedures – Design – Implementation • Threats trigger vulnerabilities – Accidental – Malicious
  • 14. VULNERABILITIES • Vulnerabilities may be reduced by mitigation measures (building construction, land use control, maintenance, etc.) • Or by the level of preparedness you have achieved (well trained and equipped emergency teams, plans, exercises, etc.)
  • 15. Factors influencing VULNERABILITY • Three factors may influence the determination of vulnerability – Criticality – how important is the asset or function that is subject to impact – Exposure – to how much of the force of the event is the resource exposed – Time – does vulnerability fluctuate over time of day, month, season?
  • 16. Examples of Vulnerabilities •Physical •V01 Susceptible to unauthorized building access •V02 Computer Room susceptible to unauthorized access •V03 Media Library susceptible to unauthorized access •V04 Inadequate visitor control procedures •(and 36 more) •Administrative •V41 Lack of management support for security •V42 No separation of duties policy •V43 Inadequate/no computer security plan policy •V47 Inadequate/no emergency action plan •(and 7 more) •Personnel •V56 Inadequate personnel screening •V57 Personnel not adequately trained in job •... •Software •V62 Inadequate/missing audit trail capability •V63 Audit trail log not reviewed weekly •V64 Inadequate control over application/program changes Communications •V87 Inadequate communications system •V88 Lack of encryption •V89 Potential for disruptions •... •Hardware •V92 Lack of hardware inventory •V93 Inadequate monitoring of maintenance personnel •V94 No preventive maintenance program •… •V100 Susceptible to electronic emanations
  • 17. IMPACT • Assessment of interaction of hazard effects with your vulnerabilities • Scalar based on the two key variables – hazard strength and vulnerability level • Will be hazard specific in aggregate (hurricane impacts), but may be functionally common to a variety of hazards in the specific (power loss)
  • 18. IMPACT HIGH Strong Hazard High Vulnerability MODERATE Strong Hazard Low Vulnerability MODERATE Weak Hazard High Vulnerability LOW Weak Hazard Low Vulnerability
  • 19. Factors influencing IMPACT • Two other factors are related to impact –Magnitude – the absolute size and power of the event –Intensity – the measurement of the effects of the event – how it is felt • All else being equal an event with greater magnitude will tend to be a more intense event and generate greater impacts
  • 20. CONSEQUENCES • Result of the interaction of the Impact of the event with other systems – Political, – Social and cultural, – Economic, etc. • May set the stage for either: – Future events, or – Vulnerability reduction through mitigation and preparedness
  • 21. CONSEQUENCES • The border between consequence and impact is fuzzy, but – Impacts tend to be directly related to the effects of the event, consequences more second order – Impacts tend to be shorter term (hours to decades), consequences longer term (weeks to centuries) – Although coupled to impacts, consequences are neither automatic nor irreversible – Consequences tend to be more human-centric, impacts more event-centric – we make the consequences, the event makes the impact
  • 22. PROBABILITY • A mathematical assessment of how likely it is that a specific event will occur • Based on a wide variety of factors – history, global warming, infrastructure and demographic changes, new industries, changes in your activities and processes, etc.
  • 23. PROBABILITY • Expressed in a variety of ways: – This year we expect 14 named tropical storms, 8 hurricanes, 3 great hurricanes … (an assessment of general level) – There is a 45% chance of … (a numerical assessment) – A 500 year flood … (a statement of cycles) – And then there is likelihood: “I think it is highly likely that …” (a qualitative assessment)
  • 24. LIKELIHOOD • An inexact, qualitative statement of how one assesses probability • Generally expressed in broad bands that cover a range of probability values – High – “likely” – Low – “unlikely” • Easily understood, but also misleading – likely is interpreted as “yes, it will,” unlikely as “no, it will not”
  • 26.
  • 27. Here are some important characteristics of the three components: • Threats (effects) generally can NOT be controlled. One can’t stop the efforts of an international terrorist group, prevent a hurricane, or tame a tsunami in advance. Threats need to be identified, but they often remain outside of your control. • Risk CAN be mitigated Risk can be managed to either lower vulnerability or the overall impact on the business. • Vulnerability CAN be treated Weaknesses should be identified and proactive measures taken to correct identified vulnerabilities.