CBK#3 Security Management Practices - Page 2

Quantitative Approach:
Attempts to assign real numbers to the costs of countermeasures and the amount of damage that can take place.
Provides concrete probability percentages when determining the likelihood of threats and risks.
Purely quantitative risk analysis is not possible because the method is attempting to quantify qualitative items.

Steps in risk analysis -
- Assign value to information and assets
- Estimate potential loss per risk
- Perform a threat analysis
- Derive the overall loss potential per risk
- Choose remedial measures to counteract each risk
- Reduce, assign or accept the risk

Calculating risks -
EF (Exposure Factor) = Percentage of asset loss caused by an identified threat.
SLE (Single Loss Expectancy) = Asset value * Exposure Factor
ARO (Annualized Rate of Occurrence) = Estimated frequency with which a threat will occur within a year.
ALE (Annualized Loss Expectancy) = Single Loss Expectancy * Annualized Rate of Occurrence

Qualitative Approach:
Walk through different scenarios of risk possibilities and rank the seriousness of the threats and the sensitivity of the assets.
Procedures in performing the scenario:
- A scenario is written that addresses each major threat
- The scenario is reviewed by business unit managers for a reality check
- The RA team recommends and evaluates the various safeguards for each threat
- The RA team works through each finalized scenario using a threat, asset and safeguard.
- The team prepares their findings and submits them to management.

Delphi Technique:
A group decision method used to ensure that each member of a group gives an honest opinion of what he or she thinks the outcome of a particular risk will be.

Calculating countermeasures and risk:
Value of safeguard to the company = (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard)
Total risk = threats * vulnerability * asset value
Residual risk = (threats * vulnerability * asset value) * control gap
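Worked example of the quantitative formulas above (SLE, ALE, value of safeguard, residual risk). This is code added to this summary, not part of the original notes; the asset value, exposure factors, rates and safeguard cost are constructed sample figures.

```python
"""Worked example (added here, not from the original CISSP summary) of the
quantitative risk formulas: SLE, ALE, safeguard value and residual risk.
All monetary and probability figures below are constructed sample values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # value assigned to the asset
    exposure_factor: float  # EF: fraction of the asset lost per incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """SLE = asset value * EF (loss from a single incident)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """ALE = SLE * ARO (expected loss per year)."""
        return self.sle() * self.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = ALE before - ALE after - annual cost of safeguard.
    A negative result means the control costs more than the loss it avoids."""
    return ale_before - ale_after - annual_cost


def residual_risk(threats: float, vulnerability: float, asset_value: float,
                  control_gap: float) -> float:
    """Residual risk = (threats * vulnerability * asset value) * control gap,
    where control gap is the fraction of total risk the controls leave open."""
    total_risk = threats * vulnerability * asset_value
    return total_risk * control_gap


# Constructed scenario: a 200,000 asset; one threat destroys 40% of it per
# incident and is expected twice a year. A safeguard costing 15,000 per year
# lowers EF to 5% and ARO to once a year.
before = Risk(asset_value=200_000, exposure_factor=0.40, aro=2.0)
after = Risk(asset_value=200_000, exposure_factor=0.05, aro=1.0)
SAFEGUARD_ANNUAL_COST = 15_000

if __name__ == "__main__":
    print(f"SLE before: {before.sle():,.0f}  ALE before: {before.ale():,.0f}")
    print(f"SLE after:  {after.sle():,.0f}  ALE after:  {after.ale():,.0f}")
    print(f"Value of safeguard: "
          f"{safeguard_value(before.ale(), after.ale(), SAFEGUARD_ANNUAL_COST):,.0f}")
    # Treating ARO as 'threats' and EF as 'vulnerability', 10% of the risk remains.
    print(f"Residual risk: {residual_risk(2.0, 0.40, 200_000, 0.10):,.0f}")
```

With these figures the safeguard is worth 135,000 a year to the company, so it passes the cost/benefit test the notes describe.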

Handling Risk:
Transfer risk -> Purchase insurance.
Reduce risk -> Implement countermeasures.
Reject risk -> Deny that the risk exists or ignore it.
Accept the risk -> The company understands the level of risk it is under and the cost of the damage that is possible, and decides to live with it.

CISSP Summary 2002

Contact:

E-mail: john.wallhoff@mailbox.swipnet.se
Written by: J.Wallhoff January - April 2002
Updated by: J.Wallhoff April 2002