Security Basics mailing list archives

Re: Getting the value of an asset and the probability of a risk to it


From: krymson () gmail com
Date: 16 May 2008 20:10:50 -0000

Fine, I'm biting. 

You've hit the area of a quantitative (or other) assessment that makes many people wonder why we bother. Both B and D in 
your list are pretty subjective, and the best you can hope for is consistency in your valuation, rather than accuracy. 
You would think a quantitative assessment is rooted only in fact, but it still is rooted in belief, although often 
based on experience and maybe public data. But still, it always does still have roots in being just a guess that no two 
analysts will always agree on.

B) For the asset value, pretend the asset is no longer present. Then figure out the pain caused by that loss.

value = cost of replacement + lost value until fixed
cost of replacement = hardware + software + time-hours
lost value until fixed = business loss (sorry, not my area to determine that, but typically the accounting teams need 
to be involved) + productivity loss (typically on a per day measure)

Now, how do you REALLY determine all those values? You estimate and guess or you find the last time the incident 
occurred and ask how much it cost.


D) Risk probability is done in two ways, I believe.

First: You still subjectively pull a number out of your ass and call it the probability that the event will occur that 
year. This is very common. :)

Second: You take public or internally generated data and guesstimate based on that. If the event has happened 5 times 
in the last 5 years, the probability will be 1 (yes, it will happen once this year).

Also, make sure to avoid thinking in terms of partial loss. Either the asset is available or it is not. Saying it is 
kinda half there will burn you out quickly. :)

In my opinion (and obviously I am not a dedicated auditor or strategic risk assessor), this is sufficient for everyone 
except large companies in the Fortune 50 range. And any of those leftover 50 should have standards already in place to 
guide their shee...workers.

<- snip ->
A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your assets have
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset which is clear to me.

Stages B and D are unclear as to HOW you affect a value to a server, computer asset, data and so on. Also, 
how/what would you use to identify the probability of a risk?
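A worked version of the reply's procedure, added here as an example and not part of the original post: it prices an asset with the reply's formula (replacement cost plus lost value until fixed, with no partial-loss states), estimates the yearly probability from incident history the way the reply describes (5 incidents in 5 years gives 1), and multiplies the two to get a risk figure per asset for step E. The asset figures and incident counts are constructed sample values, and the hourly labour rate and the "days the asset is gone" multiplier are assumptions the post does not state.

```python
"""Risk-per-asset calculator following the formulas in the reply above.

value = cost of replacement + lost value until fixed
cost of replacement = hardware + software + time-hours (priced at an
                      assumed hourly rate)
lost value until fixed = (business loss per day + productivity loss per day)
                         * days the asset is entirely gone  (assumed multiplier)
probability per year = past occurrences / years observed
risk (expected annual loss) = value * probability

All figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    hardware: float                  # replacement hardware cost
    software: float                  # replacement software / licence cost
    rebuild_hours: float             # staff hours to rebuild the asset
    hourly_rate: float               # assumed loaded cost per staff hour
    business_loss_per_day: float     # the number accounting supplies
    productivity_loss_per_day: float # per-day measure, as the reply suggests
    days_to_fix: float               # days the asset is fully unavailable


def replacement_cost(a: Asset) -> float:
    """hardware + software + time-hours."""
    return a.hardware + a.software + a.rebuild_hours * a.hourly_rate


def lost_value_until_fixed(a: Asset) -> float:
    """Business loss plus productivity loss for each day the asset is gone.

    No partial-loss states: the asset counts as completely absent for the
    whole of days_to_fix, exactly as the reply recommends.
    """
    per_day = a.business_loss_per_day + a.productivity_loss_per_day
    return per_day * a.days_to_fix


def asset_value(a: Asset) -> float:
    return replacement_cost(a) + lost_value_until_fixed(a)


def annual_probability(occurrences: int, years: float) -> float:
    """Historical estimate: events seen divided by years observed.

    5 events in 5 years -> 1.0 (it will happen once this year). If an event
    recurs more than once a year the value exceeds 1 and is then the expected
    number of occurrences per year rather than a probability.
    """
    if years <= 0:
        raise ValueError("need a positive observation period in years")
    if occurrences < 0:
        raise ValueError("occurrence count cannot be negative")
    return occurrences / years


def annual_risk(a: Asset, occurrences: int, years: float) -> float:
    """Step E: expected annual loss for one asset = value * yearly probability."""
    return asset_value(a) * annual_probability(occurrences, years)


def rank_assets(history: list[tuple[Asset, int, float]]) -> list[tuple[str, float]]:
    """Return (asset name, annual risk) pairs, highest risk first."""
    scored = [(a.name, annual_risk(a, occ, yrs)) for a, occ, yrs in history]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample assets (all numbers invented for the example).
FILE_SERVER = Asset("file-server", hardware=4000, software=1500, rebuild_hours=16,
                    hourly_rate=75, business_loss_per_day=2000,
                    productivity_loss_per_day=800, days_to_fix=2)
LAPTOP = Asset("laptop", hardware=1500, software=300, rebuild_hours=4,
               hourly_rate=75, business_loss_per_day=0,
               productivity_loss_per_day=400, days_to_fix=1)

# Constructed incident history: (asset, occurrences, years observed).
HISTORY = [(FILE_SERVER, 2, 4), (LAPTOP, 1, 2)]


if __name__ == "__main__":
    for a, occ, yrs in HISTORY:
        print(f"{a.name:12s} value={asset_value(a):9.2f} "
              f"p/yr={annual_probability(occ, yrs):.2f} "
              f"risk/yr={annual_risk(a, occ, yrs):9.2f}")
    print("ranked:", rank_assets(HISTORY))
```

The point of keeping the value and the probability in separate functions is the one the reply makes: both inputs are guesses, so what you can defend is consistency, and ranking assets by the product is only meaningful if every asset's figures were produced the same way.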

