I & II - Introduction to Value & Risk Mgt. & Process Summary


8/21/2019 I & II - Introduction to Value & Risk Mgt. & Process Summary

Slide 1/43: Risk Management

Slide 2/43: Definition of risk

Risk means the chance of injury or loss due to an uncertain danger, peril or hazard.

A particular decision or course of action is said to be subject to risk when there is a range of possible outcomes and objectively known probabilities can then be attached to these outcomes.

Slide 3/43: Risk vs uncertainty

Risk is, thus, distinguished from uncertainty, where there is a plurality of outcomes to which objective probabilities cannot be assigned.

Many situations which in practice are called "risky" are, on a strict definition, really subject to uncertainty, not risk.

Slide 4/43: Definition of Risk Management

Risk Management (RM) involves anticipating and/or identifying potential risks and taking steps to avoid them or to mitigate the resulting harm.

The aim is to minimise the sum of:

- retained losses
- insurance or other risk transfers
- loss control expenses

Slide 5/43: Risk Management

Internal and external factors shown on the slide: Regulation, Industry, Culture, Corporate History, Management's Risk Tolerance, Organizational Maturity, Structure.

Risk Mgmt strategies are determined by both internal & external factors.

Risk Tolerance or Appetite: the level of risk that management is comfortable with.

Slide 6/43: Risk Management Process

Process stages shown on the slide:

- Establish Scope & Boundaries
- Identification
- Analysis
- Evaluation
- Avoid / Reduce / Transfer / Retain
- Accept Residual Risk

Identification, Analysis and Evaluation make up Risk Assessment; the Avoid / Reduce / Transfer / Retain decision is Risk Treatment. Risk Communication & Monitoring runs alongside the whole process.

Questions the stages answer:

- What assets & risks exist?
- What does this risk cost? What priorities shall we set?
- What controls can we use?
- What to investigate? What to consider?

Slide 7/43: Risk Appetite

- Do you operate your computer with or without antivirus software?
- Do you have antispyware?
- Do you open emails with forwarded attachments from friends or follow questionable web links?
- Have you ever given your bank account information to a foreign emailer to make $$$?

What is your risk appetite? If liberal, is it due to risk acceptance or ignorance? Companies too have risk appetites, decided after evaluating risk.

Slide 8/43: Continuous Risk Mgmt Process

Cycle shown on the slide, with Risk Appetite at its centre:

- Identify & Assess Risks
- Develop Risk Mgmt Plan
- Implement Risk Mgmt Plan
- Proactive Monitoring

Risks change with time as business & environment change. Controls degrade over time and are subject to failure. Countermeasures may open new risks.

Slide 9/43: A builder's definition of RM

Risk is an uncertain event, feature, activity or situation that can have a positive or negative effect on an object.

RM is a formal process that identifies, assesses, plans and manages the risk.

Slide 10/43: Why builders have RM

"A risk aware organisation, capable of identifying and managing uncertainty in order to maximise opportunity deliver max. value"

"…Its primary aim is to help maximise business value by doing the right projects, right the first time."

RM Quality: "and the successful identification, reduction, communication and control of risk are key issues and performance drivers…"

Slide 11/43: Why builders have RM

The group "assesses and manages risk to ensure that:

- the public, our employees and the environment are safe from the potential hazards in our operations;
- that new essential assets are created to the maximum obtainable benefit of their intended users and the community at large;
- the potential for damage to our clients and the Group's corporate reputation and/or financial loss to our stakeholders is minimised"

Slide 12/43: RM in Building

Every activity/project faces the full risk spectrum, tied to health, safety, environment, regulations, labour (supply/law), transport etc.

In broad terms, risk can be divided into:

- strategic
- operating
- financial
- information

Slide 13/43: Strategic risks

Environmental:

- Natural/man-made disasters
- Political
- Laws/regulations
- Industry
- Competition
- Financial markets

Organisational:

- Corporate objectives, strategies
- Leadership
- Management
- Investor/credit relations
- Human resources

Slide 14/43: (no text captured)

Slide 15/43: RM and risk control

Mgt process:

- Identify and analyse exposure
- Evaluate alternatives
- Select most promising technique
- Implement choice
- Monitor process and change as necessary

Control:

- Avoidance
- Prevention
- Reduction (stop losses or reduce damage)
- Segregation of loss exposures
- Contractual risk transfer

Slide 16/43: Security Evaluation: Risk Assessment

Five steps include:

1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement; Risk Exposure = Probability of Vulnerability x Loss
5. Treat Risk: Survey & Select … (risk exposure after reduction) / (cost of risk reduction)

Slide 17/43: Step 1: Determine Value of Assets

Identify & Determine Value of Assets (Crown Jewels). Assets include:

- IT-Related: Information/data, hardware, software, services, documents, personnel
- Other: Buildings, inventory, cash, reputation, sales opportunities

Questions to ask:

- What is the value of this asset to the company?
- How much of our income can we attribute to this asset?
- How much would it cost to recover this?
- How much liability would we be subject to if the asset were compromised?

Helpful websites: www.attrition.org

Slide 18/43: Determine Cost of Assets

Sales: Product A, Product B, Product C

For each product the slide asks for:

- Risk: Replacement Cost =
- Cost of loss of integrity =
- Cost of loss of availability =
- Cost of loss of confidentiality =

Tangible + Intangible costs: High / Med / Low

Slide 19/43: Step 1: Determine Value of Assets

Asset Name | Value: Direct Loss / Replacement | Value: Consequential Financial Loss | Confidentiality, Integrity, and Availability | Notes
Laptop | $1,000 | Mailings = $130 x #Cust; Reputation = $9,000 | Conf., Avail. | [not legible]
Equipment | $10,000 | $[amount not legible] per day in Availability (e.g., due to …) | [not legible] | [not legible]

Workbook

Slide 20/43: Step 2: Determine Loss Due to Threats

- Natural: Flood, fire, cyclones, rain/hail/snow, plagues and earthquakes
- Unintentional: Fire, water, building damage/collapse, loss of utility services, and equipment failure
- Intentional: Fire, water, theft, vandalism
- Intentional, non-physical: Fraud, espionage, hacking, identity theft, malicious code, social engineering, phishing, denial of service

Slide 21/43: Threat Agent Types

Agent | Motivation | Typical actions
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists | Destruction/revenge/extortion | DOS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse

Slide 22/43: Step 2: Determine Threats Due to Vulnerabilities

System vulnerabilities:

- Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
- Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
- Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
- Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy

Slide 23/43: Step 3: Estimate Likelihood of Exploitation

Best sources:

- Past experience
- Mass media
- Specialists and expert advice
- Economic, engineering, or other models
- Market research & analysis
- Experiments & prototypes

Slide 24/43: Step 4: Compute Expected Loss

Risk Analysis Strategies:

- Qualitative: Prioritises risks so that the highest risks can be addressed first. Based on judgment, intuition, and experience. May factor in reputation, goodwill, non-tangibles.
- Quantitative: Measures the approximate cost of impact in financial terms.
- Semiquantitative: Combination of qualitative & quantitative techniques.

Slide 25/43: Step 4: Compute Loss Using Qualitative Analysis

Qualitative analysis is used:

- As a preliminary look at risk
- With non-tangibles, such as reputation, image, market share, share value
- When there is insufficient information to perform a more quantified analysis

Slide 26/43: Step 4: Compute Loss Using Semi-Quantitative Analysis

Impact scale:

1) Insignificant:

Slide 27/43: Semiquantitative Impact Matrix

Likelihood (columns): Rare (1), Unlikely (2), Moderate (3), Likely (4), Frequent (5)

Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)

Each cell of the 5 x 5 likelihood x impact grid is labelled Low, Medium or High; the individual cell labels did not survive extraction.
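To make the likelihood x impact scoring concrete, here is an added Python example that is not part of the slide deck. It uses the slide's two 1..5 scales, scores a risk as likelihood rating times impact rating, assigns a Low/Medium/High band and ranks a small register so the highest risks come first (the ordering the qualitative strategy on slide 24 calls for). The band cut-offs (Low for scores up to 4, Medium up to 12, High above) are an assumption, since the cell labels on the slide are not legible, and the register entries are constructed.

```python
"""Semi-quantitative risk scoring on the slide's 5x5 likelihood x impact matrix.

Added example, not from the slides. The two scales are the slide's own;
the Low/Medium/High cut-offs and the sample register are assumptions.
"""
from typing import Dict, List, Tuple

# Slide 27 scales: likelihood columns and impact rows, each scored 1..5.
LIKELIHOOD: Dict[str, int] = {
    "Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Frequent": 5,
}
IMPACT: Dict[str, int] = {
    "Insignificant": 1, "Minor": 2, "Major": 3, "Material": 4, "Catastrophic": 5,
}


def band(score: int) -> str:
    """Map a 1..25 score to a band. Cut-offs are an assumption (not legible on the slide)."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"


def rate(likelihood: str, impact: str) -> Tuple[int, str]:
    """Score one risk: likelihood rating x impact rating, plus its band.

    Unknown ratings raise KeyError so a typo in a register cannot silently score as 0.
    """
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return score, band(score)


def matrix() -> List[List[str]]:
    """The full grid as laid out on the slide: rows from Catastrophic down to
    Insignificant, columns from Rare to Frequent, each cell 'score/band'."""
    rows = []
    for impact in reversed(list(IMPACT)):
        row = []
        for likelihood in LIKELIHOOD:
            score, label = rate(likelihood, impact)
            row.append(f"{score}/{label}")
        rows.append(row)
    return rows


def rank(register: List[Tuple[str, str, str]]) -> List[Tuple[str, int, str]]:
    """Order a register of (name, likelihood, impact) so the highest risks come
    first; ties are broken by impact rating, then by name for a stable listing."""
    scored = []
    for name, likelihood, impact in register:
        score, label = rate(likelihood, impact)
        scored.append((name, score, label, IMPACT[impact]))
    scored.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return [(name, score, label) for name, score, label, _ in scored]


# Constructed register: illustrative names drawn from the threat lists on slides 20-22.
SAMPLE_REGISTER = [
    ("Ransomware delivered by phishing", "Likely", "Catastrophic"),
    ("Fire in the server room", "Rare", "Catastrophic"),
    ("Unencrypted laptop stolen while travelling", "Moderate", "Material"),
    ("Terminal kicked over in the open-plan office", "Frequent", "Insignificant"),
    ("Misconfigured switch port", "Unlikely", "Minor"),
]


if __name__ == "__main__":
    print("Impact \\ Likelihood".ljust(22) + "".join(l.ljust(12) for l in LIKELIHOOD))
    for impact, row in zip(reversed(list(IMPACT)), matrix()):
        print(impact.ljust(22) + "".join(cell.ljust(12) for cell in row))
    print()
    for name, score, label in rank(SAMPLE_REGISTER):
        print(f"{score:>2} {label:<6} {name}")
```

Note that a rare but catastrophic event and a frequent but insignificant one both score 5 here; the tie-break on impact is what puts the fire above the kicked terminal, which is the judgement call a purely multiplicative score hides.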

Slide 28/43: Step 4: Compute Loss Using Quantitative Analysis

Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once. E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data (assumes no liability).

SLE = Asset Value (AV) x Exposure Factor (EF). With a stolen laptop, EF = 1.0.

Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25.

Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE x ARO.

Slide 29/43: Quantitative Risk

Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Building | Fire | $1M | [not legible] (once in ?0 years) | $[not legible]
Laptop | Stolen | $1[rest not legible] | [not legible] | $1[rest not legible]
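The arithmetic behind slides 16, 28 and 29, as an added Python example that is not part of the slide deck: the additive loss formula and risk exposure from slide 16, SLE, ARO and ALE from slide 28, and a register of scenarios in the shape of the slide 29 table. Because that table is only partly legible, the figures are constructed; only the 25-year fire interval (slide 28) and the $1,000 laptop value (slide 19) come from the deck. The closing cost/benefit check, which treats a control as worthwhile when the ALE it removes exceeds its yearly cost, is the standard ALE-based rule and goes beyond what the slides state.

```python
"""Quantitative risk arithmetic: loss, risk exposure, SLE, ARO, ALE and an
ALE-based control check.

Added example, not from the slides. The formulas are the slides' own; the
figures in SAMPLE_SCENARIOS and the control cost/benefit rule are assumptions.
"""
from dataclasses import dataclass
from typing import List


def expected_loss(downtime: float, recovery: float, liability: float, replacement: float) -> float:
    """Slide 16: Loss = Downtime + Recovery + Liability + Replacement."""
    return downtime + recovery + liability + replacement


def risk_exposure(probability: float, loss: float) -> float:
    """Slide 16: Risk Exposure = Probability of Vulnerability x Loss."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return round(probability * loss, 2)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Slide 28: SLE = Asset Value (AV) x Exposure Factor (EF).
    EF is the fraction of the asset lost in one incident (1.0 for a stolen laptop)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie in [0, 1]")
    return round(asset_value * exposure_factor, 2)


def annualized_rate_of_occurrence(once_every_years: float) -> float:
    """Slide 28: a threat expected once every N years has ARO = 1/N (fire every 25 years: 0.04)."""
    if once_every_years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / once_every_years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Slide 28: ALE = SLE x ARO."""
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Scenario:
    """One row of the slide 29 table: an asset, a threat and the inputs to SLE and ARO."""
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    once_every_years: float

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def aro(self) -> float:
        return annualized_rate_of_occurrence(self.once_every_years)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro())


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Standard ALE cost/benefit rule (an assumption beyond the slides): a control pays
    for itself when the ALE it removes exceeds its yearly cost, i.e. the result is positive."""
    return round(ale_before - ale_after - annual_control_cost, 2)


# Constructed figures. Only the fire interval (25 years, slide 28) and the laptop
# value ($1,000, slide 19) are taken from the deck; the rest is assumed.
SAMPLE_SCENARIOS: List[Scenario] = [
    Scenario("Building", "Fire", asset_value=1_000_000, exposure_factor=1.0, once_every_years=25),
    Scenario("Laptop", "Stolen", asset_value=1_000, exposure_factor=1.0, once_every_years=2),
]


def register() -> List[tuple]:
    """Return the quantitative table (asset, threat, SLE, ARO, ALE) for each scenario."""
    return [(s.asset, s.threat, s.sle(), s.aro(), s.ale()) for s in SAMPLE_SCENARIOS]


if __name__ == "__main__":
    print(f"{'Asset':<10}{'Threat':<8}{'SLE':>14}{'ARO':>8}{'ALE':>12}")
    for asset, threat, sle, aro, ale in register():
        print(f"{asset:<10}{threat:<8}{sle:>14,.2f}{aro:>8.3f}{ale:>12,.2f}")
    # Assumed control: sprinklers cut the fire EF from 1.0 to 0.2 at $5,000 a year.
    fire = SAMPLE_SCENARIOS[0]
    with_sprinklers = Scenario(fire.asset, fire.threat, fire.asset_value, 0.2, fire.once_every_years)
    print("Sprinkler net benefit per year:",
          control_net_benefit(fire.ale(), with_sprinklers.ale(), 5_000))
```

The useful habit the example encodes is that the ALE, not the SLE, is what a yearly control budget should be compared against: a $1M fire SLE is alarming, but at one fire in 25 years it is a $40,000-a-year problem, which is the number a $5,000-a-year sprinkler contract is weighed against.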

Slide 30/43: Step 5: Treat Risk

Risk Acceptance: Handle the attack when necessary. E.g.: Comet hits. Ignore the risk if the risk exposure is negligible.

Risk Avoidance: Stop doing the risky behavior. E.g.: Do not use Social Security …

Slide 31/43: Extra Step (Step 6): Risk Monitoring

Item | Status | Cost / notes
Stolen Laptop | In investigation | $2k, legal issues
HIP Incident Response | Procedure being defined | incident response, $200
Cost overruns | Internal audit investigation | $400
HIP: Physical security | Training occurred | $200

Report to Mgmt on the status of security: metrics showing current performance; outstanding issues.

Slide 32/43: Training

Importance of following policies & procedures:

- Clean desk policy
- Incident or emergency response
- Authentication & access control
- Privacy and confidentiality
- Recognizing and reporting security incidents
- Recognizing and dealing with social engineering

Slide 33/43: Risk Management

- Risk Management is aligned with business strategy & direction.
- Risk mgmt must be a joint effort between all key business units & IS.
- Business-Driven (not Technology-Driven).

Steering Committee:

- Sets risk management priorities
- Defines risk management objectives to achieve the business strategy

Slide 34/43: Question

Risk Assessment includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Slide 35/43: Question

Risk Management includes:

1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls

Slide 36/43: Question

The FIRST step in Security Risk Assessment is:

1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls

Slide 37/43: Question

Single Loss Expectancy refers to:

1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost of losing an asset once
4. The average cost of loss of this asset per year

Slide 38/43: Question

The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:

1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management

Slide 39/43: Question

Which of these risks is best measured using a qualitative process?

1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee's laptop while traveling
4. Disruption of supply deliveries due to flooding

Slide 40/43: Question

The risk that is assumed after implementing controls is known as:

1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk

Slide 41/43: Question

The primary purpose of risk management is to:

1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk

Slide 42/43: Question

Due Diligence ensures that:

1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets

Slide 43/43: Question

ALE is:

1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO