R I S K I T 1.0 (TM)
Risk Assessment Software
Users Manual

Copyright (c) 1994 Brian Risman Associates
All Rights Reserved


Table of Contents

Order Form
License Agreement
Limited Warranty
System Requirements
Overview
What is Risk Management ?
Installation
General Commands
System Diagram
Main Menu
    Screen Layout
    Description
    Screen Options
Main Sub-Menu
    Screen Layout
    Description
    Screen Options
Add Study
    Description
    Area of Weakness Selection Screen Layout
        Description
        Screen Options
    Potential Area of Threat Selection Screen Layout
        Description
        Screen Options
    Add Study Case Input Screen Layout
        Description
        Screen Options
Modify Study
    Description
    Area of Weakness Selection Screen Layout
        Description
        Screen Options
    Potential Area of Threat Selection Screen Layout
        Description
        Screen Options
    Modify Study Case Input Screen Layout
        Description
        Screen Options
Delete Study
    Description
    Area of Weakness Selection Screen Layout
        Description
        Screen Options
    Potential Area of Threat Selection Screen Layout
        Description
        Screen Options
    Delete Study Case Input Screen Layout
        Description
        Screen Options
Print Risk Estimate Detail Sheet
    Description
    Report Layout
        Description
        Screen Options
Print Summary Report
    Description
    Report Layout
        Description
        Screen Options
Browse All Studies
    Description
    Screen Layout
        Description
        Screen Options
Delete All Records (Exclusive Control)
    Description
Quit
    Description
Index


RISKIT 1.0 (TM)
Order Form

To register your copy of RISKIT 1.0 (TM), please send along the
following form, or a reasonable facsimile, and a certified cheque or
money order for $ 99 in United States funds, to the following
address :

    Brian Risman Associates
    1 Canyon Avenue
    Suite 912
    North York
    Ontario
    CANADA
    M3H 4X8

Name : _______________________________________________________

Company : ____________________________________________________

Address : ____________________________________________________

Day Phone : ____________________   Eve Phone : _________________

Fax Number : ______________________

Bulletin Board Address (Compuserve, Internet) :
______________________________________________________________


RISKIT 1.0 (TM)
License Agreement

Brian Risman Associates provides these programs and licenses their
use. You assume responsibility for selection of these programs for
your purposes, and for the installation, use, and results from use of
these programs.

This software is licensed to you for use as follows :

1. You may use the programs on a single machine.

2. You may copy the programs for the sole purpose of backup in support
   of their use on a single machine.

3. All copies made must include the copyright notice.

4. You may transfer the programs and license to another party if the
   other party agrees to accept the terms and conditions of this
   Agreement.

5. If you transfer the program you must, at the same time, transfer
   all copies of the program or destroy any copies not transferred.

6.
   YOU MAY NOT USE, COPY, OR TRANSFER THE PROGRAMS OR ANY COPY IN
   WHOLE OR PART, EXCEPT AS EXPRESSLY PROVIDED FOR IN THIS LICENSE.
   IF YOU TRANSFER POSSESSION OF ANY COPY TO ANOTHER PARTY, YOUR
   LICENSE IS AUTOMATICALLY TERMINATED.

7. This license shall be construed, interpreted, and governed by the
   laws of the Province of Ontario and the Federal Government of
   Canada as applied in the Province of Ontario.

This license is effective until terminated. You may terminate the
license by destroying the programs together with all copies in any
form. This license will also be terminated if you fail to comply with
any term or condition of this license. You agree upon such termination
to return the programs together with all the copies to Brian Risman
Associates, and the purchaser shall be liable for any and all damages
suffered as a result of the violation or default.

You may not sub-license, assign or transfer the programs or any rights
under this license to any third party except as permitted under this
license. Any attempt otherwise to sub-license, assign, or transfer the
programs or any rights under the license is void.


R I S K I T 1.0 (TM)
Limited Warranty

These programs are a product of Brian Risman Associates. The programs
contained in this package are provided "AS IS" without warranty of any
kind, either express or implied, including, but not limited to, the
implied warranties of merchantability and fitness for a particular
purpose. The entire risk related to the quality and performance of the
programs is on you. In the event there is any defect, you assume the
entire cost of all necessary servicing, repair or correction.

Some states do not allow the exclusion of implied warranties, so the
above exclusions may not apply to you. This warranty gives you specific
legal rights and you may also have other rights which vary from state
to state.

Brian Risman Associates does not warrant that the functions contained
within the programs will meet your requirements or that the operation
of the programs will be uninterrupted or error-free.

Brian Risman Associates warrants the diskettes on which the programs
are furnished to be free from defects in the materials and workmanship
under normal use for a period of thirty (30) days from the date of
delivery to you as evidenced by a copy of your receipt. The entire
liability of Brian Risman Associates and your exclusive remedy shall
be replacement of any diskette which does not meet the Limited
Warranty and which is returned to Brian Risman Associates.

IN NO EVENT WILL BRIAN RISMAN ASSOCIATES BE LIABLE TO YOU FOR ANY
DAMAGES (INCLUDING ANY LOST PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL
OR CONSEQUENTIAL DAMAGES EVEN IF BRIAN RISMAN ASSOCIATES HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES) OR FOR ANY CLAIM BY ANY
OTHER PARTY. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF
LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE ABOVE
LIMITATIONS OR EXCLUSION MAY NOT APPLY TO YOU.

This agreement constitutes the complete and exclusive statement of the
terms of the agreement between you and Brian Risman Associates. This
agreement supersedes and replaces any previous written or oral
agreement and communications relating to this software. No oral or
written information or advice given by Brian Risman Associates, its
dealers, distributors, agents or employees will create any warranty or
in any way increase the scope of the warranty provided in this
agreement, and you may not rely on any such information or advice.


R I S K I T 1.0 (TM)
System Requirements

1. IBM PC/XT/AT/386/486 or a compatible computer with a hard disk with
   about 1 - 2 MB storage available.

2. MS-DOS version 5.0 or higher is required.
R I S K I T 1.0 (TM)
Overview

RISKIT 1.0 (TM) is a computer program run on the IBM PC and true
compatibles, which lets computer (EDP) auditors organize and assess
their analysis of the potential risks in one or more computer
installations.

RISKIT 1.0 (TM) is a tool for use by those (for example, EDP auditors)
who are engaged in the assessment of the risks facing the EDP
environment. Multiple studies, and sub-studies, can be carried out at
the same time on RISKIT 1.0 (TM).


What is Risk Management ?

As we all know, no one can predict the future. Companies and other
organizations are no different. The management of uncertainty is
possible only through a complete analysis of the risks facing the
organization.

The first step in risk management is the analysis and measurement of
the risks, called risk analysis. Once the risks are analyzed and
measured, the next step is to control the risks by instituting an
action plan containing countermeasures.

Please note that an action plan should be simple and to the point,
since in the event the plan is invoked, people are only going to be
able to implement the high-level principles. Rarely is a disaster so
accommodating as to let a detailed plan be executed without
alteration.

RISKIT 1.0 (TM) seeks to aid in risk management. The basis of RISKIT
1.0 (TM) is to carry out a STUDY on, for example, the threat of
Terrorism. Within the STUDY, the SYSTEM to be examined is determined.
Typically, the SYSTEM refers to an area of an organization. For an oil
company, the areas may be Refining or Marketing. For a Bank :
Treasury, Investment Banking and Retail Banking may be the areas
considered SYSTEMs. And within the SYSTEM, a SUB-SYSTEM can be
studied -- one of the main lines of business. For example, the
accounts receivable package in the oil company's Marketing SYSTEM may
be subject to a Terrorism STUDY.

The Probability of an Event happening, and the Cost of the Impact of
the Event, must be considered separately. An event may have a low
probability, but its cost may be so high that the firm may be forced
out of business. Therefore, an action plan of insurance, for example,
may be in order. Equally, an Event may have a high probability, but
little impact cost. Only a limited action plan may be required.


Installation

RISKIT 1.0 (TM) is initially in compressed mode, in a file called
RISKIT10.EXE. To decompress this file, type the following from the DOS
prompt :

    RISKIT10

RISKIT 1.0 (TM) will then decompress, placing the following files on
your disk in the directory you are currently using :

    RISKIT.EXE - the executable code for the RISKIT 1.0 (TM) application
    RISKIT.TXT - the user manual that you are reading currently
    RISKIT.DBF - the RISKIT 1.0 (TM) database.


General Commands

To start the application, from the DOS prompt type the following :

    RISKIT

On every screen, you can enter ESCape to return to the Main Menu.

On screens with Next Record and Exit options, you can only enter "Y"
or "N". The default for Next Record is "Y", and for Exit "N" -- though
at the logical end of the browsing you will exit back to the Main
Menu.


System Diagram

The following diagram shows the flow of screens in RISKIT 1.0 (TM) :

-----------------------------------------------------------------
DOS prompt > RISKIT
        |
        v
    Main Menu
        |
        +---> Main Sub-Menu
        |         |
        |         +---> Add Study
        |         +---> Modify Study
        |         +---> Delete Study
        |         +---> Print Risk Estimate Detail Sheet
        |         +---> Print Summary Report
        |
        +---> Browse All Records
        +---> Delete All Records
        +---> Quit
-----------------------------------------------------------------


Main Menu

Screen Layout

-----------------------------------------------------------------
. RISKIT 1.0 TM      (C) Copyright 1994 Brian Risman Associates .
.                           Main Menu                           .
.                                           mm/dd/yyyy hh:mm:ss .
.                                                               .
.   **** DATABASE ACTIVITY ****                                 .
.   Add Study                                                   .
.   Modify Study                                                .
.   Delete Study                                                .
.                                                               .
.   **** PRINT/DISPLAY INFORMATION ****                         .
.   Print Risk Estimate Detail Sheet                            .
.   Print Summary Report                                        .
.   Browse All Studies                                          .
.                                                               .
.   **** DELETE ALL RECORDS ****                                .
.   Delete All Records (Exclusive Control)                      .
.                                                               .
.   **** EXIT ****                                              .
.   Quit                                                        .
-----------------------------------------------------------------

Description

On the Main Menu, options for Database Activity, Printing/Displaying
Information on the Database, Deleting all records, or Exiting the
application are selected.

Screen Options

Please note that only one of the options above can be selected at a
time.

The 'Add Study' option adds areas of POTENTIAL RISK for a particular
STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria, different
areas of WEAKNESS and POTENTIAL THREATS.

The 'Modify Study' option modifies areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria,
different areas of WEAKNESS and POTENTIAL THREATS.

The 'Delete Study' option deletes areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria,
different areas of WEAKNESS and POTENTIAL THREATS.

The 'Print Risk Estimate Detail Sheet' option prints all areas of
POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and
within those criteria, different areas of WEAKNESS and POTENTIAL
THREATS.

The 'Print Summary Report' option prints all areas of POTENTIAL RISK
for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different areas of WEAKNESS and POTENTIAL THREATS. Average
values for the PROBABILITY OF EVENT and the COST OF IMPACT are
calculated.

The 'Browse All Studies' option displays all areas of POTENTIAL RISK
for all STUDY, SYSTEM, and SUB-SYSTEM combinations -- and within those
criteria, different areas of WEAKNESS and POTENTIAL THREATS.

The 'Delete All Records' option physically removes all records from
the database.

The 'Quit' option closes the application and returns to DOS.
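The record structure the manual describes (STUDY, SYSTEM, SUB-SYSTEM, AREA OF WEAKNESS, THREAT, TOPIC, SUB-TOPIC, and the two independent 0-99 ratings), the Overview's rule of weighing probability and cost separately, and the per-study averages of the Print Summary Report, worked through as an added example. This is illustrative code written for this manual, not RISKIT's own program (which keeps its records in RISKIT.DBF); the band cut-offs, the action hints and the sample records are assumptions and constructed data, not values the manual gives.

```python
"""RISKIT-style risk record and summary report (added illustration).

Not RISKIT's own code: it models the fields the manual describes and
the averages the Print Summary Report computes. The band cut-offs and
the action hints are assumptions drawn from the Overview.
"""
from collections import defaultdict
from dataclasses import dataclass

# Menu choices from the Area of Weakness and Threat selection screens.
AREAS_OF_WEAKNESS = ("Data", "Software", "Hardware", "Facilities",
                     "Media & Supplies", "People", "Communications", "Other")
THREATS = ("Natural Hazards", "Equipment Failure", "Human Error", "Theft",
           "Fraud", "Malice", "Strategic Attack", "Other")


def check_scale(value, name):
    """Both ratings are entered as 0-99 (00:Low; 50:Medium; 99:High)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 99:
        raise ValueError(f"{name} must be an integer from 0 to 99, got {value!r}")
    return value


@dataclass
class RiskRecord:
    study: str                 # e.g. Terrorism
    system: str                # e.g. Marketing
    sub_system: str            # e.g. Accounts Receivable
    area_of_weakness: str      # passive asset, one of AREAS_OF_WEAKNESS
    threat: str                # active agent, one of THREATS
    topic: str                 # the group representing a threat
    sub_topic: str             # a potential action by that group
    probability: int = 0       # default 0 = zero probability, as on the screen
    probability_description: str = ""
    probability_action: str = ""
    cost: int = 0              # rated independently of probability
    cost_description: str = ""
    cost_action: str = ""

    def __post_init__(self):
        for name in ("study", "system", "sub_system"):   # all three mandatory
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is mandatory")
        if self.area_of_weakness not in AREAS_OF_WEAKNESS:
            raise ValueError(f"unknown area of weakness {self.area_of_weakness!r}")
        if self.threat not in THREATS:
            raise ValueError(f"unknown threat {self.threat!r}")
        check_scale(self.probability, "probability")
        check_scale(self.cost, "cost")


def band(value):
    """Assumed bands for the 0-99 scale; the manual only anchors 00/50/99."""
    return "Low" if value < 34 else "Medium" if value < 67 else "High"


def action_hint(rec):
    """The Overview's rule: weigh probability and cost separately."""
    p, c = band(rec.probability), band(rec.cost)
    if p == "Low" and c == "High":
        return "transfer"   # rare but ruinous: an insurance-type plan
    if p == "High" and c == "Low":
        return "limited"    # likely but cheap: a limited action plan
    if p == "High" and c == "High":
        return "priority"   # assumed: countermeasures come first
    return "review"         # assumed: revisit in the next study


def summary(records):
    """Average probability and cost per STUDY/SYSTEM/SUB-SYSTEM, with the
    record count, as the Print Summary Report calculates them."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.study, r.system, r.sub_system)].append(r)
    return {key: (round(sum(r.probability for r in rs) / len(rs), 1),
                  round(sum(r.cost for r in rs) / len(rs), 1), len(rs))
            for key, rs in groups.items()}


# Constructed sample study, following the manual's oil-company example.
SAMPLE = [
    RiskRecord("Terrorism", "Marketing", "Accounts Receivable", "Facilities",
               "Strategic Attack", "Terrorist group", "Physical attack on data centre",
               probability=5, cost=95, cost_action="Insurance and off-site backups"),
    RiskRecord("Terrorism", "Marketing", "Accounts Receivable", "People",
               "Human Error", "Data entry staff", "Mis-keyed invoice amounts",
               probability=80, cost=10, cost_action="Batch total checks"),
    RiskRecord("Terrorism", "Marketing", "Accounts Receivable", "Software",
               "Malice", "Computer hackers", "Password breaking",
               probability=40, cost=60),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.area_of_weakness:10} P={rec.probability:2} C={rec.cost:2}"
              f" -> {action_hint(rec)}")
    for key, (avg_p, avg_c, n) in summary(SAMPLE).items():
        print("/".join(key), f"avg P={avg_p} avg C={avg_c} ({n} records)")
```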
Main Sub-Menu

Screen Layout

-----------------------------------------------------------------
. RISKIT 1.0 TM      (C) Copyright 1994 Brian Risman Associates .
.                         Main Sub-Menu                         .
.                                           mm/dd/yyyy hh:mm:ss .
.                                                               .
.   Please enter the following information :                    .
.                                                               .
.   Study :                                                     .
.                                                               .
.   System :                                                    .
.                                                               .
.   Sub-System :                                                .
-----------------------------------------------------------------

Description

On the Main Sub-Menu, the area of STUDY, the SYSTEM name, and the
SUB-SYSTEM being targeted are selected. All three fields are
mandatory.

Screen Options

Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.

SYSTEM name refers to the area of the organization related to the
main lines of business. For an oil company, this would typically be
Refining and Marketing; for a Bank, it may be Treasury, Investment
Banking and Retail Banking.

SUB-SYSTEM name refers to the particular business applications within
the main lines of business -- for example, the accounts receivable
system in the Marketing area, or the Traders Information System in a
Bank.

For more information, please see the Main Sub-Menu section.


Add Study

Description

The 'Add Study' option adds areas of POTENTIAL RISK for a particular
STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria, different
areas of WEAKNESS and POTENTIAL THREATS.

FIRST, the selection of the 'Add Study' option on the Main Menu is
made. Please see the Main Menu section for further information.

SECOND, the Main Sub-Menu is displayed, where the area of STUDY, the
SYSTEM name, and the SUB-SYSTEM being targeted are selected.

Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.

SYSTEM name refers to the area of the organization related to the
main lines of business. For an oil company, this would typically be
Refining and Marketing; for a Bank, it may be Treasury, Investment
Banking and Retail Banking.

SUB-SYSTEM name refers to the particular business applications within
the main lines of business -- for example, the accounts receivable
system in the Marketing area, or the Traders Information System in a
Bank.

For more information, please see the Main Sub-Menu section.

THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This menu
focuses on the potential areas of weakness, such as the data, software
or hardware. AREAS OF WEAKNESS can be distinguished from the potential
threats in that the former is passive and should be protected, while
the latter is active and affects the former by its actions.

On this Menu, only one selection can be made for each physical entry
into Add Study, but different areas of weakness can be selected at
different physical entries into the Add Study option.

FOURTH, the entry of data for the potential risk -- the actual
information added to the RISKIT 1.0 (TM) database -- is performed.

The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having been
entered in the Main Sub-Menu referred to above.

The TOPIC and SUB-TOPIC are first entered. The TOPIC would typically
cover the group representing a threat -- for example, computer
hackers. The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).

The PROBABILITY OF the EVENT is next examined. A value between 0 and
99 should be entered (0 is the default, implying zero probability).
This field asks : what is the likelihood that the event will occur ?

Following is the description explaining WHY that probability level was
chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the
probability of the event happening -- is input in a method identical
with that of the PROBABILITY OF EVENT shown above.

After this field is entered, press ENTER to add the record -- or
ESCape to cancel record addition and return to the Main Menu.

Please note that ESCape can be entered at any time in the Data Entry
screen to exit back to the Main Menu.


Add Study
Area of Weakness Selection Screen Layout

-----------------------------------------------------------------
. RISKIT 1.0 TM      (C) Copyright 1994 Brian Risman Associates .
.                           Add Study                           .
.                                           mm/dd/yyyy hh:mm:ss .
.                                                               .
.   Data                                                        .
.   Software                                                    .
.   Hardware                                                    .
.   Facilities                                                  .
.   Media & Supplies                                            .
.   People                                                      .
.   Communications                                              .
.   Other                                                       .
.   Return                                                      .
-----------------------------------------------------------------

Description

AREAS OF WEAKNESS are inherent characteristics of a system that could
let a threat act upon an asset, causing a harmful event. THREATS
capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause
a loss. Complex systems are more likely to have greater AREAS OF
WEAKNESS than simple systems, due to the presence of more exposures
not covered by existing security procedures.

Please note that while only one AREA OF WEAKNESS can be selected at a
time, there is no reason that a user cannot enter 'Add Study' several
times to enter different AREAS OF WEAKNESS.

Screen Options

The following assets or corporate elements must be examined :

DATA
    These assets may be on storage media, input forms, or output
    listings.

SOFTWARE
    Software assets generally exceed hardware in value, and consist of
    both system and application programs.

HARDWARE
    These assets include terminals, computers, and associated
    equipment.

FACILITIES
    These are the physical entities of the environment, such as
    security alarms, utility back-ups, and real property.

MEDIA & SUPPLIES
    Stocks of blank forms, tapes and paper are examples of media
    assets.

PEOPLE
    Any of the stakeholders in the organization -- for example,
    employees, managers, executives, shareholders, government or even
    the public.

COMMUNICATIONS
    Corporate network and internal data processing links are examples
    of communications.

OTHER
    Other areas of weakness that you might want to add.

RETURN
    Return to Main Menu.
Add Study
Potential Area of Threat Selection Screen Layout

-----------------------------------------------------------------
. RISKIT 1.0 TM      (C) Copyright 1994 Brian Risman Associates .
.                 Add Study - area of weakness                  .
.                                           mm/dd/yyyy hh:mm:ss .
.                                                               .
.   Natural Hazards                                             .
.   Equipment Failure                                           .
.   Human Error                                                 .
.   Theft                                                       .
.   Fraud                                                       .
.   Malice                                                      .
.   Strategic Attack                                            .
.   Other                                                       .
.   Return                                                      .
-----------------------------------------------------------------

Description

A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss of
a corporate asset) by acting upon an asset.

THREATS fall into two main categories -- intentional and
probabilistic. Intentional THREATS are performed by people seeking to
harm the organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category. Probabilistic
THREATS may occur as a result of HUMAN ERROR precipitating threats
involving procedures, programs, systems software, and also EQUIPMENT
FAILURE encompassing computer or support equipment. Alternatively,
NATURAL HAZARDS may also occur -- storms, power loss, earthquakes,
flooding, water damage, and fire.

Please note that while only one THREAT can be entered at a time, there
is no reason that more THREATS cannot be entered in subsequent 'Add
Study' entries.

Screen Options

NATURAL HAZARDS are probabilistic events such as hurricanes, floods,
mud slides, or cold weather that can have a harmful effect on an AREA
OF WEAKNESS.

EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled employee
is an example of a harmful effect to an AREA OF WEAKNESS.

HUMAN ERROR is yet another probabilistic event that covers mistakes
made by staff or others (for example, external consultants or vendors)
adversely affecting an AREA OF WEAKNESS.

THEFT is, on the other hand, an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. THEFT is defined as the act
or crime of stealing.

FRAUD is also an intentional event aimed at harming the organization
through its AREA OF WEAKNESS. FRAUD is defined as an act or instance
of deception or trickery.

MALICE is also an intentional event aimed at harming the organization
through its AREA OF WEAKNESS. MALICE is defined as a wilfully formed
event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault, usually by
more than one person, on the organization through its AREA OF
WEAKNESS.


Add Study
Add Study Case Input Screen Layout

-----------------------------------------------------------------
. RISKIT 1.0 TM      (C) Copyright 1994 Brian Risman Associates .
.             Add Study - area of weakness - threat             .
.                                           mm/dd/yyyy hh:mm:ss .
.                 Press ESC to cancel addition                  .
.                                                               .
.   Study :                                                     .
.   System :                                                    .
.   Sub-System :                                                .
.   Topic :                                                     .
.   Sub-Topic :                                                 .
.   Probability of Event                                        .
.   (00:Low; 50:Medium; 99:High) :                              .
.   Event Probability Description :                             .
.   Action to be Taken :                                        .
.   Cost of Impact                                              .
.   (00:Low; 50:Medium; 99:High) :                              .
.   Cost of Impact Description :                                .
.   Action to be Taken :                                        .
-----------------------------------------------------------------

Description

In this panel, the details for a particular THREAT to an AREA OF
WEAKNESS are entered.

Screen Options

The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having been
entered in the Main Sub-Menu referred to above.

The TOPIC and SUB-TOPIC are first entered. The TOPIC would typically
cover the group representing a threat -- for example, computer
hackers. The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).

The PROBABILITY OF the EVENT is next examined. A value between 0 and
99 should be entered (0 is the default, implying zero probability).
This field asks : what is the likelihood that the event will occur ?

Following is the description explaining WHY that probability level was
chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the
probability of the event happening -- is input in a method identical
with that of the PROBABILITY OF EVENT shown above.

After this field is entered, press ENTER to add the record -- or
ESCape to cancel record addition and return to the Main Menu.

Please note that ESCape can be entered at any time in the Data Entry
screen to exit back to the Main Menu.


Modify Study

Description

The 'Modify Study' option modifies areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria,
different areas of WEAKNESS and POTENTIAL THREATS.

FIRST, the selection of the 'Modify Study' option on the Main Menu is
made. Please see the Main Menu section for further information.

SECOND, the Main Sub-Menu is displayed, where the area of STUDY, the
SYSTEM name, and the SUB-SYSTEM being targeted are selected.

Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.

SYSTEM name refers to the area of the organization related to the
main lines of business. For an oil company, this would typically be
Refining and Marketing; for a Bank, it may be Treasury, Investment
Banking and Retail Banking.

SUB-SYSTEM name refers to the particular business applications within
the main lines of business -- for example, the accounts receivable
system in the Marketing area, or the Traders Information System in a
Bank.

For more information, please see the Main Sub-Menu section.

THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This menu
focuses on the potential areas of weakness, such as the data, software
or hardware.
AREAS OF WEAKNESS can be distinguished from the potential threats in the that the former is passive and should be protected, while the latter is active and affects the former by its actions. On this Menu, only one selection can be made for each physical entry into 'Modify Study', but different area of weaknesses can be selected at different physical entries into the Modify Study option. FOURTH, the modification of data for the potential risk -- the actual information added to the RISKIT 1.0 (TM) database -- is performed. The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having been entered in the Main Sub-Menu referred to above. The TOPIC and SUB-TOPIC are first entered. The TOPIC would typically cover the group representing a threat - - for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers(TOPIC). The PROBABILITY OF the EVENT is next examined. A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field looks at what is the likelihood that the event will occur ? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any. Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is input in a method identical with that of the PROBABILITY OF EVENT shown above. After this field is entered, press ENTER to modify the record -- or ESCape to cancel record modification and return to the Main Menu. Please note that ESCape can be entered at any time in the Data Entry screen to exit back to the Main Menu. Modify Study Area of Weakness Selection Screen Layout ----------------------------------------------------------------- . RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates . . Modify Study . . mm/dd/yyyy hh:mm:ss . . . . Data . . Software . . Hardware . . Facilities . . Media & Supplies . . 
People . . Communications . . Other . . Return . ----------------------------------------------------------------- Description AREAS OF WEAKNESS are inherent characteristics of a system that could let a threat act upon an asset, causing a harmful event. THREATS capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause a loss. Complex systems are more likely to have greater AREAS OF WEAKNESS than simple systems, due to the presence of more exposures not covered by existing security procedures. Please note that while only one AREA OF WEAKNESS can be selected at a time, there is no reason that a user cannot enter 'Modify Study' several times to modify different AREAS OF WEAKNESS. Screen Options The following assets or corporate elements must be examined : DATA These assets may be on storage media, input forms, or output listings. SOFTWARE Software assets generally exceed hardware in value, and consist of both system and application programs. HARDWARE These assets include terminals, computers, and associated equipment. FACILITIES These are the physical entities of the environment, such as security alarms, utility back-ups, and real property. MEDIA & SUPPLIES Stocks of blank forms, tapes and paper are examples of media assets. PEOPLE Any of the stakeholders in the organization -- for example, employees, managers, executives, shareholders, government or even the public. COMMUNICATIONS Corporate network and internal data processing links are examples of communications. OTHER Other areas of weakness that you might want to modify. RETURN Return to Main Menu. Modify Study Potential Area of Threat Selection Screen Layout ----------------------------------------------------------------- . RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates . . Modify Study - area of weakness . . mm/dd/yyyy hh:mm:ss . . . . Natural Hazards . . Equipment Failure . . Human Error . . Theft . . Fraud . . Malice . . Strategic Attack . . Other . . Return . 
----------------------------------------------------------------- Description A THREAT is an aspect of the environment that, when given an opportunity, can cause a harmful event(a partial or complete loss of a corporate asset) by acting upon an asset. THREATS fall into two main categories -- intentional and probabilistic. Intentional THREATS are performed by people seeking to harm the organization by stealing or disrupting assets. THEFT, FRAUD, MALICE, and STRATEGIC ATTACK fall into this category. Probabilistic THREATS may occur as a result of HUMAN ERROR precipitating threats involving procedures, programs, systems software, and also EQUIPMENT FAILURE encompassing computer or support equipment. Alternatively, NATURAL HAZARDS may also occur -- storms, power loss, earthquakes, flooding, water damage, and fire. Please note that while only one THREAT can be modified at a time, there is no reason that more THREATs cannot be modified in subsequent 'Modify Study' entries. Screen Options NATURAL HAZARDS are probabilistic events such as hurricanes, floods, mud slides, cold weather that can have a harmful affect on an AREA OF WEAKNESS. EQUIPMENT FAILURE covers probabilistic events such as hardware failures or sabotage. Damage to a mainframe by a disgruntled employee is an example of a harmful effect to an AREA OF WEAKNESS. HUMAN ERROR is yet another probabilistic event that covers mistakes made by staff or others (for example, external consultants or vendors) adversely affecting an AREA OF WEAKNESS. THEFT is, on the other hand, an intentional event aimed at harming the organization through its AREA OF WEAKNESS. THEFT is defined as the act or crime of stealing. FRAUD is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. FRAUD is defined as an act or instance of deception or trickery. MALICE is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. 
MALICE is defined as a wilfully formed event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault by usually more than one person on the organization through its AREA OF WEAKNESS.

Modify Study
Modify Study Case Input Screen Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Modify Study - area of weakness - threat             mm/dd/yyyy hh:mm:ss
 Press ESC to cancel modification
 Next Record ? :
 Exit ? :

 Study      :
 System     :
 Sub-System :
 Topic      :
 Sub-Topic  :
 Probability of Event
   (00:Low; 50:Medium; 99:High)   :
 Event Probability Description    :
 Action to be Taken               :
 Cost of Impact
   (00:Low; 50:Medium; 99:High)   :
 Cost of Impact Description       :
 Action to be Taken               :
-----------------------------------------------------------------

Description

In this panel, the details for a particular THREAT to an AREA OF WEAKNESS are modified.

Screen Options

The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having been entered in the Main Sub-Menu referred to above.

The TOPIC and SUB-TOPIC are entered first. The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next. A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field asks: what is the likelihood that the event will occur? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is input in a method identical with that of the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to modify the record -- or ESCape to cancel record modification and return to the Main Menu. Please note that ESCape can be entered at any time in the Data Entry screen to exit back to the Main Menu.

Delete Study

Description

The 'Delete Study' option deletes areas of POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.

FIRST, the selection of the 'Delete Study' option on the Main Menu is made. Please see the Main Menu section for further information.

SECOND, the Main Sub-Menu is displayed, where the area of STUDY, the SYSTEM name, and the SUB-SYSTEM being targeted are selected. Areas of STUDY may include Vandalism, Terrorism, Earthquakes, Tornadoes, or Snowstorms. SYSTEM name refers to the area of the organization related to the main lines of business. For an oil company, this would typically be Refining and Marketing; for a Bank, it may be Treasury, Investment Banking and Retail Banking. SUB-SYSTEM name refers to the particular business applications within the main lines of business -- for example, the accounts receivable system in the Marketing area, or the Traders Information System in a Bank. For more information, please see the Main Sub-Menu section.

THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This menu focuses on the potential areas of weakness, such as the data, software or hardware. AREAS OF WEAKNESS can be distinguished from the potential threats in that the former is passive and should be protected, while the latter is active and affects the former by its actions. On this Menu, only one selection can be made for each physical entry into Delete Study, but different AREAS OF WEAKNESS can be selected at different physical entries into the Delete Study option.

FOURTH, the deletion of data for the potential risk -- the actual information added to the RISKIT 1.0 (TM) database -- is performed.
All fields are PROTECTED. The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next. A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field asks: what is the likelihood that the event will occur? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is viewed in a method identical with that of the PROBABILITY OF EVENT shown above.

After this field is entered, press ENTER to delete the record -- or ESCape to cancel record deletion and return to the Main Menu. Please note that ESCape can be entered at any time in the Data Entry screen to exit back to the Main Menu.

Delete Study
Area of Weakness Selection Screen Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Delete Study                                         mm/dd/yyyy hh:mm:ss

     Data
     Software
     Hardware
     Facilities
     Media & Supplies
     People
     Communications
     Other
     Return
-----------------------------------------------------------------

Description

AREAS OF WEAKNESS are inherent characteristics of a system that could let a threat act upon an asset, causing a harmful event. THREATS capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause a loss. Complex systems are more likely to have greater AREAS OF WEAKNESS than simple systems, due to the presence of more exposures not covered by existing security procedures.
Please note that while only one AREA OF WEAKNESS can be deleted at a time, there is no reason that a user cannot enter 'Delete Study' several times to delete different AREAS OF WEAKNESS.

Screen Options

The following assets or corporate elements must be examined:

DATA
     These assets may be on storage media, input forms, or output listings.
SOFTWARE
     Software assets generally exceed hardware in value, and consist of both system and application programs.
HARDWARE
     These assets include terminals, computers, and associated equipment.
FACILITIES
     These are the physical entities of the environment, such as security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
     Stocks of blank forms, tapes and paper are examples of media assets.
PEOPLE
     Any of the stakeholders in the organization -- for example, employees, managers, executives, shareholders, government or even the public.
COMMUNICATIONS
     Corporate network and internal data processing links are examples of communications.
OTHER
     Other areas of weakness that you might want to delete.
RETURN
     Return to Main Menu.

Delete Study
Potential Area of Threat Selection Screen Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Delete Study - area of weakness                      mm/dd/yyyy hh:mm:ss

     Natural Hazards
     Equipment Failure
     Human Error
     Theft
     Fraud
     Malice
     Strategic Attack
     Other
     Return
-----------------------------------------------------------------

Description

A THREAT is an aspect of the environment that, when given an opportunity, can cause a harmful event (a partial or complete loss of a corporate asset) by acting upon an asset. THREATS fall into two main categories -- intentional and probabilistic. Intentional THREATS are performed by people seeking to harm the organization by stealing or disrupting assets. THEFT, FRAUD, MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS may occur as a result of HUMAN ERROR precipitating threats involving procedures, programs, systems software, and also EQUIPMENT FAILURE encompassing computer or support equipment. Alternatively, NATURAL HAZARDS may also occur -- storms, power loss, earthquakes, flooding, water damage, and fire.

Please note that while only one THREAT can be deleted at a time, there is no reason that more THREATS cannot be deleted in subsequent 'Delete Study' entries.

Screen Options

NATURAL HAZARDS are probabilistic events such as hurricanes, floods, mud slides, cold weather that can have a harmful effect on an AREA OF WEAKNESS.

EQUIPMENT FAILURE covers probabilistic events such as hardware failures or sabotage. Damage to a mainframe by a disgruntled employee is an example of a harmful effect to an AREA OF WEAKNESS.

HUMAN ERROR is yet another probabilistic event that covers mistakes made by staff or others (for example, external consultants or vendors) adversely affecting an AREA OF WEAKNESS.

THEFT is, on the other hand, an intentional event aimed at harming the organization through its AREA OF WEAKNESS. THEFT is defined as the act or crime of stealing.

FRAUD is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. FRAUD is defined as an act or instance of deception or trickery.

MALICE is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. MALICE is defined as a wilfully formed event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault by usually more than one person on the organization through its AREA OF WEAKNESS.

Delete Study
Delete Study Case Input Screen Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Delete Study - area of weakness - threat             mm/dd/yyyy hh:mm:ss
 Press ESC to cancel deletion
 Next Record ? :
 Exit ? :

 Study      :
 System     :
 Sub-System :
 Topic      :
 Sub-Topic  :
 Probability of Event
   (00:Low; 50:Medium; 99:High)   :
 Event Probability Description    :
 Action to be Taken               :
 Cost of Impact
   (00:Low; 50:Medium; 99:High)   :
 Cost of Impact Description       :
 Action to be Taken               :
-----------------------------------------------------------------

Description

In this panel, the details for a particular THREAT to an AREA OF WEAKNESS are deleted.

Screen Options

All fields are PROTECTED, having been entered in the Main Sub-Menu referred to above.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next. A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field asks: what is the likelihood that the event will occur? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is reviewed in a method identical with that of the PROBABILITY OF EVENT shown above.

After this field is reviewed, press ENTER to delete the record -- or ESCape to cancel record deletion and return to the Main Menu. Please note that ESCape can be entered at any time in the Data Entry screen to exit back to the Main Menu.

Print Risk Estimate Detail Sheet

Description

The 'Print Risk Estimate Detail Sheet' option prints all areas of POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.

FIRST, the selection of the 'Print Risk Estimate Detail Sheet' option on the Main Menu is made. Please see the Main Menu section for further information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY, the SYSTEM name, and the SUB-SYSTEM being targeted are selected. Areas of STUDY may include Vandalism, Terrorism, Earthquakes, Tornadoes, or Snowstorms. SYSTEM name refers to the area of the organization related to the main lines of business. For an oil company, this would typically be Refining and Marketing; for a Bank, it may be Treasury, Investment Banking and Retail Banking. SUB-SYSTEM name refers to the particular business applications within the main lines of business -- for example, the accounts receivable system in the Marketing area, or the Traders Information System in a Bank. For more information, please see the Main Sub-Menu section.

Finally, the reports are printed. Information on the fields is presented below. At the time of printing, a message stating that the report is currently printing appears on the screen.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

AREAS OF WEAKNESS can be distinguished from the potential threats in that the former is passive and should be protected, while the latter is active and affects the former by its actions. AREAS OF WEAKNESS are inherent characteristics of a system that could let a threat act upon an asset, causing a harmful event. THREATS capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause a loss. Complex systems are more likely to have greater AREAS OF WEAKNESS than simple systems, due to the presence of more exposures not covered by existing security procedures.

AREAS OF WEAKNESS include the following:

DATA
     These assets may be on storage media, input forms, or output listings.
SOFTWARE
     Software assets generally exceed hardware in value, and consist of both system and application programs.
HARDWARE
     These assets include terminals, computers, and associated equipment.
FACILITIES
     These are the physical entities of the environment, such as security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
     Stocks of blank forms, tapes and paper are examples of media assets.
PEOPLE
     Any of the stakeholders in the organization -- for example, employees, managers, executives, shareholders, government or even the public.
COMMUNICATIONS
     Corporate network and internal data processing links are examples of communications.

A THREAT is an aspect of the environment that, when given an opportunity, can cause a harmful event (a partial or complete loss of a corporate asset) by acting upon an asset. THREATS fall into two main categories -- intentional and probabilistic. Intentional THREATS are performed by people seeking to harm the organization by stealing or disrupting assets. THEFT, FRAUD, MALICE, and STRATEGIC ATTACK fall into this category. Probabilistic THREATS may occur as a result of HUMAN ERROR precipitating threats involving procedures, programs, systems software, and also EQUIPMENT FAILURE encompassing computer or support equipment. Alternatively, NATURAL HAZARDS may also occur -- storms, power loss, earthquakes, flooding, water damage, and fire.

THREATS include the following:

NATURAL HAZARDS are probabilistic events such as hurricanes, floods, mud slides, cold weather that can have a harmful effect on an AREA OF WEAKNESS.

EQUIPMENT FAILURE covers probabilistic events such as hardware failures or sabotage. Damage to a mainframe by a disgruntled employee is an example of a harmful effect to an AREA OF WEAKNESS.

HUMAN ERROR is yet another probabilistic event that covers mistakes made by staff or others (for example, external consultants or vendors) adversely affecting an AREA OF WEAKNESS.

THEFT is, on the other hand, an intentional event aimed at harming the organization through its AREA OF WEAKNESS. THEFT is defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. FRAUD is defined as an act or instance of deception or trickery.

MALICE is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. MALICE is defined as a wilfully formed event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault by usually more than one person on the organization through its AREA OF WEAKNESS.

Print Risk Estimate Detail Sheet
Report Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Risk Estimate Detail Sheet                           mm/dd/yyyy hh:mm:ss


 Study      :
 System     :
 Sub-System :
 Topic      :
 Sub-Topic  :
 Probability of Event
   (00:Low; 50:Medium; 99:High)   :
 Event Probability Description    :
 Action to be Taken               :
 Cost of Impact
   (00:Low; 50:Medium; 99:High)   :
 Cost of Impact Description       :
 Action to be Taken               :
-----------------------------------------------------------------

Description

In this report, the details for a particular THREAT to an AREA OF WEAKNESS are printed.

Screen Options

ALL fields are PROTECTED.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next. A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field asks: what is the likelihood that the event will occur? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any.
Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is reviewed in a method identical with that of the PROBABILITY OF EVENT shown above.

Print Summary Report

Description

The 'Print Summary Report' option prints all areas of POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS. Average values for the PROBABILITY OF EVENT and the COST OF IMPACT are calculated.

FIRST, the selection of the 'Print Summary Report' option on the Main Menu is made. Please see the Main Menu section for further information.

SECOND, the Main Sub-Menu is displayed, where the area of STUDY, the SYSTEM name, and the SUB-SYSTEM being targeted are selected. Areas of STUDY may include Vandalism, Terrorism, Earthquakes, Tornadoes, or Snowstorms. SYSTEM name refers to the area of the organization related to the main lines of business. For an oil company, this would typically be Refining and Marketing; for a Bank, it may be Treasury, Investment Banking and Retail Banking. SUB-SYSTEM name refers to the particular business applications within the main lines of business -- for example, the accounts receivable system in the Marketing area, or the Traders Information System in a Bank. For more information, please see the Main Sub-Menu section.

Finally, the reports are printed. Information on the fields is presented below. At the time of printing, a message stating that the report is currently printing appears on the screen.

AREAS OF WEAKNESS can be distinguished from the potential threats in that the former is passive and should be protected, while the latter is active and affects the former by its actions. AREAS OF WEAKNESS are inherent characteristics of a system that could let a threat act upon an asset, causing a harmful event. THREATS capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause a loss.
Complex systems are more likely to have greater AREAS OF WEAKNESS than simple systems, due to the presence of more exposures not covered by existing security procedures.

AREAS OF WEAKNESS include the following:

DATA
     These assets may be on storage media, input forms, or output listings.
SOFTWARE
     Software assets generally exceed hardware in value, and consist of both system and application programs.
HARDWARE
     These assets include terminals, computers, and associated equipment.
FACILITIES
     These are the physical entities of the environment, such as security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
     Stocks of blank forms, tapes and paper are examples of media assets.
PEOPLE
     Any of the stakeholders in the organization -- for example, employees, managers, executives, shareholders, government or even the public.
COMMUNICATIONS
     Corporate network and internal data processing links are examples of communications.

A THREAT is an aspect of the environment that, when given an opportunity, can cause a harmful event (a partial or complete loss of a corporate asset) by acting upon an asset. THREATS fall into two main categories -- intentional and probabilistic. Intentional THREATS are performed by people seeking to harm the organization by stealing or disrupting assets. THEFT, FRAUD, MALICE, and STRATEGIC ATTACK fall into this category. Probabilistic THREATS may occur as a result of HUMAN ERROR precipitating threats involving procedures, programs, systems software, and also EQUIPMENT FAILURE encompassing computer or support equipment. Alternatively, NATURAL HAZARDS may also occur -- storms, power loss, earthquakes, flooding, water damage, and fire.

THREATS include the following:

NATURAL HAZARDS are probabilistic events such as hurricanes, floods, mud slides, cold weather that can have a harmful effect on an AREA OF WEAKNESS.

EQUIPMENT FAILURE covers probabilistic events such as hardware failures or sabotage.
Damage to a mainframe by a disgruntled employee is an example of a harmful effect to an AREA OF WEAKNESS.

HUMAN ERROR is yet another probabilistic event that covers mistakes made by staff or others (for example, external consultants or vendors) adversely affecting an AREA OF WEAKNESS.

THEFT is, on the other hand, an intentional event aimed at harming the organization through its AREA OF WEAKNESS. THEFT is defined as the act or crime of stealing.

FRAUD is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. FRAUD is defined as an act or instance of deception or trickery.

MALICE is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. MALICE is defined as a wilfully formed event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault by usually more than one person on the organization through its AREA OF WEAKNESS.

The average PROBABILITY OF EVENT and the average COST OF IMPACT are then printed.

Print Summary Report
Report Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Summary Report                                       mm/dd/yyyy hh:mm:ss


 Study      :
 System     :
 Sub-System :
 Weakness   :
 Threat     :
 Probability of Event
   (00:Low; 50:Medium; 99:High)   :
 Cost of Impact
   (00:Low; 50:Medium; 99:High)   :
-----------------------------------------------------------------

Description

In this report, the average values for a particular THREAT to an AREA OF WEAKNESS are printed.

Screen Options

ALL fields are PROTECTED.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next. A value between 0 and 99 is averaged (0 is the default, implying zero probability).
This field asks: what is the likelihood that the event will occur?

Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is averaged in a method identical with that of the PROBABILITY OF EVENT shown above.

Browse All Studies

Description

The 'Browse All Studies' option displays all areas of POTENTIAL RISK for all STUDY, SYSTEM, and SUB-SYSTEM entries -- and within those criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.

FIRST, the selection of the 'Browse All Studies' option on the Main Menu is made. Please see the Main Menu section for further information.

The information on the database is then displayed. Areas of STUDY may include Vandalism, Terrorism, Earthquakes, Tornadoes, or Snowstorms. SYSTEM name refers to the area of the organization related to the main lines of business. For an oil company, this would typically be Refining and Marketing; for a Bank, it may be Treasury, Investment Banking and Retail Banking. SUB-SYSTEM name refers to the particular business applications within the main lines of business -- for example, the accounts receivable system in the Marketing area, or the Traders Information System in a Bank.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

AREAS OF WEAKNESS can be distinguished from the potential threats in that the former is passive and should be protected, while the latter is active and affects the former by its actions. AREAS OF WEAKNESS are inherent characteristics of a system that could let a threat act upon an asset, causing a harmful event. THREATS capitalize upon these AREAS OF WEAKNESS to breach safeguards and cause a loss.
Complex systems are more likely to have greater AREAS OF WEAKNESS than simple systems, due to the presence of more exposures not covered by existing security procedures.

AREAS OF WEAKNESS include the following:

DATA
     These assets may be on storage media, input forms, or output listings.
SOFTWARE
     Software assets generally exceed hardware in value, and consist of both system and application programs.
HARDWARE
     These assets include terminals, computers, and associated equipment.
FACILITIES
     These are the physical entities of the environment, such as security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
     Stocks of blank forms, tapes and paper are examples of media assets.
PEOPLE
     Any of the stakeholders in the organization -- for example, employees, managers, executives, shareholders, government or even the public.
COMMUNICATIONS
     Corporate network and internal data processing links are examples of communications.

A THREAT is an aspect of the environment that, when given an opportunity, can cause a harmful event (a partial or complete loss of a corporate asset) by acting upon an asset. THREATS fall into two main categories -- intentional and probabilistic. Intentional THREATS are performed by people seeking to harm the organization by stealing or disrupting assets. THEFT, FRAUD, MALICE, and STRATEGIC ATTACK fall into this category. Probabilistic THREATS may occur as a result of HUMAN ERROR precipitating threats involving procedures, programs, systems software, and also EQUIPMENT FAILURE encompassing computer or support equipment. Alternatively, NATURAL HAZARDS may also occur -- storms, power loss, earthquakes, flooding, water damage, and fire.

THREATS include the following:

NATURAL HAZARDS are probabilistic events such as hurricanes, floods, mud slides, cold weather that can have a harmful effect on an AREA OF WEAKNESS.

EQUIPMENT FAILURE covers probabilistic events such as hardware failures or sabotage.
Damage to a mainframe by a disgruntled employee is an example of a harmful effect to an AREA OF WEAKNESS.

HUMAN ERROR is yet another probabilistic event that covers mistakes made by staff or others (for example, external consultants or vendors) adversely affecting an AREA OF WEAKNESS.

THEFT is, on the other hand, an intentional event aimed at harming the organization through its AREA OF WEAKNESS. THEFT is defined as the act or crime of stealing.

FRAUD is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. FRAUD is defined as an act or instance of deception or trickery.

MALICE is also an intentional event aimed at harming the organization through its AREA OF WEAKNESS. MALICE is defined as a wilfully formed event designed to do another an injury.

STRATEGIC ATTACK is a more organized, broad-based assault by usually more than one person on the organization through its AREA OF WEAKNESS.

Browse All Records
Screen Layout

-----------------------------------------------------------------
 RISKIT 1.0 TM                 (C) Copyright 1994 Brian Risman Associates
 Browse All Records                                   mm/dd/yyyy hh:mm:ss
 Press ESC to exit
 Next Record ? :
 Exit ? :

 Study      :
 System     :
 Sub-System :
 Topic      :
 Sub-Topic  :
 Probability of Event
   (00:Low; 50:Medium; 99:High)   :
 Event Probability Description    :
 Action to be Taken               :
 Cost of Impact
   (00:Low; 50:Medium; 99:High)   :
 Cost of Impact Description       :
 Action to be Taken               :
-----------------------------------------------------------------

Description

In this screen, the details for a particular THREAT to an AREA OF WEAKNESS are displayed.

Screen Options

ALL fields are PROTECTED.

The TOPIC would typically cover the group representing a threat -- for example, computer hackers. The SUB-TOPIC would typically cover potential actions by the TOPIC -- for example, password breaking (SUB-TOPIC) by computer hackers (TOPIC).

The PROBABILITY OF the EVENT is examined next.
A value between 0 and 99 should be entered (0 is the default, implying zero probability). This field asks: what is the likelihood that the event will occur? Following is the description explaining WHY that probability level was chosen, followed by the corrective action to be taken, if any.

Finally, the COST OF the IMPACT of the event -- independent of the probability of the event happening -- is reviewed in a method identical with that of the PROBABILITY OF EVENT shown above.

Delete All Records (Exclusive Control)

Description

The 'Delete All Records' option physically removes all records from the database. Please note that exclusive control of the database is required for this function to operate. No screens are displayed, but the Main Menu is re-displayed after the completion of the operation.

Quit

Description

The 'Quit' option closes the application and returns to DOS.

Index

Add Study
     Description . . . . . . . . . . . . . . . . . . . . . . 16
Commands
     general . . . . . . . . . . . . . . . . . . . . . . . . 11
Description
     Add Study . . . . . . . . . . . . . . . . . . . . . . . 16
     Main Menu . . . . . . . . . . . . . . . . . . . . . . . 13
     Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . 15
Installation . . . . . . . . . . . . . . . . . . . . . . . . 10
License Agreement . . . . . . . . . . . . . . . . . . . . . . 5
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     Description . . . . . . . . . . . . . . . . . . . . . . 13
     Screen Layout . . . . . . . . . . . . . . . . . . . . . 13
     Screen Options . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu
     Description . . . . . . . . . . . . . . . . . . . . . . 15
     Screen Layout . . . . . . . . . . . . . . . . . . . . . 15
     Screen Options . . . . . . . . . . . . . . . . . . . . 15
Order Form . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Risk management
     definition . . . . . . . . . . . . . . . . . . . . . . . 9
Screen Layout
     Main Menu . . . . . . . . . . . . . . . . . . . . . . . 13
     Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . 15
Screen Options
     Main Menu . . . . . . . . . . . . . . . . . . . . . . . 13
     Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . 15
System Diagram . . . . . . . . . . . . . . . . . . . . . . . 12
System Requirements . . . . . . . . . . . . . . . . . . . . . 7
Warranty, limited . . . . . . . . . . . . . . . . . . . . . . 6