Friday, March 12, 2010

Information Security Risk Assessment

The next question that comes up is: what is Information Security Risk Assessment, or in other words, Risk Management?

Proper and thorough Risk Management analysis is necessary, as the whole Information Security process depends on this phase. Even a single miss can make for a less effective security program.

This phase is the most critical in terms of the analysis of the organizational security architecture.

There are 2 methods of assessing risks:

->Qualitative Risk Analysis
->Quantitative Risk Analysis.


Qualitative Risk Analysis :- Deals with the probabilities and occurrences of threats, the vulnerabilities and risk factors that apply, and the controls in place to combat threats, minimize risk and make a system or systems non-vulnerable to threats.


Quantitative Risk Analysis :- Deals with values or data and the calculation of Loss Expectancy as SLE (Single Loss Expectancy), ALE (Annual Loss Expectancy) and ARO (Annual Rate of Occurrence of a particular threat).

The formula goes as

ALE = SLE X ARO

When we talk about ALE, SLE and ARO, we will have to discuss 2 more things here:

EF (Exposure Factor of a system to a threat)
Asset Value (The net asset value of a system at the time of threat materializing)


Taking these 2 into account gives

SLE = EF X Asset Value

Once we have understood and identified the risks, the next step is to handle the risk.

The ways to handle the risks are:

->Eliminate Risk : - It is not always possible to eliminate the risk, as it might lead to removal of the system itself.

->Minimize Risk : - Putting controls in place so as to reduce the impact, or to delay the impact as in the case of door delay (we will discuss later), which helps in taking action as and when it occurs.

->Transfer Risk : - Transfer means insuring against a risk which is unavoidable, as in the case of a disaster which could not be prevented. This mostly relates to factors which are not controllable, such as hurricanes or other natural disasters.

->Accept Risk : - This should be done when the cost of risks outweighs the cost of the controls to be put in place. That is, if the risk of damage and potential loss exceeds the cost of putting measures in place, then it is advisable to accept it, provided the organisation can live with it and it does not harm any other scenario or any third-party or vendor networks.
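As an added worked example (not from the original post), here are the two formulas above, SLE = EF X Asset Value and ALE = SLE X ARO, together with the cost comparison that sits behind the Minimize/Accept decision, in Python. The asset values, EF and ARO figures are constructed, and the control_value helper with its residual-ARO input is my own addition for weighing the ALE before and after a control against the control's annual cost.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    """One threat against one asset, using the inputs defined in the post."""
    name: str
    asset_value: float       # net asset value when the threat materialises
    exposure_factor: float   # EF: fraction of the asset value lost per occurrence (0.0 to 1.0)
    aro: float               # ARO: Annual Rate of Occurrence of this threat


def single_loss_expectancy(scenario: ThreatScenario) -> float:
    """SLE = EF x Asset Value, with a sanity check on EF."""
    if not 0.0 <= scenario.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return scenario.exposure_factor * scenario.asset_value


def annual_loss_expectancy(scenario: ThreatScenario) -> float:
    """ALE = SLE x ARO."""
    if scenario.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(scenario) * scenario.aro


def control_value(scenario: ThreatScenario, residual_aro: float,
                  annual_control_cost: float) -> float:
    """Net annual benefit of a control that lowers the ARO (added helper, not from the post):
    ALE before the control - ALE after it - annual cost of the control.
    A positive result favours minimising the risk; a negative one favours accepting it
    or looking for a cheaper control."""
    after = ThreatScenario(scenario.name, scenario.asset_value,
                           scenario.exposure_factor, residual_aro)
    return (annual_loss_expectancy(scenario)
            - annual_loss_expectancy(after)
            - annual_control_cost)


# Constructed sample scenarios; all figures are assumed, not taken from the post.
SCENARIOS = [
    ThreatScenario("Ransomware on file server", 200_000, 0.4, 0.5),
    ThreatScenario("Hurricane damage to data centre", 1_000_000, 0.7, 0.02),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: SLE={single_loss_expectancy(s):,.0f} "
              f"ALE={annual_loss_expectancy(s):,.0f}")
    # A control that cuts the ransomware ARO from 0.5 to 0.1 for 15,000 a year
    print(f"Net value of control: {control_value(SCENARIOS[0], 0.1, 15_000):,.0f}")
```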

There are a couple of tools available to perform Risk Assessment, such as CORA, COBRA, CRAMM and RiskPAC, all focussing on different spheres of business such as the Government and Public Sector, Telecom and IT Sector, Health Sector and Enterprise Sector.
