Computer Security: Principles and Practice, 1/e



ch14(1)

Threat Sources

  • threats may be
    • natural (“acts of God”)
    • man-made, either accidental or deliberate
  • for human attackers, should consider their
    • motivation
    • capability
    • resources
    • probability of attack
    • deterrence
  • any previous history of attack on org

Threat Identification

  • depends on the risk assessor’s experience
  • uses a variety of sources
    • likelihood of natural threats from insurance statistics
    • lists of potential threats in standards, IT security surveys, info from governments
    • tailored to organization’s environment
    • and any vulnerabilities in its IT systems

Vulnerability Identification

  • identify exploitable flaws or weaknesses in organization’s IT systems or processes
  • hence determine applicability and significance of threat to organization
  • need combination of threat and vulnerability to create a risk to an asset
  • again can use lists of potential vulnerabilities in standards etc.

Analyze Risks

  • specify likelihood of occurrence of each identified threat to an asset, given existing controls
    • controls: the management, operational and technical processes and procedures that reduce the organization’s exposure to some risks
  • specify consequence should the threat occur
  • hence derive an overall risk rating for each threat
  • risk = probability that the threat occurs × cost to the organization

  • in practice very hard to determine exactly
  • use qualitative, not quantitative, ratings for each
  • aim to order the resulting risks so they can be treated in priority
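The qualitative approach above, as an added example that is not from the textbook or the slides: each threat gets a likelihood rating (given existing controls) and a consequence rating, the two ranks are combined into an ordinal score standing in for “probability × cost”, the score is mapped onto a risk level, and the register is sorted so the highest risks are treated first. The likelihood scale, the weighting, the cut-offs and the sample register are assumptions for illustration; only the consequence terms reuse those on the slides.

```python
from dataclasses import dataclass

# Ordered qualitative scales, lowest first. The consequence terms are the
# ones the slides list; the likelihood scale is an assumption of this example.
LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "almost certain")
CONSEQUENCE = ("moderate", "major", "catastrophic", "doomsday")

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str   # chance the threat occurs, given existing controls
    consequence: str  # impact on the organization should it occur

def risk_score(likelihood: str, consequence: str) -> int:
    """Ordinal stand-in for probability x cost; consequence weighted double (assumed)."""
    # .index() raises ValueError for a rating that is not on the scale
    return LIKELIHOOD.index(likelihood) + 2 * CONSEQUENCE.index(consequence)

def risk_level(likelihood: str, consequence: str) -> str:
    """Map the combined score onto a qualitative level; cut-offs are constructed."""
    score = risk_score(likelihood, consequence)
    if score >= 8:
        return "extreme"
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"

def prioritise(register: list[Risk]) -> list[tuple[str, Risk]]:
    """(level, risk) pairs, highest score first, so treatment starts at the top."""
    ranked = sorted(register,
                    key=lambda r: risk_score(r.likelihood, r.consequence),
                    reverse=True)
    return [(risk_level(r.likelihood, r.consequence), r) for r in ranked]

# Constructed sample register for a small organization (not real data).
REGISTER = [
    Risk("customer database", "web application compromise", "likely", "major"),
    Risk("data centre", "flooding", "rare", "catastrophic"),
    Risk("payroll server", "ransomware", "possible", "catastrophic"),
    Risk("office laptops", "loss or theft", "almost certain", "moderate"),
]

if __name__ == "__main__":
    for level, r in prioritise(REGISTER):
        print(f"{level:8} {r.asset:18} {r.threat}")
```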

Determine Likelihood

Determine Consequence

Determine Resultant Risk


[Risk-level matrix: consequence ratings (Doomsday, Catastrophic, Major, Moderate) against likelihood ratings; the body of the table did not survive extraction.]

