Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
Risk Management
Giorgio Fumera
Cybersecurity – Spring semester 2020-2021
http://pralab.diee.unica.it
Outline
• Introduction to risk management
• Risk management frameworks
– ISO standards
– NIST guidelines
• The risk assessment process
– NIST guidelines
– qualitative and quantitative risk assessment
– risk assessment techniques
• Risk treatment
• Data collection and processing for risk assessment
• Real-world examples of risk assessment
Resources
PART THREE – Management Issues, Ch. 14 IT Security Management and Risk Assessment
Ch. 10 Management and Incidents, Par. 10.4 Risk Analysis
• ISO standards (available through the Faculty library)
• NIST documents
Introduction to Risk Management
What is risk?
A concept inherently present in every human activity
Non-technical definition of "risk" (Oxford Dictionary of English)
A situation involving exposure to danger: all outdoor activities carry an element of risk
– the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease
Examples from everyday life activities
– walking along or crossing a road
– driving a motorcycle
– choosing a master course
– ...
Technical definition of "risk" (Oxford Dictionary of English)
A situation involving exposure to danger: all outdoor activities carry an element of risk
– the possibility that something unpleasant or unwelcome will happen: reduce the risk of heart disease
– a possibility of harm or damage against which something is insured: all-risks insurance for professional photographers
– the possibility of financial loss: the Bank is rigorous when it comes to analysing and evaluating risk
Risk is always related to uncertainty about future events.
Dealing with risk
Examples from everyday life activities
– walking along or crossing a road
– driving a motorcycle
– choosing a master course
– ...
Avoiding risk entirely is not possible
Risk can only be reduced or mitigated, at some cost
Organizations' view of risks
• Private organizations (companies, industry, financial institutions, etc.)
• Public organizations/services (education system, health system, etc.)
• Cross-sector organizations: critical infrastructures (transports, communications, energy, etc.)
• States (health, climate change, pollution, etc.)
[Figure: organization's assets, undesired events, risk mitigation actions]
Assets and risks in different sectors
• Enterprises
• Industry
• Financial institutions
• Process plants (e.g., nuclear and chemical plants)
• Civil engineering (buildings, infrastructures)
• Environmental engineering
• Transports
• Aerospace
• Military
• Energy
• Communications
• Health system
• ...
The main elements of risk analysis
[Figure: an undesired event affecting the organization's assets; its likelihood and consequences determine the level of risk, which drives the risk mitigation actions; decision-making: top management or political level]
Risk management initiatives
Risk management initiatives have been undertaken over the years in many sectors
– involvement of public and private bodies
– normative outcomes: regulations, standards, guidelines
– technical outcomes: methodologies, techniques
Examples
– nuclear field: International Atomic Energy Agency (IAEA)
– banking: Basel Committee
– industry: International Organization for Standards (ISO), National Institute of Standards and Technology (NIST)
Risk management: historical notes
Enterprise sector (1900's –):
– beginning of the 20th cent.: management model in the financial sector
– 1950's: application to the insurance sector (USA)
– 1960's: application to engineering & construction companies
– 1990's: Enterprise Risk Management model – global, integrated view into organizations' life
– 2009: formalization in the ISO 31000 standard
Banking sector (1974 –):
– beginning of the 20th cent.: management model in the financial sector
– 1974: Basel Committee (Banking Regulations and Supervisory Practices)
– 1988 – 2017: Basel accords
Risk management: historical notes
Industrial sectors (1950's –):
– chemical plants: EC (European Commission) Seveso Directive – Technological Disaster Risk Reduction (1982), http://ec.europa.eu/environment/seveso/index.htm
– aerospace: NASA (National Aeronautics and Space Administration, USA), https://sma.nasa.gov/sma-disciplines/risk-management; 1986: Space Shuttle Challenger disaster
– nuclear plants: IAEA (International Atomic Energy Agency), https://www.iaea.org; 1986: Chernobyl accident
Cybersecurity risks
Risks related to information systems
Who is affected by cybersecurity risks?
– organizations that develop and provide ICT products and services
– individuals and organizations that use ICT products and services
Sectors concerned: enterprises, industry, financial institutions, process plants, civil engineering, environmental engineering, transports, aerospace, military, energy, communications, health system, ...
Cybersecurity risks: an example
Industrial automation and control systems
[Figure: layers of an industrial control system – Supervisory Control And Data Acquisition (SCADA), Manufacturing Execution System (MES), Enterprise Resource Planning (ERP), Programmable Logic Controller (PLC)]
Source: Abdo et al., A safety/security risk analysis approach of Industrial Control Systems, Computers & Security 72 (2018) 175–195
Risk management in cybersecurity
A still evolving field, building on results from other sectors
– principles
– frameworks
– standards
– methodologies
– specific techniques
The main actors involved:
– International Organization for Standards (ISO)
– National Institute of Standards and Technology (NIST)
The risk management process
An example for the enterprise sector (NIST Cybersecurity Framework Version 1.1, April 16, 2018, available free of charge from https://doi.org/10.6028/NIST.CSWP.04162018, Section 2.4 "Coordination of Framework Implementation"):
[Figure 2: Notional Information and Decision Flows within an Organization, reproduced from the NIST Cybersecurity Framework]
Quoted from the framework: "Figure 2 describes a common flow of information and decisions at the following levels within an organization: Executive; Business/Process; Implementation/Operations. The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization's overall risk management process and to the implementation/operations level for awareness of business impact."
Risk management: fundamental component of any organization
Broad involvement of all organizational levels
International Organization for Standards (ISO)
https://www.iso.org
Main facts
– worldwide federation of national standard bodies
– develops and publishes international standards for most industry sectors
– some standards can be certified by external certification bodies
– liaises with other governmental and non-governmental organizations
– collaborates with the International Electrotechnical Commission (IEC) on electrotechnical standardization matters
– ISO standards are not available for free
How to consult ISO standards at UNICA
– free access provided by the Faculty Library (computer room) to UNICA students, through UNI – Ente Nazionale Italiano di Normazione, https://www.uni.com (ask the Library staff for instructions)
– requires UNICA student's account
– documents are only available for consultation
National Institute of Standards and Technology (NIST)
https://www.nist.gov/
Main facts
– founded in 1901
– part of the U.S. Department of Commerce
– industry-related standards, guidelines and best practices
– all NIST documents are publicly available