RISKIT.TXT | Text File | 1994-03-26 | 79KB | 2,338 lines
R I S K I T 1.0 (TM)
Risk Assessment Software
Users Manual
Copyright (c) 1994 Brian Risman Associates All Rights Reserved
Table of Contents
Order Form . . . . . . . . . . . . . . . . . . . . . . . . . 4
License Agreement . . . . . . . . . . . . . . . . . . . . . 5
Limited Warranty . . . . . . . . . . . . . . . . . . . . . . 6
System Requirements . . . . . . . . . . . . . . . . . . . . 7
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 8
What is Risk Management ? . . . . . . . . . . . . . . . . . 9
Installation . . . . . . . . . . . . . . . . . . . . . . . . 10
General Commands . . . . . . . . . . . . . . . . . . . . . . 11
System Diagram . . . . . . . . . . . . . . . . . . . . . . . 12
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . 13
Screen Layout . . . . . . . . . . . . . . . . . . . . . 13
Description . . . . . . . . . . . . . . . . . . . . . . 13
Screen Options . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . . . 15
Screen Layout . . . . . . . . . . . . . . . . . . . . . 15
Description . . . . . . . . . . . . . . . . . . . . . . 15
Screen Options . . . . . . . . . . . . . . . . . . . . 15
Add Study . . . . . . . . . . . . . . . . . . . . . . . . . 16
Description . . . . . . . . . . . . . . . . . . . . . . 16
Area of Weakness Selection Screen Layout . . . . . . . 18
Description . . . . . . . . . . . . . . . . . . . . . . 18
Screen Options . . . . . . . . . . . . . . . . . . . . 18
Potential Area of Threat Selection Screen Layout . . . 20
Description . . . . . . . . . . . . . . . . . . . . . . 20
Screen Options . . . . . . . . . . . . . . . . . . . . 21
Add Study Case Input Screen Layout . . . . . . . . . . 22
Description . . . . . . . . . . . . . . . . . . . . . . 22
Screen Options . . . . . . . . . . . . . . . . . . . . 22
Modify Study . . . . . . . . . . . . . . . . . . . . . . . . 24
Description . . . . . . . . . . . . . . . . . . . . . . 24
Area of Weakness Selection Screen Layout . . . . . . . 26
Description . . . . . . . . . . . . . . . . . . . . . . 26
Screen Options . . . . . . . . . . . . . . . . . . . . 26
Potential Area of Threat Selection Screen Layout . . . 28
Description . . . . . . . . . . . . . . . . . . . . . . 28
Screen Options . . . . . . . . . . . . . . . . . . . . 29
Modify Study Case Input Screen Layout . . . . . . . . . 30
Description . . . . . . . . . . . . . . . . . . . . . . 30
Screen Options . . . . . . . . . . . . . . . . . . . . 30
Delete Study . . . . . . . . . . . . . . . . . . . . . . . . 32
Description . . . . . . . . . . . . . . . . . . . . . . 32
Area of Weakness Selection Screen Layout . . . . . . . 34
Description . . . . . . . . . . . . . . . . . . . . . . 34
Screen Options . . . . . . . . . . . . . . . . . . . . 34
Potential Area of Threat Selection Screen Layout . . . 36
Description . . . . . . . . . . . . . . . . . . . . . . 36
Screen Options . . . . . . . . . . . . . . . . . . . . 37
Delete Study Case Input Screen Layout . . . . . . . . . 38
Description . . . . . . . . . . . . . . . . . . . . . . 38
Screen Options . . . . . . . . . . . . . . . . . . . . 38
Print Risk Estimate Detail Sheet . . . . . . . . . . . . . . 40
Description . . . . . . . . . . . . . . . . . . . . . . 40
Report Layout . . . . . . . . . . . . . . . . . . . . . 43
Description . . . . . . . . . . . . . . . . . . . . . . 43
Screen Options . . . . . . . . . . . . . . . . . . . . 43
Print Summary Report . . . . . . . . . . . . . . . . . . . . 44
Description . . . . . . . . . . . . . . . . . . . . . . 44
Report Layout . . . . . . . . . . . . . . . . . . . . . 47
Description . . . . . . . . . . . . . . . . . . . . . . 47
Screen Options . . . . . . . . . . . . . . . . . . . . 47
Browse All Studies . . . . . . . . . . . . . . . . . . . . . 48
Description . . . . . . . . . . . . . . . . . . . . . . 48
Screen Layout . . . . . . . . . . . . . . . . . . . . . 51
Description . . . . . . . . . . . . . . . . . . . . . . 51
Screen Options . . . . . . . . . . . . . . . . . . . . 51
Delete All Records (Exclusive Control) . . . . . . . . . . . 53
Description . . . . . . . . . . . . . . . . . . . . . . 53
Quit . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Description . . . . . . . . . . . . . . . . . . . . . . 54
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Order Form
To register your copy of RISKIT 1.0 (TM), please send along the
following form, or a reasonable facsimile, and certified cheque
or money order for $ 99 in United States funds, to the following
address :
Brian Risman Associates
1 Canyon Avenue Suite 912
North York Ontario CANADA M3H 4X8
Name : _______________________________________________________
Company : ____________________________________________________
Address : ____________________________________________________
Day Phone : ____________________ Eve Phone : _________________
Fax Number : ______________________
Bulletin Board Address (Compuserve, Internet) :
______________________________________________________________
RISKIT 1.0 (TM)
License Agreement
Brian Risman Associates provides these programs and licenses
their use. You assume responsibility for selection of these
programs for your purposes, and for the installation, use, and
results from use of these programs. This software is licensed to
you for use as follows :
1. You may use the programs on a single machine.
2. You may copy the programs for the sole purpose of backup
in support of their use on a single machine.
3. All copies made must include the copyright notice.
4. You may transfer the programs and license to another party
if the other party agrees to accept the terms and
conditions of this Agreement.
5. If you transfer the program you must, at the same time,
transfer all copies of the program or destroy any copies
not transferred.
6. YOU MAY NOT USE, COPY, OR TRANSFER THE PROGRAMS OR ANY
COPY IN WHOLE OR PART, EXCEPT AS EXPRESSLY PROVIDED FOR IN
THIS LICENSE. IF YOU TRANSFER POSSESSION OF ANY COPY
TO ANOTHER PARTY, YOUR LICENSE IS AUTOMATICALLY
TERMINATED.
7. This license shall be construed, interpreted, and governed
by the laws of the Province of Ontario and the Federal
Government of Canada as applied in the Province of
Ontario.
This license is effective until terminated. You may terminate the
license by destroying the programs together with all copies in
any form. This license will also be terminated if you fail to
comply with any term or condition of this license. You agree upon
such termination to return the programs together with all the
copies to Brian Risman Associates, and the purchaser shall be
liable for any and all
damages suffered as a result of the violation or default. You may
not sub-license, assign or transfer the programs or any rights
under this license to any third party except as permitted under
this license. Any attempt otherwise to sub-license, assign, or
transfer the programs or any rights under the license is void.
Limited Warranty
These programs are a product of Brian Risman Associates.
The programs contained in this package are provided "AS IS"
without warranty of any kind, either express or implied,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. The entire risk
related to the quality and performance of the programs is on you.
In the event there is any defect, you assume the entire cost of
all necessary servicing, repair or correction. Some states do not
allow the exclusion of implied warranties, so the above
exclusions may not apply to you. This warranty gives you specific
legal rights and you may also have other rights which vary from
state to state.
Brian Risman Associates does not warrant that the functions
contained within the programs will meet your requirements or that
the operation of the programs will be uninterrupted or error-
free. Brian Risman Associates warrants the diskettes on which the
programs are furnished to be free from defects in the materials
and workmanship under normal use for a period of thirty (30) days
from the date of delivery to you as evidenced by a copy of your
receipt. The entire liability of Brian Risman Associates and your
exclusive remedy shall be replacement of any diskette which does
not meet the Limited Warranty and which is returned to Brian
Risman Associates.
IN NO EVENT WILL BRIAN RISMAN ASSOCIATES BE LIABLE TO YOU FOR ANY
DAMAGES (INCLUDING ANY LOST PROFITS, LOST SAVINGS, OR OTHER
INCIDENTAL OR CONSEQUENTIAL DAMAGES EVEN IF BRIAN RISMAN
ASSOCIATES HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES)
OR FOR ANY CLAIM BY ANY OTHER PARTY. SOME STATES DO NOT ALLOW THE
LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES SO THE ABOVE LIMITATIONS OR EXCLUSION MAY
NOT APPLY TO YOU.
This agreement constitutes the complete and exclusive statement
of the terms of the agreement between you and Brian Risman
Associates. This agreement supersedes and replaces any previous
written or oral agreement and communications relating to this
software. No oral or written information or advice given by Brian
Risman Associates, its dealers, distributors, agents or employees
will create any warranty or in any way increase the scope of the
warranty provided in this agreement; you may not rely on any
information or advice.
System Requirements
1. IBM PC/XT/AT/386/486 or a compatible computer with a hard
disk with about 1 - 2 MB storage available.
2. MS-DOS version 5.0 or higher is required.
Overview
RISKIT 1.0 (TM) is a computer program that runs on the IBM PC and
true compatibles, and lets computer (EDP) auditors organize and
assess their analysis of the potential risks in one or more
computer installations.
RISKIT 1.0 (TM) is a tool for use by those (for example, EDP
auditors) who are engaged in the assessment of the risks facing
the EDP environment. Multiple studies, and sub-studies, can be
carried out at the same time on RISKIT 1.0 (TM).
What is Risk Management ?
As we all know, no one can predict the future.
Companies and other organizations are no different. The
management of uncertainty is possible only through a complete
analysis of the risks facing the organization.
The first step in risk management is the analysis and measurement
of the risks, called risk analysis.
Once the risks are analyzed and measured, the next step is to
control the risks by instituting an action plan containing
countermeasures. Please note that an action plan should be
simple and to the point, since when the plan is invoked, people
will only be able to carry out its high-level principles. Rarely
is a disaster so accommodating as to let a detailed plan be
executed without alteration.
RISKIT 1.0 (TM) seeks to aid in risk management.
The basis of RISKIT 1.0 (TM) is to carry out a STUDY on, for
example, the threat of Terrorism.
Within the STUDY, the SYSTEM to be examined is determined.
Typically, the SYSTEM refers to an area of an organization. For
an oil company, the areas may be Refining or Marketing. For a
Bank : Treasury, Investment Banking and Retail Banking may be
the areas considered SYSTEMs.
And within the SYSTEM, a SUB-SYSTEM -- a particular application
within one of the main lines of business -- can be studied. For
example, the accounts receivable package in the oil company's
Marketing SYSTEM may be subject to a Terrorism STUDY.
The Probability of an Event happening, and the Cost of the Impact
of the Event must be considered separately. An event may have a
low probability, but its cost may be so high that the firm may be
forced out of business. Therefore, an action plan of insurance,
for example, may be in order. Equally, an Event may have high
probability, but have little impact cost. Only a limited action
plan may be required.
Installation
RISKIT 1.0 (TM) is initially in compressed mode, in a file called
RISKIT10.EXE.
To decompress this file, type the following from the DOS prompt :
RISKIT10
RISKIT 1.0 (TM) will then decompress, placing the following files
on your disk in the directory you are currently using :
RISKIT.EXE - the executable code for the RISKIT 1.0 (TM)
application
RISKIT.TXT - the user manual that you are reading currently
RISKIT.DBF - the RISKIT 1.0 (TM) database.
General Commands
To start the application, from the DOS prompt type the
following :
RISKIT
On every screen, you can enter ESCape to return to the Main Menu.
On screens with Next Record and Exit options, you can only
enter "Y" or "N". The default for Next Record is "Y", and for
Exit "N" -- though at the logical end of browsing you will
exit back to the Main Menu.
System Diagram
The following diagram shows the flow of screens in RISKIT 1.0
(TM) :
-----------------------------------------------------------------
DOS prompt > RISKIT
      |
      v
   Main Menu
      |
      +----------------+----------------+----------------+
      |                |                |                |
      v                v                v                v
Main Sub-Menu     Browse All      Delete All         Quit
      |           Records         Records
      +---------+---------+---------+---------+
      |         |         |         |         |
      v         v         v         v         v
   Add      Modify    Delete    Print      Print
   Study    Study     Study     Risk       Summary
                                Estimate   Report
                                Detail
                                Sheet
-----------------------------------------------------------------
Main Menu
Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Main Menu .
. mm/dd/yyyy hh:mm:ss .
. .
. **** DATABASE ACTIVITY **** .
. Add Study .
. Modify Study .
. Delete Study .
. .
. **** PRINT/DISPLAY INFORMATION **** .
. Print Risk Estimate Detail Sheet .
. Print Summary Report .
. Browse All Studies .
. .
. **** DELETE ALL RECORDS **** .
. Delete All Records(Exclusive Control) .
. .
. **** EXIT **** .
. Quit .
-----------------------------------------------------------------
Description
On the Main Menu, options for Database Activity,
Printing/Displaying Information on the Database, Deleting all
records, or Exiting the application are selected.
Screen Options
Please note that only one of the options above can be selected
at a time.
The 'Add Study' option adds areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
The 'Modify Study' option modifies areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
The 'Delete Study' option deletes areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
The 'Print Risk Estimate Detail Sheet' option prints all areas of
POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM --
and within those criteria, different AREAS OF WEAKNESS and
POTENTIAL THREATS.
The 'Print Summary Report' option prints all areas of POTENTIAL
RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within
those criteria, different AREAS OF WEAKNESS and POTENTIAL
THREATS. Average values for the PROBABILITY OF EVENT and the
COST OF IMPACT are calculated.
The 'Browse All Studies' option displays all areas of POTENTIAL
RISK for every STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
The 'Delete All Records' option physically removes all records
from the database.
The 'Quit' option closes the application and returns to DOS.
Main Sub-Menu
Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Main Sub-Menu .
. mm/dd/yyyy hh:mm:ss .
. .
. Please enter the following information : .
. .
. Study : .
. .
. System : .
. .
. Sub-System : .
-----------------------------------------------------------------
Description
On the Main Sub-Menu, the area of STUDY, the SYSTEM name, and the
SUB-SYSTEM being targeted are selected. All three fields are
mandatory.
Screen Options
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to
the main lines of business. For an oil company, this would
typically be Refining and Marketing; for a Bank, it may be
Treasury, Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
Add Study
Description
The 'Add Study' option adds areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
FIRST, the selection of the 'Add Study' option on the Main Menu
is made. Please see the Main Menu section for further
information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY,
the SYSTEM name, and the SUB-SYSTEM being targeted are selected.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to
the main lines of business. For an oil company, this would
typically be Refining and Marketing; for a Bank, it may be
Treasury, Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This
menu focuses on the potential areas of weakness, such as the
data, software or hardware.
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. On
this Menu, only one selection can be made for each physical entry
into Add Study, but different AREAS OF WEAKNESS can be selected
at different physical entries into the Add Study option.
FOURTH, the entry of data for the potential risk -- the actual
information added to the RISKIT 1.0 (TM) database -- is
performed.
The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having
been entered in the Main Sub-Menu referred to above.
The TOPIC and SUB-TOPIC are first entered.
The TOPIC would typically cover the group representing a threat
-- for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF the EVENT is next examined. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field asks: what is the likelihood that the
event will occur? Following it is the description explaining WHY
that probability level was chosen, followed by the corrective
action to be taken, if any.
Finally, the COST OF the IMPACT of the event -- independent of
the probability of the event happening -- is input in a method
identical with that of the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to add the record -- or
ESCape to cancel record addition and return to the Main Menu.
Please note that ESCape can be entered at any time in the Data
Entry screen to exit back to the Main Menu.
Add Study
Area of Weakness Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Add Study .
. mm/dd/yyyy hh:mm:ss .
. .
. Data .
. Software .
. Hardware .
. Facilities .
. Media & Supplies .
. People .
. Communications .
. Other .
. Return .
-----------------------------------------------------------------
Description
AREAS OF WEAKNESS are inherent characteristics of a system that
could let a threat act upon an asset, causing a harmful
event. THREATS capitalize upon these AREAS OF WEAKNESS to breach
safeguards and cause a loss.
Complex systems are more likely to have greater AREAS OF WEAKNESS
than simple systems, due to the presence of more exposures not
covered by existing security procedures.
Please note that while only one AREA OF WEAKNESS can be selected
at a time, there is no reason that a user cannot enter 'Add
Study' several times to enter different AREAS OF WEAKNESS.
Screen Options
The following assets or corporate elements must be examined :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
OTHER
Other areas of weakness that you might want to add.
RETURN
Return to Main Menu.
Add Study
Potential Area of Threat Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Add Study - area of weakness .
. mm/dd/yyyy hh:mm:ss .
. .
. Natural Hazards .
. Equipment Failure .
. Human Error .
. Theft .
. Fraud .
. Malice .
. Strategic Attack .
. Other .
. Return .
-----------------------------------------------------------------
Description
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS arise from HUMAN ERROR (affecting
procedures, programs and systems software), from EQUIPMENT
FAILURE (of computer or support equipment), or from NATURAL
HAZARDS -- storms, power loss, earthquakes, flooding, water
damage, and fire.
Please note that while only one THREAT can be entered at a time,
there is no reason that further THREATS cannot be entered in
subsequent 'Add Study' entries.
Screen Options
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
Add Study
Add Study Case Input Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Add Study - area of weakness - threat .
. mm/dd/yyyy hh:mm:ss .
. Press ESC to cancel addition .
. .
. Study : .
. System : .
. Sub-System : .
. Topic : .
. Sub-Topic : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Event Probability Description : .
. Action to be Taken : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact Description : .
. Action to be Taken : .
-----------------------------------------------------------------
Description
In this panel, the details for a particular THREAT to an AREA OF
WEAKNESS are entered.
Screen Options
The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having
been entered in the Main Sub-Menu referred to above.
The TOPIC and SUB-TOPIC are first entered.
The TOPIC would typically cover the group representing a threat
-- for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF the EVENT is next examined. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field asks: what is the likelihood that the
event will occur? Following it is the description explaining WHY
that probability level was chosen, followed by the corrective
action to be taken, if any.
Finally, the COST OF the IMPACT of the event -- independent of
the probability of the event happening -- is input in a method
identical with that of the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to add the record -- or
ESCape to cancel record addition and return to the Main Menu.
Please note that ESCape can be entered at any time in the Data
Entry screen to exit back to the Main Menu.
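As an added illustration (not RISKIT's own code; the manual does not describe the RISKIT.DBF layout), the following Python models the case record entered on this screen and two things the manual describes elsewhere: the per-STUDY/SYSTEM/SUB-SYSTEM averages that the 'Print Summary Report' option calculates, and the Overview's rule that PROBABILITY OF EVENT and COST OF IMPACT are judged separately before deciding on an action plan. The band cut-points between Low, Medium and High, and the sample cases, are assumptions constructed for the example.

```python
"""Model of a RISKIT-style study record and its summary report.

Added illustration of the data model described in the RISKIT 1.0 manual;
it is not RISKIT's own code.  Sample records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Menu vocabularies exactly as listed on the Add Study selection screens.
AREAS_OF_WEAKNESS = {"Data", "Software", "Hardware", "Facilities",
                     "Media & Supplies", "People", "Communications", "Other"}
THREATS = {"Natural Hazards", "Equipment Failure", "Human Error",
           "Theft", "Fraud", "Malice", "Strategic Attack", "Other"}


def validate_score(value, default=0):
    """Probability of Event and Cost of Impact are entered as 0..99;
    a blank field takes the default of 0.  Anything else is rejected."""
    if value is None or value == "":
        return default
    n = int(value)
    if not 0 <= n <= 99:
        raise ValueError(f"score must be between 0 and 99, got {n}")
    return n


def band(score):
    """Map a 0..99 score onto the Low/Medium/High labels shown on the
    input screen (00:Low; 50:Medium; 99:High).  The cut-points 34 and 67
    are an assumption; the manual only labels the three anchor values."""
    if score < 34:
        return "Low"
    if score < 67:
        return "Medium"
    return "High"


@dataclass
class RiskCase:
    study: str
    system: str
    sub_system: str
    area_of_weakness: str
    threat: str
    topic: str
    sub_topic: str
    probability: int          # Probability of Event, 0..99
    cost: int                 # Cost of Impact, 0..99, judged independently
    probability_reason: str = ""
    probability_action: str = ""
    cost_reason: str = ""
    cost_action: str = ""

    def __post_init__(self):
        if self.area_of_weakness not in AREAS_OF_WEAKNESS:
            raise ValueError(f"unknown area of weakness: {self.area_of_weakness}")
        if self.threat not in THREATS:
            raise ValueError(f"unknown threat: {self.threat}")
        self.probability = validate_score(self.probability)
        self.cost = validate_score(self.cost)


def suggested_plan(case):
    """The manual's reasoning: probability and cost are weighed separately,
    so a rare but ruinous event may still call for insurance, while a
    frequent but cheap one needs only a limited action plan."""
    p, c = band(case.probability), band(case.cost)
    if c == "High" and p == "Low":
        return "transfer the risk (e.g. insurance); rare but survival-level impact"
    if c == "High":
        return "full countermeasure plan; high impact and not rare"
    if p == "High":
        return "limited action plan; frequent but low impact"
    return "accept or monitor"


def summary_report(cases):
    """Per STUDY/SYSTEM/SUB-SYSTEM averages of Probability of Event and
    Cost of Impact, as the 'Print Summary Report' option describes."""
    groups = defaultdict(list)
    for case in cases:
        groups[(case.study, case.system, case.sub_system)].append(case)
    return {key: {"cases": len(group),
                  "avg_probability": mean(c.probability for c in group),
                  "avg_cost": mean(c.cost for c in group)}
            for key, group in groups.items()}


# Constructed sample study, following the manual's oil-company example.
SAMPLE = [
    RiskCase("Terrorism", "Marketing", "Accounts Receivable", "Data",
             "Strategic Attack", "organized group", "records destroyed", 5, 95),
    RiskCase("Terrorism", "Marketing", "Accounts Receivable", "Software",
             "Malice", "computer hackers", "password breaking", 60, 40),
    RiskCase("Terrorism", "Marketing", "Accounts Receivable", "People",
             "Human Error", "operators", "mis-keyed batch", 90, 10),
    RiskCase("Snowstorms", "Refining", "Plant Control", "Facilities",
             "Natural Hazards", "weather", "power loss", "70", "70"),
]

if __name__ == "__main__":
    for key, row in summary_report(SAMPLE).items():
        print(key, row)
    for case in SAMPLE:
        print(case.topic, "/", case.sub_topic, "->", suggested_plan(case))
```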
Modify Study
Description
The 'Modify Study' option modifies areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
FIRST, the selection of the 'Modify Study' option on the Main
Menu is made. Please see the Main Menu section for further
information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY,
the SYSTEM name, and the SUB-SYSTEM being targeted are selected.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to
the main lines of business. For an oil company, this would
typically be Refining and Marketing; for a Bank, it may be
Treasury, Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This
menu focuses on the potential areas of weakness, such as the
data, software or hardware.
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. On
this Menu, only one selection can be made for each physical entry
into 'Modify Study', but different AREAS OF WEAKNESS can be
selected at different physical entries into the Modify Study
option.
FOURTH, the modification of data for the potential risk -- the
actual information added to the RISKIT 1.0 (TM) database -- is
performed.
The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having
been entered in the Main Sub-Menu referred to above.
The TOPIC and SUB-TOPIC are first entered.
The TOPIC would typically cover the group representing a threat
-- for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF the EVENT is next examined. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field asks: what is the likelihood that the
event will occur? Following it is the description explaining WHY
that probability level was chosen, followed by the corrective
action to be taken, if any.
Finally, the COST OF the IMPACT of the event -- independent of
the probability of the event happening -- is input in a method
identical with that of the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to modify the record --
or ESCape to cancel record modification and return to the Main
Menu. Please note that ESCape can be entered at any time in the
Data Entry screen to exit back to the Main Menu.
Modify Study
Area of Weakness Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Modify Study .
. mm/dd/yyyy hh:mm:ss .
. .
. Data .
. Software .
. Hardware .
. Facilities .
. Media & Supplies .
. People .
. Communications .
. Other .
. Return .
-----------------------------------------------------------------
Description
AREAS OF WEAKNESS are inherent characteristics of a system that
could let a threat act upon an asset, causing a harmful
event. THREATS capitalize upon these AREAS OF WEAKNESS to breach
safeguards and cause a loss.
Complex systems are more likely to have greater AREAS OF WEAKNESS
than simple systems, due to the presence of more exposures not
covered by existing security procedures.
Please note that while only one AREA OF WEAKNESS can be selected
at a time, there is no reason that a user cannot enter 'Modify
Study' several times to modify different AREAS OF WEAKNESS.
Screen Options
The following assets or corporate elements must be examined :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
OTHER
Other areas of weakness that you might want to modify.
RETURN
Return to Main Menu.
Modify Study
Potential Area of Threat Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Modify Study - area of weakness .
. mm/dd/yyyy hh:mm:ss .
. .
. Natural Hazards .
. Equipment Failure .
. Human Error .
. Theft .
. Fraud .
. Malice .
. Strategic Attack .
. Other .
. Return .
-----------------------------------------------------------------
Description
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS arise from HUMAN ERROR (affecting
procedures, programs and systems software), from EQUIPMENT
FAILURE (of computer or support equipment), or from NATURAL
HAZARDS -- storms, power loss, earthquakes, flooding, water
damage, and fire.
Please note that while only one THREAT can be modified at a time,
there is no reason that more THREATs cannot be modified in
subsequent 'Modify Study' entries.
Screen Options
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
Modify Study
Modify Study Case Input Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Modify Study - area of weakness - threat .
. mm/dd/yyyy hh:mm:ss .
. Press ESC to cancel modification .
. Next Record ? : .
. Exit ? : .
. .
. Study : .
. System : .
. Sub-System : .
. Topic : .
. Sub-Topic : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Event Probability Description : .
. Action to be Taken : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact Description : .
. Action to be Taken : .
-----------------------------------------------------------------
Description
In this panel, the details for a particular THREAT to an AREA OF
WEAKNESS are modified.
Screen Options
The STUDY, SYSTEM, and SUB-SYSTEM fields are PROTECTED, having
been entered in the Main Sub-Menu referred to above.
The TOPIC and SUB-TOPIC are first entered.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field records how likely it is that the event
will occur. It is followed by the description explaining WHY that
probability level was chosen, and then by the corrective action to
be taken, if any.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is input in the same way as
the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to modify the record --
or ESCape to cancel record modification and return to the Main
Menu.
Please note that ESCape can be entered at any time in the Data
Entry screen to exit back to the Main Menu.
Delete Study
Description
The 'Delete Study' option deletes areas of POTENTIAL RISK for a
particular STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
FIRST, the selection of the 'Delete Study' option on the Main
Menu is made. Please see the Main Menu section for further
information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY,
the SYSTEM name, and the SUB-SYSTEM being targeted are selected.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to its
main lines of business. For an oil company, this would typically
be Refining and Marketing; for a Bank, it may be Treasury,
Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
THIRD, the AREAS OF WEAKNESS Selection Menu is displayed. This
menu focuses on the potential areas of weakness, such as the
data, software or hardware.
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. On
this Menu, only one selection can be made for each physical entry
into Delete Study, but different AREAS OF WEAKNESS can be
selected at different physical entries into the Delete Study
option.
FOURTH, the deletion of data for the potential risk -- the actual
information added to the RISKIT 1.0 (TM) database -- is
performed.
All fields are PROTECTED.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field records how likely it is that the event
will occur. It is followed by the description explaining WHY that
probability level was chosen, and then by the corrective action to
be taken, if any.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is viewed in the same way as
the PROBABILITY OF EVENT shown above.
After this field is entered, press ENTER to delete the record --
or ESCape to cancel record deletion and return to the Main Menu.
Please note that ESCape can be entered at any time in the Data
Entry screen to exit back to the Main Menu.
Delete Study
Area of Weakness Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Delete Study .
. mm/dd/yyyy hh:mm:ss .
. .
. Data .
. Software .
. Hardware .
. Facilities .
. Media & Supplies .
. People .
. Communications .
. Other .
. Return .
-----------------------------------------------------------------
Description
AREAS OF WEAKNESS are inherent characteristics of a system that
could let a threat act upon an asset, causing a harmful
event. THREATS capitalize upon these AREAS OF WEAKNESS to breach
safeguards and cause a loss.
Complex systems are more likely to have greater AREAS OF WEAKNESS
than simple systems, due to the presence of more exposures not
covered by existing security procedures.
Please note that while only one AREA OF WEAKNESS can be deleted
at a time, there is no reason that a user cannot enter 'Delete
Study' several times to select different AREAS OF WEAKNESS.
Screen Options
The following assets or corporate elements must be examined :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
OTHER
Other areas of weakness that you might want to delete.
RETURN
Return to Main Menu.
Delete Study
Potential Area of Threat Selection Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Delete Study - area of weakness .
. mm/dd/yyyy hh:mm:ss .
. .
. Natural Hazards .
. Equipment Failure .
. Human Error .
. Theft .
. Fraud .
. Malice .
. Strategic Attack .
. Other .
. Return .
-----------------------------------------------------------------
Description
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS may occur as a result of HUMAN ERROR
precipitating threats involving procedures, programs, systems
software, and also EQUIPMENT FAILURE encompassing computer or
support equipment. Alternatively, NATURAL HAZARDS may also occur
-- storms, power loss, earthquakes, flooding, water damage, and
fire.
Please note that while only one THREAT can be deleted at a time,
there is no reason that more THREATs cannot be deleted in
subsequent 'Delete Study' entries.
Screen Options
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
Delete Study
Delete Study Case Input Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Delete Study - area of weakness - threat .
. mm/dd/yyyy hh:mm:ss .
. Press ESC to cancel deletion .
. Next Record ? : .
. Exit ? : .
. .
. Study : .
. System : .
. Sub-System : .
. Topic : .
. Sub-Topic : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Event Probability Description : .
. Action to be Taken : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact Description : .
. Action to be Taken : .
-----------------------------------------------------------------
Description
In this panel, the details for a particular THREAT to an AREA OF
WEAKNESS are deleted.
Screen Options
All fields are PROTECTED, having been entered in the Main Sub-
Menu referred to above.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field records how likely it is that the event
will occur. It is followed by the description explaining WHY that
probability level was chosen, and then by the corrective action to
be taken, if any.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is reviewed in the same way
as the PROBABILITY OF EVENT shown above.
After this field is reviewed, press ENTER to delete the record --
or ESCape to cancel record deletion and return to the Main Menu.
Please note that ESCape can be entered at any time in the Data
Entry screen to exit back to the Main Menu.
Print Risk Estimate Detail Sheet
Description
The 'Print Risk Estimate Detail Sheet' option prints all areas of
POTENTIAL RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM --
and within those criteria, different AREAS OF WEAKNESS and
POTENTIAL THREATS.
FIRST, the selection of the 'Print Risk Estimate Detail Sheet'
option on the Main Menu is made. Please see the Main Menu section
for further information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY,
the SYSTEM name, and the SUB-SYSTEM being targeted are selected.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to its
main lines of business. For an oil company, this would typically
be Refining and Marketing; for a Bank, it may be Treasury,
Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
Finally, the reports are printed. Information on the fields is
presented below. At the time of printing, a message stating that
the report is currently printing appears on the screen.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. AREAS
OF WEAKNESS are inherent characteristics of a system that could
let a threat act upon an asset, causing a harmful event. THREATS
capitalize upon these AREAS OF WEAKNESS to breach safeguards and
cause a loss. Complex systems are more likely to have greater
AREAS OF WEAKNESS than simple systems, due to the presence of more
exposures not covered by existing security procedures.
AREAS OF WEAKNESS include the following :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS may occur as a result of HUMAN ERROR
precipitating threats involving procedures, programs, systems
software, and also EQUIPMENT FAILURE encompassing computer or
support equipment. Alternatively, NATURAL HAZARDS may also occur
-- storms, power loss, earthquakes, flooding, water damage, and
fire.
THREATS include the following :
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
Print Risk Estimate Detail Sheet
Report Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Risk Estimate Detail Sheet .
. mm/dd/yyyy hh:mm:ss .
. .
. .
. Study : .
. System : .
. Sub-System : .
. Topic : .
. Sub-Topic : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Event Probability Description : .
. Action to be Taken : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact Description : .
. Action to be Taken : .
-----------------------------------------------------------------
Description
In this report, the details for a particular THREAT to an AREA OF
WEAKNESS are printed.
Screen Options
ALL fields are PROTECTED.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field records how likely it is that the event
will occur. It is followed by the description explaining WHY that
probability level was chosen, and then by the corrective action to
be taken, if any.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is reviewed in the same way
as the PROBABILITY OF EVENT shown above.
Print Summary Report
Description
The 'Print Summary Report' option prints all areas of POTENTIAL
RISK for a particular STUDY, SYSTEM, and SUB-SYSTEM -- and within
those criteria, different AREAS OF WEAKNESS and POTENTIAL
THREATS. Average values for the PROBABILITY OF EVENT and the
COST OF IMPACT are calculated.
FIRST, the selection of the 'Print Summary Report' option on the
Main Menu is made. Please see the Main Menu section for further
information.
SECOND, the Main Sub-Menu is displayed, where the area of STUDY,
the SYSTEM name, and the SUB-SYSTEM being targeted are selected.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to its
main lines of business. For an oil company, this would typically
be Refining and Marketing; for a Bank, it may be Treasury,
Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank. For more information, please see
the Main Sub-Menu section.
Finally, the reports are printed. Information on the fields is
presented below. At the time of printing, a message stating that
the report is currently printing appears on the screen.
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. AREAS
OF WEAKNESS are inherent characteristics of a system that could
let a threat act upon an asset, causing a harmful event. THREATS
capitalize upon these AREAS OF WEAKNESS to breach safeguards and
cause a loss. Complex systems are more likely to have greater
AREAS OF WEAKNESS than simple systems, due to the presence of more
exposures not covered by existing security procedures.
AREAS OF WEAKNESS include the following :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS may occur as a result of HUMAN ERROR
precipitating threats involving procedures, programs, systems
software, and also EQUIPMENT FAILURE encompassing computer or
support equipment. Alternatively, NATURAL HAZARDS may also occur
-- storms, power loss, earthquakes, flooding, water damage, and
fire.
THREATS include the following :
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
The average PROBABILITY OF EVENT and the average COST OF IMPACT
are then printed.
Print Summary Report
Report Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Summary Report .
. mm/dd/yyyy hh:mm:ss .
. .
. .
. Study : .
. System : .
. Sub-System : .
. Weakness : .
. Threat : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
-----------------------------------------------------------------
Description
In this report, the average values for a particular THREAT to an
AREA OF WEAKNESS are printed.
Screen Options
ALL fields are PROTECTED.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. Values between 0 and
99 are averaged (0 is the default, implying zero probability).
This field records how likely it is that the event will occur.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is averaged in the same way
as the PROBABILITY OF EVENT shown above.
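The 0-99 rating scale used on the Add, Modify and Delete Study case-input screens, and the per-weakness/threat averaging that the Summary Report prints, worked through as an added example in Python. This is not RISKIT's own code: the record fields, the function names and the sample records are assumptions made for illustration, and the sample records are constructed rather than taken from the manual.

```python
"""Toy model of the RISKIT record layout described in this manual.

Added example, not RISKIT's own code: it keeps one record per
STUDY / SYSTEM / SUB-SYSTEM / AREA OF WEAKNESS / THREAT / TOPIC /
SUB-TOPIC, enforces the 0-99 rating scale of the case-input screens,
and computes the per-weakness/threat averages the Summary Report
prints. Field names, function names and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Rating scale shown on the case-input screens: 00 Low, 50 Medium, 99 High.
RATING_MIN, RATING_MAX, RATING_DEFAULT = 0, 99, 0

# Threat categories as the manual groups them.
INTENTIONAL_THREATS = {"Theft", "Fraud", "Malice", "Strategic Attack"}
PROBABILISTIC_THREATS = {"Natural Hazards", "Equipment Failure", "Human Error"}


def is_valid_rating(value) -> bool:
    """True when value is an integer (or numeric string) within 0-99."""
    try:
        return RATING_MIN <= int(value) <= RATING_MAX
    except (TypeError, ValueError):
        return False


def check_rating(value) -> int:
    """Apply the screen's rule: a blank entry takes the default of 0,
    anything else must be an integer in the 0-99 range."""
    if value is None or value == "":
        return RATING_DEFAULT
    if not is_valid_rating(value):
        raise ValueError(f"rating {value!r} is not in {RATING_MIN}-{RATING_MAX}")
    return int(value)


def threat_category(threat: str) -> str:
    """Intentional, probabilistic, or 'other' per the manual's grouping."""
    if threat in INTENTIONAL_THREATS:
        return "intentional"
    if threat in PROBABILISTIC_THREATS:
        return "probabilistic"
    return "other"


@dataclass(frozen=True)
class RiskRecord:
    study: str
    system: str
    sub_system: str
    weakness: str      # AREA OF WEAKNESS, e.g. "Data"
    threat: str        # THREAT, e.g. "Theft"
    topic: str         # group representing the threat
    sub_topic: str     # potential action by that group
    probability: int   # PROBABILITY OF EVENT, 0-99
    cost: int          # COST OF IMPACT, 0-99, independent of probability


def make_record(study, system, sub_system, weakness, threat,
                topic, sub_topic, probability=None, cost=None) -> RiskRecord:
    """Build a record, validating both ratings as the input screen would."""
    return RiskRecord(study, system, sub_system, weakness, threat, topic,
                      sub_topic, check_rating(probability), check_rating(cost))


def summary_report(records, study, system, sub_system):
    """Average PROBABILITY OF EVENT and COST OF IMPACT for each
    (weakness, threat) pair within one STUDY/SYSTEM/SUB-SYSTEM, which is
    what the Summary Report layout lists. Returns {} when nothing matches."""
    groups = defaultdict(list)
    for r in records:
        if (r.study, r.system, r.sub_system) == (study, system, sub_system):
            groups[(r.weakness, r.threat)].append(r)
    return {
        key: (sum(r.probability for r in rs) / len(rs),
              sum(r.cost for r in rs) / len(rs))
        for key, rs in sorted(groups.items())
    }


# Constructed sample records (not taken from the manual).
SAMPLE_RECORDS = [
    make_record("Vandalism", "Retail Banking", "Traders Information System",
                "Data", "Theft", "computer hackers", "password breaking", 50, 99),
    make_record("Vandalism", "Retail Banking", "Traders Information System",
                "Data", "Theft", "disgruntled employee", "removal of tapes", 20, 60),
    make_record("Vandalism", "Retail Banking", "Traders Information System",
                "Hardware", "Natural Hazards", "flooding", "water damage", 10, 99),
    # A blank probability takes the screen default of 0.
    make_record("Vandalism", "Retail Banking", "Traders Information System",
                "Hardware", "Equipment Failure", "disk drive", "head crash", None, 50),
]

if __name__ == "__main__":
    for (weakness, threat), (p, c) in summary_report(
            SAMPLE_RECORDS, "Vandalism", "Retail Banking",
            "Traders Information System").items():
        print(f"{weakness:<10} {threat:<18} {threat_category(threat):<14} "
              f"avg probability {p:5.1f}  avg cost {c:5.1f}")
```

Because the summary averages only over records that belong to the selected STUDY, SYSTEM and SUB-SYSTEM, a selection with no records yields an empty report rather than a division by zero, and a blank rating is stored as the screen default of 0 and so pulls the average down, which is worth knowing when reading a low average.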
Browse All Studies
Description
The 'Browse All Studies' option displays all areas of POTENTIAL
RISK for every STUDY, SYSTEM, and SUB-SYSTEM -- and within those
criteria, different AREAS OF WEAKNESS and POTENTIAL THREATS.
FIRST, the selection of the 'Browse All Studies' option on the
Main Menu is made. Please see the Main Menu section for further
information.
The information on the database is then displayed.
Areas of STUDY may include Vandalism, Terrorism, Earthquakes,
Tornadoes, or Snowstorms.
SYSTEM name refers to the area of the organization related to its
main lines of business. For an oil company, this would typically
be Refining and Marketing; for a Bank, it may be Treasury,
Investment Banking and Retail Banking.
SUB-SYSTEM name refers to the particular business applications
within the main lines of business -- for example, the accounts
receivable system in the Marketing area, or the Traders
Information System in a Bank.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
AREAS OF WEAKNESS can be distinguished from the potential threats
in that the former is passive and should be protected, while
the latter is active and affects the former by its actions. AREAS
OF WEAKNESS are inherent characteristics of a system that could
let a threat act upon an asset, causing a harmful event. THREATS
capitalize upon these AREAS OF WEAKNESS to breach safeguards and
cause a loss. Complex systems are more likely to have greater
AREAS OF WEAKNESS than simple systems, due to the presence of more
exposures not covered by existing security procedures.
AREAS OF WEAKNESS include the following :
DATA
These assets may be on storage media, input forms, or output
listings.
SOFTWARE
Software assets generally exceed hardware in value, and consist
of both system and application programs.
HARDWARE
These assets include terminals, computers, and associated
equipment.
FACILITIES
These are the physical entities of the environment, such as
security alarms, utility back-ups, and real property.
MEDIA & SUPPLIES
Stocks of blank forms, tapes and paper are examples of media
assets.
PEOPLE
Any of the stakeholders in the organization -- for example,
employees, managers, executives, shareholders, government or
even the public.
COMMUNICATIONS
Corporate network and internal data processing links are examples
of communications.
A THREAT is an aspect of the environment that, when given an
opportunity, can cause a harmful event (a partial or complete loss
of a corporate asset) by acting upon an asset.
THREATS fall into two main categories -- intentional and
probabilistic.
Intentional THREATS are performed by people seeking to harm the
organization by stealing or disrupting assets. THEFT, FRAUD,
MALICE, and STRATEGIC ATTACK fall into this category.
Probabilistic THREATS may occur as a result of HUMAN ERROR
precipitating threats involving procedures, programs, systems
software, and also EQUIPMENT FAILURE encompassing computer or
support equipment. Alternatively, NATURAL HAZARDS may also occur
-- storms, power loss, earthquakes, flooding, water damage, and
fire.
THREATS include the following :
NATURAL HAZARDS are probabilistic events such as hurricanes,
floods, mud slides, or cold weather that can have a harmful effect
on an AREA OF WEAKNESS.
EQUIPMENT FAILURE covers probabilistic events such as hardware
failures or sabotage. Damage to a mainframe by a disgruntled
employee is an example of a harmful effect to an AREA OF
WEAKNESS.
HUMAN ERROR is yet another probabilistic event that covers
mistakes made by staff or others (for example, external
consultants or vendors) adversely affecting an AREA OF WEAKNESS.
THEFT is, on the other hand, an intentional event aimed at
harming the organization through its AREA OF WEAKNESS. THEFT is
defined as the act or crime of stealing.
FRAUD is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. FRAUD is defined as an
act or instance of deception or trickery.
MALICE is also an intentional event aimed at harming the
organization through its AREA OF WEAKNESS. MALICE is defined as a
wilfully formed event designed to do another an injury.
STRATEGIC ATTACK is a more organized, broad-based assault by
usually more than one person on the organization through its
AREA OF WEAKNESS.
Browse All Records
Screen Layout
-----------------------------------------------------------------
. RISKIT 1.0 TM (C) Copyright 1994 Brian Risman Associates .
. Browse All Records .
. mm/dd/yyyy hh:mm:ss .
. Press ESC to exit .
. Next Record ? : .
. Exit ? : .
. .
. Study : .
. System : .
. Sub-System : .
. Topic : .
. Sub-Topic : .
. Probability of Event .
. (00:Low; 50:Medium; 99:High) : .
. Event Probability Description : .
. Action to be Taken : .
. Cost of Impact .
. (00:Low; 50:Medium; 99:High) : .
. Cost of Impact Description : .
. Action to be Taken : .
-----------------------------------------------------------------
Description
In this report, the details for a particular THREAT to an AREA OF
WEAKNESS are printed.
Screen Options
ALL fields are PROTECTED.
The TOPIC would typically cover the group representing a threat --
for example, computer hackers.
The SUB-TOPIC would typically cover potential actions by the
TOPIC -- for example, password breaking (SUB-TOPIC) by computer
hackers (TOPIC).
The PROBABILITY OF EVENT is examined next. A value between 0
and 99 should be entered (0 is the default, implying zero
probability). This field records how likely it is that the event
will occur. It is followed by the description explaining WHY that
probability level was chosen, and then by the corrective action to
be taken, if any.
Finally, the COST OF IMPACT of the event -- independent of the
probability of the event happening -- is reviewed in the same way
as the PROBABILITY OF EVENT shown above.
Delete All Records (Exclusive Control)
Description
The 'Delete All Records' option physically removes all records
from the database.
Please note that exclusive control of the database is required
for this function to operate.
No screens are displayed, but the Main Menu is re-displayed after
the completion of the operation.
Quit
Description
The 'Quit' option closes the application and returns to DOS.
Index
Add Study
Description . . . . . . . . . . . . . . . . . . . . . . . 16
Commands
general . . . . . . . . . . . . . . . . . . . . . . . . . 11
Description
Add Study . . . . . . . . . . . . . . . . . . . . . . . . 16
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . . 15
Installation . . . . . . . . . . . . . . . . . . . . . . . . . 10
License Agreement . . . . . . . . . . . . . . . . . . . . . . 5
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Description . . . . . . . . . . . . . . . . . . . . . . . 13
Screen Layout . . . . . . . . . . . . . . . . . . . . . . 13
Screen Options . . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu
Description . . . . . . . . . . . . . . . . . . . . . . . 15
Screen Layout . . . . . . . . . . . . . . . . . . . . . . 15
Screen Options . . . . . . . . . . . . . . . . . . . . . 15
Order Form . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Risk management
definition . . . . . . . . . . . . . . . . . . . . . . . 9
Screen Layout
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . . 15
Screen Options
Main Menu . . . . . . . . . . . . . . . . . . . . . . . . 13
Main Sub-Menu . . . . . . . . . . . . . . . . . . . . . . 15
System Diagram . . . . . . . . . . . . . . . . . . . . . . . . 12
System Requirements . . . . . . . . . . . . . . . . . . . . . 7
Warranty, limited
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 6