Computer Security: Principles and Practice, 1/e



Yüklə 15,34 Kb.
səhifə4/6
tarix19.12.2023
ölçüsü15,34 Kb.
#186744
1   2   3   4   5   6
ch14(1)

Threat Sources

  • threats may be
  • should consider human attackers
    • motivation
    • capability
    • resources
    • probability of attack
    • deterrence
  • any previous history of attack on org

Threat Identification

  • depends on risk assessors experience
  • uses variety of sources

Vulnerability Identification

  • identify exploitable flaws or weaknesses in organization’s IT systems or processes
  • hence determine applicability and significance of threat to organization
  • need combination of threat and vulnerability to create a risk to an asset
  • again can use lists of potential vulnerabilities in standards etc

Analyze Risks

  • specify likelihood of occurrence of each identified threat to asset given existing controls
  • specify consequence should threat occur
  • hence derive overall risk rating for each threat
  • risk = probability threat occurs x cost to organization

  • in practice very hard to determine exactly
  • use qualitative not quantitative, ratings for each
  • aim to order resulting risks in order to treat them

Determine Likelihood

Determine Consequence

Determine Resultant Risk


Consequences

Likelihood

Doomsday

Catastrophic

Major

Moderate


Yüklə 15,34 Kb.

Dostları ilə paylaş:
1   2   3   4   5   6




Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©azkurs.org 2024
rəhbərliyinə müraciət

gir | qeydiyyatdan keç
    Ana səhifə


yükləyin