Mathematics Can Be Simple, even for the Mathematically Challenged




Threat analysis is where we compare the nature of threats and their frequency of occurrence with the value of the asset. The risk team should consider the response information in the completed questionnaires, their own experience, and the expertise of those outside the risk team. Do not be proud; it is acceptable for the team to consult with others who have more experience in certain business operations.

There are two assessment concepts: quantitative analysis and qualitative analysis. The distinction is fairly simple: quantitative analysis is a process in which numeric values are assigned to the elements of risk analysis. Those who are inclined to measure differences and similarities in numeric form are very comfortable with this approach. In the qualitative model, asset values, threat frequency, and safeguard efficiency are indicated by values reflecting the experience of the risk team. Values are based on subjective expressions stated in relative terms, with the credibility resting with the team. Qualitative reports usually require much less explanation, and therefore depend more on the strength of the team's writing ability.

Executives, auditors, and stockholders are more likely to understand risk assessment reports in the quantitative model. They appreciate the report's granularity, which has the added advantage of making findings more difficult to distort. One of the more important features to consider is that risk reports will be reviewed by outside people who do not have the view, knowledge, or experience of the risk team.

Experience Note 

In the face of disasters, litigation is always a question. Consequently, one of the first documents sought is the most-current risk analysis report.

Single Loss Expectancy and Annualized Loss Expectancy

The National Institute of Standards and Technology lays the foundation for the standards used to calculate single loss expectancy (SLE) and annualized loss expectancy (ALE).

This is a good time to deliver the mathematical formula for arriving at the single loss expectancy: take the replacement value of an asset and multiply it by the exposure factor to arrive at the SLE. For example, we value a file server at $50,000 excluding data, and we know that it is located in the basement of an office building. According to the local county recorder's office, the office building's basement is located 15 feet beneath the flood plain. Consequently, the company has been paying for flood insurance since the date it moved into this location. A review of news articles and information from the local weather bureau showed the area surrounding the office building has been severely flooded as a result of hurricanes four times in the past 20 years. Because the basement is located beneath the flood plain, it is reasonable to assume the equipment located there would be a total loss if flooded. So, the asset exposure factor would be expressed as 100 percent, and the chance of flooding is one in five.

Doing the calculation, we find that the replacement value of our server, minus data, is $50,000 and the exposure factor is 100 percent. The expressed SLE is $50,000.

Now calculate the ALE by multiplying the SLE ($50,000) by the annualized rate of occurrence (ARO). This is expressed as 1/5. Remember, a flood occurred once every five years. This is expressed as SLE × ARO = ALE. Turning the crank on the numbers reveals an ALE of $10,000. The purpose of this drill is realized when we complete the risk analysis report; we're going to schedule the SLE and ARO for critical assets.
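The calculation above, generalized into a small schedule of critical assets ranked by ALE. This is an added example, not code from the book: the class and function names are hypothetical, the ARO is derived from the event history (four floods in 20 years), and every row except the file server is constructed sample data.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class AssetRisk:
    name: str
    replacement_value: int      # dollars, excluding data
    exposure_factor: Fraction   # share of value lost per event, 0..1
    events_observed: int        # times the threat occurred ...
    years_observed: int         # ... over this many years of records

    def __post_init__(self):
        # Reject inputs that would silently distort the report.
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.years_observed <= 0 or self.events_observed < 0:
            raise ValueError("need a positive observation window")

    @property
    def sle(self) -> Fraction:
        # Single loss expectancy = replacement value x exposure factor
        return self.replacement_value * self.exposure_factor

    @property
    def aro(self) -> Fraction:
        # Annualized rate of occurrence, taken from the historical record
        return Fraction(self.events_observed, self.years_observed)

    @property
    def ale(self) -> Fraction:
        # Annualized loss expectancy = SLE x ARO
        return self.sle * self.aro


def risk_schedule(assets):
    """Return (name, SLE, ARO, ALE) rows, highest annual loss first."""
    rows = [(a.name, a.sle, a.aro, a.ale) for a in assets]
    return sorted(rows, key=lambda row: row[3], reverse=True)


# The file server is the page's example; the other rows are constructed.
ASSETS = [
    AssetRisk("badge printer (constructed)", 3_000, Fraction(1, 4), 1, 10),
    AssetRisk("basement file server", 50_000, Fraction(1), 4, 20),
    AssetRisk("branch router (constructed)", 8_000, Fraction(1, 2), 3, 2),
]

if __name__ == "__main__":
    for name, sle, aro, ale in risk_schedule(ASSETS):
        print(f"{name:30} SLE ${float(sle):>9,.2f}  ARO {float(aro):.2f}  ALE ${float(ale):>9,.2f}")
```

Exact fractions keep the one-in-five rate from picking up floating-point rounding before the figures reach the report.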






Critical Incident Management
ISBN: 084930010X
EAN: 2147483647
Year: 2004
Pages: 144
