Project risk analysis

Post on 18-Jul-2015

Transcript of Project risk analysis

Project risk analysis has a broad range of applications, just as the definition of a project is broad. Project risk analysis is concerned with the assessment of the risks and uncertainties that threaten a project.

What is a Project?

A temporary endeavor undertaken to create a unique product or service. In the broadest sense a project is a specific, finite task to be accomplished, whether large or small in scale, long or short in duration.

What is Risk?

The probability that a particular threat will exploit a particular vulnerability.

Risk analysis is the review of the risks associated with a particular event or action. It is applied to projects, information technology, security issues and any action where risks may be analyzed on a quantitative and qualitative basis. Risk analysis is a component of risk management.

Risk Management Cycle

Risk Analysis

1. Calculate the (quantitative) likelihood of each identified hazard

2. Calculate the (quantitative) consequences that are expected to occur for each hazard

3. Develop a locally-tailored qualitative system of measurement

4. Translate all quantitative data into qualitative measures


Who should be Involved?

- Security experts
- Internal domain experts
- Managers responsible for implementing controls

Assets

- Identify assets
- Critical assets

Identify Assets

- Physical assets: buildings, computers
- Logical assets: intellectual property, reputation

Critical Assets

- People and skills
- Goodwill
- Hardware/software
- Documentation
- Physical plant
- Money

Threats

- An expression of intention to inflict evil, injury or damage
- Attacks against key security services: confidentiality, integrity, availability

Vulnerabilities

- Flaw or weakness in a system that can be exploited to violate system integrity
- Found in security procedures, design, and implementation
- Threats trigger vulnerabilities: accidental or malicious

Controls/Countermeasures

- Mechanisms or procedures for mitigating vulnerabilities: prevent, detect, recover
- Understand the cost and coverage of each control
- Controls follow vulnerability and threat analysis

Risk/Control Trade-Offs

- The only safe asset is a dead asset: an asset that is completely locked away is safe, but useless
- Trade-off between safety and availability
- Do not waste effort on assets with low loss value: don't spend resources to protect garbage
- A control only has to be good enough, not absolute: make it tough enough to discourage the enemy

Types of Risk Analysis

Quantitative
- Assigns real numbers to costs of safeguards and damage
- Annual loss exposure (ALE)
- Probability of event occurring
- Can be unreliable/inaccurate

Qualitative
- Judges an organization's risk to threats
- Based on judgment, intuition, and experience
- Ranks the seriousness of the threats against the sensitivity of the assets
- Subjective; lacks hard numbers to justify return on investment

Quantitative vs. Qualitative

Quantitative analysis
- Uses mathematical/statistical data to derive numerical descriptions of risk
- More precise analysis
- More difficult to perform

Qualitative analysis
- Uses defined terms (words) to describe and categorize risk
- Less precise analysis
- Easier to perform

Consequence

- Deaths/fatalities (human)
- Injuries (human)
- Damages (cost, reported in US dollars)

Direct Losses

- Fatalities
- Injuries
- Repair and replacement of damaged or destroyed public and private structures
- Relocation costs/temporary housing
- Loss of business inventory/agriculture
- Loss of income/rental costs
- Community response costs
- Cleanup costs

Indirect Losses

- Loss of income
- Input/output losses of businesses
- Reductions in business/personal spending ("ripple effects")
- Loss of institutional knowledge
- Mental illness
- Bereavement

Tangible Losses

- Cost of building repair/replacement
- Response costs
- Loss of inventory
- Loss of income

Intangible Losses

- Cultural losses
- Stress
- Mental illness
- Sentimental value
- Environmental losses
- Fatalities/injuries

Quantitative Analysis Outline

1. Identify and value assets
2. Determine vulnerabilities and impact
3. Estimate likelihood of exploitation
4. Compute Annual Loss Exposure
5. Survey applicable controls and their costs
6. Project annual savings from each control

Quantitative

Risk = Risk-impact x Risk-probability

Loss of car: risk-impact is the cost to replace the car, e.g. $10,000. Probability of car loss: 0.10. Risk = 10,000 x 0.10 = 1,000.

Generally measured per year: Annual Loss Exposure (ALE).

Qualitative Risk Analysis

- Generally used in information security
- Hard to make meaningful valuations and meaningful probabilities
- Relative ordering is faster and more important
- Many approaches to performing qualitative risk analysis
- Same basic steps as quantitative analysis: still identifying assets, threats, vulnerabilities, and controls, just evaluating importance differently

Problem Identification

Step 1: Identify scope
- Bound the problem

Step 2: Assemble team
- Include subject matter experts, management in charge of implementing, users

Step 3: Identify threats
- Pick from lists of known threats
- Brainstorm new threats
- Mixing threats and vulnerabilities here...

Threat Prioritization

- Prioritize threats for each asset
- Likelihood of occurrence: define a fixed threat rating and associate a rating with each threat
- This approximates the risk probability of the quantitative approach

Loss Impact

- For each threat determine the loss impact
- Define a fixed ranking
- Used to prioritize damage to the asset from the threat
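The quantitative outline (ALE = risk-impact x risk-probability, then annual savings from a control) and the qualitative variant (a fixed threat rating times a fixed loss-impact ranking, used to order threats per asset) are the same computation on different scales. The following is an added example, not code from the original slides; the 1..3 ordinal scales, the control cost and the reduced probability are assumptions, and the threats other than the slides' car example are constructed.

```python
"""Added worked example: quantitative ALE and control savings beside the
qualitative rating x ranking prioritisation (same steps, different scale)."""
from dataclasses import dataclass, replace

# Assumed fixed qualitative scales; the slides only say "a fixed rating/ranking".
THREAT_RATING = {"low": 1, "medium": 2, "high": 3}      # likelihood rating
LOSS_IMPACT = {"minor": 1, "moderate": 2, "severe": 3}  # loss-impact ranking


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    impact_usd: float   # risk-impact: cost to replace/repair the asset
    probability: float  # risk-probability: chance of the event in one year
    rating: str         # qualitative likelihood (THREAT_RATING key)
    loss_impact: str    # qualitative loss impact (LOSS_IMPACT key)


def ale(t: Threat) -> float:
    """Annual Loss Exposure = risk-impact x risk-probability, per year."""
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError("probability must lie between 0 and 1")
    return t.impact_usd * t.probability


def annual_saving(t: Threat, reduced_probability: float, control_cost: float) -> float:
    """Step 6: yearly saving from a control = ALE avoided minus the control's
    yearly cost. A negative result means the control costs more than it saves."""
    after = replace(t, probability=reduced_probability)
    return ale(t) - ale(after) - control_cost


def qualitative_score(t: Threat) -> int:
    """Same formula on ordinal scales: rating x loss-impact ranking (1..9)."""
    return THREAT_RATING[t.rating] * LOSS_IMPACT[t.loss_impact]


def prioritise(threats):
    """Order threats per asset, highest qualitative score first (name breaks ties)."""
    return sorted(threats, key=lambda t: (t.asset, -qualitative_score(t), t.name))


# Constructed sample: the slides' car example plus two invented threats.
CAR_THEFT = Threat("car", "theft", 10_000, 0.10, "medium", "severe")
CAR_SCRATCH = Threat("car", "scratch", 300, 0.50, "high", "minor")
LAPTOP_LOSS = Threat("laptop", "loss", 1_500, 0.05, "low", "moderate")

if __name__ == "__main__":
    print(ale(CAR_THEFT))                       # 1000.0, as on the slide
    print(annual_saving(CAR_THEFT, 0.02, 200))  # 600.0 for an assumed $200/yr control
    for t in prioritise([CAR_SCRATCH, CAR_THEFT, LAPTOP_LOSS]):
        print(t.asset, t.name, qualitative_score(t))
```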

Changes in Human Activities

- Population growth
- Economic growth
- Technological innovation
- Social expectations
- Growing interdependence

Through project risk analysis one can understand whether a project is risky or not; whatever the risk, high or low, the investor takes a decision on that basis.