One of the first and most essential things to do is to analyze the security landscape and think about the security universe as it pertains to your organization. For each application you have to determine how it can be exploited, what the consequences of a successful attack would be, and how to mitigate such occurrences. The term “application” in the previous sentence is meant to apply to all facets of an application: not only the user interface but also the servers and databases behind it. This is often referred to as risk analysis, and it must be done. It can be very tedious, but it is a necessary and valuable exercise.
In a simplified view of risk analysis, the first step is to determine the assets being protected and their associated value. The value can be determined either qualitatively or quantitatively. Referring back to the car example, your car has both a quantitative value and a qualitative value. Its quantitative value can be defined by a monetary amount. Its qualitative value may lie in its reliability and possibly in nostalgic memories of places the car has taken you. Companies, company assets such as computer servers, and even data have similar values. Sometimes a concrete value can be determined quantitatively; for example, the company lost $6,000 due to the theft of a computer server. Qualitative values can be more difficult to estimate. For example, if the stolen server contained a database, there would also be a loss associated with the data stored within that database, and a security breach that was made public could damage the company’s reputation.