Risk Assessment
Transcript of Risk Assessment
Risk Management
Lecture 2
All content “lives” in the form of thinking. Only those who can “think” through the content have it. All content “dies” when one tries to learn it without thinking it through. Only through thinking can learners “take possession” of content and make it theirs. Only to the extent that a learner asks genuine questions and seeks answers to them is a learner taking content seriously and thinking it through!
© Paul, R. & Elder, L.
Risks vs. concerns vs. problems
A risk is an event/uncertainty which causes a failure to execute the plan as expected.
This requires that a plan be in place.
If you don’t yet have a plan, you have a concern:
“I don’t know where we’re going to get developers”
“We need to bid $X to win, but the true cost is $XX”
If a risk comes true, then you have a problem:
“I didn’t get Dan, and he was key to the effort”
Pure vs speculative risk
Pure risk exists when there is uncertainty as to whether loss will occur. No possibility of gain is presented, only the potential for loss.
Speculative risk exists when there is uncertainty about an event that can produce either a profit or a loss.
Both pure and speculative risks may be present in some situations.
Subjective vs objective risk
Subjective risk refers to the mental state of an individual who experiences doubt or worry as to the outcome of a given event. It is essentially the psychological uncertainty that arises from an individual’s mental attitude or state of mind.
Objective risk differs from subjective risk in the sense that it is more precisely observable and therefore measurable. It is the probable variation of actual from expected experience.
Static vs dynamic risk
Static risk: a risk that arises from the normal course of business activities and does not involve changes in the environment or technology. Static risk can only result in a loss.
Dynamic risk: a risk that arises from the continuous change that exists in the business or economic environment or in technology. Dynamic risk can produce a gain (or savings) as well as a loss (or expenses).
Types of risk – summary
Pure risk – loss only
Speculative risk – loss and gain possible
Dynamic risk – changes in environment or technology (loss or gain)
Static risk – no change in environment or technology (loss only)
Subjective risk – psychological uncertainty
Objective risk – observable and measurable (probable variation from expected experience)
Particular risk – exposure to loss from specific individual events
Fundamental risk – exposure to loss involving a large group of people from "generic" phenomena (earthquake, inflation, etc.)
Financial risk – probable loss inherent in financing methods
Non-financial risk – probable loss based on other than financial lending methods
Probability of loss – finance term, meaning the failure to achieve the expected result
Law of large numbers – a theorem stating that as the number of trials of a random process increases, the difference (as a percentage) between the expected and actual result decreases
Risk management ownership
Each organisation owns its risks
Each organisation has its own information security risks
Each organisation must characterise its risks
Each organisation must analyse its risks
Each organisation must manage its risks
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).
Key questions:
• What risks will the organisation not accept? (e.g. environmental or quality compromises)
• What risks will the organisation take on new initiatives? (e.g. new product lines)
• What risks will the organisation accept for competing objectives? (e.g. gross profit vs. market share)
Source: COSO
The importance of knowing
When something goes wrong, IT must be able to answer:
“What is the problem and where did it originate?”
“Who is impacted in our business?”
“What action must we take to resolve the problem?”
“How can we prevent this in the future?”
Without answers to these questions…
IT will be less trusted, less cost-effective, and unable to quantify or manage risk.
The challenge in IT
Risk runs through the whole life cycle of a system: development, deployment and operation.
IT system risks
Technical – will the new IT system work technically?
Organisational – will workers use it correctly?
Business – are the benefits achieved cost-justified?
Risk management
Coordinated activities to direct and control an organisation with regard to risk
ISO/IEC 27000:2009
Should be a systematic and formal process. Generally includes:
Risk governance
Risk assessment
Risk treatment
Risk acceptance
Risk communication
Strategic IT security and risk management
An effective IT security strategy needs a holistic, security-conscious environment in the entire organisation and a commitment to:
Ensuring stakeholders’ confidence and trust
Maintaining the confidentiality of personal and financial information
Safeguarding sensitive business information from unauthorised disclosure
Risk management components
Risk assessment:
  Risk identification
  Risk analysis
  Risk prioritisation
Risk treatment:
  Risk reduction
  Emergency planning
  Implementation
Effect of risk management
Managing risk effectively can have a positive impact on reputation and shareholder value…
Of more than 1,300 CEOs, 43 percent consider governance, risk management and compliance (GRC) a value driver and a source of competitive advantage; 56% believe that it has a positive effect on reputation and brand.
~ PricewaterhouseCoopers' Global CEO Survey, January 2005
7 aspects of inadequate IT risk management
Piecemeal approach
Communication failure
Surprises and reactivity
Career damage
Evolving, moving subjects
Creeping goals
Consistent competitive underperformance
Governing risk
Setting the boundaries within which an organisation will operate: the high and low limits of risk, i.e. risk appetite and risk tolerance.
Key risk governance activities…
DETERMINE RISK APPETITE
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.
DETERMINE RISK TOLERANCE
The acceptable level of variation relative to achievement of a specific objective. The level of risk an organisation is prepared to be exposed to before it decides that action is necessary.
Source: COSO
Ensuring use of the IT security and risk management strategy
Integrated approach to prevention, detection and management of attacks
Holistic approach to security planning
Necessary resources for a comprehensive security plan involving technology, strategy, people & culture, structure & systems, and processes
Management commitment is paramount in the protection of IT resources
People, not technology, are often the weakness in IT security. An otherwise secure IT system will fail if those who use it do not follow the security strategy and plans.
Risk assessment
The process to:
Identify threats and vulnerabilities
Analyse existing controls, likelihood and impact
Evaluate the cost of exposure and the cost of protection
Prioritise risks
NIST SP 800-30
Risk context
Establish the objectives, the type of assessment, the boundaries (what is in, what is out), the assessment’s validity and reliability, and the liability of the assessor.
Risk identification
Threat
Potential cause of an unwanted incident, which may result in harm to a system or organisation
ISO/IEC 27000:2009
The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability
NIST SP 800-30
Vulnerability
Weakness of an asset or control that can be exploited by a threat
ISO/IEC 27000:2009
A flaw or weakness in system security procedures, design, implementation, or internal controls
NIST SP 800-30
Risk analysis
Existing controls: a countermeasure or safeguard to manage risk
Likelihood: probability of a risk eventuating
Impact: adverse change to the level of business objectives achieved
ISO/IEC 27000:2009
Fundamental Risk Model: “Jacobson’s Window” (Robert Jacobson, 1997)
[Figure: a two-by-two grid with Occurrences (Low to High) on the vertical axis and Consequences (Low to High) on the horizontal axis, giving four risk classes.]
Two inconsequential risk classes:
Low occurrences, low consequences: “Don’t care”
High occurrences, high consequences: “Doesn’t happen”
Two significant risk classes:
High occurrences, low consequences: power transient, minor software bug, keystroke error, …
Low occurrences, high consequences: major fire, long power outage, flooding, cash fraud, …
Example: impact analysis
A web site normally runs 7 days/week, 24 hours/day, generating $2000/hr in revenue from customer orders. Annual value (revenue): $17,520,000.
Immediate financial impact of losing the asset (unavailable for 6 hours):
Calculated exposure: .000685% per year
Directly attributable losses: $12,000
Example: impact analysis (cont’d)
Indirect business impact of losing the asset:
e.g. $10,000 on advertising to counteract negative publicity, plus the loss of 0.1 of 1% of annual sales, or $17,520
Therefore, total indirect loss: $27,520
Risk evaluation
Weigh the cost of exposure against the cost of protection.
Risk assessment definitions
Exposure Factor (EF): percentage of asset loss caused by the identified threat
Single Loss Expectancy (SLE): asset value × exposure factor
Annualised Rate of Occurrence (ARO): estimated frequency with which a threat will occur within a year
Annualised Loss Expectancy (ALE): SLE × ARO
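The SLE/ARO/ALE definitions, the web-site impact analysis above and the exposure-vs-protection comparison under risk evaluation, worked through as an added example (not part of the lecture). The asset figures are the lecture's ($2000/hr, 6-hour outage, $10,000 advertising, 0.1% of sales); the ARO of four outages a year, the control cost and the control's effect on ARO are constructed assumptions.

```python
"""SLE / ARO / ALE arithmetic and the exposure-vs-protection test.
Added example, not lecture material. Asset figures follow the lecture's
web-site scenario; ARO, control cost and control effect are constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # site runs 7 days/week, 24 hours/day


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # annual revenue at risk, $
    exposure_factor: float  # fraction of the asset lost per event (EF)
    aro: float              # expected events per year (ARO)


def outage_exposure_factor(hours_down: float) -> float:
    """EF for an availability loss: share of the year the asset is down."""
    return hours_down / HOURS_PER_YEAR


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def annualised_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(s) * s.aro


def indirect_loss(asset_value: float, remediation_cost: float,
                  sales_loss_fraction: float) -> float:
    """Indirect impact: clean-up spend plus the slice of annual sales lost."""
    return remediation_cost + asset_value * sales_loss_fraction


def control_is_worthwhile(s: Scenario, annual_control_cost: float,
                          aro_reduction: float) -> bool:
    """Risk evaluation: justify a control only when the ALE it removes
    (cost of exposure) exceeds its annual cost (cost of protection)."""
    mitigated = Scenario(s.asset_value, s.exposure_factor,
                         s.aro * (1 - aro_reduction))
    saved = annualised_loss_expectancy(s) - annualised_loss_expectancy(mitigated)
    return saved > annual_control_cost


# Lecture scenario: $2000/hr, 6-hour outage; ARO of 4/year is constructed.
WEB_SITE = Scenario(asset_value=2000 * HOURS_PER_YEAR,
                    exposure_factor=outage_exposure_factor(6), aro=4.0)
```

Calling the functions on WEB_SITE reproduces the lecture's $12,000 direct loss and $27,520 indirect loss, and shows that a $20,000/year control halving the outage rate pays for itself while a $30,000 one does not.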
Business continuity management (BCM)
BCM is part of risk management and it:
Identifies those risks that have the potential to interrupt the normal course of business operations
Implements preventive controls to prevent the occurrence of such risks
Develops corrective controls for coping should the preventive controls fail and the risk eventuate
Summary
The strategic risk management process involves:
Establishing the business context
Identifying, analysing and evaluating the risks the business faces
Designing and implementing preventive and corrective controls
Monitoring and reviewing the strategy to ensure its effectiveness and that it responds to changes