
Risk Management: Computer Security Lectures 2014/15 S1

This video is part of the computer/information/cyber security and ethical hacking lecture series; by Z. Cliffe Schreuders at Leeds Beckett University. Laboratory work sheets, slides, and other open educational resources are available at http://z.cliffe.schreuders.org.

The slides themselves are creative commons licensed CC-BY-SA, and images used are licensed as individually attributed.

Topics covered in this lecture include:
Security Risk Management
Risk can be defined as “the possibility of loss or injury”
Security investments aim to mitigate risk, and are a trade-off
They also involve risk, and cost money
People are often not naturally good at judging risk
Cognitive biases affect risk judgement
Security theatre: may make us feel secure, but does not actually provide cost-effective security
Therefore, it helps to be aware of these biases, and where possible use hard figures for decision making
Recommended Viewing: Bruce Schneier – Reconceptualising Security http://www.youtube.com/watch?feature=player_embedded&v=CGd_M_CpeDI
Risk Management
Risk management is the art and science of identifying, analysing, and responding to risk
Organisations need to manage lots of types of risk
Organisational Risk
Managing risk is not an exact science
Involves:
Judgements
Strategic planning
Operation
Risk management success
Risk Management Standards
ISO/IEC 27005:2011 “Information technology -- Security techniques -- Information security risk management”
NIST SP 800-39, “Managing Information Security Risk”
Risk management steps
Frame: Strategic planning
Assess: Assess possible risks to the organisation
Respond: Plan response to risks
Monitor: Monitor risk management (continual)
Case study
Strategic planning
Risk tolerance
Priorities and tradeoffs
Governance: how risk is managed and organised
Enterprise Architecture
Information Security Architecture
Information security requirements gathering
Risk assessment
Document risks
Identify threats and vulnerabilities
Technical and non-technical
Identify the impact of threats exploiting vulnerabilities
Determine the likelihood of harm
Risk magnitude = Impact * Likelihood
Risk identification techniques: Brainstorming, Interviewing, Source analysis, Problem analysis, Common-risk checking, Objectives-based, Taxonomy-based risk identification, Risk breakdown structure, Attack trees
Risk assessment: likelihood
Likelihood – Quantitatively: hard numbers
Accuracy can improve management of risk
Statistical analysis to determine probabilities
Qualitatively: subjective judgement
Probability/impact matrix
Can be used qualitatively (using personal or expert judgement)
Risk assessment: magnitude
Risk magnitude = likeliness * impact
Likelihood and impact may each be on a scale (for example, 1 to 10) or based on quantitative data (more advanced statistics using the available data)
Annual Loss Expectancy (ALE), AKA Estimated Annual Cost (EAC)
ALE = Impact (£/$ loss per event, the single loss expectancy) * Likelihood (expected number of events per year, the annualised rate of occurrence)
Costs can include direct and indirect:
Risk examples
Plan response to risk
Choose appropriate courses of action, and implement risk response
Risk can be: accepted, avoided, mitigated, shared, or transferred...
Evaluating the alternatives
Plan response to risk
Total cost of ownership (TCO)
It only makes sense to mitigate a risk if the TCO of the control is less than the ALE it removes (the reduction in ALE, not the original ALE on its own)
Decision trees can help when evaluating alternatives
Expected monetary value (EMV) shows how much money the organisation loses (or perhaps gains) in each case
Decision trees show the likelihood of outcomes of alternative approaches
Finally, decide what should be done about each risk
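The ALE, TCO-versus-ALE and decision-tree/EMV ideas above, carried through in code. This is an added worked example, not material from the lecture or its slides; every figure (the ransomware risk, the three candidate controls, the patching decision tree) is constructed for illustration, and the class and function names are the example's own.

```python
"""Quantitative risk response: ALE, control TCO comparison, and EMV decision trees.

Added worked example, not from the lecture. All monetary figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """A register entry quantified as in the lecture: ALE = impact per event * likelihood."""
    name: str
    sle: float  # single loss expectancy: monetary loss per event (the "impact")
    aro: float  # annualised rate of occurrence: expected events per year (the "likelihood")

    def ale(self) -> float:
        """Annual Loss Expectancy (Estimated Annual Cost) of leaving the risk untreated."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate response (mitigate, share, transfer, ...) with its running cost and residual risk."""
    name: str
    tco_per_year: float  # total cost of ownership, annualised
    residual_sle: float  # loss per event once the control is in place
    residual_aro: float  # events per year once the control is in place

    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def ale_reduction(risk: Risk, control: Control) -> float:
    """ALE the control removes; this, not the untreated ALE, is what its TCO has to beat."""
    return risk.ale() - control.residual_ale()


def net_benefit(risk: Risk, control: Control) -> float:
    """Positive when the control pays for itself: ALE saved minus annual TCO."""
    return ale_reduction(risk, control) - control.tco_per_year


def choose_control(risk: Risk, controls: list[Control]) -> tuple[str, float]:
    """Pick the control with the largest net benefit; accept the risk when none is positive."""
    best_name, best_value = "accept", 0.0
    for c in controls:
        value = net_benefit(risk, c)
        if value > best_value:
            best_name, best_value = c.name, value
    return best_name, best_value


Branch = tuple[float, float]  # (probability, monetary outcome; losses are negative)


def emv(branches: list[Branch]) -> float:
    """Expected monetary value of one decision-tree alternative: sum of p * outcome."""
    total_p = sum(p for p, _ in branches)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total_p}, not 1")
    return sum(p * outcome for p, outcome in branches)


def best_alternative(tree: dict[str, list[Branch]]) -> tuple[str, float]:
    """Evaluate every alternative in the tree and return the one with the highest EMV."""
    scored = {name: emv(branches) for name, branches in tree.items()}
    name = max(scored, key=scored.get)
    return name, scored[name]


# Constructed figures for illustration only.
RANSOMWARE = Risk("Ransomware on file server", sle=40_000.0, aro=0.5)  # ALE 20,000

CONTROLS = [
    # mitigate: cuts the loss per event, leaves the frequency alone
    Control("Offline backups + EDR", tco_per_year=8_000.0, residual_sle=5_000.0, residual_aro=0.5),
    # transfer: insurance with a 10k excess; frequency unchanged
    Control("Cyber insurance", tco_per_year=6_000.0, residual_sle=10_000.0, residual_aro=0.5),
    # gold-plated option whose TCO exceeds the ALE it removes
    Control("Full network rebuild", tco_per_year=25_000.0, residual_sle=1_000.0, residual_aro=0.1),
]

PATCH_TREE = {
    "Patch now": [(1.0, -3_000.0)],                             # certain downtime cost
    "Defer to next quarter": [(0.25, -50_000.0), (0.75, 0.0)],  # 25% chance of a breach
}

if __name__ == "__main__":
    print(f"ALE of '{RANSOMWARE.name}': {RANSOMWARE.ale():,.0f}")
    for c in CONTROLS:
        print(f"  {c.name:24} TCO {c.tco_per_year:>8,.0f}  "
              f"saves {ale_reduction(RANSOMWARE, c):>8,.0f}  net {net_benefit(RANSOMWARE, c):>8,.0f}")
    print("Recommended:", choose_control(RANSOMWARE, CONTROLS))
    print("Decision tree:", best_alternative(PATCH_TREE))
```

Two points the arithmetic makes visible: the third control removes almost all of the ALE yet is rejected because its TCO is larger than the saving, and the "defer" branch of the tree loses on expectation even though in three quarters of outcomes nothing happens. The inputs are the weak link; ARO and SLE estimates come from the likelihood and impact assessment, and a qualitative 1-to-10 scale cannot be dropped into these formulas without first being mapped to money and frequency.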
Plan how risk is monitored
Verify that measures are implemented, and any legal requirements and standards are met
Measure effectiveness of risk management
Security assessments (measuring security)

Video "Risk Management: Computer Security Lectures 2014/15 S1" from the channel Z. Cliffe Schreuders
Video information
5 January 2015, 19:37:56
00:37:25