Risk Assessment and Risk Management


Risk Assessment and Risk Management
James Taylor
COSC 316
Spring 2008
Summary of Objectives
• Explain the meaning of risk assessment and management.
• The various steps.
• Reviewing the risks.
• Summary.
• Questions.
What is Risk Assessment and Management?
• Risk assessment is a common first step in a risk management process and, on most UNIX systems, a first step in improving security. Risk assessment is the determination of the quantitative or qualitative value of the risk related to a concrete situation and a recognized threat. On most Unix systems it basically means asking yourself the following:
• What am I trying to protect, and how much is it worth to me?
• What do I need to protect against?
• How much time, effort and money am I willing to expend to obtain adequate protection?
Steps in Risk Assessment and Management
• Identifying assets and their value
• Identifying threats
• Calculating risks
Step 1. Identifying Assets
• To identify assets, draw up a list of the items you need to protect in the system; the list is usually based on your business plan and common sense. It will include tangible and intangible items, and should include everything you consider to be of value.
• Tangible items to list include:
Computers, proprietary data, backups and archives, manuals, printouts, commercial software, commercial equipment, personnel records and audit records.
• Intangible items to list include:
Safety and health of personnel, privacy of users, personnel passwords, public image and reputation, customers, processing availability and configuration information.
Step 2. Identifying Threats
After identifying the company's assets, the next step is to identify the threats to those assets. These threats could be environmental, could come from personnel or outsiders, or might include rare but possible events such as structural failures. Some examples are listed below:
• Environmental threats include: flooding, lightning strikes.
• Personnel and outsider threats include:
Illness of key people in the company, simultaneous illness of many personnel (e.g. a flu epidemic), loss of phone/network services, loss of utilities (phone, water, electricity) for a short time, loss or resignation of key personnel, theft of disks or tapes.
Step 3. Calculating Risks
• Calculating risk uses a cost-benefit analysis: a process of assigning a cost to each possible loss, determining the cost of defending against it, determining the probability that the loss will occur, and then determining whether the cost of defending against the risk outweighs the benefits. This requires listing the following:
• The cost of loss
• The probability of loss
• The cost of prevention
1. The Cost of Loss
• It is usually very difficult to determine the cost of a loss. One could use a simple cost calculation that considers only the cost of repairing or replacing a particular item, or a more sophisticated calculation that also considers the cost of out-of-service equipment, the cost of added training, the cost to the company's reputation and even the cost to the company's clients.
• Normally, assigning a cost range to each item is sufficient. For instance, the loss of a dozen blank diskettes may be classed as under $500, while a destructive fire in your computer room might be classed as over $1000000.
2. The Probability of a Loss
• After identifying the threats, it is important to also estimate the probability, or likelihood, of each one occurring. It is usually best to estimate this on a year-to-year basis.
• Quantifying the probability of a threat is hard work, but one can obtain estimates from third parties such as insurance companies. If an event happens on a regular basis, you can estimate its probability from your own records. Industry organizations may also have collected statistics or published reports.
3. Cost of Prevention
• Finally, you need to calculate the cost of preventing each kind of loss. For instance:
• The cost to recover from a momentary power failure is probably only that of personnel downtime and the time necessary to reboot. The cost of prevention, however, may be that of buying and installing a UPS.
• Deriving these costs may reveal secondary costs and credits that should also be factored in. For instance, installing a better fire-suppression system may result in a yearly decrease in your fire insurance premiums and give you a tax benefit for capital depreciation.
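As an added worked example (not part of the original slides), the Step 3 cost-benefit comparison in Python: each threat carries the three quantities from the slides, the yearly benefit of a defence is taken as the avoided expected loss (cost of loss times yearly probability) plus any secondary credits, and the dollar figures, probabilities and threat names are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One possible loss, costed with the three quantities from Step 3."""
    name: str
    cost_of_loss: float        # cost of a single occurrence (repair, downtime, reputation ...)
    annual_probability: float  # expected occurrences per year, estimated year to year
    cost_of_prevention: float  # yearly cost of the countermeasure (purchase spread over its life)
    annual_credits: float = 0.0     # secondary credits, e.g. lower insurance premium, tax benefit
    residual_fraction: float = 0.0  # share of the loss the countermeasure does not prevent

    def annual_expected_loss(self) -> float:
        # Loss you expect to absorb per year if you do nothing.
        return self.cost_of_loss * self.annual_probability

    def annual_benefit(self) -> float:
        # Loss avoided per year by the countermeasure, plus secondary credits.
        avoided = self.annual_expected_loss() * (1.0 - self.residual_fraction)
        return avoided + self.annual_credits

    def net_benefit(self) -> float:
        # Positive when the defence is worth more than it costs each year.
        return self.annual_benefit() - self.cost_of_prevention

    def worth_defending(self) -> bool:
        return self.net_benefit() > 0.0


def rank_defences(threats: list[Threat]) -> list[tuple[str, float, bool]]:
    """Return (name, net yearly benefit, worth defending) sorted best first."""
    rows = [(t.name, round(t.net_benefit(), 2), t.worth_defending()) for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample figures, loosely following the slides' own examples.
POWER_FAILURE = Threat("momentary power failure", cost_of_loss=400.0,
                       annual_probability=6.0, cost_of_prevention=1500.0)   # UPS
COMPUTER_ROOM_FIRE = Threat("computer room fire", cost_of_loss=1_000_000.0,
                            annual_probability=0.002, cost_of_prevention=5000.0,
                            annual_credits=2000.0, residual_fraction=0.25)  # suppression system
BLANK_DISKETTES = Threat("loss of a dozen blank diskettes", cost_of_loss=50.0,
                         annual_probability=2.0, cost_of_prevention=300.0)  # locked cabinet

if __name__ == "__main__":
    for name, net, worth in rank_defences([POWER_FAILURE, COMPUTER_ROOM_FIRE, BLANK_DISKETTES]):
        print(f"{name:35s} net yearly benefit {net:>10.2f}  defend: {worth}")
```

Reassessing is then a matter of updating the probabilities and costs and re-running the ranking, which is the periodic review the next slide calls for.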
Reviewing Your Risks
• Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically. In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.
Summary
• In a nutshell, practical security is often more a question of management and administration than one of technical skill; consequently, security must be a priority of your organization's management.
Questions