ITC 596 IT Risk Management

Get Started. It's Free
or sign up with your email address
Rocket clouds
ITC 596 IT Risk Management by Mind Map: ITC 596 IT Risk Management

1. elaborate on the eight rules of security by showing how they can be applied to many real-life scenarios

2. Modules

2.1. M1 - Introduction

2.1.1. Theme

2.1.1.1. The role and environment of IT Security people

2.1.2. Reference

2.1.2.1. Chapters 1 - 3 of text

2.1.2.1.1. Notes

2.2. M2 - Fundamental Security Rules

2.2.1. Theme

2.2.1.1. Universal principles to support decision making

2.2.2. Reference

2.2.2.1. Chapters 4 & 5 of text

2.2.2.1.1. Notes

2.3. M3 - Security Decision Making

2.3.1. Theme

2.3.1.1. The process of crafting Security Decisions

2.3.2. Reference

2.3.2.1. Chapters 6 & 7 of text

2.3.2.1.1. Notes

2.4. M4 - Practising Security

2.4.1. Theme

2.4.1.1. Eight rules of security by showing how they can be applied to many real-life scenarios

2.4.2. Reference

2.4.2.1. Chapters 10 -12 of text

2.4.2.1.1. Notes

2.5. M5 - Foundations of Risk Management 1

2.5.1. Theme

2.5.1.1. Take a more formal look at the science of risk management, which includes both quantitative and qualitative techniques

2.5.2. Reference

2.5.2.1. Additional readings to the textbook

2.5.2.1.1. Henry, K. (2004). Risk management and analysis.

2.5.2.1.2. Kaplan, R. (2004). Risk management 101.

2.6. M6 - Foundations of Risk Management 2

2.6.1. Theme

2.6.1.1. Security requires trade-offs, and that these trade-offs are subjective.

2.6.2. Reference

2.6.2.1. Additional readings to the textbook

2.6.2.1.1. Schneier, B. (2003). Security trade-offs are subjective. In Beyond fear: Thinking sensibly about security in an uncertain world

2.6.2.1.2. Blakely, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Proceedings of the 2001 workshop on new security paradigms.

2.6.2.1.3. Reading 6: Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers and Security

2.7. M7 - Quantitative Risk Assessment

2.7.1. Theme

2.7.1.1. Assigning a probability to the chances of an attack as well as determining how much damage a successful attack is likely to cause. This topic explores ALE (Average Loss Expectancy) and ROSI (Return on Security Investment).

2.7.2. Reference

2.7.2.1. Additional readings to the textbook

2.7.2.1.1. Ozier, W. (2004). Risk analysis and assessment. In Information security management handbook

2.7.2.1.2. Geer, D., Soo Hoo, K., & Jaquith, A. (2003). Information security: Why the future belongs to the quants. IEEE Security and Privacy

2.7.2.1.3. Endorf, C. (2004). Measuring ROI on security. In Information security management handbook

2.7.2.1.4. Berinato, S. (2003). Everything’s coming up ROSI. In CIO: Australia’s magazine for information executives

2.7.2.1.5. Jacobson, R. V. (2002). Risk assessment and risk management. In S. Bosworth & M. E. Kabay (Eds.),

2.8. M8 - Qualitative Risk Assessment

2.8.1. Theme

2.8.1.1. Qualitative risk assessment relies more on observational, subjective data rather than hard facts. There are many advantages to this approach. ‘Hard numbers’ are often difficult to come by when assessing security threats.

2.8.2. Reference

2.8.2.1. Additional readings to the textbook

2.8.2.1.1. Peltier, T. (2005). Quantitative versus qualitative risk assessment. In Information security risk analysis (2nd ed., pp. 77-114).

2.8.2.1.2. Munteanu, A. (2006). Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma. Paper presented at the Proceedings of the 6th International Business Information Management Association (IBIMA) Conference.

2.9. M9 - Insurance

2.9.1. Theme

2.9.1.1. Taking out an insurance policy is the most common approach for transferring risk. Cyber insurance, however, is still in its infancy and faces many challenges before being fully accepted as a market solution in the same way as traditional insurance.

2.9.2. Reference

2.9.2.1. Gordon, L. A., Loeb, M. P., & Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81-85.

2.9.2.1.1. Written 2003, which is 10 years ago

2.9.2.1.2. need an insurance approach

2.9.2.1.3. Describe a cyber-risk framework

2.9.2.1.4. Product considerations

2.9.2.1.5. When to use?

2.9.2.2. Majuca, R. P., Yurcik, W., & Kesan, J. P. (2005). The evolution of cyberinsurance.

2.9.2.2.1. 2005, a bit later

2.9.2.2.2. The Issue

2.9.2.2.3. Pricing

2.9.2.2.4. Spreading Risk

2.9.2.2.5. Cyber risks are excluded from existing policies

2.9.2.2.6. Drivers for new products

2.10. M10 - Risk perception and Communication

2.10.1. Theme

2.10.2. Reference

2.10.2.1. Slovic, P. (1987). Perception of risk. Science, 236(4799)

2.10.2.1.1. Notes

2.10.2.2. Asgharpour, F., Liu, D., & Camp, L. J. (2007). Mental models of security risks. Lecture Notes in Computer Science, 4886, 367-377

2.10.2.2.1. Notes

2.11. M11- Relational assessment

2.11.1. Theme

2.11.1.1. The relational risk assessment process was pioneered by the author of your text, Kevin Day. It is similar in style to a qualitative risk analysis, but with more emphasis on concepts such as vulnerability inheritance and chained risks.

2.11.2. Reference

2.11.2.1. Return to the textbook, chapter 8

2.11.2.1.1. Notes

2.12. M12 - Security Metrics

2.12.1. Theme

2.12.1.1. Is our security better this year than last year? Could you respond? And if so how?

2.12.2. Reference

2.12.2.1. Jaquith, A. (2007).Defining security metrics. In Security metrics: Replacing fear, uncertainty and doubt (pp. 9-37). Upper Saddle River, NJ: Addison-Wesley.

2.12.2.1.1. Notes