After gathering as much information as possible from almost every employee of the organization, start to identify the organizational assets. These are the assets that the security policy is meant to protect. The process of identifying and determining risk exposure for each system asset is referred to as risk analysis. Risk itself is the possibility that damage could happen to a business or organization. The goal of risk analysis is to determine this probability of potential risks, in order to integrate financial objectives with security objectives. According to the Society of Risk Analysis (2006), risk analysis is broadly defined to include risk assessment, risk characterization,
The information gathering process started earlier acquaints you with the ways the organization operates, what business procedures are used, which information resources are taken to be more important, and provides you with the ability to identify devices and procedures that can lead to security threats—events that may occur independent of the system under consideration and which may pose a risk. System threats can be any of the following:
• Power loss
• Communication loss
• Data integrity loss
• Accidental errors
• Computer virus
• Abuse of access privileges
• Natural disasters
• Attempted unauthorized system access by an outsider
• Theft or destruction of computing resources
• Destruction of data
• Abuse of access privileges by other authorized users
• Successful unauthorized system access by an outsider
• Nondisaster downtime
• Fire
• Earthquake
There are several primary steps to performing a risk analysis, and they are (2006):
• Identify the risks by identifying those assets you are trying to protect (resources may be hardware, software, or even personnel)
• Define potential adversaries from which you are protecting the resources
• Determine the impact of the threats on these resources
• Balance the impact of the threats with safeguards
• Plan for continued monitoring of these resources
Use the outcome of these steps to perform a comprehensive risk analysis. There are two ways of doing this: quantitative analysis and benefits analysis (ISO IEC 17799, 2005).
Quantitative Risk Analysis
Quantitative risk analysis is a process that produces a numerical measure of the risk of each asset or resource in an organization’s system. The process works by first identifying the potential threats to the system assets and then determining the probability of the occurrence of each of these threats on the specified system asset or resource. The outcomes or consequences of each event of these threats occurring on each system asset or resource are then calculated and tabulated, resulting in a matrix of scores of threats by assets. In addition to calculating consequences of threats to system assets, the analysis also considers the safeguards already in place and those which may be implemented to achieve an acceptable level of risk and increase overall awareness.
System assets and resources used can be a network/telecommunications device like modems, routers, cabling, and others. It also can be software, like an operating system, application, and others. It can be hardware devices, like monitors, printers, computers, and others. Finally, it can be anything related to computers, like data or information including facilities, supplies, documentation, and personnel.
Each asset or resource responds differently to different threats. Also, each threat has a different effect on an asset. Some threats have no impact at all on an asset, while others may have devastating effects on the same asset. The amount of loss is based on the vulnerability of the asset to a given threat. This vulnerability can be determined by a mathematical formula as a vulnerability factor of that particular threat to a given asset. The calculation is based on two values: the expected loss from a single impact of a threat on an asset, and the potential loss of the asset in the event the threat occurs. The vulnerability factor can then be calculated as follows:
The vulnerability factor = (expected loss from a single impact of a threat to an asset) / (the loss potential of the asset).
The expected annual loss for an asset = sum of all losses of the asset by all threats. The sum of all threats to all assets in the system is the annual loss expectancy (ALE). This is the foundation of risk assessment. It is the most used loss metric and is calculated from two values: the probability of an incident occurring and the likely loss should it occur.
ALE = Incident cost x probability of incident loss.
For example, there is a virus attack on an organization’s vital server, and it is taken out of use for three days. Suppose the resulting loss due to this incident is $80,000 and the probability of that incident occurring had been calculated to be 0.3; then the ALE is: $80,000 x 0.3 = $24,000.
Suppose after such an incident, the organization invests in antivirus software. This act alone lowers the risk to the organization’s servers. This is an act of mitigation of risk. It lowers the probability of another virus attack. With this new probability, a new ALE can be calculated. This new ALE is called the modified ALE or mALE. Suppose with the new antivirus software, the probability of loss reduces to 0.185; then mALE = $80,000 x 0.185 = $14,800. A big improvement with savings:
ALE – mALE = $24,000 − $14,800 = $9,200.
This ALE value becomes the theoretical value of risk in the occurrence of an event on a specific system resource. ALE also can be used to rank events on system resources, based on that ranking. ALE was first developed in 1979 by the National Bureau of Standards, now the NIST.
Current methods to calculate risk exposure are based on two values: the probability of the potential loss of a resource should an event occur and the severity of the potential loss. From these two values we calculate the risk exposure per threat on an asset as: Risk Exposure = Probability of Potential Loss x Severity of Potential Loss.
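The calculations above (vulnerability factor, per-threat ALE, the threats-by-assets matrix, per-asset and total expected loss, ranking by ALE, and ALE minus mALE for a safeguard) as an added worked example; this is illustrative code, not from the text, and the asset inventory beyond the $80,000 server/virus figures is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float    # estimated annual probability that the threat occurs
    incident_cost: float  # expected loss from a single occurrence on the asset


def ale(incident_cost, probability):
    """Annual loss expectancy for one threat on one asset: cost x probability."""
    return round(incident_cost * probability, 2)


def vulnerability_factor(single_impact_loss, loss_potential):
    """Fraction of the asset's total loss potential that one occurrence destroys."""
    if loss_potential <= 0:
        raise ValueError("loss potential must be positive")
    return single_impact_loss / loss_potential


def ale_matrix(assets):
    """Threats-by-assets matrix of ALE scores: {asset: {threat: ale}}."""
    return {asset: {t.name: ale(t.incident_cost, t.probability) for t in threats}
            for asset, threats in assets.items()}


def expected_annual_loss(assets):
    """Per-asset sum of losses over all threats."""
    return {asset: round(sum(row.values()), 2) for asset, row in ale_matrix(assets).items()}


def total_ale(assets):
    """Organization-wide ALE: sum over all threats to all assets."""
    return round(sum(expected_annual_loss(assets).values()), 2)


def rank_assets(assets):
    """Assets ordered from highest to lowest expected annual loss."""
    return sorted(expected_annual_loss(assets).items(), key=lambda kv: kv[1], reverse=True)


def safeguard_savings(incident_cost, p_before, p_after):
    """ALE - mALE: the reduction bought by a control that lowers the probability."""
    return round(ale(incident_cost, p_before) - ale(incident_cost, p_after), 2)


# Constructed sample inventory (hypothetical figures apart from the server/virus case).
ASSETS = {
    "vital server": [Threat("virus", 0.3, 80_000), Threat("power loss", 0.1, 5_000)],
    "router": [Threat("communication loss", 0.2, 12_000)],
}

if __name__ == "__main__":
    for asset, loss in rank_assets(ASSETS):
        print(f"{asset:14s} expected annual loss ${loss:,.2f}")
    print("total ALE:", total_ale(ASSETS))
    print("savings from antivirus:", safeguard_savings(80_000, 0.3, 0.185))
```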
Qualitative Risk Analysis
This type of risk analysis, unlike quantitative analysis, identifies where in
with their implementation. Most qualitative risk analysis methodologies make use of a number of interrelated elements including threat, vulnerability, and controls.
• Threats: Are things that can go wrong in the system. (We defined threat in the previous chapter.)
• Vulnerabilities: Are whatever makes a system more prone to attack by a threat or makes an attack more likely to have some success or impact. (We defined vulnerability in the previous chapter.)
• Controls: Are countermeasures to vulnerabilities. There are four types of controls:
1. Deterrent controls to reduce the likelihood of a deliberate attack
2. Preventative controls to protect vulnerabilities and make an attack unsuccessful or reduce its impact
3. Corrective controls to reduce the effect of an attack
4. Detective controls to discover attacks and trigger preventative or corrective controls