Security Basics mailing list archives

Re: Getting the value of an asset and the probability of a risk to it


From: "Sheldon Malm" <smalm () ncircle com>
Date: Fri, 16 May 2008 13:07:19 -0700

This is not a plug ...

This is precisely what nCircle IP360 does. Check out the website - there should be a scoring white paper there to get you started.

--------------------------
Sheldon Malm
Director 
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Fri May 16 12:38:41 2008
Subject: Getting the value of an asset and the probability of a risk to it

Currently doing my CISA and I have one small question: how do you do a quantitative risk assessment?
Qualitative I understand: low, med, high or 1-10. But a quantitative risk assessment is harder and a bit more complex.

A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your assets have
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also, how/what would you use to identify the probability of a risk?

Last question: I understand that humans are the enterprise's most valuable asset. If so, how much would one value another's life in a quantitative evaluation? Also, linked to this question, if you value the life of someone at X, would you stop investing in protection at X or X-1$, or would you go as far as you can (considering that this could run up a serious bill)? Would you consider humans in a risk assessment?

Thanks a lot for all the info I may get.

**And to all who are going for CISA/CISM in June, keep it up :P

Thanks

Philippe Rivest, Certified Ethical Hacker

Information security analyst

Métro Richelieu

450-662-3300x3115

►Before printing, ask yourself if you really need to!


