
40 CHAPTER 2 Risky Business

Meanwhile, the Common Vulnerability Scoring System (CVSS) [6], which is used to rate the risk of most publicly released vulnerability notifications, uses a formula so complex that it requires a scoring tool to be usable. Clearly, there are many factors to consider when measuring risk, and most of these sample equations account for these factors in some way. The following is the most common calculation that you will see in a textbook:

Single Loss Expectancy × Average Rate of Occurrence = Annualized Loss Expectancy

However, like many textbook concepts, this one isn't commonly used in the industry. It calculates an Annual Loss Expectancy based on a Single Loss Expectancy and Annual Rate of Occurrence. For example, if you expect to lose five BlackBerries this year, and the cost to replace one BlackBerry is $50, then your ALE is 5 × $50 = $250. If you only lost one BlackBerry every 2 years, your ALE is 0.5 × $50 = $25. The challenge is that it is very difficult to quantify the value of our assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. But don't lose hope; there is actually a lot of great research being done in the space of quantitative risk analysis specific to information security. If you would like to get involved in this work, a good resource is the Society for Information Security Risk Analysts (SIRA) [7]. Whether you use a qualitative or quantitative model really doesn't matter, just as long as the model provides accurate determinations of risk that the organization can use to make consistent decisions about priorities. As the quantitative methods evolve and hopefully more tools like CVSS become available, you will likely see more adoption of these models, but most organizations will have their hands full with simpler qualitative models for a long time.
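As an added example (not code from the book), the textbook ALE calculation in Python: the annual rate of occurrence is derived from a count of past losses over a historical window, and several loss scenarios are ranked by ALE so the numbers can drive a consistent priority decision. The laptop scenario and its figures are constructed for illustration; the BlackBerry figures are the chapter's own.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LossScenario:
    """One loss event type, priced per the SLE x ARO = ALE formula."""
    name: str
    single_loss_expectancy: float  # dollar cost of one occurrence (SLE)
    occurrences: int               # losses observed over the window
    observation_years: float       # length of the historical window, in years

    def annual_rate_of_occurrence(self) -> float:
        # ARO: how many times per year the loss is expected to happen.
        # Without a positive observation window there is no basis for a rate.
        if self.observation_years <= 0:
            raise ValueError("observation window must be a positive number of years")
        return self.occurrences / self.observation_years

    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE x ARO, the expected dollar loss per year.
        return self.single_loss_expectancy * self.annual_rate_of_occurrence()


def rank_by_ale(scenarios: List[LossScenario]) -> List[LossScenario]:
    """Highest expected annual loss first, so the list doubles as a priority order."""
    return sorted(scenarios, key=lambda s: s.annualized_loss_expectancy(), reverse=True)


# Constructed sample scenarios. The two BlackBerry lines reproduce the
# chapter's worked numbers (5 per year -> $250; 1 every 2 years -> $25).
BLACKBERRY_FIVE_PER_YEAR = LossScenario("lost BlackBerry, 5 per year", 50.0, 5, 1)
BLACKBERRY_ONE_PER_TWO_YEARS = LossScenario("lost BlackBerry, 1 every 2 years", 50.0, 1, 2)
LAPTOP_LOSS = LossScenario("lost laptop (constructed)", 1500.0, 2, 4)  # ARO 0.5 -> $750

if __name__ == "__main__":
    for s in rank_by_ale([BLACKBERRY_FIVE_PER_YEAR, BLACKBERRY_ONE_PER_TWO_YEARS, LAPTOP_LOSS]):
        print(f"{s.name:40s} ARO={s.annual_rate_of_occurrence():.2f} ALE=${s.annualized_loss_expectancy():,.2f}")
```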
Both qualitative and quantitative analysis approaches will be reviewed in more detail in Chapter 6, and a particular qualitative risk model will be used throughout the book to rate risk examples.

SUMMARY

Whether you formally align your information security program with a risk management methodology or not, you are forced to make risk decisions every day as part of your function. You will see greater success and encounter fewer obstacles if you can learn how to look at your organization through the lens of acceptable risk. Even starting with the most basic qualitative analysis model will immediately produce measurable improvements in the efficiency and effectiveness of your program. When properly packaged, these metrics can be presented to senior management to demonstrate the value of security investments for the business.