
RISK ANALYSIS

HELLO!
Mukesh Mahto (15030141036)
Yogesh Khetan (150301401062)
Sagar Ramanandi (15030141117)
MBA-IT, Div B
Subject: ISM

What is Risk Analysis?

An analytical process that provides information regarding undesirable events.
The process of estimating probabilities and expected consequences for identified risks.
The estimation of the risk associated with the identified hazards. It is a qualitative or quantitative process linking the likelihood of occurrence and the severity of harm.
A detailed examination including risk assessment, risk

Goals of Risk Analysis.


All assets have been identified.
All threats have been identified.
Their impact on assets has been valued.
All vulnerabilities have been identified and assessed.

Steps for Risk Analysis

1. Identification of assets and business processes
2. Identification of threats and valuation of their impact on assets (impact valuation)
3. Identification and assessment of vulnerabilities to threats
4. Risk assessment (qualitative/quantitative)
5. Risk management
6. Risk communication

Identification of Assets
Types of asset:

Hardware
Software: purchased or developed programs
Data
People: those who run the system
Documentation: manuals, administrative procedures, etc.
Supplies: paper forms, magnetic media, printer ink/toner, etc.
Money
Intangibles: organisation confidence, organisation image

Impact Valuation
Identification and valuation of threats for each group of assets.
Identify threats, e.g. for stored data:

Loss of confidentiality
Loss of integrity
Loss of completeness
Loss of availability (denial of service)

For many asset types the only threat is loss of availability.
Assess the impact of each threat in levels, e.g. H-M-L or 1-10.
This gives the valuation of the asset in the face of the threat.

Identification of Process
Every company or organisation has some processes that are critical to its operation.
The criticality of a process may increase the impact valuation of one or more of the assets identified. So:
Identify critical processes.
Review the assets needed for critical processes.
Revise the impact valuation of these assets.

Identification of Vulnerabilities
Identify vulnerabilities against a baseline system:
For risk analysis of an existing system: the existing system with its known security measures and weaknesses.
For development of a new system: the security facilities of the envisaged software (e.g. Windows NT), and standard good practice, e.g. the BS 7799 recommendations of good practice.

Assessment of Vulnerabilities
For each threat, identify the vulnerabilities: the ways in which the threat could be exploited successfully.
Assess levels of likelihood (High, Medium, Low) for two things:
Likelihood of attempt: expensive attacks are less likely (e.g. brute-force attacks on encryption keys).
Likelihood of successful exploitation of the vulnerability.
Combine them with the matrix below (rows: likelihood of success; columns: likelihood of attempt):

                        Likelihood of Attempt
                        Low     Med     High
Likelihood    Low       Low     Low     Med
of Success    Med       Low     Med     High
              High      Low     Med     High
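The matrix above is small enough to apply by hand, but a vulnerability register quickly grows past that. The following is an added example, not code from the original slides: it encodes the slide's matrix exactly, parses a constructed register of vulnerabilities with their two likelihood ratings, and sorts them by the combined level. The register contents, the `Level`/`parse_level`/`assess` names and the semicolon-separated line format are assumptions made here for illustration.

```python
# Added example (not from the original slides): applying the
# likelihood-of-attempt x likelihood-of-success matrix to a register
# of vulnerabilities so they can be ranked before any quantitative work.
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MED = 2
    HIGH = 3


# Accepted spellings for the H-M-L ratings (assumption: a real register may differ).
_ALIASES = {
    "LOW": Level.LOW, "L": Level.LOW,
    "MED": Level.MED, "MEDIUM": Level.MED, "M": Level.MED,
    "HIGH": Level.HIGH, "H": Level.HIGH,
}


def parse_level(text: str) -> Level:
    """Turn 'Low' / 'Medium' / 'High' (any case) into a Level, rejecting anything else."""
    try:
        return _ALIASES[text.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown likelihood level: {text!r}") from None


# Rows are likelihood of success, columns likelihood of attempt in the order
# (Low, Med, High). Values copied from the matrix on the slide.
RISK_MATRIX = {
    Level.LOW:  (Level.LOW, Level.LOW, Level.MED),
    Level.MED:  (Level.LOW, Level.MED, Level.HIGH),
    Level.HIGH: (Level.LOW, Level.MED, Level.HIGH),
}


def combine(attempt: Level, success: Level) -> Level:
    """Look up the combined likelihood for one vulnerability (Level values start at 1)."""
    return RISK_MATRIX[success][attempt - 1]


# Constructed sample register (not on the slide):
# "vulnerability; likelihood of attempt; likelihood of success"
SAMPLE_REGISTER = """\
Default admin password on management console; High; High
Phishing for staff credentials; High; Medium
Unpatched web server with public exploit; Medium; High
Brute-force of 128-bit AES key; Low; Low
SQL injection in internal reporting tool; Medium; Medium
"""


def parse_register(text: str):
    """Parse the register into (name, attempt, success) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, attempt, success = (part.strip() for part in line.split(";"))
        rows.append((name, parse_level(attempt), parse_level(success)))
    return rows


def assess(text: str):
    """Return (name, attempt, success, combined) tuples, highest combined level first.

    Python's sort is stable, so entries with equal combined level keep register order.
    """
    rows = [(name, a, s, combine(a, s)) for name, a, s in parse_register(text)]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for name, attempt, success, combined in assess(SAMPLE_REGISTER):
        print(f"{combined.name:<4} attempt={attempt.name:<4} success={success.name:<4} {name}")
```

Note that the matrix is not symmetric: an attack that is cheap to attempt but unlikely to succeed (attempt High, success Low) lands on Med, whereas a near-certain exploit that nobody is likely to try (attempt Low, success High) stays Low. That asymmetry is the slide's point about expensive attacks, and the code reproduces it rather than averaging the two ratings.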

Risk Assessment
The process of evaluating the risk resulting
from a hazard
It is of two types:
1. Quantitative Risk Assessment.
2. Qualitative Risk Assessment.

Quantitative Risk Assessment
A quantitative analysis:
- This approach employs two fundamental elements: the probability of an event occurring and the likely loss should it occur.
- Quantitative risk analysis makes use of a single figure produced from these elements, called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'. It is calculated for an event by simply multiplying the potential loss by the probability.
- It is thus theoretically possible to rank events in order of risk (ALE) and to make decisions based upon this.
For risk analysis:
RISK = LOSS ($) x PROBABILITY
Usually measured in $ per annum and expressed as the Annual Loss Expectancy (ALE).

Quantitative Risk Assessment: Example
Hard disk failure on your PC
Hard disks fail about every three years, so the probability of failure is 1/3 per year.
Intrinsic cost: say $600 to buy a new disk.
But also, say 10 hours of your effort to reload the O/S and software, and say 4 hours to re-key assignments from the last backup.
Assume $10.00 per hour for your effort.
Total loss = $600 + 10 x (10 + 4) = $740
Applying the formula above, ALE = $740 x 1/3, about $247 per annum.
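Carrying the hard-disk figures through the ALE formula, as an added example that is not part of the original slides. It reuses the slide's numbers ($600 disk, 10 + 4 hours at $10/hour, probability 1/3 per year) and goes beyond the slide in two ways that are assumptions made here: a second, constructed event (laptop theft) so there is something to rank, and a simple cost-benefit check for a control, using the redundant drive from the qualitative example further on with an assumed $200/year cost and an assumed residual failure probability of 1/30. The `RiskEvent`, `rank_by_ale` and `control_is_worthwhile` names are likewise this example's own.

```python
# Added example (not from the original slides): the ALE arithmetic for the
# hard-disk case, plus ranking by ALE and a control cost-benefit check.
from dataclasses import dataclass

HOURLY_RATE = 10.0  # $ per hour of your own effort, from the slide


@dataclass(frozen=True)
class RiskEvent:
    name: str
    direct_loss: float         # intrinsic cost in $ (e.g. a replacement disk)
    effort_hours: float        # hours of labour needed to recover
    annual_probability: float  # expected occurrences per year

    def single_loss(self, hourly_rate: float = HOURLY_RATE) -> float:
        """Potential loss for one occurrence: intrinsic cost plus the valued effort."""
        return self.direct_loss + hourly_rate * self.effort_hours

    def ale(self, hourly_rate: float = HOURLY_RATE) -> float:
        """Annual Loss Expectancy: RISK = LOSS ($) x PROBABILITY, in $ per annum."""
        return self.single_loss(hourly_rate) * self.annual_probability


# Figures from the slide: $600 disk, 10 h reload + 4 h re-keying, a failure every ~3 years.
HARD_DISK = RiskEvent("Hard disk failure", direct_loss=600, effort_hours=10 + 4,
                      annual_probability=1 / 3)

# Constructed second event (assumption, not on the slide) so there is something to rank.
LAPTOP_THEFT = RiskEvent("Laptop theft", direct_loss=1500, effort_hours=8,
                         annual_probability=0.05)


def rank_by_ale(events):
    """Highest annual loss expectancy first, the ordering the slide proposes for decisions."""
    return sorted(events, key=lambda event: event.ale(), reverse=True)


def control_is_worthwhile(event: RiskEvent, residual_probability: float,
                          annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its own annual cost.

    residual_probability is the annual probability of the loss that remains
    with the control in place.
    """
    ale_after = event.single_loss() * residual_probability
    return (event.ale() - ale_after) > annual_control_cost


if __name__ == "__main__":
    for event in rank_by_ale([LAPTOP_THEFT, HARD_DISK]):
        print(f"{event.name:<18} loss=${event.single_loss():8.2f}  ALE=${event.ale():7.2f}/yr")
    # Assumed control: a mirrored second disk at about $200/yr ($600 every three years),
    # cutting the chance of a data-losing failure to 1/30 per year. Both are assumptions.
    print("Redundant drive worthwhile:", control_is_worthwhile(HARD_DISK, 1 / 30, 200))
```

The check in `control_is_worthwhile` is the decision the slide alludes to: with the assumed figures the redundant drive removes about $222 of annual expected loss for $200 of annual cost, so it is worth buying; at $250 a year it would not be. The sensitivity to those two assumed inputs is exactly why the probability estimate matters in a quantitative assessment.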

Qualitative Risk Assessment
This is by far the most widely used approach to risk analysis. Probability data is not required; only the estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of interrelated elements:
THREATS
These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are ever present for every system.
VULNERABILITIES
These make a system more prone to attack by a threat, or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of flammable materials (e.g. paper).

Example Qualitative Risk Assessment: Hard Disk Failure

Risk:           Loss of data/information, loss of money
Threat:         Hard drive failure
Vulnerability:  Poor quality hard drive, fluctuating voltage, improper protection from dust
Impact:         High loss to business
Control:        Redundant hard drive

Risk Management and Risk Communication
Risk Management
- Based on the results of the risk assessment, decisions are taken and policy is formulated.
- Risk management is the process of weighing policy alternatives, in consultation with all interested parties, using the judgement of the risk managers and considering the risk assessment and other factors.

Risk Communication
Information exchange between risk assessors, risk managers and those affected by both the risk and the decisions, taking place before the final policy decisions are taken.

THANKS!
Any questions?
