Risk Management: Computer Security Lectures 2014/15 S1

This video is part of the computer/information/cyber security and ethical hacking lecture series by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at . The slides themselves are Creative Commons licensed (CC BY-SA), and images used are licensed as individually attributed.

Topics covered in this lecture include:

Security Risk Management
- Risk can be defined as “the possibility of loss or injury”
- Security investments aim to mitigate risk, and are a trade-off: they also involve risk, and cost money
- People are often not naturally good at judging risk; cognitive biases affect risk judgement
- Security theatre: may make us feel secure, but not actually provide cost-effective security
- Therefore, it helps to be aware of these biases and, where possible, use hard figures for decision making
- Recommended viewing: Bruce Schneier – Reconceptualising Security

Risk Management
- Risk management is the art and science of identifying, analysing, and responding to risk
- Organisations need to manage lots of types of risk (organisational risk)
- Managing risk is not an exact science; it involves judgements, strategic planning, and operation
- Risk management success

Risk Management Standards
- ISO/IEC 27005:2011 “Information technology -- Security techniques -- Information security risk management”
- NIST SP 800-39, “Managing Information Security Risk”

Risk management steps
- Frame: strategic planning
- Assess: assess possible risks to the organisation
- Respond: plan response to risks
- Monitor: monitor risk management (continual)
- Case study

Strategic planning
- Risk tolerance
- Priorities and trade-offs
- Governance: how risk is managed and organised
- Enterprise architecture; information security architecture
- Information security requirements gathering

Risk assessment
- Document risks
- Identify threats and vulnerabilities (technical and non-technical)
- Identify the impact of threats exploiting vulnerabilities
- Determine the likelihood of harm
- Risk magnitude = Impact * Likelihood
- Risk identification techniques: brainstorming, interviewing, source analysis, problem analysis, common-risk checking, objectives-based and taxonomy-based risk identification, risk breakdown structure, attack trees

Risk assessment: likelihood
- Quantitatively: hard numbers; accuracy can improve management of risk; statistical analysis to determine probabilities
- Qualitatively: subjective judgement
- Probability/impact matrix: can be used qualitatively (using personal or expert judgement)

Risk assessment: magnitude
- Risk magnitude = likeliness * impact
- Likeliness or impact may be on a scale (for example, 1 to 10) or based on quantitative data (more advanced statistics using the available data)
- Annual Loss Expectancy (ALE), AKA Estimated Annual Cost (EAC): ALE = Impact (£/$ loss per event) * likeliness
- Costs can include direct and indirect costs
- Risk examples

Plan response to risk
- Choose appropriate courses of action, and implement the risk response
- Risk can be: accepted, avoided, mitigated, shared, or transferred...
- Evaluating the alternatives: total cost of ownership (TCO); it may only make sense to mitigate the risk if the TCO of doing so is less than the ALE
- Decision trees can help when evaluating alternatives: estimated monetary value (EMV) can show how much money the organisation loses (or perhaps gains) in each case, and decision trees show the likelihood of outcomes of alternative approaches
- Finally, decide what should be done about each risk

Plan how risk is monitored
- Verify that measures are implemented, and that any legal requirements and standards are met
- Measure the effectiveness of risk management
- Security assessments (measuring security)
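The risk arithmetic summarised above (risk magnitude, ALE, the TCO-versus-ALE test for a control, and EMV over a decision tree comparing accept, mitigate and transfer) carried through in Python as an added example. This is not code from the lecture or from Z. Cliffe Schreuders; every monetary figure, probability, scenario name and option name in it is constructed for illustration.

```python
"""Worked example of the lecture's risk arithmetic: risk magnitude, ALE,
the TCO-versus-ALE mitigation test, and EMV over a small decision tree.
All monetary values, probabilities and scenario names below are constructed
for illustration; they are not figures from the lecture."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


def risk_magnitude(impact: int, likelihood: int) -> int:
    """Qualitative risk score for a probability/impact matrix (e.g. 1-10 scales)."""
    return impact * likelihood


def annual_loss_expectancy(loss_per_event: float, events_per_year: float) -> float:
    """ALE = impact (loss per event) * likelihood (expected events per year)."""
    return loss_per_event * events_per_year


def mitigation_worthwhile(ale_before: float, ale_after: float, tco_per_year: float) -> bool:
    """A control only makes financial sense when the ALE it removes exceeds its annual TCO."""
    return (ale_before - ale_after) > tco_per_year


@dataclass
class Chance:
    """Chance node: (label, probability, outcome) branches; probabilities must sum to 1.
    Outcome values are money in the organisation's currency, negative for losses."""
    branches: List[Tuple[str, float, "Node"]]


@dataclass
class Decision:
    """Decision node: the organisation picks the option with the highest EMV."""
    options: Dict[str, "Node"]


Node = Union[float, Chance, Decision]


def emv(node: Node) -> float:
    """Expected monetary value of a node, evaluated recursively (leaf -> value,
    chance -> probability-weighted sum, decision -> best option)."""
    if isinstance(node, (int, float)):
        return float(node)
    if isinstance(node, Chance):
        total = sum(p for _, p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"branch probabilities sum to {total}, not 1")
        return sum(p * emv(outcome) for _, p, outcome in node.branches)
    return max(emv(option) for option in node.options.values())


def best_option(decision: Decision) -> str:
    """Name of the option with the highest (least negative) EMV."""
    return max(decision.options, key=lambda name: emv(decision.options[name]))


# --- Constructed scenario: loss of a customer database (all figures invented) ---
LOSS_PER_EVENT = 200_000.0   # constructed: cleanup, notification, lost business
ANNUAL_LIKELIHOOD = 0.25     # constructed: one breach expected every four years
CONTROL_TCO = 20_000.0       # constructed: yearly cost of monitoring + hardening
MITIGATED_LIKELIHOOD = 0.05  # constructed: residual likelihood with the control
PREMIUM = 15_000.0           # constructed: cyber-insurance premium per year
COVERAGE = 0.8               # constructed: insurer pays 80% of the loss

ALE_BEFORE = annual_loss_expectancy(LOSS_PER_EVENT, ANNUAL_LIKELIHOOD)    # 50,000
ALE_AFTER = annual_loss_expectancy(LOSS_PER_EVENT, MITIGATED_LIKELIHOOD)  # 10,000

# Each option is a chance node whose leaves already include that option's own cost.
BREACH_DECISION = Decision({
    "accept": Chance([
        ("breach", ANNUAL_LIKELIHOOD, -LOSS_PER_EVENT),
        ("no breach", 1 - ANNUAL_LIKELIHOOD, 0.0),
    ]),
    "mitigate": Chance([
        ("breach", MITIGATED_LIKELIHOOD, -CONTROL_TCO - LOSS_PER_EVENT),
        ("no breach", 1 - MITIGATED_LIKELIHOOD, -CONTROL_TCO),
    ]),
    "transfer": Chance([
        ("breach", ANNUAL_LIKELIHOOD, -PREMIUM - (1 - COVERAGE) * LOSS_PER_EVENT),
        ("no breach", 1 - ANNUAL_LIKELIHOOD, -PREMIUM),
    ]),
})

if __name__ == "__main__":
    print(f"ALE before control: {ALE_BEFORE:,.0f}, after: {ALE_AFTER:,.0f}")
    print("mitigation pays for itself:",
          mitigation_worthwhile(ALE_BEFORE, ALE_AFTER, CONTROL_TCO))
    for name, node in BREACH_DECISION.options.items():
        print(f"EMV({name}) = {emv(node):,.0f}")
    print("best option:", best_option(BREACH_DECISION))
```

With these constructed figures the control removes 40,000 of ALE for a 20,000 TCO, so it passes the TCO-versus-ALE test, yet the decision tree ranks transferring the risk (EMV -25,000) above mitigating it (-30,000) and accepting it (-50,000). That is the point of evaluating all the alternatives rather than only asking whether a single control pays for itself.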
