Risk Assessment
Security in any system should be proportionate to its risks. However, the
process of determining which security controls are appropriate and
cost-effective is often complex and sometimes subjective. One of the prime
functions of security risk analysis is to put this process onto a more
objective basis.

There are a number of distinct approaches to risk analysis, but they are
easily broken down into two types: quantitative and qualitative.
Quantitative Risk Analysis
This approach uses two fundamental elements: the probability of an event
occurring and the likely loss should it occur. Quantitative risk analysis
combines these into a single figure, the 'Annual Loss Expectancy (ALE)' or
'Estimated Annual Cost (EAC)', calculated by multiplying the potential loss
from a given event by the probability of that event occurring in a year.
Because every event is then expressed in the same units (expected loss per
year), events can be ranked in order of risk and decisions, such as whether a
control is worth its cost, can be made on the basis of that ranking.
The problems with this type of analysis are usually associated with the
unreliability or inaccuracy of the data, since probability can rarely be
estimated precisely, and this can undermine confidence in the results. In
addition, a single control or countermeasure often addresses several
potential events, and the events themselves are frequently interrelated,
which makes the figures less accurate still.
Notwithstanding the drawbacks, a number of organizations have
successfully adopted quantitative risk analysis.
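As an added worked example (not part of the original page or Nology Solutions' own material), the following Python computes the ALE figure described above for a set of constructed events, ranks them, and then checks whether a control that covers more than one event pays for itself. The event names, loss figures, probabilities, control costs and reduction fractions are all assumptions chosen for illustration; the benefit_range helper is an addition that shows how an imprecise probability estimate can flip the decision.

```python
"""Quantitative risk ranking and control cost-benefit on ALE figures.

Added illustration of the ALE calculation described above; not Nology's
own tooling. All names and figures below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    name: str
    potential_loss: float      # estimated loss per occurrence, in currency units
    annual_probability: float  # expected occurrences per year (a rate; may exceed 1.0)

    def ale(self, probability_scale: float = 1.0) -> float:
        """Annual Loss Expectancy: potential loss x annual probability.

        probability_scale lets the caller see how the figure moves when the
        (usually imprecise) probability estimate is off by some factor."""
        return self.potential_loss * self.annual_probability * probability_scale


@dataclass
class Control:
    name: str
    annual_cost: float
    # Fraction of each named event's ALE this control removes, whether by
    # lowering the probability or the loss. One control may cover several
    # events; this overlap is what the text says makes the figures less precise.
    ale_reduction: dict[str, float] = field(default_factory=dict)


def rank_by_ale(events: list[Event]) -> list[tuple[str, float]]:
    """(name, ALE) pairs from highest to lowest expected annual loss."""
    return sorted(((e.name, e.ale()) for e in events),
                  key=lambda pair: pair[1], reverse=True)


def net_annual_benefit(events: list[Event], control: Control,
                       probability_scale: float = 1.0) -> float:
    """Total ALE removed by the control across every event it covers, minus
    its annual cost. Positive means the control pays for itself on these
    estimates."""
    removed = sum(e.ale(probability_scale) * control.ale_reduction.get(e.name, 0.0)
                  for e in events)
    return removed - control.annual_cost


def benefit_range(events: list[Event], control: Control,
                  uncertainty: float) -> tuple[float, float]:
    """Net benefit if every probability estimate is low or high by
    `uncertainty` (0.5 means the true rate could be half or 1.5x the guess).
    If the two bounds straddle zero, the data does not support a decision."""
    return (net_annual_benefit(events, control, 1.0 - uncertainty),
            net_annual_benefit(events, control, 1.0 + uncertainty))


# Constructed sample data; the loss and probability figures are illustrative only.
EVENTS = [
    Event("fire in server room", potential_loss=500_000, annual_probability=0.02),
    Event("insider fraud", potential_loss=80_000, annual_probability=0.25),
    Event("ransomware outbreak", potential_loss=300_000, annual_probability=0.10),
    Event("laptop theft", potential_loss=5_000, annual_probability=2.0),
]

CONTROLS = [
    # One control addressing two of the events at once.
    Control("offline backups", annual_cost=8_000,
            ale_reduction={"ransomware outbreak": 0.6, "fire in server room": 0.5}),
    # A control whose case depends entirely on one uncertain probability.
    Control("full-disk encryption", annual_cost=12_000,
            ale_reduction={"laptop theft": 0.9}),
]


if __name__ == "__main__":
    for name, ale in rank_by_ale(EVENTS):
        print(f"{name:<22} ALE = {ale:>10,.0f}")
    for c in CONTROLS:
        low, high = benefit_range(EVENTS, c, uncertainty=0.5)
        print(f"{c.name:<22} net benefit = {net_annual_benefit(EVENTS, c):>8,.0f}"
              f"  (range {low:,.0f} to {high:,.0f} if probabilities are +/-50% off)")
```

On these figures the offline-backup control is worth having under any probability estimate within 50% of the guess, while the encryption rollout goes from a loss to a gain within that same band, which is exactly the kind of result that leaves people dissatisfied with a purely quantitative answer.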
Qualitative Risk Analysis
Qualitative Risk Analysis is by far the most widely used approach. Probability data is not required and only estimated potential
loss is used.
Most qualitative methodologies make use of a
number of interrelated elements:
THREATS - They are present for any system and are easily defined
as things that can go wrong or that can 'attack' the system.
Examples might include fire or fraud.
VULNERABILITIES - These make a system more prone to attack by a threat, or
make an attack more likely to succeed or to have a greater impact. For the
threat of fire, a vulnerability would be the presence of flammable materials
such as paper.
CONTROLS - These are the countermeasures for vulnerabilities. There are four
types:
- Deterrent controls reduce the likelihood of a deliberate attack.
- Preventative controls close or shield vulnerabilities so that an attack
fails or has a reduced impact.
- Corrective controls reduce the effect of an attack that has already
occurred.
- Detective controls discover attacks and trigger preventative or corrective
controls.
Nology Solutions is here to help
you prevent or control loss.
Please
contact us and put our security expertise to work for your
organization!