Risk Management
This material was developed with funding from the National Science Foundation under Grant # DUE 1601612
What is Risk Management?
An organization’s process of identifying and assessing risk is a continuous effort because threats keep changing. The goal of risk management is to reduce the risk those threats pose to an acceptable level.
(Figure: a risk scale running from High Risk through Lower Risk down to Acceptable Risk.)
Risk Management Terminology
Risk analysis is a technique used to identify and assess factors that may threaten information and information systems. The study of risk analysis uses several common terms, which are defined below.
Asset
Anything of value that is used in, and is necessary to, the completion of a business task. Assets include both tangible and intangible items such as equipment, software code, data, facilities, personnel, market value and public opinion.
Threat
A malicious act or unexpected event that damages information systems or other related organizational assets. A threat may be intentional (a malicious act) or unintentional (an unexpected event).
Threat Agent
An individual or group that acts, or has the power to act, to exploit a vulnerability or conduct other damaging activities.
Vulnerability
Any flaw or weakness that would allow a threat to cause harm and damage an asset. (Illustrated with a “You Won!” pop-up, an error dialog and an unavailable website.)
Risk
The probability of loss due to a threat to an organization’s assets.
Countermeasure
An action, device, procedure, or technique that reduces a threat or a vulnerability by eliminating or preventing it. (Illustrated with multi-step authentication, a 4-digit PIN prompt and an account-lockout notice.)
Security Control
Technical and physical measures, or administrative policies and procedures, designed to implement specific security functionality in order to avoid, detect, offset, or minimize security threats to an organization's assets. Information security control functions are preventative, detective, deterrent, compensating, recovery or corrective.
Identifying Threats
In today’s information-driven world, data and the protection of data systems are critical considerations for businesses. Customers want assurance that their information is secure, and businesses face multiple threats in protecting the confidentiality, integrity and availability of sensitive and private information. The threats that exist in modern information systems include the following.
ADWARE AND SPYWARE
Adware is software designed to track browsing habits; advertisements and pop-ups then appear based on the tracked habits. Spyware is installed on a computer without the user’s knowledge and can contain keyloggers that record personal information including email addresses, passwords, and even credit card numbers.
PASSWORD CRACKING
Techniques used to discover computer passwords by recovering them from data stored in, or transmitted from, a computer system. Cracking is done either by repeatedly guessing the password with an algorithm that tries numerous combinations until the password is found, or by trying the entries of a dictionary-type list.
MAN-IN-THE-MIDDLE ATTACK
The attacker eavesdrops on a communication between two targets. This type of attack gains access by stealing credentials or by altering the transmitted data.
ROGUE SECURITY SOFTWARE
Software that misleads users into believing that a computer virus is installed on their computer or that their security measures are out of date. Accepting its offer to install or update security software leads to the installation of malware.
UNAUTHORIZED ACCESS TO SENSITIVE DATA (DATA BREACH)
Information is stolen or taken from a system without the knowledge or authorization of the system’s owner. Stolen data may involve sensitive, proprietary, or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.
VIRUS
Software that can be spread from one computer to another. Viruses require a host to spread and are often sent as email attachments or downloaded from the web; once a computer is infected, the virus uses that system and the network to reach other computers, including those of the victim's contacts.
IDENTITY THEFT
Someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain.
MALWARE
MALicious softWARE is developed by cyber attackers with the intention of gaining access to, or causing damage to, a computer or network, often while the victim remains unaware that a compromise has occurred.
LOGIC BOMB
Code inserted into an operating system or software application that triggers a malicious function when a specific condition is met (for example, a particular date, or a user account being deleted).
SERVICE DISRUPTIONS
An interruption of information or information systems due to electrical or other related issues.
ROOTKITS
A collection of software tools that enables remote control and administration-level access over a computer or computer network. Once remote access is obtained, the rootkit can perform malicious actions such as installing a keylogger, stealing passwords or disabling antivirus software.
WORMS
Standalone malicious programs that self-replicate quickly and spread from one computer to another. A worm does not require a host and can spread from an infected computer via a network without human intervention.
RANSOMWARE
Holds a victim's data hostage on the computer through strong encryption. A payment is then demanded (usually in Bitcoin, a digital currency that is hard to trace) to release the captured data.
EQUIPMENT FAILURE
Prevents users from accessing needed data and system resources.
PHISHING
A method of social engineering used to obtain sensitive data such as passwords, usernames and credit card numbers. The attacks often come in the form of instant messages or emails designed to look as if they come from a legitimate source.
DoS AND DDoS ATTACKS
A denial-of-service (DoS) attack uses an infected host to flood a system with requests, making it impossible for legitimate users to access the flooded resource. A distributed denial-of-service (DDoS) attack uses multiple infected hosts (an army of zombies) across the Internet to bring down a site.
Risk Management Process
Risk management is a formal process that reduces the impact of threats and vulnerabilities. You cannot eliminate risk completely, but you can manage it to an acceptable level. Risk management weighs the impact of a threat against the cost of implementing controls or countermeasures to mitigate it. All organizations accept some risk, and the cost of a countermeasure should not exceed the value of the asset it protects.
The process has four steps: Frame Risk, Assess Risk, Respond to Risk and Monitor Risk.
Frame Risk
Identify the threats throughout the organization that increase risk. Identified threats include processes, products, attacks, potential failure or disruption of services, negative perception of the organization’s reputation, potential legal liability, and loss of intellectual property. Assets to consider include inventory, computers, buildings, intellectual property, company reputation and accounts receivable. The framing question is: what goes on around us every day that we need to fix or monitor?
Assess Risk
Once a risk has been identified, it is assessed and analyzed to determine the severity of the threat. Some threats can bring the entire organization to a standstill, while others are merely minor inconveniences. Risk can be prioritized by actual financial impact (quantitative analysis) or by a scaled impact on the organization's operation (qualitative analysis).
The module's assessment exercise rates five risks, giving each a financial impact (quantitative) and a rating of its impact on operations (qualitative). Ranked by qualitative rating:
1) Stolen laptop = $1,200 (Very high)
2) Data Breach = $100,000 (High)
3) Server Failure = $5,000 (Medium)
4) Ransomware Attack = $20,000 (Low)
5) Bathroom Flood = $50,000 (Very Low)
Note that the two analyses give different priorities: the data breach has by far the largest financial impact, yet the stolen laptop is rated the most severe operationally.
Respond to Risk
This step involves developing an action plan to reduce the organization's overall risk exposure. Management ranks and prioritizes threats; a team then determines how to respond to each threat. Risk can be eliminated, mitigated, transferred, or accepted.
The exercise pairs each assessed risk with a countermeasure and its cost:
Stolen laptop ($1,200): laptop checkout policy and hard drive encryption = $150
Data Breach ($100,000): IDS systems and multifactor authentication = $15,000
Server Failure ($5,000): backup systems and equipment monitoring systems = $1,500
Ransomware Attack ($20,000): hire a company to train employees and insure against ransomware attacks = $5,000
Bathroom Flood ($50,000): purchase insurance = $750
Monitor Risk
Risk is continuously reviewed, both for risk reductions resulting from elimination, mitigation, or transfer actions and because not all risks can be eliminated: threats that are accepted need to be closely monitored. It is important to understand that some risk is always present and acceptable.
Levels of Risk Management
Negligence means that no actions or controls are taken to lower risk. The threat is very high, and the cost of an incident could be catastrophic.
Due care involves taking reasonable steps to lower the level of risk. The risk still exists, but reasonable steps lower the potential loss.
Due diligence involves responsible steps taken to eliminate risk. Some risks still exist, but multiple controls are implemented to prevent potential loss.
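As an added example (not part of the module), the following Python script carries the assessment exercise above through the Assess and Respond steps: it ranks the five risks quantitatively and qualitatively, shows that the two orderings differ, applies the module's rule that a countermeasure should not cost more than the asset it protects, and allocates a budget in qualitative-priority order, accepting and monitoring whatever cannot be funded. The pairing of each countermeasure with a risk and the $10,000 budget are assumptions made here, not figures stated by the module.

```python
from dataclasses import dataclass

# Qualitative scale used in the module's exercise, mapped to an ordinal value
# so the ratings can be sorted.
QUALITATIVE_SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very high": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    impact_usd: int            # quantitative: financial loss if the threat materializes
    rating: str                # qualitative: scaled impact on the organization's operation
    countermeasure: str
    countermeasure_cost_usd: int


# Figures from the module's exercise. Pairing each countermeasure with a risk
# is an assumption made here from the item names; the module shows two lists.
RISKS = [
    Risk("Stolen laptop", 1_200, "Very high", "Laptop checkout policy / hard drive encryption", 150),
    Risk("Data Breach", 100_000, "High", "IDS systems / multifactor authentication", 15_000),
    Risk("Server Failure", 5_000, "Medium", "Backup systems / equipment monitoring", 1_500),
    Risk("Ransomware Attack", 20_000, "Low", "Employee training / ransomware insurance", 5_000),
    Risk("Bathroom Flood", 50_000, "Very Low", "Purchase insurance", 750),
]


def quantitative_ranking(risks):
    """Prioritize by actual financial impact (quantitative analysis), largest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.impact_usd, reverse=True)]


def qualitative_ranking(risks):
    """Prioritize by scaled operational impact (qualitative analysis), most severe first."""
    return [r.name for r in sorted(risks, key=lambda r: QUALITATIVE_SCALE[r.rating], reverse=True)]


def countermeasure_justified(risk):
    """The module's rule: a countermeasure should not cost more than the asset it protects."""
    return risk.countermeasure_cost_usd <= risk.impact_usd


def respond(risks, budget_usd):
    """Respond to Risk: fund justified countermeasures in qualitative-priority order
    while the budget lasts. Anything unfunded (or unjustified) is accepted and
    must be monitored. The budget is an assumed input, not a module figure."""
    remaining = budget_usd
    decisions = {}
    for r in sorted(risks, key=lambda r: QUALITATIVE_SCALE[r.rating], reverse=True):
        if countermeasure_justified(r) and r.countermeasure_cost_usd <= remaining:
            decisions[r.name] = "mitigate"
            remaining -= r.countermeasure_cost_usd
        else:
            decisions[r.name] = "accept and monitor"
    return decisions, remaining


if __name__ == "__main__":
    print("Quantitative priority:", quantitative_ranking(RISKS))
    print("Qualitative priority: ", qualitative_ranking(RISKS))
    decisions, left = respond(RISKS, 10_000)   # assumed budget
    for name, decision in decisions.items():
        print(f"{name:18} -> {decision}")
    print("Unspent budget: $", left)
```

Run with the assumed $10,000 budget, the qualitative-priority allocation funds the laptop, server, ransomware and flood countermeasures but cannot afford the $15,000 IDS/MFA control, so the data breach (the largest quantitative impact) ends up accepted and monitored. That is exactly the tension between the two analyses the module points out, and it is why the response step is a management decision rather than a purely arithmetic one.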
Impact
Risk impact is the damage incurred by an event which causes loss of an asset or disruption of service.
Exposure
The percentage loss the organization suffers if a risk materializes (up to a 100% loss).
Risk Assessment
Identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.
Risk Management Challenge I
Identify the level of risk management (Negligence, Due Care or Due Diligence) that applies to the scenario and to each of the actions taken below.
Scenario: A company purchases new laptops for all executives. Identified threats: laptops stolen, laptops damaged, possible sensitive data exposure.
Action I: Insurance is purchased on the laptops, and new software is purchased that automatically encrypts and decrypts sensitive data stored on them.
Action II: A policy is adopted that all sensitive data must be encrypted, and all executives are trained in how to encrypt and decrypt sensitive data on their laptops.
Action III: The laptops are not insured, and the data is not encrypted.
Risk Management Challenge II
Match each threat to its description.
Threats: Phishing, Ransomware, Password Cracking, Man-In-The-Middle Attack, Rootkits, Virus, Adware and Spyware, Logic Bomb, Identity Theft, Worms.
Descriptions:
Self-replicates quickly, spreads from one computer to another and does not require a host
Can be spread from one computer to another and requires a host to spread
Method of social engineering used to obtain sensitive data
Implements a malicious function based on a specific condition
Tracks browsing habits without the user’s knowledge
Uses encryption to hold a victim's data hostage
Wrongfully obtains and uses another person's personal data
Attacker eavesdrops on a communication between two targets