Quantifiable Risk Assessments lack clarity

Discussion in 'other security issues & news' started by Sherif Mansour, Nov 13, 2005.

Thread Status:
Not open for further replies.
  1. Sherif Mansour (Registered Member, joined Nov 13, 2005, 10 posts)
    Hi all,

    I have been doing some research for Business Impact Analysis (BIA) as well as risk assessments; I went through material for CISSP, DRI, and ISO17799, as well as other books (including the Economics of Information Security). I have yet to find a decent and CLEAR way of conducting quantifiable risk assessments.

    Here is where I am having problems:
    The SLE (Single Loss Expectancy) is usually the result of the BIA... OK, great, so how do you come up with the Exposure Factor (SLE = Asset Value x EF)?
    What stats do you use (http://www.securitystats.com/)? I feel so much of this is subjective. An example would be the Annualized Rate of Occurrence (ARO). I was surprised at the lack of resources available on this subject/detail. A lot of people use software to get these calculations, but I still need to know the underlying algorithms and concepts for calculating these issues.

    Any economist or IT manager can develop his own ideas on the values of these assets and risks. I want to know about case studies and what the generally accepted methodology of risk assessments in IT is. It does not seem to be set, or is obscure at any rate.

    Let me know what you guys think
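The arithmetic the post is asking about is small, but it is worth seeing end to end, including the step the question hints at: how much the answer moves when the estimated inputs move. The following is an added example, not code from the original thread or from any of the tools mentioned in it. It implements the standard CISSP-style formulas (SLE = AV x EF, ALE = SLE x ARO, and safeguard value = ALE before - ALE after - annual cost of the safeguard) and then sweeps EF and ARO over a range of plausible estimates to show the spread in ALE. All asset values, exposure factors and rates in it are constructed for illustration, not figures from any source.

```python
"""
Quantitative risk assessment arithmetic, CISSP-style, with a sensitivity sweep.

    SLE = AV * EF                     (Single Loss Expectancy)
    ALE = SLE * ARO                   (Annualized Loss Expectancy)
    safeguard value = ALE_before - ALE_after - ACS

where ACS is the annual cost of the safeguard. Added example; every number
below is a constructed illustration, not a published statistic.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing with the three estimated inputs."""
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of AV lost per incident (0..1)
    aro: float              # expected incidents per year


def aro_from_interval(years_between_incidents: float) -> float:
    """'Once every N years' expressed as an Annualized Rate of Occurrence."""
    if years_between_incidents <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_incidents


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF. EF must be a fraction, not a percentage."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE * ARO."""
    return single_loss_expectancy(s.asset_value, s.exposure_factor) * s.aro


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus what the control costs.
    Positive means the control pays for itself on these estimates."""
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_cost)


def ale_sensitivity(asset_value: float, ef_range, aro_range):
    """Min and max ALE over every combination of the candidate EF and ARO values.
    This is the honest answer to 'how subjective is this': the spread, not one number."""
    ales = [annualized_loss_expectancy(Scenario(asset_value, ef, aro))
            for ef, aro in product(ef_range, aro_range)]
    return min(ales), max(ales)


# Constructed scenario: a customer-facing server worth 1,000,000 (replacement plus
# business interruption), a compromise estimated to destroy 25% of that value,
# expected once every two years. The hypothetical safeguard cuts the rate to
# once in ten years and costs 30,000 per year to run.
BEFORE = Scenario(asset_value=1_000_000, exposure_factor=0.25, aro=aro_from_interval(2))
AFTER = Scenario(asset_value=1_000_000, exposure_factor=0.25, aro=aro_from_interval(10))
SAFEGUARD_ANNUAL_COST = 30_000

if __name__ == "__main__":
    print(f"SLE:             {single_loss_expectancy(BEFORE.asset_value, BEFORE.exposure_factor):,.0f}")
    print(f"ALE before:      {annualized_loss_expectancy(BEFORE):,.0f}")
    print(f"ALE after:       {annualized_loss_expectancy(AFTER):,.0f}")
    print(f"Safeguard value: {safeguard_value(BEFORE, AFTER, SAFEGUARD_ANNUAL_COST):,.0f}")
    lo, hi = ale_sensitivity(1_000_000, ef_range=(0.1, 0.25, 0.5), aro_range=(0.1, 0.5, 1.0))
    print(f"ALE spread over plausible EF/ARO estimates: {lo:,.0f} .. {hi:,.0f}")
```

On the constructed inputs the single number comes out as an ALE of 125,000 and a safeguard worth 70,000 a year, but the sweep over three EF guesses and three ARO guesses spans 10,000 to 500,000. Reporting that range alongside the point estimate is the practical way to keep the subjectivity visible instead of hiding it behind one figure.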
     
  2. ghost16825 (Registered Member, joined Feb 1, 2005, 84 posts)
    NIST Special Publication 800-30 http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf might also have some information to help you out. I hear software is the preferred way to perform automated Quantifiable RAs, but you're right, statistical data seems to be hard to come by. Performing a Quantifiable RA is labour intensive, even with software. I guess performing the more subjective Qualitative RA is out of the question?
     
  3. Sherif Mansour (Registered Member, joined Nov 13, 2005, 10 posts)
    Hey, thanks Ghost,

    I got some documentation from SANS, and Cert.org had some interesting methods... but I think I'm going for C&A Systems Security Ltd's COBRA tool.
    I don't know if it's the most comprehensive software tool, but it's definitely the easiest and quickest way I found. The idea would be to generate the report and use its recommendations and countermeasures as part of the final report. It also has an ISO17799 compliance tool with it (which will also be included in the assessment).

    http://www.riskworld.net/
    Let me know what you think of that tool if you have already come across it.

    Kind Regards
     