RISK

Risk
  Definition: the probability of an event and its consequences
  Formula: RISK = PROBABILITY X IMPACT
  Other: need to measure
    the impact on digital assets
    the probability (an event will always happen at some point)

Triangle of risk
  Vulnerabilities
    Definition: weaknesses in design that allow a threat to become an attack
    What can be done: vulnerability analysis
  Security controls
    Definition: countermeasures to secure valuable assets, given their vulnerabilities and threats
    What can be done
      Technical: controls that are applied by computer systems
      Managerial: focus on management of the system
      Operational: address methods; done by people, not systems
  Threats
    Definition: a situation where vulnerabilities are exploited
    What can be done: threat analysis
      Analytical algorithms
      Big data
      Attack trees
      Threat trees

Annualized loss expectancy
  Single loss expectancy (SLE): monetary value of how much one attack would cost
  Annualised rate of occurrence (ARO): the frequency of the attack in a year
  Formula: ALE = SLE X ARO

Risk management
  Definition: deals with
    Vulnerabilities
    Threats
    Security controls
  Frameworks
    NIST
    NASA
    ENISA
    ISACA

Risk assessment
  Definition: the potential impact of the identified risk, found by measuring the likelihood and impact
  Assessing the risk
    Qualitatively
      Risk control self assessment (RCSA)
      Scorecards and key risk indicators (KRI)
      Based on human judgement
    Quantitatively
      ALEs
      Risk matrices

Risk identification
  Definition: impact on an organisation's digital assets
  Identifying
    Vulnerabilities
    Attacks
    Threats

Threat analysis
  Purpose: identify all threats to the system
  Techniques
    Threat trees
      Consists of
        Root threat (basic threat)
        Number of sub-threats (branches)
        End threats (leaves)
      Example
        Root
          Branch 1
            Leaf 1.1
            Leaf 1.2
          Branch 2
            Leaf 2.1
      It is a top-down tree, as it represents the view of the system
    Attack trees
      Similar to threat trees
      Bottom-up approach
      Represent the attacker's point of view
      Construction of an attack tree
        Top level: the attack is defined
        Broken down into sub-attacks
      Possibility of attacks
        I = impossible
        P = possible

Risk scenario
  Definition: descriptions of IT-related events that can lead to a loss in business
  Elements
    Actors
    Threat type
    Event
    Asset/resource
    Time

Risk register
  Definition: catalogue of all the registered risks
  Info contained
    Impact of the risk
    Likelihood of the risk
    Control effectiveness
    Security properties affected

Threat likelihood
  The likelihood of the attack/threat happening
  Qualitative: a value from 0.00 to 1.00
  Quantitative: very rare, rare, moderate, frequent or very frequent