Unit Outline
Qualitative Risk Analysis
Module 1: Qualitative Risk Analysis
Module 2: Determine Assets and Vulnerabilities
Module 3: Determine Threats and Controls
Module 4: Matrix Based Approach
Module 5: Case Study
Module 6: Summary
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
1
Module 1
Risk Analysis:
Qualitative Risk Analysis
Risk Analysis
Learning Objectives
• Students should be able to:
– Recognize the difficulties associated with information
security risk analysis
– Identify the two different risk analysis approaches
– Understand how a qualitative risk analysis is performed.
Risk Analysis
Risk Analysis Definition
• Risk analysis involves the identification and
assessment of the levels of risks calculated from the
known values of assets and the levels of threats to,
and vulnerabilities of, those assets.
• It involves the interaction of the following elements:
– Assets
– Vulnerabilities
– Threats
– Impacts
– Likelihoods
– Controls
Risk Analysis
Concept Map
• Threats exploit system vulnerabilities which expose system assets.
• Security controls protect against threats by meeting security
requirements established on the basis of asset values.
Source: Australian Standard Handbook of Information Security Risk Management – HB231-2000
Risk Analysis
Difficulties with Information Security Risk Analysis
• Relatively new field
• Lack of formal models
• Lack of data
• Evolving threats
• Constantly changing information systems and
vulnerabilities
• Human factors related to security
• No standard of practice
Risk Analysis
Approaches
• Two Risk Analysis Approaches
– Quantitative
– Qualitative
Risk Analysis
Quantitative Approach
• Quantitative Risk Analysis
– Relating to or based on the amount or number
of something, capable of being measured or
expressed in numerical terms.
– Quantitative Risk Analysis computes risks in
terms of actual losses
Risk Analysis
Qualitative Approach
• Qualitative Risk Analysis
– Based on a literal description of risk factors; risk is
expressed in terms of its potential. Threats and
vulnerabilities are identified and analyzed using
subjective judgment. Checklists are used to determine
whether recommended controls are implemented and
whether different information systems or organizations
are secure.
Risk Analysis: Qualitative
Methodology
• Qualitative risk analysis methodologies involve relative
comparison of risks and prioritization of controls
• Usually associate relationships between interrelated
factors
– Assets: Things of value for the organization
– Threats: things that can go wrong
– Vulnerabilities: Weaknesses that make a
system more prone to attack or make an
attack more likely to succeed
– Controls: These are the countermeasures
for vulnerabilities
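The following is an added example, not part of the course slides, showing how the four factors above (assets, threats, vulnerabilities, controls) and the checklist idea from the Qualitative Approach slide can be put together in a small qualitative ranking. The ordinal scales, the value-times-likelihood scoring rule and the sample data are all assumptions made for this illustration; the course's own matrix is in Module 4, not here.

```python
"""Qualitative risk ranking: relative asset values and threat likelihoods on an
ordinal scale are combined per (asset, vulnerability, threat) combination, then
recommended-but-missing controls are prioritized by the highest risk each addresses."""
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}   # ordinal scale (assumed), not money


@dataclass
class Vulnerability:
    name: str
    asset: str                     # asset this weakness exposes
    threats: list                  # threats able to exploit it
    recommended: list              # controls a checklist says should exist
    implemented: list = field(default_factory=list)   # controls found in place


def score(asset_value: str, likelihood: str) -> int:
    """Relative risk = asset value x threat likelihood, range 1..9 (assumed rule)."""
    return LEVEL[asset_value] * LEVEL[likelihood]


def rank_risks(asset_values, threat_likelihoods, vulns):
    """(score, asset, threat, vulnerability) tuples, highest risk first."""
    rows = [(score(asset_values[v.asset], threat_likelihoods[t]), v.asset, t, v.name)
            for v in vulns for t in v.threats]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2], r[3]))


def prioritize_controls(asset_values, threat_likelihoods, vulns):
    """Missing recommended controls, ordered by the top risk each would address."""
    by_name = {v.name: v for v in vulns}
    priority = {}
    for s, _asset, _threat, vname in rank_risks(asset_values, threat_likelihoods, vulns):
        v = by_name[vname]
        for c in v.recommended:
            if c not in v.implemented:
                priority[c] = max(priority.get(c, 0), s)
    return sorted(priority.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample input: relative asset values and subjective threat likelihoods.
ASSETS = {"customer database": "high", "public web site": "medium", "intranet wiki": "low"}
THREATS = {"external attacker": "high", "malicious insider": "medium", "hardware failure": "low"}
VULNS = [
    Vulnerability("unpatched DB server", "customer database",
                  ["external attacker", "malicious insider"],
                  ["patch management", "network segmentation"], ["network segmentation"]),
    Vulnerability("no backups", "customer database", ["hardware failure"], ["offsite backups"]),
    Vulnerability("default admin password", "public web site", ["external attacker"],
                  ["password policy"]),
    Vulnerability("no access logging", "intranet wiki", ["malicious insider"],
                  ["audit logging"], ["audit logging"]),
]
```

Calling `rank_risks(ASSETS, THREATS, VULNS)` lists the five exposures from the highest-valued asset facing the most likely threat downward, and `prioritize_controls(ASSETS, THREATS, VULNS)` returns only the controls the checklist found missing, ordered by the risk they would reduce.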
Risk Analysis: Qualitative
Methodology, cont’d.
• More practical, since it is based on user inference and
follows current processes better. It capitalizes on user
experience and does not resort to extensive data
gathering.
• Allows for easier valuation of non-tangible assets.
• Probability data is not required; only estimated
potential loss may be used.
Risk Analysis
Summary
• Risk analysis involves assessing assets, vulnerabilities, threats,
and controls, as well as the impact they have on each other in
order to determine risk.
• Information security risk analysis is a new field and is
constantly changing due to introduction of new assets,
discovery of new vulnerabilities, presence of new threats,
and development of new controls.
• Two different types of risk analysis exist:
– Quantitative, which is based on actual
numerical values, and
– Qualitative, which involves relative values
based on prioritization and expert judgment.