Network Security CISSP-Discussion

Re: [CISSP-D] Control types?

Subject: Re: [CISSP-D] Control types?
Date: Mon, 29 Nov 2004 22:02:45 -0800



On Nov 29, 2004, at 19:57, Alberto Rivai wrote:

> I think we should understand the goals of each control method --
> Preventive : Avoid occurrence
> Detective : Identify occurrence
> Corrective : Remedy circumstances, restore control
> Deterrent : Discourage violations
> Recovery : restore resources, capabilities
> Compensating : alternative control
>
> Fire suppression is preventive because it lessens the damage from the
> fire. Although fire suppression takes place after the fire happened, it
> fits the objective of control as countermeasure, which is to minimize
> the risk to an acceptable level for the organization. There are no
> definitive guides to those types of controls, because each method can
> be part of other control types.

Thanks, that's helpful - in my words, fire suppression systems 
prevent/limit the extent of the loss.  Got it.

> For the ARO value the range can be from 0 which is never to 1 which is
> always.
> If a virus attack happens all the time in a company, then the ARO
> value for a virus attack is 1.
> What does it mean? It means the value of the safeguards you should
> put in the company per year is the same as the value of the SLE
> itself.
>
> Example:
> Asset value for a file server is $100,000
> Exposure factor for the file server 50 %
> Then the SLE : 50% * $100,000 == $50,000
> To calculate ALE == ARO * SLE
>
> If the ARO == 1 then the ALE == 1 * $50,000 == $50,000
> It means you should spend $50,000 or less per year for the
> countermeasure to be efficient.

This still seems wrong to me.  Take your file server example, and 
assume that we're talking about, say, a RAM failure.  Say this actually 
occurs an average of once a year.  Punching the numbers:

Value is $100,000 (pricey server!)
EF is 50%
SLE is $50,000
ARO is 1
ALE = 1 * $50,000 = $50,000

Check.

NOW say that for server B, the actual rate of incident of RAM failure 
is once every three months.

Per your perspective, the above calculation is identical.  The 
conclusion is that your ALE can never be greater than your SLE, and 
that replacing that RAM four times during the year (avg.) cost you 
exactly the same amount in loss or mitigation as replacing it once per 
year.

My perspective is that ARO for the second scenario should be 4.  Run 
the numbers again:
Value is $100,000 (too much for a server with crappy RAM!)
EF is 50%
SLE is $50,000
ARO is 4
ALE = 4 * $50,000 = $200,000

Now you have an accurate reflection of the loss expectancy - the server 
that fails four times a year is going to cost you (or is worth paying 
to avoid) four times as much as the server that fails only once.

The *probability* that each server will fail during a year is, indeed, 
1.  The *frequency* expectation that the server will fail is 1 for the 
first server, and 4 for the second.  I thought ARO was about frequency 
(annualized RATE of occurrence), not probability (annualized likelihood 
that ANY failure will occur)?

Ok, finally, y'all have driven me to look up the ISC2 definition of ARO:

"This term characterizes, on an annualized basis, the frequency with 
which a threat is expected to occur.  For example, a threat occurring 
once in ten years has an ARO of 1/10 or 0.1; a threat occurring 50 
times in a given year has an ARO of 50.0.  The possible range of 
frequency values is from 0.0 (the threat is not expected to occur) to 
some whole number whose magnitude depends on the type and population of 
threat sources.  For example, the upper value could exceed 100,000 
events per year for minor, frequently experienced threats such as 
misuse of resources..."

"It is useful to note here that many confuse ARO or frequency with the 
term and concept of probability (defined below). While the statistical 
and mathematical significance of these metrics tend to converge at 
about 1/100 and become essentially indistinguishable below that level 
of frequency or probability, they become increasingly divergent above 
1/100, to the point where probability stops -- at 1.0 or certainty -- 
and frequency continues to mount undeterred, by definition."


So they said it better than I did.  ;)  I'm gonna make the call that 
the Meyers book is wrong.  Actually, so is ISC2, because there's no 
reason to think that the ARO will ever be a "whole number", but I get 
their drift.

KeS 
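The SLE/ALE arithmetic from the thread, worked through for both file servers, as an added example that is not part of the original message. The functions and the Poisson model used to contrast frequency (ARO) with probability are assumptions of this example, not anything the thread or ISC2 defines.

```python
import math


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor (EF given as a fraction 0.0-1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = ARO * SLE.  ARO is a frequency (events per year), so it may
    legitimately exceed 1, as in the ARO=4 server below."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def probability_of_at_least_one(aro: float) -> float:
    """Probability that the threat occurs at least once in a year.

    Assumption (mine, not the thread's): occurrences follow a Poisson
    process with rate ARO, so P(>=1 event) = 1 - exp(-ARO).  This value is
    capped at 1.0 while ARO keeps growing, which is the divergence the
    ISC2 definition describes; below about 1/100 the two nearly coincide.
    """
    return 1.0 - math.exp(-aro)


def max_justified_annual_spend(ale_before: float, ale_after: float) -> float:
    """Upper bound on a countermeasure's yearly cost: the ALE it removes.
    Spending more than this per year costs more than the loss it prevents."""
    return max(0.0, ale_before - ale_after)


if __name__ == "__main__":
    sle = single_loss_expectancy(100_000, 0.50)  # $50,000 per failure
    # Constructed figures from the thread: server A fails once a year,
    # server B (the one with bad RAM) four times a year.
    for label, aro in (("server A", 1.0), ("server B", 4.0)):
        ale = annualized_loss_expectancy(sle, aro)
        print(f"{label}: ARO={aro}, ALE=${ale:,.0f}, "
              f"P(at least one failure)={probability_of_at_least_one(aro):.3f}")
    # Frequency and probability are nearly the same at low rates:
    print(f"ARO 0.01 -> P(>=1)={probability_of_at_least_one(0.01):.5f}")
    # If replacing the RAM module brings server B down to server A's rate:
    print(f"Worth up to ${max_justified_annual_spend(4 * sle, 1 * sle):,.0f}/yr")
```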
