Tuesday, April 8, 2008

Risk Management

There are 3 steps in risk management:

1. Asset identification and Value Assignment
2. Quantitative/Qualitative Risk Analysis and assessment
3. Countermeasure and implementation

Asset identification and Value Assignment



Delphy technique consists in make a group, and anonimously, everybody put a value for some risks


Quantitative Risk Analysis



AV asset value
EF exposure factor
SLE single loss expectanci
ARO anualized rate of occurrence
ALE anualized loss expectancy
residual risk -> risk reduced by safeguards (risk never is reduced to 0)
total risk -> we have total risk if don't implement the safeguards.

AV * EF = SLE

SLE * ARO = ALE

Coefficients are in range 0-1 with 2 decimals.

Qualitative Risk Analysis



Some levels may be defined, like: dangerous, very dangerous, not dangerous.


Handling Risks



There are 4 options for each risk:

transfer the risk (ex. insurance)
reduce the risk (ex. countermeasures)
rejecting the risk (ex. ignore the risk)
accept the risk (ex. cost of countermeasures outweights the potential loss value AV)

Countermeasure costs:
Product cost
Design/planning cost
Implementation cost
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements
Repair, replace, or update costs
Operating and support costs
Effects on productivity

1 comment:

Jerald said...

Wonderful blog & good post.Its really helpful for me, awaiting for more new post. Keep Blogging!
CISSP Certification