About Risk Analysis


Although risk analysis means many things to many people, in the most fundamental sense, it means determining the expected loss associated with each source or cause of loss in computing systems and networks. In an organization, for example, tampering with financial applications might be perceived as the greatest risk, followed by damage to or disruption of the networking infrastructure, followed by external intrusions into servers that house financial applications, followed by something else.

Risk analysis can be either quantitative or qualitative. A quantitative risk analysis, as the term implies, involves numbers (normally monetary figures) to represent the amount of risk believed to be present. A quantitative risk analysis in the United States, for example, would yield expected dollar losses for each source of risk. In an annual loss expectancy (ALE), the expected loss associated with each individual source of risk during a year is calculated. The formula for determining the expected loss for each source of risk is the probability of occurrence multiplied by the cost of the negative outcome or loss:

Risk = Probability x Loss

The sum of all expected losses for the year is the ALE. Table 2.1 illustrates a hypothetical ALE calculation.

Table 2.1. Hypothetical Calculation of the ALE

Source                                               Probability   Loss          Risk
Destruction of customer database                     .005          $24,000,000   $120,000
Unauthorized loss of copyright data to competitors   .003          $35,000,000   $105,000
Sabotage of major network components                 .001          $18,000,000   $18,000
Disruption of billing systems                        .002          $8,000,000    $16,000
Worm or virus attack                                 .05           $90,000       $4,500
TOTAL                                                                            $263,500
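The following is an added worked example, not code from the book: it carries the Risk = Probability x Loss formula through the figures of Table 2.1, computes the ALE, orders the sources by expected loss (the protection priority the text refers to), and cross-checks the printed Risk and TOTAL cells against the arithmetic. Decimal rather than float is a choice made here so that the dollar figures compare exactly; the RiskSource type and the helper names are this example's own.

```python
from decimal import Decimal
from typing import Dict, List, NamedTuple, Tuple


class RiskSource(NamedTuple):
    name: str
    probability: Decimal  # annual probability that the loss event occurs
    loss: Decimal         # cost of the negative outcome, in dollars


# Figures copied from Table 2.1 (the book's hypothetical example).
TABLE_2_1: List[RiskSource] = [
    RiskSource("Destruction of customer database", Decimal("0.005"), Decimal(24_000_000)),
    RiskSource("Unauthorized loss of copyright data to competitors", Decimal("0.003"), Decimal(35_000_000)),
    RiskSource("Sabotage of major network components", Decimal("0.001"), Decimal(18_000_000)),
    RiskSource("Disruption of billing systems", Decimal("0.002"), Decimal(8_000_000)),
    RiskSource("Worm or virus attack", Decimal("0.05"), Decimal(90_000)),
]

# The Risk column and TOTAL as printed in Table 2.1, used to cross-check the arithmetic.
STATED_RISK: Dict[str, Decimal] = {
    "Destruction of customer database": Decimal(120_000),
    "Unauthorized loss of copyright data to competitors": Decimal(105_000),
    "Sabotage of major network components": Decimal(18_000),
    "Disruption of billing systems": Decimal(16_000),
    "Worm or virus attack": Decimal(4_500),
}
STATED_TOTAL = Decimal(263_500)


def expected_loss(source: RiskSource) -> Decimal:
    """Risk = Probability x Loss for a single source."""
    return source.probability * source.loss


def annual_loss_expectancy(sources) -> Decimal:
    """ALE = sum of the expected losses of every source over the year."""
    return sum((expected_loss(s) for s in sources), Decimal(0))


def ranked_by_risk(sources) -> List[RiskSource]:
    """Sources ordered from highest to lowest expected loss (the protection priority)."""
    return sorted(sources, key=expected_loss, reverse=True)


def check_table(sources, stated_risk, stated_total) -> List[Tuple[str, Decimal, Decimal]]:
    """Recompute every Risk cell and the TOTAL; return (row, stated, computed) for each mismatch."""
    mismatches = []
    for s in sources:
        computed = expected_loss(s)
        if computed != stated_risk[s.name]:
            mismatches.append((s.name, stated_risk[s.name], computed))
    total = annual_loss_expectancy(sources)
    if total != stated_total:
        mismatches.append(("TOTAL", stated_total, total))
    return mismatches


def dollars(amount: Decimal) -> str:
    """Format a Decimal as a whole-dollar figure with thousands separators."""
    return f"${amount:,.0f}"


if __name__ == "__main__":
    for s in ranked_by_risk(TABLE_2_1):
        print(f"{s.name:<52} {s.probability:>6} {dollars(s.loss):>13} {dollars(expected_loss(s)):>10}")
    print(f"{'ALE':<52} {'':>6} {'':>13} {dollars(annual_loss_expectancy(TABLE_2_1)):>10}")
    problems = check_table(TABLE_2_1, STATED_RISK, STATED_TOTAL)
    print("Table 2.1 arithmetic checks out" if not problems else f"mismatches: {problems}")
```

Note that the ranking by expected loss is not the same as ranking by loss magnitude or by probability alone: the worm or virus attack is by far the most probable event in the table yet sits last, while the two low-probability, high-cost events dominate the ALE. That inversion is the reason the text treats the calculation as a basis for deciding where protection effort goes.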

Alternatively, other professionals prefer to simply determine whether each threat is high, medium, or low in impact, a qualitative approach in that the output is a rating rather than a number. This is, in many respects, the most intuitive approach. Table 2.2 shows the results of a hypothetical qualitative risk analysis based on the same sources of threat as in Table 2.1.

Table 2.2. Hypothetical Qualitative Risk Analysis

Source                                               Risk
Destruction of customer database                     High
Unauthorized loss of copyright data to competitors   High
Sabotage of major network components                 Medium
Disruption of billing systems                        Medium
Worm or virus attack                                 Low

There is little agreement within the field of computer and information security concerning exactly how to conduct a risk analysis. Controversy concerning whether quantitative risk analysis is better than qualitative risk analysis abounds. Proponents of qualitative risk analysis argue (among other things) that quantitative risk analysis implies a precision that does not really exist. Critics of the qualitative approach argue that it lacks precision. Still others say that risk analysis really boils down to little more than guesswork based on gut feelings at best. Those who downplay the value of risk analysis altogether are likely to embrace the previously discussed due care approach instead.

Despite spirited opposition and disagreement, risk analysis remains a fixture in the field of information security. A major reason that so many information security professionals value risk analysis so highly is not only that it provides a basis for determining the relative degree to which resources need to be protected, but also that the process of performing a risk analysis helps those engaged in it to better understand what they are trying to protect and why.

Assessing Risk

As should now be evident, no proven, well-accepted method of assessing risk currently exists. Several criteria are frequently applied, however, when professionals consider the degree of risk present. These criteria include the following:

  1. Monetary cost. How expensive would it be to fix whatever has occurred as the result of an incident?

  2. Operations impact. To what degree would critical services be lost and operational schedules disrupted?

  3. Public relations fallout. What kind of negative publicity would occur, especially outside of one's organization?

  4. Impact on humans. Would the incident elevate danger to humans in terms of safety, morale, loss of confidence in management and/or computing systems, and so on?

The treatment of risk analysis in this chapter represents anything but another attempt to regurgitate the principles of traditional risk analysis or to take one of the many (sometimes ludicrous) positions professionals have adopted concerning the "correct" way to perform a risk analysis. The reason that risk analysis is the theme of this entire chapter is that it is one of the most important parts of responding to incidents, as you will see shortly.


Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103