An Overview of Risk Management - Utica College
Introduction
Risk management: process of identifying and controlling risks facing an organization
Risk identification: process of examining an organization’s current information technology security situation
Risk assessment: assign a risk rating to each asset
Risk control: applying controls to reduce risks to an organization's data and information systems
An Overview of Risk Management
Know yourself: identify, examine, and understand the information and systems currently in place
Know the enemy: identify, examine, and understand threats facing the organization
Responsibility of each community of interest within an organization to manage risks that are encountered
An Overview of Risk Management (cont’d)
Information security, management and users, information technology all must work together
Periodic management review:
Verify completeness/accuracy of asset inventory
Review and verify threats as well as controls and mitigation strategies
Review cost effectiveness of each control
Verify effectiveness of controls deployed
Risk Identification
Steps:
Plan and organize the process
Categorize system components
Inventory and categorize assets
Identify threats
Specify vulnerable assets
Risk Identification
Risk identification begins with the process of self-examination
Managers identify the organization’s information assets, classify them into useful groups, and prioritize them by their overall importance
Creating an Inventory of Information Assets
Identify information assets, including people, procedures, data and information, software, hardware, and networking elements
Should be done without pre-judging value of each asset
Values will be assigned later in the process
Table 4-1 - Categorizing Components
Identifying Hardware, Software, and Network Assets
Whether automated or manual, the inventory process requires a certain amount of planning
Determine which attributes of each of these information assets should be tracked
Will depend on the needs of the organization and its risk management efforts
Attributes for Assets
When deciding which attributes to track for each information asset, consider the following list of potential attributes:
Name
IP address
MAC address
Asset type
Serial number
Manufacturer name
Manufacturer's model or part number
Software version, update revision, or FCO number
Physical location
Logical location
Controlling entity
People, Procedures, and Data Asset Identification
More difficult to identify
Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment
Suggested Attributes for People, Procedures, and Data Assets
People:
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
Procedures:
Description
Intended purpose
Software/hardware/networking elements to which it is tied
Location where it is stored for reference
Location where it is stored for update purposes
Suggested Attributes for People, Procedures, and Data Assets
Data:
Classification
Owner/creator/manager
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
Classifying and Categorizing Assets
Once initial inventory is assembled, determine whether its asset categories are meaningful
Inventory should also reflect sensitivity and security priority assigned to each information asset
A classification scheme categorizes these information assets based on their sensitivity and security needs
Classifying and Categorizing Assets (Continued)
Each of these categories designates level of protection needed for a particular information asset
Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type
Classification categories must be comprehensive and mutually exclusive
Information Asset Classification
Many organizations have data classification schemes (e.g., confidential, internal, public data)
Classification of components must be specific to allow determination of priority levels
Categories must be comprehensive and mutually exclusive
Information owners responsible for classifying their information assets
Information classifications must be reviewed periodically
For personnel, the classification corresponds to the security clearance level required to use the asset
Management of Classified Information Assets
Managing an information asset includes considering the storage, distribution, portability, and destruction of that information asset
Information asset that has a classification designation other than unclassified or public:
Must be clearly marked as such
Must be available only to authorized individuals
Management of Classified Information Assets
To maintain confidentiality of classified documents, managers can implement a clean desk policy
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
Military Data Classification Cover Sheets
Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, assign a relative value
Relative values are comparative judgments made to ensure that the most valuable information assets are given the highest priority, for example:
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the highest profitability?
Which information asset is the most expensive to replace?
Which information asset is the most expensive to protect?
Which information asset's loss or compromise would be the most embarrassing or cause the greatest liability?
Listing Assets in Order of Importance
The final step in the asset identification process is to list the assets in order of importance
Can be achieved by using a weighted factor analysis sheet
Table 4-2 – Example Weighted Factor Analysis
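A weighted factor analysis sheet of the kind Table 4-2 illustrates, written out as an added Python example rather than the table's own figures: the criteria, weights, asset names and scores below are constructed for illustration, and the function names are this example's own.

```python
# Added example, not part of the original slides. Weighted factor analysis:
# each asset is scored 0.1-1.0 against a few criteria, each criterion carries
# a weight, the weights sum to 100, and the weighted sum ranks the assets.
# Criteria, weights, asset names and scores are constructed for illustration.

CRITERIA_WEIGHTS = {
    "impact on revenue": 30,
    "impact on profitability": 40,
    "impact on public image": 30,
}

# Constructed sample inventory: asset -> score per criterion (0.1 - 1.0)
SAMPLE_ASSETS = {
    "customer order database": {
        "impact on revenue": 1.0, "impact on profitability": 1.0, "impact on public image": 0.9},
    "EDI document transfer to outsourcer": {
        "impact on revenue": 0.8, "impact on profitability": 0.9, "impact on public image": 0.5},
    "public web site": {
        "impact on revenue": 0.2, "impact on profitability": 0.3, "impact on public image": 0.9},
    "internal wiki": {
        "impact on revenue": 0.1, "impact on profitability": 0.2, "impact on public image": 0.3},
}


def validate_weights(weights):
    """The sheet only makes sense if the criterion weights sum to 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criteria weights must sum to 100, got {total}")


def weighted_score(scores, weights):
    """Weighted score of one asset: sum over criteria of weight x score."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is not scored on: {sorted(missing)}")
    for criterion, score in scores.items():
        if not 0.1 <= score <= 1.0:
            raise ValueError(f"score for {criterion!r} must be in 0.1-1.0, got {score}")
    return sum(weights[c] * scores[c] for c in weights)


def rank_assets(assets, weights):
    """Return (asset, weighted score) pairs, most important first.

    Scores are rounded to one decimal so that ties in the sheet are real ties
    and not float noise; sorted() is stable, so tied assets keep inventory order.
    """
    rows = [(name, round(weighted_score(scores, weights), 1))
            for name, scores in assets.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS, CRITERIA_WEIGHTS):
        print(f"{score:6.1f}  {name}")
```

The weight check matters in practice: a sheet whose weights do not sum to 100 still produces numbers, but they are no longer comparable across assets scored by different people, which defeats the point of the exercise.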
Threat Identification
Each threat presents a unique challenge to information security
Must be handled with specific controls that directly address particular threat and threat agent’s attack strategy
Before threats can be assessed in risk identification process, each threat must be further examined to determine its potential to affect targeted information asset
In general, referred to as threat assessment
Threats to Information Security
Weighted Ranking of Threat-Driven Expenditures
Top Threat-Driven Expenses                              Rating
Deliberate software attacks                             12.7
Acts of human error or failure                           7.6
Technical software failures or errors                    7.0
Technical hardware failures or errors                    6.0
Quality-of-service deviations from service providers     4.9
Deliberate acts of espionage or trespass                 4.7
Deliberate acts of theft                                 4.1
Deliberate acts of sabotage or vandalism                 4.0
Technological obsolescence                               3.3
Forces of nature                                         3.0
Compromises to intellectual property                     2.2
Deliberate acts of information extortion                 1.0
Vulnerability Assessment
Once you have identified the information assets of the organization and documented some threat assessment criteria, you can begin to review every information asset for each threat
Leads to creation of list of vulnerabilities that remain potential risks to organization
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
This list serves as starting point for next step in the risk management process—risk assessment
Risk Assessment
The goal at this point is to create a method to evaluate relative risk of each listed vulnerability
Risk Assessment
Steps:
Assign value to attack on assets
Assess likelihood of attack on vulnerabilities
Calculate relative risk factor to assets
Review possible controls
Document findings
Risk Estimate Factors
Risk is:
The likelihood of the occurrence of a vulnerability
Multiplied by the value of the information asset
Minus the percentage of risk mitigated by current controls
Plus the uncertainty of current knowledge of the vulnerability
That is, rating = (likelihood × value) − (likelihood × value × mitigated %) + (likelihood × value × uncertainty %); both percentages are taken of the likelihood × value product, which is how the worked example later in this section arrives at its figures
Likelihood
Likelihood is the overall rating - often a numerical value on a defined scale (such as 0.1 – 1.0) - of the probability that a specific vulnerability will be exploited
Can also use a weighted score, e.g. 1-100, low-med-high, etc.
Valuation of Information Assets
Assign weighted scores for value of each asset; actual number used can vary with needs of organization
Can use the one from Risk Identification with some refinement if necessary
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside
If it is partially controlled, estimate what percentage of the vulnerability has been controlled
Uncertainty
It is not possible to know everything about every vulnerability
The degree to which a current control can reduce risk is also subject to estimation error
Uncertainty is an estimate made by the manager using judgment and experience
Risk Determination Example
Asset A has a value of 20 and has one vulnerability (#1), which has a likelihood of 1.0 with no current controls; your assumptions and data are 75% accurate
Asset B has a value of 90 and has two vulnerabilities:
Vulnerability #2 has a likelihood of 0.4 with a current control that addresses 50% of its risk
Vulnerability #3 has a likelihood of 0.1 with no current controls
Your assumptions and data are 80% accurate
Risk Determination Example
Resulting ranked list of risk ratings for the three vulnerabilities is as follows:
Asset A, Vulnerability 1: rated 25 = (20 × 1.0) − 0% of 20 (no controls) + 25% of 20 (uncertainty from 75% accuracy) = 20 − 0 + 5
Asset B, Vulnerability 2: rated 25.2 = (90 × 0.4) − 50% of 36 + 20% of 36 = 36 − 18 + 7.2
Asset B, Vulnerability 3: rated 10.8 = (90 × 0.1) − 0% of 9 + 20% of 9 = 9 − 0 + 1.8
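The risk estimate factors and the example above, as an added Python example (not code from the original slides): it reproduces the three ratings and builds the ranked list from them. The function and field names are this example's own.

```python
# Added example, not part of the original slides. The risk estimate factors
# (likelihood x value, minus the share mitigated by current controls, plus
# the uncertainty share) as a function, checked against the slide's numbers.
# Function and field names are this example's own.

def risk_rating(asset_value, likelihood, mitigated_pct, accuracy_pct):
    """Relative risk rating for one asset/vulnerability pair.

    asset_value    relative value from the weighted factor analysis (e.g. 20, 90)
    likelihood     probability the vulnerability is exploited, 0.0 - 1.0
    mitigated_pct  percentage of the risk addressed by current controls, 0 - 100
    accuracy_pct   how accurate the assumptions and data are believed to be;
                   uncertainty is 100 - accuracy (75% accurate -> 25% uncertainty)

    Both percentages are applied to the base product (likelihood x value);
    that is the reading under which the slide's 25, 25.2 and 10.8 come out.
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be in 0.0-1.0, got {likelihood}")
    for name, pct in (("mitigated_pct", mitigated_pct), ("accuracy_pct", accuracy_pct)):
        if not 0 <= pct <= 100:
            raise ValueError(f"{name} must be in 0-100, got {pct}")
    base = asset_value * likelihood
    mitigated = base * mitigated_pct / 100
    uncertainty = base * (100 - accuracy_pct) / 100
    return base - mitigated + uncertainty


def ranked_vulnerability_worksheet(entries):
    """Build the ranked vulnerability risk worksheet: highest rating first.

    Each entry is a dict with keys asset, vulnerability, value, likelihood,
    mitigated_pct, accuracy_pct. Ratings are rounded to one decimal so that
    equal ratings rank as ties rather than by float noise.
    """
    rows = []
    for e in entries:
        rating = risk_rating(e["value"], e["likelihood"], e["mitigated_pct"], e["accuracy_pct"])
        rows.append((e["asset"], e["vulnerability"], round(rating, 1)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# The slide's example, transcribed: two assets, three vulnerabilities
SLIDE_EXAMPLE = [
    {"asset": "A", "vulnerability": 1, "value": 20, "likelihood": 1.0, "mitigated_pct": 0,  "accuracy_pct": 75},
    {"asset": "B", "vulnerability": 2, "value": 90, "likelihood": 0.4, "mitigated_pct": 50, "accuracy_pct": 80},
    {"asset": "B", "vulnerability": 3, "value": 90, "likelihood": 0.1, "mitigated_pct": 0,  "accuracy_pct": 80},
]

if __name__ == "__main__":
    for asset, vuln, rating in ranked_vulnerability_worksheet(SLIDE_EXAMPLE):
        print(f"Asset {asset}, vulnerability {vuln}: {rating}")
```

Note how the uncertainty term works against you: a vulnerability you know little about ranks higher than the same vulnerability with good data behind it, which is the intended effect, since poorly understood exposures deserve attention before they are set aside.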
Identify Possible Controls
For each threat and its associated vulnerabilities that have risk of being exploited, create a preliminary list of control ideas
Three general categories of controls exist:
Policies
Programs (education, training, and awareness programs)
Technical controls
Documenting the Results of Risk Assessment
The goal of the risk management process:
Identify information assets and their vulnerabilities
Rank them according to the need for protection
In preparing this list, a wealth of factual information about the assets and the threats they face is collected
Also, information about the controls that are already in place is collected
The final summarized document is the ranked vulnerability risk worksheet
Ranked Vulnerability Risk Worksheet
What’s the assumption made in this worksheet?
Documenting the Results of Risk Assessment (Continued)
By the end of risk assessment, you should have three deliverables
Information asset classification worksheet
Weighted factor analysis worksheet
Ranked vulnerability risk worksheet
Risk Control
Introduction
The primary goal of risk control is to reduce risk to an acceptable level
What level is acceptable?
It is impossible to design and deploy a totally risk-free environment
Risk control is often achieved by applying safeguards
Safeguard: anything that removes a vulnerability or protects against one or more specific threats.
Risk Control Strategies
An organization must choose one of four basic strategies to control risks :
Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
Transference: shifting the risk to other areas or to outside entities
Mitigation: reducing the impact should the vulnerability be exploited
Acceptance: understanding the consequences and accepting the risk without control or mitigation
Avoidance
Avoidance is the risk control strategy that attempts to prevent the exploitation of the vulnerability
Avoidance is accomplished through:
Application of policy
Application of training and education
Countering threats
Implementation of technical security controls and safeguards
Transference
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations
May be accomplished by:
Rethinking how services are offered
Revising deployment models
Outsourcing to other organizations
Purchasing insurance
Implementing service contracts with providers
Mitigation
Reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability
This approach includes three types of plans:
Disaster recovery plan (DRP)
Incident response plan (IRP)
Business continuity plan (BCP)
Mitigation depends upon the ability to detect and respond to an attack as quickly as possible
Summaries of Mitigation Plans
Acceptance
Acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation.
It also means that management has agreed to accept the consequences and the loss if the risk is realized.
This control, or lack of control, assumes that it may be a prudent business decision to
Examine alternatives
Conclude the cost of protecting an asset does not justify the security expenditure
Acceptance (Continued)
Only valid use of acceptance strategy occurs when organization has:
Determined the level of risk to the information asset
Assessed the probability of attack and the likelihood of a successful exploitation of the vulnerability
Approximated the ARO of the exploit
Estimated the potential loss from attacks
Performed a thorough cost benefit analysis
Evaluated controls using each appropriate type of feasibility
Decided that the particular asset did not justify the cost of protection
Usually requires a sign-off letter.
Risk Control Strategy Selection
Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization
If the loss is within the range of losses the organization can absorb, or if the attacker’s gain is less than expected costs of the attack, the organization may choose to accept the risk
Otherwise, one of the other control strategies will have to be selected
Risk Handling Action Points
Risk Control Strategy Selection
Some rules:
When a vulnerability exists: implement security controls to reduce the likelihood of the vulnerability being exercised
When a vulnerability can be exploited: apply layered controls to minimize the risk or prevent occurrence
When the attacker's potential gain is greater than the costs of attack: apply protections to increase the attacker's cost or reduce the attacker's gain, using technical or managerial controls
When potential loss is substantial: apply design controls to limit the extent of the attack, thereby reducing the potential for loss
Evaluation, Assessment, And Maintenance Of Risk Controls
Once a control strategy has been selected and implemented
Effectiveness of controls should be monitored and measured on an ongoing basis
This determines both the effectiveness of each control and the accuracy of the estimated risk that will remain after all planned controls are in place
The Risk Control Cycle
Feasibility Studies and Cost Benefit Analysis
Before deciding on the strategy for a specific vulnerability, all readily accessible information about the consequences of the vulnerability must be explored
“What are the advantages of implementing a control as opposed to the disadvantages of implementing the control?”
Number of ways to determine advantage or disadvantage of a specific control
Primary means are based on the value of information assets that control is designed to protect
Cost Benefit Analysis (CBA)
Economic feasibility: criterion most commonly used when evaluating a project that implements information security controls and safeguards
A primary goal is to ensure that only cost-effective safeguards are deployed
Organizations are urged to begin a cost benefit analysis by evaluating:
Worth of the information assets to be protected
Loss in value if those information assets are compromised
Cost
Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it
Some of the items that affect the cost of a control or safeguard include:
Cost of purchase, development, and licensing
Cost of implementation and customization
Cost of annual operation, maintenance, administration, and so on
Cost of annual repairs and upgrades
Productivity improvement or loss
Changes to environment
Cost of testing and evaluation
Training fees
Benefit
Benefit is the value to the organization of using controls to prevent losses associated with a specific vulnerability
Usually determined by:
Valuing the information asset or assets exposed by the vulnerability
Determining how much of that value is at risk and how much risk there is for the asset
Determining the annualized loss expectancy (ALE)
Benefit is expressed as the reduction in ALE due to implementation of the control/safeguard
Asset Valuation
Asset valuation is the process of assigning financial value or worth to each information asset
Actual cost
Non-monetary expenses
Asset Valuation (Cont’d)
SLE
Single loss expectancy (SLE): the cost associated with a single realized risk against specific asset
Based on asset value and expected percentage of loss that would occur from a particular attack:
SLE = asset value (AV) × exposure factor (EF)
Where EF = the percentage loss if a specific asset were violated by a realized risk
Example: if an asset is valued at $20,000, and it has an EF of 45% for a specific threat, then the SLE of the threat for that asset is _____.
This information is usually estimated
ARO
Annualized rate of occurrence: the expected frequency with which a specific threat or risk will occur within a single year
Needs estimation:
Learn from history
Guesswork
Statistical analysis
ALE
Annualized loss expectancy: the possible yearly cost of all instances of a specific realized threat against a specific asset
ALE = SLE × ARO
The Cost Benefit Analysis (CBA) Formula
CBA determines whether or not a control alternative is worth its associated cost
CBAs may be calculated:
Before a control or safeguard is implemented, to determine if the control is worth implementing, or
After controls have been implemented and have been functioning for a time:
CBA = ALE(prior) – ALE(post) – ACS
The Cost Benefit Analysis (CBA) Formula
ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control
ALE(post control) is the ALE examined after the control has been in place for a period of time
ACS is the annual cost of the safeguard
Example 1
A computer is susceptible to hacker attack. If the hacker attack were successful, it would cause a financial loss of $5,000. Assume hacker attacks happen once every six months. Calculate ARO, SLE, and ALE.
A new firewall is installed on the computer; now the hacker attack happens once every two years. The financial loss is the same if the attack happens. Calculate ARO, SLE, and ALE.
The cost of the firewall is $6,000 (treat this as the annual cost). Is this control (firewall) economically feasible according to cost-benefit analysis?
Example 2
A company is considering installing an intrusion detection system (IDS). Currently an intrusion (hacker attack) happens once every month on average. Each one costs about $10,000. The IDS will be able to detect 90% of the intrusions. When an intrusion is detected, the average financial loss due to that intrusion will be reduced to $2,000. The cost of the IDS is $50,000. Use CBA to decide whether the IDS is economically feasible.
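SLE, ARO, ALE and the CBA formula worked through for the SLE slide and both exercises above, as an added Python example (not code from the original slides). The function names are this example's own, and one assumption is made that the slides leave open: the $50,000 IDS cost in Example 2 is treated as an annual cost, as the slide does for the firewall in Example 1.

```python
# Added example, not part of the original slides. SLE, ARO, ALE and the CBA
# formula CBA = ALE(prior) - ALE(post) - ACS, applied to Example 1 and
# Example 2. Function names are this example's own. Assumption: the $50,000
# IDS cost in Example 2 is an annual cost, as the firewall cost is in Example 1.

def sle(asset_value, exposure_factor):
    """Single loss expectancy: AV x EF, with EF as a fraction 0.0-1.0."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be a fraction 0-1, got {exposure_factor}")
    return asset_value * exposure_factor


def aro(occurrences, period_in_years):
    """Annualized rate of occurrence: events per year (may be fractional)."""
    return occurrences / period_in_years


def ale(single_loss, annual_rate):
    """Annualized loss expectancy: SLE x ARO."""
    return single_loss * annual_rate


def cba(ale_prior, ale_post, annual_cost_of_safeguard):
    """The ALE reduction the control buys, minus what it costs per year.

    A positive result means the control is economically feasible.
    """
    return ale_prior - ale_post - annual_cost_of_safeguard


def example1_firewall(annual_cost=6_000):
    """Example 1: $5,000 per successful attack; attacks drop from once every
    six months to once every two years after the firewall."""
    loss = 5_000                                # SLE is given directly
    ale_prior = ale(loss, aro(1, 0.5))          # 2 attacks/year   -> 10,000
    ale_post = ale(loss, aro(1, 2))             # 0.5 attacks/year -> 2,500
    return {"ale_prior": ale_prior, "ale_post": ale_post,
            "cba": cba(ale_prior, ale_post, annual_cost)}


def example2_ids(detection_pct=90, loss_undetected=10_000, loss_detected=2_000,
                 annual_cost=50_000):
    """Example 2: one intrusion a month at $10,000; the IDS detects 90% and cuts
    the loss of a detected intrusion to $2,000. The 10% it misses still cost
    the full amount, so the post-control SLE is the expected loss per intrusion.
    """
    monthly = aro(12, 1)                        # 12 intrusions/year
    ale_prior = ale(loss_undetected, monthly)   # 120,000
    # Integer percentages keep this exact: (90*2000 + 10*10000)/100 = 2,800
    expected_loss = (detection_pct * loss_detected
                     + (100 - detection_pct) * loss_undetected) / 100
    ale_post = ale(expected_loss, monthly)      # 33,600
    return {"ale_prior": ale_prior, "ale_post": ale_post,
            "cba": cba(ale_prior, ale_post, annual_cost)}


if __name__ == "__main__":
    for name, result in (("firewall", example1_firewall()), ("IDS", example2_ids())):
        verdict = "feasible" if result["cba"] > 0 else "not feasible"
        print(f"{name}: ALE before {result['ale_prior']:,.0f}, after "
              f"{result['ale_post']:,.0f}, CBA {result['cba']:,.0f} -> {verdict}")
```

The detection rate is the number to be sceptical of in Example 2: the missed intrusions keep their full cost, so `example2_ids(detection_pct=50)` raises ALE(post) to $72,000 and most of the benefit disappears. An honest ACS also includes the operating, tuning and staffing costs listed on the Cost slide, not only the purchase price.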
CBA discussion
It is a daunting job to calculate EF, SLE, ARO, and ALE for every asset and every threat/risk
Fortunately, there are quantitative risk assessment tools available.
Other Feasibility Approaches
Organizational feasibility analysis examines how well proposed information security alternatives will contribute to the operation of an organization
Operational feasibility
Technical feasibility examines whether or not the organization has or can acquire the technology to implement and support the alternatives
Political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest
Benchmarking
Benchmarking is an activity where organizations continuously engage in self-study and compare themselves with the leaders in their field so they can identify, adapt, and apply significantly better practices. Benchmarking:
Seeking out and studying practices of other organizations that produce desired results
Measuring differences between how organizations conduct business
When benchmarking, an organization typically uses one of two measures to compare practices:
Metrics-based measures are comparisons based on numerical standards
Process-based measures are generally less focused on numbers and are more strategic
Benchmarking Steps
Self-assessment: decide what to benchmark.
Comparison: decide who to benchmark.
Analysis and adaptation: ask why you are getting your results and why others are getting better results.
Implementation: think carefully about what enablers (e.g., resources, schedule changes) are needed.
Feedback: carefully monitor and measure the results of your innovation and recalibrate if necessary.
Benchmarking (Continued)
In the field of information security, two categories of benchmarks are used:
Standards of due care and due diligence, and
Best practices
Due Care and Due Diligence
For legal reasons, an organization may be forced to adopt a certain minimum level of security
When organizations adopt levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances
Called standard of due care
Due diligence is demonstration that organization is persistent in ensuring implemented standards continue to provide required level of protection
Best Business Practices
Best business practices: security efforts that seek to provide a superior level of performance
Are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility
Companies with best practices may not be the best in every area
May simply have established an extremely high quality or successful security effort in one or more area
http://fasp.nist.gov
The Gold Standard
Even the best business practices are not sufficient for some organizations
These organizations aspire to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can
The gold standard is a defining level of performance that demonstrates a company's industrial leadership, quality, and concern for the protection of information
Seeking the gold standard is a method of striving for excellence
Applying Best Practices
When considering best practices for adoption, address the following questions:
Does your organization resemble the organization that is implementing the best practice under consideration?
Is your organization in a similar industry?
Does your organization face similar challenges?
Is your organizational structure similar to the organization from which you are modeling the best practices?
Can your organization expend resources that are in line with the requirements of the best practice?
Is your organization in a similar threat environment as the one cited in the best practice?
Problems with Benchmarking and Best Practices
Organizations don’t talk to each other
No two organizations are identical
Best practices are a moving target
Simply knowing what was going on a few years ago does not necessarily indicate what to do next
Baselining
Baselining is the analysis of measures against established standards
In information security, baselining records security activities and events as the reference against which the organization's future performance is compared
The information gathered for an organization’s first risk assessment becomes the baseline for future comparisons
Risk Appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility
Reasoned approach to risk is one that balances expense against possible losses if exploited
Residual Risk
When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely accounted for: residual risk
Residual Risk
The significance of residual risk must be judged within the context of an organization’s risk appetite
The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization’s risk appetite
Documenting Results
When risk management program has been completed, series of proposed controls are prepared
Each justified by one or more feasibility or rationalization approaches
At minimum, each information asset-threat pair should have a documented control strategy that
Clearly identifies any residual risk remaining after the proposed strategy has been executed
Documenting Results
Some organizations document outcome of control strategy for each information asset-threat pair in an action plan
Includes:
Concrete tasks, each with accountability assigned to an organizational unit or to an individual
Qualitative Measures
Quantitative assessment performs asset valuation with actual values or estimates
An organization could determine that it cannot put specific numbers on these values
Organizations could use qualitative assessments instead.
More scenario based
Rank threats on a scale to evaluate their risks, costs and effects
87
Qualitative Risk Analysis
Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
88
Scenarios
Basic process for all qualitative mechanisms is to create scenarios
A scenario is a written description of a single major threat
Focus on how a threat would be instigated and what effects it could have on the organization, IT infrastructure and specific assets
Generally one page each
Assign a threat level to the scenario, a loss potential and the advantages of each safeguard
89
Delphi Technique
An anonymous feedback and response process
Elicits honest and uninfluenced responses from all participants
Round-by-round:
Each participant writes down a response on paper anonymously
Results are compiled and presented to the group for evaluation
Repeat until consensus is reached
90
The usefulness and validity of a qualitative measure is improved as the number and diversity of the participants in the evaluation increases.
One or more persons from each levelOne or more from each major department, division, or branch
Comparison of Quantitative and Qualitative