Risk Management - University of Tulsa


Risk Management
CS5493
Risk Management
The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating
risks
Risk Analysis
● Qualitative
● Quantitative
Risk Analysis
● Qualitative
  – Risk classification
    ● High
    ● Medium
    ● Low
  – Risk impact: how would it impact the overall business?
Quantitative Risk Management
Finance measures risk as standard deviation (dispersion of outcomes around the expected value); as such, risk has a sign: an outcome can deviate in the negative or the positive direction.
Risk Management
Ultimately, risk will be measured in monetary units, $.
Risk Management
● Minimize the effects of negative risks
● Maximize the effects of positive risks
Risk Analysis
● Quantitative
  – Use math (probability)
Risk Vocabulary
● Asset
● Threat
● Vulnerability
Risk Vocab
● Asset – anything of value
Risk Vocab
● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally.
  A threat is what you wish to protect against.
Risk Vocab
● Vulnerability – weaknesses exploited by threats that compromise assets.
  A vulnerability is a weakness.
Threat & Vulnerability
How do you separate the two? Consider malware:
● there is the threat of a malware attack
● a system is vulnerable to some types of malware
Threats vs Vulnerabilities
● Threat is the frequency or probability of an adverse event.
● Vulnerability is the probability a threat will succeed in causing damage to an asset.
Define Risk Probability
● P(R) = P(T) x P(V)
  – P(T), Threat = probability/frequency of an adverse event
  – P(V), Vulnerability = the probability that a threat will succeed
  – P(R) = the risk probability
Risk Analysis
● The exposure cost (EC) is the product of the risk-probability value times the loss (of the asset) in dollars.
  EC = P(R) * AssetValue
Example (annual)
● Probability of a fire in the data center (per year): 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = .0075 * .15 = .001125
Example (annual)
● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = $843.75 (risk probability * value of the asset)
Risk Identification
● The process of determining the risks to assets.
● Create the “risk register”
Risk Register
● Creation:
  – Brainstorming meeting to identify the risks
  – Surveys
  – Other events to collect information.
Risk Register
● Content
  – A description of each identified risk threat
  – Probability or frequency of the risk threat event occurring
  – Vulnerability: probability of the threat causing damage, P(V)
  – Steps to mitigate
  – Rank of each risk in the register
  – Exposure cost
Risk Register
● Ranking risks
  – A limited budget will require dropping some perceived risks.
  – Concentrate on the most important issues.
Risk Analysis
● Quantitative
  – EF = Exposure Factor
  – SLE = Single Loss Expectancy
    ● SLE = Asset Value x EF
  – ARO = Annual Rate of Occurrence
  – ALE = Annual Loss Expectancy
    ● ALE = SLE x ARO
Risk Analysis
● Threat frequency: P(T)
● Vulnerability probability: P(V)
● Risk probability: P(R) = P(T) * P(V)
● Exposure Cost: EC = Cost * P(R) = Cost * P(T) * P(V)
● Exposure Factor (vulnerability probability): EF = P(V)
● Single Loss Expectancy: SLE = EF * Cost = P(V) * Cost
● Annual Rate of Occurrence (threat frequency): ARO = P(T)
● Annual Loss Expectancy: ALE = ARO * SLE = P(T) * SLE = P(T) * P(V) * Cost = EC
Quantitative Risk Table
Resource     Risk        Value        EF    SLE          ARO   ALE
Building     Fire        $700,000.00  0.8   $560,000.00  0.02  $11,200.00
File Server  disk crash  $5,000.00    0.5   $2,500.00    0.2   $500.00
Data         theft       $200,000.00  0.6   $120,000.00  0.3   $36,000.00
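The quantitative arithmetic of the preceding slides, as an added example that is not part of the course notes. It computes P(R), EC, SLE and ALE for the data-center fire example and for the three rows of the Quantitative Risk Table, checks the slide's identity ALE = ARO * SLE = P(T) * P(V) * Cost = EC on every entry, and ranks the register by annual exposure, which is the ordering the Risk Register slides call for when the budget is limited. The figures are the deck's own; the RiskEntry class, the function names and the floating-point tolerance are choices of this example.

```python
"""Quantitative risk arithmetic from the CS5493 slides (added example).

Two vocabularies name the same quantities:
  P(R) = P(T) * P(V)          EC  = P(R) * AssetValue
  SLE  = EF * AssetValue      ALE = ARO * SLE
with EF = P(V) and ARO = P(T), hence ALE = P(T) * P(V) * AssetValue = EC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    resource: str      # the asset
    risk: str          # the threat event
    value: float       # asset replacement value, dollars
    p_threat: float    # P(T) = ARO: expected occurrences per year
    p_vuln: float      # P(V) = EF: probability the event damages the asset

    @property
    def risk_probability(self) -> float:
        return self.p_threat * self.p_vuln           # P(R)

    @property
    def exposure_cost(self) -> float:
        return self.risk_probability * self.value    # EC

    @property
    def sle(self) -> float:
        return self.p_vuln * self.value              # SLE = EF * value

    @property
    def ale(self) -> float:
        return self.p_threat * self.sle              # ALE = ARO * SLE


# Constructed register: the three rows of the slide's table plus the
# data-center fire example (0.75% per year, 15% chance of total loss).
REGISTER = [
    RiskEntry("Building", "Fire", 700_000, 0.02, 0.8),
    RiskEntry("File Server", "disk crash", 5_000, 0.2, 0.5),
    RiskEntry("Data", "theft", 200_000, 0.3, 0.6),
    RiskEntry("Data center", "fire (slide example)", 750_000, 0.0075, 0.15),
]


def rank_by_exposure(register):
    """Highest annual exposure first: with a limited budget, mitigation effort
    goes to the entries at the top and the tail may have to be dropped."""
    return sorted(register, key=lambda e: e.ale, reverse=True)


def ale_equals_ec(entry, tolerance=1e-6):
    """Verify the slide's identity ALE = EC on one entry (tolerance absorbs
    floating-point rounding in the two multiplication orders)."""
    return abs(entry.ale - entry.exposure_cost) < tolerance


def print_table(register):
    print(f"{'Resource':<12}{'Risk':<22}{'Value':>14}{'EF':>6}"
          f"{'SLE':>14}{'ARO':>8}{'ALE':>12}")
    for e in rank_by_exposure(register):
        print(f"{e.resource:<12}{e.risk:<22}{e.value:>14,.2f}{e.p_vuln:>6.2f}"
              f"{e.sle:>14,.2f}{e.p_threat:>8.4f}{e.ale:>12,.2f}")


if __name__ == "__main__":
    print_table(REGISTER)
```

Running the script prints the register ranked by ALE; the "Data / theft" row, not the most valuable asset, comes out on top because its threat frequency is the highest.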
Risk Response Planning
● Negative Risks
● Positive Risks
Risk Response Planning
● Responses to negative risks
  – Eliminate
  – Transfer
  – Mitigate
  – Accept
Negative Risk Response
● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer risk.
● Mitigate – reduce the probability of the event occurring by taking some action.
● Accept – take no additional action.
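The four negative-risk responses expressed in the deck's ALE = ARO * EF * Asset Value model, as an added example that is not from the course notes. The numbers are the building-fire row of the Quantitative Risk Table (ARO 0.02, EF 0.8, $700,000); the insurance premium and the mitigation reduction factor are constructed inputs for illustration, since the slides give none.

```python
"""Residual annual cost after each negative-risk response (added example).

Each response is modelled as a change to the inputs of
    ALE = ARO * EF * AssetValue      (the deck's ALE = P(T) * P(V) * Cost)
  eliminate: the threat is gone, so ARO becomes 0
  transfer:  the loss moves to an insurer; what stays on the organisation's
             books is the premium (an assumed input, not from the slides)
  mitigate:  an action lowers the event probability by an assumed fraction
  accept:    no additional action, ALE unchanged
"""

RESPONSES = ("eliminate", "transfer", "mitigate", "accept")


def annual_loss_expectancy(aro, ef, asset_value):
    return aro * ef * asset_value


def residual_annual_cost(response, aro, ef, asset_value, *, premium=0.0, reduction=0.0):
    """Annual cost the organisation still carries after applying `response`.

    `premium` (transfer) and `reduction` (mitigate; fraction of ARO removed,
    in [0, 1]) are hypothetical parameters supplied by the caller.
    """
    if response == "eliminate":
        return annual_loss_expectancy(0.0, ef, asset_value)
    if response == "transfer":
        return premium
    if response == "mitigate":
        if not 0.0 <= reduction <= 1.0:
            raise ValueError("reduction must be a fraction between 0 and 1")
        return annual_loss_expectancy(aro * (1.0 - reduction), ef, asset_value)
    if response == "accept":
        return annual_loss_expectancy(aro, ef, asset_value)
    raise ValueError(f"unknown response: {response!r}")


def compare_responses(aro, ef, asset_value, *, premium, reduction):
    """Residual annual cost for every response, keyed by response name."""
    return {
        r: residual_annual_cost(r, aro, ef, asset_value,
                                premium=premium, reduction=reduction)
        for r in RESPONSES
    }


if __name__ == "__main__":
    # Building / Fire row of the slide table; premium and reduction are constructed.
    baseline = annual_loss_expectancy(0.02, 0.8, 700_000)
    print(f"baseline ALE: ${baseline:,.2f}")
    for name, cost in compare_responses(0.02, 0.8, 700_000,
                                        premium=4_000, reduction=0.5).items():
        print(f"{name:<10} ${cost:,.2f}")
```

A response is only worth taking if its own cost is below the exposure it removes; comparing the residual figures against the baseline ALE is how the ranking from the Risk Register slides carries through to the response decision.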
Risk Response Planning
● Responses to positive risks
  – Exploit
  – Share
  – Enhance
  – Accept
Positive Risk Response
● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus.
● Accept – take no action.
BIA
● Business Impact Analysis, BIA
  – A formal analysis separating an organization's functions into critical and non-critical categories
BIA RPO
● RPO – Recovery Point Objective
  – Determine the amount of asset loss that is acceptable
BIA RTO
● RTO – Recovery Time Objective
  – The maximum allowable time to recover from asset loss.
Risk Management
• BIA- Business Impact Analysis
• BCP- Business Continuity Plan
• DRP - Disaster Recovery Plan
BIA
● Business Impact Analysis
  – Classifying business functions and activities into critical or non-critical categories.
  – Determining the prerequisites to support each function/activity.
  – Determining the maximum amount of time each function/activity can be unavailable.
BCP
● BCP – Business Continuity Plan
  – A response plan to interruptions of critical functions
    ● An interruption is an event that lasts for a short period and, while it will result in measurable loss, is not fatal.
    ● Creation of an IT intrusion response team
DRP
● DRP – Disaster Recovery Plan
  – A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
  – Creation of an IT disaster response team
DRP
● DRP – Disaster Recovery Plan
  – Fire
  – Flood
  – Hurricane
  – Tornado
  – Earthquake
DRP Requirements
● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions
● Data/system backups
● Alternate or redundant facility planning