Security Risk

From MgmtWiki
Latest revision as of 17:28, 11 April 2024

Full Title

For Identity Management, this is the measure of the risk created by exposing protected information, and access to it, on the web.

Context

Risk Management consists of risk evaluation based on the assets that need protection. In any transaction there are at least two points of view, that of each party to the transaction. For identity risk management we address the point of view of the user and that of the web site, also known (in the GDPR) as the Principal and the PII Controller.

  • Threat Model provides the core data needed for Security Risk evaluation.
  • User Risk is a special case of two-party Security Risk, as the transaction is nearly always biased against the user.

Cost

  • The risk is typically measured as the likelihood of a breach multiplied by the cost of the breach; over a fixed period this is the expected loss (in the annualized form, incidents per year times cost per incident).
  • An alternate measure is to look at similar enterprises and use the cost of the breaches they have experienced in comparable situations.
  • Banking has in many ways the easiest measures, as there is a history of losses by a range of categories, so a measure of risk is actually fairly easy to gauge, at least for established attack techniques. Even for new techniques the historical data can help to create a risk metric. For example, Ross Anderson and his grad students have created an extensive inventory of cybercrime costs (the "Measuring the Cost of Cybercrime" studies).
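A worked example of the measure above, computed from a loss history by category and split by the two points of view named under Context (the user as Principal, the web site as PII Controller), so that the ranking of risks seen by each party can be compared. This is an example added to this page, not code from MgmtWiki; the incident categories, the cost figures, the four-year observation window and the proxy-based estimate for a technique with no history are all assumptions.

```python
"""Worked example (added here, not part of the MgmtWiki page): Security Risk as
likelihood x cost, computed from a loss history and split by the two points of
view the page names, the user (Principal) and the web site (PII Controller).

All incident records below are constructed for illustration; the categories,
amounts and the four-year window are assumptions, not real banking loss data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    year: int
    category: str           # loss category, e.g. "phishing"
    controller_cost: float  # cost borne by the web site (PII Controller)
    user_cost: float        # cost borne by the user (Principal)


# Constructed incident history over a four-year observation window (assumed).
OBSERVATION_YEARS = 4
INCIDENTS = [
    Incident(2020, "credential stuffing", 120_000, 40_000),
    Incident(2020, "phishing", 30_000, 75_000),
    Incident(2021, "credential stuffing", 90_000, 35_000),
    Incident(2021, "phishing", 25_000, 60_000),
    Incident(2021, "insider misuse", 400_000, 10_000),
    Incident(2022, "phishing", 35_000, 80_000),
    Incident(2023, "credential stuffing", 150_000, 50_000),
    Incident(2023, "phishing", 20_000, 55_000),
]


def annualized_risk(incidents, years):
    """Return {category: {"rate": r, "controller": ale_c, "user": ale_u}}.

    rate       = incidents per year in that category (the likelihood term)
    controller = rate * mean controller cost per incident (controller POV)
    user       = rate * mean user cost per incident       (user POV)
    """
    count = defaultdict(int)
    ctrl_total = defaultdict(float)
    user_total = defaultdict(float)
    for inc in incidents:
        count[inc.category] += 1
        ctrl_total[inc.category] += inc.controller_cost
        user_total[inc.category] += inc.user_cost
    risk = {}
    for cat, n in count.items():
        rate = n / years
        risk[cat] = {
            "rate": rate,
            "controller": rate * (ctrl_total[cat] / n),
            "user": rate * (user_total[cat] / n),
        }
    return risk


def rank_by_pov(risk, pov):
    """Categories ordered from highest to lowest annualized loss for one party."""
    return sorted(risk, key=lambda cat: risk[cat][pov], reverse=True)


def biased_against_user(risk):
    """Categories where the user's expected loss exceeds the controller's."""
    return sorted(cat for cat, r in risk.items() if r["user"] > r["controller"])


def estimate_new_technique(risk, proxy_category, rate_multiplier):
    """Risk for a technique with no loss history, modelled (an assumption) as a
    known proxy category with its likelihood scaled by rate_multiplier."""
    proxy = risk[proxy_category]
    return {k: proxy[k] * rate_multiplier for k in ("rate", "controller", "user")}


if __name__ == "__main__":
    risk = annualized_risk(INCIDENTS, OBSERVATION_YEARS)
    for pov in ("controller", "user"):
        print(f"{pov} POV ranking:")
        for cat in rank_by_pov(risk, pov):
            print(f"  {cat:20s} rate={risk[cat]['rate']:.2f}/yr  "
                  f"expected loss={risk[cat][pov]:,.0f}/yr")
    print("biased against user:", biased_against_user(risk))
    # Hypothetical new technique with no history, assumed to occur at half the
    # phishing rate with phishing-like costs.
    print("new technique (assumed 0.5x phishing):",
          estimate_new_technique(risk, "phishing", 0.5))
```

With the constructed data the controller's ranking is led by insider misuse, while the user's ranking is led by phishing; the same transaction history yields a different risk ordering for each party, which is the point of evaluating both points of view separately.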

Reference