Written on January 2, 2007
The following series represents lecture material that I’ve used from time to time in discussing the problem of IT Risk Management. I’ll be providing this material on my blog as a series of information related to the topic.
***
This week we explored the variable dimensions of “measuring” security. Security is a feeling, a perception, a degree of confidence in the controls and countermeasures we’ve introduced to mitigate or eliminate the risk of exploitation. “Security” is therefore relatively hard to measure. As in our example earlier in the week, how secure is secure?
This course focuses on two general risk assessment methodologies: PARA (Practical Application of Risk Analysis) and FRAP (Facilitated Risk Analysis Process). PARA is quantitative, whereas FRAP is qualitative. PARA is traditionally practiced with a key set of metrics:
Exposure Factor (EF) is the percentage of loss a realized threat event would inflict on a specific asset. It is used to calculate the SLE and ALE.
Single Loss Expectancy (SLE) is the monetary amount assigned to the loss from a single event. It is calculated as follows: Asset Value ($) * Exposure Factor (EF) = SLE.
Annualized Loss Expectancy (ALE) is the monetary amount that represents the annually expected loss to an organization from a threat and is calculated as follows: SLE * ARO = ALE.
I also added a few more metrics into the mix:
Maximum Tolerable Downtime (MTD): The maximum length of time a business function can be discontinued without causing irreparable harm to the business. Business functions associated with customer service and billing often have the shortest MTDs.
Recovery Point Objective (RPO): In a disaster you will generally lose data. The Recovery Point Objective is the time (relative to the disaster) to which you plan to recover your data. For example, if you take overnight backups, the recovery point objective will often be the end of the previous day’s activity.
Recovery Time Objective (RTO): The time period after a disaster at which business functions need to be restored. Different business functions may have different recovery time objectives. For example, the recovery time objective for the payroll function may be two weeks, whereas the recovery time objective for sales order processing may be two days.
Metrics give management a quantitative understanding of risk, usually one that can be expressed in dollar terms so that countermeasures can be evaluated in the same light. PARA’s underlying principle: the expense to safeguard an asset should not exceed the value of the asset. Let’s do a PARA example:
The Sacramento, California office is located in a 20-year earthquake zone. Once every 20 years, it is estimated that an earthquake of magnitude 6.0 or greater on the Richter scale will strike the facility, likely causing damage to the facility and computer equipment; management assumes losses to computer assets could be estimated at 20%. As a countermeasure, the company has purchased insurance with $18,000.00/year annual premiums that increase 5% every year. Calculate SLE and ALE, and each of their subcomponents; show all of your work. Come to a conclusion: is the insurance premium a reasonable safeguard as measured against the threat of an earthquake? Explain your answer.
Asset Value (AV) = Total cost of the asset being evaluated, in book value.
Exposure Factor (EF) = Often just an estimate; the percentage of the Asset Value at risk if the vulnerability is exploited.
SLE (Single Loss Expectancy) = AV x EF
Therefore, SLE = $320,000 x 20% = $64,000. A single incident in which an earthquake took place would cost the company an estimated $64,000.
ARO (Annualized Rate of Occurrence) = Expected frequency of the vulnerability being exploited within one year. Therefore, ARO = 1/20 years, a 0.05 probability that an earthquake happens in any given year.
ALE (Annualized Loss Expectancy) is the evaluation of the risk of financial loss in annualized dollars; certainly the company cannot expect to lose $64,000 every year, as such an earthquake is projected to have only a 1 in 20 chance of happening in a given year. Therefore, we multiply SLE * ARO to arrive at a more accurate annualized figure: $3,200.
Extending this reasoning out, over the course of a single year the company shouldn’t pay more than $3,200 to safeguard the asset at its current cost, since both the value of the loss and the probability of loss are reasonably low.
In this case study, the organization is paying yearly insurance premiums of $5,000, and every year the premium will increase by $250. Over the course of the policy (presumed 20 years), annual premiums will double to $10,000 by year 20; at year 1, the organization is overpaying insurance premiums by $1,800/year; at year 20, the organization is overpaying by $6,800/year. We could conclude that the policy should be rewritten to accommodate a more accurate picture of financial risk.
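The SLE/ALE arithmetic and the premium-versus-ALE comparison worked above, as an added Python example (not part of the original lecture): the `ParaInputs` structure and the function names are my own, the dollar figures are the case study's, and the schedule helper also accepts the 5%-per-year compounding escalation mentioned in the problem statement.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ParaInputs:
    asset_value: float      # AV: book value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost when the threat is realized (0.0 to 1.0)
    events_per_year: float  # ARO: expected occurrences per year (1/20 for a 20-year event)

def single_loss_expectancy(p: ParaInputs) -> float:
    """SLE = AV * EF: the loss from one realized event, rounded to cents."""
    return round(p.asset_value * p.exposure_factor, 2)

def annualized_loss_expectancy(p: ParaInputs) -> float:
    """ALE = SLE * ARO: expected loss per year, the ceiling for a safeguard's annual cost."""
    return round(single_loss_expectancy(p) * p.events_per_year, 2)

def safeguard_schedule(base: float, years: int, increment: float = 0.0,
                       growth_rate: float = 0.0) -> list[float]:
    """Yearly safeguard cost, year 1 = base. Each later year first compounds by
    growth_rate (0.05 for +5%/year), then adds the fixed increment (250 for +$250/year),
    so both escalation styles mentioned in the case study can be modelled."""
    costs, cost = [], float(base)
    for _ in range(years):
        costs.append(round(cost, 2))
        cost = cost * (1.0 + growth_rate) + increment
    return costs

def evaluate_safeguard(p: ParaInputs, schedule: list[float]) -> list[tuple[int, float, float]]:
    """Per-year (year, cost, cost - ALE); a positive last value is overpayment against ALE."""
    ale = annualized_loss_expectancy(p)
    return [(year, cost, round(cost - ale, 2)) for year, cost in enumerate(schedule, start=1)]

def safeguard_is_reasonable(p: ParaInputs, schedule: list[float]) -> bool:
    """PARA's underlying principle: no year's safeguard cost should exceed the ALE."""
    return all(overpay <= 0 for _, _, overpay in evaluate_safeguard(p, schedule))

if __name__ == "__main__":
    # Figures from the lecture's case study (hypothetical, as in the original).
    quake = ParaInputs(asset_value=320_000, exposure_factor=0.20, events_per_year=1 / 20)
    premiums = safeguard_schedule(5_000, years=20, increment=250)
    print(f"SLE ${single_loss_expectancy(quake):,.2f}  ALE ${annualized_loss_expectancy(quake):,.2f}")
    for year, cost, overpay in evaluate_safeguard(quake, premiums):
        print(f"year {year:2d}: premium ${cost:,.2f}  over ALE by ${overpay:,.2f}")
    print("reasonable safeguard?", safeguard_is_reasonable(quake, premiums))
```

Swapping `increment=250` for `growth_rate=0.05` and a base of 18,000 evaluates the premium terms given in the problem statement instead of those used in the worked answer.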
Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, an MCSE, and a Master’s degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.
Thanks, Uma – keep checking back in for more lectures and content!
Uma Kolandai says:
Comment posted on: January 5, 2007
Hi Mr. Mickler,
I just read your lecture on Risk Management and thought it was great.
I loved the example on risk assessment that made the subject very clear.
Thank you.
Uma Kolandai