Risk Assessment - By: Dedy Syamsuar, PhD

The document provides examples and guidance for conducting each step of risk analysis, from identifying threats, vulnerabilities, and controls, to assessing the impact of incident scenarios and the likelihood of their occurrence. The goal is to estimate risks both qualitatively

Risk Assessment

• By : Dedy Syamsuar, PhD


What..?

A risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of that event occurring.

• The objective of risk identification is:
  • to understand what is at risk within the context of the Institution’s explicit and implicit
  • to generate a comprehensive inventory of risks based on the threats and events

The Risk Assessment

• Risk assessment consists of the following activities:
  • Risk analysis (Clause 8.2), which comprises:
    • Risk identification (Clause 8.2.1)
    • Risk estimation (Clause 8.2.2)
  • Risk evaluation (Clause 8.3)
Risk analysis

• The purpose of risk identification is to determine what could happen to cause a potential loss, and to gain insight into how, where and why the loss might happen.
• Asset identification
  • An asset is anything that has value to the organization and which therefore requires protection. For the identification of assets it should be borne in mind that an information system consists of more than hardware and software.
  • Asset identification should be performed at a suitable level of detail that provides sufficient information for the risk assessment.
Risk analysis : Identification of threats

• A threat has the potential to harm assets such as information, processes and systems, and therefore organizations. Threats may be of natural or human origin, and could be accidental or deliberate.
• Both accidental and deliberate threat sources should be identified. A threat may arise from within or from outside the organization.

Threat Sources (table legend)
A = Accidental
D = Deliberate
E = Environmental
Risk analysis : Identification of existing Controls
• Identification of existing controls should be made to avoid unnecessary work
or cost, e.g. in the duplication of controls
• For the identification of existing or planned controls, the following activities
can be helpful:
• Reviewing documents containing information about the controls (for example, risk
treatment implementation plans).
• Checking with the people responsible for information security (e.g. information
security officer and information system security officer, building manager or
operations manager) and the users as to which controls are really implemented for
the information process or information system under consideration;
• Conducting an on-site review of the physical controls, comparing those implemented
with the list of what controls should be there, and checking those implemented as to
whether they are working correctly and effectively, or
• Reviewing results of internal audits
Risk analysis : Identification of vulnerabilities
• Vulnerabilities that can be exploited by threats to cause harm to assets or to the organization should be identified.
• Vulnerabilities may be identified in the following areas:
• Organization
• Processes and procedures
• Management routines
• Personnel
• Physical environment
• Information system configuration
• Hardware, software or communications equipment
• Dependence on external parties
Samples of vulnerabilities (continued)

Vulnerabilities can also be viewed from the organizational side.


Risk analysis : Identification of consequences

• A consequence can be loss of effectiveness, adverse operating conditions, loss of business, reputation, damage, etc.
• This activity identifies the damage or consequences to the organization that could be caused by an incident scenario. An incident scenario is the description of a threat exploiting a certain vulnerability or set of vulnerabilities in an information security incident.

Risk analysis : Identification of consequences

• Organizations should identify the operational consequences of incident scenarios in terms of (but not limited to):
  • Investigation and repair time
  • (Work) time lost
  • Opportunity lost
  • Health and safety
  • Financial cost of specific skills to repair the damage
  • Image, reputation and goodwill
Next .. RISK ESTIMATION

• Risk estimation methodologies
• Assessment of consequences
• Assessment of incident likelihood
• Level of risk estimation
Risk estimation methodologies

• Risk analysis may be undertaken in varying degrees of detail depending on the criticality of assets, the extent of vulnerabilities known, and prior incidents involving the organization.
• An estimation methodology may be qualitative or quantitative, or a combination of these, depending on the circumstances.
Estimation methodologies

• Qualitative estimation:
• Qualitative estimation uses a scale of qualifying attributes to describe the
magnitude of potential consequences (e.g. Low, Medium and High) and the
likelihood that those consequences will occur.
• An advantage of qualitative estimation is its ease of understanding by all
relevant personnel while a disadvantage is the dependence on subjective
choice of the scale.
• Quantitative estimation:
  • Quantitative estimation uses a scale with numerical values (rather than the descriptive scales used in qualitative estimation) for both consequences and likelihood, using data from a variety of sources.
Assessment of consequences

• The business impact value can be expressed in qualitative and quantitative forms, but any method of assigning monetary value generally provides more information for decision making and hence facilitates a more efficient decision-making process.
• Asset valuation begins with classification of assets according to their criticality, in terms of the importance of the assets to fulfilling the business objectives of the organization. Valuation is then determined using two measures:
  • the replacement value of the asset: the cost of recovery, clean-up and replacement of the information (if at all possible), and
  • the business consequences of loss or compromise of the asset, such as the potential adverse business and/or legal or regulatory consequences from the disclosure.
Assessment of incident likelihood
• After identifying the incident scenarios, it is necessary to assess the likelihood of each scenario and impact occurring, using qualitative or quantitative estimation techniques. This should take account of how often the threats occur and how easily the vulnerabilities may be exploited, considering:
• experience and applicable statistics for threat likelihood
• for deliberate threat sources: the motivation and capabilities, which will change over
time, and resources available to possible attackers, as well as the perception of
attractiveness and vulnerability of assets for a possible attacker
• for accidental threat sources: geographical factors e.g. proximity to chemical or
petroleum plants, the possibility of extreme weather conditions, and factors that could
influence human errors and equipment malfunction
• vulnerabilities, both individually and in aggregation
• existing controls and how effectively they reduce vulnerabilities
Level of risk estimation
• Risk estimation assigns values to the likelihood and the consequences of a risk. These values may be quantitative or qualitative. Risk estimation is based on assessed consequences and likelihood. Additionally, it can consider cost benefit, the concerns of stakeholders, and other variables, as appropriate for risk evaluation.
• The estimated risk is a combination of the likelihood of an incident scenario and its consequences.
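As an added worked example (not part of the slides), the Python sketch below carries the estimation steps above through for a constructed set of incident scenarios: likelihood is derived from threat frequency, ease of exploitation and the effectiveness of existing controls, and a 3x3 Low/Medium/High matrix then gives the level of risk. The scales, the combination rule and the sample register are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Constructed qualitative scale (assumption for this example, not from the slides).
class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass(frozen=True)
class IncidentScenario:
    """A threat exploiting a vulnerability of an asset, with the assessed inputs."""
    asset: str
    threat: str
    vulnerability: str
    consequence: Level            # assessed business impact if the scenario occurs
    threat_frequency: Level       # how often the threat source is seen (experience/statistics)
    ease_of_exploitation: Level   # how easily the vulnerability can be exploited
    control_effectiveness: Level  # how well existing controls reduce that vulnerability

def incident_likelihood(s: IncidentScenario) -> Level:
    """Likelihood from threat frequency and exploitability, discounted by existing controls."""
    raw = (s.threat_frequency + s.ease_of_exploitation + 1) // 2   # ceiling of the average
    # A HIGHly effective control lowers likelihood by two steps, MEDIUM by one, LOW by none.
    adjusted = raw - (s.control_effectiveness - Level.LOW)
    return Level(max(Level.LOW, min(Level.HIGH, adjusted)))

def level_of_risk(likelihood: Level, consequence: Level) -> Level:
    """3x3 matrix: product of the two scales (1, 2, 3, 4, 6 or 9) bucketed into Low/Medium/High."""
    score = likelihood * consequence
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH

def rank_scenarios(scenarios):
    """Order scenarios highest risk first, ready for evaluation against the risk criteria."""
    rated = [(s, level_of_risk(incident_likelihood(s), s.consequence)) for s in scenarios]
    return sorted(rated, key=lambda r: (r[1], r[0].consequence), reverse=True)

# Constructed sample register: illustrative assets and ratings, not real data.
SAMPLE = [
    IncidentScenario("customer database", "external attacker", "unpatched web server",
                     Level.HIGH, Level.HIGH, Level.HIGH, Level.LOW),
    IncidentScenario("server room", "flooding", "site below river level",
                     Level.HIGH, Level.LOW, Level.MEDIUM, Level.MEDIUM),
    IncidentScenario("staff laptops", "theft", "no disk encryption",
                     Level.MEDIUM, Level.MEDIUM, Level.MEDIUM, Level.HIGH),
]

if __name__ == "__main__":
    for s, risk in rank_scenarios(SAMPLE):
        print(f"{risk.name:6} {s.asset}: {s.threat} via {s.vulnerability}")
```

The laptop scenario drops to Low only because the existing control is rated highly effective; re-run it with `control_effectiveness=Level.LOW` to see how the same threat and vulnerability move up the ranking.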
Next .. RISK Evaluation

• Risk evaluation criteria used to make decisions should be consistent with the defined external and internal information security risk management context and take into account the objectives of the organization and stakeholder views, etc.
• Considerations should include:
  • Information security properties: if one criterion is not relevant for the organization (e.g. loss of confidentiality),
  • The importance of the business process or activity supported by a particular asset or set of assets
Any Questions…?
