
Oct 30, 2019


OWASP Women in AppSec

Twitter: 2013_Nayak (reach out and ask to be added)

Risk in Infosec


Risk - a situation that involves extreme danger and an extensive amount of unrecovered loss

    What about risks that are positive in nature?  PMP calls them ‘opportunities’

Risk Analysis - systematic examination of the components and characteristics of risk


Analysis Steps - 

        Understanding and Assessment

            Understand there is a risk

            What if a company does not have security standards?




            Identify and categorize risk - 

                Informational risk

                Network risk

                Hardware risk

                Software risk

                Environment risk?


            Scope of risk analysis?

            Threat modeling to find risks?


            SWOT (strengths/weaknesses/opportunities/threats) analysis will discover risks?

            Risk analysis methodologies?





            Chance that risk will occur (once a decade, once a week)

            Design controls to remediate



            Risk assessment is a combined approach

            Combined approach for a risk analysis

                You mentioned a lot of people, what’s the scope?

                How do you do the risk assessment? Framework?



            Evaluation approach

                Like an agile approach

            Provides an informed conclusion

            Report must be clear (no jargon)

        Decision Making
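The steps above (categorize each risk, estimate how often it occurs, design a control, report plainly) can be worked through on a small risk register. This is an added example, not from the talk or the notes; the register entries, loss figures and the encryption control are constructed for illustration, and the scoring uses the common "events per year times loss per event" formula.

```python
from dataclasses import dataclass

# Constructed risk register for this example. Frequency is expressed as
# events per year, so "once a decade" is 0.1 and "once a week" is 52.

@dataclass
class Risk:
    name: str
    category: str           # informational, network, hardware, software, environment
    events_per_year: float  # estimated chance the risk occurs, per year
    loss_per_event: float   # loss from a single occurrence, in currency units

@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float  # fraction of occurrences the control prevents, 0..1

def annual_loss(risk: Risk) -> float:
    """Expected yearly loss: frequency multiplied by loss per event."""
    return risk.events_per_year * risk.loss_per_event

def residual_loss(risk: Risk, control: Control) -> float:
    """Expected yearly loss after the control reduces the frequency."""
    return risk.events_per_year * (1 - control.frequency_reduction) * risk.loss_per_event

def control_net_benefit(risk: Risk, control: Control) -> float:
    """Positive when the control saves more per year than it costs."""
    return annual_loss(risk) - residual_loss(risk, control) - control.annual_cost

def prioritize(risks):
    """Highest expected yearly loss first; ties keep register order."""
    return sorted(risks, key=annual_loss, reverse=True)

def plain_report(risks) -> str:
    """Jargon-free summary, one line per risk, for the decision makers."""
    return "\n".join(
        f"{r.name} ({r.category}): expected loss {annual_loss(r):,.0f} per year"
        for r in prioritize(risks)
    )

# Constructed entries (hypothetical values).
REGISTER = [
    Risk("lost laptop holding customer data", "informational", 1.0, 50_000),
    Risk("phishing steals staff credentials", "software", 52.0, 2_000),
    Risk("data centre flood", "environment", 0.1, 500_000),
]
FULL_DISK_ENCRYPTION = Control("full-disk encryption on laptops", 5_000, 0.9)

if __name__ == "__main__":
    print(plain_report(REGISTER))
    print("encryption net benefit:", round(control_net_benefit(REGISTER[0], FULL_DISK_ENCRYPTION)))
```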



Examples to Reduce Risk

Training and education

    What kind of testing? Annual security training?


Publishing policies

Agreement with organization

    BAA with 3rd parties

Timely testing -