There are two commonly used risk-assessment approaches that essentially combine elements of risk management and risk analysis with financial impact and financial return on investment calculations. Determining which approach is best depends on the landscape of your IT infrastructure and assets and how your organization makes business decisions. Many organizations lack the adequate asset management, asset valuation, and intrinsic dollar valuation for their IT infrastructure and assets. Without accurate financials and access to financial data, conducting a quantitative risk assessment is difficult, if not impossible. In this case, organizations typically choose to do a qualitative risk assessment by assigning mission criticality values and priorities to those IT assets that are critical to the organization. This is a subjective prioritization that typically requires an organization's executive management team to define for the IT organization. This is why it is important to align an organization's business drivers, goals, and objectives with the overall risk assessment. The only tricky part is defining what the yardstick of measurement is for your organization (that is, what is most important to you, what threats you are most concerned with, and so on).
Quantitative Risk-Assessment Approach
Organizations that have accurate asset management, inventory management, annual software and hardware maintenance contracts, and access to accurate financials and depreciation schedules for IT assets typically conduct a quantitative risk assessment. A quantitative risk assessment is a methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized. Performing a methodical quantitative risk assessmentinvolves assessing the asset value and threats to those critical IT assets. This is accompanied with several calculations that provide insight into the cost magnitude elements of the security requirement.
Because of the direct relationship between the cost of security and the amount or level of security desired, conducting an asset valuation and a risk and threat analysis is a critical step in conducting a quantitative risk assessment. This critical step will assist organizations in making effective business decisions. By assessing the risks and threats and comparing them to quantitative and measurable financial impacts, an organization's management is better equipped to make sound business decisions pertaining to prioritizing investments for security controls and security countermeasures.
The following steps describe conducting a quantitative risk assessment for an IT asset:
1. |
Determine the Asset Value (AV) for each IT asset. |
2. |
Identify threats to the asset. |
3. |
Determine the Exposure Factor (EF) for each IT asset in relation to each threat. |
4. |
Calculate the Single Loss Expectancy (SLE). |
5. |
Calculate the Annualized Rate of Occurrence (ARO). |
6. |
Calculate the Annualized Loss Expectancy (ALE). |
The first step in conducting a quantitative risk assessment is to identify all the IT assets that will act as the IT infrastructure's asset inventory. These assets should then be prioritized in regard to the systems and applications that support the organization's business processes and functions.
The second step is to identify the likelihood of a threat occurring to those IT assets. These threats include both internal and external threats, natural and man-made threats, accidental or intentional threats, and hardware or software vulnerabilities. For each threat, the risk assessor must calculate the estimated impact of the threat on that IT asset and the likelihood of occurrence or probability that the threat will occur.
The third step is to define the exposure factor, which is the subjective, potential percentage of loss to a specific IT asset if a specific threat is realized. The exposure factor (EF) is a subjective value that the risk assessor must define. It is important to identify as many threats or vulnerabilities as possible so that a clear understanding of those risks can be derived when determining the EF value. This is usually in the form of a percentage of the likelihood of it occurring, similar to how weather reports predict the likelihood of rain. For example, a hurricane may be a serious catastrophic threat to an IT asset because it can wipe out an entire data center in an office building, but if that office building is located in New York City, the likelihood of occurrence or exposure factor is negligible. Although there are no scales or predefined percentages or likelihood of occurrence values, the risk assessor must figure out how best to provide the percentage.
The fourth step is to calculate the single loss expectancy (SLE). The SLE value is a dollar value figure that represents the organization's loss from a single loss or loss of this particular IT asset. This is a financially calculated value that provides a measurable and comparable value to other IT assets that the organization may have. This allows for a consistent and logical prioritization of all IT assets within an IT infrastructure, which in turn allows an organization to prioritize its security controls and security countermeasures according to the highest SLE calculated for an IT asset. These should be ranked from highest to lowest, providing a prioritization and SLE value that can be compared with all the other critical IT assets of the organization.
The fifth step in a quantitative risk-assessment calculation for an IT asset is to assign a value for the annualized rate of occurrence (ARO). The ARO is a value that represents the estimated frequency at which a given threat is expected to occur. For the preceding customer database example, the two threats that were assessed were a critical software vulnerability and exposure to malicious code or malicious software because of the void in antivirus and personal firewall security countermeasures. Either of these threats being realized could cause a critical or major security incident. In the example of a critical virus infecting the customer database and the server that houses it, the ARO may be once every four years, so the ARO may be 0.25. If the threat was a hurricane and the IT data center was located in a hurricane belt, the ARO may very well be a higher value, such as 0.75 or even 0.80, given the frequency of potential hurricane damage.
The sixth step is to assign a value for the annualized loss expectancy (ALE). The ALE is an annual expected financial loss to an organization's IT asset because of a particular threat being realized within that same calendar year. The ALE is typically the value that executive management needs to assess the priority and threat potential if one were to occur. This is where the ROI or cost-benefit analysis comes into play, especially if you have to justify the cost of security controls and security countermeasures based on the calculated values pertaining to a quantitative risk assessment.
Qualitative Risk-Assessment Approach
A qualitative risk assessment is scenario based, where one scenario is examined and assessed for each critical or major threat to an IT asset. A qualitative risk assessment examines the asset, the threat, and the exposure or potential for loss that would occur if the threat were realized on the IT asset. A Qualitative Risk Assessment requires the risk assessor to assess and play "What If?" regarding specific threat conditions on IT assets. Qualitatively, the risk assessor must conduct a risk and threat analysis and assess the impact of that threat on the IT asset. This must be done consistently and without bias for all IT assets and their identified threats as part of the scenario-based assessment. For example, a data classification standard will dictate the importance of data and the IT systems, resources, and applications that support that data. This data classification standard will dictate the level of security controls and security countermeasures needed for the different types of datasome confidential and some in the public domain.
The purpose of a qualitative risk assessment is to provide a consistent and subjective assessment of the risk to specific IT assets. This typically involves a group or team of members participating in the assessment. All members of the IT organization should participate in risk assessments for various IT assets within the seven areas of information security responsibility; thus, the IT staff and those responsible for maintaining the confidentiality, integrity, and availability of the IT asset all have ownership. Within each of the seven areas of information security responsibility, for example, assets, threats, and their exposure can be assessed. A qualitative risk assessment is scenario based, with an examination of the IT asset, the threat (there can be more than one), and then the exposure of that threat on the IT asset.
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Risk-Assessment Methodologies
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Post-Assessment Activities
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template