Rcs webinar 1 2011_06_23
Jeff Bodin
Measurement, Qualitative vs Quantitative Analysis, and other Cool Stuff.
1.
Presenting: Risk Centric Security, Inc. www.riskcentricsecurity.com
Sponsor: Aliado www.aliadocorp.com
Risk Analysis for the 21st Century
Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2011 Risk Centric Security, Inc. All rights reserved.
2.
Heather Goodnight is an accomplished Global Sales and Business Development Consultant. Over the years, her unique, practical insight into problems of risk and opportunity has provided important guidance for organizations both large and small. She is a cofounder of Risk Centric Security and currently serves as President of the Corporation.

Patrick Florer has worked in information technology for 30 years. In addition, he has worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.
3.
When speaking with our customers, we recognized:
Information Security Professionals are comfortable speaking the technical language of firewalls, logs, threats, vulnerabilities, and exploits.
Business managers are comfortable speaking the language of return on investment, discounted cash flows, and risk as financial impact.
Mutual misunderstanding can occur, and it is often a source of frustration for everyone.
4.
By learning to speak about risk in business terms, Information Security Professionals can reach out and bridge the language gap.
The technical details of SQL injection attacks may be important to you, but your business counterparts may not understand, and they usually don’t care.
5.
Instead of talking about threats, vulnerabilities, and controls, talk about risk in terms of financial impact.
Tell the business people what a SQL injection attack could cost. They will understand that! (They may not believe you, but they will understand what you are saying!)
6.
Risk
Risk and Opportunity
Possibility vs. probability
Measurement
Precision vs. accuracy
Qualitative vs. quantitative methods
The “not enough data” syndrome
Monte Carlo simulation
Modeling expert opinion and the PERT distribution
7.
From The American Heritage dictionary*:
The possibility of suffering harm or loss; danger.
A factor, thing, element, or course involving uncertain danger; a hazard.
The danger or probability of loss to an insurer.
The amount that an insurance company stands to lose.
The variability of returns from an investment.
The chance of nonpayment of a debt.
*The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000. Houghton Mifflin Company.
8.
From ISO 31000:
1.1 risk - effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected, positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
9.
In the USA, NIST Special Publication 800-30 describes risk in the following way:
Risk is “the net mission impact considering the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability, and the resulting impact if this should occur.”
10.
NIST (The National Institute of Standards and Technology) provides an additional definition of risk in Special Publication 800-39:
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
NIST, The National Institute of Standards and Technology, Special Publication 800-39, Appendix B, Page B-7.
11.
A probability that something will happen
A probable impact if something does happen
12.
The probability that something will happen to cause a negative impact in financial terms:
For example, a 50% chance that it will cost 50 million dollars if our data are stolen.
Another way to express this is to multiply the two numbers together and say that:
Risk = 25 million dollars on an annualized basis
13.
For our discussion today, Risk will be used to indicate loss or harm.
Opportunity can be viewed as the positive aspect of Risk.
The techniques that apply to Risk analysis can also be applied to Opportunity analysis.
14.
Let’s look at tossing a coin:
What are the possibilities?
What are the probabilities?
Does knowing either help us predict what will happen when we toss the coin next time?
15.
A possibility is something that is “capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true.”*
A probability is “the likelihood that a given event will occur.”*
*All quotes from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000. Houghton Mifflin Company.
16.
In statistics, a probability is “a number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences.”*
Probability is calculated after tossing the coin many times.
Probability is always a number between 0 and 1, sometimes expressed as:
*All quotes from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000. Houghton Mifflin Company.
17.
How can we use this in information security risk analysis?
The fact that something can happen (possibility) doesn’t tell us how likely it is to happen (probability), or how much impact it might have if it does happen (impact).
Estimating these values helps us prioritize our activities in a rational way.
18.
What is a measurement?
An observation that “ascertains the dimensions, quantity, or capacity of” an object or process*
A set of observations that reduce uncertainty where the result is expressed as a quantity**
*The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000. Houghton Mifflin Company.
**Hubbard, Douglas W., “How to Measure Anything”, 2nd Edition, John Wiley & Sons, New Jersey, 2010, p. 23.
19.
What are the properties of a measurement?
Validity – does the measurement actually do what you think it does?
Reproducibility – when repeated, does the measurement give a consistent answer?
Detail – does the measurement provide a useful level of detail?
20.
What are some sources of error in measurement?
Random error – a function of the instrument
Bias – a function of the measurement taker
21.
Why do we make measurements?
Measurements are a way to collect data.
Making measurements should be about reducing uncertainty.
A measurement only has to be good enough for the decision at hand.
Sometimes, you cannot get the data you think you need, so you have to use a proxy.
22.
Precision is “the ability of a measurement to be consistently reproduced.”*
Accuracy is “the ability of a measurement to match the actual value of the quantity being measured.”*
*All quotes from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000. Houghton Mifflin Company.
23.
Precision: a machine can produce the same part to within 1/1000th mm all day long. This is no guarantee that the part is the correct length, however.
Accuracy: a machine can produce the same part to within +/- 2/1000th mm of the correct length. Although some parts are a bit shorter and some are a bit longer, every part is within spec.
24.
Precision: 100.001, or 10.233%
Accuracy: 100 or 10%, or 10.2%
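Slides 22 to 24 contrast precision with accuracy. The following Python example is added here and is not from the deck: it puts numbers on the two machines of slide 23. The 100.000 mm target, the two measurement runs and the two tolerances are constructed to match that slide's description.

```python
"""Precision (repeatability) vs. accuracy (closeness to the true value).

Added example, not from the Risk Centric Security deck. The 100.000 mm
target, the two measurement runs and the tolerances are constructed to
match the two machines described on slide 23.
"""
import statistics

TARGET_MM = 100.000      # constructed nominal ("correct") part length
REPEAT_TOL_MM = 0.001    # slide 23: "to within 1/1000th mm all day long"
SPEC_TOL_MM = 0.002      # slide 23: "within +/- 2/1000th mm of the correct length"

# Machine A: tight spread, but every part comes out ~5/1000 mm too long.
MACHINE_A_MM = [100.0051, 100.0049, 100.0050, 100.0052, 100.0048, 100.0050]
# Machine B: wider spread, but centred on the target length.
MACHINE_B_MM = [100.0018, 99.9985, 100.0009, 99.9992, 100.0015, 99.9981]


def precision_mm(samples):
    """Spread of repeated measurements (sample standard deviation).
    Says nothing about whether the parts are the right length."""
    return statistics.stdev(samples)


def bias_mm(samples, target=TARGET_MM):
    """Accuracy error: how far the average measurement sits from the
    true value. Zero bias with a wide spread is still accurate."""
    return statistics.fmean(samples) - target


def is_precise(samples, tol=REPEAT_TOL_MM):
    """Repeatable: every measurement lies within tol of the run's own mean."""
    mean = statistics.fmean(samples)
    return all(abs(x - mean) <= tol for x in samples)


def is_accurate(samples, target=TARGET_MM, tol=SPEC_TOL_MM):
    """In spec: every measurement lies within tol of the true value."""
    return all(abs(x - target) <= tol for x in samples)


def classify(samples):
    """Summarise a run the way slide 25 frames the choice."""
    p, a = is_precise(samples), is_accurate(samples)
    if p and a:
        return "precise and accurate"
    if a:
        return "accurate but not precise"
    if p:
        return "precise but not accurate"
    return "neither precise nor accurate"


if __name__ == "__main__":
    for name, run in (("Machine A", MACHINE_A_MM), ("Machine B", MACHINE_B_MM)):
        print(f"{name}: stdev={precision_mm(run):.4f} mm, "
              f"bias={bias_mm(run):+.4f} mm -> {classify(run)}")
```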
25.
Prefer Accuracy to Precision.
Precise Accuracy? – it would be nice!
26.
Qualitative methods: green, yellow, orange, and red (dashboards) or a scale from 0 – 5 (categorical, nominal, and ordinal).
Quantitative methods: real numbers (cardinal scale).
Most of the time, quantitative methods are easier.
27.
Benefits of qualitative methods?
They are useful in certain scenarios, and can be quick and good enough.
Problems with qualitative methods?
Variability between assessors
Inconsistency of a single assessor
Arithmetic and statistical operations not possible
Problems near the boundaries of categories
Loss of information
28.
Variability between assessors
Faced with the same set of facts, different assessors apply a scale differently.
Two QSAs apply the PCI standards differently.
Two risk analysts classify risks differently – one says low, one says medium.
29.
Inconsistency of a single assessor
Given the same set of facts, an assessor might make different assessments when the only difference is the passage of time.
30.
Difficulty with arithmetic and statistical operations
From ISO 17999
33.
Difficulty with arithmetic and statistical operations
Imagine if money worked this way:
The value of a dollar would be relative to the purchase price of an item.
The value of a dollar might vary from store to store.
34.
Problems with aggregation and estimates near the boundaries of categories
Assume that:
Low = < 1M
Medium = 1M – 5M
High = > 5M
35.
And assume that the following risks have been identified and put into categories:
$100K, 500K, 800K: all in Low category
$1M, 3M, 3M, 4M: all in Medium category
36.
What happens when you aggregate based upon qualitative scales?
What is the real difference between a very “high Low” and a very “low Medium”?
How can we justify and defend category boundaries that are essentially arbitrary?
37.
Loss of information
Most of the time, we get a number in mind. Then, we assign it to a category.
Why not just keep the number?
Or better yet, create a distribution around a range of estimates to better express our beliefs and confidence?
38.
Benefits of quantitative methods?
The numbers mean what they are (cardinality).
Arithmetic and statistical methods are possible.
Problems with quantitative methods?
Data are required.
Estimates are estimates – the future hasn’t happened yet.
Formal training in calibration techniques is very helpful.
39.
They say: there isn’t enough “good” data, so you are just processing “garbage in and garbage out.”
The reason we need data is to reduce uncertainty in decision-making.
The decision we need to make will define the data we need – some decisions require very little data, others require quite a bit.
40.
A sample can be smaller than you think.
Parametric vs. non-parametric methods
Contact us for more information on these topics.
41.
We often hear that the data are poor – what does this mean?
Data are just data – some data may be more interesting than other data – it depends on what you are doing.
42.
Dan Geer et al.:
The Index of Cybersecurity (http://www.cybersecurityindex.org/)
Prediction Market Project
The Beewise Project (http://beewise.org/markets/metricon.ctrl)
43.
Please refer to the slides at the end of this presentation.
44.
Monte Carlo simulation is a game changer for information security risk analysis.
Less sophisticated methods use single-point estimates or even simple ranges of estimates: 35%, or from 20% - 51%.
Monte Carlo methods sample thousands or tens of thousands of values, and provide a much clearer picture of the possible outcomes.
45.
46.
Minimum:
What is the least or lowest (best or worst) numerical estimate that you believe to be reasonable? This will be the smallest number you come up with.
Most Likely:
What is the most likely or most probable numerical estimate in your opinion? This number must fall between the minimum and maximum. It may equal either the minimum or the maximum, but should not equal both.
47.
Maximum:
What is the greatest or highest (best or worst) numerical estimate that you believe to be reasonable?
Note that “best” or “worst” case estimates could be either minimum or maximum values, depending upon the scenario.
In a risk / loss exposure scenario, lower is better, so the minimum represents the lowest loss, or best outcome. The maximum represents the highest loss, or worst outcome.
In a sales or opportunity scenario, it’s the reverse: lower is not better, so the minimum represents the worst case. Higher is better, so the maximum represents the best case.
48.
Confidence:
On a scale that includes “Very Low”, “Low”, “Average”, “High”, and “Very High”, how confident are you in the accuracy of your estimates?
This parameter controls the sampling around the most likely value, and thereby also controls the height of the histogram or slope of the cumulative plot.
For most analyses, using “Average” for the confidence parameter works well. In this instance, “Average” really means having no strong feeling about the matter – being evenly divided between under-confidence and over-confidence.
49.
Percentile Tables
50.
Percentile Tables
1% of values are <= 10,044 and 99% are > 10,044
10% of values are <= 11,120 and 90% are > 11,120
20% of values are <= 11,658 and 80% are > 11,658
50% of values are <= 13,025 and 50% are > 13,025
The 50th percentile has another name - it’s called the Median.
The Median is the mid-point in a list of values - half of the values in the list are less and half are greater than the Median.
51.
Histogram
52.
Cumulative Plot
53.
Thank you!
Heather Goodnight
Patrick Florer
Risk Analysis for the 21st Century
Co-founders, Risk Centric Security, Inc
heather@riskcentricsecurity.com
patrick@riskcentricsecurity.com
www.riskcentricsecurity.com
214.405.5789
Jody Keyser
Aliado
jkeyser@aliadocorp.com
54.
Open Security Foundation: datalossdb and osvdb
http://www.opensecurityfoundation.org/
Computer Security Institute (CSI): http://gocsi.com/
Office of Inadequate Security: http://www.databreaches.net/
Identity Theft Resource Center: http://www.idtheftcenter.org/
ISACA: www.isaca.org
ISSA: www.issa.org
55.
Mitre Corporation: www.mitre.org
OWASP: http://owasp.com/index.php/Main_Page
Privacy Rights Clearing House: http://www.privacyrights.org/
SANS: www.sans.org
The Ponemon Institute: www.ponemon.org
56.
Conference proceedings: Black Hat, RSA, Source Conferences, BSides
Internet tools:
Search engines: Google, Bing, Yahoo, Ask.com
Trend analyzers:
Google Trends: http://www.google.com/trends
Twitter trends: www.trendistic.com
Amazon: http://www.metricjunkie.com/
57.
Securitymetrics.org – mailing list
Society of Information Risk Analysts (SIRA)