7CCSMSEM
Security Management
Tutorial Week 3
(Sketch of Solutions)
Question 1. What are the differences between Threat Assessment, Vulnerability Assessment and Risk Assessment?
In threat assessment you look at the potential threat agents: who might be interested in targeting your organisation, why, and what their characteristics are, such as their capability and resources. In vulnerability assessment you look at the weaknesses your system actually has, independently of any particular threat. Risk assessment combines the outputs of the threat and vulnerability assessments to evaluate the actual risk: the likelihood that a particular threat exploits a particular vulnerability, and the impact this would have on the organisation.
Question 2. Which are the six steps for Risk Management?
Asset identification and valuation (also called impact assessment), threat assessment,
vulnerability assessment, risk assessment, risk treatment, and risk monitoring.
Question 3. Once the key risks have been assessed, what action is unacceptable for very low risks?
1) They can be ignored.
2) They can be accepted.
3) They can be reduced.
The correct one is 1). Risks that are ignored can cause problems later, so even very low risks must be monitored and reviewed at suitable intervals in case their impact or likelihood has changed since the initial assessment was carried out. Accepting a risk (option 2) is a legitimate treatment because it is a recorded decision that remains subject to review; ignoring it is not.
Question 4. What does a risk management plan include?
A risk management plan should include, among others (see the slides for more), the
following:
• How the initial state is documented
• How risk reduction measures are managed and implemented
• Risk communication: how, and to whom, risks are reported.
Question 5. A widget manufacturer has a network of 100 workstations and 1 server without Internet connectivity or anti-virus software. The company now installs a new server to provide Internet connectivity for employees to send/receive email and surf the Internet.
The company has asked you to determine the annual loss that can be expected from viruses and determine if it is beneficial in terms of cost to purchase licensed copies of anti-virus software. What you know:
• You read in a trade magazine that other widget companies have reported an 80 percent chance of viruses infecting their network after installing Internet connectivity.
• The cost of restoring the network after an infection would be £10,000 (considering loss of productivity, data, etc.).
• A vendor will sell licensed copies of anti-virus software for all servers and the 100
workstations at a cost of £3,000 per year. Now:
1. What is the Annualized Rate of Occurrence (ARO) for this risk?
2. What is the Annual Loss Expectancy?
3. What would you do with this risk? Explain why and include the specific name of the
risk treatment type you would use, together with the particular action recommended for this risk.
1. What is the Annualized Rate of Occurrence (ARO) for this risk? ARO = 0.8 (an 80 percent chance of infection per year, taken from the trade magazine figure).
2. What is the Annual Loss Expectancy? ALE = ARO × SLE, where the Single Loss Expectancy (SLE) is the £10,000 cost of restoring the network after one infection: ALE = 0.8 × 10,000 = £8,000 per year.
3. What would you do with this risk? Explain why and include the specific name of the risk treatment type you would use, together with the particular action recommended for this risk.
The ALE is £8,000 per year, whereas the anti-virus licences cost £3,000 per year, so the control costs well under the expected annual loss. The appropriate risk treatment is therefore to Reduce (mitigate) the risk: purchase the licensed anti-virus software and install it on all servers and the 100 workstations. Strictly, the purchase is justified as long as the reduction in ALE it achieves exceeds its £3,000 annual cost, since anti-virus lowers the likelihood of infection rather than eliminating it; the residual risk is then accepted and kept under review.
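As an added illustration (not part of the tutorial sheet), the following Python puts the ALE arithmetic of Question 5 into reusable form and generalises it to the cost-benefit test a risk manager applies when choosing a treatment: a control that reduces the risk is worth buying when the reduction in ALE it brings exceeds its annual cost, and if no control pays for itself the risk is accepted and monitored rather than reduced. The residual ARO after installing anti-virus (0.1) and the second, more expensive control are assumptions chosen for illustration; the sheet gives only the SLE, ARO and licence cost above.

```python
# Added example: ALE-based cost-benefit test for risk treatment options.
# Not part of the tutorial sheet. Figures for the tutorial case come from
# Question 5; the residual AROs and the second control are assumptions.


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO.

    sle: Single Loss Expectancy, the cost of one incident.
    aro: Annualized Rate of Occurrence, expected incidents per year.
    """
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def control_value(sle, aro_before, aro_after, annual_control_cost):
    """Annual net value of a control that lowers the ARO.

    value = (ALE_before - ALE_after) - annual cost of the control.
    A positive value means the control saves more than it costs.
    """
    if aro_after > aro_before:
        raise ValueError("a control should not raise the rate of occurrence")
    ale_before = annual_loss_expectancy(sle, aro_before)
    ale_after = annual_loss_expectancy(sle, aro_after)
    return (ale_before - ale_after) - annual_control_cost


def recommend(sle, aro_before, controls):
    """Choose the treatment with the highest annual net value.

    controls: list of (name, aro_after, annual_cost) tuples.
    Returns (treatment, control_name, figure):
      ("Reduce", name, net annual saving) when some control pays for itself;
      ("Accept", None, current ALE) when none does, meaning the risk is
      accepted as a recorded decision and kept under review (not ignored).
    """
    best_name, best_value = None, 0.0
    for name, aro_after, cost in controls:
        value = control_value(sle, aro_before, aro_after, cost)
        if value > best_value:
            best_name, best_value = name, value
    if best_name is None:
        return ("Accept", None, annual_loss_expectancy(sle, aro_before))
    return ("Reduce", best_name, best_value)


# Tutorial figures from Question 5.
SLE = 10_000.0   # cost of restoring the network after one infection
ARO = 0.8        # 80 percent chance of infection per year

# Candidate controls. The residual ARO of 0.1 for anti-virus and the whole
# second entry are illustrative assumptions, not figures from the sheet.
CONTROLS = [
    ("licensed anti-virus on all servers and 100 workstations", 0.1, 3_000.0),
    ("hypothetical managed mail/web filtering service", 0.05, 9_000.0),
]

if __name__ == "__main__":
    print("ALE without controls:", annual_loss_expectancy(SLE, ARO))
    for name, aro_after, cost in CONTROLS:
        print(name, "net annual value:", control_value(SLE, ARO, aro_after, cost))
    print(recommend(SLE, ARO, CONTROLS))
```

With the tutorial figures the anti-virus option returns a net annual value of £4,000 under the assumed residual ARO, while the more expensive filtering service loses money despite cutting the ARO further, so the recommendation is Reduce with the anti-virus licence. A control whose ALE reduction is below its cost (for example one that only brought the ARO down to 0.7 for the same £3,000) drives the function to Accept, which is the formal treatment, with monitoring, rather than ignoring the risk.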