Information Security and Systems is one of the courses in the Computer Science major. It is connected to database systems, business and security. This lecture handout was provided by Dr. Anjli Gujral at Biyani Girls College. Its main points are: Control, Analysis, Likelihood, Determination, Vulnerability, Technical, Exercised, Reduced, Management
Typology: Study notes


Control Analysis
This phase includes an assessment of the controls that have already been implemented or are planned, the probability that they can be broken, and the potential loss despite such controls existing. Controls are classified as non-technical controls (also called management controls) and technical controls (software and hardware controls). The output of this step is the set of current or planned controls for the IT system, used to measure the likelihood of a vulnerability being exercised and to reduce the impact of loss.
37.1 Likelihood Determination
This phase determines the likelihood that a potential vulnerability could be exercised by a given threat-source. The following table defines the likelihood ratings.

High – The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium – The threat source is motivated and capable, but controls are in place that may impede the successful exercise of the vulnerability.
Low – The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

The inputs to this phase are: threat-source motivation, threat capacity, nature of the vulnerability and current controls. The output of this phase is a likelihood rating, which is used further in the risk assessment process.

37.2 Impact Analysis
This phase determines the adverse impact resulting from a successful exercise of a vulnerability by a threat. The following information is required before conducting an impact analysis, and can be obtained from existing organizational documentation: system mission (mission impact analysis), asset criticality (criticality assessment), data criticality and data sensitivity.

Impact needs to be measured by defining certain levels, e.g. high, medium and low as qualitative categories, or by quantifying the impact using a probability distribution.

The output of this phase is an impact rating.
37.3 Risk Determination
The purpose of this step is to assess the level of risk to the IT system. The risk from a particular threat can be expressed as a function of

This phase also presumes the definition of risk levels in order to classify the risks. This is more of a discretionary act on the part of management. Levels can be defined as high, medium and low, with a probability range allocated to each. The risk levels are then compared against the ranges of impact.

Once the risk of loss has been determined using the probability of occurrence and the level of impact, such risk amounts may then be classified at the discretion of management.

The inputs to this phase are
Risk matrix – threat likelihood against level of impact (each cell is likelihood x impact, in Rs.):

Threat Likelihood      Level of Impact: Low (Rs. 10,000)   Medium (Rs. 50,000)   High (Rs. 100,000)
High (60%)             6,000                               30,000                60,000
Medium (30%)           3,000                               15,000                30,000
Low (10%)              10,000 x 10% = 1,000                5,000                 10,000
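The likelihood definitions of 37.1 and the risk matrix of 37.3 worked through in code, as an added example that is not part of the handout. The likelihood weights (60/30/10%) and the rupee impact amounts are the matrix's own; the three-way control state used to pick a likelihood rating and the RISK_RANGES cut-offs that map a risk amount to High/Medium/Low are assumptions, since the handout leaves those ranges to management.

```python
# Added example (not from the handout): likelihood and risk determination using the
# handout's matrix values; control states and RISK_RANGES cut-offs are assumptions.
LIKELIHOOD_WEIGHT = {"High": 0.60, "Medium": 0.30, "Low": 0.10}    # threat likelihood
IMPACT_AMOUNT = {"High": 100_000, "Medium": 50_000, "Low": 10_000}  # level of impact, Rs.
RISK_RANGES = (("High", 30_000), ("Medium", 5_000), ("Low", 0))    # assumed management cut-offs, Rs.

def likelihood_rating(motivated: bool, capable: bool, controls: str) -> str:
    """Apply the handout's three likelihood definitions to one threat source.

    controls: "ineffective", "partial" (in place, may impede) or "effective"
    (prevents or significantly impedes exercise of the vulnerability)."""
    if controls not in ("ineffective", "partial", "effective"):
        raise ValueError(f"unknown control state: {controls}")
    if not (motivated and capable) or controls == "effective":
        return "Low"      # lacks motivation or capability, or controls impede
    if controls == "partial":
        return "Medium"   # motivated and capable, controls may impede
    return "High"         # motivated and capable, controls ineffective

def risk_score(likelihood: str, impact: str) -> int:
    """Expected loss for one matrix cell: probability of occurrence x level of impact."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_AMOUNT[impact])

def risk_level(score: int) -> str:
    """Classify a risk amount into the (assumed) management-defined ranges."""
    for level, floor in RISK_RANGES:
        if score >= floor:
            return level
    raise ValueError("risk score must not be negative")

def risk_matrix() -> dict:
    """Rebuild the handout's full 3x3 matrix, keyed by (likelihood, impact)."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD_WEIGHT for im in IMPACT_AMOUNT}

def assess(threat: str, motivated: bool, capable: bool, controls: str, impact: str) -> dict:
    """Carry one threat/vulnerability pair through likelihood, impact and risk determination."""
    lk = likelihood_rating(motivated, capable, controls)
    score = risk_score(lk, impact)
    return {"threat": threat, "likelihood": lk, "impact": impact,
            "risk_score": score, "risk_level": risk_level(score)}

if __name__ == "__main__":
    # Constructed sample: motivated, capable threat source; partial controls; high-impact asset.
    print(assess("unpatched web server", True, True, "partial", "High"))  # Medium x Rs. 100,000 = Rs. 30,000
```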