Search in ISMS Guides


Saturday, July 28, 2007

Risk Analysis Steps

The three primary steps in performing a risk analysis are similar to the steps in
performing a Business Impact Assessment (see Chapter 6, “Operations Security”).
However, a risk analysis is commonly much more comprehensive and is designed to be
used to quantify complicated, multiple-risk scenarios.

The three primary steps are as follows:
1. Estimate the potential losses to assets by determining their value.
2. Analyze potential threats to the assets.
3. Define the Annualized Loss Expectancy (ALE).

Estimate Potential Losses

To estimate the potential losses incurred during the realization of a threat, the assets
must be valued by commonly using some sort of standard asset valuation process (this
is described in more detail later). This results in an assignment of an asset’s financial
value by performing the EF and the SLE calculations.

Analyze Potential Threats

Here we determine what the threats are, and how likely and often they are to occur. To
define the threats, we must also understand the asset’s vulnerabilities and perform an
ARO calculation for the threat and vulnerabilities.

All types of threats should be considered in this section, no matter if they seem likely or
not. It is may be helpful to organize the threat listing into the types of threats by source,
or by their expected magnitude. In fact, some organizations can provide statistics on
the frequency of various threats that occur in your area. In addition, the other domains
of InfoSec discussed in this book have several varied listings of the categories of

Some of the following categories of threats could be included in this section.
Data Classification. Data aggregation or concentration that results in data inference,
covert channel manipulation, a malicious code/virus/Trojan horse/worm/logic bomb, or
a concentration of responsibilities (lack of separation of duties)
Information Warfare. Technology-oriented terrorism, malicious code or logic, or
emanation interception for military or economic espionage
Personnel. Unauthorized or uncontrolled system access, the misuse of technology by
authorized users, tampering by disgruntled employees, or falsified data input
Application/Operational. Ineffective security application that results in procedural
errors or incorrect data entry
Criminal. Physical destruction or vandalism, the theft of assets or information,
organized insider theft, armed robbery, or physical harm to personnel
Environmental. Utility failure, service outage, natural disasters, or neighboring
Computer Infrastructure. Hardware/equipment failure, program errors, operating
system flaws, or a communications system failure
Delayed Processing. Reduced productivity or a delayed funds collection that results
in reduced income, increased expenses, or late charges

Define the Annualized Loss Expectancy (ALE)

Once the SLE and ARO have been determined, we can estimate the ALE using the
formula we previously described.

After performing the Risk Analysis, the final results should contain the following:
Valuations of the critical assets in hard costs
A detailed listing of significant threats
Each threat’s likelihood and its possible occurrence rate
Loss potential by a threat — the dollar impact the threat will have on an asset
Recommended remedial measures and safeguards or countermeasures

There are three generic remedies to risk, which may take the form of either one or a
combination of the following three:
Risk Reduction. Taking measures to alter or improve the risk position of
an asset throughout the company
Risk Transference. Assigning or transferring the potential cost of a loss
to another party (like an insurance company)
Risk Acceptance. Accepting the level of loss that will occur, and
absorbing that loss
The remedy chosen will usually be the one that results in the greatest risk reduction,
while retaining the lowest annual cost necessary to maintain a company.

No comments: