Educause Security Discussion mailing list archives

Re: Quantitative Risk Analysis?


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 23 Jun 2006 15:33:22 -0700

 I've recently built a quantitative risk model based on the commonly
quoted (but apparently not cited) model of risk = threat x vulnerability
x asset value. I have not yet put it through the rigors of application,
but it at least looks pretty. :)

 On your #2, it is refreshing to see your approach, as this problem is
commonly couched in terms of RoI for security, which is a paradox. My
only suggestion is to think broader than IT, thus perusing models that
finance or marketing departments use. 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
 
 
 

-----Original Message-----
From: Jim Webb [mailto:jtwebb () NGCSU EDU] 
Sent: Friday, June 23, 2006 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Quantitative Risk Analysis?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I was wondering if anyone out there might have any good info 
to share concerning Quantitative Risk Analysis models.

Namely:

1. Is anyone currently using a Quantitative model to do 
assessment (FIPS/ALE)? If so, do you feel that this has 
garnered any significant benefits or burdens over qualitative 
modeling?
Do you prefer one method over another and if so why?

2. Has anyone wrestled with the establishment of empirical 
cost basis for "intangibles" such as primary & secondary 
losses from reputation/brand damage?

I greatly appreciate any information/guidance offered concerning this.

many thanks,

- -Jim

- --
=====================================================
James Webb
Network Security Officer
Department of I.I.T
North Georgia College & State University
phone: 706-864-1922
email: jtwebb () ngcsu edu
http://www.ngcsu.edu/adminsrv/infotech/infosec/ 

"Never let the future disturb you. You will meet it, if you 
have to, with the same weapons of reason which today arm you 
against the present."
- -Marcus Aurelius 

PGP Public Key: http://tinyurl.com/737x7 
=====================================================
~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (OpenBSD)

iD8DBQFEnCVNFU5MyueE6uIRAkrpAJ95YM64agE+bD5RrdZVw9i2ABhbuACeKEI2
kuVfX5oDO4PwYy8yLeE/I4c=
=RdWB
-----END PGP SIGNATURE-----

