Re: Risk Assessment/Management - OCTAVE

From: Fred Cohen (
Date: 10/31/05

  • Next message: Joshua Berry: "RE: Risk Assessment/Management"
    Date: Mon, 31 Oct 2005 12:34:33 -0800

    My big problems with OCTAVE are that it largely relies on
    non-enumerable lists and the expertise of the person applying it, has
    lots of detail and rigor and precision, but no accuracy that I can
    find, and it is entirely technical in orientation and ignores most of
    the vital element of business decision-making that is the core of risk
    management. I should also mention that it completely ignores the idea
    of risk transfer and avoidance in favor of mitigation and acceptance,
    and as such is fairly unrealistic in terms of outcomes. It is also
    very hard to explain to executive management (the CEO) who has to
    actually make these decisions.

    On Oct 31, 2005, at 10:48 AM, Simon Borduas wrote:

    > Hi Mark,
    > As far as real-life, down-to-earth methodology goes, I really like the
    > OCTAVE approach. It will take you by the hand and assist you to make
    > your RA like an expert ;)
    > And the best thing about it... it's totally free.
    > On 29 Oct 2005 at 18:02, Mark Brunner wrote:
    >> I am looking for a tool, template or clear example of how to
    >> perform a Risk Assessment, and then manage the mitigation or
    >> acceptance of risk. I've read a lot of the available information
    >> regarding the theory, methodologies and strategy, but am having a
    >> real hard time taking the concepts and applying them to real world
    >> items. I've boiled my risk assessment effort down to 5 key
    >> questions to start with for ease of creating some kind of matrix
    >> (spreadsheet for now).
    >> For instance, I try to use the following:
    >> 1. What are the resources - Information & Information Systems -
    >> I'm actually interested in protecting?
    >> Easy enough to figure out which are the critical items once an
    >> inventory is made and relationships are established.
    >> 2. What is the value of those resources, monetary or otherwise?
    >> Easy enough to get the replacement costs of hardware, software,
    >> config time, etc. but how do you valuate the data? Based on time
    >> and effort to recreate?
    >> 3. What are all the possible threats that those resources face?
    >> Where can I get a compendium of risks to apply to each item for a
    >> Yes/No response?
    >> 4. What is the likelihood of those threats being realized?
    >> Am I supposed to GUESS at this? How to quantify?
    >> 5. What would be the impact of those threats on my business or
    >> personal life, if they were realized?
    >> Easy enough to figure out, based on criticality and function.
    >> I would appreciate any assistance offered. I'm floundering...
    >> Thanks,
    >> Mark
    > --
    > Simon Borduas, CISSP
    > Chief Security Officer / Chef de la sécurité
    > HyperTec Group / Groupe HyperTec
    > Tel: (514) 745.4540 x 5740
    > Fax: (514) 745.0937

    -- This communication is confidential to the parties it is intended
    to serve --
    Fred Cohen & Associates / Security Posture / Security Management
    Partners / University of New Haven
    tel/fax: 925-454-0171
    572 Leona Drive, Livermore, CA 94550
