Identifying & assessing risks

March 29, 2023

3/14/23
Welcome to INF20031 Lecture 3, S1, 2023
Identifying & assessing risks
Dr Paul Scifleet
Semester 1, 2023
Weekly Schedule

Online lecture: published Thursday/Friday for review prior to Wednesday’s class.

Weekly:
– Review materials for current unit module
– Complete any readings and activities
– Complete CLAs on due weeks by 11:59pm, repeat

Assessment
Continuous learning activities:
– 3 x submitted ‘1 pagers’ = 500 words (#2 due 28 March), 25%
– 1 x Group warm up exercise, 5%
Assignments:
– 1 x Cybersecurity report, 25%
– 1 x BCM report, 30%
– 1 x Week 12 Quiz (online, in class)

Week | Week Beginning | Teaching and Learning Activity | Student Task or Assessment
1 | 27 Feb | Cybersecurity for Business: Introduction and overview | Class activity & reading (TBA)
2 | 06 March | Cybersecurity threats and attacks | Class activity & reading (TBA); Submit CLA #1, Tuesday 07 March
3 | 13 March | Cybersecurity Risk Management | Class activity & reading (TBA)
4 | 20 March | Assessing security & Internal control | Class activity & reading (TBA)
5 | 27 March | Mitigation, treatment & response I | Class activity & reading (TBA); Submit CLA #2, Tuesday 28 March
6 | 03 April | Mitigation, treatment & response II | Class activity & reading (TBA)
Mid Semester Break – Easter, Thursday 06 April – Wednesday 12 April. INF20031 classes resume in week 7. Submit Individual Assignment, Sunday 16 April.
7 | 17 April | Cybersecurity policy and governance | Class activity & reading (TBA); Submit GWE in class, Weds 19 April
8 | 24 April | Business Continuity & Cybersecurity Management in practice | Class activity & reading (TBA)
9 | 01 May | Cybersecurity incident response and contingency planning | Class activity & reading (TBA); Submit CLA #3, Tuesday 02 May
10 | 08 May | Cybersecurity disaster recovery and crisis management | Class activity & reading (TBA)
11 | 15 May | Cybercrime, fraud, digital forensics, and auditing | Class activity & reading (TBA); Submit Group BCM Report, Thursday 18 May
12 | 22 May | Cybersecurity ethics and compliance | Class quiz day, Weds 24 May
Week Three, learning plan
This week’s learning plan builds on your understanding of cybersecurity risk and risk management established in weeks 1 & 2.
Objectives for this week: to become familiar with the key concepts of cyber security risk assessment:
a) Risk management process, COSO ERM and the organisation’s cyber security mission
b) Risk appetite & tolerance
c) Identification and analysis of cybersecurity risks
d) Assessing security and internal control (week 4)
Preparing for coming week, Modules 3, 4, 5
Required reading, week 2
Whitman, Michael E. and Mattord, Herbert J. Management of information security. Sixth Edition. Stamford, Conn.: Cengage Learning, 2019. (main) Chapters 6 and 7, Assessing and Treating risks.
Whitman, Michael E. and Mattord, Herbert J. Principles of information security. Seventh Edition. Stamford, Conn.: Cengage Learning, 2022. (additional) Chapters 6 and 7, Assessing and Treating risks.
Individual assignment tasks
You are to take on the role of an external auditor who has been hired by the Trusted Health Clinic to undertake a general cybersecurity risk assessment and prepare a report with the aim of securing THC’s information assets.
1. Explain your approach to cybersecurity risk management, assessment & treatment to THC; i.e. let your clients know what information assets are at risk in InfoSec terms and how you will approach internal control and risk mitigation.
2. Assess and describe THC’s strategic environment and cybersecurity mission, their value creating activities and current risk posture; propose a target risk appetite and risk tolerance level in the report.
3. Identify and table the key roles and responsibilities of individuals and departments within the organisation as they pertain to the management of information assets, and assess associated information risks.
4. Audit the case study to identify and prepare a full inventory (descriptive list) of information assets that includes THC’s most significant information resources in order to establish sound cybersecurity. Include your list as an appendix item.
5. Include an ATV table in your report identifying information assets at risk (threats and vulnerabilities) for the top 7 information assets identified: provide a supporting explanation for your analysis of the threats and vulnerabilities for THC’s most important information assets (both information and information systems/processes).
6. Present a likelihood and impact analysis for the seven (7) most operationally critical / significant information assets.
7. Evaluate and prioritise the most significant seven (7) information risks in order, and prepare a mitigation plan incorporating the mitigation strategy and internal controls to be applied for each.
It’s all about identifying information assets and assessing and prioritising risks so that information is secure.
What is Cybersecurity risk assessment
Cybersecurity risk assessment is the identification and analysis of information risks so that an organisation can achieve its (business) objectives. It forms a basis for determining how information risks should be managed. It includes the development of risk treatment strategies.
[Figure: the risk management process, after AS/NZS ISO 31000:2018 Principles & framework. Risk assessment = risk identification, risk analysis, risk prioritisation/evaluation; risk treatment (mitigation) = risk reduction, emergency planning, implementation, IT security policy.]
The role of standards
Issued by a standards body, e.g. Standards Australia or ISO; the outcome of a defined industry need, developed by industry and agreed to by industry.
Accepted specifications or codes of practice that help to define the materials, methods, processes and practices used by industry or by a professional body. They support policy development and decision making.
A basis for determining consistent and acceptable minimum levels of quality, performance, safety and reliability. They support business improvement and benchmarking practice.
Familiar examples include Design Standards (or Codes), e.g. Australian Design Rules (car emissions) and product safety; here standards provide guidance on safety for health, life and property matters.
There are also competency standards, setting benchmarks for qualifications in professions, e.g. ISACA certifications.
Enables compliance and provides evidence; issued by a regulatory authority or prescribed under a regulatory requirement, e.g. National Privacy Principles and the Privacy Act; ADR, Motor Vehicle Standards Act 1989.
Preparing for your Individual Assignment
Familiarise yourself with the required readings. Access details will be provided in CANVAS.
1. AS ISO 31000:2018: Risk management – Guidelines. Start with its 16 pages.
2. AS/NZS ISO/IEC 27005:2012: Information technology – Security techniques – Information security risk management. Start with the first section, pages 1-9.
Familiarise yourself with the general content, researching more detail towards assignments. Note the structure of the assignment is embedded in each model.
Risk assessment, ISO 27005:2012
Extract from ISO/IEC 27005:2011(E), page 8:
Figure 2 shows how this International Standard applies this risk management process.
The information security risk management process consists of context establishment (Clause 7), risk assessment (Clause 8), risk treatment (Clause 9), risk acceptance (Clause 10), risk communication and consultation (Clause 11), and risk monitoring and review (Clause 12).
Figure 2 — Illustration of an information security risk management process
As Figure 2 illustrates, the information security risk management process can be iterative for risk assessment and/or risk treatment activities. An iterative approach to conducting risk assessment can increase depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately assessed.
The context is established first. Then a risk assessment is conducted. If this provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment with

Risk assessment, NIST SP 800-30
Risk assessment
An Information Security Risk assessment (audit), including treatment of the risks you identify, can be read directly as your Individual Assignment.
Identify: where and what are the risks to the organisation’s information resources?
– Identify assets
– Identify vulnerabilities
– Identify threats
Analyse: how severe is the current level of risk to information assets?
– e.g. costs and impacts associated with risks / not managing the risks, relative to the organisation’s goals
Evaluate: is the current level of risk to information assets acceptable?
– Prioritise the risks we want to treat
Treat: propose mitigation strategy
– Propose internal control; recommendations
Risk assessment
Assignment reporting requirements
Report should include:
– Executive summary
– Context setting (overview, risk appetite & tolerance, cybersecurity mission, responsibilities)
– Findings (in terms of an inventory of assets, vulnerabilities & threats)
– Evaluation: summarised in terms of likelihood, consequences and the resulting impacts; could be done as an ATV table
– Treatment: mitigation strategy, internal control
– Concluding recommendations
1. Risk assessment
What is cybersecurity risk assessment?
Cybersecurity risk assessment is the identification, analysis and prioritisation of information risks to support the achievement of business objectives, and the mitigation of any risk identified.
[Figure: three decision levels. Strategic level: decisions on business strategy. Program (tactical) level: decisions transforming strategy into action. Operational level: decisions required to enable implementation of actions.]
Source: IT Governance Institute. 2005. Information risks: Whose business are they? Page 12
1. Risk assessment
Establishing the context of control: COSO’s ERM
Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across an enterprise, designed to identify potential events that may affect an entity, and manage risks within its risk appetite, to provide reasonable assurance regarding achievement of entity objectives.
COSO, ERM framework 2004
o A strategic understanding of an organisation’s information resources
o Establishing a philosophy that recognises expected and unexpected events and emphasising control of effect
o Governance of risk: identifying, assessment, acceptance, communication & treatment
1. Risk assessment
Strategic understanding of information value
The strategic objectives: how, why, what information is most critical. Value of other information assets.
– A clear idea of information needs and how staff use information, the value creating activities of the organisation
– Having this should:
  – Support decision making
  – Focus resources efficiently and effectively
  – Legal requirements, innovation, production
Identifying the information assets first allows us to assess information risks & plan for business continuity.
1. Risk assessment
Who is responsible, for what information? What questions can you ask of your case?

Role: Responsibility
BOD:
§ Be aware of IT risk exposures and their containment
§ Evaluate the effectiveness of management’s monitoring of IT risks
IT strategy committee:
§ Provide high-level direction for sourcing and use of IT resources, e.g. strategic alliances
§ Oversee the aggregate funding of IT at the enterprise level
CEO:
§ Adopt a risk, control and governance framework
§ Embed responsibilities for risk management in the organisation
§ Monitor IT risk and accept residual IT risks
Business executives:
§ Provide business impact assessments to the enterprise risk management process
CIO:
§ Assess risks, mitigate efficiently and make risks transparent to the stakeholders
§ Implement an IT control framework
§ Ensure that roles critical for managing IT risks are appropriately defined and staffed
[Source: IT Governance Institute. 2005. Information risks: Whose business are they? Page 14]
1. Risk assessment
(a) Risk appetite and risk tolerance
1. Establishes (sets the scene for) the Enterprise’s cybersecurity mission. The critical point is that risk strategy (and through that cybersecurity planning) is aligned to the business objectives of the organisation, i.e. its value creating activities and its future directions.
2. Risk appetite is a strategic conversation; it’s a high-level view (a formal statement) of how much risk the management team (including the Executive & Board) is willing to accept.
3. Risk appetite is often expressed in terms of tolerance, both in quantitative and qualitative terms (e.g. how much earnings we are willing to put at risk, versus not; how much reputational risk) and the considered risk tolerance (range of acceptable variation).

Establishes (sets the scene for) the Enterprise’s cybersecurity mission
https://www.unimelb.edu.au/cybersecurity/about/mission
1. Risk assessment
(b) Risk appetite and risk tolerance
1. Risk appetite is the high level (strategic) conversation, focussed on driving business direction with a suitable risk profile.
2. Risk tolerance is a tactical conversation, linking risk appetite to metrics and measures that can be monitored.
o e.g. articulating a strategic preparedness to take risk by extending business into the BRIC markets (Brazil, Russia, India, China) expresses an appetite and sets the organisational tone
o Identifying the specific market to enter (a measure) and the acceptable level of variation around performance targets for those markets (metrics) expresses the tolerance
E.g. Amazon typically allows 7 years to establish a market share it’s happy with.
Concluding risk assessment
Review of the process
Identify
– Business objectives (…value, appetite & tolerance, cybersecurity mission)
– Assets
– Vulnerabilities
– Threats
Analyse
– Likelihood and consequences
– Impact
– Existing controls
Evaluate
– Cost of exposure versus cost of protection
– Prioritise risks
Treatment
– Determine the right strategy for treatment
– Propose internal control
2. Risk identification
o Processes for identifying the risks and opportunities that could impact on an organisation
o At the strategic, tactical and operational levels, considering how an organisation best achieves its outcomes and ensures the protection of its assets by examining all sources of risk to assets
o It is an IT/IS audit (inventory and analysis) approach that focuses on the effects of information assets being put at risk
2. Risk identification
Information assets and information audits
o In IT/IS security, risk assessment takes on many names and can vary greatly in terms of method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization’s information assets.
o The assessment approach analyses the relationships among assets, threats, vulnerabilities and other elements.
o What constitutes an information asset will be specific to the organisation (and this is why the approach or methodology becomes more important). Assets might include network architecture and infrastructure, customer records, intellectual property, other corporate records essential for the operation of the business, web services essential for the operation of the business, knowledge of the organisation’s business processes.
o You get the picture! It is all about ‘what is essential to continue business operations’.
2. Risk identification
Information assets and information audits
o Systematic examination of information assets/resources, their use and flow (e.g. dissemination of information internally and externally, information available to the public)
o How? Document analysis, verification by people (interviews, surveys, focus groups)
o How? Undertaking an inventory of existing information and systems (digital work environments, databases, electronic and paper information exchange, network architecture, applications)
o How? Isolate the most significant information assets and systems (e.g. plans, financial records, email, social media)
o Indicate what is important to protect (i.e. control)
2. Risk identification
Threats & exposures and vulnerabilities
1. Threat
o Potential cause of an unwanted incident, which may result in harm to (an asset) a system or organisation (ISO/IEC 27000:2009)
o The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (NIST SP 800-30)
2. Vulnerability
o Weakness of an asset or control that can be exploited by a threat (ISO/IEC 27000:2009)
o A flaw or weakness in system security procedures, design, implementation, or internal controls (NIST SP 800-30)
o Judgement error, unexpected transactions or events, collusion, management override, conflicting signals
3. Analysing risks to information assets
Likelihood & consequences
1. Likelihood: the probability of a risk eventuating
2. Consequence: the impact of an adverse change to the level of business objectives achieved
3. Existing controls: safeguards and countermeasures in place to manage risk
(ISO/IEC 27000:2009)
3. Analysing risks to information assets
Jacobson’s window
[Figure: a 2 x 2 grid of Occurrences (Low, High) against Consequences (Low, High).]
Isolates four classes of risk: low-low, high-low, low-high, and high-high. These four are easily broken down into either inconsequential or significant risk classes. E.g. with a focus on 3.
3. Analysing risks to information assets
Impact versus probability
[Figure: 2 x 2 matrix, IMPACT (Low to High) on the vertical axis against PROBABILITY (Low to High) on the horizontal axis.]
Low impact, low probability: Accept (monitor), Low Risk, e.g. staff availability
Low impact, high probability: Control (Reduce), Medium Risk, e.g. spam email
High impact, low probability: Share, Medium Risk, e.g. fire damage
High impact, high probability: Control (reduce, mitigate, avoid), High Risk, e.g. DDOS attack
3. Analysing risks to information assets
Categorisation of exposure
o Options available:
  o Accept = monitor
  o Avoid = eliminate (get out of situation)
  o Reduce = institute controls
  o Share = partner with someone (e.g. insurance)
o Residual risk (unmitigated risk, e.g. shrinkage)
  o Residual risk = inherent risk – impact of risk controls
3. Analysing risks to information assets
Example of call centre
[Figure: the IMPACT (Low to High) versus PROBABILITY (Low to High) matrix, populated for a call centre.]
High Risk – avoid:
– Loss of VOIP services (phones)
– Loss of network, computers
– Customer has a long wait
– Customer can’t get through
– Customer can’t get answers
Medium Risk – share:
– Fraud
– Credit risk / or other information risk
Medium Risk – reduce:
– Entry errors
– Equipment obsolescence
– Repeat calls for same problem
Low Risk – monitor:
– Lost transactions
– Employee morale
3. Analysing risks to information assets
Determining acceptable levels of risk
o Evaluating risks on the basis of likelihood and consequences provides two factors that can be used to prioritise risk management
o Specific risks can be ranked on the basis of the evaluation
o Using ranking and rating systems, the order for addressing the risks can be determined
3. Analysing risks to information assets
Prioritisation of assets at risk
3. Analysing risks to information assets
Key elements of likelihood analysis
o Estimating the probability of a threat (or threats) occurring
o Probability of Occurrence (High, Medium, Low)
o Category Ranking, nominal or numeric (e.g. 7-10 = High, 4-6 = Medium, 1-3 = Low)
o Ordinal Ranking (a weighting, e.g. a numeric weighted impact factor)
o Relative Likelihood of Occurrence (risk in doing a, compared to b)
(Applying COSO’s Enterprise Risk Management Integrated Framework: http://www.coso.org/erm-integratedframework.htm)
3. Analysing risks to information assets
Key elements of impact analysis
o Assess the degree of harm or loss that can occur as a result of exploitation of vulnerability
o a.k.a. impact assessment, consequence analysis, consequence assessment
o Rate or rank
o Calculating the cost of exposure
o Both direct and indirect business impacts
  e.g. immediate financial impact (cost) of losing an asset
  e.g. cost of advertising to counteract negative publicity
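One way to carry the Identify / Analyse / Evaluate / Treat steps and the ranking rules above through to a prioritised register, written here as an added example that is not part of the lecture or of Whitman & Mattord: it applies the 1-3 / 4-6 / 7-10 category ranking, the impact-versus-probability quadrants (accept, reduce, share, control/avoid) from the matrix and call-centre slides, and the residual risk formula to a constructed ATV table, then keeps the top seven as the assignment asks. The asset rows, 1-10 scores and control-effectiveness fractions are constructed assumptions, as is treating only the High band as the ‘High’ side of the 2 x 2 grid.

```python
"""Risk register prioritisation for an ATV (asset / threat / vulnerability) table.
Added example, not from the lecture or Whitman & Mattord. Rules from the slides:
7-10 = High, 4-6 = Medium, 1-3 = Low; the impact-versus-probability matrix
(Accept/monitor, Reduce, Share, Control/avoid); Residual = inherent - impact of controls.
Asset rows, scores and control-effectiveness fractions are constructed for illustration."""
from dataclasses import dataclass, field

def band(score: int) -> str:
    """Category ranking from the slides: 7-10 High, 4-6 Medium, 1-3 Low."""
    if not 1 <= score <= 10:
        raise ValueError(f"score must be 1-10, got {score}")
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def treatment(likelihood: int, impact: int) -> str:
    """Quadrant of the impact-versus-probability matrix and its treatment option.
    Assumption: only the High band counts as the 'High' side of the 2 x 2 grid."""
    hi_p, hi_i = band(likelihood) == "High", band(impact) == "High"
    if hi_p and hi_i:
        return "Control (reduce, mitigate, avoid)"
    if hi_i:
        return "Share"
    if hi_p:
        return "Control (reduce)"
    return "Accept (monitor)"

@dataclass
class RiskRow:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1-10
    impact: int      # 1-10
    # existing control -> fraction of inherent exposure it removes (constructed estimates)
    controls: dict = field(default_factory=dict)

    @property
    def inherent(self) -> int:
        """Inherent risk before any controls: likelihood x impact, 1..100."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Residual risk = inherent risk - impact of risk controls (reductions add, capped at 100%)."""
        reduction = min(1.0, sum(self.controls.values()))
        return round(self.inherent * (1 - reduction), 1)

def prioritise(rows, top_n=7):
    """Rank by residual risk (ties broken by impact, then likelihood) and keep the top_n."""
    return sorted(rows, key=lambda r: (r.residual, r.impact, r.likelihood), reverse=True)[:top_n]

# Constructed ATV rows for a small clinic; values are illustrative, not from the case study
REGISTER = [
    RiskRow("Patient records database", "Ransomware", "Unpatched server", 8, 9, {"offline backups": 0.4}),
    RiskRow("Patient records database", "Insider disclosure", "Broad read access", 5, 9, {"access review": 0.2}),
    RiskRow("Clinic website", "DDoS attack", "Single hosting provider", 7, 7),
    RiskRow("Staff email", "Phishing", "No MFA", 9, 6, {"awareness training": 0.3}),
    RiskRow("Staff email", "Spam", "Weak filtering", 9, 2),
    RiskRow("Server room", "Fire damage", "No suppression", 2, 9, {"insurance": 0.5}),
    RiskRow("Reception PCs", "Staff unavailability", "Single trained operator", 3, 3),
    RiskRow("Billing system", "Entry errors", "No input validation", 6, 4, {"double-entry check": 0.5}),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.residual:5.1f}  P={band(r.likelihood):6} I={band(r.impact):6} "
              f"{treatment(r.likelihood, r.impact):34} {r.asset}: {r.threat}")
```

Each row printed is one line of the ATV evaluation the report asks for: residual score, likelihood and impact bands, the matrix quadrant’s treatment option, and the asset/threat pair, with the eighth (lowest) row dropped by the top-seven cut.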
3. Analysing risks to information assets
Applying analysis
[Figures: three slides applying the analysis, drawn from the source below.]
Whitman, Michael E. and Mattord, Herbert J. Management of information security. Sixth Edition. Stamford, Conn.: Cengage Learning, Chapter 6

Module 3 reading
Whitman, Michael E. and Mattord, Herbert J. Management of information security. Sixth Edition. Stamford, Conn.: Cengage Learning, 2018, Chapter 6 & 7

Module 3 terms
1. Risk assessment
2. Risk appetite
3. Risk identification
4. Analyse risks / evaluate risks

Thank you