Handbook of Information Security Management:Risk Management and Business Continuity Planning



Management Involvement and Guidance

Organizational culture plays a key role in determining, first, whether to assess risk at all, and second, whether to use qualitative or quantitative approaches. Many firms’ management organizations see themselves as “entrepreneurial” and have an aggressive bottom-line culture. Their basic attitude is to minimize all costs, take the chance that nothing horrendous happens, and assume they can deal with it if it does happen.

Other firms, particularly the larger, more mature organizations, will be more interested in a replicable process that puts the results in management language such as monetary terms, cost/benefit assessment, and expected loss: terms that support budgetary planning.

It is very useful to understand the organizational culture when attempting to plan for a risk assessment and get necessary management support. While a quantitative approach will provide, generally speaking, much more useful information, the culture may not be ready to assess risk in significant depth.

In any case, with the involvement, support, and guidance of management, more utility will be gained from the risk assessment, regardless of its qualitative or quantitative nature. And, as management gains understanding of the concepts and issues of risk assessment and begins to realize the value to be gained, reservations about quantitative approaches will diminish, and they will increasingly look toward those quantitative approaches to provide more credible, defensible budgetary support.

RISK MITIGATION ANALYSIS

With the completion of the risk modeling and associated report on the observed status of information security and related issues, management will almost certainly find some areas of risk that they are unwilling to accept and for which they wish to see proposed risk mitigation analysis. In other words, they will want answers to the last three questions for those unacceptable risks:

  What can be done?
  How much will it cost?
  Is it cost effective?

There are three steps in this process:

  Safeguard Analysis and Expected Risk Reduction
  Safeguard Costing
  Safeguard Cost/Benefit Analysis

Safeguard Analysis and Expected Risk Reduction

With guidance from the results of the Risk Evaluation, including modeling and associated data collection tasks, and reflecting management concerns, the analyst will seek to identify and apply safeguards that could be expected to mitigate the vulnerabilities of greatest concern to management. Management will, of course, be most concerned about those vulnerabilities that could allow the greatest loss expectancies for one or more threats, or those subject to regulatory or contractual compliance. To do this step manually, the analyst must first select appropriate safeguards for each targeted vulnerability; second, map (or confirm the mapping of) each safeguard/vulnerability pair to all related threats; and third, determine, for each threat, the extent of asset risk reduction to be achieved by applying the safeguard. In other words, for each affected threat, determine whether the selected safeguard(s) will reduce threat frequency, reduce threat exposure factors, or both, and to what degree.

Done manually, this step will consume many days or weeks of tedious work effort. Any “What if” assessment will be very time-consuming as well. When this step is executed with the support of a knowledge-based expert automated tool, however, only a few hours to a couple of days are expended, at most.

Safeguard Costing

In order to perform useful cost/benefit analysis, estimated costs for all suggested safeguards must be developed. While these cost estimates should be reasonably accurate, it is not necessary that they be precise. However, if one is to err at this point, it is better to overstate costs. Then, as bids or detailed cost proposals come in, it is more likely that cost/benefit analysis results, as shown below, will not overstate the benefit.

There are two basic categories of costing for safeguards: cost per square foot, installed, and time and materials. In both cases, the expected life and annual maintenance costs must be included to get the average annual cost over the life of the safeguard. An example of each is provided in Exhibits 8 and 9.


Exhibit 8.  Cost Per Square Foot, Installed, for a New IT Facility


Exhibit 9.  Time and Materials for Acquiring and Implementing a Disaster Recovery Plan (DRP)

These Average Annual Costs represent the break-even point for safeguard cost/benefit assessment for each safeguard. In these examples, discrete, single-point values have been used to simplify the illustration. At least one of the leading automated risk assessment tools allows the analyst to input bounded distributions with associated confidence factors to articulate explicitly the uncertainty of the values for these preliminary cost estimates. These bounded distributions with confidence factors facilitate the best use of optimal probabilistic analysis algorithms.
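The following is an added worked example, not code from the handbook, that ties together the Safeguard Analysis step (a safeguard reducing threat frequency, exposure factor, or both) and both Safeguard Costing methods, then checks each safeguard against its Average Annual Cost break-even point. It assumes the conventional loss-expectancy arithmetic (single loss expectancy = asset value x exposure factor; annualized loss expectancy = SLE x annual threat frequency) and uses constructed sample values in place of the unreproduced Exhibits 8 and 9.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    """One threat mapped to a vulnerability: how often it strikes and how much of the asset it destroys."""
    name: str
    asset_value: float        # currency units
    annual_frequency: float   # expected occurrences per year
    exposure_factor: float    # fraction of asset value lost per occurrence, 0..1

    def ale(self) -> float:
        # Annualized loss expectancy = (asset value x exposure factor) x annual frequency
        return self.asset_value * self.exposure_factor * self.annual_frequency


def risk_reduction(threats, freq_factor=1.0, ef_factor=1.0) -> float:
    """ALE removed by a safeguard that scales threat frequency and/or exposure factor
    (each factor in [0, 1]; 1.0 means the safeguard does not affect that term)."""
    before = sum(t.ale() for t in threats)
    after = sum(replace(t, annual_frequency=t.annual_frequency * freq_factor,
                        exposure_factor=t.exposure_factor * ef_factor).ale() for t in threats)
    return before - after


def aac_per_square_foot(sq_ft, cost_per_sq_ft, life_years, annual_maintenance) -> float:
    """'Cost per square foot, installed': installed cost spread over expected life, plus maintenance."""
    return (sq_ft * cost_per_sq_ft) / life_years + annual_maintenance


def aac_time_and_materials(hours, hourly_rate, materials, life_years, annual_maintenance) -> float:
    """'Time and materials': labour plus materials spread over expected life, plus maintenance."""
    return (hours * hourly_rate + materials) / life_years + annual_maintenance


def net_annual_benefit(reduction, average_annual_cost) -> float:
    """Positive means the safeguard pays for itself; zero is the break-even point."""
    return reduction - average_annual_cost


def demo() -> dict:
    # Constructed sample: one data centre (asset value 5,000,000) exposed to fire and flood.
    threats = [Threat("fire", 5_000_000, 0.05, 0.60), Threat("flood", 5_000_000, 0.02, 0.80)]
    # Hypothetical DRP: does not change threat frequency, cuts exposure factor to 25% of its value.
    drp_reduction = risk_reduction(threats, ef_factor=0.25)
    drp_cost = aac_time_and_materials(hours=800, hourly_rate=150, materials=30_000,
                                      life_years=5, annual_maintenance=20_000)
    # Hypothetical hardened facility: halves both frequency and exposure factor.
    facility_reduction = risk_reduction(threats, freq_factor=0.5, ef_factor=0.5)
    facility_cost = aac_per_square_foot(sq_ft=10_000, cost_per_sq_ft=250,
                                        life_years=20, annual_maintenance=40_000)
    return {"ale_before": sum(t.ale() for t in threats),
            "drp": net_annual_benefit(drp_reduction, drp_cost),
            "facility": net_annual_benefit(facility_reduction, facility_cost)}
```

Deliberately overstating the cost inputs, as the text recommends, shrinks the net benefit figure and so keeps the cost/benefit conclusion conservative.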

