Security Basics mailing list archives

RE: Getting the value of an asset and the probability of a risk to it


From: <mark.pokorni () accenture com>
Date: Wed, 21 May 2008 09:45:09 -0500

Craig -

That's awesome. I wanted to do something like that and get a Masters in Statistics. I have an undergrad degree in 
Economics, but my calculus is rusty.

What's the recommended math background for such a degree? 

Mark Pokorni
CIRT
Engineering and Deployment
IO - Central Infrastructure Management (CIM)
Accenture   
mark.pokorni () accenture com
Chicago, 161 N. Clark St.


-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au] 
Sent: Tuesday, May 20, 2008 8:53 PM
To: Pokorni, Mark; krymson () gmail com; security-basics () securityfocus com; Rivestp () metro ca; Jon.Kibler () aset com; sergio.castro () unicin net; smalm () ncircle com
Subject: RE: Getting the value of an asset and the probability of a risk to it


I am completing a Masters in Statistics at Newcastle Uni at the moment. In particular I am looking at statistical 
measures of risk and security. The paper for this one is due at the end of the year. I have also done some work in fraud 
analysis (and anti-money laundering) and I am presenting a paper on this topic in Sydney next week at a data mining 
conference. The paper is on Exploratory Data Visualisation.

Back in 1999/2000 I started on this path as I (my company at the time) was trying to create an early SIEM. With the 
crash the VCs (vulture capitalists) pulled out as they could not see that a SIEM would have value. No foresight.

I have also done some 6sigma and SAS training.

I am an academic junkie. I help keep universities viable by remaining enrolled and adding to their fees by remaining a 
perpetual student. There is a strong statistical component in both Economics and Physics as well.

Regards,
Craig


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not 
read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received 
this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. 
You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or 
Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer 
viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may 
result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy 
statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator () 
bdo com au.

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved 
under Professional Standards Legislation.
-----Original Message-----

From: mark.pokorni () accenture com [mailto:mark.pokorni () accenture com]
Sent: Wednesday, 21 May 2008 3:19 AM
To: Craig Wright; krymson () gmail com; security-basics () securityfocus com; Rivestp () metro ca; Jon.Kibler () aset com; sergio.castro () unicin net; smalm () ncircle com
Subject: RE: Getting the value of an asset and the probability of a risk to it

So where did you pick up statistical analysis with an LLM?




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
Sent: Friday, May 16, 2008 7:31 PM
To: krymson () gmail com; security-basics () securityfocus com; Rivest, Philippe; Jon Kibler; Sergio Castro; Sheldon Malm
Subject: RE: Getting the value of an asset and the probability of a risk to it


Quantitative risk requires statistics.

It is not hard to do as long as you have the maths. The difficulties are missing values (requiring longitudinal data 
analysis and multivariate methods) and incomplete risk profiling (requiring Bayesian methods).

The risk is a survival function with compounding time factors (heteroscedasticity).

Pulling a number "out of your ass" is qualitative. If another cannot re-calculate the same value, it is qualitative 
and NOT quantitative. Quantitative methods are not based in subjectivity.

Why this is not commonly done in IT risk assessment (BASEL II DOES require a qualitative risk assessment):
        Lack of math skills in IT people
        SAS and other quant people earn more (2.5-3x the IT salaries)

A good quant in a hedge fund can earn $300-500k US without too much trouble. This type of person rarely cares to do IT 
security. Hence few people who are statisticians AND security people.

Hence few quantitative risk reviews.

Some standards (BASEL II, GLBA) have requirements for quantitative risk. This is mainly banks, hedge funds etc. Few 
others can afford it.

The large ones do some. The smaller ones issue fake numbers more than not.

As for being delusional, that is for anyone who trusts a qualitative assessment where people pull numbers. These assess 
perceived risk - these do not assess risk. There is a distinction.

Qualitative   =  Perceived risk
Quantitative  =  Risk (within confidence bounds)

ncircle IP360 does nothing of the sort. ncircle IP360 is fluffy qualitative assessment.

You need to feed all the data you can and do a little dimensionality reduction, letting the numbers choose the factors 
and including the errors.

If you want to start learning how:
http://rem.ph.ucla.edu/rob/rm/new/index.html

To answer Jon:
"Bottom line: I personally do not believe that it is possible to do a quantitative risk assessment and anyone who 
thinks otherwise either does not understand today's risk environment, or is delusional."

No, the opposite. Qualitative risk is for those who like to think they know. The data is far too complex to be assessed 
by ANY person and requires computational methods. I have yet to see a qualitative assessment that when compared to a 
REAL quantitative one comes close. The issue being many naive qualitative methods that are falsely called quantitative.

Look at ARO, ALE etc. This relies on a risk calculation. The likelihood of an event for the type of organisation. The 
ONLY way to do this is to use survival analysis with multivariate analysis taking compounding factors into account. The 
issue is that people pull a figure out of their proverbial as was stated. ANY addition of non-quantitative data makes 
the ENTIRE calculation qualitative. ALE is ONLY a quant measure if the likelihood calcs are completed using hazard 
factors and survival calcs.

The difficulty is the cost. I have seen PCA, PLS, SIR and k-dimensional factorisation for 80+ dimensions that can take 
a few weeks of computer time and this costs $. Look at the rates of C++ programmers with quant skills. The question is 
why use these skills for security risk when market risk pays $600-$800 an hour. Even at the security risk calcs, few 
want to pay. My charge rate for this is $370 ex tax. For 80-plus hours of work per system, the cost of the process is 
often greater than the asset value and risk for smaller firms.

However, once done, the model generally only needs to be updated yearly with the principal 5-6 components accounting 
for over 98% of risk by asset. This leaves an error of 1-2% which is not material for most organisations.

Regards,
Dr Craig Wright (GSE-Compliance)


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Saturday, 17 May 2008 6:11 AM
To: security-basics () securityfocus com
Subject: Re: Getting the value of an asset and the probability of a risk to it

Fine, I'm biting.

You've hit the area of a quantitative (or other) assessment that makes many people wonder why we bother. Both B and D in 
your list are pretty subjective, and the best you can hope for is consistency in your valuation, rather than accuracy. 
You would think a quantitative assessment is rooted only in fact, but it is still rooted in belief, although often 
based on experience and maybe public data. But still, it always has its roots in being just a guess that no two 
analysts will always agree on.

B) For the asset value, pretend the asset is no longer present. Then figure out the pain caused by that loss.

value = cost of replacement + lost value until fixed
cost of replacement = hardware + software + time-hours
lost value until fixed = business loss (sorry, not my area to determine that, but typically the accounting teams need 
to be involved) + productivity loss (typically on a per day measure)

Now, how do you REALLY determine all those values? You estimate and guess or you find the last time the incident 
occurred and ask how much it cost.


D) Risk probability is done in two ways, I believe.

First: You still subjectively pull a number out of your ass and call it the probability that the event will occur that 
year. This is very common. :)

Second: You take public or internally generated data and guesstimate based on that. If the event has happened 5 times 
in the last 5 years, the probability will be 1 (yes, it will happen once this year).

Also, make sure to avoid thinking in terms of partial loss. Either the asset is available or it is not. Saying it is 
kinda half there will burn you out quickly. :)

In my opinion (and obviously I am not a dedicated auditor or strategic risk assessor), this is sufficient for everyone 
except large companies in the Fortune 50 range. And any of those leftover 50 should have standards already in place to 
guide their shee...workers.



<- snip ->
A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your assets have
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also, 
how/what would you use to identify the probability of a risk?




This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private 
information.  If you have received it in error, please notify the sender immediately and delete the original.  Any 
other use of the email by you is prohibited.
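As an added illustration (not code from any poster in this thread) of the distinction Craig draws between an ALE whose likelihood is pulled from the air and one whose likelihood comes from a survival calculation carried with confidence bounds, and of the "5 events in 5 years" estimate in krymson's post: the incident counts and the single-loss expectancy below are constructed values, the constant-hazard (exponential survival) model is an assumption made for the example, and it needs only Python's standard library.

```python
import math

def gamma_cdf_int(x: float, shape: int) -> float:
    """CDF of Gamma(shape, rate=1) for integer shape, via the identity
    P(Gamma(k) <= x) = P(Poisson(x) >= k); avoids a scipy dependency."""
    if x <= 0:
        return 0.0
    return 1.0 - sum(math.exp(-x) * x ** i / math.factorial(i) for i in range(shape))

def gamma_quantile_int(p: float, shape: int) -> float:
    """Invert gamma_cdf_int by bisection (0 < p < 1, integer shape >= 1)."""
    lo, hi = 0.0, 10.0 * shape + 10.0
    for _ in range(100):
        mid = (lo + hi) / 2
        if gamma_cdf_int(mid, shape) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def annual_rate_bounds(events: int, years: float, alpha: float = 0.05):
    """Point estimate and exact (Garwood) 1-alpha confidence bounds for the
    incident hazard rate lambda, treating the history as a Poisson process
    with constant hazard (an assumption made for this example)."""
    point = events / years
    lower = gamma_quantile_int(alpha / 2, events) / years if events > 0 else 0.0
    upper = gamma_quantile_int(1 - alpha / 2, events + 1) / years
    return point, lower, upper

def prob_at_least_one(rate: float, horizon_years: float = 1.0) -> float:
    """1 - S(t) for the exponential survival function S(t) = exp(-lambda t).
    At lambda = 1 per year this is about 0.63, so '5 events in 5 years'
    does not make the event certain within the next year."""
    return 1.0 - math.exp(-rate * horizon_years)

def ale_bounds(sle: float, events: int, years: float, alpha: float = 0.05):
    """ALE = SLE x ARO with ARO = lambda, carried through with its bounds
    so the answer is reproducible by another analyst from the same data."""
    point, lower, upper = annual_rate_bounds(events, years, alpha)
    return sle * point, sle * lower, sle * upper

if __name__ == "__main__":
    # Constructed history: 5 outages of one system in 5 years, SLE of $50,000.
    lam, lo, hi = annual_rate_bounds(5, 5)
    print(f"rate/yr = {lam:.2f}, 95% bounds [{lo:.2f}, {hi:.2f}]")
    print(f"P(>=1 event next year) = {prob_at_least_one(lam):.2f}")
    print("ALE point/low/high = %.0f / %.0f / %.0f" % ale_bounds(50_000, 5, 5))
```

The width of the interval (roughly 0.3 to 2.3 events per year from five observations) is the point of the exercise: a single ALE figure without its bounds hides how little five data points pin down.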





