RISK ASSESSMENT
· Assigns a risk rating or score to each Information asset.
· It is useful in gauging the relative risk to each Vulnerable asset.
Valuation of Information assets
· Assign weighted scores for the value to the organization of each Information asset.
· National Institute of Standards & Technology (NIST) gives some standards.
· To be effective, the values must be assigned by asking the following questions:
· Which threats present a danger to an organization’s assets in the given environment?
· Which threats represent the most danger to the organization’s Information?
· How much would it cost to recover from a successful attack?
· Which of the threats would require the greatest expenditure to prevent?
Likelihood
· It is the probability that a specific vulnerability within an organization will be successfully attacked.
· NIST gives some standards.
· 0.1 = Low, 1.0 = High
· Eg: The number of network attacks can be forecast based on how many network addresses the organization has assigned.
Risk Determination
Risk = [ (Likelihood of vulnerability occurrence) × (Value of information asset) ] – (% of risk mitigated by current controls) + (Uncertainty of current knowledge of the vulnerability)
· For the purpose of relative risk assessment, risk equals:
– Likelihood of vulnerability occurrence TIMES value (or impact)
– MINUS percentage risk already controlled
– PLUS an element of uncertainty
Eg: Information Asset A has a value score of 50 and has one vulnerability: Vulnerability 1 has a likelihood of 1.0 with no current controls, and you estimate that your assumptions and data are 90% accurate (i.e. 10% uncertainty).
Solution:
Risk = [(1.0) x 50] – 0% + 10%
= (50 x 1.0) – ((50 x 1.0)x 0.0) + ( (50 x 1.0) x 0.1)
= 50 – 0 + 5
= 55
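The risk determination formula above, applied in code as an added example (not part of the original notes): Asset A / Vulnerability 1 is the worked example, while Asset B and its two vulnerabilities are constructed here to show how the scores are ranked for relative risk assessment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    """One vulnerability of an information asset, with the inputs the formula needs."""
    asset: str
    name: str
    asset_value: float    # weighted value score of the asset (e.g. 50)
    likelihood: float     # 0.1 = low ... 1.0 = high (NIST-style scale from the notes)
    controls_pct: float   # % of risk already mitigated by current controls
    accuracy_pct: float   # how accurate the assumptions and data are believed to be


def risk(v: Vulnerability) -> float:
    """Risk = (likelihood x value) - (that product x % controlled) + (that product x uncertainty).

    Uncertainty is the complement of estimated accuracy: 90% accurate -> 10% uncertainty.
    """
    if not 0.0 <= v.likelihood <= 1.0:
        raise ValueError(f"likelihood must be within 0.0..1.0, got {v.likelihood}")
    for pct in (v.controls_pct, v.accuracy_pct):
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"percentages must be within 0..100, got {pct}")
    base = v.likelihood * v.asset_value                  # likelihood x value
    mitigated = base * (v.controls_pct / 100.0)          # part already controlled
    uncertainty = base * ((100.0 - v.accuracy_pct) / 100.0)  # element of uncertainty
    return base - mitigated + uncertainty


def rank_by_risk(vulns: list[Vulnerability]) -> list[tuple[str, str, float]]:
    """Return (asset, vulnerability, risk) triples, highest relative risk first."""
    scored = [(v.asset, v.name, risk(v)) for v in vulns]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed inventory: Asset A matches the worked example; Asset B is made up here.
INVENTORY = [
    Vulnerability("Asset A", "Vulnerability 1", asset_value=50, likelihood=1.0,
                  controls_pct=0, accuracy_pct=90),
    Vulnerability("Asset B", "Vulnerability 2", asset_value=100, likelihood=0.5,
                  controls_pct=50, accuracy_pct=80),
    Vulnerability("Asset B", "Vulnerability 3", asset_value=100, likelihood=0.1,
                  controls_pct=0, accuracy_pct=80),
]

if __name__ == "__main__":
    for asset, name, score in rank_by_risk(INVENTORY):
        print(f"{asset:8} {name:16} risk = {score:5.1f}")
```

Asset A / Vulnerability 1 evaluates to 55, matching the hand calculation; Asset B's partially controlled vulnerability scores 35 and its low-likelihood one 12, so the ranking is A-1, B-2, B-3.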