Lecture-6-Risk Management, Lecture notes of Information Security and Markup Languages

Learn the fundamentals of **Risk Management** in Information Security with these clear, comprehensive, and exam-focused study notes. This resource simplifies key concepts, helping you understand how organizations identify, assess, and manage security risks while preparing confidently for quizzes, assignments, midterms, and final exams.

**Topics covered:**
  • Introduction to Risk Management
  • Risk identification and assessment
  • Threats, vulnerabilities, and impact analysis
  • Risk analysis methodologies
  • Risk treatment strategies (mitigate, transfer, avoid, accept)
  • Risk management lifecycle and best practices

These notes are organized in a student-friendly format for quick learning and efficient revision. Ideal for **Cybersecurity, Computer Science, Information Technology, and Software Engineering** students.

**Includes:** Lecture 6 – Risk Management Study Notes (PDF)

Typology: Lecture notes

2025/2026

Available from 06/30/2026

sanwal-fareed

RISK MANAGEMENT: CONTROLLING RISK IN INFORMATION SECURITY


THE PURPOSE OF RISK MANAGEMENT

  • Ensure the overall business and business assets are safe
  • Protect against competitive disadvantage
  • Comply with laws and best business practices
  • Maintain a good public reputation

RISK IDENTIFICATION

The steps to risk identification are:

  1. Identify your organization's information assets
  2. Classify and categorize said assets into useful groups
  3. Rank the assets by their necessity to the organization

Below is a simplified example of how a company may identify its assets and assign each a priority.

| Asset | Asset Type and Subcategory | Asset Function | Priority Level (Low, Medium, High, Critical) |
| --- | --- | --- | --- |
| Bob Worker | Personnel: InfoSec | Secure networks; penetration testing; make coffee | Low |
| Cisco UCS B460 M4 Blade Server | Hardware: Networking | Database server | High |
| Customer Personally Identifiable Information (PII) | Data: Confidential Information | Provide information for all business transactions | Critical |
| Windows 7 | Software: Operating System | Employee access to enterprise software | Medium |

RISK ASSESSMENT

The steps to risk assessment are:

  1. Identify threats and threat agents
  2. Prioritize threats and threat agents
  3. Assess vulnerabilities in the current InfoSec plan
  4. Determine the risk of each threat:

R = P * V – M + U

  • R = Risk
  • P = Probability of a threat attack
  • V = Value of the information asset
  • M = Mitigation by current controls
  • U = Uncertainty of the vulnerability

The table below combines elements of all of these in a highly simplified format (no numeric scores are given in the notes for the Risk column).

| Threat Agent and Threat | Targeted Asset | Threat Level | Possible Exploits | Risk (Scale of 1-5) |
| --- | --- | --- | --- | --- |
| Disgruntled Insider: Steal company information to sell | Company data (e.g. Customer PII) | High | Access control credentials, knowledge of InfoSec policies, etc. | |
| Fire: Burn the facility down or cause major damage | Company Facility, Personnel, Equipment | Critical | Mishandled equipment | |
| Hacktivists: Quality of service deviation | Company Hardware/Software | Low | Lack of effective filtering | |

COST-BENEFIT ANALYSIS

Determine which risk control strategies are cost effective. Below are some common formulas used in cost-benefit analysis:

SLE = AV * EF
  • SLE = Single Loss Expectancy (loss from one incident)
  • AV = Asset Value
  • EF = Exposure Factor (% of the asset affected by one incident)

ALE = SLE * ARO
  • ALE = Annualized Loss Expectancy
  • ARO = Annualized Rate of Occurrence (expected number of incidents per year)

CBA = ALE (pre-control) – ALE (post-control) – ACE
  • ACE = annualized cost of the control (safeguard); a positive CBA means the control saves more per year than it costs
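The formulas from the Risk Assessment section (R = P * V – M + U) and from this section (SLE, ALE, CBA) carried through in one runnable Python example. This code is an added illustration, not part of the lecture notes. It assumes that M and U are expressed as fractions of the P * V term (the notes do not state which scale they use), and every asset value, probability and cost below is a constructed sample figure.

```python
"""Worked risk-assessment and cost-benefit arithmetic for the formulas in the
notes: R = P*V - M + U, SLE = AV*EF, ALE = SLE*ARO and
CBA = ALE(pre) - ALE(post) - ACE. All sample figures are constructed."""


def risk_score(p: float, v: float, m: float, u: float) -> float:
    """R = P*V - M + U.

    P  probability (likelihood) that the threat is realised, 0..1
    V  value of the information asset on any consistent scale (e.g. 1..100)
    M  share of P*V already mitigated by current controls, 0..1
    U  uncertainty in the vulnerability estimate, 0..1
    Assumption: M and U are applied as fractions of the P*V term.
    """
    exposure = p * v
    return exposure - exposure * m + exposure * u


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, where EF is the fraction of the asset lost per incident."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, with ARO the expected number of incidents per year."""
    return sle * aro


def cost_benefit(ale_pre: float, ale_post: float, annual_control_cost: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control) - ACE.
    Positive means the control saves more per year than it costs."""
    return ale_pre - ale_post - annual_control_cost


def evaluate_control(asset_value, ef_pre, aro_pre, ef_post, aro_post, annual_control_cost):
    """Run the whole SLE -> ALE -> CBA chain for one proposed control and
    return every intermediate so the decision is auditable."""
    ale_pre = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_pre), aro_pre)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    cba = cost_benefit(ale_pre, ale_post, annual_control_cost)
    return {"ale_pre": ale_pre, "ale_post": ale_post, "cba": cba, "cost_effective": cba > 0}


def rank_threats(threats):
    """Score constructed (name, P, V, M, U) tuples with risk_score and sort by
    descending R, which is the 'prioritize threats' step of the assessment."""
    scored = [(name, risk_score(p, v, m, u)) for name, p, v, m, u in threats]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # Constructed threat figures, modelled on the three rows of the notes' table.
    threats = [
        ("Disgruntled insider sells customer PII", 0.5, 100, 0.5, 0.2),  # 50 - 25 + 10 = 35
        ("Fire destroys facility", 0.05, 100, 0.6, 0.1),               # 5 - 3 + 0.5 = 2.5
        ("Hacktivist denial of service", 0.8, 40, 0.3, 0.1),           # 32 - 9.6 + 3.2 = 25.6
    ]
    for name, r in rank_threats(threats):
        print(f"R = {r:5.1f}  {name}")

    # A proposed control for a $100,000 data asset (constructed figures):
    # it reduces exposure per incident from 50% to 10% and halves the yearly rate.
    report = evaluate_control(100_000, ef_pre=0.5, aro_pre=0.2,
                              ef_post=0.1, aro_post=0.1, annual_control_cost=5_000)
    print(report)  # cba = 10000 - 1000 - 5000 = 4000 -> cost-effective
```

Running the block prints the three sample threats in priority order and the cost-benefit report for the control; changing `annual_control_cost` to 12,000 turns the CBA negative, which is the signal that a cheaper control, transferal, or acceptance should be considered instead.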

FEASIBILITY ANALYSIS

Organizational:
  • Does the plan correspond to the organization's objectives?
  • What is in it for the organization?
  • Does it limit the organization's capabilities in any way?

Operational:
  • Will stakeholders (users, managers, etc.) be able and willing to accept the plan?
  • Is the system compatible with the new changes?
  • Have the possible changes been communicated to the employees?

Technical:
  • Is the necessary technology owned or obtainable?
  • Are our employees trained, and if not, can we afford to train them?
  • Should we hire new employees?

Political:
  • Can InfoSec acquire the necessary budget and approval to implement the plan?
  • Is the required budget justifiable?
  • Does InfoSec have to compete with other departments to acquire the desired budget?

RISK CONTROL STRATEGY: DEFENSE

Defense: Prevent the exploitation of the system via the application of policy, training/education, and technology, preferably as layered security (defense in depth):

  ❖ Counter threats
  ❖ Remove vulnerabilities from assets
  ❖ Limit access to assets
  ❖ Add protective safeguards

RISK CONTROL STRATEGY: TRANSFERAL

Transferal: Shift risks to other areas or outside entities to handle. Can include:

  ❖ Purchasing insurance
  ❖ Outsourcing to other organizations
  ❖ Implementing service contracts with providers
  ❖ Revising deployment models

RISK CONTROL STRATEGY: ACCEPTANCE

Acceptance: Properly identifying and acknowledging risks, and choosing not to control them. Appropriate when:

  ❖ The cost to protect an asset or assets exceeds the cost to replace it/them
  ❖ The probability of the risk is very low and the asset is of low priority
  ❖ Otherwise, acceptance = negligence

RISK CONTROL STRATEGY: TERMINATION

Termination: Removing or discontinuing the information asset from the organization. Examples include:

  ❖ Equipment disposal
  ❖ Discontinuing a provided service
  ❖ Firing an employee

STANDARD APPROACHES TO RISK MANAGEMENT

  • U.S. CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methods (Original, OCTAVE-S, OCTAVE-Allegro)
  • ISO 27005 standard for InfoSec risk management
  • NIST Risk Management Model
  • Microsoft Risk Management Approach
  • Jack A. Jones' Factor Analysis of Information Risk (FAIR)
  • Delphi Technique

RISK MANAGEMENT SOFTWARE

https://www.youtube.com/watch?v=lUZy7je-nMY

CLASS ACTIVITY

Students exercise the Risk Management process:

  1. Identifying Information Assets
  2. Identifying Security Risk and evaluation
  3. Risk Treatment
  4. Presentation of exercise result