Table 5.5 Cost of Asset Loss and Recovery

| Loss | Loss $ | Recovery | Recovery $ |
|---|---|---|---|
| Asset | Asset book value | Recover | Cost of recovering stolen asset, e.g., private investigation |
| Business loss | Lost revenue, goodwill, customers, trust, stock value | Restore | Cost to restore business function/operations; cost to restore equipment |
| Asset | Cost to replace | Replace | Cost to replace equipment |

organization competes against companies that may benefit from stealing its intellectual property. These competitors have both private and state-sponsored backing with relatively high means, method, and motivation, again contributing to a high threat probability level.
Table 5.5 provides a framework to calculate the cost of asset loss and recovery. Total business impact of loss equals (asset book value + business loss + cost of recovery + cost of restoration + cost of replacement). When a particular total business loss is zero, good business practice is to record the fact that it is zero and why. This maintains a record of conscious omission of mitigation and avoids any claims of omission by oversight.
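As an added example (not from the original text), the Table 5.5 total can be computed so that the record-keeping rule is enforced: a zero entry is accepted only with a recorded reason, and a missing entry is rejected as an oversight. Applying the rule to each of the five components is this example's interpretation; the class, field names and dollar figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# The five components the text sums, in order. Names are this example's own.
COMPONENTS = ("asset_book_value", "business_loss", "recovery",
              "restoration", "replacement")


@dataclass
class LossEstimate:
    """One asset's Table 5.5 worksheet. Amounts are in dollars."""
    asset: str
    amounts: dict                                     # component -> dollars
    zero_reasons: dict = field(default_factory=dict)  # component -> why it is zero

    def validate(self):
        """Return a list of problems; an empty list means the worksheet is complete."""
        problems = []
        for name in COMPONENTS:
            if name not in self.amounts:
                problems.append(f"{name}: missing (omission by oversight)")
            elif self.amounts[name] < 0:
                problems.append(f"{name}: negative amount")
            elif self.amounts[name] == 0 and not self.zero_reasons.get(name, "").strip():
                problems.append(f"{name}: zero with no recorded reason")
        extra = set(self.amounts) - set(COMPONENTS)
        problems += [f"{name}: not a Table 5.5 component" for name in sorted(extra)]
        return problems

    def total_business_impact(self):
        """Sum the five components; refuse to total an incomplete worksheet."""
        problems = self.validate()
        if problems:
            raise ValueError(f"{self.asset}: " + "; ".join(problems))
        return sum(self.amounts[name] for name in COMPONENTS)

    def omission_record(self):
        """Conscious omissions: each zero component with its documented reason."""
        return {n: self.zero_reasons[n] for n in COMPONENTS
                if self.amounts.get(n) == 0 and n in self.zero_reasons}


# Constructed sample figures, for illustration only.
design_server = LossEstimate(
    asset="design file server",
    amounts={"asset_book_value": 40_000, "business_loss": 250_000,
             "recovery": 0, "restoration": 15_000, "replacement": 40_000},
    zero_reasons={"recovery": "data copy cannot be recovered once exfiltrated"},
)
```

Calling design_server.total_business_impact() returns the total, and design_server.omission_record() returns the zero entries with their reasons for the risk register.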
5.4.2.2 Intelligent Resource Allocation
Intelligent resource allocation for risk management is the allocation of limited resources (people, equipment, budget, and time) so as to mitigate high-loss risks associated with vulnerabilities in high-probability targets subject to high-probability threats.
Threat probability assessment is a methodology for intelligent resource allocation. The defender against risk cannot equally protect all assets all the time from all threats; therefore, the organization makes informed decisions to protect high-value assets subject to the highest probable threat. Predicting a specific attack on a specific target at a specific time requires explicit intelligence. It is highly improbable that such accuracy can be calculated from an aggregate assessment of discrete facts. An imminent or active threat with known interest in a particular target, or one that is highly skilled at exploiting a certain vulnerability, narrows the potential target space considerably.
The risk management process provides a framework to assess threat and target probability; probable targets include personnel, physical, and cyber assets. The
 