Risk - the possibility that something could happen to damage, destroy, or
disclose data or other resources
Managing risk is an element of sustaining a secure environment
Risk Management is a detailed process of identifying factors that could
damage or disclose data, evaluating those factors in light of data value and
countermeasure cost, and implementing cost-effective solutions for
mitigating (reducing) the overall risk
Risk Terminology
Asset
Asset valuation
Threats
Vulnerability
Exposure
Risk
RISK=THREAT x VULNERABILITY
Safeguards
Attack
Breach
Identify threats and vulnerabilities - an essential part of risk management is the
identification and examination of threats
Risk assessment/analysis - upper management initiates and supports risk
analysis and assessment by defining its scope and purpose
Quantitative Risk Analysis - concrete numeric values (dollar amounts and
percentages) rather than subjective ratings
What is the value of the asset - Asset value - AV
What are the possible threats to the asset, and what portion of the asset would
each one destroy - Exposure factor - EF
If a threat was realized, what is the loss - Single Loss Expectancy - SLE
Calculate the likelihood of each threat being realized in a single year -
Annualized Rate of Occurrence - ARO
Calculate overall loss potential per threat - Annualized Loss Expectancy - ALE
Formulas
ALE = SLE x ARO
If an asset is valued at $200,000 and it has an EF of 45% for a specific threat,
then the SLE is $90,000
ALE before safeguard - ALE after implementing the safeguard - annual cost of
safeguard (ACS) = value of the safeguard to the company, i.e.
ALE1 - ALE2 - ACS (a positive result means the safeguard is cost-justified)
Concept                               Formula
Exposure Factor - EF                  % of asset value lost per incident
Single Loss Expectancy - SLE          SLE = AV x EF
Annualized Rate of Occurrence - ARO   # / year
Annualized Loss Expectancy - ALE      ALE = SLE x ARO or ALE = AV x EF x ARO
Annual cost of Safeguard - ACS        $ / year
Value or benefit of a safeguard       (ALE1 - ALE2) - ACS
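The formulas above worked through in code, as an added example that is not part of the original notes: it reproduces the $200,000 / 45% case from the notes and then compares two constructed candidate safeguards using ALE1 - ALE2 - ACS. The ARO of 0.1 (one incident per ten years), the safeguard names and their costs are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction (0.45 means 45%)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (0.1 = once per ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass
class Safeguard:
    name: str
    residual_ef: float    # EF remaining after the safeguard is in place
    residual_aro: float   # ARO remaining after the safeguard is in place
    annual_cost: float    # ACS in $ / year


def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE1 - ALE2) - ACS: positive means the safeguard pays for itself."""
    ale1 = annualized_loss_expectancy(single_loss_expectancy(av, ef), aro)
    ale2 = annualized_loss_expectancy(
        single_loss_expectancy(av, sg.residual_ef), sg.residual_aro)
    return round(ale1 - ale2 - sg.annual_cost, 2)


def best_safeguard(av: float, ef: float, aro: float,
                   candidates: List[Safeguard]) -> Optional[Safeguard]:
    """Pick the candidate with the highest positive value; None if none pays off."""
    scored = [(safeguard_value(av, ef, aro, sg), sg) for sg in candidates]
    worthwhile = [s for s in scored if s[0] > 0]
    return max(worthwhile, key=lambda s: s[0])[1] if worthwhile else None


# Constructed scenario: the notes' $200,000 asset with EF 45%, assumed ARO 0.1.
AV, EF, ARO = 200_000.0, 0.45, 0.1
CANDIDATES = [
    Safeguard("offsite backups", residual_ef=0.05, residual_aro=0.1, annual_cost=2_000.0),
    Safeguard("hot DR site", residual_ef=0.01, residual_aro=0.1, annual_cost=12_000.0),
]
```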
Calculating Safeguards
Cost of purchase, development, and licensing
Cost of implementation and customization