Educause Security Discussion mailing list archives
Re: Vulnerability vs. Risk Assessments
From: Chris Vakhordjian <chrisv () MAIL UCF EDU>
Date: Thu, 5 Nov 2009 10:13:54 -0500
Since we are on this subject.... Anyone have a simple, but well written, risk assessment/report template? Thanks, Chris
Eric Case <ecase () EMAIL ARIZONA EDU> 11/5/2009 10:10 AM >>>
Here is Ira Winkler's "formula" for risk. Here it is as plain text:

Risk = ((Threat * Vulnerability) / Countermeasures) * Value

Threats (Malicious and Malignant) are the people or entities who can do you harm if given the opportunity. Threats are outside your control and you cannot change them or affect them directly.

Vulnerabilities are the weaknesses that allow the threat to exploit you.

Countermeasures are the precautions you take. Reducing the exposure is a countermeasure.

Value is the potential loss you can experience. More than a hard asset, value can be Monetary, Nuisance, Competitor Value, etc. Most things can be turned into a monetary value but sometimes they are left as reputation, etc.

The value part can be very fluid. Take a simple malware infection. On a "stupid user's" machine, the value may be less than on the Provost's machine, which may still be less than on the CISO's machine. The same Countermeasures are in place on all the machines but the Provost can have a Nuisance factor to deal with, but the CISO can have a major loss of reputation and a Nuisance factor to deal with.

Vulnerability Assessments are typically looking for technical weaknesses and Risk Assessments typically look for things that can impact the enterprise on more than a technical level.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Dobbins
Sent: Wednesday, November 04, 2009 8:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments

While I definitely agree with the other responses, I also find this variant on the formula helpful when explaining to non-IT's or non-tech's:

Risk = Asset * Threat * Vulnerability

Asset represents what other formulae sometimes call "impact". I just feel it's a bit more intuitive to call it "asset" since execs think of assets easily, so do accountants.

Drive any one of those three factors toward zero, and you affect risk directly. E.g.:

Remove the asset, no risk. Keep sensitive data out of harm's way.
Reduce threats, lower risk. Block unnecessary traffic, encrypt laptops.
Reduce vulnerabilities, reduce risk. Patch systems.

Nice thing about having Vulnerabilities in the formula is they are one of the factors you can sometimes directly control through system management. Asset reduction can be done with data handling/access controls. Threat reduction can be done with technical measures, but not always.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Waller
Sent: Wednesday, November 04, 2009 9:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vulnerability vs. Risk Assessments

The below is a pretty good explanation. From my experience, a vulnerability assessment is a look at a system/site/application/firewall/whatever with an eye towards all of the vulnerable points. Once you identify the vulnerabilities, you would then move to a risk assessment by determining what the threat, potential impact and likelihoods are.

On Wed, Nov 4, 2009 at 9:13 PM, St Clair, Jim <Jim.StClair () gt com> wrote:

Hi Chris,

Yes they are often used interchangeably, causing confusion. If you think of the risk formula (threat X impact X likelihood = risk) then a vulnerability assessment focuses on more technical issues (either a port is closed or not) while a risk assessment should be more specific to a business/process (this open port creates high risk in web services supporting health records). Both are useful, and should be conducted periodically. It's only unfortunate when a service provider calls it the latter but can only deliver the former.

James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T 703-637-3078 F 703-637-4455 C 703-727-6332
E jim.stclair () gt com

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Wednesday, November 04, 2009 9:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vulnerability vs. Risk Assessments

I'm having a hard time articulating the difference between these two types of assessments, so I'm hoping someone can clearly define them. Any thoughts are appreciated.

Thanks,
Chris

Chris Kidd
Chief Information Security and Privacy Officer
The University of Utah
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu
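As an added illustration of the distinction the thread keeps circling (this is example code written for this archive page, not code from any of the posters): a vulnerability assessment yields a list of technical findings with a severity each, and a risk assessment attaches business context to them and ranks by Risk = Asset * Threat * Vulnerability, the form Gary Dobbins gives above. The 0-5 ordinal scale, the host names and the findings are constructed assumptions; the point the script makes is that the same open port scores identically in the vulnerability view and very differently in the risk view, and that driving any factor to zero zeroes the risk.

```python
"""Added example (not from any message in the thread).

Turns constructed vulnerability-assessment findings (technical severity
only) into a ranked risk register using the formula quoted in the thread:

    Risk = Asset * Threat * Vulnerability

The 0-5 ordinal scale, host names and findings are assumptions made up
for this illustration.
"""
from dataclasses import dataclass

SCALE = range(0, 6)  # assumed ordinal scale; 0 means the factor was driven to zero


@dataclass(frozen=True)
class Finding:
    """One line of a vulnerability assessment: a technical weakness on a host."""
    host: str
    issue: str
    vulnerability: int  # technical severity, 0-5


@dataclass(frozen=True)
class BusinessContext:
    """What a risk assessment adds on top of the technical finding."""
    asset: int   # value / impact if the host is compromised, 0-5
    threat: int  # who is likely to come after this host, 0-5


def risk_score(asset: int, threat: int, vulnerability: int) -> int:
    """Risk = Asset * Threat * Vulnerability; any factor at 0 zeroes the risk."""
    for factor in (asset, threat, vulnerability):
        if factor not in SCALE:
            raise ValueError(f"factor {factor} outside scale {SCALE}")
    return asset * threat * vulnerability


def rank_by_vulnerability(findings):
    """Vulnerability-assessment view: order by technical severity only."""
    return sorted(findings, key=lambda f: f.vulnerability, reverse=True)


def risk_register(findings, contexts):
    """Risk-assessment view: attach business context and rank by risk.

    A finding whose host has no business context cannot be scored; rather
    than silently guessing, raise so the gap in the assessment is visible.
    """
    rows = []
    for f in findings:
        if f.host not in contexts:
            raise KeyError(f"no business context for host {f.host!r}")
        ctx = contexts[f.host]
        rows.append({
            "host": f.host,
            "issue": f.issue,
            "asset": ctx.asset,
            "threat": ctx.threat,
            "vulnerability": f.vulnerability,
            "risk": risk_score(ctx.asset, ctx.threat, f.vulnerability),
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample data: the same open management port shows up on two hosts.
FINDINGS = [
    Finding("web-health", "management port open to the Internet", 4),
    Finding("lab-kiosk", "management port open to the Internet", 4),
    Finding("provost-laptop", "unpatched browser", 3),
]
CONTEXTS = {
    "web-health": BusinessContext(asset=5, threat=4),      # supports health records
    "lab-kiosk": BusinessContext(asset=1, threat=4),       # holds no sensitive data
    "provost-laptop": BusinessContext(asset=4, threat=3),
}

if __name__ == "__main__":
    print("Vulnerability assessment ordering (identical findings tie):")
    for f in rank_by_vulnerability(FINDINGS):
        print(f"  {f.vulnerability}  {f.host:15} {f.issue}")
    print("Risk assessment ordering (same finding, different risk):")
    for r in risk_register(FINDINGS, CONTEXTS):
        print(f"  {r['risk']:3}  {r['host']:15} {r['issue']}")
```

Run it as a script to see the two orderings side by side: the vulnerability view cannot tell the two open-port findings apart, while the risk register puts the health-records host at 80 and the kiosk at 16. Setting any factor to 0 (the asset removed, the port closed) returns a risk of 0, which is Dobbins' "drive any one of those three factors toward zero" in code.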
Current thread:
- Vulnerability vs. Risk Assessments Chris Kidd (Nov 04)
- <Possible follow-ups>
- Re: Vulnerability vs. Risk Assessments St Clair, Jim (Nov 04)
- Re: Vulnerability vs. Risk Assessments Mike Waller (Nov 04)
- Re: Vulnerability vs. Risk Assessments Valdis Kletnieks (Nov 04)
- Re: Vulnerability vs. Risk Assessments Gary Dobbins (Nov 04)
- Re: Vulnerability vs. Risk Assessments John Ladwig (Nov 04)
- Re: Vulnerability vs. Risk Assessments Gary Dobbins (Nov 05)
- Re: Vulnerability vs. Risk Assessments Flynn, Gerald (Nov 05)
- Re: Vulnerability vs. Risk Assessments Scott Koger (Nov 05)
- Re: Vulnerability vs. Risk Assessments Eric Case (Nov 05)
- Re: Vulnerability vs. Risk Assessments Chris Vakhordjian (Nov 05)
- Re: Vulnerability vs. Risk Assessments Brad Judy (Nov 05)
- Re: Vulnerability vs. Risk Assessments Valerie Vogel (Nov 05)
- Re: Vulnerability vs. Risk Assessments Basgen, Brian (Nov 05)
- Re: Vulnerability vs. Risk Assessments Hugh Burley (Nov 05)
- Re: Vulnerability vs. Risk Assessments Hugh Burley (Nov 06)