Answers

 

David H

Management Systems & Compliance Manager


When calculating information asset risk, does the formula C x I x A x (T xV) work?

C = Confidentiality
I= Integrity
A = Availability
T = Threat
V = Vulnerability

posted July 18, 2007 in Information Security | Closed

Good Answers (3)

 

Javed I

Chief Security Officer at zSquad (http://www.zsquad.com), a Boston-based Information Security Consulting Company


This was selected as Best Answer

David:
In a way, it does, but it is not intuitive. Suppose you have a database of PHI that requires very high C.I.A. protection. If you cannot assign 'value' to the assets, all you will get is relative measures (system A is more at risk than system B).

But is system A more valuable to you than system B? Maybe T x V for B is too low, but because of the nature of the data, you cannot accept any risk for it. So C x I x A x T x V will give you a wrong estimate.

So to calculate risk, you need to first classify your assets from a business impact angle. Then apply the formula to see the relative risks.

posted July 18, 2007

 

Paul M

Manager of Information Security at Priority Health


Risk implies a level of value attributed to information assets. And any formula used to calculate risk needs to incorporate at least the value of the target asset. In my opinion, however, calculating the value of an asset should be situational, and the CIA triad is a good starting point for that.

For instance, you may have some system or body of information where the risk to the business is low if that asset is unavailable but extremely high if its confidentiality is breached. Also, things like threat and vulnerability change across the CIA triad. For example, you may have assets where the vulnerability of the asset's integrity is very low (due to encryption, etc.), but the vulnerability of its availability is very high (due to being on a public network, subject to DoS).

In short, I don't think that this formula works all that well for calculating risk valuation, but you're on the right track.

posted July 19, 2007

 

Yinal O

Principal Architect , New York


Hi David,
I agree with the previous comments. Quantitative risk calculation can only get serious when you define your input variables in detail. The C x I x A x T x V formula you have mentioned will give you some numbers, like any other combination, based on your definitions of availability, vulnerability, etc., but I do not recommend using this formula. You need to add the probability and the impact components of vulnerabilities for a better calculation (if they are not a part of your vulnerability definitions).

If it is possible, I recommend using a proven risk management framework. Even in this scenario you need to set your definitions and customize the framework. (A good start: http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf)

Basically, asset risk can be calculated from the answers to the following questions (from the infosec handbook):
What could happen? (What is the threat?)
How bad could it be? (What is the impact or consequence?)
How often might it happen? (What is the frequency?)
How certain are the answers to the first three questions? (What is the degree of confidence?)

Here is a more common approach with which you can formulate your risk calculation at a high level:
Asset: Target of protection
Asset Value (AV): Cost or replacement cost of your assets
Exposure Factor (EF): Percentage of asset value that might be lost if things go wrong
Single Loss Expectancy (SLE): Money lost if the risk happens; SLE = Asset Value (AV) x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO): This is the frequency element of risk (number of repetitions of a risk factor in a unit of time, usually a year); for example, the probability of a major flood vs. an operator typing a wrong password is different.
The Annualized Loss Expectancy (ALE): When you multiply your expected loss by the frequency, you get the cost of risk on an asset over a one-year period; ALE = SLE x ARO

A Google search on these keywords (ale aro sle) brings out several examples.

As I have stated above, even the most quantitative method is relative, but the attempt to normalize and measure risk is a very good start. Let me know if you have a specific question.

regards,
- yinal ozkan

posted July 21, 2007
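A worked version of the AV / EF / SLE / ARO / ALE calculation from the answer above, added here as an example; it is not code from any answer in this thread. Every asset, value, exposure factor, rate and classification in it is constructed. It also applies the "classify first, then apply the formula" ordering from the first answer (a RESTRICTED class whose risk is not accepted regardless of the money ranking) and, for comparison, the C x I x A x T x V product from the question on 1-5 inputs, to show that the product ranks assets but carries no currency unit.

```python
"""Worked AV/EF/SLE/ARO/ALE calculation with a classify-first ordering.

Added example for this thread, not code from any of the answers. Every asset,
value, exposure factor, rate and classification below is constructed.
"""
from dataclasses import dataclass

RESTRICTED = "restricted"  # classification whose risk the business will not accept


@dataclass(frozen=True)
class Scenario:
    """One loss scenario (a threat realised against one asset)."""
    asset: str
    threat: str
    asset_value: float        # AV: replacement or business value, in currency units
    exposure_factor: float    # EF: fraction of AV lost if the threat is realised (0-1)
    aro: float                # ARO: expected occurrences per year
    classification: str = "internal"  # business-impact class, decided before any scoring

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def rank_by_ale(scenarios):
    """Scenarios ordered from largest to smallest ALE (pure money ranking)."""
    return sorted(scenarios, key=lambda s: s.ale(), reverse=True)


def treatment_order(scenarios):
    """Classify first, then rank: RESTRICTED assets are treated regardless of
    where the money ranking puts them; the rest are ordered by ALE."""
    restricted = [s for s in scenarios if s.classification == RESTRICTED]
    others = [s for s in scenarios if s.classification != RESTRICTED]
    return rank_by_ale(restricted) + rank_by_ale(others)


def cia_tv_score(c, i, a, t, v):
    """The C x I x A x T x V product from the question, on 1-5 ordinal inputs.
    The result is only a relative measure: it carries no currency unit."""
    for name, x in (("C", c), ("I", i), ("A", a), ("T", t), ("V", v)):
        if not 1 <= x <= 5:
            raise ValueError(f"{name} must be on the 1-5 scale")
    return c * i * a * t * v


# Constructed sample inputs (not real figures).
SCENARIOS = [
    Scenario("PHI database", "record breach", 2_000_000, 0.60, 0.05, RESTRICTED),
    Scenario("public web server", "DoS outage", 150_000, 0.30, 4.0),
    Scenario("office file share", "ransomware", 80_000, 0.90, 0.5),
]


def main():
    print(f"{'asset':20} {'SLE':>12} {'ARO':>6} {'ALE':>12}")
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.asset:20} {s.sle():12,.0f} {s.aro:6.2f} {s.ale():12,.0f}")
    print("ALE ranking:      ", [s.asset for s in rank_by_ale(SCENARIOS)])
    print("Treatment order:  ", [s.asset for s in treatment_order(SCENARIOS)])
    # The same two systems on the question's scale: the products rank them,
    # but say nothing about how much money is at stake.
    print("PHI db score:     ", cia_tv_score(5, 5, 3, 2, 2))
    print("web server score: ", cia_tv_score(1, 2, 5, 5, 4))


if __name__ == "__main__":
    main()
```

With these constructed figures the pure ALE ranking puts the noisy web server (ALE 180,000) ahead of the PHI database (ALE 60,000), while the treatment order keeps the PHI database first because of its classification; that is the gap between a relative score and a business-impact decision that the first answer describes.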

More Answers (3)

 

Michael S. B

Information Security Professional


What are your measurements for each of these variables? Are they based upon judgments and represent a scale, or are they cardinal numbers that are consistently generated based upon repeatable processes?

posted July 18, 2007

 

Michael S

Information security survivor


Risk is a term that is used in many science disciplines, and we change its formula at our peril. Risk is generally defined as:

Risk = Expected frequency of loss X expected magnitude of loss.

Fortunately, there is an Information Security framework based on the above formula. It is called Factor Analysis of Information Risk. I have linked to a website that has a good white paper.


posted July 18, 2007

 

Jim B

Director of Information Technology, CNA


Well, it depends on what you call "working."

Any attempt to reduce a multi-faceted issue to a single score "works" only if it can help shed light on something worth pursuing that you might have missed otherwise.

If any of it is based on arbitrarily assigned scores (vs. real measurements), or if there's not an organizational agreement on how to determine the scores, or if someone would use it as a reason for ignoring a security issue, I'd say it doesn't work.

posted July 19, 2007