Risk
- 1. Risk
John Wilson
Copyright © 2004 T. John Wilson & Associates P/L
- 2. What is Risk?
Risk is a function of the likelihood of a given threat-source’s
exercising a particular potential vulnerability, and the
resulting impact of that adverse event on the organisation.
Risk = Level of danger from an adverse event x Chances of that event occurring
- 3. Different Aspects of Risk
Risk is approached through three related activities: Risk Analysis, Risk Assessment and Risk Management.
- 4. Risk Analysis
Supported by AS/NZS 4360:1995 Risk Management
Approaches to Risk Analysis can be broken down
into two main categories:
Quantitative Risk Analysis
Qualitative Risk Analysis
- 5. Quantitative Risk Analysis
Two elements: the probability of an event occurring and the likely loss.
Quantitative Risk Analysis makes use of a single figure produced from these
elements, called the Annual Loss Expectancy (ALE) or Estimated Annual Cost (EAC).
For an event this is calculated by multiplying the potential loss by the
probability, with the probability expressed per year so that the result is an
annual figure.
It is therefore possible to rank events in order of risk (ALE) and make
decisions based upon this.
Problems with this approach tend to relate to the unreliability and inaccuracy
of the data: the probabilities and loss figures are usually estimates rather
than measured values.
- 6. Qualitative Risk Analysis
By far the most widely used approach to risk analysis
Probability data is not required & only estimated
potential loss is used
Most qualitative methodologies use a number of
interrelated elements:
Threats – things that can go wrong
Vulnerabilities – things that make an attack more likely to have
some success or impact
Controls – countermeasures for vulnerabilities – 4 types:
Deterrent Controls – reduce the likelihood of a deliberate attack
Preventative Controls – protect vulnerabilities & reduce impact
Corrective Controls – reduce the effect of an attack
Detective Controls – discover attacks & trigger corrective controls
- 7. Controls – Relational Model
(Figure: relational model of threats, attacks, vulnerabilities, impact and the four control types. Relations recoverable from the diagram:)
Threat creates Attack
Deterrent Control reduces likelihood of Attack
Attack results in Impact
Preventative Control protects Vulnerability and reduces Impact
Detective Control discovers Attack and triggers Corrective Control
Corrective Control decreases Impact
- 8. Qualitative Methods (Relative)
Colloquial Expressions
High/Medium/Low
Major/Minor/None
Scenario Risk Analysis
- 9. Colloquial Expressions
Listening to what people say, and then expressing complex relationships in those terms.
It is not necessary to calculate figures: the argument in the colloquial expression is enough.
Colloquial Expressions are easily understood
Examples: High/Medium/Low; Major/Minor/None
- 10. High/Medium/Low
(Figure: a grid of Consequence (Serious Illness, Death, Injury) against Likelihood (HIGH, MEDIUM, LOW).)
Results:
Risk of Serious Illness is High
Risk of Death is Medium
Risk of Injury is Low
- 11. High/Medium/Low
Importance \ Risk   HIGH   MEDIUM   LOW
Urgent                1       2      3
Pressing              4       5      6
Not Urgent            7       8      9

1 = High Risk, Urgent
2 = Medium Risk, Urgent
3 = Low Risk, Urgent
4 = High Risk, Pressing
5 = Medium Risk, Pressing
6 = Low Risk, Pressing
7 = High Risk, Not Urgent
8 = Medium Risk, Not Urgent
9 = Low Risk, Not Urgent
- 12. Scenario Risk Analysis
Incident                  Likelihood (H/M/L)   Loss (H/M/L)   Loss ($)   Risk Rank
Description of scenario   H                    H              20,000     7

Useful when exploring "what if" scenarios.
Can be useful to get a more complete understanding of the actual risks that we face.
- 13. Risk Assessment
To optimise risk control (treatment) procedures & contingency
decisions, management needs to have structured analytical
information on:
Relevant critical business activities (and associated ICT systems)
Critical timeframes for each activity
Tangible & intangible consequences should these activities be
unavailable
Minimum resources required to support each activity.
The consequences quantified over time, should business
activities be unavailable, provide the priorities for Recovery or
Continuity of these activities.
- 14. Information Gathering Techniques
Questionnaires: The most reliable method of
gathering information on Risk
On-site Interviews: Allow observation of the
physical environment & operational security
Document Review: Policy documents; security-
related documentation; auditors reports etc.
- 15. Questionnaires
Should define the scope of the risk assessment
Should be tailored to suit the organisation’s core
business
Should include questions on historical experiences
Should be completed by key personnel, with key
responsibilities
- 16. Risk Assessment Reports
The following Risk Assessment Reports should be
created (in this order):
Assessment Boundary Definition
List of Identified Systems at risk
List of Identified Threats and Vulnerabilities
List of Current and Planned Controls
Likelihood Determination Report
Impact Rating Report
Risks & Associated Risk Levels
Recommended Controls
Risk Assessment Report (Results Documentation)
- 17. Business Impact Analysis
(A step-by-step approach)
1. Document gross revenue & net profit for the year – this sets the
upper boundary for business losses.
2. Define your business critical systems – track in a spreadsheet –
revenue data can be included if desired.
3. Classify each system as critical, important or non-critical –
interview operators about the impact of short, medium and long outages.
4. Document system cross-dependencies.
5. Estimate financial impacts associated with each system.
6. Estimate the cost to identify, remediate, recover & resume
operations for each system – include labour, HW/SW costs.
7. Identify the Maximum Acceptable Outage (MAO) for each system.
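Steps 4 and 7 above interact: a system's own Maximum Acceptable Outage is only a starting point, because anything a critical system depends on cannot be down longer than that critical system can tolerate. The following is an added example (not from the original slides) that propagates MAO across the documented cross-dependencies, flags systems whose operators' stated MAO is looser than what depends on them, and orders recovery by the tightened MAO, which is what the "consequences quantified over time" on the Risk Assessment slide feed into. The systems, classifications, MAO values and dependencies are constructed for illustration.

```python
"""Business Impact Analysis helper: propagate Maximum Acceptable Outage
(MAO) across system cross-dependencies and derive a recovery order.
Added example; the systems, MAO values and dependencies are constructed."""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    classification: str  # "critical" | "important" | "non-critical" (step 3)
    mao_hours: float     # MAO as stated by the operators (step 7)
    depends_on: list = field(default_factory=list)  # cross-dependencies (step 4)


class DependencyCycle(ValueError):
    """Raised when the dependency graph loops back on itself."""


def effective_mao(systems):
    """Return {name: (effective MAO in hours, system driving that MAO)}.

    A system that others depend on cannot be out longer than the tightest
    MAO of anything above it, so the effective MAO is the minimum over the
    system itself and everything that transitively depends on it.
    """
    by_name = {s.name: s for s in systems}
    dependents = {s.name: [] for s in systems}   # reverse edges
    for s in systems:
        for dep in s.depends_on:
            if dep not in by_name:
                raise KeyError(f"{s.name} depends on unknown system {dep!r}")
            dependents[dep].append(s.name)

    memo, visiting = {}, set()

    def walk(name):
        if name in memo:
            return memo[name]
        if name in visiting:
            raise DependencyCycle(f"dependency cycle through {name}")
        visiting.add(name)
        best = (by_name[name].mao_hours, name)
        for d in dependents[name]:
            hours, driver = walk(d)
            if hours < best[0]:
                best = (hours, driver)
        visiting.discard(name)
        memo[name] = best
        return best

    return {s.name: walk(s.name) for s in systems}


def recovery_order(systems):
    """Systems ordered for recovery: shortest effective MAO first, ties by name."""
    eff = effective_mao(systems)
    return sorted(eff, key=lambda n: (eff[n][0], n))


def hidden_criticality(systems):
    """Systems whose effective MAO is tighter than their operators stated:
    a 'non-critical' box that is actually holding up a critical process."""
    eff = effective_mao(systems)
    by_name = {s.name: s for s in systems}
    return {n: eff[n] for n in eff if eff[n][0] < by_name[n].mao_hours}


# Constructed sample: a hypothetical ERP that needs the directory and a
# database, which in turn sits on shared storage.
SYSTEMS = [
    System("ERP", "critical", 4, ["AD", "DB"]),
    System("DB", "important", 24, ["SAN"]),
    System("AD", "important", 48),
    System("SAN", "non-critical", 72),
    System("Intranet", "non-critical", 168, ["AD"]),
]

if __name__ == "__main__":
    for name, (hours, driver) in effective_mao(SYSTEMS).items():
        print(f"{name:9} effective MAO {hours:>5}h (driven by {driver})")
    print("hidden criticality:", sorted(hidden_criticality(SYSTEMS)))
    print("recovery order:", recovery_order(SYSTEMS))
```

In the sample the SAN is rated non-critical with a 72-hour MAO, but because the critical ERP sits on it through the database, its effective MAO collapses to the ERP's 4 hours; the cycle check matters because dependency spreadsheets gathered from several operators routinely contain loops that would otherwise recurse forever.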
- 18. Risk Mitigation
(Using the Risk Assessment Report as input)
Step 1: Prioritize Actions from High to Low
Step 2: Evaluate Recommended Control Options –
Feasibility/Effectiveness
Step 3: Conduct Cost-Benefit Analysis –
Implementing/Not Implementing
Step 4: Select Controls
Step 5: Assign Responsibility – List of responsible
persons
Step 6: Develop Safeguard Implementation Plan – List of
Mitigation Controls with Implementation Timeline
Step 7: Implement Selected Controls
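Step 3 is where the quantitative figures from the Quantitative Risk Analysis slide earn their keep: an event's ALE before and after a control, less the control's annual cost, is the net benefit of implementing it. The following is an added example (not from the original slides) that ranks a small register of events by ALE and then runs that cost-benefit check over the controls recommended for them, flagging the ones that do not pay for themselves. The events, loss figures, annual probabilities and control costs are constructed; they are not real data.

```python
"""Quantitative risk analysis worked through in code: ALE ranking of
events and a cost-benefit check on the controls proposed for them.
Added example; the events, dollar figures and rates are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    potential_loss: float  # loss per occurrence, in dollars
    probability: float     # expected occurrences per year

    def ale(self) -> float:
        # Annual Loss Expectancy = potential loss x annual probability
        return round(self.potential_loss * self.probability, 2)


@dataclass(frozen=True)
class Control:
    name: str
    event: str                   # name of the Event it treats
    annual_cost: float           # amortised purchase plus running cost per year
    residual_loss: float         # loss per occurrence with the control in place
    residual_probability: float  # annual probability with the control in place

    def residual_ale(self) -> float:
        return round(self.residual_loss * self.residual_probability, 2)


def rank_by_ale(events):
    """Order events from highest to lowest ALE (rank events by risk)."""
    return sorted(events, key=lambda e: e.ale(), reverse=True)


def net_benefit(event, control):
    """Annual saving from implementing the control, net of its cost.
    Negative means not implementing is the cheaper option."""
    return round(event.ale() - control.residual_ale() - control.annual_cost, 2)


def evaluate_controls(events, controls):
    """Cost-benefit table (Risk Mitigation step 3): one row per control,
    best net benefit first, with a 'justified' flag."""
    by_name = {e.name: e for e in events}
    rows = []
    for c in controls:
        e = by_name[c.event]
        nb = net_benefit(e, c)
        rows.append({"control": c.name, "event": e.name,
                     "ale_before": e.ale(), "ale_after": c.residual_ale(),
                     "annual_cost": c.annual_cost,
                     "net_benefit": nb, "justified": nb > 0})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample register (hypothetical figures).
EVENTS = [
    Event("Phishing credential compromise", 30_000, 1.5),
    Event("Ransomware on file server", 200_000, 0.2),
    Event("Laptop theft", 5_000, 2.4),
    Event("Data centre fire", 1_000_000, 0.01),
]
CONTROLS = [
    # Backups cut the loss per incident, not the chance of being hit.
    Control("Offline backups", "Ransomware on file server", 8_000, 50_000, 0.2),
    # MFA cuts the chance that a phished password is usable.
    Control("MFA for remote access", "Phishing credential compromise", 12_000, 30_000, 0.3),
    Control("Full-disk encryption", "Laptop theft", 3_000, 1_000, 2.4),
    Control("Gas fire suppression", "Data centre fire", 25_000, 1_000_000, 0.002),
]

if __name__ == "__main__":
    for e in rank_by_ale(EVENTS):
        print(f"ALE {e.ale():>10,.0f}  {e.name}")
    for r in evaluate_controls(EVENTS, CONTROLS):
        flag = "implement" if r["justified"] else "do not implement"
        print(f"net {r['net_benefit']:>10,.0f}  {flag:16}  {r['control']}")
```

Note that the fire-suppression control comes out negative even though fire has the largest single loss: the ALE view weighs a rare million-dollar event the same as a frequent cheap one, which is exactly the data-sensitivity caveat the Quantitative Risk Analysis slide raises, so the numbers should be sanity-checked against the qualitative ranking before controls are selected in step 4.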
- 19. Business Continuity Planning
Section 9 of AS/NZS 4444:1996 (Information Security Management) says there
should be a BCP process to cover the following:
Identification & prioritization of critical business processes
Determination of the potential impact of various types of disaster
on business activities – Risk Assessment
Identification & agreement on all responsibilities & emergency
arrangements.
Documentation of agreed procedures and processes.
Appropriate education of staff in executing these.
Testing of the plans.
Ongoing updating of the plans.
- 20. Summary
Good Risk Assessment & Management is foundational and a prerequisite to good
Business Continuity Planning.