

Saturday, September 1, 2007

Risk Assessment and Threat Identification

Although you’ve gathered a considerable amount of data to this point, you will need to analyze this information to determine the probability of a risk occurring, what is affected, and the costs involved with each risk. Once you’ve identified the risks that can pose a probable threat to your company, and determined how much loss can be expected from an incident, you are then prepared to make decisions on how to protect your company.

Risk Assessment

Although you’ve gathered a considerable amount of data to this point, you will need to analyze this information to determine the probability of a risk occurring, what is affected, and the costs involved with each risk. Assets will have different risks associated with them, and you will need to correlate different risks with each of the assets inventoried in a company. Some risks will impact all of the assets of a company, such as the risk of a massive fire destroying a building and everything in it, while in other cases groups of assets will be affected by specific risks.

Assets of a company will generally have multiple risks associated with them. Equipment failure, theft, or misuse can affect hardware, while viruses, upgrade problems, or bugs in the code may affect software. By looking at the weight of importance associated with each asset, you should then prioritize which assets will be analyzed first, and then determine what risks are associated with each.

Once you’ve determined what assets may be affected by different risks, you then need to determine the probability of a risk occurring. While there may be numerous threats that could affect a company, not all of them are probable. For example, a tornado is highly probable for a business located in Oklahoma City, but not highly probable in New York City. For this reason, a realistic assessment of the risks must be performed.

Historical data can provide information on how likely it is that a risk will become reality within a specific period of time. Research must be performed to determine the likelihood of risks within a locality or with certain resources. By determining how often a risk is expected to occur within a year, you can determine what is known as the Annualized Rate of Occurrence (ARO). The ARO is the expected number of occurrences per year, so a risk expected once every ten years has an ARO of 0.1, and one expected twice a year has an ARO of 2.

Information for risk assessment can be acquired through a variety of sources. Police departments may be able to provide crime statistics on the area your facilities are located, allowing you to determine the probability of vandalism, break-ins, or dangers potentially encountered by personnel. Insurance companies will also provide information on risks faced by other companies, and the amounts paid out when these risks became reality. Other sources may include news agencies, computer incident monitoring organizations, and online resources.

Once the ARO has been calculated for a risk, you can then compare it to the monetary loss associated with an asset. This is the dollar value that represents how much money would be lost if the risk occurred. You can calculate this by looking at the cost of fixing or replacing the asset. For example, if a router failed on a network, you would need to purchase a new router, and pay to have the new one installed. In addition to this, the company would also have to pay for employees who aren’t able to perform their jobs because they can’t access the network. This means that the monetary loss would include the price of new equipment, the hourly wage of the person replacing the equipment, and the cost of employees unable to perform their work. When the dollar value of the loss is calculated, this provides total cost of the risk, or the Single Loss Expectancy (SLE).

To plan for the probable risk, you would need to budget for the possibility that the risk will happen. To do this, you need to use the ARO and the SLE to find the Annual Loss Expectancy (ALE). To illustrate how this works, let’s say that the probability of a Web server failing in a given year is 30 percent. This would be the ARO of the risk. If the e-commerce site hosted on this server generates $10,000 an hour and the site would be estimated to be down two hours while the system is repaired, then the cost of this risk is $20,000. In addition to this, there would also be the cost of replacing the server itself. If the server cost $6,000, this would increase the cost to $26,000. This would be the SLE of the risk. By multiplying the ARO and the SLE, you would find how much money would need to be budgeted to deal with this risk. This formula provides the ALE:

ARO x SLE = ALE

When looking at the example of the failed server hosting an e-commerce site, this means the ALE would be:

0.3 x $26,000 = $7,800

To deal with the risk, you need to assess how much needs to be budgeted to deal with the probability of the event occurring. The ALE provides this information, leaving you in a better position to recover from the incident when it occurs.

Exercise: Determining the Annual Loss Expected to Occur From Risks

A widget manufacturer has installed new network servers, changing its network from a peer-to-peer network to a client/server-based network. The network consists of 200 users who make an average of $20 an hour, working on 100 workstations. Previously, none of the workstations on the network had anti-virus software installed. This was because the workstations had no floppy disk drives and no Internet connectivity, so the risk of viruses was deemed minimal. One of the new servers provides a broadband connection to the Internet, which employees can now use to send and receive email and surf the Internet. One of the managers read in a trade magazine that other widget companies have reported an 80 percent chance of viruses infecting their network after installing T1 lines and other methods of Internet connectivity, and that it may take upwards of three hours to restore data that’s been damaged or destroyed. A vendor will sell licensed copies of anti-virus software for all servers and the 100 workstations at a cost of $4,700 per year. The company has asked you to determine the annual loss that can be expected from viruses, and to determine whether it is beneficial in terms of cost to purchase licensed copies of the anti-virus software.

1. What is the Annualized Rate of Occurrence (ARO) for this risk?

2. Calculate the Single Loss Expectancy (SLE) for this risk.

3. Using the formula ARO x SLE = ALE, calculate the Annual Loss Expectancy.

4. Determine whether it is beneficial in terms of monetary value to purchase the anti-virus software by calculating how much money would be saved or lost by purchasing the software.


1. The Annualized Rate of Occurrence (ARO) is the expected number of times a risk will occur within a year. The scenario states that the trade magazine reports an 80% chance of virus infection after connecting to the Internet, so the ARO is 80% or 0.8.

2. The Single Loss Expectancy (SLE) is the dollar value of the loss that equals the total cost of the risk. In the case of this scenario, there are 200 users who make an average of $20 per hour. Multiplying the number of employees who are unable to work due to the system being down by their hourly income, this means that the company is losing $4,000 an hour (200 x $20 = $4000). Because it may take up to three hours to repair damage from a virus, this amount must be multiplied by three because employees will be unable to perform duties for approximately three hours. This makes the SLE $12,000 ($4,000 x 3 = $12,000).

3. The ALE is calculated by multiplying the ARO by the SLE (ARO x SLE = ALE). In this case, this would mean that you would multiply $12,000 by 80 percent (0.8) to give you $9,600 (0.8 x $12,000 = $9,600). Therefore, the ALE is $9,600.

4. Because the ALE is $9,600, and the cost of the software that will minimize this risk is $4,700 per year, this means that the company would save $4,900 per year by purchasing the software ($9,600 - $4,700 = $4,900). Note that this saving assumes the software prevents every infection (a residual ARO of zero) and that the SLE captures the whole loss; the labor spent restoring data and any data that cannot be recovered are not counted in the $12,000. If the software only reduces the ARO, the saving is the reduction in ALE less the $4,700 licence cost.
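The calculations in the Web server example and in the exercise above, worked through in Python as an added example (this code is not from the original article or its author). It reproduces both of the article's figures, then goes one step beyond the page: the cost/benefit step is generalised so that a control which only reduces the ARO, rather than removing the risk outright, can be costed, and the break-even ARO for a control's yearly price can be found. The `residual_aro` values used in the demonstration are constructed for illustration and are not from the page.

```python
"""Worked ARO / SLE / ALE calculation.

Added example, not part of the original article: reproduces the article's
e-commerce server figures and the widget-company anti-virus exercise, then
generalises the cost/benefit step to controls that only reduce the ARO.
The residual-ARO figures used below are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One threat against one asset, quantified the way the article does."""
    name: str
    aro: float                     # Annualized Rate of Occurrence: expected incidents per year
    downtime_hours: float = 0.0    # hours the asset is unavailable per incident
    loss_per_hour: float = 0.0     # revenue lost, or wages paid to idle staff, per hour down
    replacement_cost: float = 0.0  # hardware / rebuild cost per incident
    repair_labor: float = 0.0      # cost of the person doing the repair, per incident

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: everything one occurrence costs."""
        return (self.downtime_hours * self.loss_per_hour
                + self.replacement_cost + self.repair_labor)

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ARO x SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    """A safeguard with a yearly cost. residual_aro is the ARO left once it is
    in place; 0.0 means the control is assumed to prevent the risk outright,
    which is the article's assumption for the anti-virus exercise."""
    name: str
    annual_cost: float
    residual_aro: float = 0.0


def control_value(risk: Risk, control: Control) -> float:
    """Net yearly value of applying `control` to `risk`:
    ALE without the control - ALE with it - yearly cost of the control.
    Positive: the control saves money. Negative: accepting the risk is cheaper."""
    residual = replace(risk, aro=control.residual_aro)
    return risk.ale - residual.ale - control.annual_cost


def break_even_aro(risk: Risk, control: Control) -> float:
    """Lowest ARO at which the control still pays for itself.
    Solves (aro - residual_aro) * SLE - annual_cost = 0 for aro."""
    return control.residual_aro + control.annual_cost / risk.sle


def web_server_example() -> Risk:
    """Article's e-commerce server: ARO 0.3, two hours down at $10,000/h, $6,000 to replace."""
    return Risk("web server failure", aro=0.3, downtime_hours=2,
                loss_per_hour=10_000, replacement_cost=6_000)


def widget_example() -> tuple[Risk, Control]:
    """The exercise: 200 users x $20/h idle for three hours; anti-virus licences $4,700/year."""
    risk = Risk("virus infection", aro=0.8, downtime_hours=3, loss_per_hour=200 * 20)
    return risk, Control("anti-virus licences", annual_cost=4_700)


if __name__ == "__main__":
    srv = web_server_example()
    print(f"{srv.name}: SLE ${srv.sle:,.0f}, ALE ${srv.ale:,.0f}")

    virus, av = widget_example()
    print(f"{virus.name}: SLE ${virus.sle:,.0f}, ALE ${virus.ale:,.0f}")
    print(f"  {av.name}, prevents every infection: saves ${control_value(virus, av):,.0f}/year")

    # Constructed variant: the software stops most, but not all, infections.
    partial = replace(av, residual_aro=0.2)
    print(f"  {av.name}, residual ARO 0.2: saves ${control_value(virus, partial):,.0f}/year")
    print(f"  break-even ARO for a ${av.annual_cost:,.0f}/year control: {break_even_aro(virus, av):.2f}")
```

Run it as a script to see the $7,800 and $9,600 ALEs from the text and the $4,900 saving from the exercise; the residual-ARO variant shows how quickly the saving shrinks once the control is credited with less than total prevention, and the break-even figure tells you the ARO below which the licence is no longer worth buying.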

Threat Identification

Once you’ve identified the risks that can pose a probable threat to your company, and determined how much loss can be expected from an incident, you are then prepared to make decisions on how to protect your company. After performing a risk assessment, you may find a considerable number of probable threats that can affect your company. These may include intrusions, vandalism, theft, or other incidents and situations that may vary from business to business. This may make any further actions dealing with risk management seem impossible.

The first thing to realize is that there is no way to eliminate every threat that may affect your business. There is no such thing as absolute security. To make a facility absolutely secure would be excessive in price, and it would be so secure that no one would be able to enter and do any work. The goal is to manage risks, so that the problems resulting from them will be minimized.

The other important issue to remember is that some threats will be excessive in cost to prevent. For example, there are a number of threats that can impact a server. Viruses, hackers, fire, vibrations, and other risks are only a few. To protect the server, it is possible to install security software (such as anti-virus software and firewalls) and make the room fireproof, earthquake-proof, and secure from any number of threats. The cost of doing so, however, will eventually become more expensive than the value of the asset. It would be wiser to back up the data, install a firewall and anti-virus software, and accept the risk that the remaining threats may occur. The rule of thumb is to decide which risks are acceptable.

After calculating the loss that may be experienced from a threat, you will need to find cost-effective measures of protecting yourself. To do this, you will need to identify which threats will be dealt with and how. Decisions will need to be made by management as to how to proceed, based on the data you’ve collected on risks. In most cases, this will involve devising methods of protecting the asset from threats. This may involve installing security software, implementing policies and procedures, or adding additional security measures to protect the asset.

You may decide that the risks involved with an asset are too high, and the costs to protect it are too high, as well. In such cases, the asset should be moved to another location, or eliminated completely. For example, if there is a concern about a Web server affected by vibrations from earthquakes in California, then moving the Web server to the branch office in New York nullifies that particular threat, although the server remains exposed to the threats present at the new location. By removing the asset altogether, you eliminate the risk of it being damaged or destroyed.

Another option is to transfer the potential loss associated with a threat to another party. Insurance policies can be taken out insuring the asset, so that if any loss occurs the company can be reimbursed through the policy. Leasing equipment or services through another company can also transfer the risk. If a problem occurs, the leasing company will be responsible for fixing or replacing the assets involved.

Finally, the other option is to do nothing about the potential threat, and live with the consequences (if they occur). This happens more often than you’d expect, especially when you consider that security is a tradeoff. For every security measure put in place, it makes it more difficult to access resources and requires more steps for people to do their jobs. A company may have broadband Internet connectivity through a T1 line for employees working from computers inside the company, and live with the risk that they may download malicious programs. While this is only one possible situation where a company will live with a potential threat (and gamble that it stays “potential” only), it does show that in some situations, it is preferable to have the threat rather than to lose a particular service.

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in-depth experience with globally deployed Microsoft and Cisco systems. Robert works with new companies constantly to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster-free. Robert is the author of many security-related articles and published books, including the best-selling "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best-selling Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. Robert can be found online at

