2019-038-Deveeshree_Nayak-risk_analysis, and OWASP WIA

BrakeSec Education Podcast · Bryan Brake

October 30, 2019 · 1h 16m · Explicit

Show Notes

OWASP WIA - https://www.youtube.com/watch?v=umnt0qbOPsE

https://www.owasp.org/index.php/Women_In_AppSec

OWASP Women in AppSec

Twitter: 2013_Nayak (reach out and ask to be added)

https://www.tagnw.org/events/

Risk in Infosec

Risk - a situation which involves extreme danger and an extensive amount of unrecovered loss

What about risks that are positive in nature? PMP calls them 'opportunities'

Risk Analysis - systematic examination of the components and characteristics of risk

Analysis Steps -

Understanding and Assessment

Understand there is a risk

What if a company does not have security standards?

Identification

Identify and categorize risk -

Informational risk

Network risk

Hardware risk

Software risk

Environment risk?

https://en.wikipedia.org/wiki/Routine_activity_theory

Scope of risk analysis?

Threat modeling to find risks?

https://www.leviathansecurity.com/blog/the-calculus-of-threat-modeling

SWOT (strength/weakness/opportunities/threats) analysis will discover risks?

Risk analysis methodologies?

https://www.project-risk-manager.com/blog/qualitative-risk-techniques/

https://securityscorecard.com/blog/it-security-risk-assessment-methodology

https://en.wikipedia.org/wiki/Probabilistic_risk_assessment

https://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

Estimation

Chance that risk will occur (once a decade, once a week)

Design controls to remediate

Implementation

Risk assessment is a combined approach

Combined approach for a risk analysis

You mentioned a lot of people; what's the scope?

How do you do the risk assessment? Framework?

Evaluation

Evaluation approach

Like an agile approach

Provides an informed conclusion

Report must be clear (no jargon)

Decision Making

Examples to Reduce Risk

Training and education

What kind of testing? Annual security training?

Publishing policies

Agreement with organization

BAA (Business Associate Agreement) with 3rd parties

Timely testing -