1
Q
Why risk management?
A
- Of some things in life we never enough: safety, security, …, but they come at a cost: investment in controls, opportunity costs, reduction of usability, reduction of flexibility, etc.
- So there is always a trade-off. Risk management helps to make such trade-offs in a systematic way.
2
Q
Time-based model of Information Security
A
P > D + R
P = time it takes an attacker to break through the various controls that protect the organization’s information assets D = time it takes for the organization to detect that an attack is in progress R = time it takes to respond to and stop the attack
If the equation is satisfied (P > D + R is true), then the organization’s information security procedures are effective. Otherwise, security is ineffective.
3
Q
The main purpose of monitoring and review process are:
A
- Ensure that controls are effective and efficient
- Obtain further information to improve risk assessment
- Analyse and learn lessons from incidents, but also from changes, trends, successes, and failures
- Detect changes
- Identify emerging risks
4
Q
Criticism on COSO ERM
A
Michael Power:
In particular, he observes that risk management did little to prevent or slow down the financial crisis.
•Nothing about systemic risks
•Nothing about comparability of risk across departments
•Tends to be based on risks that are easy to measure and record
•Real risks are about human decision:
5
Q
Conclusions
A
- Monitor risks (external), and monitor risk managament (internal)
- Detect: situation awareness
- Qualitative versus quantitative risk analysis metrics
- Continuous monitoring:n research topics
Cybersecurity
flashcards
Decks in class (13)
# Cards
