Sunday, October 21, 2012

Information Security Risk Analysis

Our chapter this week discussed risk analysis, asset valuation, and other topics associated with risk analysis.  I found an article discussing a hybrid of qualitative and quantitative risk analysis.

Threat can be defined as the result of an Actor, a Motivation and an exploitable Vulnerability. Risk can be defined as the product of a Threat, Probability and Business Impact.

NIST SP800-30 discusses a series of steps that should be carried out during a Risk Analysis, or Risk Assessment. The steps as noted below, are a hybrid of quantitative and qualitative analysis. When a quantity is known, that quantity should be included, when threats, risks, or assets are subjective, scenarios should be developed. ‘High / Med / Low’ can be substituted for figures in both likelihood and impact assessments.




The object of a Risk Analysis is to rate the organization's current exposure and to produce a plan for instituting controls that mitigate some or all of that risk.



Loss expectancy is calculated for each asset vulnerability during a Quantitative Risk Analysis. Each asset must be valued (AV), and the exposure (as a percentage, the Exposure Factor) of that asset to each particular vulnerability in question must also be calculated. The formula is noted below:

Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)

The organization should then estimate the number of occurrences, annually, of the particular loss. The resulting number can be a whole number or a fraction if the event occurs less than once per year. The Annual Rate of Occurrence (ARO) can be predicted based on historical figures. It is essentially the balance of the adversary capability against the countermeasures (controls) put in place by the Security Manager.


Referencing our earlier noted flow chart, the Asset and Vulnerability are used to calculate the Single Loss Expectancy (SLE) and the Threat, Threat Actor, Controls and Security Manager are used to estimate the Annual Rate of Occurrence (ARO).


The final calculation – Annual Loss Expectancy (ALE) – is a numeric approximation of risk. The resulting figure can be utilized to help the business decide whether the risk should be:

avoided – through changing business process
mitigated – through introduction of countermeasures
accepted – because the cost of avoidance or mitigation outweighs the ALE

Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

Countermeasures or risk avoidance measures should only be considered for a particular threat when their cost of adoption is less than the Annual Loss Expectancy for that threat.


REFERENCES

Maniscalchi, J. (2010, May 17). Information Security Risk Analysis. Digital Threat. Retrieved October 2012, from http://www.digitalthreat.net/2010/05/information-security-risk-analysis/
