Firewall Wizards mailing list archives

Re: Security policy and risk analysis questions


From: "Joseph Pung" <pungjos () aquinas edu>
Date: Thu, 29 Apr 1999 09:03:56 -0500

Frank,

Assuming you are going through this exercise to justify your budget:
If you have identified the value of the assets (which you say you have) and 
if you have an idea of how much your budget should be, then try backing into 
the probability.  R=P*V, where R is risk, P is probability, and V is value of 
assets to be protected.  Hopefully, the probability you come up with is 
reasonable to those who hold the purse strings.  

Another thing I've done is looked at the Business Resumption Plan (BRP) 
budget and used that amount to justify increased spending (assumes BRP 
spending is higher).  For example, say for BRP your company's assets are 
worth 1 million.  And let's say the probability of a tornado, fire, etc. 
destroying your data center is .001 for any given year.  Therefore, the 
annual BRP budget should be no more than $1,000 (1mm * .001).  Now say the 
probability of a security "incident" is .01 (10 times more likely) but the 
assets at risk are only $100,000.  Then, the question you should ask is, 
(again assuming BRP spending is more) why are we not spending more/as 
much/etc on security, which has a much greater probability of occurring BTW, 
than BRP?

You can also try tying security to BRP.  BRP, IMO, consists of 3 types of 
disasters: natural, man-made (security incidents), and machine (hardware 
failures).  

Joe

My question concerns the risk analysis.  It is my understanding that the risk analysis is used to determine the 
amount to spend to protect the assets.  My problem is assigning a probability to any o> 
Any help or guidelines would be most appreciated.  My thanks in advance for all advice.

Frank
