Sunday, January 27, 2013

Current Risk Assessment Methodology



The most elementary approach to risk assessment starts with identification of a set of
assets $A = \{a_1, a_2, \ldots, a_n\}$ and threats $T = \{t_1, t_2, \ldots, t_m\}$. Next, a Cartesian product is
formed, $A \times T = \{(a_1, t_1), (a_2, t_1), \ldots, (a_n, t_m)\}$. The value of each asset, $v(a_n)$, is
determined and, for each threat, the probability of interaction with the asset during a certain
period is assessed, $E_{a_n}(t_m)$. An interaction is problematic only if the asset is exposed to a
vulnerability, $V_{t_m}(a_n) \in [0,1]$. Taking this into account, an appropriate risk estimate is
obtained as follows.

The real problem with this procedure is obtaining exact quantitative values for the
above variables in real-time for the following reasons.
• Old statistical data are not available, because the technological landscape and IS
change quickly to meet evolving business requirements. Within these changes, new
vulnerabilities are created. In addition, different threats are attracted at different
times, because the business context and assets change over time. Consequently, the likelihood
of attack and the number of vulnerabilities and exposures change over time.
• Furthermore, a substantial proportion of an organization’s assets are intangible
assets, such as information and goodwill. Identification and valuation of these assets
remains a difficult issue [4]. Even worse, the most important asset is personnel.
Due to the specifics of this type of asset, their valuation is very hard. For
example, none of them are recorded and valued in balance sheets.
Therefore, it is hard to derive the exact value of risk. The above facts lead to the current
view that the logical alternative to quantitative IS risk assessment is a qualitative
approach at the level of aggregates. Here, assets, threats, and vulnerabilities are each
categorized into certain classes. By using tables, such as the one below, risks are assessed
and estimated, and priorities are set by rank-ordering data on an ordinal scale.
Table 1. The ISO/IEC 27005 risk assessment matrix measures risk on a scale of 0 to 8 and
takes two qualitative inputs: (i) the likelihood of an incident scenario and (ii) the estimated
business impact. For example, if the estimated likelihood of the incident scenario is low and the
corresponding business impact is high, then the risk is described by the value 4.




This is also a legitimate approach according to standards, such as ISO/IEC 27005.
However, qualitative risk assessment approaches have significant shortcomings and
suffer from the following two major disadvantages [3].
• Reversed rankings, i.e., assigning higher qualitative risk ratings to situations that
have lower quantitative risks.
• Uninformative ratings, i.e., (i) frequently assigning the most severe qualitative risk
label (such as “high”) to scenarios with arbitrarily small quantitative risks and (ii)
assigning the same rating to risks that differ by many orders of magnitude.
Therefore, the value of the information that qualitative risk assessment approaches
provide for improving risk management decision making can be close to zero, and even
misleading, in the common situation of many small risks and a few large ones, where qualitative
ratings often do not distinguish the large risks from the small. This is further
justification that quantitative risk treatment always has to be the preferred option, if
metrics and measurement methods are available.
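As an added illustration of the two disadvantages (example code, not part of the original post): a few constructed incident scenarios are scored both on an ISO/IEC 27005-style 0 to 8 matrix and as quantitative expected loss, and the two orderings are compared. The additive matrix form (level indices summed), the band thresholds and the scenario figures are assumptions chosen so that the caption's example (likelihood low, impact high, risk 4) is reproduced.

```python
from dataclasses import dataclass
from itertools import permutations

# Assumed additive matrix: likelihood and impact each get a level 0..4 and the risk
# value is their sum (0..8). Reproduces the caption: low (1) + high (3) = 4.
# Assumed band upper bounds for levels 0..3; above the last bound is level 4.
LIKELIHOOD_BANDS = [0.01, 0.1, 0.3, 0.6]  # annual probability of the scenario
IMPACT_BANDS = [1e3, 1e4, 1e5, 1e6]       # business impact, currency units

@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # annual likelihood of the incident scenario
    impact: float       # business impact if it occurs

def level(value, bands):
    """Ordinal level 0..4 of a quantitative value under the assumed bands."""
    return sum(1 for upper in bands if value >= upper)

def qualitative_risk(s):
    """Matrix value 0..8 from the two ordinal inputs."""
    return level(s.probability, LIKELIHOOD_BANDS) + level(s.impact, IMPACT_BANDS)

def quantitative_risk(s):
    """Expected annual loss, assumed here as likelihood x impact."""
    return s.probability * s.impact

def reversed_rankings(scenarios):
    """Pairs (a, b): a rated higher on the matrix yet carrying lower expected loss."""
    return [(a.name, b.name) for a, b in permutations(scenarios, 2)
            if qualitative_risk(a) > qualitative_risk(b)
            and quantitative_risk(a) < quantitative_risk(b)]

def rating_spread(scenarios):
    """Per matrix value, ratio of largest to smallest expected loss sharing that label."""
    by_rating = {}
    for s in scenarios:
        by_rating.setdefault(qualitative_risk(s), []).append(quantitative_risk(s))
    return {r: max(v) / min(v) for r, v in by_rating.items()}

# Constructed scenarios, not real data.
SCENARIOS = [
    Scenario("ransomware on file server", 0.05, 900_000),   # low / high           -> 4
    Scenario("lost laptop, disk encrypted", 0.59, 2_000),   # high / low           -> 4
    Scenario("data centre destroyed", 0.001, 5e8),          # very low / very high -> 4
    Scenario("phishing click, no data loss", 0.65, 1_500),  # very high / low      -> 5
]

if __name__ == "__main__":
    print(reversed_rankings(SCENARIOS), rating_spread(SCENARIOS))
```

The phishing scenario outranks all three others on the matrix while carrying the smallest expected loss (a reversed ranking), and the three scenarios sharing the value 4 span more than two orders of magnitude of expected loss (an uninformative rating).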
