Questions tagged [risk-analysis]

Risk analysis is the practice of identifying and assessing factors that may jeopardize the success of a project or the achievement of a goal. Security risk analysis (or risk assessment) can be quantitative or qualitative.

Quantitative risk analysis is based on potential loss multiplied by its probability. Qualitative risk analysis is based on the analysis of interrelated elements: threats, vulnerabilities and controls (countermeasures for vulnerabilities).

158 questions
Security Testing Methods for Enterprise Level (6 votes, 3 answers)

I have been asked to perform a risk assessment for a company. The scope covers about 100 applications in various business units. The major task is to assess currently implemented security controls and provide recommendations after the assessment.…
asked by ray bash
What is a CISO's job, exactly? (6 votes, 2 answers)

The company I work for (kind of a startup) can't afford a full-time chief information security officer (CISO). So the boss is asking the security-aware people in the team to work together to do a CISO's job. And I don't think we will have any budget…
asked by Bytemare
How to calculate the risk rating of a feature? (6 votes, 2 answers)

I'm working on a threat modeling/architectural risk analysis (ARA) methodology for the organization I work for. Our business consists of one major product (developed by ~500 developers over a decade). The product contains hundreds of features, most…
asked by NLuburić
Attack tree file format? (6 votes, 1 answer)

Wikipedia lists five software packages for creating/editing/analysing attack trees. These software packages do not seem to have settled, between them, upon an agreed file format for attack trees. This lack of standardisation means that…
asked by sampablokuper
How to help users manage password portfolios based on risks of compromise? (5 votes, 1 answer)

A framework for modeling password management risks and costs, and the beginnings of a good strategy for users to help them manage passwords for their often large portfolios of accounts is outlined in the paper Password Portfolios and the…
asked by nealmcb
Stolen Laptop - Next steps (5 votes, 2 answers)

My laptop (modded 2007 MacBook Pro) was stolen 2 days ago when I didn't pay attention to my backpack in a tourist spot in Europe, and while I'm quite certain they won't have much use for it (the apple is orange :) I'd still like to make sure I'm…
How can I determine whether a website somehow protects against brute force attacks on my password? (assume I can't create an anonymous account) (5 votes, 3 answers)

After the hack of Mat Honan I studied my own laundry list of accounts I have at the numerous web sites I use. There is one fact that stands out: Many of the websites severely restrict the size and character options of passwords. Ironically,…
asked by alx9r
WireGuard: what's wrong with this automatic IP assignment? (5 votes, 2 answers)

WireGuard is an extremely simple and fast kernel-space VPN based on modern cryptography. I want to use it in production and need automatic IP assignment for new peers. The project provides two short scripts for server and client that do just this.…
asked by user1876484
Skype security concerns on an enterprise network (5 votes, 2 answers)

I am trying to write a security opinion that may influence future policy in the enterprise-grade network which I work to protect, regarding the use of Skype on the networks and the security risks thereof. I have been trying to find recent…
asked by Thomas Ward
How to convert risk scores (CVSSv1, CVSSv2, CVSSv3, OWASP Risk Severity)? (5 votes, 2 answers)

Is there an accurate method or formula to convert risk scores between the OWASP Risk Rating Methodology (Overall Risk Severity) and the CVSS v1, v2 and v3 models (base score)? As well as converting scores between the different CVSS versions? For…
asked by Bob Ortiz
IP address filtering vs web application security (4 votes, 1 answer)

We have a web application behind a firewall that requires no user authentication. If we open up access to this application via the firewall to a small list of IP addresses, what is the risk of unauthorized access from other hosts? Is there a risk to…
asked by user5826
How to calculate Exposure Factor? (4 votes, 1 answer)

How can I calculate a single loss expectancy without a given Exposure Factor? Can someone please explain it to me?
asked by Diogo
Where can I find a collection of Threat Models? (4 votes, 3 answers)

I found a very nice SSL Threat model on this web page and would like to find more on different topics. How would I go about locating more images like these? Is there an organisation or website I could go to?
asked by makerofthings7
How are CVSS scores used in security risk management products? (4 votes, 1 answer)

From the CVSS v2 complete guide: "Security (Risk) Management: Security Risk Management firms use CVSS scores as input to calculating an organization's risk or threat level. These firms use sophisticated applications that often integrate with an…
asked by sashank
Dangerous to open a unix socket within www root? (4 votes, 1 answer)

My web server is chrooted into /var/www, and its contents are available over the network. One of my web applications needs access to a unix socket, and so that socket needs to be somewhere in /var/www to be accessible by the server. Does it pose any…
asked by ssh2ksh