
5.7.2  Risk Assessment

Risk assessment is concerned with discovering the potential losses due to risks, so that the organization can take steps to ensure it is sufficiently protected. This may take the form of insurance policies, or perhaps self-insurance. Think your organization uses neither approach? If your organization is not insured against certain types of loss, then it is (by default) self-insuring against those losses. In other words, the organization has decided it is willing to take the financial “hit” of that loss occurring, based on the probability of that loss.

Risk is generally defined as vulnerabilities (see 5.7.4) × threats (see 5.7.3) × costs.

Two factors are computed when considering Risk Assessment:

• The cost of an event, should it occur.

• The probability of it occurring (a combination of vulnerabilities and threats).

Let’s look at an example. If a firm has 100 employees who use email, this activity has a bottom-line cost to the firm (salary + taxes + benefits) of \$25 an hour times 100 employees, or \$2500 per hour. Now select a threat, such as viruses, and assign a probability that a virus affecting email will occur; in this example we will say 90%. Further, let’s say it will take you 3 hours to repair the damage. Given this: 3 hours × \$2500 = \$7500, and \$7500 × 0.9 = \$6750. That is your cost of the risk.

Use this figure against the cost of purchasing a site license for anti-virus software. Be careful to make an apples-to-apples comparison. If you estimate that without anti-virus software you would be repairing once a month for a year, then it is \$6750 × 12 = \$81000 versus the annual fee for the site license of the anti-virus software. (Who says you cannot estimate risk? Insurance companies live by formulas like this, only more complex, for determining rates.)

The example used for anti-virus is known as quantitative risk analysis. A more accurate model may be the qualitative risk analysis. Both are described in more detail at the web site mentioned in footnote 458.

A great article for software developers can be found in footnote 459.

It isn’t clear whether it’s the long winters of Moscow, Idaho, or the very close physical proximity of Wazzu (the eastern Washington college campus), or both, that contribute to the incredible work that flows out of the Center for Secure and Dependable Software at the University of Idaho.

Among other gems, when publishing a paper titled Cost-Benefit Analysis for Network Intrusion Detection Systems (footnote 460), the team came up with a generic math model for risk assessment. It goes like this:

(R - E) + T = ALE, R - ALE = ROSI

"R" is the yearly cost of recovering from an intrusion; "E" is the savings gained from stopping an intrusion; "T" is the cost of an intrusion prevention or security system; "ALE" stands for annual loss expectancy; and "ROSI" is the return on security investment. All this and more can be found in the PDF referenced in footnote 460.
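As an added example (not from the CertiGuide text or the Idaho paper), both calculations in this section as code: the anti-virus figures from the email example (\$25/hour, 100 employees, 3 hours, 90%, 12 incidents a year) and the (R − E) + T = ALE, R − ALE = ROSI model. The anti-virus license fee and the "E" savings figure are constructed assumptions, since the page gives neither.

```python
# Added example: quantitative risk figures and the ALE/ROSI model as code.
# Page values: $25/hour, 100 employees, 3 hours repair, 90% probability,
# 12 incidents per year. The license fee and "E" savings are constructed.

def single_loss_expectancy(hourly_cost, headcount, hours_to_repair):
    """Cost of one incident if it occurs: lost staff time while repairing."""
    return hourly_cost * headcount * hours_to_repair

def risk_cost(single_loss, probability):
    """Expected cost of one potential event = cost x probability."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be a fraction between 0 and 1")
    return round(single_loss * probability, 2)

def annual_risk_cost(event_risk_cost, events_per_year):
    """Scale the per-event expected cost to a yearly figure."""
    return event_risk_cost * events_per_year

def annual_loss_expectancy(r, e, t):
    """ALE = (R - E) + T, the Idaho cost-benefit model."""
    return (r - e) + t

def return_on_security_investment(r, ale):
    """ROSI = R - ALE."""
    return r - ale

def virus_example():
    """The chapter's email/virus scenario: SLE, per-event risk, per-year risk."""
    sle = single_loss_expectancy(25.0, 100, 3)      # $7500
    per_event = risk_cost(sle, 0.90)                # $6750
    per_year = annual_risk_cost(per_event, 12)      # $81000
    return sle, per_event, per_year

def antivirus_worth_buying(annual_risk, annual_license_fee):
    """Apples-to-apples: yearly risk cost against the yearly license fee."""
    return annual_risk > annual_license_fee

def rosi_example(r, e, t):
    """Apply the model; returns (ALE, ROSI)."""
    ale = annual_loss_expectancy(r, e, t)
    return ale, return_on_security_investment(r, ale)

if __name__ == "__main__":
    sle, per_event, per_year = virus_example()
    print(f"SLE ${sle:,.0f}; risk per event ${per_event:,.0f}; per year ${per_year:,.0f}")
    fee = 15000.0   # constructed annual site-license fee
    print("anti-virus worth buying:", antivirus_worth_buying(per_year, fee))
    # R = yearly recovery cost without protection, E = savings the product is
    # expected to deliver (constructed), T = its cost (constructed).
    ale, rosi = rosi_example(r=per_year, e=70000.0, t=fee)
    print(f"ALE ${ale:,.0f}; ROSI ${rosi:,.0f}")
```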

__________________

458. http://www.security-risk-analysis.com/introduction.htm

459. http://www.processimpact.com/articles/risk_mgmt.html

460. http://www.csds.uidaho.edu/director/costbenefit.pdf
