Sherif Mansour
November 13th, 2005, 05:41 AM
Hi all,
I have been doing some research for Business Impact Analysis (BIA) as well as risk assessments; I went through material for CISSP, DRI, and ISO17799, as well as other books (including the Economics of Information Security). I have yet to find a decent and CLEAR way of conducting quantifiable risk assessments.
Here is where I am having problems:
The SLE (Single Loss Expectancy) is usually the result of the BIA... ok great, so how do you come up with the Exposure Factor (SLE = Asset Value x EF)?
What stats do you use (http://www.securitystats.com/)? I feel so much of this is subjective. An example would be the Annualized Rate of Occurrence (ARO)??? I was surprised at the lack of resources available on this subject/detail. A lot of people use software to get these calculations, but I still need to know the underlying algorithms and concepts for calculating these issues.
Any economist or IT manager can develop his own ideas on the values of these assets and risks. I want to know about case studies and what the generally accepted methodology of risk assessments in IT is. They do not seem to be set, or are obscure at any rate.
Let me know what you guys think
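As an added worked example (not part of the forum post, and not any of the referenced study material's own code), the following Python script carries the CISSP-style quantitative formulas the post asks about through a complete calculation: SLE = AV x EF, ALE = SLE x ARO, an ARO estimate from counted incident history, the net value of a safeguard, and a corner-case sensitivity check that makes the subjectivity of EF and ARO visible as a range rather than a single number. Every asset value, exposure factor, rate and safeguard cost in it is a constructed illustration, not data from the post.

```python
"""Quantitative risk assessment arithmetic (SLE, ALE, safeguard value).

Added example, not from the forum post. All numbers used in the
demonstration at the bottom are constructed illustrations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against one asset, with the three inputs the formulas need."""
    name: str
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of AV lost in a single incident (0..1)
    annual_rate: float       # ARO: expected number of incidents per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a fraction, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1 (several incidents a year) or be < 1."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def aro_from_incident_history(incident_count: int, years_observed: float) -> float:
    """One defensible way to get an ARO: incidents counted over an observation window.

    Example: 3 incidents in 6 years of logs gives ARO = 0.5 (one every two years).
    """
    if years_observed <= 0:
        raise ValueError("observation window must be positive")
    return incident_count / years_observed


def threat_ale(threat: Threat) -> float:
    """Convenience wrapper: ALE for a Threat record."""
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.annual_rate)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost of control.

    A positive result means the control saves more than it costs per year.
    """
    return (ale_before - ale_after) - annual_cost


def ale_sensitivity(asset_value: float, ef_range: tuple, aro_range: tuple) -> tuple:
    """ALE at the low and high corners of the EF and ARO uncertainty ranges.

    Because EF and ARO are estimates, reporting the spread between the
    optimistic and pessimistic corners is more honest than one point value.
    """
    ef_lo, ef_hi = ef_range
    aro_lo, aro_hi = aro_range
    low = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_lo), aro_lo)
    high = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_hi), aro_hi)
    return low, high


if __name__ == "__main__":
    # Constructed illustration: a file server worth 200,000, a threat that
    # destroys 40% of its value per incident, expected once every two years.
    t = Threat("data loss on file server", asset_value=200_000.0,
               exposure_factor=0.4, annual_rate=aro_from_incident_history(3, 6))
    before = threat_ale(t)
    # A constructed safeguard (e.g. tested offsite backups) that cuts ARO of
    # an actual loss to 0.1 and costs 15,000 per year to operate.
    after = threat_ale(Threat(t.name, t.asset_value, t.exposure_factor, 0.1))
    print(f"SLE   = {single_loss_expectancy(t.asset_value, t.exposure_factor):,.0f}")
    print(f"ALE   = {before:,.0f}  (before safeguard)")
    print(f"ALE   = {after:,.0f}   (after safeguard)")
    print(f"value = {safeguard_value(before, after, 15_000.0):,.0f} per year")
    lo, hi = ale_sensitivity(t.asset_value, (0.2, 0.6), (0.25, 1.0))
    print(f"ALE range over EF/ARO uncertainty: {lo:,.0f} .. {hi:,.0f}")
```

The sensitivity function is the part that addresses the "so much of this is subjective" complaint directly: rather than defending a single EF or ARO, document the range you believe each lies in and show the resulting ALE spread, so a decision about a safeguard can be tested against the pessimistic corner as well as the expected value.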