Case Study: Information Security Risk Assessment
In this case study assignment, you will perform a quantitative risk analysis for the company network shown below. Write your answers on the Case Study Information Security Risk Assessment Answer Sheet.
Please use your imagination and feel free to specify any vulnerabilities and threats while completing the steps of this case study.
As presented in the textbook, the following risk analysis formula will guide you throughout the process:
Risk = Probability (Threat + Exploit of Vulnerability) * Cost of Asset Damage
This formula says that "Risk can be calculated by multiplying the probability (of exploitation of a vulnerability by a threat) with the impact (of the exploitation once it has occurred)."
The formula can therefore be rewritten as follows:
Risk = Probability of the exploitation of a vulnerability by a threat * Impact of the exploitation
The risk analysis process has five steps.
Fill out the first three columns of Table-1.
Table-1

| Assets | Vulnerabilities | Threats | Probability (numerical value) | Impact (numerical value) | Risk |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |
Think about the threats and vulnerabilities for each asset. For each asset, estimate the probability that the threat (in the third column) exploits the vulnerability (in the second column). Use the following reference table for this estimate. Also consider factors such as whether the threat agent is external or internal, how severe the vulnerability is, and whether it is remotely exploitable.

| Probability | Numerical value | Frequency of exploitation |
|---|---|---|
| Very Low | 1 | Once per year |
| Low | 2 | Once every six months |
| Medium | 3 | Once per month |
| High | 4 | Once per week |
| Very High | 5 | Once per day |
Write the numerical value in the fourth column of Table-1.
Write your justifications here:

| Probability (numerical value) | Your justification (why you assigned that value for the probability) |
|---|---|
| | |
| Impact | Numerical value | Impact of exploitation |
|---|---|---|
| Very Low | 1 | The system/asset may be restored immediately. |
| Low | 2 | The system/asset may be restored in the short term. |
| Medium | 3 | The system/asset may be restored in the medium term. |
| High | 4 | The system/asset may be restored in the long term. |
| Very High | 5 | The system/asset may not be restored even in the long term, and the adverse effects may persist even longer. |
Write the numerical value in the fifth column of Table-1.
Write your justifications here:

| Impact (numerical value) | Your justification (why you assigned that value for the impact) |
|---|---|
| | |
Risk matrix (Risk = Probability * Impact):

| Probability \ Impact | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 1 | 1 | 2 | 3 | 4 | 5 |
| 2 | 2 | 4 | 6 | 8 | 10 |
| 3 | 3 | 6 | 9 | 12 | 15 |
| 4 | 4 | 8 | 12 | 16 | 20 |
| 5 | 5 | 10 | 15 | 20 | 25 |
| Risk value | Priority |
|---|---|
| 12, 15, 16, 20, 25 | Highest priority |
| 5, 6, 8, 9, 10 | Medium priority |
| 1, 2, 3, 4 | Lowest priority |
Fill out Table-2 from the highest-level risk to the lowest. Replace <asset>, <vulnerability>, and <threat> with your findings. Write your action in the third column: if the risk has a low probability, you may accept it; otherwise, consider mitigating it and write your mitigation actions.
Table-2

| Definition of risk | Priority | Action (risk acceptance or risk mitigation) |
|---|---|---|
| The exploitation of the <vulnerability> of <asset> by <threat> | | |
| The exploitation of the <vulnerability> of <asset> by <threat> | | |
| The exploitation of the <vulnerability> of <asset> by <threat> | | |
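The following is an added example, not part of the assignment, that carries the five steps through in code: it applies Risk = Probability * Impact with both scores on the 1..5 scales, generates the 5x5 risk matrix, maps each value onto the three priority bands, orders the rows into Table-2 from the highest risk to the lowest, and applies the accept-or-mitigate rule. The assets, vulnerabilities, threats and scores in `SAMPLE_ENTRIES` are constructed for illustration; the interpretation of "low probability" as a score of 1 or 2 (`ACCEPT_PROBABILITY_MAX`) is an assumption. The `bands_cover_matrix` check goes slightly beyond the text: it confirms that the priority table assigns every value the matrix can produce to exactly one band, which is worth verifying before using any such table.

```python
"""Added example: a small risk-register calculator for the case study's
Risk = Probability * Impact method. Sample data below is constructed."""
from dataclasses import dataclass
from itertools import product

# Scales from the case study's reference tables (numerical values 1..5).
PROBABILITY_SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
IMPACT_SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Priority bands exactly as given in the case study's Risk value / Priority table.
PRIORITY_BANDS = {
    "Highest priority": {12, 15, 16, 20, 25},
    "Medium priority": {5, 6, 8, 9, 10},
    "Lowest priority": {1, 2, 3, 4},
}

# Assumption: "low probability" in the acceptance rule means Very Low (1) or Low (2).
ACCEPT_PROBABILITY_MAX = 2


@dataclass(frozen=True)
class RiskEntry:
    """One row of Table-1: asset, vulnerability, threat and the two scores."""
    asset: str
    vulnerability: str
    threat: str
    probability: int
    impact: int


def risk_value(probability: int, impact: int) -> int:
    """Risk = Probability * Impact, with both scores restricted to the 1..5 scales."""
    if probability not in PROBABILITY_SCALE or impact not in IMPACT_SCALE:
        raise ValueError("probability and impact must be integers from 1 to 5")
    return probability * impact


def priority(risk: int) -> str:
    """Map a risk value onto one of the case study's three priority bands."""
    for label, values in PRIORITY_BANDS.items():
        if risk in values:
            return label
    raise ValueError(f"{risk} is not a value the 5x5 matrix can produce")


def action(entry: RiskEntry) -> str:
    """Case study rule: a low-probability risk may be accepted, anything else is mitigated."""
    if entry.probability <= ACCEPT_PROBABILITY_MAX:
        return "Risk Acceptance"
    return "Risk Mitigation"


def risk_matrix() -> list[list[int]]:
    """The 5x5 matrix; row index is probability - 1, column index is impact - 1."""
    return [[risk_value(p, i) for i in IMPACT_SCALE] for p in PROBABILITY_SCALE]


def bands_cover_matrix() -> bool:
    """True if every value the matrix can produce falls in exactly one priority band."""
    produced = {risk_value(p, i) for p, i in product(PROBABILITY_SCALE, IMPACT_SCALE)}
    banded = [v for values in PRIORITY_BANDS.values() for v in values]
    return produced == set(banded) and len(banded) == len(set(banded))


def build_table2(entries: list[RiskEntry]) -> list[dict]:
    """Produce Table-2 rows ordered from the highest risk value to the lowest."""
    rows = []
    for e in sorted(entries, key=lambda e: risk_value(e.probability, e.impact), reverse=True):
        risk = risk_value(e.probability, e.impact)
        rows.append({
            "definition": f"The exploitation of the {e.vulnerability} of {e.asset} by {e.threat}",
            "risk": risk,
            "priority": priority(risk),
            "action": action(e),
        })
    return rows


# Constructed sample register (not from the assignment) that touches all three bands.
SAMPLE_ENTRIES = [
    RiskEntry("web server", "unpatched CMS plugin", "external attacker", probability=4, impact=3),
    RiskEntry("file server", "untested backups", "ransomware operator", probability=2, impact=5),
    RiskEntry("employee laptop", "missing disk encryption", "theft or loss", probability=2, impact=2),
    RiskEntry("customer database", "default admin credentials", "malicious insider", probability=3, impact=4),
]

if __name__ == "__main__":
    assert bands_cover_matrix(), "priority table does not cover the matrix exactly"
    for row in build_table2(SAMPLE_ENTRIES):
        print(f'{row["risk"]:>2}  {row["priority"]:<17} {row["action"]:<16} {row["definition"]}')
```

Running the block prints the constructed register in Table-2 order; the two risks scoring 12 come first, the file-server risk (score 10, medium priority) lands in the acceptance column only because its probability is Low, which is the case study's rule and a point worth justifying explicitly in the answer sheet when the impact is Very High.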
Use “Case Study Information Security Risk Assessment Answer Sheet” document for your answers.
[1] An asset is anything that has value for the company. It can be software, hardware, storage media, documents, even employees. One of the most critical assets is information. Note that one of the essential duties of the other assets (software, hardware, etc.) is to process information. Therefore, the value of a piece of software, for example, is directly proportional to the value of the information it processes.
[2] A vulnerability is a weakness in the design, development, structure, properties or configuration of an asset. An asset's weakness could allow it to be exploited and harmed by one or more threats.
[3] A threat is an active agent that has the intent and/or potential to exploit vulnerabilities and cause harm. There are many threat agents; they fall into the broad categories of deliberate or accidental actions of humans (internal or external to the organization) and acts of nature.
Case Study: Information Security Risk Assessment – Answer Sheet
Table-1

| Assets | Vulnerabilities | Threats | Probability (numerical value) | Impact (numerical value) | Risk |
|---|---|---|---|---|---|
| | | | | | |
| | | | | | |
| | | | | | |

| Probability (numerical value) | Your justification (why you assigned that value for the probability) |
|---|---|
| | |

| Impact (numerical value) | Your justification (why you assigned that value for the impact) |
|---|---|
| | |

Table-2

| Definition of risk | Priority | Action (risk acceptance or risk mitigation) |
|---|---|---|
| The exploitation of the <vulnerability> of <asset> by <threat> | | |
| The exploitation of the <vulnerability> of <asset> by <threat> | | |
| The exploitation of the <vulnerability> of <asset> by <threat> | | |