Risk Management

Course Overview

  • Course Title: INFOSYS 727 - Advanced Information Security
  • Instructor: Fernando Beltrán, Associate Professor
  • Semester: 2025 - Semester 1

Key Topics to Discuss

  • Risk Management
  • Security Management
  • Personnel Security
  • The relationship between security and the organization’s mission, goals, and objectives

Understanding Mission Statements

  • Definition: A mission statement articulates the organization's ongoing purpose and reason for existence.
  • Purpose: Communicates to employees, customers, suppliers, and partners about the organization's objectives.
  • Influence: A mission statement should influence how the organization approaches asset protection.

Example Mission Statements

  • (ISC)²: "Promote professionalism among information system security practitioners through the provisioning of professional certification and training."
  • Electronic Frontier Foundation: "Help civilize the electronic frontier; to make it truly useful and beneficial not just to a technical elite, but to everyone…"
  • Wikimedia Foundation: "Empower and engage people around the world to collect and develop educational content under a free license…"

Objectives and Goals

  • Objectives:

    • Statements describing activities or end-states that support the mission.
    • Must be observable and measurable but do not specify completion details.
  • Examples of Objectives:

    • Improve security audit results.
    • Develop a security awareness strategy.
    • Consolidate computer account provisioning processes.
  • Goals:

    • Specific accomplishments enabling the meeting of objectives.
    • Should be measurable, observable, and support mission and objectives.
  • Examples of Goals:

    • Obtain ISO 27001 certification by the end of the third quarter.
    • Reduce development costs by 20% in the next fiscal year.
    • Complete the integration of CRM and ERP systems by the end of November.

Risk Management

  • Definition: The process of determining the maximum acceptable level of overall risk associated with an activity, assessing it, and developing strategies to reduce excessive risks.
  • Key Components:
    • Vulnerabilities
    • Threats
    • Probability of threats (Low / Medium / High)
    • Impact assessment (Low / Medium / High)
    • Countermeasures

Risk Assessment Types

  • Qualitative Risk Assessment:

    • Identifies assets, vulnerabilities, threats, and assesses their impact qualitatively.
  • Quantitative Risk Assessment:

    • Provides numerical assessments of expected losses, based on asset value, exposure factor, and annualized rate of occurrence.
  • Example Calculation:

    1. Asset Value (AV): $2 million.
    2. Exposure Factor (EF): 50% loss during an attack.
    3. Annualized Rate of Occurrence (ARO): How often the loss is expected to occur in a year.
  • To calculate annual expected loss:
    $\text{Annual Expected Loss} = AV \times EF \times ARO$

Risk Treatment Strategies

  • Risk Acceptance: Accepting the risk as it is.
  • Risk Avoidance: Discontinuing the risky activity.
  • Risk Reduction: Implementing measures to mitigate risk.
  • Risk Transfer: Purchasing insurance to cover potential losses.

Additional Considerations

  • Geographic Considerations: Replacement and repair costs may vary by location, impacting overall risk assessment and management.

  • Risk Assessment Methodologies:

    • NIST 800-30: Risk Management Guide for IT systems.
    • OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation.
    • FRAP: Facilitated Risk Analysis Process.
    • Spanning Tree Analysis: Visual representation, similar to a mind map.
  • Residual Risk: The risk that remains after implementing risk treatment strategies.
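The quantitative calculation from the Risk Assessment Types section and the residual-risk idea above, worked through as a small risk register. This is an added example, not course material: the Low/Medium/High matrix and the ARO, countermeasure and cost figures are constructed assumptions; only the $2 million asset value and 50% exposure factor come from the slide.

```python
"""Risk register: qualitative rating, ALE, and residual risk (added example, not course material)."""
from dataclasses import dataclass

# Ordinal scale for the Low / Medium / High ratings used in the slides.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


def qualitative_rating(probability: str, impact: str) -> str:
    """Combine Low/Medium/High probability and impact into one risk level.
    The 3x3 matrix below is an assumed convention, not one the slides define."""
    score = LEVEL[probability] * LEVEL[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost in one incident
    aro: float              # ARO, expected incidents per year

    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.exposure_factor  # SLE = AV x EF

    def annual_expected_loss(self) -> float:
        # Annual Expected Loss = AV x EF x ARO, the formula on the slide
        return self.single_loss_expectancy() * self.aro


def residual_risk(risk: Risk, new_ef: float, new_aro: float) -> float:
    """Annual expected loss that remains after a risk-reduction countermeasure."""
    return Risk(risk.name, risk.asset_value, new_ef, new_aro).annual_expected_loss()


def countermeasure_value(risk: Risk, new_ef: float, new_aro: float, annual_cost: float) -> float:
    """Net annual benefit of a safeguard: loss avoided minus what it costs to run."""
    return risk.annual_expected_loss() - residual_risk(risk, new_ef, new_aro) - annual_cost


# Constructed sample: the slide's AV and EF, plus an assumed ARO of 0.1 (one incident per decade).
DATACENTER = Risk("Data centre outage", asset_value=2_000_000, exposure_factor=0.5, aro=0.1)

if __name__ == "__main__":
    print(f"{DATACENTER.name}: qualitative={qualitative_rating('Low', 'High')}, "
          f"SLE=${DATACENTER.single_loss_expectancy():,.0f}, ALE=${DATACENTER.annual_expected_loss():,.0f}")
    print(f"Residual ALE after safeguard (EF 0.2): ${residual_risk(DATACENTER, 0.2, 0.1):,.0f}")
    print(f"Net benefit of a $30k/yr safeguard: ${countermeasure_value(DATACENTER, 0.2, 0.1, 30_000):,.0f}")
```

Running it shows an ALE of $100,000 for the sample, $40,000 residual after the assumed safeguard, and a net benefit of $30,000 per year; a negative net benefit would argue for acceptance or transfer instead of reduction.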