RISKS and THREATS for I.T.
Cybersecurity
- Risk, Threat, Vulnerability, Costs explained
see also  witiger.com/ecommerce/RiskAndThreatIntroTypesOfAttacks.htm
last updated 2014 Sept 15
 
This page is used in the following courses taught by Prof. Richardson:
BIT 801
MGD 415
MGD 426
What is a Risk - definitions

Risk, as the term is used in information security, consists of three basic components:
  • threats, 
  • probability (the chance that the threat will actually happen) 
  • impact (cost) 

"A threat is defined as any event that has the potential to cause harm to the assets of an organization. Vulnerabilities are weaknesses or susceptibilities to particular threats. The vulnerability and threat determine the probability of a threat being realized."
from  www.transactionworld.com/articles/2005/May/compliance1.asp
What is a Risk - the Risk Equation

Risk = Threat x Vulnerability x Cost ($)
from  www.icharter.org/articles/risk_equation.html

- therefore, in order to evaluate and quantify Risk, you need to 

  • ascertain what the threats are, 
  • assess your vulnerability to each threat (this is the probability term from the definition above: how likely the threat is to succeed against you), 
  • and determine what it would cost if the threat were realized, and whether your company or enterprise can afford that loss or must instead pay to cover the vulnerability
What is a Risk - the difference between a Risk and a Threat

Risk
"A threat that exploits a vulnerability that may cause harm to one or more assets"

Threat
"A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service"

Simply put:

  • Threat is the bad thing that can happen
  • Risk is what that bad thing would cost you, weighted by how likely it is to happen to you - and it becomes likely because you did something, or created something, that made you vulnerable.
    • quantifying, or measuring, Risk therefore comes down to how likely the threat is and how much you can afford for it to take place
    • if the loss from a threat is "affordable", the risk is low; if the threat took place and cost you very dearly, you can describe it as a severe Risk
      • almost everybody drives a car
      • almost everybody worries about the threat of a mechanical breakdown, which is why many people pay for CAA to deal with the Risk
      • but if your son is a mechanic, lives close to you, and you never drive your car more than 10 miles from home, the threat is still there but the impact of a breakdown is small - the risk is negligible and you don't need CAA
definitions from  http://securityresponse.symantec.com/avcenter/refa.html
What is a Risk - Example
  • threat - it is freezing rain
  • but if you stay inside all day, you have no risk
  • if you go out and drive your car, you have a risk
  • if your tires are bald, you have a vulnerability: the threat is far more likely to succeed against you
  • if you are very wealthy and can afford to get your car smashed up because you were in an accident because your tires were bald, the vulnerability is still there (the tires are still bald), but the Cost term in the equation is small, so the risk is one you can accept (except for the damage to your body, which money does not cover)
What is a Vulnerability

Vulnerability is the chance that a particular threat succeeds against some asset.

For example, we have a threat of heavy rain.
We have a tented awning in the backyard.
If the rain is expected to be very heavy, and we know the awning is not tied down well, then we have a vulnerability, because the threat can successfully act upon the asset and damage it.

If the awning is tied down well and made of heavy canvas, then there is no vulnerability to a normal heavy rain. If the rain approaches the strength of a hurricane, then there is a gradation back up to the level of being vulnerable.

What is a Vulnerability - assessment of the threat happening

The key point in evaluating vulnerability is determining, as closely as possible, the chances of the threat happening. One of the essential points in security management is using information about past incidents and the current environment to estimate (often it is little better than a guesstimate) the chances that a threat will, or will not, take place - because it is this estimate that determines how seriously you need to take the threat.
Risk Assessment - Costs (Bruce Schneier, Counterpane: http://www.counterpane.com/)

In Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World" he explains that 

"It's not enough to simply list a bunch of threats, you need to know how much to worry about each of them".
[this is where a threat becomes a risk]

"This is where risk assessment comes in. The basic idea is to take all the threats, estimate the expected loss per incident and the expected number of incidents per year, then calculate the annual loss expectancy (ALE)."
Chpt 19, p. 301

What are Costs

"Cost is the total cost of the impact of a particular threat experienced by a vulnerable target. Hard-dollar costs are measured in terms of "real" damages to hardware or software, as well as quantifiable IT staff time and resources spent repairing these damages. Semi-hard costs might include such things as lost business or transaction time during a period of downtime. Soft costs include such things as lost end user productivity, public relations damage control, a decrease in user or public confidence or lost business opportunities."

from  www.icharter.org/articles/risk_equation.html

What are Costs - evaluating costs

In the case of the awning in the backyard, we can hypothesize the following scenario:
A. the awning costs $200 to replace
B. it would take you half an hour to tie down the awning more firmly and reinforce the supporting poles
C. you work from home as an IT consultant and bill $150 per hour
D. spending half an hour of your time ($75 of billable work) to tie down the awning is a reasonable use of your time, because it costs less than the $200 replacement - but if it took more than an hour and a half ($225, more than the awning is worth), it would not be: let the rain come down, take the risk, and buy a new awning with the money you made by continuing to do your work
Risk Assessment - Evaluating Costs - an I.T. threat (Bruce Schneier, Counterpane: http://www.counterpane.com/)

In Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World" he writes:

"..if the risk is a network intrusion by hackers looking for something to do, the expected loss per incident might be $10,000 (cost of hiring someone to figure out what happened, restore things to their normal state, etc.) and the number of incidents per year might be three per day, or 1000. This means that the ALE is $10,000,000. (You can see where this is heading. If the ALE is $10M, then buying, installing, and maintaining a firewall for $25,000 a year is a bargain. Buying a $40M super whiz-bang whatever is a waste of money. This analysis implies that both the firewall and the super whiz-bang whatever actually counter the threat. We’ll come back to that point later.)

Some risks have a very low probability of incidence. If the risk is a network intrusion by an industrial competitor out to steal the new design plans, the expected loss per incident might be $10,000,000 but the number of incidents per year might be 0.001: there’s a 0.1% chance of this happening per year. This means that the ALE is $10,000, and a countermeasure costing $25,000 isn’t such a bargain anymore."

Chpt 19, p. 302
permission to quote Bruce Schneier and to quote from his book dealt with in emails June 9th, 2006. Copies of emails kept in the permissions binder.
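The arithmetic behind both the awning scenario and Schneier's two intrusion scenarios is the same: annual loss expectancy (expected loss per incident times expected incidents per year) set against what a countermeasure costs. The following is an added worked example, not code from this page, from Schneier's book or from Counterpane. It uses the figures quoted above for the two intrusions and the page's own numbers for the awning; the class names, the "effectiveness" parameter (Schneier's caveat that the control must actually counter the threat), the break-even helper and the assumption that one expected heavy rain counts as one period (aro = 1.0) are all assumptions made here for illustration.

```python
"""Annual loss expectancy (ALE) and countermeasure break-even.

Added example; not code from the original page, from Bruce Schneier or
from Counterpane. Intrusion figures are those quoted from "Secrets & Lies";
awning figures are the page's hypothetical. Class names, the
'effectiveness' parameter, the break-even helper and the awning's
aro=1.0 are assumptions made here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: expected loss per incident ($)
    aro: float  # annualized rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """ALE = expected loss per incident x expected incidents per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    # Fraction of the ALE the control actually removes (assumed parameter).
    # Schneier's caveat lives here: the arithmetic only holds if the control
    # really counters the threat, so this is a number the assessor must defend.
    effectiveness: float = 1.0


def net_benefit(threat: Threat, cm: Countermeasure) -> float:
    """Annual value of buying the control: loss avoided minus what it costs.

    Negative means the control costs more than the loss it prevents.
    """
    avoided_loss = threat.ale() * cm.effectiveness
    return avoided_loss - cm.annual_cost


def worth_buying(threat: Threat, cm: Countermeasure) -> bool:
    return net_benefit(threat, cm) > 0


def break_even_aro(threat: Threat, cm: Countermeasure) -> float:
    """Incidents per year at which the control exactly pays for itself.

    ARO is the guessed term in the equation, so this is the sensitivity
    check: how far can the guess be off before the decision flips?
    """
    if threat.sle <= 0 or cm.effectiveness <= 0:
        raise ValueError("threat must cost something and control must remove some loss")
    return cm.annual_cost / (threat.sle * cm.effectiveness)


def rank_by_ale(threats):
    """Schneier's point: list the threats, then find out how much to worry about each."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# Scenarios from the page (figures as quoted; the names are ours).
JOYRIDERS = Threat("network intrusion by bored hackers", sle=10_000, aro=1000)
COMPETITOR = Threat("intrusion by competitor after design plans", sle=10_000_000, aro=0.001)
FIREWALL = Countermeasure("firewall", annual_cost=25_000)
WHIZBANG = Countermeasure("super whiz-bang whatever", annual_cost=40_000_000)

# The awning: $200 to replace, consultant time billed at $150/hour. One expected
# heavy rain is treated as the period (aro=1.0, an assumption), and tying the
# awning down is a control whose cost is the billable time it consumes.
AWNING = Threat("heavy rain flattens the awning", sle=200, aro=1.0)
TIE_DOWN_HALF_HOUR = Countermeasure("tie down awning (0.5 h)", annual_cost=0.5 * 150)
TIE_DOWN_90_MIN = Countermeasure("tie down awning (1.5 h)", annual_cost=1.5 * 150)


if __name__ == "__main__":
    for t in rank_by_ale([JOYRIDERS, COMPETITOR, AWNING]):
        print(f"{t.name}: ALE ${t.ale():,.2f}")
    for t, cm in [(JOYRIDERS, FIREWALL), (JOYRIDERS, WHIZBANG),
                  (COMPETITOR, FIREWALL), (AWNING, TIE_DOWN_HALF_HOUR),
                  (AWNING, TIE_DOWN_90_MIN)]:
        verdict = "buy" if worth_buying(t, cm) else "skip"
        print(f"  {cm.name} vs {t.name}: net ${net_benefit(t, cm):,.2f} -> {verdict}; "
              f"breaks even at {break_even_aro(t, cm):.4g} incidents/year")
```

The break-even figure is the practical output: for the competitor scenario the $25,000 control only pays off if the intrusion is expected at least 0.0025 times a year, two and a half times the 0.001 guessed above. Since that guess is the weakest number in the whole calculation (see "assessment of the threat happening"), knowing how far it can move before the decision changes matters more than the ALE figure itself.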
