Lec 1 - IS - Intro
Mahwish Shahid
Email: Mahwish.shahid@ucp.edu.pk
Office: Sports Building (GYM Faculty), 2nd floor, Cabin 13, FOIT
Policies and Guidelines
No usage of cellphones in the class!
Attendance Policy/Late Policy
Quiz Policy
Mostly announced and 4-6 Quizzes
Assignments
Mostly group based assignments
Group strength 5-6 students
4 Assignments
Plagiarism/AI results in Zero (0)
Class Participation
Class exercises (No retake)
Good Practices
Be on time in class
Be regular (do not miss a single class)
Start assignments on time
Do not miss any assignment or quiz
Come up with good questions (ask in class/after class)
Visit during office hours to discuss your problems/assignments
Bad Practices
Excuses
Coming late in class (remember: quiz will be in first 15 min of class)
Coming to class without pen and notebook
Asking for leaves --- Teacher has no authority to grant leaves.
Manage your 6 absents as emergency leaves, or request HoD/Dean for extra leaves.
Requesting to increase marks
Coming to class without reading the required text/notes
Copying / plagiarism
Asking to extend the deadline
Using mobile phones in class or cross-talk in class
“There is no alternative to hard work!”
Learning Outcomes
CLO 1: Identify and comprehend basic terms, technologies and concepts of information security. Bloom's Taxonomy Level: 2. PLO: PLO 1 - Academic Education.
CLO 2: Investigate and analyze real situations from the information security point of view and model them using various security control measures. Bloom's Taxonomy Level: 4. PLO: PLO 3 - Problem Analysis.
DIKIW - MODEL
The DIKIW model is a framework that describes the relationship between data, information, knowledge, intelligence, and wisdom.
The model suggests that data is the most basic form of information, which is then processed and contextualized to form knowledge.
Intelligence is the ability to use knowledge to solve problems or make decisions, while wisdom is the ability to apply intelligence to achieve long-term goals and benefits.
The DIKIW model is often used in information management and knowledge management to help organizations manage and leverage their data, information, and knowledge assets.
Example:
• Data: Login attempts at different times.
• Information: Multiple failed login attempts.
• Knowledge: These are coming from different IPs, indicating a possible brute force attack.
• Wisdom: Implement multi-factor authentication to enhance security.
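As an added illustration (example code written for these notes, not part of the lecture), the login-attempt example above implemented as a small Python script: each function corresponds to one layer of the model, from raw log lines (data) to a per-user failure count (information), to the set of distinct source IPs behind those failures (knowledge), to a recommendation (wisdom). The log lines, the sshd-style line format and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the lecture): an sshd-style auth log.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:03 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:04 sshd: Accepted password for bob from 192.0.2.9
2024-03-01T09:00:06 sshd: Failed password for alice from 203.0.113.88
2024-03-01T09:00:07 sshd: Failed password for alice from 198.51.100.23
2024-03-01T09:00:09 sshd: Failed password for alice from 203.0.113.5
2024-03-01T09:00:10 sshd: Failed password for carol from 192.0.2.44
"""

# Assumed line format; a real deployment would use the parser for its own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(log_text):
    """Data layer: raw lines become structured login-attempt records."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_counts(events):
    """Information layer: number of failed attempts per user."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def source_ips(events):
    """Knowledge layer: distinct source IPs behind each user's failures."""
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            ips[e["user"]].add(e["ip"])
    return ips


def assess(log_text, fail_threshold=3, ip_threshold=2):
    """Wisdom layer: turn the knowledge into a verdict and an action per user.

    A user with at least fail_threshold failures spread over at least
    ip_threshold distinct IPs is flagged as a possible brute-force target.
    Thresholds are assumptions for this example.
    """
    events = parse_events(log_text)
    fails = failed_counts(events)
    ips = source_ips(events)
    findings = {}
    for user, n in fails.items():
        if n >= fail_threshold and len(ips[user]) >= ip_threshold:
            findings[user] = {
                "failed": n,
                "ips": sorted(ips[user]),
                "verdict": "possible brute force attack",
                "action": "implement multi-factor authentication",
            }
    return findings


if __name__ == "__main__":
    for user, f in assess(SAMPLE_LOG).items():
        print(f"{user}: {f['failed']} failures from {len(f['ips'])} IPs -> "
              f"{f['verdict']}; {f['action']}")
```

Running the script flags only alice (five failures from four different addresses); carol's single failure and bob's successful login stay below the thresholds, which is the difference between "data" and "information" the slide is pointing at.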
WHAT IS AN ASSET?
Threat Agent:
The entity that causes a threat to happen.
Example: An intruder in a system, malware, nature.
WHAT IS A VULNERABILITY?
Exposure Factor and Impact are two terms that are commonly used in
the field of risk management.
Exposure Factor refers to the percentage of loss that an asset may
experience due to a specific threat.
In other words, it represents the potential damage that a threat can cause
to an asset.
This percentage is usually estimated based on the asset's value, the
likelihood of the threat occurring, and the vulnerability of the asset to
the threat.
EXPOSURE FACTOR AND IMPACT (Cont.)
Impact, on the other hand, refers to the extent of damage that a threat can cause.
It takes into account the Exposure Factor, as well as other factors such as the duration of the impact and the availability of backup resources.
Impact is usually expressed in terms of a range of values, such as low, medium, or high, based on the severity of the potential damage.
RISK REDUCTION LEVERAGE
Risk Reduction Leverage is another quantitative means of assessing how well risks are being managed.
Since Risk Exposure (the probability of a loss multiplied by its cost) is not absolute but relative, we can compare different exposures to one another. One way to compare them is to compare the Exposure of a single event BEFORE and AFTER managing the risk. We need a simple measure of this risk reduction: the Risk Reduction Leverage, which is the reduction in Exposure (Exposure before minus Exposure after) divided by the cost of achieving that reduction.
Let us consider a server with some data on it. The probability of losing the data is 20%. The cost of losing such data is measured in terms of the cost of rebuilding it, estimated at $20,000.
Now we provide a method of reducing the possibility of data loss (say, frequent backups or replication to another database). This reduces the probability to 5%. The impact of losing the data is the same, since we would still need to rebuild it. However, the cost of introducing this loss reduction is $2,000.
We can now compare different ways of reducing data loss with each other by comparing their Reduction Leverage.
We can increase Leverage by increasing the difference between Exposure (Before) and Exposure (After), that is, by improving the solution and reducing the probability.
We can also increase Leverage by reducing the cost of risk reduction or by selecting better solutions.
In conclusion, use Risk Reduction Leverage to assess different solutions to a risky event.
Exercise
A company owns an asset with a total cost of 50,000 PKR.
The probability of a risk associated with the asset occurring is 70%.
Total Loss if the risk occurs is 10,000 PKR.
The company is evaluating two potential countermeasures:
• Countermeasure X, which reduces the probability of the risk occurring to 30% and the total loss if the risk occurs to 2,000 PKR.
• Countermeasure Y, which reduces the probability to 15% and the total loss if the risk occurs to 2,510 PKR.
Calculate the Risk Exposure (R.E) before and after implementing the countermeasures.
Determine which countermeasure is more cost-effective, considering that Countermeasure X costs 25,000 PKR and Countermeasure Y costs 10,000 PKR.
Which countermeasure would you recommend the company implement based on cost-effectiveness?
Solution
Countermeasure Y is more cost-effective (0.66235)
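As an added worked example (written for these notes, not from the lecture), the server scenario and the exercise above carried through in Python. It uses Risk Exposure = probability x loss and Risk Reduction Leverage = (Exposure before minus Exposure after) / cost of the countermeasure, which reproduces the stated answer of 0.66235 for Countermeasure Y. The exposure_loss helper and the 20% Exposure Factor it is called with are assumptions derived from the exercise's 50,000 PKR asset value and 10,000 PKR total loss; they tie the Exposure Factor slides to the exercise and are not given in the lecture.

```python
# Added worked example (not from the lecture): Risk Exposure and
# Risk Reduction Leverage for the server scenario and the exercise.


def risk_exposure(probability, loss):
    """Risk Exposure (R.E) = probability of the event x loss if it occurs."""
    return probability * loss


def exposure_loss(asset_value, exposure_factor):
    """Loss from one event = asset value x Exposure Factor (as a fraction).

    Assumption: the exercise's 10,000 PKR loss on a 50,000 PKR asset
    corresponds to an Exposure Factor of 20%.
    """
    return asset_value * exposure_factor


def risk_reduction_leverage(re_before, re_after, cost):
    """RRL = (R.E before - R.E after) / cost of the countermeasure.

    Larger is better: more exposure removed per unit of money spent.
    """
    return (re_before - re_after) / cost


def server_example():
    """The lecture's server: 20% chance of losing data that costs $20,000 to
    rebuild, reduced to 5% by backups/replication costing $2,000."""
    before = risk_exposure(0.20, 20_000)   # $4,000
    after = risk_exposure(0.05, 20_000)    # $1,000 (same impact, lower probability)
    return before, after, risk_reduction_leverage(before, after, 2_000)  # leverage 1.5


def exercise():
    """The exercise: compare Countermeasures X and Y by leverage."""
    loss = exposure_loss(50_000, 0.20)        # 10,000 PKR, the stated Total Loss
    re_before = risk_exposure(0.70, loss)     # 7,000 PKR
    # name -> (probability after, loss after in PKR, cost of countermeasure in PKR)
    options = {"X": (0.30, 2_000, 25_000), "Y": (0.15, 2_510, 10_000)}
    results = {}
    for name, (p_after, loss_after, cost) in options.items():
        re_after = risk_exposure(p_after, loss_after)
        results[name] = {
            "re_after": re_after,
            "rrl": risk_reduction_leverage(re_before, re_after, cost),
        }
    best = max(results, key=lambda n: results[n]["rrl"])
    return re_before, results, best


if __name__ == "__main__":
    before, after, rrl = server_example()
    print(f"Server: R.E before ${before:,.0f}, after ${after:,.0f}, leverage {rrl}")
    re_before, results, best = exercise()
    print(f"Exercise: R.E before {re_before:,.0f} PKR")
    for name, r in results.items():
        print(f"  Countermeasure {name}: R.E after {r['re_after']:,.1f} PKR, "
              f"leverage {r['rrl']:.5f}")
    print(f"Recommend Countermeasure {best}")
```

Note that Y wins even though X removes slightly more exposure in absolute terms (6,400 PKR versus 6,623.5 PKR is close), because Y costs less than half as much; leverage is a ratio, so the denominator matters as much as the reduction.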
SECURITY CONCEPTS
Assurance:
The level of guarantee that a security system will behave as expected
Countermeasure/safeguard/control:
A countermeasure is a way to stop a threat
Defense in depth:
Never rely on one single security measure alone
Take (maximum) steps to protect the system
SECURITY
— The Art of War, Sun Tzu
SECURITY
Non-repudiation:
The ability to verify that an action or communication has been performed by a specific individual or entity and that it cannot be denied later.
SECURITY LEVELS
SECURITY ATTACKS
• Question: Can you think of a recent security breach and how it could
have been prevented?
• Discussion Points: Apply the CIA Triad to real-world examples.