RE: Risk Assessment

["David Gillett" <gillettdavid () fhda edu>]

  This is a significant part of the CISSP certification material.
The three basic variables are the Threat (how likely is this
attack -- annualized rate or occurrence), the Exposure (how 
vulnerable to it are we -- percentage) and the Asset (how valuable 
is the thing to be protected -- dollars).  A countermeasure whose
annual cost is less than the calculated Annualized Expectation of
Loss is considered a viable investment.
  Although Exposure can only range between 0 and 100%,  the annualized
rate of occurrence for some threats has no trouble exceeding 1.  And
far too many companies don't discover the value of information assets 
or business-critical systems until a loss actually occurs....

David Gillett
CISSP CCNP CCSE


> -----Original Message-----
> From: timpacalypse () yahoo com [mailto:timpacalypse () yahoo com] 
> Sent: Thursday, May 18, 2006 7:33 AM
> To: security-basics () securityfocus com
> Subject: Risk Assessment
>
> This is quickly becoming one of my favorite sites ever.  
>
> Anyway, I posted a message in the Focus on Microsoft List 
> about securing FE/BE Communications in Exchange.  I was 
> presented with many options.  And with all of those options 
> was a common theme.  Risk assessment.  
>
> I know that people make entire careers out of risk 
> assessment.  But I was wondering if anyone could point me to 
> a source that gives a general outline how to quantitatively 
> calculate risk so that something can be presented to 
> management in the form of numbers.  It'll be nice to come to 
> someone with something more concrete than..."well, it could happen."  
>
> Oh yeah, I don't have an IDS or anything so it's not like I 
> can go to them and say this is how many times we get scanned, etc.