The InfoSec Handbook
Risk Analysis

Risk analysis is the next important step. At the end of the risk analysis we need to quantify the risk as a quantified risk exposure. This is different from the impact levels on confidentiality, integrity, and availability discussed in the earlier paragraphs.

For a particular information asset, and for each pair of threat and vulnerability, we identify the actual impact on the business. For example, a banking server that is compromised and misused may impact the entire business severely, including potential loss of customer confidence, reputation loss, loss of data integrity, or monetary loss. Then we determine the probability of this risk (also known as the likelihood of the risk), as shown in Table 5-5. The probability rating ranges from 1% to 99%; a probability of 100% means that the risk has already materialized and has already occurred.

Table 5-5. Risk Probability Ratings

| Probability     | Description                  | Probability Value |
|-----------------|------------------------------|-------------------|
| Almost certain  | Several times a week or day  | 5                 |
| Likely          | More than once per month     | 4                 |
| Moderate        | Up to several times a year   | 3                 |
| Unlikely        | 2–5 times every 5 years      | 2                 |
| Rare            | Unlikely to occur            | 1                 |

Then, for each pair of threat and vulnerability, we identify the possibility of detection and assign a rating on a scale of 1 to 5. Note that this scale is inverted: the lower the possibility of detection, the higher the rating, and the higher the possibility of detection, the lower the rating, as shown in Table 5-6.

Table 5-6. Possible Detection Ratings

| Possibility of detection | Description                              | Rating Value |
|--------------------------|------------------------------------------|--------------|
| Extremely Low            | Probability of detection is 0 to 20 %    | 5            |
| Low                      | Probability of detection is 21 to 40 %   | 4            |
| Medium                   | Probability of detection is 41 to 60 %   | 3            |
| High                     | Probability of detection is 61 to 80 %   | 2            |
| Extremely High           | Probability of detection is 81 to 100 %  | 1            |

Once all three values (the total asset impact value, the probability-of-occurrence rating from Table 5-5, and the possibility-of-detection rating from Table 5-6) are determined for each threat and vulnerability pair, the risk exposure is quantified using the following formula:

Risk Exposure = Total Asset Impact Value × Probability of Occurrence × Possibility of Detection

The organization should have decided, as part of the risk assessment methodology it adopts, the level of risk exposure it considers acceptable. That threshold should not be so high that it leads to acceptance of every risk, nor so low that it forces compulsory mitigation, avoidance, or transfer of every risk. Organizations are free to set their own acceptable risk exposure threshold depending upon their risk appetite.
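The following is an added worked example of the procedure above, not code from the handbook: it encodes the ratings of Tables 5-5 and 5-6, computes Risk Exposure = Total Asset Impact Value × Probability of Occurrence × Possibility of Detection for a small register of threat/vulnerability pairs, and compares each result against an acceptable-exposure threshold. The register entries, the asset impact values, the detection percentages and the threshold of 50 are constructed sample data; the handbook does not prescribe them.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Table 5-5: probability-of-occurrence ratings keyed by the book's descriptions.
PROBABILITY_RATING = {
    "almost certain": 5,  # several times a week or day
    "likely": 4,          # more than once per month
    "moderate": 3,        # up to several times a year
    "unlikely": 2,        # 2-5 times every 5 years
    "rare": 1,            # unlikely to occur
}


def detection_rating(detection_probability_pct: float) -> int:
    """Map an estimated probability of detection (0-100 %) to the inverted
    rating of Table 5-6: the harder the exploitation is to detect, the
    higher the rating."""
    if not 0 <= detection_probability_pct <= 100:
        raise ValueError("detection probability must be between 0 and 100 percent")
    if detection_probability_pct <= 20:
        return 5  # Extremely Low possibility of detection
    if detection_probability_pct <= 40:
        return 4  # Low
    if detection_probability_pct <= 60:
        return 3  # Medium
    if detection_probability_pct <= 80:
        return 2  # High
    return 1      # Extremely High


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    asset: str
    threat: str
    vulnerability: str
    asset_impact_value: int        # total asset impact value from the earlier impact assessment (assumed input)
    probability: str               # one of the Table 5-5 descriptions
    detection_probability_pct: float  # analyst's estimate of how likely exploitation is to be detected


def risk_exposure(pair: ThreatVulnerabilityPair) -> int:
    """Risk Exposure = Total Asset Impact Value x Probability of Occurrence x Possibility of Detection."""
    try:
        probability = PROBABILITY_RATING[pair.probability.lower()]
    except KeyError:
        raise ValueError(f"unknown probability description: {pair.probability!r}") from None
    return pair.asset_impact_value * probability * detection_rating(pair.detection_probability_pct)


def classify(pairs: List[ThreatVulnerabilityPair],
             acceptable_exposure: int) -> List[Tuple[ThreatVulnerabilityPair, int, str]]:
    """Score every pair and decide whether it falls within the organization's
    acceptable exposure ('accept') or needs treatment ('treat'), highest exposure first."""
    scored = []
    for pair in pairs:
        exposure = risk_exposure(pair)
        decision = "accept" if exposure <= acceptable_exposure else "treat"
        scored.append((pair, exposure, decision))
    scored.sort(key=lambda entry: entry[1], reverse=True)
    return scored


# Constructed sample register (hypothetical assets and values, not from the handbook).
SAMPLE_REGISTER = [
    ThreatVulnerabilityPair("banking server", "unauthorized remote access",
                            "unpatched web application", 15, "Likely", 30),
    ThreatVulnerabilityPair("HR file share", "data leakage",
                            "excessive share permissions", 9, "Moderate", 70),
    ThreatVulnerabilityPair("office printer", "denial of service",
                            "default credentials", 3, "Unlikely", 50),
]

# Hypothetical threshold set by the organization's risk appetite.
ACCEPTABLE_EXPOSURE = 50


if __name__ == "__main__":
    for pair, exposure, decision in classify(SAMPLE_REGISTER, ACCEPTABLE_EXPOSURE):
        print(f"{pair.asset:15} {pair.threat:28} exposure={exposure:4d}  {decision}")
```

With the constructed values, the banking server scores 15 × 4 × 4 = 240 and the HR file share 9 × 3 × 2 = 54, both above the threshold of 50 and therefore requiring mitigation, avoidance, or transfer, while the printer scores 3 × 2 × 3 = 18 and is accepted. Raising the threshold to 60 would move the file share into the accepted set, which is exactly the trade-off the paragraph above warns about when a threshold is set too high.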
