MGMT 755 Security Risk Analysis

Dr. Benjamin Khoo [email protected], New York Institute of Technology, School of Management

Description: New York Institute of Technology School of Management. MGMT 755 Security Risk Analysis. Dr. Benjamin Khoo [email protected]. Chapter 1 (Introduction – FAQ): Why should a Risk Assessment be conducted? When should a Risk Analysis be conducted?

Transcript of MGMT 755 Security Risk Analysis

Page 1: MGMT 755 Security Risk Analysis

Dr. Benjamin Khoo [email protected]

New York Institute of Technology, School of Management

Page 2: MGMT 755 Security Risk Analysis

1. Why should a Risk Assessment be conducted?
2. When should a Risk Analysis be conducted?
3. Who should conduct the Risk Analysis and Risk Assessment?
4. Who within the organization should conduct the Risk Analysis and Risk Assessment?
5. How long should a Risk Analysis or Risk Assessment take?
6. What can a Risk Analysis or Risk Assessment analyze?

Page 3: MGMT 755 Security Risk Analysis

7. What can the results of Risk Management tell an Organization?

8. Who should review the results of a Risk Analysis?

9. How is the success of the Risk Analysis measured?

Page 4: MGMT 755 Security Risk Analysis

1. Overview
- Risk Management (RM) is used to balance the operational and economic costs of protective measures for information systems (IS) against the gains in mission capability they provide.
- RM is made up of:
  1. risk analysis
  2. risk assessment
  3. risk mitigation
  4. vulnerability assessment and controls evaluation.

See Table 2.1 for definitions.

Page 5: MGMT 755 Security Risk Analysis

2. Risk Assessment as part of the business process

See Figure 2.1

Risk Management Activities mapped to the SDLC

See Table 2.2

Page 6: MGMT 755 Security Risk Analysis

3. Employee Roles and Responsibilities

See Table 2.3, Table 2.4 & Table 2.5 for examples.

4. Information Security Life Cycle

See Figure 2.2

5. Risk Analysis Process

Page 7: MGMT 755 Security Risk Analysis

6. Risk Assessment
  1. Asset Definition
  2. Threat Identification (See Table 2.6)
  3. Determine Probability of Occurrence
  4. Determine the Impact of the Threat (See Figure 2.3 and Figure 2.4)
  5. Controls Recommended
  6. Documentation
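The six Risk Assessment steps on this slide can be walked through end to end with a small risk register. The example below is an added illustration, not part of the course slides or the textbook tables they reference: it applies the standard quantitative method (single loss expectancy = asset value × exposure factor; annualized loss expectancy = SLE × annual rate of occurrence), which the slides do not spell out, to a constructed set of assets, threats and candidate controls. All asset values, probabilities, exposure factors and control costs are made-up sample figures, and the `control_reduction` field (the fraction of the annual loss a control is assumed to remove) is an assumption introduced here so that "Controls Recommended" can be decided by net value rather than by judgement alone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Step 1, Asset Definition: what is being protected and what it is worth."""
    name: str
    value: float  # business/replacement value in USD (constructed sample figure)


@dataclass(frozen=True)
class Threat:
    """Steps 2-4: an identified threat against one asset, with probability and impact."""
    asset: str
    name: str
    annual_rate: float       # Step 3: expected occurrences per year (ARO)
    exposure_factor: float   # Step 4: fraction of the asset value lost per occurrence (0..1)
    control: str             # Step 5: candidate control for this threat
    control_cost: float      # annual cost of the control (constructed)
    control_reduction: float # assumed fraction of the annual loss the control removes (0..1)


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Impact of one occurrence: SLE = asset value * exposure factor."""
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Probability combined with impact: ALE = SLE * ARO."""
    return single_loss_expectancy(asset, threat) * threat.annual_rate


def control_net_value(asset: Asset, threat: Threat) -> float:
    """Annual loss avoided by the control minus its annual cost.
    A positive value means the control pays for itself."""
    ale = annualized_loss_expectancy(asset, threat)
    return ale * threat.control_reduction - threat.control_cost


def build_register(assets: list[Asset], threats: list[Threat]) -> list[dict]:
    """Step 6, Documentation: one row per threat, highest annual loss first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        rows.append({
            "asset": a.name,
            "threat": t.name,
            "sle": single_loss_expectancy(a, t),
            "ale": annualized_loss_expectancy(a, t),
            "control": t.control,
            "control_net_value": control_net_value(a, t),
        })
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def recommend_controls(register: list[dict]) -> list[str]:
    """Step 5, Controls Recommended: keep only controls whose net value is positive."""
    return [r["control"] for r in register if r["control_net_value"] > 0]


# Constructed sample data; none of these figures come from the course material.
ASSETS = [
    Asset("customer database", 500_000.0),
    Asset("public web server", 80_000.0),
    Asset("office laptops", 40_000.0),
]

THREATS = [
    Threat("customer database", "external data breach", 0.2, 0.6,
           "input validation and web application firewall", 15_000.0, 0.8),
    Threat("public web server", "denial-of-service outage", 2.0, 0.25,
           "content delivery network with traffic scrubbing", 30_000.0, 0.9),
    Threat("office laptops", "laptop theft", 3.0, 0.1,
           "full-disk encryption and device management", 5_000.0, 0.5),
    Threat("customer database", "insider misuse", 0.05, 0.3,
           "database activity monitoring", 20_000.0, 0.6),
]


if __name__ == "__main__":
    register = build_register(ASSETS, THREATS)
    for row in register:
        print(f"{row['asset']:<18} {row['threat']:<26} "
              f"ALE ${row['ale']:>10,.0f}  net value of control ${row['control_net_value']:>10,.0f}")
    print("Recommended controls:", recommend_controls(register))
```

Ranking the register by ALE answers question 7 on the earlier slide (what the results tell the organization): the largest expected annual losses are where attention goes first, and the net-value column makes the control decision explicit, so a control that costs more than the loss it prevents (the monitoring control in the sample data) is documented but not recommended.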