Interactive Powerpoint_How to Master effective communication
Risk Management
1. BÜROTEX GmbH
Vishal Sharma
Information Security
Consultant/Solution Developer
2. RISK
It is the uncertainty of outcome, whether a
positive opportunity or a negative threat.
Some commonly known terms:
Asset: It is something which should be protected
Asset Valuation: It is a value assigned to an asset
based on actual cost and nonmonetary expenses
3. Threats: Any occurrence that could cause an undesirable
or unwanted outcome for an organization for a specific threat
Vulnerability: The absence or weakness of a safeguard
or countermeasure
Exposure: It is being susceptible to asset loss because of
a threat
4. Safeguard: A safeguard, or a countermeasure, is
anything that removes a vulnerability
Attack: An exploitation of a vulnerability by a threat
agent
Breach: The occurrence of a security mechanism being
bypassed
5. Threats
(Relationship diagram between the elements of risk, reconstructed from the slide's labels)
• Threats exploit Vulnerabilities
• Vulnerabilities result in Exposure
• Exposure is Risk
• Risk is mitigated by a Safeguard
• A Safeguard protects Assets
• Assets are endangered by Threats
6. Factors for Asset Valuation:
Purchase Cost
Development Cost
Administrative Cost
Maintaining or Upkeep Cost
Cost in Acquiring asset
Cost to protect or sustain asset
Value to Owners and users
7. Value to Competitors
Intellectual property or equity Value
Market valuation
Replacement Cost
Productivity enhancement or degradation
Operational cost of asset presence and Loss
Liability of asset loss
Usefulness
8. The next logical step is to identify threats:
Viruses
Cascade errors and Dependency Faults
Criminal activities by authorized users
Movements
Intentional Attacks
Reorganization
9. Authorized user illness
Hackers
User errors
Natural Disasters
Physical Damage
Misuse of data, resource, or services
Changes or compromises to data
classification or security policies
Government, political, or military intrusions
or restrictions
10. Processing errors, buffer overflows
Personal privilege abuse
Temperature extremes
Energy anomalies
Loss of data
Information Warfare
Bankruptcy or alteration/interruption of
business activity
12. Risk Analysis
Quantitative: It results in concrete probability
percentages
Qualitative: This is more scenario based; it requires:
Brainstorming
Delphi Technique
13. Story boarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one Meetings
Interviews
14. Quantitative Analysis, major steps involved:
Countermeasures for each threat
Calculate the changes to ARO and ALE based on the
applied countermeasure
Perform a cost-benefit analysis of each countermeasure
for each asset
15. AV: Inventory assets and assign a value
EF: Calculate exposure factors for the possible threats
to each individual asset
SLE: Single Loss Expectancy
ARO: Annualized Rate of Occurrence
ALE: Annualized Loss Expectancy
16. Cost Functions
Exposure factor: percentage loss if a specific asset were
violated by a realized risk
SLE: AV * EF
ARO: It can be derived from historical records,
statistical analysis or guesswork. Basically it's a
probability determination
ALE: SLE * ARO
17. ACS: Annual cost of safeguard, in € per year, which
involves the following factors:
Cost of purchase, development and licensing
Cost of implementation and customization
Cost of annual operation, maintenance, administration and
so on
Cost of annual repairs and upgrades
18. Productivity improvement or loss
Changes to environment
Cost of testing and evaluation
Value or benefit of a safeguard = (ALE1 - ALE2) - ACS
19. Note:
Value of safeguard to the Company =
(ALE before safeguard -
ALE after implementing safeguard) -
(Annual cost of safeguard)
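The cost functions on slides 14 to 19 (SLE = AV * EF, ALE = SLE * ARO, safeguard value = (ALE1 - ALE2) - ACS) can be carried through end to end: recompute ALE once a countermeasure is applied and rank the countermeasures by cost-benefit. The Python below is an added example, not code from the slides or from BÜROTEX GmbH; the file-server asset, the three safeguards and every figure in it are constructed for illustration, and the ARO-from-history helper is an assumption about how "historical records" would be turned into a rate.

```python
# Added example (not from the slides): quantitative risk analysis with the
# formulas SLE = AV * EF, ALE = SLE * ARO and value = (ALE1 - ALE2) - ACS,
# applied to one constructed asset and three hypothetical safeguards.
from dataclasses import dataclass


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: money lost in one realized incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def aro_from_history(incidents: int, years: float) -> float:
    """ARO estimated from records: incidents observed / years observed (assumed method)."""
    if years <= 0:
        raise ValueError("observation period must be positive")
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected loss per year."""
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, acs: float) -> float:
    """Value of a safeguard = (ALE before - ALE after) - ACS, as on slides 18 and 19."""
    return (ale_before - ale_after) - acs


@dataclass
class Safeguard:
    name: str
    acs: float      # annual cost of safeguard, euros per year
    new_ef: float   # exposure factor once the safeguard is in place
    new_aro: float  # annualized rate of occurrence once it is in place


@dataclass
class Evaluation:
    name: str
    ale_before: float
    ale_after: float
    value: float
    worthwhile: bool  # positive value: the safeguard pays for itself


def evaluate_safeguards(av, ef, aro, safeguards):
    """Recompute ALE under each safeguard and rank them by value, best first."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(av, ef), aro)
    evaluations = []
    for sg in safeguards:
        ale_after = annualized_loss_expectancy(
            single_loss_expectancy(av, sg.new_ef), sg.new_aro)
        value = safeguard_value(ale_before, ale_after, sg.acs)
        evaluations.append(Evaluation(sg.name, ale_before, ale_after, value, value > 0))
    evaluations.sort(key=lambda e: e.value, reverse=True)
    return evaluations


# Constructed sample input: a file server valued at 200,000 EUR, a ransomware
# scenario that destroys 25% of that value, observed 3 times in 6 years.
SAMPLE_AV = 200_000.0
SAMPLE_EF = 0.25
SAMPLE_ARO = aro_from_history(incidents=3, years=6)   # 0.5 per year
SAMPLE_SAFEGUARDS = [
    Safeguard("Offline backups", acs=6_000, new_ef=0.05, new_aro=0.5),
    Safeguard("EDR deployment", acs=12_000, new_ef=0.25, new_aro=0.1),
    Safeguard("Fully redundant appliance", acs=30_000, new_ef=0.0, new_aro=0.0),
]

if __name__ == "__main__":
    for e in evaluate_safeguards(SAMPLE_AV, SAMPLE_EF, SAMPLE_ARO, SAMPLE_SAFEGUARDS):
        print(f"{e.name:26s} ALE {e.ale_before:>9,.0f} -> {e.ale_after:>8,.0f}"
              f"  value {e.value:>9,.0f}  {'adopt' if e.worthwhile else 'reject'}")
```

With these constructed numbers the asset's ALE is 25,000 EUR per year; offline backups cut the loss per incident and come out best, EDR cuts the frequency instead and still pays for itself, while the appliance that removes the risk entirely costs more per year than the loss it prevents and gets a negative value. That last case is the point of the formula on slide 19: a safeguard is only worth adopting when the ALE it removes exceeds its own annual cost.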