Week 6

Introduction

  • Recap of last week’s discussion on information security organization.

  • Emphasis on the importance of understanding the structure of a security program.

Components of a Security Program

  • Key Components:

    • Leadership (someone in charge).

    • Problem identification and rectification process.

    • Evidence gathering, which may or may not be necessary.

  • Importance of iterative improvement in any security program: one focused on finding and fixing issues, so that the program does not become dysfunctional.

Risk Management Overview

  • Definition: Risk management deals with finite resources aimed at addressing infinite security goals.

  • Purpose: To create a structure around problems that need immediate attention and those that can be deferred.

  • Risk Assessment: Understanding uncertainty and the priorities of problems.

Understanding Risk

  • General Definition of Risk: Uncertainty in decision-making regarding potential outcomes.

  • Categories of Risk:

    • Bad Outcomes: Events that could lead to negative consequences (e.g., laptop loss, data breaches) which can't be entirely eliminated but can be mitigated.

    • Technical Risks: Risks due to vulnerabilities in software or systems that can be addressed through patching.

  • Terminology Confusion: Different understandings of 'risk' across disciplines lead to communication friction.

Risk Quantification Challenges

  • Subjectivity in Risk Assessment:

    • Evaluating risks involves subjective judgments about likelihood and impact.

    • Common metrics: Likelihood of an event and its potential impact.

  • Quantitative Methods:

    • Application of RAG (Red, Amber, Green) ratings to categorize risks.

    • Use of testing to quantify risks (e.g., sample size calculations for laptops).

Example: Assessing Laptop Security Risks

  • Likelihood Factors:

    • A larger laptop fleet increases the likelihood of a loss.

    • More remote workers increase the chance of a loss.

  • Impact Factors: Assessing the importance of the data on the lost laptop and categorizing impacts as low, medium, or high.
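The laptop example above, worked through as an added illustration (not part of the lecture notes): the likelihood factors (fleet size, share of remote workers) are turned into an expected number of losses per year, banded low/medium/high, and combined with the data-impact band on a RAG matrix; a second function sizes a spot-check audit of the fleet, the "sample size calculation" mentioned under quantitative methods, using the standard proportion-estimate formula with a finite-population correction. The loss rates, band thresholds and the RAG matrix are assumed illustrative values.

```python
import math

# Added example (not from the lecture): scoring the laptop-loss risk on a
# likelihood x impact matrix and sizing a spot-check audit of the fleet.
# All rates, thresholds and the RAG matrix below are assumed illustrative values.

# Assumed annual loss rate per laptop: office-based vs remote workers.
OFFICE_LOSS_RATE = 0.02
REMOTE_LOSS_RATE = 0.06

# Assumed RAG matrix indexed by [likelihood band][impact band].
RAG_MATRIX = {
    "low":    {"low": "green", "medium": "green", "high": "amber"},
    "medium": {"low": "green", "medium": "amber", "high": "red"},
    "high":   {"low": "amber", "medium": "red",   "high": "red"},
}

def expected_losses_per_year(laptops: int, remote_fraction: float) -> float:
    """Expected number of laptops lost per year for a fleet of the given size."""
    per_laptop = remote_fraction * REMOTE_LOSS_RATE + (1 - remote_fraction) * OFFICE_LOSS_RATE
    return laptops * per_laptop

def likelihood_band(expected_losses: float) -> str:
    """Map expected losses per year to low/medium/high (assumed thresholds)."""
    if expected_losses < 1:
        return "low"
    if expected_losses < 10:
        return "medium"
    return "high"

def assess_laptop_risk(laptops: int, remote_fraction: float, data_impact: str) -> dict:
    """Combine the likelihood factors from the notes with the data impact band."""
    losses = expected_losses_per_year(laptops, remote_fraction)
    likelihood = likelihood_band(losses)
    return {
        "expected_losses": losses,
        "likelihood": likelihood,
        "impact": data_impact,
        "rag": RAG_MATRIX[likelihood][data_impact],
    }

def audit_sample_size(fleet_size: int, margin: float = 0.10, z: float = 1.96, p: float = 0.5) -> int:
    """Laptops to spot-check to estimate a control's coverage (e.g. disk encryption)
    within +/- margin at 95% confidence, with finite-population correction."""
    n0 = z * z * p * (1 - p) / (margin * margin)
    n = n0 / (1 + (n0 - 1) / fleet_size)
    return math.ceil(n)
```

For a 500-laptop fleet with 40% remote workers and medium-impact data, the assessment lands on "red", and checking 81 machines is enough to estimate control coverage to within 10 percentage points.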

RACI Model in Risk Management

  • RACI Breakdown:

    • Responsible: The individuals who carry out the task.

    • Accountable: The person who is ultimately accountable for completion.

    • Consulted: Those whose opinions are sought.

    • Informed: Those who need to be kept up to date about progress.

  • Importance of clearly defining roles in managing security issues to ensure accountability.

Risk Treatment Strategies

  • Four Approaches:

    1. Accept the Risk: Acknowledging and hoping it does not manifest.

    2. Mitigate the Risk: Taking actions to reduce likelihood or impact (e.g., investing in security).

    3. Avoid the Risk: Altering processes to eliminate the risk (e.g., transitioning to desktops only).

    4. Transfer the Risk: Using insurance to cover potential losses.

Risk Tolerance Guidelines

  • Understanding Risk Tolerance Levels: Organizations often claim a 'medium' risk tolerance, which may not reflect true priorities or actions.

    • High Risk Stance: Prioritizing profit over security.

    • Medium Risk Stance: Maintaining a balance, but not overly concerned.

    • Low Risk Stance: High prioritization of security and data protection.

Conclusion

  • Importance of understanding risk management terminologies and processes to effectively engage in organizational discussions on security.

  • Encouragement to seek further resources on risk management concepts for deeper insights into organizational security dynamics.

Questions and Engagement

  • Opened for questions from attendees, emphasizing the practical implications of risk management and its subjective nature.
