Cyber Risk Analysis - benjamin-s-hobbs/reading-notes GitHub Wiki

Cyber Risk Analysis

From: Security and Risk Management

CISSP Domain 1: Security and Risk Management - What you need to know for the exam

  • The primary objectives of Information Security within the organization from a risk management perspective include:
    • To have controls in place to support the mission of the organization.
    • To have all decisions be based on the risk tolerance of the organization.

CAUTION: This is counter-intuitive for anyone with military training! The order is Strategy-Tactics-Operations (in THAT order)

  • Strategic - Long-term goals

    • Planning Horizon - An approach to creating a strategy
  • Tactical - Mid-term goals

  • Operational - Short-term or daily goals

Security Fundamentals: Confidentiality, Integrity, and Availability (CIA Triad)

  1. Confidentiality: Prevent unauthorized disclosure

  2. Integrity: Detect modification of information

  3. Availability: Provide timely and reliable access to resources

Risk Management Lifecycle

  • Identify

    • Categorize
  • Assess

    • Analysis
      • Quantitative

        1. Asset Value (AV) - How much is the asset worth?

        2. Exposure Factor (EF) - What percentage of Asset Value is lost in a single occurrence?

        3. Single Loss Expectancy (SLE) - What does it cost if it happens once?

           SLE = AV x EF
          
        4. Annual Rate of Occurrence (ARO) - How often will this happen per year?

        5. Annualized Loss Expectancy (ALE) - What does it cost per year if we do nothing?

           ALE = SLE x ARO
          
        6. Total Cost of Ownership (TCO) is the mitigation cost: upfront + ongoing cost

      • Qualitative

  • Mitigate

  • Monitor, Report, & Document
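To make the quantitative formulas above concrete, here is an added worked example (my own code, not part of the original reading or the CISSP material) that computes SLE and ALE for a constructed scenario and then weighs a control's annual TCO against the ALE it removes. The scenario figures (asset value, exposure factor, ARO, control costs) are made-up sample values, and the safeguard-value formula (ALE before - ALE after - annual TCO) goes one step beyond the notes: it is the standard cost/benefit check used to decide whether a mitigation is worth buying.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair, described with the quantitative inputs from the notes."""
    name: str
    asset_value: float      # AV: what the asset is worth (currency units)
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year

    def __post_init__(self) -> None:
        # Guard against the two most common data-entry mistakes: EF given as a
        # percentage (25 instead of 0.25) and negative values.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        # SLE = AV x EF: cost of one occurrence
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # ALE = SLE x ARO: expected yearly cost if we do nothing
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A mitigation with its TCO (upfront + ongoing) and the residual risk it leaves."""
    name: str
    upfront_cost: float
    annual_cost: float
    lifetime_years: int
    residual: RiskScenario  # the same scenario as it looks once the control is in place

    def annual_tco(self) -> float:
        # TCO = upfront + ongoing; the upfront cost is spread over the control's lifetime
        # so it can be compared with the per-year ALE figures.
        if self.lifetime_years <= 0:
            raise ValueError("lifetime must be at least one year")
        return self.upfront_cost / self.lifetime_years + self.annual_cost


def safeguard_value(before: RiskScenario, safeguard: Safeguard) -> float:
    """Annual value of a control: ALE(before) - ALE(after) - annual TCO.

    A positive result means the control costs less than the loss it prevents;
    a negative result means accepting (or transferring) the risk is cheaper.
    """
    return before.ale() - safeguard.residual.ale() - safeguard.annual_tco()


def rank_safeguards(before: RiskScenario, options: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate controls by annual value, best first."""
    scored = [(s.name, safeguard_value(before, s)) for s in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample figures (hypothetical, not from the notes):
# a public web server worth 200,000 that loses 25% of its value per incident,
# with an incident expected twice a year.
WEB_SERVER = RiskScenario("public web server", asset_value=200_000, exposure_factor=0.25, aro=2.0)

# Option A: a control that cuts ARO from 2.0 to 0.5; 30,000 upfront over 3 years plus 10,000/year.
OPTION_A = Safeguard(
    "option A (reduces frequency)", upfront_cost=30_000, annual_cost=10_000, lifetime_years=3,
    residual=RiskScenario("public web server", 200_000, 0.25, 0.5),
)

# Option B: a control that only trims EF from 0.25 to 0.20 but costs 60,000/year.
OPTION_B = Safeguard(
    "option B (reduces impact)", upfront_cost=0, annual_cost=60_000, lifetime_years=1,
    residual=RiskScenario("public web server", 200_000, 0.20, 2.0),
)

if __name__ == "__main__":
    print(f"SLE = {WEB_SERVER.sle():,.0f}   ALE = {WEB_SERVER.ale():,.0f}")
    for name, value in rank_safeguards(WEB_SERVER, [OPTION_A, OPTION_B]):
        verdict = "worth it" if value > 0 else "not worth it"
        print(f"{name}: annual value {value:,.0f} ({verdict})")
```

Running the script shows SLE = 50,000 and ALE = 100,000 for the sample scenario; option A nets 55,000 per year and is worth buying, while option B loses 40,000 per year, so for that risk the cheaper choice is to accept or transfer it rather than mitigate with B.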

Questions for Understanding

  1. Consider a bank ATM that allows users to access bank account balances. What measures can the ATM incorporate to cover the principles of the CIA triad?

    • A low-visibility screen may be employed to preserve confidentiality
    • The ATM's location outside of the bank, where it can be accessed 24/7, contributes to availability
    • The use of a PIN and locking out after too many wrong attempts, combined with an on-premises camera, supports the integrity of the process.
  2. Name three best practices that support the CIA triad.

    • Separation of Duties - Primarily supports Integrity.
    • Dual Control - Preserves Integrity and can support Confidentiality.
    • Least Privilege - Supports Confidentiality, Integrity, and Availability.
    • Need to know - Supports Confidentiality and Availability.
  3. What are the three stages of the risk management lifecycle? What is each stage’s main goal or objective?

    • Risk Assessment - Identify, categorize, classify, and evaluate assets, threats, and vulnerabilities

    • Risk Analysis - Conduct Qualitative and Quantitative analysis of risks

    • Risk Mitigation/Response - Reduce/Transfer/or Accept the risk (or combination thereof)

Additional Resources

The below resources are not a part of this reading assignment but will enrich your understanding of the topic.

What more do I want to know?

Additional Materials