Risk management

Assessment

Presentation

Computers

University

Hard

Created by Gilbert Baracka


12 Slides • 1 Question

1

Risk management

by Gilbert Baracka

2

Risk management (formal)

  • Risk analysis

  • Risk treatment

  • Regularly repeat risk analysis

3

Fill in the Blank

A formal methodology for consistently estimating risk in a given environment

4

Risk analysis types

  • Quantitative -> represent risk in terms of financial impact

  • Qualitative -> represent risk in terms of magnitude, where the magnitudes are defined (e.g. "high" = significant financial, reputational and operational harm)

5

Quantitative risk analysis

  • SLE = AV x EF

  • SLE = asset value x exposure factor (the fraction of the asset's value lost if a compromise occurs)

  • single loss expectancy = asset value x exposure factor

6

Quantitative risk analysis

  • ALE = ARO x SLE

  • Annualized loss expectancy = annualized rate of occurrence x single loss expectancy

  • Annualized loss expectancy (ALE): the total expected loss per year

  • Annualized rate of occurrence (ARO): the probability of occurrence in one year, expressed as a quantity (expected number of occurrences per year) rather than a pure probability

  • Risk analysis: if $1,000 x 10% = $100 in expected losses per year, don't spend more than $100 per year on security controls; otherwise it would have been cheaper to simply accept the risk
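The following is an added example, not part of the original slides: it carries the SLE and ALE formulas through for a hypothetical asset (`FILE_SERVER`, with the slide's $1,000 x 10% figures modelled as EF = 1.0 and ARO = 0.10) and generalises the slide's rule of thumb to controls that only reduce the risk rather than remove it. The asset, the two controls and their costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """Inputs of the quantitative model for one asset (hypothetical figures)."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 .. 1.0)
    aro: float              # ARO, expected incidents per year (may exceed 1)


@dataclass(frozen=True)
class Control:
    """A candidate security control and the risk picture once it is in place."""
    name: str
    annual_cost: float      # amortised cost of the control per year
    new_exposure_factor: float
    new_aro: float


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: SLE = AV x EF."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy: ALE = ARO x SLE."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle(asset_value, exposure_factor)


def evaluate_control(asset: Asset, control: Control) -> dict:
    """Compare the ALE before and after the control with what the control costs.

    The slide's rule of thumb is the special case where the control removes the
    risk entirely: the yearly benefit is then the whole ALE, and paying more than
    that for the control is worse than accepting the risk.
    """
    before = ale(asset.asset_value, asset.exposure_factor, asset.aro)
    after = ale(asset.asset_value, control.new_exposure_factor, control.new_aro)
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_benefit": reduction,
        "net_value": reduction - control.annual_cost,
        "justified": reduction > control.annual_cost,
    }


# Constructed inputs matching the slide's "$1,000 x 10% = $100" figure: the full
# asset value is lost per incident (EF = 1.0) and an incident is expected once
# every ten years (ARO = 0.10).
FILE_SERVER = Asset("file server", asset_value=1_000.0, exposure_factor=1.0, aro=0.10)

# Two hypothetical controls: an expensive one that eliminates the risk, and a
# cheaper one that only makes incidents five times rarer.
GOLD_PLATED = Control("gold-plated control", annual_cost=150.0, new_exposure_factor=0.0, new_aro=0.0)
PATCHING = Control("routine patching", annual_cost=40.0, new_exposure_factor=1.0, new_aro=0.02)


if __name__ == "__main__":
    for control in (GOLD_PLATED, PATCHING):
        result = evaluate_control(FILE_SERVER, control)
        verdict = "implement" if result["justified"] else "accept the risk instead"
        print(f"{control.name}: ALE ${result['ale_before']:.0f} -> ${result['ale_after']:.0f}, "
              f"net ${result['net_value']:.0f}/yr -> {verdict}")
```

Running the script shows the $150 control losing to risk acceptance (its benefit is capped at the $100 ALE), while the $40 control is justified because it still removes $80 of expected annual loss. The comparison is only as good as the AV, EF and ARO estimates, which the next slide lists as the method's main weakness.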

7

Quantitative risk analysis

  • The analysis is difficult because threats change

  • security control capabilities change frequently

  • asset value changes every day

  • factoring in the cost of treating the compromise is difficult

  • time-consuming: the cost of the analysis itself may exceed the cost of the security controls

  • impact is rarely purely financial

  • for these reasons, not used

8

Qualitative risk analysis

  • represent the risk in terms of magnitude

  • define what the magnitudes mean to the organization

  • determine the risk threshold (tolerance) and treat risks exceeding the threshold

  • repeat quickly and frequently
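An added example, not from the original slides, of the qualitative procedure just listed: ordered magnitudes with a stated meaning for a hypothetical organization, a 4x4 likelihood/impact matrix that assigns each risk a magnitude, and a threshold check that returns only the risks exceeding the tolerance. The magnitude names, the meanings, the matrix cut-offs and the sample risk register are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Magnitude(IntEnum):
    """Ordered risk magnitudes; comparing two values compares their severity."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# What each magnitude means to the (hypothetical) organization. Writing these
# down is what keeps the qualitative method consistent between repetitions.
MEANING = {
    Magnitude.LOW: "minor nuisance, absorbed within normal operations",
    Magnitude.MEDIUM: "noticeable financial or operational harm, recoverable within days",
    Magnitude.HIGH: "significant financial, reputational and operational harm",
    Magnitude.CRITICAL: "threatens the continuity of a business line",
}

SCALE_MIN, SCALE_MAX = 1, 4  # likelihood and impact are both rated 1 (lowest) to 4 (highest)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 = rare .. 4 = almost certain
    impact: int      # 1 = negligible .. 4 = severe


def magnitude(likelihood: int, impact: int) -> Magnitude:
    """Map a likelihood/impact pair to a magnitude using a 4x4 matrix.

    The matrix is the product of the two ratings (1..16) bucketed with cut-offs
    chosen so that a severe impact never lands in LOW, however rare it is.
    """
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"ratings must be between {SCALE_MIN} and {SCALE_MAX}")
    score = likelihood * impact
    if score >= 12:
        return Magnitude.CRITICAL
    if score >= 6:
        return Magnitude.HIGH
    if score >= 3:
        return Magnitude.MEDIUM
    return Magnitude.LOW


def risks_to_treat(risks, threshold: Magnitude) -> list:
    """Return the risks whose magnitude exceeds the tolerance threshold, most
    severe first; everything at or below the threshold is accepted."""
    above = [r for r in risks if magnitude(r.likelihood, r.impact) > threshold]
    return sorted(above, key=lambda r: (-magnitude(r.likelihood, r.impact), r.name))


# Constructed sample register for the example.
SAMPLE_RISKS = [
    Risk("phishing leads to credential theft", likelihood=4, impact=3),
    Risk("unencrypted laptop lost in transit", likelihood=3, impact=2),
    Risk("office printer outage", likelihood=2, impact=1),
    Risk("flood in the data centre", likelihood=1, impact=4),
]


if __name__ == "__main__":
    threshold = Magnitude.MEDIUM  # hypothetical organisational tolerance
    for r in SAMPLE_RISKS:
        m = magnitude(r.likelihood, r.impact)
        print(f"{m.name:8} {r.name}: {MEANING[m]}")
    print("treat:", [r.name for r in risks_to_treat(SAMPLE_RISKS, threshold)])
```

Because the ratings are small integers and the matrix is fixed, a pass over the register takes seconds, which is what lets the qualitative analysis be repeated quickly and frequently as the slide recommends; changing the threshold is a one-line policy decision rather than a re-estimation of every asset's value.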

9

Risk treatment

  • After determining the risks, choose a form of risk treatment:

    • risk acceptance

    • risk transference

    • risk reduction

    • doing nothing -> amounts to risk acceptance

10

Risk avoidance

  • partial - avoids specific threat sources or threat actions

  • full - avoids all threat sources and actions

  • appropriate for high risks

11

Risk transference

  • shift the risk to an external organization (e.g. buy insurance)

  • outsource the information system

    • colocation, managed servers, or cloud providers

  • avoid increasing risk by choosing the wrong vendor

12

Risk reduction

  • Design and implement security controls

  • Estimate the residual risk

  • design and implement additional security controls, repeatedly, until risk acceptance is appropriate

  • closely monitor the risk, as risks will shift over time (usually increase)

13

Risk acceptance

  • should be documented, particularly in compliance-oriented environments

  • appropriate for low risks

  • tends to make security management the good guys
