Security Basics mailing list archives
Re: Getting the value of an asset and the probability of a risk to it
From: Jon Kibler <Jon.Kibler () aset com>
Date: Fri, 16 May 2008 16:21:33 -0400
Rivest, Philippe wrote:
> Currently doing my CISA and I have one small question: how do you do a quantitative risk assessment? Qualitative I understand, low/med/high or 1-10, but a quantitative risk assessment is harder and a bit more complex.
> A) I know that first you need to identify your assets
> B) Then you have to identify the asset value for the enterprise (first problem)
> C) Then you have to identify the risks that your assets have
> D) You have to identify the impact and probability of these risks (my main question is how to do this)
> E) You then have to calculate the risk per asset, which is clear to me.
Okay, let's say you have intellectual property (IP) stored in electronic form, and it is worth $100M. If your competition gets the data, it could easily cost your company $25M a year in lost sales over the next 4 years. The IP concerns a sensitive product under development which you know your competition in Asia (or even an Asian government) would pay someone to illegally obtain. The IP is stored in an encrypted database. However, when it is retrieved from the database, it becomes clear text. Given that, how do you even associate a SWAG with any of the following risks?
1) Someone with access to the IP, or someone on the network in the same broadcast domain, visited a legitimate web site that had been hacked (or opens an email attachment, etc.), and a keystroke logger or network sniffer not detected by AV was loaded onto their box and phones home via SSL with all documents it encounters?
2) You have a mole?
3) Your data is backed up as clear text and the backup is copied, lost or stolen?
4) Someone violates policy and makes a copy of the document on a computer, CD/DVD, flash drive, etc., and the computer/media gets lost or is stolen?
5) The CEO of the company prints out a copy of the document, and since s/he thinks they do not have to follow the rules, takes it home and leaves it on a table in their home's entry hall, and a dinner guest from a competitor sees it and walks out with it?
6) What are the chances of a fire, tornado, nuclear warhead, etc. destroying all copies of the IP, and it is not easily reproduced?
7) You have a WAP you do not know about?
8) You have a printer that has been hacked and phones home with all documents?
9) Someone has WiFi / WiMax / Bluetooth enabled on their computer, and an outsider forms a peer-to-peer connection to the computer and copies off all documents on the computer?
10) Someone emails an encrypted copy of the IP to their HotMail account so they can work on it at home, and their home computer has been hacked?
How do you know that you have even identified all the 'reasonable' risks? The short answer is, you don't know and can't know. For example, before 9/11, few people, if anyone, would have thought that using another building in the WTC complex for off-site storage was a bad idea. (For the record, I have ALWAYS thought that having off-site storage within 50 miles of a primary site was insane! Plus, for some locations, that distance is not far enough. For example, because of hurricane risk here in Charleston, going 150 miles up the coast to Wilmington, NC for off-site storage just doesn't cut it IMHO!)
I have yet to see a quantitative risk assessment that didn't leave me laughing hysterically.
Bottom line: I personally do not believe that it is possible to do a quantitative risk assessment, and anyone who thinks otherwise either does not understand today's risk environment or is delusional.
My $0.02 worth!
Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
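Working the post's own numbers through the textbook SLE/ARO/ALE arithmetic behind steps B to E, as an added example that is not part of the original thread: the $100M asset value and the $25M/yr over 4 years are the post's figures, while the per-risk ARO bounds are constructed guesses standing in for the SWAG the reply says nobody can justify, so the spread between them is the point.

```python
"""SLE/ARO/ALE arithmetic for the IP scenario in the post above.
SLE = asset value x exposure factor; ALE = SLE x ARO (annual rate of occurrence).
$100M asset value and $25M/yr over 4 years are the post's figures; the ARO bounds
are CONSTRUCTED placeholders for the "SWAG" each assessor must supply."""
from dataclasses import dataclass

ASSET_VALUE = 100_000_000   # from the post: IP worth $100M
LOSS_PER_YEAR = 25_000_000  # from the post: $25M/yr in lost sales
LOSS_YEARS = 4              # from the post: over the next 4 years

@dataclass(frozen=True)
class Risk:
    name: str
    aro_low: float   # optimistic guess, events per year (constructed)
    aro_high: float  # pessimistic guess, events per year (constructed)

def single_loss_expectancy(asset_value, loss_per_year, years):
    """SLE for one disclosure: lost sales over the period, capped at the asset value."""
    return float(min(asset_value, loss_per_year * years))

def ale_range(sle, risk):
    """ALE under the optimistic and the pessimistic ARO guess."""
    return sle * risk.aro_low, sle * risk.aro_high

def spread_factor(sle, risk):
    """How many times larger the pessimistic ALE is than the optimistic one."""
    low, high = ale_range(sle, risk)
    return high / low

def total_ale_range(sle, risks):
    """Sum the per-risk ranges: the 'risk per asset' of the question's step E."""
    return sum(sle * r.aro_low for r in risks), sum(sle * r.aro_high for r in risks)

# Constructed ARO guesses for four of the post's ten scenarios.
RISKS = [
    Risk("undetected keylogger phones home", 0.01, 0.5),
    Risk("mole", 0.001, 0.2),
    Risk("clear-text backup copied, lost or stolen", 0.005, 0.1),
    Risk("WAP you do not know about", 0.002, 0.05),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, LOSS_PER_YEAR, LOSS_YEARS)
    for r in RISKS:
        lo, hi = ale_range(sle, r)
        print(f"{r.name:42} ALE ${lo:>12,.0f} .. ${hi:>12,.0f} (x{spread_factor(sle, r):.0f})")
    lo, hi = total_ale_range(sle, RISKS)
    print(f"total ALE ${lo:,.0f} .. ${hi:,.0f}: only as good as the ARO guesses")
```

Each line's ALE moves by a factor of 20 to 200 purely on the choice of ARO, which is the quantitative form of the reply's objection: the arithmetic is trivial, the probabilities are not.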