ramirocid.com ramiro@ramirocid.com Twitter: @ramirocid
Ramiro Cid | @ramirocid
Thinking on risk analysis
Index
1. Introduction Page 3
2. Perceived and relevant universe Page 4
3. Reasons for the lack of visibility Page 5
4. So what is the correct order? Page 6
5. So what steps do I have to follow in my risk analysis? Page 7
Introduction
Some of you may have done a risk analysis in the past, and others may do risk analysis on a regular basis.
Some people use OCTAVE, CRAMM, NIST or other risk analysis methodologies, but…
Have you ever thought about whether there is a GAP in the way you do your analysis?
Have you ever considered that you may have a lack of visibility in the way you do your analysis?
This presentation focuses on the last question.
Perceived and relevant universe
An observer (for example, the person doing a risk analysis) has a BIG lack of visibility of the reality being analysed. In general terms we have something like this:
The ONLY data present in the risk analysis is the data the observer considers "RELEVANT" (the green area in the graph).
Reasons for the lack of visibility
The lack of visibility of the observer doing the analysis has multiple reasons; some of the usual causes are:
a. Lack of knowledge of the environment under analysis.
b. Lack of time to do a complete risk analysis in the correct way.
c. Lack of knowledge of best practices in IT security.
d. Too much focus on some aspects/domains of the environment while forgetting others.
So what is the correct order?
Should we first review the vulnerabilities and then analyse the related threats? Or would it be better to create different scenarios and then analyse the possible threats and our vulnerabilities in relation to them?
So as not to limit our analysis, the best option is to do both.
As we saw in the previous slides, the observer's analysis is very limited, so we need to open up our risk analysis as much as possible to get a better result.
VERY important: do not limit our analysis!
So what steps do I have to follow in my risk analysis?
1. Make the list of assets to analyse in our scope
2. Complete the list of threats in relation to each asset
3. Complete the list of vulnerabilities for each threat
4. Calculate the risk
5. Complete the list of controls to mitigate the risk
6. Estimate the residual risk or "risk-after-controls" (the risk remaining after the controls are applied)
7. Create different scenarios that could impact our assets
8. Review the vulnerabilities we have in relation to them
9. Estimate the possible impact
The complete analysis: both ways!
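The nine steps above carried through end to end, as an added example (not code from the presentation or its author): an asset-first pass for steps 1 to 6 and a scenario pass for steps 7 to 9 over a small constructed inventory. The 1 to 5 likelihood and impact scale, risk = impact x likelihood, and treating each control as removing a fraction of the remaining risk are assumptions of this example, not of OCTAVE, CRAMM or NIST. The scenario pass also reports any vulnerability a scenario relies on that the asset-first list never recorded, which is the visibility gap the earlier slides warn about.

```python
"""Two-way risk analysis: asset-first (steps 1-6) and scenario-first (steps 7-9).

Added example, not code from the presentation. Scoring assumptions:
likelihood and impact on a 1..5 scale, risk = impact x likelihood, and each
control removes a fixed fraction of the remaining risk.
"""
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain) that this weakness is exercised


@dataclass
class Threat:
    name: str
    impact: int  # 1 (negligible) .. 5 (critical)
    vulnerabilities: list  # step 3: weaknesses that let this threat materialise
    controls: dict = field(default_factory=dict)  # step 5: control -> fraction of risk removed


@dataclass
class Asset:
    name: str
    threats: list  # step 2


# Step 1: constructed inventory for the example.
ASSETS = [
    Asset("File server", [
        Threat("Ransomware", 5,
               [Vulnerability("No offline backup", 3), Vulnerability("Unpatched SMB", 4)],
               {"Offline backups": 0.5, "Patch management": 0.5}),
        Threat("Hardware failure", 3, [Vulnerability("Single disk", 2)]),
    ]),
    Asset("ERP database", [
        Threat("SQL injection", 5, [Vulnerability("Unvalidated input", 3)],
               {"Parameterized queries": 0.8}),
    ]),
]

# Step 7: constructed scenarios, written independently of the asset list on purpose.
SCENARIOS = [
    {"name": "Ransomware via phishing mail", "assets": ["File server"],
     "vulnerabilities": ["No offline backup", "Users not trained"]},
    {"name": "Power outage in the server room", "assets": ["File server", "ERP database"],
     "vulnerabilities": ["No UPS"]},
]


def inherent_risk(threat):
    """Step 4: impact times the highest likelihood among the threat's vulnerabilities."""
    if not threat.vulnerabilities:
        return 0
    return threat.impact * max(v.likelihood for v in threat.vulnerabilities)


def residual_risk(threat):
    """Step 6: risk-after-controls; each control removes its fraction of what is left."""
    risk = inherent_risk(threat)
    for effectiveness in threat.controls.values():
        risk *= 1 - effectiveness
    return round(risk, 2)


def asset_first_analysis(assets):
    """Steps 1-6: one row per (asset, threat) with inherent and residual risk."""
    return [(a.name, t.name, inherent_risk(t), residual_risk(t))
            for a in assets for t in a.threats]


def scenario_analysis(scenarios, assets):
    """Steps 7-9: estimate each scenario's impact from the threats it maps onto and
    list the vulnerabilities it relies on that the asset-first pass never recorded."""
    by_name = {a.name: a for a in assets}
    results = []
    for sc in scenarios:
        impact, gaps = None, []
        for asset_name in sc["assets"]:
            known = {v.name: t for t in by_name[asset_name].threats for v in t.vulnerabilities}
            for vuln in sc["vulnerabilities"]:
                if vuln in known:
                    impact = max(impact or 0, known[vuln].impact)
                else:
                    gaps.append((asset_name, vuln))  # step 8: a visibility gap
        results.append({"scenario": sc["name"], "impact": impact, "gaps": gaps})
    return results


if __name__ == "__main__":
    for asset, threat, inherent, residual in asset_first_analysis(ASSETS):
        print(f"{asset:14} {threat:18} inherent={inherent:5} residual={residual}")
    for r in scenario_analysis(SCENARIOS, ASSETS):
        print(f"{r['scenario']}: impact={r['impact']} gaps={r['gaps']}")
```

The second scenario is the interesting one: the asset-first pass scored every threat it knew about, yet "No UPS" appears on no threat for either asset, so the scenario pass returns no impact estimate and two gaps. Those gaps are the items to feed back into steps 2 and 3, which is why the presentation insists on running the analysis both ways.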
Questions?
Many thanks!
Ramiro Cid
CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL
ramiro@ramirocid.com
@ramirocid
http://www.linkedin.com/in/ramirocid
http://ramirocid.com http://es.slideshare.net/ramirocid
http://www.youtube.com/user/cidramiro

みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 

Thinking on risk analysis

  • 6. So what is the correct order? Should we first review the vulnerabilities and then analyze the related threats? Or is it better to create different scenarios first and then analyze the possible threats and our vulnerabilities in relation to them? So as not to limit our analysis, the best option is to do both. As the previous slides showed, the observer's view is very limited, so we need to open up our risk analysis as much as possible to get a better result. VERY important: do not limit our analysis!
  • 7. So what steps do I have to follow in my risk analysis?
  1. List the assets to analyze within our scope.
  2. Complete the list of threats for each asset.
  3. Complete the list of vulnerabilities for each threat.
  4. Calculate the risk.
  5. Complete the list of controls to mitigate the risk.
  6. Estimate the residual risk, or "risk after controls" (the risk that remains once the controls are applied).
  7. Create different scenarios that could impact our assets.
  8. Review the vulnerabilities we have in relation to them.
  9. Estimate the possible impact.
  The complete analysis: in both ways!
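The nine steps as a runnable risk register, added here as an illustration and not part of the original slides. The 1-5 likelihood and impact scales, the risk = likelihood x impact formula and the way controls subtract likelihood points are assumptions (the slides give no formula), and every asset, threat, vulnerability, control and scenario below is constructed sample data. Running the asset-first pass (steps 1-6) and then the scenario-first pass (steps 7-9) over the same register shows why both directions are needed: the scenario relies on a weakness the asset-first list never captured, which is exactly the observer's visibility gap.

```python
"""Added worked example: a small risk register that runs the nine steps in both
directions, asset-first (steps 1-6) and scenario-first (steps 7-9).
Not from the original slides. Assumptions: a 1-5 likelihood x 1-5 impact
scale, risk = likelihood x impact, and controls that subtract likelihood
points. All assets, threats, vulnerabilities and scenarios are constructed."""

from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    name: str
    likelihood: int                                # 1 (rare) .. 5 (almost certain)
    controls: list = field(default_factory=list)   # (control name, likelihood points removed)


@dataclass
class Threat:
    name: str
    impact: int                                    # 1 (negligible) .. 5 (severe)
    vulnerabilities: list


@dataclass
class Asset:
    name: str
    threats: list


@dataclass
class Scenario:
    name: str
    impact: int           # estimated impact of the whole scenario, 1..5
    steps: list           # (asset name, vulnerability name) pairs the scenario relies on


def clamp(score):
    return max(1, min(5, score))


def risk(likelihood, impact):
    # Assumed formula: risk = likelihood x impact on a 1..25 scale.
    return clamp(likelihood) * clamp(impact)


def asset_first(assets):
    """Steps 1-6: asset -> threat -> vulnerability -> risk -> controls -> residual."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            for vuln in threat.vulnerabilities:
                inherent = risk(vuln.likelihood, threat.impact)
                reduction = sum(points for _, points in vuln.controls)
                residual = risk(vuln.likelihood - reduction, threat.impact)
                rows.append({"asset": asset.name, "threat": threat.name,
                             "vulnerability": vuln.name,
                             "risk": inherent, "residual": residual})
    return rows


def scenario_first(scenarios, register):
    """Steps 7-9: scenario -> vulnerabilities it relies on -> impact.
    A step the asset-first register does not contain is a visibility gap:
    the observer never listed that weakness, so it carries no risk score."""
    known = {(row["asset"], row["vulnerability"]) for row in register}
    results = []
    for sc in scenarios:
        covered = [step for step in sc.steps if step in known]
        missing = [step for step in sc.steps if step not in known]
        results.append({"scenario": sc.name, "impact": sc.impact,
                        "covered": covered, "missing": missing})
    return results


# Constructed sample data (not from the slides).
SAMPLE_ASSETS = [
    Asset("Customer database", [
        Threat("SQL injection by external attacker", 5, [
            Vulnerability("Unparameterised queries in web app", 4,
                          [("Parameterised queries", 2), ("WAF", 1)])]),
        Threat("Disk failure", 3, [
            Vulnerability("Single disk, no RAID", 3, [("Nightly backups", 1)])]),
    ]),
    Asset("Admin VPN", [
        Threat("Credential phishing", 4, [
            Vulnerability("Password-only authentication", 4, [("MFA", 3)])]),
    ]),
]

SAMPLE_SCENARIOS = [
    Scenario("Ransomware via phished admin", 5, [
        ("Admin VPN", "Password-only authentication"),
        ("Customer database", "Backups reachable from production network"),
    ]),
]


if __name__ == "__main__":
    register = asset_first(SAMPLE_ASSETS)
    for row in register:
        print(f"{row['asset']:18} {row['vulnerability']:38} "
              f"risk={row['risk']:2} residual={row['residual']:2}")
    for res in scenario_first(SAMPLE_SCENARIOS, register):
        print(f"Scenario '{res['scenario']}' impact={res['impact']}")
        for step in res["missing"]:
            print("  NOT in asset-first register (visibility gap):", step)
```

Running the script prints the register with inherent and residual risk for each asset, threat and vulnerability, then flags every scenario step that has no entry in the register. Those flagged pairs are the candidates to feed back into steps 2 and 3 before recalculating, which is how the scenario pass widens the "relevant" area the observer started with.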
  • 8. Questions? Many thanks! Ramiro Cid CISM, CGEIT, ISO 27001 LA, ISO 22301 LA, ITIL ramiro@ramirocid.com @ramirocid http://www.linkedin.com/in/ramirocid http://ramirocid.com http://es.slideshare.net/ramirocid http://www.youtube.com/user/cidramiro