Security Basics mailing list archives
RE: Getting the value of an asset and the probability of a risk to it
From: "Sergio Castro" <sergio.castro () unicin net>
Date: Fri, 16 May 2008 15:02:19 -0500
Hi Philippe,

The only true way of doing a quantitative risk assessment on an asset is using statistics. If you have historical data on the downtime of a server, then you can estimate the probability of it being offline at any given moment. Or your vendor may be able to provide such information. With enough data you can get into Bayesian inference, in which you calculate the probability of downtime based on the presence of other variables. For example, what is the probability that the server will be down during a thunderstorm (possible power failure)? In real life this is hard to do due to the lack of hard data, but it looks good on a PowerPoint :)

As to the asset value, what you really need to worry about is the "cost of opportunity". In other words, if the server is down for a period of time, how much money does the company either lose or is prevented from earning? Or what are the legal liabilities? Service Level Agreement penalties? Stuff like that.

And yes, you consider humans in risk assessment. Actually they are THE most important risk factor :) As to placing value on a human, you do the exact same analysis as any other asset: how much cash you lose, or how much cash you stop earning if the person leaves.

Technically yes, you would stop investing in an asset at X-1$, although in a real life analysis you have to take into consideration not only the present, but potential future cashflows, losses, and risks.

Good luck!

- Sergio

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Rivest, Philippe
Sent: Friday, 16 May 2008 02:39 p.m.
To: security-basics () securityfocus com
Subject: Getting the value of an asset and the probability of a risk to it

Currently doing my CISA and I have one small question: how do you do a quantitative risk assessment? Qualitative I understand, low/med/high or 1-10, but a quantitative risk assessment is harder and a bit more complex.

A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your asset has
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset, which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also, how/what would you use to identify the probability of a risk?

Last question: I understand that humans are the enterprise's most valuable asset. If so, how much would one value another's life in a quantitative evaluation? Also, in link to this question, if you value the life of someone at X, would you stop investing in protection at X or X-1$, or would you go as far as you can (considering that this could put a serious bill up)? Would you consider humans in a risk assessment?

Thanks a lot for all the info I may get.

**And to all who are going for CISA/CISM in June, keep it up :P

Merci
Philippe Rivest, Certified Ethical Hacker
Information Security Analyst
Métro Richelieu
450-662-3300x3115
►Before printing, ask yourself if you really need to!
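The three steps Sergio describes (downtime probability from history, conditioning it on a second variable with Bayes' rule, and converting it into a cost-of-opportunity figure with SLA penalties) as an added worked example in Python; this is not code from either poster, and the daily outage log and money figures are constructed for illustration.

```python
"""Quantitative risk estimate for one server from a (constructed) outage history.

Step 1: P(down) from historical downtime.
Step 2: P(down | thunderstorm) via Bayes' rule, using the same history.
Step 3: expected annual loss = expected incidents * (lost revenue + SLA penalty).
Fractions keep the probabilities exact so the numbers can be checked by hand.
"""
from collections import Counter
from fractions import Fraction

# Constructed daily log of (thunderstorm_that_day, server_down_that_day).
# 365 days: 30 storm days (6 with an outage), 335 calm days (4 with an outage).
DAILY_LOG = ([(True, True)] * 6 + [(True, False)] * 24
             + [(False, True)] * 4 + [(False, False)] * 331)


def prob_down(log):
    """P(down): base rate of outage days over the whole history."""
    return Fraction(sum(1 for _, down in log if down), len(log))


def prob_down_given_storm(log):
    """P(down | storm) = P(storm | down) * P(down) / P(storm), i.e. Bayes' rule.

    Spelled out this way so the conditioning step is visible; with a full log
    it equals the direct count of (storm, down) days over storm days.
    """
    counts = Counter(log)
    storm_days = counts[(True, True)] + counts[(True, False)]
    down_days = counts[(True, True)] + counts[(False, True)]
    p_storm = Fraction(storm_days, len(log))
    p_storm_given_down = Fraction(counts[(True, True)], down_days)
    return p_storm_given_down * prob_down(log) / p_storm


def expected_annual_loss(p_down_day, hours_per_incident, revenue_per_hour,
                         sla_penalty_per_incident, days=365):
    """Cost-of-opportunity view: incidents/year * (lost earnings + SLA penalty)."""
    incidents_per_year = p_down_day * days
    cost_per_incident = hours_per_incident * revenue_per_hour + sla_penalty_per_incident
    return incidents_per_year * cost_per_incident


if __name__ == "__main__":
    # Assumed (constructed) figures: 4 h per outage, $500/h of revenue, $1000 SLA hit.
    base = prob_down(DAILY_LOG)
    storm = prob_down_given_storm(DAILY_LOG)
    print(f"P(down) = {base} (~{float(base):.3%}), P(down|storm) = {storm}")
    print(f"Expected annual loss: ${float(expected_annual_loss(base, 4, 500, 1000)):,.0f}")
```

The storm-conditioned probability (1/5 per day versus a 2/73 base rate) is the kind of number that justifies spending on a UPS for this server rather than on something else.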