Risk Assessment - PowerPoint PPT Presentation

About This Presentation
Title: Risk Assessment
Slides: 48
Provided by: cis51

Transcript and Presenter's Notes

1
Lesson 3
  • Risk Assessment
  • and
  • Risk Mitigation

2
Objective 4
  • At the end of Lesson 3, you will be able to
    describe
    • several approaches to risk assessment,
    • considerations in developing and selecting
      countermeasures,
    • the importance of the management decision, and
    • reasons why risk management is really an art
      instead of a science

3
The Variable Nature of the Elements of Risk
4
Risk is Commonplace
5
Qualitative Data
This is not a nice day
  • Description of
  • qualities,
  • elements, or
  • ingredients of a variable

6
Quantitative Data
  • Allows the variable to be measured
  • Numerical values may be assigned based on
    measured observations

Temp 75°F  Humid 45  Bar 29.35"
7
Purpose of Risk Assessment (Bottom Line)
  • Permit managers to make reasoned decisions
    regarding risk to the organization's mission

8
Using Risk Management Terms - The Catcher at Risk
9
Risk Assessment - Questions to Be Answered
  • What is the relationship of the system to the
    customer's mission?
  • What are all of the undesirable events that could
    happen and affect the mission?
  • How could they happen?
  • Realistically, what are the chances of them
    happening?
  • Suppose such an event happens, how much damage
    could be done?

10
Performing a Risk Assessment
  • Define the purpose of the assessment
  • Identify the product or system
  • Select assessment approach
  • Gather information
  • Develop attack scenarios
  • Estimate risk parameters
  • Produce assessment report

11
Define the Purpose of the Assessment
  • What is the general situation?
  • What decisions are to be made as a result of the
    risk assessment?
  • Who will make the decisions?

12
Identify and Bound the Product or System -
Decide on Scope or Depth of Assessment
13
Organize for the Assessment
  • Individual
  • Individuals
  • Group or team of individuals
  • Groups

14
Define Relationships
  • How will individuals, groups, etc., work together
    performing the tasks of
    • data collection
    • analysis
    • synthesis
    • conclusions
    • recommendations

15
What do Analysts do?
  • Identify threats and their characteristics
  • Gather and exchange information
  • Develop attack scenarios against
    • Confidentiality
    • Integrity
    • Availability
  • Postulate potential consequences
    • Impact on organization's mission
  • Estimate risk parameters

16
Information Sources
  • Knowledge of Individual Members
  • Computer Emergency Response Team Coordination
    Center, etc.
  • Outside Experts
  • Systems Administrators, Manager, etc.
  • Users
  • Threat Assessments and other Reports

17
Threat Characteristics
[Diagram labels: Capability; Motivation; Willingness;
Likelihood of Attack (given capable); Likelihood of
Success (given attempted and capable) = Threat Value]
18
Threat Sources
  • Nature - Historical
  • Unintentional human error - Historical
  • Technological failure - Historical
  • Adversarial - Threat Assessment

19
Adversarial Threat Characteristics
  • Objectives - As opposed to ours
  • Intentions
  • Motivation to act
  • Willingness to accept risk
  • Willingness to accept cost
  • Technical capability
  • Resources

20
Gather and Exchange Information
  • Define What the System Does
  • Define the Environment
  • Determine Data Sensitivity
  • Identify System Users
  • Identify vulnerabilities

21
Gather Information
  • How does the system support the mission?

22
Gather Information
  • Define the Environment

23
Gather Information
  • Determine Data Sensitivity
    • including its value to an adversary and
    • value to the mission

24
Gather Information
  • Identify System Users
    • and their need for the system and its information

25
Gather Information
  • Identify Potential Vulnerabilities

26
Develop Attack Scenarios
  • THREAT AGENTS
    • Adversarial
    • Nature
    • Human error
    • Technological failure
  • TARGETS
    • Confidentiality
    • Integrity
    • Availability
    • Others

27
Avenues of Attack
  Confidentiality   Integrity        Availability
  Network Connect   Public Switch    Public Power
  Application SW    Communications   Local Power
  Firewall                           UPS
  Remote Access
  Physical Access
  Insiders
  Crypto
  TEMPEST
28
Determine Potential Consequences
  • Impact on information system, resulting in
    impact on organization's mission

29
Estimate Risk Parameters
  • Likelihood of Success
    • that a credible threat exists,
    • with capability to attack, and
    • the willingness and intention to do so
  • Consequences
    • the degree of damage resulting from an attack

30
Assessing Risk
31
Attack Scenario No. 1
Coalition Force ISs heavily dependent upon
Internet, few security features, lack procedural
discipline.
[Diagram labels: U.S. Forces IS; Coalition Force IS]
32
Estimate of Risk - Attack Scenario 1
[Chart: Y axis CONSEQUENCE (Lo / Med / Hi), X axis
LIKELIHOOD OF SUCCESS (Lo / Med / Hi); scenario A-1
plotted in the Hi-consequence row]
33
Estimate of Risk - Attacks 1 thru 8
[Chart: Y axis CONSEQUENCE (Lo / Med / Hi), X axis
LIKELIHOOD OF SUCCESS (Lo / Med / Hi); plotted
scenarios: Hi consequence - A-5, A-1/3/4; Med
consequence - A-2/7; Lo consequence - A-6, A-8]
34
Rating Overlay
  Consequence \ Likelihood of Success   Lo   Med   Hi
  Hi                                    M    H     H
  Med                                   M    M     H
  Lo                                    L    M     M
35
Likelihood of Success - Attack Scenario 1
[Chart: the Rating Overlay (H / M / L cells) laid over
the plot of attacks 1 thru 8; Y axis CONSEQUENCE
(Lo / Med / Hi), X axis LIKELIHOOD OF SUCCESS
(Lo / Med / Hi); Hi consequence - A-5, A-1/3/4; Med
consequence - A-2/7; Lo consequence - A-6, A-8]
36
Risk Assessment Methodology
  • Aids Decision Makers
  • Promotes Discussion
  • Focus on Most Serious Problems
  • Early Identification of Risk
  • Highlights Recurring Problems
  • Aids Concurrent Engineering

37
Risk Mitigation
[Diagram labels: COUNTERMEASURE; MGR; RISK]
38
Countermeasure Considerations
  • What is the cost vs. benefit?
  • Are we creating another vulnerability?
  • Are people involved? If so, will they
    participate?
  • How long is the countermeasure needed?
  • How long will the countermeasure be effective?

39
Cost vs. Benefit
  • Cost in
    • dollars
    • time to implement
    • impact on operations

[Figure label: Results]
40
The Catcher at Risk
41
Risk Mitigation - At What Cost?
42
Creating New Vulnerabilities
  • Law of unanticipated consequences

[Diagram labels: New Vulnerability; Risk Analyst]
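The following is an added worked example, not part of the slide deck. It puts the lecture's structure into Python: the threat value is the chain of conditionals from the "Threat Characteristics" slide (capable, then attacks given capable, then succeeds given attempted and capable), the qualitative rating comes from the 3x3 table on the "Rating Overlay" slide, and with_countermeasure() re-rates a scenario after a countermeasure while letting that countermeasure introduce a new scenario of its own, which is the "law of unanticipated consequences" above. The probability bands, the scenario names, and every number are constructed assumptions; the A-n identifiers only echo the slides' labels.

```python
# Added example (not from the slides): qualitative risk rating built from the
# lecture's structure. Threat value = chain of conditionals from the "Threat
# Characteristics" slide; rating = the "Rating Overlay" table; with_countermeasure()
# re-rates after a countermeasure and records any new scenario it creates.
from dataclasses import dataclass, replace

# Rating overlay as read from the slide: OVERLAY[consequence][likelihood_of_success]
OVERLAY = {
    "Hi":  {"Lo": "M", "Med": "H", "Hi": "H"},
    "Med": {"Lo": "M", "Med": "M", "Hi": "H"},
    "Lo":  {"Lo": "L", "Med": "M", "Hi": "M"},
}

# ASSUMPTION: the slides give no probability cut-offs for Lo/Med/Hi; these are
# constructed bands an analyst would agree with the decision maker beforehand.
BANDS = ((0.0, 0.2, "Lo"), (0.2, 0.6, "Med"), (0.6, 1.0 + 1e-9, "Hi"))


def band(p: float) -> str:
    """Map a probability in [0, 1] to the qualitative level used by the overlay."""
    for lo, hi, name in BANDS:
        if lo <= p < hi:
            return name
    raise ValueError(f"probability out of range: {p}")


@dataclass(frozen=True)
class Threat:
    name: str
    p_capable: float                # Capability
    p_attack_given_capable: float   # Motivation and Willingness -> Likelihood of Attack (given capable)
    p_success_given_attempt: float  # Likelihood of Success (given attempted and capable)

    def likelihood_of_success(self) -> float:
        """Threat value: the threat must be capable, choose to act, and then succeed."""
        return self.p_capable * self.p_attack_given_capable * self.p_success_given_attempt


@dataclass(frozen=True)
class Scenario:
    ident: str
    threat: Threat
    consequence: str  # "Lo", "Med" or "Hi" impact on the organization's mission

    def rating(self) -> str:
        return OVERLAY[self.consequence][band(self.threat.likelihood_of_success())]


RANK = {"H": 0, "M": 1, "L": 2}


def rank(scenarios):
    """Most serious first: by overlay rating, then by raw likelihood within a rating."""
    return sorted(scenarios, key=lambda s: (RANK[s.rating()], -s.threat.likelihood_of_success()))


def summarize(scenarios) -> dict:
    """Ordered mapping ident -> rating, most serious first (focus on the worst problems)."""
    return {s.ident: s.rating() for s in rank(scenarios)}


def with_countermeasure(scenarios, target: str, new_p_success_given_attempt: float, created=None):
    """Re-rate `target` with the countermeasure's reduced success probability and append
    `created`, the new scenario the countermeasure itself introduces, if there is one."""
    out = []
    for s in scenarios:
        if s.ident == target:
            s = replace(s, threat=replace(s.threat, p_success_given_attempt=new_p_success_given_attempt))
        out.append(s)
    if created is not None:
        out.append(created)
    return out


# Constructed sample scenarios (every number is made up for illustration).
SCENARIOS = [
    Scenario("A-1", Threat("adversary via coalition Internet link", 0.9, 0.8, 0.9), "Hi"),
    Scenario("A-2", Threat("adversary via remote access", 0.7, 0.5, 0.6), "Med"),
    Scenario("A-6", Threat("operator error", 1.0, 0.5, 0.3), "Lo"),
    Scenario("A-8", Threat("local power failure", 1.0, 0.2, 0.9), "Lo"),
]

# Constructed countermeasure on A-1: cuts success-given-attempt to 0.2, but adds a new
# Med-consequence scenario of its own (A-9), so the total picture must be re-rated.
CREATED = Scenario("A-9", Threat("new exposure added by the countermeasure", 0.9, 0.5, 0.5), "Med")
AFTER = with_countermeasure(SCENARIOS, "A-1", 0.2, created=CREATED)

if __name__ == "__main__":
    print("before:", summarize(SCENARIOS))
    print("after: ", summarize(AFTER))
```

The ranking is what the "Focus on Most Serious Problems" bullet asks for; running it before and after the countermeasure shows A-1 dropping from H to M while the countermeasure's own new scenario A-9 enters at M, which is exactly the trade-off the "Are we creating another vulnerability?" question is meant to surface.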
43
People Considerations
  • Are people involved? Will they participate in
    the solution?

[Diagram labels: COUNTERMEASURE; USER]
44
Time Consideration
  • How long is the countermeasure needed?

45
Time Consideration
  • How long will the countermeasure be effective?

46
Risk Assessment Reality
  • Are we sure of the threat?
  • Have we identified all vulnerabilities?
  • Have we considered all possible attacks?
  • Is our estimate of consequence correct?
  • Is all of this art or science?

47
Never Ending Cycle
[Diagram: cycle of ASSESSING and MITIGATING RISK]