Risk management (CISSP)

Regarding risk assessment
As the basis of risk management, risk assessment is an important way for an organization to determine its information security needs, and it belongs to the planning process of the organization's information security management system. Its main tasks include:
1. identifying the various factors that constitute the risk;
2. assessing the likelihood and impact of the risk, and from these assessing the level or magnitude of the risk;
3. determining the organization's capacity to tolerate risk;
4. determining the strategies, objectives, and priorities for risk reduction and control; and
5. recommending risk reduction countermeasures for implementation.

Risk analysis method
1. Quantitative risk assessment: a method that attempts to analyze and evaluate security risks and their constituent factors numerically.
2. Qualitative risk assessment: relying on the analyst's experience and intuition, or on industry standards and practices, to qualitatively grade the size or level of the risk management elements.

The difference between quantitative and qualitative
1. Quantitative analysis: the process of using risk calculations to predict economic losses and the likelihood of each threat occurring.
2. Qualitative analysis: instead of calculations, it relies more on opinions and scenarios, and uses a rating method to assess the criticality level of each risk.

Quantitative analysis concept
1. Exposure Factor (EF): the percentage of an asset's value that is lost when a specific threat is realized against that asset, i.e. the degree of loss.
2. Single Loss Expectancy (SLE), also called SOC (Single Occurrence Cost): the potential loss caused by a single occurrence of a specific threat.
3. Annualized Rate of Occurrence (ARO): the number of times the threat is expected to occur within one year.
4. Annualized Loss Expectancy (ALE), also called EAC (Estimated Annual Cost): the expected value of the loss of a particular asset within one year.

Quantitative analysis process
1. Identify assets and assign a value to each asset.
2. Assess threats and vulnerabilities, and evaluate the impact of a specific threat on a specific asset, that is, the EF (a value between 0% and 100%).
3. Estimate the frequency of the specific threat, that is, the ARO.
4. Calculate the asset's SLE: SLE = Asset Value * EF (single loss expectancy = asset value * exposure factor).
5. Calculate the asset's ALE: ALE = SLE * ARO (annualized loss expectancy = single loss expectancy * annualized rate of occurrence).

Examples of quantitative analysis process
1. The asset value of a data warehouse is 150,000 US dollars. A fire would destroy about 25% of the data warehouse's value, so the SLE is US $37,500 (asset value 150,000 * exposure factor 25% = 37,500).
2. If a data warehouse fire may cause a loss of US $37,500 and the ARO of the fire is 0.1 (meaning it occurs once every 10 years), then the ALE is US $3,750 (37,500 * 0.1 = 3,750).
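The quantitative process above, carried through in code as an added example (not part of the original post): a small constructed risk register containing the page's data-warehouse fire plus two made-up scenarios, with SLE and ALE computed per step 4 and 5 and the scenarios ranked by ALE to set risk-reduction priorities. It also shows why ranking by ALE rather than SLE matters: a frequent, low-impact threat can outrank a rare, high-impact one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One asset/threat pair holding the inputs collected in steps 1 to 3."""
    asset: str
    threat: str
    asset_value: float  # step 1: value assigned to the asset (US dollars)
    ef: float           # step 2: exposure factor as a fraction, 0.0 .. 1.0
    aro: float          # step 3: annualized rate of occurrence (events per year)

    def __post_init__(self) -> None:
        # EF is defined as a value between 0% and 100%; ARO and value cannot be negative.
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must be between 0 and 1, got {self.ef}")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a threat expected once every N years (once per 10 years -> 0.1)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def sle(s: ThreatScenario) -> float:
    """Single Loss Expectancy: asset value * exposure factor."""
    return s.asset_value * s.ef


def ale(s: ThreatScenario) -> float:
    """Annualized Loss Expectancy: SLE * ARO."""
    return sle(s) * s.aro


def rank_by_ale(scenarios: list[ThreatScenario]) -> list[tuple[str, str, float, float]]:
    """Rows of (asset, threat, SLE, ALE) ordered by ALE, highest first."""
    rows = [(s.asset, s.threat, sle(s), ale(s)) for s in scenarios]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed register: the page's fire example plus two hypothetical scenarios.
REGISTER = [
    ThreatScenario("data warehouse", "fire", 150_000, 0.25, aro_from_interval(10)),
    ThreatScenario("data warehouse", "ransomware", 150_000, 0.60, 0.05),
    ThreatScenario("web server", "DDoS outage", 40_000, 0.10, 2.0),
]

if __name__ == "__main__":
    for asset, threat, s_val, a_val in rank_by_ale(REGISTER):
        print(f"{asset:15} {threat:12} SLE=${s_val:>10,.2f}  ALE=${a_val:>10,.2f}")
```

With these figures the DDoS scenario (SLE $4,000, ALE $8,000) ranks above the fire (SLE $37,500, ALE $3,750), which is the point of annualizing the loss.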

How to deal with risks
Generally, companies know that they face risks. There are four basic ways to deal with risk: transfer, avoidance, mitigation, and acceptance.

About risk assessment
1. Qualitative analysis methods are currently the most widely used. They are very subjective: based on the analyst's experience and intuition, or on industry standard practices, the size or level of the risk management elements is classified qualitatively, for example as "high", "medium", or "low".
2. Qualitative analysis can be carried out in various ways, including group discussion (such as the Delphi method), checklists, questionnaires, personnel interviews, surveys, etc.
3. Qualitative analysis is relatively easy to carry out, but it may also produce inaccurate results because of differences in the operators' experience and intuition.
4. Compared with quantitative analysis, qualitative analysis is somewhat better in accuracy but insufficient in precision, while quantitative analysis is the opposite; qualitative analysis does not carry the calculation burden of quantitative analysis, but it requires the analyst to have a certain level of experience and ability.
Origin blog.csdn.net/qq_43207781/article/details/105451202