Introduction to Network Security
CompTIA Security+ Exam Domain 5: Risk Management
Trang Nguyen

Risk Management
- A skill and a task that all managers perform, either deliberately or intuitively, to reduce or mitigate risk as an ongoing process.
- An overall decision-making process: identify threats and vulnerabilities and their potential impacts, determine the cost of mitigating such events, and decide which actions are cost effective for controlling these risks.
- There is no single prescribed risk management method; the process is adapted to the organization and its assets.

Key Terms
- Risk
- Risk management
- Risk assessment (risk analysis)
- Asset
- Threat
- Vulnerability
- Impact
- Countermeasure (control or safeguard)
- Mitigate

Key Terms
- Qualitative risk assessment
  - Subjective analysis using expert judgment, experience and expertise
  - Typically expressed on an ordinal scale, such as 1 through 5 or low/medium/high
- Quantitative risk assessment
  - Measurable analysis using a metric or model, producing monetary figures

Key Terms
- Single loss expectancy (SLE): the monetary loss or impact of each occurrence of a threat
- Exposure factor (EF): a measure of the magnitude of loss to an asset from a single event, normally expressed as the fraction of the asset's value that is lost; used in calculating SLE
- Annualized rate of occurrence (ARO): the expected number of occurrences of the threat per year (an event expected once every 3 years has ARO = 1/3)
- Annualized loss expectancy (ALE): the expected monetary loss per year from the threat, SLE multiplied by ARO

General Risk Management Model
- Asset identification
- Threat assessment
- Impact identification and quantification
- Control design and evaluation
- Residual risk management

Risk Response Strategies
- Avoidance: change the plan or reduce the scope so that the threat no longer applies.
- Acceptance: acknowledge the risk and its consequences without further action, usually because the cost of controlling it would exceed the expected loss; the decision is documented.
- Transfer: shift the impact of a risk event, and ownership of the response to it, to a third party (for example through insurance or outsourcing).
- Mitigate: reduce the probability or the impact of a potential risk event to a more acceptable level; this includes reducing the consequences of the event if it does occur.

Risk Assessment
- Apply both quantitative and qualitative methods
- Some risk is always accepted (residual risk)
- Common objective model:
  - Calculate single loss expectancy (SLE)
  - Calculate annualized rate of occurrence (ARO)
  - Calculate annualized loss expectancy (ALE)
- ALE is used in cost-benefit analysis of controls
- SLE = Asset Value x Exposure Factor
- ALE = SLE x ARO

Single Loss Expectancy
- Asset value: e-business profit of $100,000 per day
- Exposure factor: system downtime is 3 days per outage
- SLE = Asset value x Exposure factor = 100,000 x 3 = $300,000
- Note: in the standard definition the exposure factor is a fraction (0 to 1) of the asset's total value. This example instead takes profit per day as the asset value and days of downtime as the exposure factor; the product is still the money lost in one outage.

Annualized Loss Expectancy
- SLE = 100,000 x 3 = $300,000
- Annualized rate of occurrence: the system goes down once every 3 years, so ARO = 1/3
- ALE = SLE x ARO = $300,000 x 1/3 = $100,000
- Cost-benefit: $100,000 per year is the break-even figure. A control that eliminated this risk would be worth at most $100,000 per year; a control that only reduces the risk is justified when (ALE before minus ALE after) exceeds its annual cost.

Risk Management Tools
- Affinity grouping
- Baseline identification and analysis
- Cause and effect analysis
- Cost-benefit analysis
- Gantt charts
- Interrelationship digraphs: show cause and effect relationships
- Pareto charts: histogram ranking causes from most to least frequent
- PERT (program evaluation and review technique)
- Risk management plan

Software Risk Management Model
- Software Engineering Institute (SEI) model
  - Identify
  - Analyze
  - Plan
  - Track
  - Control
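The SLE, ARO and ALE arithmetic above, and the use of ALE in cost-benefit analysis, carried through in Python as an added example (this is not code from the slides). It reproduces the slide's e-business figures ($100,000 profit per day, 3-day outage, one outage every 3 years) and then goes one step beyond the slide by comparing candidate controls with the standard cost-benefit test, net benefit = (ALE before minus ALE after) minus the control's annual cost. The control names, costs and effects are constructed for illustration and are not from the slides.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and control cost-benefit.

Added example for the Security+ Domain 5 slides; not code from the slides.
Money is kept as Fraction so that an ARO of 1/3 and similar values are exact.
"""
from __future__ import annotations

from dataclasses import dataclass
from fractions import Fraction
from typing import Union

Number = Union[int, float, Fraction]


def single_loss_expectancy(asset_value: Number, exposure_factor: Number) -> Fraction:
    """SLE = asset value x exposure factor.

    Textbook form: exposure_factor is the fraction (0..1) of the asset's value
    lost in one event.  The slide's e-business example instead passes profit
    per day as asset_value and days of downtime as exposure_factor; the
    product is the same monetary loss per event either way.
    """
    return Fraction(asset_value) * Fraction(exposure_factor)


def annualized_rate_of_occurrence(events: int, years: Number) -> Fraction:
    """ARO = expected events per year; one outage every 3 years gives 1/3."""
    return Fraction(events) / Fraction(years)


def annualized_loss_expectancy(sle: Number, aro: Number) -> Fraction:
    """ALE = SLE x ARO, the expected loss per year from this threat."""
    return Fraction(sle) * Fraction(aro)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the risk picture once it is in place.

    exposure_factor_after and aro_after use the same units as the inputs
    given to single_loss_expectancy / annualized_loss_expectancy for the threat.
    """
    name: str
    annual_cost: Number
    exposure_factor_after: Number
    aro_after: Number


def control_net_benefit(asset_value: Number, exposure_factor: Number,
                        aro: Number, control: Control) -> Fraction:
    """Standard cost-benefit test: (ALE before - ALE after) - annual cost.

    A positive result means the control pays for itself; a control that
    removes the risk entirely is worth at most the current ALE per year.
    """
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after),
        control.aro_after)
    return ale_before - ale_after - Fraction(control.annual_cost)


def rank_controls(asset_value: Number, exposure_factor: Number, aro: Number,
                  controls: list[Control]) -> list[tuple[str, Fraction]]:
    """Return (name, net benefit) for every candidate control, best first."""
    scored = [(c.name, control_net_benefit(asset_value, exposure_factor, aro, c))
              for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# The slide's figures: $100,000 profit per day, 3-day outage, once every 3 years.
ASSET_VALUE_PER_DAY = 100_000
DAYS_DOWN = 3
ARO = annualized_rate_of_occurrence(1, 3)

# Constructed (hypothetical) candidate controls; costs and effects are illustrative only.
CANDIDATE_CONTROLS = [
    Control("hot standby site", annual_cost=60_000,
            exposure_factor_after=Fraction(1, 4), aro_after=ARO),   # outage cut to 6 hours
    Control("backup generator", annual_cost=20_000,
            exposure_factor_after=DAYS_DOWN,
            aro_after=annualized_rate_of_occurrence(1, 6)),         # outages half as frequent
    Control("fully managed hosting", annual_cost=120_000,
            exposure_factor_after=0, aro_after=0),                  # removes the risk, costs more than ALE
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE_PER_DAY, DAYS_DOWN)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = ${float(sle):,.0f}   ARO = {ARO}   ALE = ${float(ale):,.0f}")
    for name, benefit in rank_controls(ASSET_VALUE_PER_DAY, DAYS_DOWN, ARO, CANDIDATE_CONTROLS):
        verdict = "justified" if benefit > 0 else "not justified"
        print(f"{name:22s} net benefit ${float(benefit):>10,.0f}  ({verdict})")
```

Two points the ranking makes that the single ALE figure on the slide does not: a control can be worthwhile without touching the frequency of the event (the standby site only shortens the outage), and a control that removes the risk entirely is still rejected when its annual cost exceeds the ALE, which is exactly the break-even reading of the $100,000 figure.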