RISK ASSESSMENT 

· Assigns a risk rating or score to each information asset.

· It is useful in gauging the relative risk to each vulnerable asset.

Valuation of information assets

· Assign weighted scores for the value to the organization of each information asset.

· The National Institute of Standards & Technology (NIST) publishes standards for doing this.

· To be effective, the values must be assigned by asking the following questions:

–   Which threats present a danger to the organization's assets in the given environment?

–   Which threats represent the most danger to the organization's information?

–   How much would it cost to recover from a successful attack?

–   Which of the threats would require the greatest expenditure to prevent?

Likelihood

· The probability that a specific vulnerability within an organization will be successfully attacked.

· NIST publishes standards for rating it.

· Scale: 0.1 = low, 1.0 = high.

· Eg: the number of network attacks can be forecast from how many network addresses the organization has assigned.

Risk Determination

Risk = [(Likelihood of vulnerability occurrence) × (Value of information asset)] − (% of risk mitigated by current controls) + (uncertainty of current knowledge of the vulnerability)

Both percentage terms are applied to the (likelihood × value) product, as the worked example below shows.

· For the purpose of relative risk assessment, risk equals:

–   likelihood of vulnerability occurrence TIMES value (or impact)

–   MINUS the percentage of risk already controlled

–   PLUS an element of uncertainty

Eg: Information asset A has a value score of 50 and one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls; you estimate that your assumptions and data are 90% accurate (so the uncertainty is 10%).

Solution:

Risk = [(1.0) × 50] − 0% + 10%

= (50 × 1.0) − ((50 × 1.0) × 0.0) + ((50 × 1.0) × 0.1)

= 50 − 0 + 5

= 55
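The same formula applied to a small asset register, as an added example (not part of the original notes): asset A and Vulnerability 1 are the worked example above; asset B and its two vulnerabilities are constructed sample data, and the ranking step goes beyond the notes by ordering every asset/vulnerability pair by relative risk.

```python
from dataclasses import dataclass, field

# Added example: scoring and ranking assets with the relative-risk formula above.
# Asset A / Vulnerability 1 come from the worked example; asset B and its
# vulnerabilities are constructed sample values.

@dataclass
class Vulnerability:
    name: str
    likelihood: float     # 0.1 (low) to 1.0 (high)
    controls: float       # fraction of risk already mitigated by current controls
    accuracy: float       # how accurate the assumptions and data are believed to be

@dataclass
class Asset:
    name: str
    value: float          # weighted value score of the asset to the organization
    vulnerabilities: list = field(default_factory=list)

def relative_risk(value, likelihood, controls, accuracy):
    """Risk = (L x V) - (L x V x controls) + (L x V x uncertainty),
    where uncertainty = 1 - accuracy (90% accurate data -> 10% uncertainty)."""
    for pct in (likelihood, controls, accuracy):
        if not 0.0 <= pct <= 1.0:
            raise ValueError("likelihood, controls and accuracy must be in [0, 1]")
    base = likelihood * value
    return base - base * controls + base * (1.0 - accuracy)

def rank_vulnerabilities(assets):
    """Return (asset, vulnerability, risk) triples, highest relative risk first,
    so the most exposed asset/vulnerability pairs are treated first."""
    rows = [(a.name, v.name, relative_risk(a.value, v.likelihood, v.controls, v.accuracy))
            for a in assets for v in a.vulnerabilities]
    return sorted(rows, key=lambda r: r[2], reverse=True)

ASSETS = [
    Asset("A", 50, [Vulnerability("Vulnerability 1", 1.0, 0.0, 0.9)]),   # from the notes
    Asset("B", 100, [Vulnerability("Vulnerability 2", 0.5, 0.5, 0.8),   # constructed
                     Vulnerability("Vulnerability 3", 0.1, 0.0, 0.8)]),
]

if __name__ == "__main__":
    for asset, vuln, risk in rank_vulnerabilities(ASSETS):
        print(f"{asset:>2} {vuln:<16} risk = {risk:5.1f}")
```

Running it prints asset A first with a risk of 55.0, matching the hand calculation, followed by B's two vulnerabilities at 35.0 and 12.0.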