Firewall Wizards mailing list archives
Re: Security policy and risk analysis questions
From: "Joseph Pung" <pungjos () aquinas edu>
Date: Thu, 29 Apr 1999 09:03:56 -0500
Frank,

Assuming you are going through this exercise to justify your budget: If you have identified the value of the assets (which you say you have) and if you have an idea of how much your budget should be, then try backing into the probability. R=P*V, where R is risk, P is probability, and V is value of assets to be protected. Hopefully, the probability you come up with is reasonable to those who hold the purse strings.

Another thing I've done is look at the Business Resumption Plan (BRP) budget and use that amount to justify increased spending (assumes BRP spending is higher). For example, say for BRP your company's assets are worth 1 million. And let's say the probability of a tornado, fire, etc. destroying your data center is .001 for any given year. Therefore, the annual BRP budget should be no more than $1,000 (1mm * .001). Now say the probability of a security "incident" is .01 (10 times more likely) but the assets at risk are only $100,000. Then the question you should ask is (again assuming BRP spending is more): why are we not spending more/as much/etc. on security, which, BTW, has a much greater probability of occurring than BRP?

You can also try tying security to BRP. BRP, IMO, consists of 3 types of disasters: natural, man-made (security incidents), and machine (hardware failures).

Joe
My question concerns the risk analysis. It is my understanding that the risk analysis is used to determine the amount to spend to protect the assets. My problem is assigning a probability to any o> Any help or guidelines would be most appreciated. My thanks in advance for all advice. Frank
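As an added example (not part of Joe's mail or the thread), the R=P*V arithmetic above written out so it can be applied to more than two cases: expected annual loss per scenario, the "back into the probability" step (P = budget / V), and a per-category total across Joe's three BRP disaster classes. All figures are constructed; the first two rows reproduce the numbers in the mail, the third is assumed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    category: str        # "natural", "man-made" or "machine" (Joe's three BRP classes)
    probability: float   # P: annual probability of the event
    value: float         # V: value of the assets at stake


def annual_risk(p: float, v: float) -> float:
    """R = P * V: expected annual loss for one scenario."""
    return p * v


def implied_probability(budget: float, v: float) -> float:
    """'Back into' P: the annual probability at which spending `budget`
    per year on assets worth `v` is justified (R = budget, so P = R / V)."""
    if v <= 0:
        raise ValueError("asset value must be positive")
    return budget / v


def risk_by_category(scenarios):
    """Sum expected annual loss per disaster category."""
    totals = {}
    for s in scenarios:
        totals[s.category] = totals.get(s.category, 0.0) + annual_risk(s.probability, s.value)
    return totals


# Constructed figures: the two cases from the mail plus an assumed hardware-failure row.
SCENARIOS = [
    Scenario("data center destroyed (tornado, fire)", "natural", 0.001, 1_000_000),
    Scenario("security incident", "man-made", 0.01, 100_000),
    Scenario("disk array failure", "machine", 0.05, 20_000),
]

if __name__ == "__main__":
    for cat, r in risk_by_category(SCENARIOS).items():
        print(f"{cat:9s} expected annual loss: ${r:,.0f}")
    # What probability would a $5,000/year budget on $1M of assets imply?
    print("implied P:", implied_probability(5_000, 1_000_000))
```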