RE: Risk Assessment



This is a significant part of the CISSP certification material.
The three basic variables are the Threat (how likely is this
attack -- annualized rate of occurrence), the Exposure (how
vulnerable to it are we -- percentage) and the Asset (how valuable
is the thing to be protected -- dollars). A countermeasure whose
annual cost is less than the calculated Annualized Expectation of
Loss is considered a viable investment.
Although Exposure can only range between 0 and 100%, the annualized
rate of occurrence for some threats has no trouble exceeding 1. And
far too many companies don't discover the value of information assets
or business-critical systems until a loss actually occurs....

David Gillett
CISSP CCNP CCSE


-----Original Message-----
From: timpacalypse@xxxxxxxxx [mailto:timpacalypse@xxxxxxxxx]
Sent: Thursday, May 18, 2006 7:33 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Risk Assessment

This is quickly becoming one of my favorite sites ever.

Anyway, I posted a message in the Focus on Microsoft List
about securing FE/BE Communications in Exchange. I was
presented with many options. And with all of those options
was a common theme. Risk assessment.

I know that people make entire careers out of risk
assessment. But I was wondering if anyone could point me to
a source that gives a general outline how to quantitatively
calculate risk so that something can be presented to
management in the form of numbers. It'll be nice to come to
someone with something more concrete than..."well, it could happen."

Oh yeah, I don't have an IDS or anything so it's not like I
can go to them and say this is how many times we get scanned, etc.
