Educause Security Discussion mailing list archives
Re: Quantitative Risk Analysis?
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Fri, 23 Jun 2006 15:33:22 -0700
I've recently built a quantitative risk model based on the commonly quoted (but apparently not cited) model of risk = threat x vulnerability x asset value. I have not yet put it through the rigors of application, but it at least looks pretty. :)

On your #2, it is refreshing to see your approach, as this problem is commonly couched in terms of RoI for security, which is a paradox. My only suggestion is to think broader than IT, thus perusing models that finance or marketing departments use.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Systems Architect, Security
Pima Community College
-----Original Message-----
From: Jim Webb [mailto:jtwebb () NGCSU EDU]
Sent: Friday, June 23, 2006 10:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Quantitative Risk Analysis?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I was wondering if anyone out there might have any good info to share concerning Quantitative Risk Analysis models. Namely:

1. Is anyone currently using a Quantitative model to do assessment (FIPS/ALE)? If so, do you feel that this has garnered any significant benefits or burdens over qualitative modeling? Do you prefer one method over another and if so why?

2. Has anyone wrestled with the establishment of empirical cost basis for "intangibles" such as primary & secondary losses from reputation/brand damage?

I greatly appreciate any information/guidance offered concerning this.

many thanks,
- -Jim

- --
=====================================================
James Webb
Network Security Officer
Department of I.I.T
North Georgia College & State University
phone: 706-864-1922
email: jtwebb () ngcsu edu
http://www.ngcsu.edu/adminsrv/infotech/infosec/

"Never let the future disturb you. You will meet it, if you have to, with the same weapons of reason which today arm you against the present."
- -Marcus Aurelius

PGP Public Key: http://tinyurl.com/737x7
=====================================================
~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (OpenBSD)

iD8DBQFEnCVNFU5MyueE6uIRAkrpAJ95YM64agE+bD5RrdZVw9i2ABhbuACeKEI2
kuVfX5oDO4PwYy8yLeE/I4c=
=RdWB
-----END PGP SIGNATURE-----