Although risk analysis means many things to many people, in the most fundamental sense, it means determining the expected loss associated with each source or cause of loss in computing systems and networks. In an organization, for example, tampering with financial applications might be perceived as the greatest risk, followed by damage to or disruption of the networking infrastructure, followed by external intrusions into servers that house financial applications, followed by something else.

Risk analysis can be either quantitative or qualitative. A quantitative risk analysis, as the term implies, involves numbers (normally monetary figures) to represent the amount of risk believed to be present. A quantitative risk analysis in the United States, for example, would yield expected dollar losses for each source of risk. In an annual loss expectancy (ALE), the expected loss associated with each individual source of risk during a year is calculated. The formula for determining the expected loss for each source of risk is the probability of occurrence multiplied by the cost of the negative outcome or loss:

Risk = Probability x Loss

The sum of all expected losses for the year is the ALE. Table 2.1 illustrates a hypothetical ALE calculation.

Table 2.1. Hypothetical Calculation of the ALE
Alternatively, other professionals prefer to simply determine whether each threat is high, medium, or low in impact, a qualitative approach in that the output is not quantitative. This is, in many respects, the most intuitive approach. Table 2.2 shows the results of a hypothetical qualitative risk analysis based on the same sources of threat as in Table 2.1.

Table 2.2. Hypothetical Qualitative Risk Analysis
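The two approaches above, the quantitative ALE (Risk = Probability x Loss, summed over all sources) and the qualitative high/medium/low rating, can be worked through on the same list of threat sources. The following is an added example, not code from the book; the threat sources, their probabilities and dollar losses are constructed sample data rather than the contents of Table 2.1, and the dollar thresholds used to map an expected loss onto high, medium or low are an assumption made here for illustration.

```python
"""Worked ALE and qualitative risk rating (added example, not from the book)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RiskSource:
    """One source or cause of loss, as described in the risk-analysis text."""
    name: str
    probability: float  # probability that the loss occurs within one year, 0.0 to 1.0
    loss: float         # cost of the negative outcome if it occurs, in dollars

    def expected_loss(self) -> float:
        """Risk = Probability x Loss for this single source."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.loss < 0:
            raise ValueError(f"{self.name}: loss cannot be negative")
        return self.probability * self.loss


def annual_loss_expectancy(sources: Iterable[RiskSource]) -> float:
    """ALE: the sum of the expected losses of every source for the year."""
    return sum(s.expected_loss() for s in sources)


def rank_sources(sources: Iterable[RiskSource]) -> List[str]:
    """Names of the sources from greatest to smallest expected loss, which is
    the ordering the text uses when it speaks of the 'greatest risk, followed by'."""
    ordered = sorted(sources, key=lambda s: s.expected_loss(), reverse=True)
    return [s.name for s in ordered]


# Assumed thresholds (not from the book): an expected loss at or above HIGH_AT
# dollars is rated high, at or above MEDIUM_AT is medium, anything below is low.
HIGH_AT = 50_000.0
MEDIUM_AT = 10_000.0


def qualitative_rating(expected_loss: float,
                       high_at: float = HIGH_AT,
                       medium_at: float = MEDIUM_AT) -> str:
    """Map a dollar expected loss onto the qualitative high/medium/low scale."""
    if expected_loss >= high_at:
        return "high"
    if expected_loss >= medium_at:
        return "medium"
    return "low"


def qualitative_analysis(sources: Iterable[RiskSource]) -> List[Tuple[str, str]]:
    """The Table 2.2-style view: (source name, rating) for each source, in input order."""
    return [(s.name, qualitative_rating(s.expected_loss())) for s in sources]


# Constructed sample data for illustration; these are not the figures of Table 2.1.
SAMPLE_SOURCES = (
    RiskSource("Tampering with financial applications", 0.10, 500_000.0),
    RiskSource("Disruption of networking infrastructure", 0.25, 120_000.0),
    RiskSource("External intrusion into financial servers", 0.05, 200_000.0),
    RiskSource("Loss of an employee laptop", 0.80, 2_000.0),
)


if __name__ == "__main__":
    for source in SAMPLE_SOURCES:
        print(f"{source.name:<45} {source.probability:>5.2f} x "
              f"${source.loss:>10,.0f} = ${source.expected_loss():>10,.0f} "
              f"({qualitative_rating(source.expected_loss())})")
    print(f"{'Annual loss expectancy (ALE)':<45} ${annual_loss_expectancy(SAMPLE_SOURCES):>27,.0f}")
    print("Ranked:", " > ".join(rank_sources(SAMPLE_SOURCES)))
```

Running the block prints one line per source in the form of the ALE table, the summed ALE, and the ranking. Note that the qualitative ratings here are derived from the quantitative figures, which is only one way to arrive at them; as the text observes, many practitioners assign high, medium or low directly, without first estimating dollar values.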
There is little agreement within the field of computer and information security concerning exactly how to conduct a risk analysis. Controversy concerning whether quantitative risk analysis is better than qualitative risk analysis abounds. Proponents of qualitative risk analysis argue (among other things) that risk analysis implies a precision that does not really exist. Critics of the qualitative approach argue that this approach lacks precision. Still others say that risk analysis really boils down to little more than guesswork based on gut feelings at best. Those who downplay the value of risk analysis altogether are likely to embrace the previously discussed due care approach instead. Despite spirited opposition and disagreement, risk analysis remains a fixture in the field of information security. A major reason that so many information security professionals value risk analysis so highly is not only that it provides a basis for determining the relative degree to which resources need to be protected, but also that the process of performing a risk analysis helps those engaged in it to better understand what they are trying to protect and why.
The treatment of risk analysis in this chapter represents anything but another attempt to regurgitate the principles of traditional risk analysis or to take one of the many (sometimes ludicrous) positions professionals have adopted concerning the "correct" way to perform a risk analysis. The reason that risk analysis is the theme of this entire chapter is that it is one of the most important parts of responding to incidents, as you will see shortly.