5.7.2 Risk Assessment
Risk assessment is concerned with discovering the potential losses due to risks, so that the organization can take steps to see that they are sufficiently protected. This may take the form of insurance policies, or perhaps self-insurance. Think your organization uses neither approach? If your organization is not insured against certain types of loss, then it is (by default) self-insuring against those losses. In other words, the organization has decided it is willing to take the financial hit of that loss occurring, based on the probability of that loss.
Risk is generally defined as vulnerabilities (see 5.7.4) X threats (see 5.7.3) X costs.
Two factors are computed when considering Risk Assessment:
Lets look at an example. If a firm has 100 employees who use email, this activity has a bottom line cost to the firm (salary+taxes+benefits) of $25 dollars an hour times 100 employees, or $2500 per hour. Now, select a threat, such as viruses. Select a probability that a virus is likely to occur that affects email. In this example we will say 90%. Further lets say it will take you 3 hours to repair the damage. Given this: (3 * $2500) = $7500. * .9 = $6750. That is your cost of the risk.
Use this figure against the cost of purchasing a site license for Anti-Virus software. Be careful to make an apple-to-apple comparison. If you estimate that without anti-virus software you would be repairing once a month for a year then it is $6750 * 12 = $81000 versus the annual fee for the site license of the anti-virus software. (Who says you cannot estimate risk? Insurance companies live by formulas like this (only more complex) for determining rates.
The example used for anti-virus is known as quantitative risk analysis. A more accurate model may be the qualitative risk analysis. Both are described in more detail at the web site mentioned in the footnote458.
A great article for software developers can be found in footnote459.
It isnt clear if its the long winters of Moscow and Idaho, or the very close physical proximity of Wazzu (the eastern Washington college campus) or both that contributes to the incredible work that flows out of the Center for Secure and Dependable Software at the University of Idaho.
Among other gems, when publishing a paper titled Cost-Benefit Analysis for Network Intrusion Detection Systems460 the team came up with a generic math model for risk assessment. It goes like this:
(R - E) + T = ALE, R - ALE = ROSI
"R" is the yearly cost of recovering from an intrusion; "E" is the savings gained from stopping an intrusion; "T" is the cost of an intrusion prevention or security system; "ALE" stands for annual loss expectancy; and "ROSI" is the return on security investment. All this and more can be found in the PDF available by the footnote.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.