RE: Getting the value of an asset and the probability of a risk to it



Craig -

That's awesome. I wanted to do something like that and get a Masters in Statistics. I have an undergrad degree in Economics, but my calculus is rusty.

What's the recommended math background for such a degree?

Mark Pokorni
CIRT
Engineering and Deployment
IO - Central Infrastructure Management (CIM)
Accenture
mark.pokorni@xxxxxxxxxxxxx
Chicago, 161 N. Clark St.


-----Original Message-----
From: Craig Wright [mailto:Craig.Wright@xxxxxxxxxx]
Sent: Tuesday, May 20, 2008 8:53 PM
To: Pokorni, Mark; krymson@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx; Rivestp@xxxxxxxx; Jon.Kibler@xxxxxxxx; sergio.castro@xxxxxxxxxx; smalm@xxxxxxxxxxx
Subject: RE: Getting the value of an asset and the probability of a risk to it


I am completing a Masters in Statistics at Newcastle Uni at the moment. In particular I am looking at statistical measures of risk and security. The paper is due for this one at the end of the year. I have also done some work in fraud analysis (and anti-money laundering) and I am presenting a paper on this topic in Sydney next week at a data mining conference. The paper is on Exploratory Data Visualisation.

Back in 1999/2000 I started on this path as I (my company at the time) was trying to create an early SIEM. With the crash the VC's (vulture capitalists) pulled out as they could not see that a SIEM would have value. No foresight.

I have also done some 6sigma and SAS training.

I am an academic junkie. I help keep universities viable by remaining enrolled and adding to their fees by remaining a perpetual student. There is a strong statistical component in both Economics and Physics as well.

Regards,
Craig


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.

Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator@xxxxxxxxxxx

BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
-----Original Message-----

From: mark.pokorni@xxxxxxxxxxxxx [mailto:mark.pokorni@xxxxxxxxxxxxx]
Sent: Wednesday, 21 May 2008 3:19 AM
To: Craig Wright; krymson@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx; Rivestp@xxxxxxxx; Jon.Kibler@xxxxxxxx; sergio.castro@xxxxxxxxxx; smalm@xxxxxxxxxxx
Subject: RE: Getting the value of an asset and the probability of a risk to it

So where did you pick up statistical analysis with an LLM?

Mark Pokorni
CIRT
Engineering and Deployment
IO - Central Infrastructure Management (CIM)
Accenture
mark.pokorni@xxxxxxxxxxxxx
Chicago, 161 N. Clark St.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Craig Wright
Sent: Friday, May 16, 2008 7:31 PM
To: krymson@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx; Rivest, Philippe; Jon Kibler; Sergio Castro; Sheldon Malm
Subject: RE: Getting the value of an asset and the probability of a risk to it


Quantitative risk requires statistics.

It is not hard to do as long as you have the maths. The difficulties are missing values (requiring longitudinal data analysis and multivariate methods) and incomplete risk profiling (requiring Bayesian methods).

The risk is a survival function with compounding time factors (heteroscedasticity).

Pulling a number "out of your ass" is qualitative. If another cannot recalculate the same value, it is qualitative and NOT quantitative. Quantitative methods are not based in subjectivity.

Why this is not commonly done in IT risk assessment (BASEL II DOES require a qualitative risk assessment):
- Lack of math skills in IT people
- SAS and other quant people earn more (2.5-3x) the IT salaries

A good quant in a hedge fund can earn $300-500k US without too much trouble. This type of person rarely cares to do IT security. Hence few people who are statisticians AND security people.

Hence few quantitative risk reviews.

Some standards (BASEL II, GLBA) have requirements for quantitative risk. This is mainly banks, hedge funds etc. Few others can afford it.

The large ones do some. The smaller ones issue fake numbers more than not.

As for being delusional, that is for anyone who trusts a qualitative assessment where people pull numbers. These assess perceived risk - these do not assess risk. There is a distinction.

Qualitative = Perceived risk
Quantitative = Risk (within confidence bounds)

ncircle IP360 does nothing of the sort. ncircle IP360 is fluffy qualitative assessment.

You need to feed all the data you can and do a little dimensionality reduction, letting the numbers choose the factors and including the errors.

If you want to start learning how:
http://rem.ph.ucla.edu/rob/rm/new/index.html

To answer John;
"Bottom line: I personally do not believe that it is possible to do a quantitative risk assessment and anyone who thinks otherwise either does not understand today's risk environment, or is delusional."

No, the opposite. Qualitative risk is for those who like to think they know. The data is far too complex to be assessed by ANY person and requires computational methods. I have yet to see a qualitative assessment that when compared to a REAL quantitative one comes close. The issue being many naive qualitative methods that are falsely called quantitative.

Look at ARO, ALE etc. This relies on a risk calculation. The likelihood of an event for the type of organisation. The ONLY way to do this is to use survival analysis with multivariate analysis taking compounding factors into account. The issue is that people pull a figure out of their proverbial, as was stated. ANY addition of non-quantitative data makes the ENTIRE calculation qualitative. ALE is ONLY a quant measure if the likelihood calcs are completed using hazard factors and survival calcs.

The difficulty is the cost. I have seen PCA, PLS, SIR and k-dimensional factorisation for 80+ dimensions that can take a few weeks of computer time and this costs $. Look at the rates of C++ programmers with quant skills. The question is why use these skills for security risk when market risk pays $600-$800 an hour. Even at the security risk calcs, few want to pay. My charge rate for this is $370 ex tax. For 80 hours plus work per system, the cost of the process is often greater than the asset value and risk for smaller firms.

However, once done, the model generally only needs to be updated yearly with the principal 5-6 components accounting for over 98% of risk by asset. This leaves an error of 1-2% which is not material for most organisations.

Regards,
Dr Craig Wright (GSE-Compliance)


Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@xxxxxxxxxx
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

-----Original Message-----

From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of krymson@xxxxxxxxx
Sent: Saturday, 17 May 2008 6:11 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Getting the value of an asset and the probability of a risk to it

Fine, I'm biting.

You've hit the area of a quantitative (or other) assessment that makes many people wonder why we bother. Both B and D in your list are pretty subjective, and the best you can hope for is consistency in your valuation, rather than accuracy. You would think a quantitative assessment is rooted only in fact, but it still is rooted in belief, although often based on experience and maybe public data. But still, it always still has roots in being just a guess that no two analysts will always agree on.

B) For the asset value, pretend the asset is no longer present. Then figure out the pain caused by that loss.

value = cost of replacement + lost value until fixed
cost of replacement = hardware + software + time-hours
lost value until fixed = business loss (sorry, not my area to determine that, but typically the accounting teams need to be involved) + productivity loss (typically on a per day measure)

Now, how do you REALLY determine all those values? You estimate and guess or you find the last time the incident occurred and ask how much it cost.


D) Risk probability is done in two ways, I believe.

First: You still subjectively pull a number out of your ass and call it the probability that the event will occur that year. This is very common. :)

Second: You take public or internally generated data and guesstimate based on that. If the event has happened 5 times in the last 5 years, the probability will be 1 (yes, it will happen once this year).

Also, make sure to avoid thinking in terms of partial loss. Either the asset is available or it is not. Saying it is kinda half there will burn you out quickly. :)

In my opinion (and obviously I am not a dedicated auditor or strategic risk assessor), this is sufficient for everyone except large companies in the Fortune 50 range. And any of those leftover 50 should have standards already in place to guide their shee...workers.



<- snip ->
A) I know that first you need to identify your assets
B) Then you have to identify the asset value for the enterprise (first problem)
C) Then you have to identify the risks that your assets have
D) You have to identify the impact and probability of these risks (my main question is how to do this)
E) You then have to calculate the risk per asset which is clear to me.

Stages B and D are unclear as to HOW you assign a value to a server, computer asset, data and so on. Also how/what would you use to identify the probability of a risk.




This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.




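The two threads of the discussion above, krymson's asset-value formula (value = cost of replacement + lost value until fixed) and Craig Wright's point that a likelihood is only quantitative when it comes from a hazard/survival model reported within confidence bounds, can be put together in a small worked calculation. The following is an added example, not code from any participant in the thread. It assumes the simplest survival model, a constant hazard (homogeneous Poisson process), and computes an exact Garwood interval for the annual rate of occurrence from a constructed incident history using only the standard library. The cost figures and the "5 incidents in 5 years" history are constructed sample data; the class and function names are the example's own.

```python
"""Annual loss expectancy (ALE) with confidence bounds on the rate of occurrence.

Added example for the thread above. Model: constant hazard, so the survival
function is S(t) = exp(-lambda * t) and the yearly event count is Poisson(lambda).
All cost and incident figures are constructed sample data.
"""
import math
from dataclasses import dataclass


@dataclass
class AssetCosts:
    """Inputs for the single loss expectancy, following the thread's formula:
    value = cost of replacement + lost value until fixed."""
    hardware: float
    software: float
    rebuild_hours: float
    hourly_rate: float
    business_loss_per_day: float
    productivity_loss_per_day: float
    days_to_restore: float

    def single_loss_expectancy(self) -> float:
        replacement = self.hardware + self.software + self.rebuild_hours * self.hourly_rate
        lost_value = (self.business_loss_per_day + self.productivity_loss_per_day) * self.days_to_restore
        return replacement + lost_value


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu); terms evaluated in log space for stability."""
    if mu <= 0.0:
        return 1.0
    total = sum(math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1)) for i in range(k + 1))
    return min(total, 1.0)


def _solve_mu(cdf_target: float, k: int, lo: float, hi: float, iters: int = 200) -> float:
    """Bisection for mu such that poisson_cdf(k, mu) == cdf_target (CDF decreases in mu)."""
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if poisson_cdf(k, mid) > cdf_target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def rate_interval(events: int, exposure_years: float, confidence: float = 0.95):
    """Exact (Garwood) confidence interval for the annual rate given `events` in
    `exposure_years`. Returns (lower, point_estimate, upper) in events per year."""
    alpha = 1.0 - confidence
    hi = events + 10.0 * math.sqrt(events + 1) + 20.0  # generous bracket for bisection
    # Lower bound: P(X >= events | mu_L) = alpha/2, i.e. P(X <= events-1) = 1 - alpha/2.
    lower_mu = 0.0 if events == 0 else _solve_mu(1.0 - alpha / 2.0, events - 1, 0.0, hi)
    # Upper bound: P(X <= events | mu_U) = alpha/2.
    upper_mu = _solve_mu(alpha / 2.0, events, 0.0, hi)
    point = events / exposure_years
    return lower_mu / exposure_years, point, upper_mu / exposure_years


def prob_at_least_one(rate: float, years: float = 1.0) -> float:
    """1 - S(t): probability of at least one event within `years` under constant hazard.
    A rate of 1.0 per year gives about 0.632, not certainty."""
    return 1.0 - math.exp(-rate * years)


def annual_loss_expectancy(costs: AssetCosts, events: int, exposure_years: float,
                           confidence: float = 0.95) -> dict:
    """ALE = SLE x ARO, with the ARO interval carried through to the ALE."""
    sle = costs.single_loss_expectancy()
    lower, aro, upper = rate_interval(events, exposure_years, confidence)
    return {
        "sle": sle,
        "aro": aro,
        "ale": sle * aro,
        "ale_low": sle * lower,
        "ale_high": sle * upper,
        "p_event_this_year": prob_at_least_one(aro),
    }


if __name__ == "__main__":
    # Constructed sample data: one server, 5 outage incidents observed over 5 years.
    server = AssetCosts(hardware=8000, software=2000, rebuild_hours=16, hourly_rate=150,
                        business_loss_per_day=20000, productivity_loss_per_day=5000,
                        days_to_restore=2)
    result = annual_loss_expectancy(server, events=5, exposure_years=5.0)
    for key, value in result.items():
        print(f"{key:>18}: {value:,.2f}")
```

The point estimate reproduces the "5 in 5 years gives ARO 1" figure from the thread, but the 95% interval on the rate runs from roughly 0.32 to 2.33 events per year, so the ALE carries the same spread; with only five observations the bounds, not the point estimate, are the honest answer. Replacing the constant-hazard assumption with a fitted survival curve (as the thread recommends for real data) changes `rate_interval` and `prob_at_least_one` but leaves the cost side untouched.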


