2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA
Published October 30, 2019 | 76 min

    OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

    https://www.owasp.org/index.php/Women_In_AppSec

    OWASP Women in AppSec

    Twitter: 2013_Nayak (reach out and ask to be added)


    https://www.tagnw.org/events/


    Risk in Infosec

     

    Risk - a situation that involves extreme danger and an extensive amount of unrecovered loss

        What about risks that are positive in nature?  PMP calls them ‘opportunities’


    Risk Analysis - systematic examination of the components and characteristics of risk

     

    Analysis Steps - 

            Understanding and Assessment

                Understand there is a risk

                What if a company does not have security standards?

           

               

            Identification

                Identify and categorize risk - 

                    Informational risk

                    Network risk

                    Hardware risk

                    Software risk

                    Environment risk?

     

    https://en.wikipedia.org/wiki/Routine_activity_theory

     

                Scope of risk analysis?

                Threat modeling to find risks?

                    https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling 

                SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

                Risk analysis methodologies?

                    https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

                    https://securityscorecard.com/blog/it-security-risk-assessment-methodology

    https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

     

    https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration 

     

            Estimation

                Likelihood that the risk will occur (e.g. once a decade vs. once a week) and the loss if it does

                Design controls to remediate or mitigate

     

            Implementation

                Risk assessment is a combined approach (several methodologies and stakeholders, not one checklist)

                    You mentioned a lot of people; what's the scope?

                    How do you do the risk assessment? Which framework?

               

            Evaluation

                Evaluation approach

                    Iterative, like an agile approach

                Provides an informed conclusion

                Report must be clear (no jargon)

            Decision Making

               
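    The estimation step above gives a likelihood ("once a decade", "once a week") and a loss; the decision step needs those turned into something rankable. The following is an added example, not material from the episode or the guest, that applies the standard annualized loss expectancy formula (ALE = SLE x ARO) to a constructed risk register using the categories from the identification step. The frequency vocabulary, the register entries and the control costs are all assumptions made up for the illustration.

```python
# Added example (not from the episode): quantitative estimation of the
# risks identified in the analysis steps, using annualized loss
# expectancy.  ALE = SLE * ARO, where SLE is the expected loss from a
# single occurrence and ARO is the number of occurrences per year.
from dataclasses import dataclass

# Assumed frequency vocabulary, mirroring the notes ("once a decade",
# "once a week"), mapped to occurrences per year (ARO).
FREQUENCY_PER_YEAR = {
    "once a decade": 0.1,
    "once a year": 1.0,
    "once a month": 12.0,
    "once a week": 52.0,
}


@dataclass
class Risk:
    name: str
    category: str       # informational / network / hardware / software / environment
    frequency: str      # a key of FREQUENCY_PER_YEAR
    single_loss: float  # SLE: expected loss from one occurrence

    def aro(self) -> float:
        return FREQUENCY_PER_YEAR[self.frequency]

    def ale(self) -> float:
        return self.single_loss * self.aro()


# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    Risk("Lost or stolen laptop", "hardware", "once a month", 3_000),
    Risk("Ransomware on file server", "software", "once a decade", 500_000),
    Risk("Phishing credential theft", "informational", "once a week", 800),
    Risk("Data centre power loss", "environment", "once a year", 20_000),
]


def ranked_by_ale(register):
    """Order risks by annualized loss, highest first, to prioritise controls."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def ale_by_category(register):
    """Roll the register up by the categories used in the identification step."""
    totals = {}
    for r in register:
        totals[r.category] = totals.get(r.category, 0.0) + r.ale()
    return totals


def control_is_worthwhile(risk, annual_cost, residual_fraction):
    """A control pays for itself when the ALE it removes exceeds its yearly cost.

    residual_fraction is the share of the loss that remains after the control
    (0.1 means the control eliminates 90% of the expected loss).
    """
    removed = risk.ale() * (1.0 - residual_fraction)
    return removed > annual_cost


if __name__ == "__main__":
    for r in ranked_by_ale(REGISTER):
        print(f"{r.ale():>10,.0f}/yr  {r.category:<13} {r.name}")
    laptop = REGISTER[0]
    print("Full-disk encryption worthwhile:",
          control_is_worthwhile(laptop, annual_cost=5_000, residual_fraction=0.1))
```

    Note that the frequent, low-loss phishing item outranks the rare, high-loss outage once both are annualized; that is the point of converting "once a week" into a rate rather than comparing single-incident losses. The same register also shows why a control can be unjustified even for a real risk: if a control removes less expected loss per year than it costs, the decision step should record the risk as accepted or look for a cheaper control.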

     

    Examples to Reduce Risk

    Training and education

        What kind of testing? Annual security training?

     

    Publishing policies

    Agreement with organization

        BAA (Business Associate Agreement) with 3rd parties

    Timely testing - 

       
