ITC 596 IT Risk Management

Mind map: ITC 596 IT Risk Management

1. Elaborate on the eight rules of security by showing how they can be applied to many real-life scenarios.

2. Modules

2.1. M1 - Introduction

2.1.1. Theme: The role and environment of IT security people

2.1.2. Reference: Chapters 1 - 3 of the text

2.2. M2 - Fundamental Security Rules

2.2.1. Theme: Universal principles to support decision making

2.2.2. Reference: Chapters 4 & 5 of the text

2.3. M3 - Security Decision Making

2.3.1. Theme: The process of crafting security decisions

2.3.2. Reference: Chapters 6 & 7 of the text

2.4. M4 - Practising Security

2.4.1. Theme: The eight rules of security, shown through how they can be applied to many real-life scenarios

2.4.2. Reference: Chapters 10 - 12 of the text

2.5. M5 - Foundations of Risk Management 1

2.5.1. Theme: Take a more formal look at the science of risk management, which includes both quantitative and qualitative techniques

2.5.2. Reference: Additional readings to the textbook

2.5.2.1. Henry, K. (2004). Risk management and analysis.

2.5.2.2. Kaplan, R. (2004). Risk management 101.

2.6. M6 - Foundations of Risk Management 2

2.6.1. Theme: Security requires trade-offs, and these trade-offs are subjective.

2.6.2. Reference: Additional readings to the textbook

2.6.2.1. Schneier, B. (2003). Security trade-offs are subjective. In Beyond fear: Thinking sensibly about security in an uncertain world.

2.6.2.2. Blakely, B., McDermott, E., & Geer, D. (2001). Information security is information risk management. Proceedings of the 2001 workshop on new security paradigms.

2.6.2.3. Reading 6: Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers and Security.

2.7. M7 - Quantitative Risk Assessment

2.7.1. Theme: Assigning a probability to the chance of an attack, and determining how much damage a successful attack is likely to cause. This topic explores ALE (Average Loss Expectancy) and ROSI (Return on Security Investment).

2.7.2. Reference: Additional readings to the textbook

2.7.2.1. Ozier, W. (2004). Risk analysis and assessment. In Information security management handbook.

2.7.2.2. Geer, D., Soo Hoo, K., & Jaquith, A. (2003). Information security: Why the future belongs to the quants. IEEE Security and Privacy.

2.7.2.3. Endorf, C. (2004). Measuring ROI on security. In Information security management handbook.

2.7.2.4. Berinato, S. (2003). Everything's coming up ROSI. In CIO: Australia's magazine for information executives.

2.7.2.5. Jacobson, R. V. (2002). Risk assessment and risk management. In S. Bosworth & M. E. Kabay (Eds.),

2.8. M8 - Qualitative Risk Assessment

2.8.1. Theme: Qualitative risk assessment relies more on observational, subjective data than on hard facts. There are many advantages to this approach, since 'hard numbers' are often difficult to come by when assessing security threats.

2.8.2. Reference: Additional readings to the textbook

2.8.2.1. Peltier, T. (2005). Quantitative versus qualitative risk assessment. In Information security risk analysis (2nd ed., pp. 77-114).

2.8.2.2. Munteanu, A. (2006). Information security risk assessment: The qualitative versus quantitative dilemma. Paper presented at the Proceedings of the 6th International Business Information Management Association (IBIMA) Conference.

2.9. M9 - Insurance

2.9.1. Theme: Taking out an insurance policy is the most common approach for transferring risk. Cyber insurance, however, is still in its infancy and faces many challenges before being fully accepted as a market solution in the same way as traditional insurance.

2.9.2. Reference

2.9.2.1. Gordon, L. A., Loeb, M. P., & Sohail, T. (2003). A framework for using insurance for cyber-risk management. Communications of the ACM, 46(3), 81-85. Notes: written in 2003, which is 10 years ago; the need for an insurance approach; describes a cyber-risk framework; product considerations; when to use?

2.9.2.2. Majuca, R. P., Yurcik, W., & Kesan, J. P. (2005). The evolution of cyberinsurance. Notes: 2005, a bit later; the issue; pricing; spreading risk; cyber risks are excluded from existing policies; drivers for new products.

2.10. M10 - Risk Perception and Communication

2.10.1. Theme:

2.10.2. Reference

2.10.2.1. Slovic, P. (1987). Perception of risk. Science, 236(4799).

2.10.2.2. Asgharpour, F., Liu, D., & Camp, L. J. (2007). Mental models of security risks. Lecture Notes in Computer Science, 4886, 367-377.

2.11. M11 - Relational Assessment

2.11.1. Theme: The relational risk assessment process was pioneered by the author of your text, Kevin Day. It is similar in style to a qualitative risk analysis, but with more emphasis on concepts such as vulnerability inheritance and chained risks.

2.11.2. Reference: Return to the textbook, chapter 8

2.12. M12 - Security Metrics

2.12.1. Theme: Is our security better this year than last year? Could you answer that question, and if so, how?

2.12.2. Reference: Jaquith, A. (2007). Defining security metrics. In Security metrics: Replacing fear, uncertainty and doubt (pp. 9-37). Upper Saddle River, NJ: Addison-Wesley.