Resource description:
"Rational Risk Management - M. E. Kabay web site" (uploaded and shared by a member; free online reading; more related content in the Education Resources section of the Tiantian Wenku library).
Rational Risk Management: Balancing Costs and Benefits of Security Measures
Cybersecurity Conference, 26 July 2006 – 13:00-16:00
M. E. Kabay, PhD, CISSP-ISSMP
Assoc. Prof. Information Assurance, Division of Business & Management, Norwich University
Program Director, MSIA, School of Graduate Studies, Norwich University
mailto:mkabay@norwich.edu
V: 802.479.7937

Topics
Part 1: Risk Assessment*
- Definitions
- Objectives of Risk Assessment
- Limits of Questionnaires
- A Model of Risk
- Risk Mitigation
Part 2: Risk Assessment Techniques
- Questionnaires
- Focus Groups
- Interviews
- Analytical Tools
* Based in part on Robert Jacobson's chapter in CSH4 (Bosworth & Kabay's Computer Security Handbook, 4th edition – Wiley, 2002)

Definitions
Risk: possibility of suffering harm or loss
Risk Management
- Risk assessment
- Risk mitigation
- Security management
- Security auditing
Feedback ensures corrective actions back into process – continuous process improvement
Security is a process, not a state.

Objectives of Risk Assessment
- Help to select subset of security measures given limitations on resources
- Every system will have unique security requirements
- Risk assessment must provide appropriate information about
  - Possible losses (costs of damage and of recovery)
  - Estimated probability of specific events or classes of events

A Model of Risk
- Fundamental Risk Model
- Two Inconsequential Risk Classes
- Two Significant Risk Classes
- Real-World Risks & the ALE

Fundamental Risk Model: "Jacobson's Window"
[Figure: 2x2 grid with Consequences (Low, High) on one axis and Occurrences (High, Low) on the other]

Two Inconsequential Risk Classes
[Figure: the same grid; the two cells not covered by the significant classes below are labelled "Don't care" (low occurrences, low consequences) and "Doesn't happen" (high occurrences, high consequences)]

Two Significant Risk Classes
[Figure: the same grid; high occurrences, low consequences: "Power transient, minor sw bug, keystroke error, …"; low occurrences, high consequences: "Major fire, long power outage, flooding, cash fraud, …"]

Real-World Risks & the ALE
To compare risks, we use the annualized loss expectancy (ALE):
$E(x) = \sum_i p_i c_i$
where E(x) = ALE of strategy x, p_i = probability of occurrence i, c_i = cost of occurrence i, and \sum_i = add up the products over i.

Example of ALE Calculation
Keystroke errors (Jacobson's example with slight modifications)
- 100 errors per operator per hour
- 100 operators
- 2,000 hours per operator per year
- = 20,000,000 errors per year
- Detection rate 99.9% at no cost
- Thus p = 0.001 failure ra
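The ALE formula and the keystroke-error figures above, carried through as an added example (not code from the slides or from Kabay): it computes E(x) = Σ p_i c_i for a strategy and compares the free 99.9% detection baseline against a paid, better control. The cost per undetected error, the improved detection rate and the control's annual cost are assumed placeholders, since the slide breaks off before giving them.

```python
"""Annualized loss expectancy (ALE) as on the slides: E(x) = sum_i p_i * c_i.

Constructed example. The keystroke-error figures (100 errors/operator/hour,
100 operators, 2,000 hours/year, 99.9% free detection) are the slide's; the
per-error cost and the improved control's figures are assumed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Occurrence:
    """One risk class i: expected number of events per year (p_i as an
    annual count) and the cost of one event (c_i)."""
    name: str
    events_per_year: float
    cost_per_event: float


def ale(occurrences: list[Occurrence]) -> float:
    """E(x) = sum over i of p_i * c_i for the strategy `occurrences` describes."""
    return sum(o.events_per_year * o.cost_per_event for o in occurrences)


def keystroke_errors_per_year(errors_per_operator_hour: float = 100,
                              operators: int = 100,
                              hours_per_operator: float = 2_000) -> float:
    """Slide figures: 100 * 100 * 2,000 = 20,000,000 errors per year."""
    return errors_per_operator_hour * operators * hours_per_operator


def undetected_errors(total_errors: float, detection_rate: float) -> float:
    """Errors that slip past detection: total * (1 - detection rate);
    with 99.9% detection this is the slide's p = 0.001 failure rate."""
    return total_errors * (1.0 - detection_rate)


def compare_strategies(cost_per_undetected_error: float = 5.0,      # assumed
                       improved_detection_rate: float = 0.9999,     # assumed
                       improved_control_annual_cost: float = 25_000.0):  # assumed
    """Total annual cost (expected loss plus cost of the measure) of the
    baseline strategy versus the improved-detection strategy."""
    total = keystroke_errors_per_year()
    baseline = [Occurrence("undetected keystroke error",
                           undetected_errors(total, 0.999),
                           cost_per_undetected_error)]
    improved = [Occurrence("undetected keystroke error",
                           undetected_errors(total, improved_detection_rate),
                           cost_per_undetected_error),
                # the control's price is a certain (once-per-year) cost
                Occurrence("improved control", 1, improved_control_annual_cost)]
    return {"baseline": ale(baseline), "improved": ale(improved)}
```

With the placeholder figures the improved control lowers the annual figure from 100,000 to 35,000, so it pays for itself; changing the assumed cost per error shows how quickly that conclusion flips.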