These are the lecture notes I created which I used to revise for the CS3609 Cybersecurity exam at Brunel University in which I received a First Class in.
Module: CS3609
Lecture Topic: Information and Risk
Week: 2
Risk Management
Risk management is the process of understanding and responding to factors that may lead to a
failure in the confidentiality, integrity, or availability of an information system.
Confidentiality is about keeping information confidential and not allowing people who shouldn’t see
it, access that information.
Integrity is about ensuring that information is not altered or tampered with. (Blockchain e.g.)
Availability is who should have access to that information who can see it.
Risk is a situation or event that exposes an asset to harm, and the probability of that risk being
realised. If it is, that can cause a loss of money. (Fines: could be 4% of turnover, poor security or not
declaring breaches)
, Information security is the preservation of CIA. Other properties such as
authentication, authorization, non-reputation, audit and accountability
can also be involved.
Why risk management? It’s not a matter of IF but WHEN…
No organization is exempt from data breaches.
Tesco bank was fined 16.8 million pounds 2016-2019 for data breaches.
You must continuously identify and quantify risk; you need to access the effectiveness of deployed
goals to reduce impact.
(This one always included in the exam)
,These 7 factors need to be understood.
Stakeholders are risk owners, system owners, asset owners, or anyone who has a stake in the
information system or the asset.
An asset is anything that has value, tangible, people, information, intellectual property. Consider
what assets are at Risk in your network topology in terms of the vulnerabilities.
Threats is a single potential cause of an unwanted instant. These come from Threat agents.
Controls are implemented to mitigate Vulnerabilities, which is a weakness in an asset or the
absence of a security control that can be exploited by a threat. (e.g. insufficient maintenance, single
point of absence, as well as floods/fire)
Controls are the means of managing risk and can place limits on the activities that might pose a risk,
such as proactive, as safeguards, or counter measures, once an incident occurs – how to detect,
contain and recover from an incident.
CVE – Common Vulnerabilities and Exposures
Cve.mitre.org
You can explore the threats. The CVE system provides a reference method for publicly known
information security vulnerabilities and exposures.
Mitre attack framework.
, Risk Analysis
Risks can be analysed by either Quantitative or Qualitative risk methodologies
Quantitative relies on specific numbers, which makes it more precise, allows decision makers to
make better decisions about risk and quantify the risk. Usually involves money (£/$). Relies on the
accuracy and completeness of the numerical values. Quantifies the loss.
Qualitative you don’t have hard data, ask people what they think based on their experience,
subjective data, based on risk perception by the stakeholders. Quantitative gives a handle on risk
which is not covered by the hard numbers. This allows you to think about the risk register.
Ideally, you would take a hybrid approach and use both.
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller cslbrunel. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $9.13. You're not tied to anything after your purchase.
