1) Asset: anything within an environment that should be protected.
3) Vulnerability: a software, hardware, or procedural weakness that may give an attacker an open door into a system.
5) Risk: the possibility that a specific threat will exploit a specific vulnerability to cause harm to an asset.
risk = threat + vulnerability.
6) Safeguard (or countermeasure): anything that removes a vulnerability or protects against one or more specific threats.
Safeguards and countermeasures are the only means by which risk is mitigated or removed.
A) Internal:
* Changes in budget
* Change of initial requirement
* Disruption to the day-to-day operation of the organization
* Key staff leaving
* Equipment failure
B) External:
* Hardware/software not delivered
* Supplier becomes insolvent
* Unauthorised access into systems
* Disruption through power/communication
Risk event: the adverse event that results in
a risk.
1. Technical risk
2. Managerial risk
3. Operational risk
4. Environment risk
5. Testing risk
Technical risk:
(1) Do we really know what the problem is?
(2) Is the problem solvable?

Managerial risk:
* Schedule risk
* Financial risk
* Personnel risk
* Quality risk

Operational risk:
* Inadequate user education or training
* Software misuse
* Inadequate maintenance of the product

Environment risk:
Physical risks that may threaten a particular data center, such as fire or water.
is the process of controlling risk and monitoring the
effectiveness of the control mechanisms.
1) Identifying the risk;
2) Assessing the risk's magnitude;
3) Determining the response to the risk;
4) Planning for the addressing of, and
reporting on, the risk if encountered
* The cost potential of the risk's occurrence;
* The probability of the risk occurring;
* The risk exposure;
* The cost to respond to the risk.
1) Elimination;
2) Avoidance;
3) Mitigation;
4) Acceptance.
Risk analysis (RA): the process of identifying, estimating, and evaluating risk.
Benefits of RA
* Ease of data comprehension.
* Identification and prioritization of critical activities and functions.
* Identification of areas where policies and procedures need to be enhanced and implemented.
* Justification of the cost of implementing measures.
* Assessment of the preparedness of an organization with respect to the risks.
* Assessment of the security awareness among employees.
1) Software Risk Analysis
2) Planning Risks and Contingencies
Who Should Do the Analysis?
The risk analysis should be done by a team of experts from various groups within the organization, including developers, testers, users, customers, marketers, and other interested, willing, and able contributors.
Step 1: Form a Brainstorming Team
Step 2: Compile a List of Features
Step 3: Determine the Likelihood
Step 4: Determine the Impact
Step 5: Assign Numerical Values
Step 6: Compute the Risk Priority
Step 7: Review/Modify the Values
Step 8: Prioritize the Features
Step 9: Determine the "Cut Line"
Step 10: Consider Mitigation
Step 1: Form a Brainstorming Team
Include:
* users (such as business analysts)
* developers
* testers
* marketers
* customer service representatives
* support personnel
* anyone else who has knowledge of the business and/or product, and is willing and able to participate.
Step 2: Compile a List of Features
Step 3: Determine the Likelihood
Assign an indicator for the relative
likelihood of failure.
Table 2: Likelihood of Failure for ATM Features/Attributes

Likelihood   ATM Software Features/Attributes
High         Withdraw cash
Medium       Usability
Low          Performance
Medium       Security
Step 4: Determine the Impact
What would be the impact on the user if
this feature or attribute failed to
operate correctly?
Table 3: Impact of Failure for ATM Features/Attributes

Impact   Likelihood   ATM Software Features/Attributes
High     High         Withdraw cash
High     Medium       Deposit cash
Medium   Low          Check account balance
Medium   Medium       Transfer funds
Low      High         Purchase stamps
Medium   Low          Make a loan payment
High     Medium       Usability
Medium   Low          Performance
High     Medium       Security
Step 5: Assign Numerical Values
The brainstorming team should assign numerical values to H, M, and L for both likelihood and impact.
Step 6: Compute the Risk Priority
The values assigned to the likelihood of
failure and the impact of failure
should be added together.
Table 4: Summed Priorities for ATM Features/Attributes

Priority   Impact   Likelihood   ATM Software Features/Attributes
6          High     High         Withdraw cash
5          High     Medium       Deposit cash
3          Medium   Low          Check account balance
4          Medium   Medium       Transfer funds
4          Low      High         Purchase stamps
3          Medium   Low          Make a loan payment
5          High     Medium       Usability
3          Medium   Low          Performance
5          High     Medium       Security
Step 7: Review/Modify the Values
Values of the likelihood of failure for each
feature may be modified based on
additional information or analyses that
may be available.
Step 8: Prioritize the Features
The brainstorming team should
reorganize their list of features
and attributes in order of risk
priority.
Table 5: Sorted Priorities for ATM Features/Attributes

Priority   Impact   Likelihood   ATM Software Features/Attributes
6          High     High         Withdraw cash

Table 6: "Cut Line" for ATM Features/Attributes

Priority   Impact   Likelihood   ATM Software Features/Attributes

Table 7: Mitigated List of Priorities for ATM Features/Attributes

Mitigation            Priority   Impact   Likelihood   ATM Software Features/Attributes
Code inspection       6          High     High         Withdraw cash
Early prototype       5          High     Medium       Deposit cash
Early user feedback   5          High     Medium       Usability
                      5          High     Medium       Security
                      4          Medium   Medium       Transfer funds
                      4          Low      High         Purchase stamps
                      3          Medium   Low          Make a loan payment
                      3          Medium   Low          Check account balance
                      3          Medium   Low          Performance
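Steps 5 to 10 carried through in code, as an added worked example that is not part of the original slides: it reuses the ATM ratings from Table 3, assumes the H=3/M=2/L=1 weights that the sums in Table 4 imply, and assumes a cut line of 5, which the slides do not state.

```python
# Weights for High/Medium/Low (Step 5). The slides' Table 4 sums are consistent
# with H=3, M=2, L=1 (High+High=6, High+Medium=5, Medium+Low=3); a team may pick others.
WEIGHTS = {"High": 3, "Medium": 2, "Low": 1}

# (feature, likelihood of failure, impact of failure) as rated in Table 3.
ATM_FEATURES = [
    ("Withdraw cash", "High", "High"),
    ("Deposit cash", "Medium", "High"),
    ("Check account balance", "Low", "Medium"),
    ("Transfer funds", "Medium", "Medium"),
    ("Purchase stamps", "High", "Low"),
    ("Make a loan payment", "Low", "Medium"),
    ("Usability", "Medium", "High"),
    ("Performance", "Low", "Medium"),
    ("Security", "Medium", "High"),
]

# Step 10 mitigations the slides attach to the top items in Table 7.
MITIGATIONS = {
    "Withdraw cash": "Code inspection",
    "Deposit cash": "Early prototype",
    "Usability": "Early user feedback",
}

def risk_priority(likelihood, impact, weights=WEIGHTS):
    """Step 6: risk priority is the likelihood weight plus the impact weight."""
    if likelihood not in weights or impact not in weights:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    return weights[likelihood] + weights[impact]

def prioritize(features, weights=WEIGHTS):
    """Steps 6 and 8: score every feature, sort highest risk first (stable, so ties keep Table 3 order)."""
    scored = [(risk_priority(lk, im, weights), name, im, lk) for name, lk, im in features]
    return sorted(scored, key=lambda row: row[0], reverse=True)

def apply_cut_line(scored, cut_line):
    """Step 9: features at or above the cut line get focused test effort."""
    above = [row for row in scored if row[0] >= cut_line]
    below = [row for row in scored if row[0] < cut_line]
    return above, below

def mitigated_list(scored, mitigations=MITIGATIONS):
    """Step 10: prepend the planned mitigation ('' when none) to each sorted row."""
    return [(mitigations.get(name, ""), pr, im, lk, name) for pr, name, im, lk in scored]

if __name__ == "__main__":
    ranked = prioritize(ATM_FEATURES)
    above, below = apply_cut_line(ranked, 5)  # a cut line of 5 is an assumption
    for row in mitigated_list(ranked):
        print(" | ".join(str(col) for col in row))
```

Running it reproduces the row order of Table 7; changing the weights in Step 5 (for example, giving impact a heavier weight than likelihood) reorders the list, which is the review the slides ask for in Step 7.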
Purpose:
To determine the best contingencies in the event that one of the planning risks occurs.
This is important because the scope and nature of a project almost always change as the project progresses.
The planning risks help us to do the "What if…" analysis and develop contingencies.