Risk Assessment


Category: Science and Technology

Date Submitted: 01/15/2016 10:59 PM


Risk assessment assigns a risk rating or score to each information asset. It is a process of discovering, correcting, and preventing security problems, and it is designed to provide appropriate levels of security for information systems. It can also help each agency determine the acceptable level of risk and the resulting security requirements for each system.

Likelihood

Likelihood is typically used to refer to events that have a reasonable probability of occurring but are not definite or may be influenced by factors not yet observed or measured. In risk assessment, you assign a numeric value to likelihood, rating whether the threat is high or low. We can use a numeric value between 0.1 (low) and 1.0 (high). You could also choose to use a number between 1 and 100.

Many asset/vulnerability combinations have sources for likelihood, for example:

* The likelihood of a fire has been estimated actuarially for each type of structure.

* The likelihood that any given e-mail contains a virus or worm has been researched.

* The number of network attacks can be forecast based on how many assigned network addresses the organization has.

Risk Determination determines the possible risk.

For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty, as illustrated in Figure 4-7. For example:

* Information asset A has a value score of 50 and has one vulnerability. Vulnerability 1 has a likelihood of 1.0 with no current controls. You estimate that assumptions and data are 90 percent accurate.

* Information asset B has a value score of 100 and has two vulnerabilities: Vulnerability 2 has a likelihood of 0.5 with a current control that addresses 50 percent of its risk; vulnerability 3 has a likelihood of 0.1 with no current controls. You estimate that assumptions and data are 80 percent accurate.
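The formula above can be applied to the two example assets as a small ranked worksheet. This is an added example, not part of the original essay; it assumes that both percentages are taken of the likelihood times value product and that uncertainty is 100 percent minus the stated accuracy, and the names Finding, risk_score and rank are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vulnerability: str
    value: int           # asset value (impact) score
    likelihood: float    # 0.1 (low) to 1.0 (high), the scale used above
    controlled_pct: int  # share of the risk that current controls address
    accuracy_pct: int    # confidence in the assumptions and data


def risk_score(f: Finding) -> float:
    """Likelihood x value, minus the controlled share, plus uncertainty.

    Assumption: both percentages apply to the likelihood x value product,
    and uncertainty is 100 minus the stated accuracy.
    """
    if not 0.1 <= f.likelihood <= 1.0:
        raise ValueError(f"likelihood {f.likelihood} is outside 0.1-1.0")
    for name, pct in (("controlled_pct", f.controlled_pct),
                      ("accuracy_pct", f.accuracy_pct)):
        if not 0 <= pct <= 100:
            raise ValueError(f"{name}={pct} is outside 0-100")
    uncertainty_pct = 100 - f.accuracy_pct
    base = f.value * f.likelihood
    return round(base * (100 - f.controlled_pct + uncertainty_pct) / 100, 2)


def rank(findings):
    """Return (score, finding) pairs, highest relative risk first."""
    scored = [(risk_score(f), f) for f in findings]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


# The asset/vulnerability pairs from the example above.
WORKSHEET = [
    Finding("B", "Vulnerability 3", 100, 0.1, 0, 80),
    Finding("A", "Vulnerability 1", 50, 1.0, 0, 90),
    Finding("B", "Vulnerability 2", 100, 0.5, 50, 80),
]

if __name__ == "__main__":
    for score, f in rank(WORKSHEET):
        print(f"Asset {f.asset} / {f.vulnerability}: {score}")
```

Because the scores are relative, their use is in the ordering: the pair at the top of the ranked list is the first candidate for additional controls.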

The...