epoly_ism_module_3_risk_ii

epoly_ism_module_3_risk_ii - CS6804 Information Security...

CS6804 Information Security Management Copyright 2009
Page 1
Information System Security Engineering and Management
Module 3: Risk, Part II
Spring, 2009
Page 2
Module 3 Objectives
To continue examining the role of risk analysis and management in information security. This week we discuss:
- Quantitative and qualitative scales for the impact of the compromise of a security critical IT asset
- Quantitative and qualitative scales for the likelihood of the compromise of a security critical IT asset
- Approaches to risk management for risks that have been identified and “rated”
This work is illustrated with a detailed look at the risks in the DAITS case study
Page 3
Information Security Risk Analysis Summary (from last week)
A risk is a combination of an “asset at risk,” a threat agent (who wants to do something), and a vulnerability (how they will do it)
- Asset: The compromise of an asset has an “impact” measured quantitatively or qualitatively. For information security, the asset is related back to an IT asset, typically information in an IT system, or an IT process
- Threat agent: A threat is a “threat agent” that wants to compromise the asset with some specific goal in mind
- Vulnerability: The threat agent wants to find some vulnerability in the system that allows them to achieve the goal. The likelihood of the successful execution of the threat is measured quantitatively or qualitatively
Page 4
Information Security Risk Analysis Summary (continued)
If Asset and Threat are measured quantitatively:
  Amount at Risk = (Impact of Asset compromise) x (Likelihood of successful threat execution)
This lecture will go into assessing the impact, assessing the likelihood of success, and compiling a prioritized list of risks. This analysis will be used to derive security requirements for the system in the next lecture
Risk is the primary driver of everything in information security
Page 5
Steps in Risk Analysis and Management (Review)
Step I: Identify assets at risk
Step II: Identify threats/threat agents
Step III: Identify vulnerabilities
- A risk is a combination of an asset at risk, a threat to that asset, and a vulnerability that exposes that asset
- An “event” is when the threat agent succeeds in using the vulnerability to compromise an asset
Step IV: Risk Assessment and Management
- Dealing with risk by planning in advance
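A worked version of the rating and prioritization the slides describe, added here as example code (it is not from the lecture or the DAITS case study): each risk is an asset, threat agent and vulnerability triple, rated either quantitatively (Amount at Risk = Impact x Likelihood) or on a qualitative matrix, and the register is ranked per scale. The scale labels, their ordinal values and the register entries are constructed for the example.

```python
from dataclasses import dataclass

# Constructed ordinal scales (assumed here; the lecture's own scale values are not on this page).
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}

@dataclass
class Risk:
    asset: str          # asset at risk (information in an IT system, or an IT process)
    threat_agent: str   # who wants to compromise it
    vulnerability: str  # how they could do it
    impact: object      # cost of compromise in dollars, or a label from IMPACT_SCALE
    likelihood: object  # probability (0..1) of successful execution, or a label from LIKELIHOOD_SCALE

    def scale(self):
        """Which scale this entry uses; mixing a dollar figure with a label is rejected."""
        if isinstance(self.impact, str) and isinstance(self.likelihood, str):
            return "qualitative"
        if not isinstance(self.impact, str) and not isinstance(self.likelihood, str):
            return "quantitative"
        raise ValueError(f"{self.asset}: impact and likelihood must use the same scale")

def amount_at_risk(risk):
    """Quantitative rating from the slides: impact x likelihood, in the impact's units."""
    if risk.scale() != "quantitative":
        raise TypeError("amount at risk needs numeric impact and likelihood")
    if not 0.0 <= risk.likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return risk.impact * risk.likelihood

def qualitative_rating(risk):
    """Qualitative rating: ordinal impact x ordinal likelihood, i.e. a risk-matrix score."""
    if risk.scale() != "qualitative":
        raise TypeError("qualitative rating needs scale labels")
    return IMPACT_SCALE[risk.impact.lower()] * LIKELIHOOD_SCALE[risk.likelihood.lower()]

def prioritized(risks):
    """Highest-rated first, ranked per scale so dollar amounts are never compared with ordinals."""
    quant = sorted((r for r in risks if r.scale() == "quantitative"), key=amount_at_risk, reverse=True)
    qual = sorted((r for r in risks if r.scale() == "qualitative"), key=qualitative_rating, reverse=True)
    return {"quantitative": quant, "qualitative": qual}

# Constructed register (not the DAITS case study figures, which are not on this page).
REGISTER = [
    Risk("customer records DB", "external attacker", "unpatched DB service", 500_000.0, 0.05),
    Risk("public web server", "vandal", "weak admin password", 20_000.0, 0.5),
    Risk("internal e-mail", "disgruntled insider", "no mailbox access logging", "high", "likely"),
    Risk("shared printer", "visitor", "unattended printouts", "low", "unlikely"),
]
```

Running `prioritized(REGISTER)` ranks the database (25,000 at risk) above the web server (10,000) on the quantitative side, and e-mail (score 9) above the printer (score 2) on the qualitative side.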

This note was uploaded on 03/03/2010 for the course CS 6803 taught by Professor Hery during the Fall '09 term at NYU Poly.
