Risk Management
CS5493
Risk Management
The process of
● identifying,
● assessing,
● prioritizing, and
● mitigating
risks
Risk Management
● An ongoing process that has a life-cycle
  – (sustainability cycle)
Risk Management
● Minimize the effects of negative risks
● Maximize the effects of positive risks
Risk Management
● Asset – anything of value
Risk Management
● Threat – anything that can exploit, obtain, damage or destroy an asset via a vulnerability, intentionally or accidentally.
  A threat is what you wish to protect against.
Risk Management
● Vulnerability – weaknesses exploited by threats that compromise assets.
  A vulnerability is a weakness.
Define a Risk Equation
● Risk = Threats x Vulnerabilities
  – Threats = frequency of an adverse event
  – Vulnerability = the probability that a threat will succeed.
  – Risk = the risk probability
Risk Management
● The exposure cost is the product of the risk-probability value times the loss (of the asset) in dollars.
  Cost = RiskProbability * AssetLoss
Example (annual)
● Probability of a fire in the data center resulting in a loss: 0.75%
● Probability of the fire destroying all assets in the data center: 15%
● Risk Probability = .0075*.15 = .001125
Example (annual)
● Replacement value of the data center: $750,000.
● Estimated annual loss due to fire = $843.75 (risk probability * value of the asset)
Risk Identification
● The process of determining the risks to assets.
● Create the “risk register”
Risk Register
● Creation:
  – Brainstorming meeting to identify the risks
  – Surveys
  – Other events to collect information.
Risk Register
● Content
  – A description of each identified risk
  – Probability of the risk event occurring
  – Steps to mitigate
  – Rank each risk in the register
  – Describe the impact if the risk-event actually occurs and include the cost.
Risk Register
● Ranking risks
  – Limited budget will require dropping some perceived risks.
  – Concentrate on the most important issues.
Risk Analysis
● Qualitative
● Quantitative
Risk Analysis
● Qualitative
  – Risk classification
    ● High
    ● Medium
    ● Low
  – risk impact: how would it impact the overall business.
Risk Analysis
● Quantitative
  – Use math
Risk Analysis
● Quantitative
  – EF = Exposure Factor
  – SLE = Single Loss Expectancy
    ● SLE = Asset Value x EF
  – ARO = annual rate of occurrence
  – ALE = annual loss expectancy
    ● ALE = SLE x ARO
Quantitative Risk Table
Resource     Risk        Value         EF    SLE           ARO   ALE
Building     Fire        $700,000.00   0.6   $420,000.00   0.2   $84,000.00
File Server  disk crash  $50,000.00    0.5   $25,000.00    0.2   $5,000.00
Data         theft       $200,000.00   0.9   $180,000.00   0.7   $126,000.00
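A worked version of the SLE/ALE formulas, added here as an example and not part of the course slides: it recomputes the Quantitative Risk Table above, expresses the earlier data-center fire example in the same terms, and ranks the register by ALE as the Risk Register slides suggest. The names RiskEntry, rank_by_ale and format_table are my own, and reading the 0.75% fire probability as the ARO and the 15% as the EF is an assumption made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEntry:
    resource: str
    risk: str
    asset_value: float  # replacement value of the asset, in dollars
    ef: float           # Exposure Factor: fraction of the asset lost in one event
    aro: float          # Annual Rate of Occurrence of the event

    @property
    def sle(self) -> float:
        # Single Loss Expectancy = Asset Value x EF (rounded to cents)
        return round(self.asset_value * self.ef, 2)

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO (rounded to cents)
        return round(self.sle * self.aro, 2)

    @property
    def risk_probability(self) -> float:
        # Risk = Threats x Vulnerabilities: event frequency (ARO) times the
        # probability that the threat succeeds against the asset (EF)
        return self.aro * self.ef

def rank_by_ale(entries):
    """Order a register by ALE, largest first, so a limited budget goes to the
    risks with the highest expected annual loss."""
    return sorted(entries, key=lambda e: e.ale, reverse=True)

def format_table(entries):
    """Render a register in the layout of the Quantitative Risk Table."""
    header = f"{'Resource':<12}{'Risk':<12}{'Value':>14}{'EF':>5}{'SLE':>14}{'ARO':>6}{'ALE':>14}"
    rows = [f"{e.resource:<12}{e.risk:<12}{e.asset_value:>14,.2f}{e.ef:>5}"
            f"{e.sle:>14,.2f}{e.aro:>6}{e.ale:>14,.2f}" for e in entries]
    return "\n".join([header, *rows])

# Rows of the Quantitative Risk Table.
REGISTER = [
    RiskEntry("Building", "Fire", 700_000, 0.6, 0.2),
    RiskEntry("File Server", "disk crash", 50_000, 0.5, 0.2),
    RiskEntry("Data", "theft", 200_000, 0.9, 0.7),
]

# The data-center fire example in the same terms (assumed mapping): the 0.75%
# chance of a fire is the ARO and the 15% chance that it destroys everything is the EF.
DATA_CENTER_FIRE = RiskEntry("Data center", "Fire", 750_000, 0.15, 0.0075)
```

Calling format_table(rank_by_ale(REGISTER)) prints the table with the data-theft row first, since its ALE of $126,000 exceeds the building fire's $84,000; DATA_CENTER_FIRE.ale reproduces the $843.75 from the earlier slide.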
Risk Response Planning
● Negative Risks
● Positive Risks
Risk Response Planning
● Responses to negative risks
  – Eliminate
  – Transfer
  – Mitigate
  – Accept
Negative Risk Response
● Eliminate – implies that the threat has been eliminated (probability of zero).
● Transfer – insurance is used to transfer risk
● Mitigate – reduce the probability of the event occurring by taking some action.
● Accept – take no additional action.
Risk Response Planning
● Response to positive risks
  – Exploit
  – Share
  – Enhance
  – Accept
Positive Risk Response
● Exploit – S-A-P is packaged and sold.
● Share – finding a partner to purchase in bulk and capture a lower price.
● Enhance – meeting a deadline ahead of schedule and collecting a bonus
● Accept – take no action
BIA
● Business Impact Analysis, BIA
  – A formal analysis separating an organization's functions into critical and non-critical categories
BIA RPO
● RPO - Recovery Point Objective,
  – Determine the amount of asset loss that is acceptable
BIA RTO
● RTO - Recovery Time Objective,
  – The maximum allowable time to recover from asset loss.
Risk Management
• BIA- Business Impact Analysis
• BCP- Business Continuity Plan
• DRP - Disaster Recovery Plan
BIA
● Business Impact Analysis,
  – Classifying business functions and activities into critical or non-critical categories.
  – Determining the prerequisites to support each function/activity.
  – Determine the maximum amount of time each function/activity can be unavailable.
BCP
● BCP – Business Continuity Plan
  – A response plan to interruptions of critical functions
    ● An interruption is an event that lasts for a short period and while it will result in measurable loss, is not fatal.
    ● Creation of an IT intrusion response team
DRP
● DRP – Disaster Recovery Plan
  – A plan for responding to losses and interruptions critical to the sustainability of the enterprise.
  – Creation of an IT disaster response team
DRP
● DRP – Disaster Recovery Plan
  – Fire
  – Flood
  – Hurricane
  – Tornado
  – Earthquake
DRP Requirements
● Contact list of critical personnel
● Complete inventory of physical assets
● Inventory of IT software applications for critical business functions.
● Data/system backups
● Alternate or redundant facility planning