Brunel - Computer Science - CS3609 Cybersecurity Lecture Notes (Exam Revision)

Pages
62
Uploaded on
28-02-2022
Written in
2020/2021

These are the lecture notes I created and used to revise for the CS3609 Cybersecurity exam at Brunel University, in which I received a First Class.

Document information

Type
Class notes
Professor(s)
David Bell
Contains
All classes

Content preview

Module: CS3609
Lecture Topic: Information and Risk
Week: 2

Risk Management

Risk management is the process of understanding and responding to factors that may lead to a
failure in the confidentiality, integrity, or availability of an information system.




Confidentiality is about keeping information private and preventing people who should not see it
from accessing it.

Integrity is about ensuring that information is not altered or tampered with (e.g. blockchain).

Availability is about ensuring that those who should have access to the information can see it.

Risk is a situation or event that exposes an asset to harm, together with the probability of that
risk being realised. If it is realised, it can cause a loss of money. (Fines could be 4% of turnover,
for poor security or for not declaring breaches.)

Information security is the preservation of CIA. Other properties such as
authentication, authorization, non-repudiation, audit and accountability
can also be involved.




Why risk management? It’s not a matter of IF but WHEN…
No organization is exempt from data breaches.

Tesco Bank was fined 16.8 million pounds 2016-2019 for data breaches.
You must continuously identify and quantify risk; you need to assess the effectiveness of deployed
goals to reduce impact.




(This one is always included in the exam.)

These 7 factors need to be understood.

Stakeholders are risk owners, system owners, asset owners, or anyone who has a stake in the
information system or the asset.

An asset is anything that has value: tangible items, people, information, intellectual property.
Consider what assets are at risk in your network topology in terms of the vulnerabilities.

A threat is a single potential cause of an unwanted incident. Threats come from threat agents.

Controls are implemented to mitigate vulnerabilities. A vulnerability is a weakness in an asset or
the absence of a security control that can be exploited by a threat (e.g. insufficient maintenance,
single point of absence, as well as floods/fire).

Controls are the means of managing risk. They can place limits on the activities that might pose a
risk, acting proactively as safeguards, or as countermeasures once an incident occurs (how to
detect, contain and recover from an incident).



CVE – Common Vulnerabilities and Exposures

cve.mitre.org

You can explore the threats. The CVE system provides a reference method for publicly known
information security vulnerabilities and exposures.

MITRE ATT&CK framework.

Risk Analysis

Risks can be analysed by either quantitative or qualitative risk methodologies.




Quantitative analysis relies on specific numbers, which makes it more precise and allows decision
makers to make better decisions about risk and to quantify it. It usually involves money (£/$) and
relies on the accuracy and completeness of the numerical values. It quantifies the loss.

Qualitative analysis is used when you don't have hard data: you ask people what they think based on
their experience. The data is subjective, based on risk perception by the stakeholders. Qualitative
analysis gives a handle on risk which is not covered by the hard numbers. This allows you to think
about the risk register.

Ideally, you would take a hybrid approach and use both.
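
The hybrid approach, as an added example that is not part of the original notes: a small Python risk register that rates every risk with a qualitative likelihood x impact matrix and, where hard numbers exist, computes the annualised loss expectancy (ALE = SLE x ARO, the standard textbook formula, which these notes do not state) and the net value of a control. The 3-point scale, the thresholds, the field names and all figures are constructed assumptions.

```python
# Added example: hybrid risk register. All entries and figures are constructed.
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point qualitative scale

@dataclass
class Risk:
    name: str
    likelihood: str                    # stakeholder judgement (qualitative)
    impact: str                        # stakeholder judgement (qualitative)
    sle: Optional[float] = None        # single loss expectancy in GBP, if known
    aro: Optional[float] = None        # annual rate of occurrence, if known
    control_cost: float = 0.0          # annual cost of the proposed control
    aro_after: Optional[float] = None  # expected ARO with the control deployed

    def rating(self) -> str:
        """Qualitative rating from the likelihood x impact matrix."""
        score = LEVELS[self.likelihood] * LEVELS[self.impact]
        return "high" if score >= 6 else "medium" if score >= 3 else "low"

    def ale(self) -> Optional[float]:
        """Annualised loss expectancy; None when there is no hard data."""
        if self.sle is None or self.aro is None:
            return None
        return self.sle * self.aro

    def control_value(self) -> Optional[float]:
        """Net annual benefit of the control: ALE reduction minus its cost."""
        if self.ale() is None or self.aro_after is None:
            return None
        return self.ale() - self.sle * self.aro_after - self.control_cost

def prioritise(register):
    """Rank by qualitative rating first, then by ALE where one is available."""
    return sorted(register,
                  key=lambda r: (LEVELS[r.rating()], r.ale() or 0.0),
                  reverse=True)

REGISTER = [
    Risk("Ransomware on file server", "medium", "high",
         sle=200_000, aro=0.25, control_cost=15_000, aro_after=0.05),
    Risk("Laptop theft", "high", "low",
         sle=2_000, aro=4, control_cost=3_000, aro_after=3),
    Risk("Insider leaks customer data", "low", "high"),  # qualitative only
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.rating():6} ALE={r.ale()} control value={r.control_value()}  {r.name}")
```

A negative control value (the laptop entry) means the control costs more per year than the loss it prevents; the insider entry has no ALE and is ranked on stakeholder judgement alone.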