Risk Analysis
Completing the Risk Analysis Puzzle
A Presentation by Michelle Magario
For BSDP 583 Spring 2012
Table of Contents
• Part 1:
  • Risk Analysis
  • Limitations
  • Interdependency
• Part 2:
  • Interventions
  • Recommendations
  • Budgetary considerations
• Part 3:
  • In Practice
Purpose Statement
Purpose:
• Characterize
• Define
• Mitigate
• Eliminate
Protect Defend
Figure: Risk Management (elements: Vulnerabilities, Threats, Risks, Assets)
© Copyright 2004 Risk Mitigation Associates -- All rights reserved.
Risk Analysis
• Phase 1
  – Analyze Risks
    • Assets
    • Threats
    • Vulnerabilities
    • Risks
• Phase 2
  – Countermeasures
    • Mitigation Opportunities
    • Plan Development
    • Policy Institution
Phase 1
Risk Assessment: Phase 1
• Asset Characterization
• Criticality Analysis
• Threat Identification
• Consequence Analysis
• Vulnerability Analysis
• Probability Assessment
• Risk Assessment
• Risk Prioritization
• Risk Management
Figure labels: Assets, Threats, Vulnerabilities, Risks
Risk Assessment: Phase 1
Assets
• People
• Property
• Proprietary Information
• Reputation
Risk Assessment: Phase 1
• Criticality Analysis
  – Understand: which assets are critical
    • Mission related
  – Describe: describe the asset
    • Location
    • Type
  – Rank: assign a value
    • Numeric
    • Relative
Risk Assessment: Phase 1
Hazard
• Natural
• Manmade
• Unintentional
• Safety
• Security
• Disasters
• Political/Military
• Environmental or Behavioral
Threat
• Manmade
• Intentional
• With Malice
• Terrorists
• Petty or Economic Criminals
• Subversives
Risk Assessment: Phase 1
• Consequence Analysis
  – Losses
    • Human life
    • Property
    • Proprietary information
    • Reputation
  – Impact
    • Environmental
    • Economical
Risk Assessment: Phase 1
• Vulnerability Analysis
  – 3 distinct steps
    • Define
    • Evaluate
    • Identify Vulnerability
Risk Assessment: Phase 1
• Probability Assessment
  – Viewpoint dependent
  – Based on attractiveness
  – Historic Data
  – Statistics
Risk Assessment: Phase 1
Risk = Probability x Vulnerability x Consequence
Risk Assessment: Phase 1
• Risk:
  – Assessment
  – Prioritization
  – Management
Figure labels: Assess, Prioritize, Manage
Phase 2
Risk Assessment: Phase 2
Countermeasures
• Mitigation opportunities
  – Safety
  – Security
  – Policy Development
• Enforcement
• Costs
Figure labels: Mitigation, Security, Safety, Policy
Risk Assessment: Phase 2
Safety: In Place
• Identify
• Evaluate
• Enforce
Safety: In Need Of
• Identify
• Evaluate
• Implement
• Assess
• Enforce
Risk Assessment: Phase 2
Security: In Place
• Identify
• Evaluate
• Enforce
Security: In Need Of
• Identify
• Evaluate
• Implement
• Assess
• Enforce
Risk Assessment: Phase 2
• Policy Development and Implementation:
Trigger
Review
Impact
Expert Review
Approval
Monitor
Phase 3
Risk Assessment: Phase 3
• In Practice:
  – Small facility
  – 5 employees
  – Widgets
Risk Assessment: Phase 3
Asset              Risk   Consequence   Vulnerability   Probability
Employees            12             2               3             2
Facility             16             4               2             2
Equipment            20             5               2             2
Proprietary info    100             5               5             4
Reputation          125             5               5             5
Risk Assessment: Phase 3
• Prioritization
Asset                     Risk
Reputation                 125
Proprietary Information    100
Equipment                   20
Facility                    16
Employees                   12
Risk Assessment: Phase 3
• Countermeasures
  – QA/QC support
  – Sabotage protection
  – Computer back-up and security
  – Visitor management
Risk Assessment: Phase 3
• Policy Development and Implementation