The Traditional Security Assessment Model

Assessing risk is normally one of the most difficult tasks in an audit process. Several formal assessment models exist for determining the risk to each object in light of the threats surrounding it. The two models that are prominent today are based on quantitative and qualitative analysis practices.

Traditional Quantitative Assessment

Think of a quantitative assessment as a process of calculating numeric values for each object being assessed. The goal of a quantitative assessment is to recognize a series of common factors in each object and:

  • Derive a dollar amount that represents how much we should spend each year on protecting it

  • Come to a conclusion about which objects are more at risk and which should be addressed first

A normal quantitative assessment follows a process like this (see also Table 8.1):

Step 1. Assign a value to the object.

Step 2. Take the major threats posed against that object and determine the loss, in dollars, that a single occurrence of each would cause (the potential loss).

Step 3. Estimate the likelihood of each threat occurring in a given year (the chance per year).

Step 4. Multiply the chance per year by the potential loss to get the annual loss expectancy, or ALE, for that threat. Adding up the ALE figures for all of an object's threats gives the object's expected loss per year.

Table 8.1. Quantitative Assessment

Object     Value     Threat               Chance per Year   Potential Loss   ALE
Server X   $50,000   Fire                 5%                $35,000          $1,750
                     Compromised          15%               $22,000          $3,300
                     Component failure    25%               $10,000          $2,500
Router X   $30,000   Fire                 5%                $25,000          $1,250

By using this model, we can look to the ALE figure and determine how much per year it is worth spending on security for each object. For instance, the three ALE figures for Server X add up to $7,550 per year; if we are spending $10,000 a year to secure Server X, we are spending more than the expected loss and probably need to rethink our security. The same figures also show the priority of securing Server X ($7,550 per year) over Router X (5% of $25,000, or $1,250 per year) and other objects.
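The four steps carried through in code for the objects in Table 8.1, as an added example (not code from the book or its author). The objects, values, threats, probabilities and losses are the table's; the annual spend figures passed to spend_verdict() are constructed, and the oversized_losses() consistency check is an addition of this example rather than a rule from the text:

```python
"""Annual loss expectancy (ALE) worked through for the objects in Table 8.1.

Added example, not code from the book. It carries the four steps of the
quantitative model through in code and then ranks objects by total ALE.
The objects, values, threats, probabilities and losses are the ones in the
table; the annual spend figures passed to spend_verdict() are constructed
(the $10,000 case is the one the text discusses).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    chance_per_year: float  # Step 3: probability of occurrence per year (0.05 = 5%)
    potential_loss: float   # Step 2: dollar loss from a single occurrence

    def ale(self) -> float:
        """Step 4: ALE = chance per year x potential loss."""
        return self.chance_per_year * self.potential_loss


@dataclass(frozen=True)
class AssessedObject:
    name: str
    value: float                   # Step 1: value assigned to the object
    threats: tuple[Threat, ...]

    def total_ale(self) -> float:
        """Expected annual loss across all threats to this object."""
        return sum(t.ale() for t in self.threats)

    def oversized_losses(self) -> list[str]:
        """Threats whose single-event loss exceeds the object's own value.

        Not a rule from the book, but a useful consistency check: such a
        figure usually means the assessor priced in downtime or recovery
        costs that Step 1 left out, and the value should be revisited.
        """
        return [t.name for t in self.threats if t.potential_loss > self.value]


# Objects and threats as given in Table 8.1.
SERVER_X = AssessedObject("Server X", 50_000, (
    Threat("Fire", 0.05, 35_000),
    Threat("Compromised", 0.15, 22_000),
    Threat("Component failure", 0.25, 10_000),
))
ROUTER_X = AssessedObject("Router X", 30_000, (
    Threat("Fire", 0.05, 25_000),
))
INVENTORY = (SERVER_X, ROUTER_X)


def rank_by_ale(objects: tuple[AssessedObject, ...]) -> list[AssessedObject]:
    """Highest total ALE first: the order in which objects should be addressed."""
    return sorted(objects, key=lambda o: o.total_ale(), reverse=True)


def spend_verdict(obj: AssessedObject, annual_spend: float) -> str:
    """Compare yearly security spend on an object with its total ALE.

    'over' means the spend exceeds the expected annual loss and deserves a
    second look; 'under' means there is headroom; 'match' means they are equal.
    """
    ale = obj.total_ale()
    if annual_spend > ale:
        return "over"
    if annual_spend < ale:
        return "under"
    return "match"


if __name__ == "__main__":
    for obj in rank_by_ale(INVENTORY):
        print(f"{obj.name}: value ${obj.value:,.0f}, total ALE ${obj.total_ale():,.0f}")
        for t in obj.threats:
            print(f"  {t.name:<18} {t.chance_per_year:>4.0%} x ${t.potential_loss:>7,.0f}"
                  f" = ${t.ale():>6,.0f}")
    # Constructed spend figure, the case the text discusses.
    print("Server X at $10,000 per year:", spend_verdict(SERVER_X, 10_000))
```

Running it prints Server X first with its $7,550 total ALE, the three per-threat lines ($1,750, $3,300, $2,500), then Router X at $1,250, and reports the $10,000 spend as "over". The per-object total is what the spend comparison uses; a single threat's ALE on its own is only the priority within that object.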

Traditional Qualitative Assessment

A qualitative approach is very different from a quantitative one in that it weighs a series of educated opinions about each object's risks. For each object being assessed, several people who know the object and its function within the organization are gathered together (see also Table 8.2):

  • Each person is presented with a list of objects or types of objects.

  • Each person is then asked to comment on and rank a series of scenarios and how they could affect the object and the organization.

  • The opinions are then averaged, giving us an overall ranking for the object.

Table 8.2. Assessment for "Server X Being Compromised by a Hacker"

If Server X was compromised by a hacker, how could this affect the organization (scale of 1 to 10)?

           Damage to Productivity   Damage to Customers   Likelihood of Threat
John       9                        7                     5
Jane       3                        2                     3
Mike       3                        3                     4
Average    5                        4                     4

By averaging the scores from each scenario, we can compare different risks within each object. We may also look at the risks of every object within the organization and compare them against each other to create a ranking and priority for dealing with security issues.
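The averaging step for Table 8.2, as an added example (not code from the book or its author), together with the check a practitioner wants before trusting an average: whether the reviewers actually agree. The reviewer names and scores for the hacker scenario are the table's; the second scenario is constructed, the rule that combines the three criteria into one overall score (mean of the per-criterion averages) is an assumption, and so is the spread threshold used to flag disagreement:

```python
"""Qualitative scoring for the scenario in Table 8.2, plus a disagreement check.

Added example, not code from the book. The reviewer names and 1-10 scores for
"Server X compromised by a hacker" are the ones in the table. The second
scenario is constructed so that ranking has something to order; the rule that
combines the three criteria into one overall score (mean of the per-criterion
averages) is an assumption, and so is the spread threshold used to flag
scenarios on which the reviewers disagree too much to average.
"""
from __future__ import annotations

from statistics import mean

CRITERIA = ("Damage to Productivity", "Damage to Customers", "Likelihood of Threat")
SCALE_MIN, SCALE_MAX = 1, 10

# Scores from Table 8.2, in CRITERIA order.
COMPROMISED = {
    "John": (9, 7, 5),
    "Jane": (3, 2, 3),
    "Mike": (3, 3, 4),
}
# Constructed scenario (not in the book), same reviewers, same criteria.
FIRE = {
    "John": (6, 4, 2),
    "Jane": (5, 3, 1),
    "Mike": (6, 4, 2),
}
SCENARIOS = {
    "Server X compromised by a hacker": COMPROMISED,
    "Server X destroyed by fire": FIRE,
}


def validate(scores: dict[str, tuple[int, ...]]) -> list[str]:
    """Problems with a score sheet: wrong number of answers or a score off the scale.

    An empty list means the sheet is usable. Blank or out-of-range answers are
    exactly the 'little thought in answering' case that invalidates an average.
    """
    problems = []
    for who, row in scores.items():
        if len(row) != len(CRITERIA):
            problems.append(f"{who}: expected {len(CRITERIA)} scores, got {len(row)}")
            continue
        for crit, score in zip(CRITERIA, row):
            if not SCALE_MIN <= score <= SCALE_MAX:
                problems.append(f"{who}: {crit} = {score} is outside {SCALE_MIN}-{SCALE_MAX}")
    return problems


def _columns(scores: dict[str, tuple[int, ...]]) -> list[tuple[int, ...]]:
    """Per-criterion tuples of scores across reviewers; refuses an unusable sheet."""
    problems = validate(scores)
    if problems:
        raise ValueError("; ".join(problems))
    return list(zip(*scores.values()))


def average_scores(scores: dict[str, tuple[int, ...]]) -> dict[str, float]:
    """The 'Average' row of the table: per-criterion mean across reviewers."""
    return {crit: mean(col) for crit, col in zip(CRITERIA, _columns(scores))}


def disagreement(scores: dict[str, tuple[int, ...]], max_spread: int = 4) -> dict[str, int]:
    """Criteria whose score range (max - min) exceeds max_spread, with that range.

    A wide range means the average hides a dispute (John's 9 against the
    others' 3 on productivity) that should be talked out rather than averaged
    away. max_spread = 4 is an assumed threshold, not a value from the book.
    """
    return {
        crit: max(col) - min(col)
        for crit, col in zip(CRITERIA, _columns(scores))
        if max(col) - min(col) > max_spread
    }


def overall_score(scores: dict[str, tuple[int, ...]]) -> float:
    """Assumed combination rule: mean of the per-criterion averages."""
    return mean(list(average_scores(scores).values()))


def rank_scenarios(scenarios: dict[str, dict[str, tuple[int, ...]]]) -> list[str]:
    """Scenario names ordered from highest to lowest overall score."""
    return sorted(scenarios, key=lambda name: overall_score(scenarios[name]), reverse=True)


if __name__ == "__main__":
    for name in rank_scenarios(SCENARIOS):
        sheet = SCENARIOS[name]
        print(f"{name}: overall {overall_score(sheet):.2f}")
        for crit, avg in average_scores(sheet).items():
            print(f"  {crit:<24} average {avg:.1f}")
        if disagreement(sheet):
            print("  disagreement on:", disagreement(sheet))
```

For the table's own data the averages come out 5, 4 and 4 as printed in the book, but disagreement() flags both damage criteria (spreads of 6 and 5), which is the point: the "5" for productivity is not a consensus, it is one 9 and two 3s, and the scenario should go back to the group before it is ranked against others.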

Problems with Traditional Models

While these assessment models give a formal and repeatable process, they also have drawbacks that make them impractical in many situations:

  • Quantitative: It is difficult to reasonably assign a value to an object.

  • Quantitative: It is difficult to calculate the chance per year that a threat will occur.

  • Quantitative: It takes a great deal of time and resources to perform such an audit with any degree of depth.

  • Qualitative: Risk decisions are based primarily on opinion. Opinions can vary widely and thus render the audit useless. Any imbalance, such as people who do not want to participate or who give little thought to their answers, will also invalidate the results.

  • Qualitative: Understanding how to interpret the results or what to do with them can be complicated.

  • Qualitative: Collecting opinions for each object places a heavy burden on employees' time.

  • Both: It is hard to evaluate security relationships with these models.

  • Both: Neither of these models scales well to large environments.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day