Security Basics mailing list archives
RE: Risk Assessment
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 22 May 2006 10:06:14 -0700
This is a significant part of the CISSP certification material. The three basic variables are the Threat (how likely is this attack -- annualized rate of occurrence), the Exposure (how vulnerable to it are we -- percentage) and the Asset (how valuable is the thing to be protected -- dollars). A countermeasure whose annual cost is less than the calculated Annualized Expectation of Loss is considered a viable investment.

Although Exposure can only range between 0 and 100%, the annualized rate of occurrence for some threats has no trouble exceeding 1. And far too many companies don't discover the value of information assets or business-critical systems until a loss actually occurs...

David Gillett CISSP CCNP CCSE
-----Original Message-----
From: timpacalypse () yahoo com [mailto:timpacalypse () yahoo com]
Sent: Thursday, May 18, 2006 7:33 AM
To: security-basics () securityfocus com
Subject: Risk Assessment

This is quickly becoming one of my favorite sites ever. Anyway, I posted a message in the Focus on Microsoft List about securing FE/BE Communications in Exchange. I was presented with many options. And with all of those options was a common theme: risk assessment.

I know that people make entire careers out of risk assessment. But I was wondering if anyone could point me to a source that gives a general outline of how to quantitatively calculate risk so that something can be presented to management in the form of numbers. It'll be nice to come to someone with something more concrete than "well, it could happen."

Oh yeah, I don't have an IDS or anything so it's not like I can go to them and say this is how many times we get scanned, etc.
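As an added worked example (not part of the thread), the Python below puts the three variables from the reply above into the standard SLE/ALE arithmetic and applies the stated rule that a countermeasure costing less per year than the ALE is viable; the sample dollar figures, the class and function names, and the net-value cost/benefit function are assumptions of this example, not figures from the list.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """Quantitative risk inputs as described in the post (names are this example's)."""
    asset_value: float       # Asset: value of the thing protected, in dollars
    exposure_factor: float   # Exposure: fraction of the asset lost per incident, 0..1
    aro: float               # Threat: Annualized Rate of Occurrence; may exceed 1

    def __post_init__(self):
        # Exposure is a percentage and is clamped to 0..100%; ARO is not bounded above.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 100%")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: dollars lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


def countermeasure_is_viable(risk: Risk, annual_cost: float) -> bool:
    """The post's rule: a countermeasure costing less per year than the ALE is viable."""
    return annual_cost < risk.ale()


def countermeasure_net_value(before: Risk, after: Risk, annual_cost: float) -> float:
    """Standard cost/benefit extension (an assumption of this example, not from the post):
    net value = ALE before the control - ALE after the control - annual cost of the control."""
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    # Constructed sample: $200,000 of mail data, each incident exposes 25% of it,
    # and three incidents a year are expected (an ARO above 1, as the reply notes happens).
    before = Risk(asset_value=200_000, exposure_factor=0.25, aro=3.0)
    # A $20,000/year countermeasure that cuts the expected incidents to one every two years.
    after = Risk(asset_value=200_000, exposure_factor=0.25, aro=0.5)
    print(f"SLE ${before.sle():,.0f}, ALE ${before.ale():,.0f}")
    print("viable under the post's rule:", countermeasure_is_viable(before, 20_000))
    print(f"net annual value of the control: ${countermeasure_net_value(before, after, 20_000):,.0f}")
```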