Re: Risk Assessment Modelling

Subject: Re: Risk Assessment Modelling
Date: Fri, 20 Aug 2004 21:30:47 -0700
In-Reply-To: <20040809122759.7177.qmail@www.securityfocus.com>

At 19/08/2004 03:40 AM, atlantis 1 wrote:
> Hi All,
>
> Thanks very much to those of you who had replied to my earlier message on IT
> Risk Assessment Model. I have developed a conceptual model for risk analysis
> in the past few days, and wanted to get your inputs/opinions.
>
> The Model is based on:
>
> 1) Threats that are associated with an asset
> 2) The current control capabilities.

What do you mean by "current control capabilities"?  Do you mean controls that 
are currently in place, the controls that are available to be implemented, 
controls that the organization can afford to implement, technological controls 
only???? 

> I am calculating an Inherent Risk Value for individual threats based on the
> Probability of Occurrence of the threat, and the Severity of impact. (for this
> purpose, I am using a scale of 1 to 4, 1 being Low & 4 being Severe). I use a
> Sum of Squares approach (sum of squares of probability & Severity) to
> calculate the Inherent Risk Value.

Why did you select a 1-to-4 ranking?  Most numerical scales tend to be a 5-step 
or 10-step ranking for ease of comprehension and for added granularity.  

Am also curious as to why you selected a "sum of squares" for this 
"calculation"?  Would not a weighted scale be a better indicator?

> Subsequently, I also evaluate the current control capability (segregating
> between Preventive & Corrective/Detective controls) to mitigate/address the
> threat (scale of 0 to 4, 0 being no control available, and 4 being highest
> level of control). Again, I use a sum of squares approach to determine the
> control capability value.

Why do you "segregate" the controls?  A correction is, by definition, a 
"preventative" control.  Likewise for a "detective" control...

> The Inherent Risk Value minus the Current Control Capability is the Residual
> Risk, for which I have defined threshold levels and accordingly graded risk as
> Low, Medium, High or Severe.

I think you are quite confused here.  

An inherent risk, by definition, is a risk that exists or could be realized 
PRIOR to the implementation of any controls.  A residual risk, by definition, 
is the minimized or mitigated risk that exists or could be realized AFTER 
controls have been implemented.

Also, how are you mapping the numeric ranking you "calculate" to being high, 
medium or low?  What range of values would map to each level?

> Based on this approach, I would have individual residual risk rating for each
> threat scenario that would apply to the asset.
>
> I would like feedback on the approach that I have adopted, and whether the
> same is acceptable as part of the BS7799 Certification process.
> Inputs/comments would be much appreciated.

I think you are needlessly (and incorrectly) re-inventing the wheel.  The 
frameworks, processes, equations, etc., for risk assessment, rankings, etc., 
are already well established in the IT audit, BCP, risk management and related  
communities.  I would strongly suggest you do some research at the ISACA 
(www.isaca.org) site and save yourself a lot of time and effort.

Regards
Andrew.
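The model quoted above, carried through on a few constructed threat scenarios. This is an added illustration and not code from either participant in the thread; it implements the scoring exactly as the original poster describes it (sum of squares for both the inherent risk and the control capability, residual = inherent minus control) so that the two objections raised in the reply can be seen on concrete numbers. The Low/Medium/High/Severe thresholds are an assumption, since the thread never states them, and the threat names and scores are constructed sample input.

```python
"""Risk-scoring model from the quoted message, applied to constructed scenarios.

Added example, not part of the original thread. The grading thresholds are an
ASSUMPTION (the poster says thresholds exist but does not give them).
"""
from dataclasses import dataclass

# Scales as stated in the quoted message.
PROB_MIN, PROB_MAX = 1, 4   # probability of occurrence: 1 = Low .. 4 = Severe
SEV_MIN, SEV_MAX = 1, 4     # severity of impact: same 1..4 scale
CTRL_MIN, CTRL_MAX = 0, 4   # control capability: 0 = no control .. 4 = highest

# ASSUMED grading bands on the residual score (not given in the thread).
# With sum of squares the inherent score spans 2..32 (1+1 .. 16+16) and the
# control score spans 0..32, so the residual can range from -30 to 32.
RESIDUAL_GRADES = [
    (8, "Low"),
    (16, "Medium"),
    (24, "High"),
    (float("inf"), "Severe"),
]


@dataclass(frozen=True)
class Threat:
    """One threat scenario against an asset, with its four 1..4 / 0..4 scores."""
    name: str
    probability: int
    severity: int
    preventive: int   # preventive control score
    detective: int    # corrective/detective control score


def _check(value, lo, hi, label):
    """Reject scores outside the scale so a typo cannot silently skew a rating."""
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{label} must be an integer in {lo}..{hi}, got {value!r}")
    return value


def inherent_risk(probability: int, severity: int) -> int:
    """Inherent Risk Value: sum of squares of probability and severity."""
    p = _check(probability, PROB_MIN, PROB_MAX, "probability")
    s = _check(severity, SEV_MIN, SEV_MAX, "severity")
    return p * p + s * s


def control_capability(preventive: int, detective: int) -> int:
    """Current Control Capability: sum of squares of the two control scores."""
    cp = _check(preventive, CTRL_MIN, CTRL_MAX, "preventive")
    cd = _check(detective, CTRL_MIN, CTRL_MAX, "detective")
    return cp * cp + cd * cd


def residual_risk(t: Threat) -> int:
    """Residual Risk as the poster defines it: inherent minus control capability."""
    return inherent_risk(t.probability, t.severity) - control_capability(t.preventive, t.detective)


def grade(residual: int) -> str:
    """Map a residual score to a band using the ASSUMED thresholds above."""
    for upper, label in RESIDUAL_GRADES:
        if residual <= upper:
            return label
    return RESIDUAL_GRADES[-1][1]


# Constructed sample scenarios (not from the thread).
SAMPLE_THREATS = [
    Threat("malware on file server", probability=3, severity=4, preventive=2, detective=3),
    Threat("unpatched web application", probability=4, severity=4, preventive=1, detective=1),
    Threat("power outage", probability=2, severity=3, preventive=4, detective=4),
    Threat("rare but catastrophic", probability=1, severity=4, preventive=0, detective=0),
    Threat("frequent but trivial", probability=4, severity=1, preventive=0, detective=0),
]


def assess(threats):
    """Return (name, inherent, control, residual, grade) for each scenario."""
    rows = []
    for t in threats:
        inh = inherent_risk(t.probability, t.severity)
        ctl = control_capability(t.preventive, t.detective)
        res = inh - ctl
        rows.append((t.name, inh, ctl, res, grade(res)))
    return rows


if __name__ == "__main__":
    for name, inh, ctl, res, g in assess(SAMPLE_THREATS):
        print(f"{name:28s} inherent={inh:3d} control={ctl:3d} residual={res:4d} -> {g}")
```

Two things stand out in the output. The "power outage" row shows the subtraction producing a negative residual (13 - 32 = -19), which the grading bands have to absorb somehow; a residual risk below zero has no meaning in the inherent/residual vocabulary the reply points to. The last two rows show that a sum of squares is symmetric in probability and severity, so a rare-but-catastrophic threat and a frequent-but-trivial one score identically (1 + 16 = 16 + 1 = 17), which is the kind of distinction a weighted scale would preserve.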
