risk to the organization, and probability is the likelihood that an attack against the assets will occur.
Figure 12-6 Risk Assessment Components
(Figure: Risk Assessment at the center, with its three components, Severity, Probability, and Control, around it.)
Risk assessments should explain the following:
■ What assets to secure
■ The monetary value of the assets
■ The actual loss that would result from an attack
■ The severity and the probability that an attack against the assets will occur
■ How to use security policy to control or minimize the risks
In many cases, security costs can be justified by describing the loss of productivity or revenue that could occur during security incidents.
Generally, network systems are built with just enough security to reduce potential losses to a reasonable level. However, some organizations have higher security requirements, such as meeting PCI DSS, SOX, or HIPAA obligations, so they need to employ stronger security mechanisms.
Risk Index
A risk index is used to consider the risks of potential threats. The risk index is based on the risk assessment components (factors):
■ Severity of loss if the asset is compromised
■ Probability of the risk actually occurring
■ Ability to control and manage the risk
One approach to determining a risk index is to give each risk factor a value from 1 (lowest) to 3 (highest). For example, a high-severity risk would have a substantial impact on the user base and/or the entire organization. Medium-severity risks would have an effect on a single department or site. Low-severity risks would have limited impact and would be relatively straightforward to mitigate.
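The following is an added worked example, not code from the book, showing how the 1-to-3 scoring of the three factors can be applied to a small register of threats and used to rank them. The book does not give the combining formula on this page; the example assumes index = (severity × probability) / control, so that a stronger ability to control a risk lowers its index. The threat names and scores are constructed sample data, and the mapping from impact scope (organization, department or site, limited) to a severity value follows the descriptions in the text.

```python
"""Risk index calculator (added example, not the book's own code).

Each threat is scored on the three risk assessment factors, each on the
1 (lowest) to 3 (highest) scale the chapter describes:
  severity    - severity of loss if the asset is compromised
  probability - probability of the risk actually occurring
  control     - ability to control and manage the risk

ASSUMPTION: the page does not give a combining formula. This example uses
    index = (severity * probability) / control
so a high ability to control a risk lowers its index. The index therefore
ranges from 1/3 (minimum) to 9 (maximum).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Severity derived from the scope of impact described in the text.
SEVERITY_BY_SCOPE = {
    "organization": 3,  # high: the user base and/or the entire organization
    "department": 2,    # medium: a single department or site
    "site": 2,
    "limited": 1,       # low: limited impact, straightforward to mitigate
}


def severity_from_scope(scope: str) -> int:
    """Map an impact scope ("organization", "department", "site", "limited") to 1..3."""
    try:
        return SEVERITY_BY_SCOPE[scope.lower()]
    except KeyError:
        raise ValueError(f"unknown impact scope: {scope!r}") from None


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int
    probability: int
    control: int

    def __post_init__(self) -> None:
        # Reject scores outside the 1..3 scale so a typo cannot skew the ranking.
        for field in ("severity", "probability", "control"):
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 3:
                raise ValueError(f"{field} must be an integer in 1..3, got {value!r}")


def risk_index(threat: Threat) -> float:
    """Assumed formula: (severity * probability) / control."""
    return (threat.severity * threat.probability) / threat.control


def rank_threats(threats: Iterable[Threat]) -> List[Threat]:
    """Highest index first; ties broken alphabetically for a stable report."""
    return sorted(threats, key=lambda t: (-risk_index(t), t.name))


def report(threats: Iterable[Threat]) -> List[Tuple[str, float]]:
    """Return (name, index) pairs in ranked order, index rounded to 2 places."""
    return [(t.name, round(risk_index(t), 2)) for t in rank_threats(threats)]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Threat("Internet-facing web server defacement", severity_from_scope("organization"), 3, 2),
    Threat("Branch site WAN link outage", severity_from_scope("site"), 2, 3),
    Threat("Unpatched printer firmware", severity_from_scope("limited"), 3, 3),
    Threat("Loss of customer database", severity_from_scope("organization"), 1, 1),
]

if __name__ == "__main__":
    for name, index in report(SAMPLE_REGISTER):
        print(f"{index:5.2f}  {name}")
```

Note that the ranking is not the same as sorting by severity alone: in the sample register the database loss is high severity but has a low probability and no mitigating control, while the web server has the same severity, a high probability, and only a partial control, so it ranks first. Whatever formula an organization adopts, the scores should be revisited whenever new controls are deployed, since the control factor is the one the security policy directly changes.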