Star Trek, World War II and Risk Management

Reg Harnish, CISM, CISA, CISSP
Chief Security Strategist
GreyCastle Security
January 31, 2013
Residual
Challenges
Why Risk Management?
Because you have to
Because you can’t be secure
Because people are not awesome
Show Me This Thing You Call Risk Management
Risk Management 101
“the total process of identifying, controlling and mitigating information system-related risks”*
* National Institute of Standards and Technology (NIST) SP 800-30
Risk Management 101
• Risk Assessment
• Risk Mitigation
• Evaluation and Assessment
Risk Management 101
• Focuses on:
– Confidentiality
– Integrity
– Availability
• Qualitative or Quantitative
• Balances risk, effort and costs
– Risk will always exist
– Don’t build a $200 fence around a $20 horse
Risk Management 101
Risk = Impact x Probability (Impact: Low = 10, Medium = 50, High = 100; Probability: High = 1.0, Medium = 0.5, Low = 0.1)

Probability \ Impact   Low (10)            Medium (50)            High (100)
High (1.0)             Low: 10 x 1 = 10    Medium: 50 x 1 = 50    High: 100 x 1 = 100
Medium (0.5)           Low: 10 x .5 = 5    Medium: 50 x .5 = 25   Medium: 100 x .5 = 50
Low (0.1)              Low: 10 x .1 = 1    Low: 50 x .1 = 5       Low: 100 x .1 = 10
Must. Resist. Temptation.
Risk Management Demo
Final Thoughts
1. Risk Management is a continuous process
2. Risk Management should be performed whenever changes occur
3. You cannot eliminate risk!
Who should care about Risk Management?