Risk, as I mentioned, is highly valuable for corporate decision making. It allows the steering committee to review the risk assessments and allows them to make tactical or strategic decisions. If a techy-nerd presented to upper management that the "firewall ACL configuration has deficiencies and would require many man-hours", they will initially reject the idea because of the expense and probably the fact that they wouldn't have a freaking clue what the guy is initially on about. Instead, if you stress the severity and the business impact that firewall misconfiguration may cause, then the decision makers could relate and understand the technical issues in hand.

Just a note on that, the decision makers are ultimately responsible and therefore would have to mitigate the risk meaning they would have to approve the request or accept the problem.

1. Identify Assets

What is tangible (such as asset values) or intangible (such as data trends)

Not just the cost of assets, A server might be worth $3000 to buy, though because it's a critical server, the repercussions could be catastrophic, not just because of money.

Qualitative or Quantitative (explained in more detail below)

Based on cost, would a countermeasure would be even worth implementing?
• (explained in more detail below)

If there's not definitive decision-making, management have to make a decision
• (explained in more detail below)

This is fairly intuitive to understand. The scope of objects need to be identified and valued, both tangible and intangible values Delphi Technique (Qualitative Process)

• A manager may influence the employees
• Collecting data anonymously

You need to decide how to calculate risk, which comes in two ways: Qualitative or Quantitative

Qualitative means it's measured on values, not numbers (most common)
Advantages

• can assign values instead of numbers (High/Medium/low)
• Not as much preliminary work

• Gut feeling/based on opinion
• Hard to assign money to risk

• Able to provide results in monetary values

• Large amount of data (Loads of preliminary effort)
• Hard to do manually
• Complex Formulas
• No Standards

A common qualitative method to determine the severity is constructing a grid based on probability against the impact. Alternatively, you could use the Delphi Technique, which is classed as a qualitative process where they collect opinion-based data from individuals anonymously. This technique ensure that the manager cannot influence the individuals in question.

Quantitative - least common
Quantitative measurements uses monetary values. Were are the common terminologies used

Asset Value

The actual Value of an object (e.g. Server = $3000)

The % of damage is an effect happens

SLE = Asset Value x Exposure Factor

How often the disaster occurs (used for ALE)
1/year = 1.0
3/year = 3.0
1 every 10 years = 0.1

Is the expected lost on an annual rate. This includes the single expense and the occurrence
ALE = SLE x ARO

Imagine a tornado is expected to hit the $650,000 office department (1 every 10 years) and it will cause 35% damage.

Single Loss = $650,000 x .035 = $227,500
Annual Loss = $227,500 x 0.1 = $22,750

So the Annual Loss for a tornado will be $22,750. This information can be used in the next stage, cost/Benefit Analysis

After the assets have been identified, values and measured, it then passed over to management for them to acknowledge and understand the risks.

The analysis will highlight the very-low risks and very-low chance of occurrences so management would happy to accept that risk. They will however require to understand, based on budget and security concerns, the acceptable risk level. This line represents all the risk that can be accepted or requires action. They will need to put countermeasures to mitigate the risk (and bring it below the line) or to eliminate the risk (see uncertainty analysis)

Management needs to determine if the expense of a countermeasure is worth it.

By using the example above, the annual loss of a hurricane is $22,750. For it to be financially beneficial, the cost of the countermeasure needs to be lower than the money lost, otherwise it wouldn't be worth it.

Before Countermeasure expenses = $22,750
Countermeasure implemented = $10,000 (+$30,000 maintenance) = $40,000 Total

In this situation, the countermeasure is more expensive than a solutions, so it's not worth it. If it's not resolved, it then needs to be reviewed within the uncertainty analysis.

If cost/benefit analysis cannot determine if a countermeasure should be introduced, it's then rolled into the uncertainty analysis. This is where management needs to decide what option to take, and they have 4 options

• Risk Acceptance (Add a control in plan)
• Risk Transference Take out insurance with a company like AIG
• Risk Mitigation Do nothing!
• Risk Avoidance Discontinue the process

About the author