Security Basics mailing list archives

RE: Getting the value of an asset and the probability of a risk to it


From: "Sergio Castro" <sergio.castro () unicin net>
Date: Fri, 16 May 2008 15:02:19 -0500

Hi Philippe,

The only true way of doing a quantitative risk assessment on an asset is using statistics. If you have historical data 
on the downtime of a server, then you can estimate the probability of it being offline at any given moment. Or your 
vendor may be able to provide such information. With enough data you can get into Bayesian inference, in which you 
calculate the probability of downtime based on the presence of other variables. For example, what is the probability 
that the server will be down during a thunderstorm (possible power failure)? In real life this is hard to do due to the 
lack of hard data, but it looks good on a PowerPoint :)

As to the asset value, what you really need to worry about is the "cost of opportunity". In other words, if the server 
is down for a period of time, how much money does the company either lose or is prevented from earning? Or what are 
the legal liabilities? Service Level Agreement penalties? Stuff like that.

And yes, you consider humans in risk assessment. Actually they are THE most important risk factor :)
As to placing value on a human, you do the exact same analysis as any other asset: how much cash you lose, or how much 
cash you stop earning if the person leaves.

Technically yes, you would stop investing in an asset at X-1$, although in a real life analysis you have to take into 
consideration not only the present, but potential future cashflows, losses, and risks.

Good luck!

- Sergio
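A worked version of the approach Sergio outlines (probability of downtime from historical data, Bayes' rule for the probability of downtime during a thunderstorm, cost of opportunity as the asset value, and the "stop at X-1$" rule), as an added example that is not part of the thread; the outage counts, hourly loss figures and control costs are constructed values.

```python
# Added example, not from the mailing list: quantitative risk from constructed
# outage history. Exact fractions are used so the arithmetic is transparent.
from fractions import Fraction

# Constructed sample: one year of hourly observations summarised as counts.
TOTAL_HOURS = 8760            # hours in the observation year
STORM_HOURS = 120             # hours with a thunderstorm in progress
DOWN_HOURS = 44               # hours the server was offline
DOWN_AND_STORM_HOURS = 11     # hours it was offline during a thunderstorm


def p_down(down=DOWN_HOURS, total=TOTAL_HOURS):
    """Unconditional probability the server is offline at a random moment."""
    return Fraction(down, total)


def p_down_given_storm(down=DOWN_HOURS, storm=STORM_HOURS,
                       both=DOWN_AND_STORM_HOURS, total=TOTAL_HOURS):
    """Bayes' rule: P(down | storm) = P(storm | down) * P(down) / P(storm).

    With raw counts this reduces to both / storm, but the formula is kept so
    the conditioning step Sergio describes is visible.
    """
    p_storm_given_down = Fraction(both, down)
    p_storm = Fraction(storm, total)
    return p_storm_given_down * p_down(down, total) / p_storm


def annual_expected_loss(p, hourly_lost_revenue, sla_penalty_per_hour=0):
    """Cost of opportunity: P(down) * hours/year * (lost revenue + SLA penalty).

    This is the classic annualised loss expectancy; legal liabilities could be
    folded into the per-hour figure the same way.
    """
    return p * TOTAL_HOURS * (hourly_lost_revenue + sla_penalty_per_hour)


def worth_investing(control_cost, ale_before, ale_after):
    """Sergio's rule: keep spending on a control only while it costs strictly
    less than the expected loss it removes, i.e. stop at X-1$, not at X."""
    return control_cost < ale_before - ale_after


if __name__ == "__main__":
    ale = annual_expected_loss(p_down(), hourly_lost_revenue=500, sla_penalty_per_hour=100)
    print("P(down) =", p_down(), " P(down | storm) =", p_down_given_storm())
    print("Annual expected loss =", ale)
    # A control that halves downtime is worth buying at 13199 but not at 13200.
    print(worth_investing(13199, ale, ale / 2), worth_investing(13200, ale, ale / 2))
```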

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Rivest, Philippe
Sent: Friday, May 16, 2008 02:39 p.m.
To: security-basics () securityfocus com
Subject: Getting the value of an asset and the probability of a risk to it

Currently doing my CISA and I have one small question: how do you do a quantitative risk assessment?
Qualitative I understand: low, med, high or 1-10. But a quantitative risk assessment is harder and a bit more complex.

A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your asset has
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset, which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also, 
how/what would you use to identify the probability of a risk?

Last question: I understand that humans are the enterprise's most valuable asset. If so, how much would one value 
another's life in a quantitative evaluation? Also, in link to this question, if you value the life of someone at X, would 
you stop investing in protection at X or X-1$, or would you go as far as you can (considering that this could put a 
serious bill up)? Would you consider humans in a risk assessment?

Thanks a lot for all the info I may get

**And to all who are going for CISA/CISM in June, keep it up :P

Thanks

Philippe Rivest, Certified Ethical Hacker

Information Security Analyst

Métro Richelieu

450-662-3300x3115

►Before printing, ask yourself if you really need to!



