Risk assessment is also known as risk analysis or risk calculation. For the sake of uniformity, we will use risk assessment as the term of choice for this discussion. Risk assessment deals with the threats, vulnerabilities, and impacts of a loss of information capabilities or a loss of the information itself. A vulnerability is a weakness that could be exploited by a threat. Each risk that can be identified should be outlined, described, and evaluated for the likelihood of its occurring. The key here is to think outside the box: conventional threats and risks are often too limited a view when conducting a risk assessment.
The key components of an assessment process are outlined here:
Risks to which the organisation is exposed: This component allows you to develop scenarios that help you evaluate how to deal with these risks if they occur. An operating system, server, or application may have known risks in certain environments. You should create a plan for how your organisation will deal with these risks and the best way to respond.
Risks in need of addressing: The risk-assessment component also allows an organisation to perform a reality check on which risks are real and which are unlikely. This process helps an organisation focus its resources on the risks that are most likely to occur. For example, industrial espionage and theft are likely, whereas the risk of a hurricane damaging a server room in another state or country is very low. Therefore, more resources should be allocated to preventing espionage or theft than to the latter possibility.
Coordination with BIA: The risk-assessment component, in conjunction with the business impact analysis (BIA), provides an organisation with an accurate picture of the situation facing it. It allows an organisation to make intelligent decisions about how to respond to various scenarios.
Computing Risk Assessment
When you are doing this assessment, one of the most important things to do is prioritise. Not everything should be weighed evenly, because some events have a greater likelihood of happening. In addition, a company can accept some risks, whereas others would be catastrophic for the company.
For the purpose of risk assessment, both in the real world and for the exam, you should familiarise yourself with a number of terms used to determine the impact an event could have:
- ALE is the annual loss expectancy value. This is a monetary measure of how much loss you could expect in a year.
- SLE is another monetary value, and it represents how much you expect to lose at any one time: the single loss expectancy. SLE can be divided into two components:
  - AV (asset value)
  - EF (exposure factor), the fraction of the asset value lost in a single occurrence
- ARO is the likelihood, often drawn from historical data, of an event occurring within a year: the annualised rate of occurrence.
When you compute the risk assessment, remember this formula:
SLE x ARO = ALE
As an example, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of £1,000 and that there will be seven such occurrences a year (ARO = 7), then the ALE is £7,000. Conversely, if there is only a 10 percent chance of an event occurring within a one-year period (ARO = 0.1), then the ALE drops to £100.
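The following Python block is an added example, not part of the original notes: it carries the SLE = AV × EF and SLE × ARO = ALE calculation through in code, reproducing the £1,000 / ARO 7 / ARO 0.1 figures above, and then uses ALE to rank several risks so that the prioritisation point made earlier (espionage or theft versus the unlikely hurricane) becomes a sortable number. The asset values, exposure factors and ARO figures for the named risks are constructed for illustration, and the `Risk` class and `rank_by_ale` helper are this example's own names.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One identified risk with the quantitative inputs the notes define."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction (0..1) of AV lost in one occurrence
    aro: float              # ARO: expected occurrences per year (may be < 1)

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks so the largest expected yearly loss comes first.

    This is the prioritisation step: resources go to the top of this list,
    not to whichever scenario sounds most dramatic.
    """
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def worked_example() -> List[tuple]:
    """Reproduce the figures from the notes plus two constructed risks."""
    # The notes' example: AV and EF chosen so that SLE = 1,000 (constructed split).
    frequent = Risk("notes example, ARO = 7", asset_value=10_000, exposure_factor=0.1, aro=7)
    rare = Risk("notes example, ARO = 0.1", asset_value=10_000, exposure_factor=0.1, aro=0.1)

    # Constructed figures for the prioritisation discussion (illustrative only).
    theft = Risk("industrial espionage / theft", asset_value=50_000, exposure_factor=0.2, aro=2)
    hurricane = Risk("hurricane hits remote server room", asset_value=200_000,
                     exposure_factor=1.0, aro=0.01)

    return [(r.name, r.sle(), r.ale()) for r in rank_by_ale([frequent, rare, theft, hurricane])]


if __name__ == "__main__":
    for name, sle, ale in worked_example():
        print(f"{name:40s} SLE = {sle:10,.2f}  ALE = {ale:10,.2f}")
```

Note that the hurricane has by far the largest single loss expectancy, yet its ALE is small because the ARO is low; ranking by ALE rather than by SLE is what turns the "think outside the box" list of scenarios into a defensible spending order.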
Quantitative vs. Qualitative Risk Assessment
Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending on whether you are focusing on currency amounts. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualised rate of occurrence (ARO) are all based on assessments that lead to currency amounts and are thus quantitative.
To understand the difference between quantitative and qualitative, it helps to use a simple example. Imagine that you get an emergency call to help a small company that you have never heard of before. It turns out that their one and only server has crashed and that their backups are useless. One of the lost files was the only copy of the company's history. This file detailed the company from the day it began to the present day and held the various iterations of the mission statement as it changed over time. As painful a loss as this file represents to the company's culture, it has nothing to do with filling orders and keeping customers happy, and thus its loss is qualitative in nature.
Another loss was the customer database. This held customer contact information as well as the history of all past orders, charge numbers, and so on. The company cannot function without this file, and it needs to be re-created by pulling all of the hard-copy invoices from storage and re-entering them into the system. This loss can be calculated from the amount of business lost and the amount of time it takes to find and re-enter all the data, and thus it is a quantitative loss.