Providing Accurate Risk Assessments

Published: 2009-04-19
Last Updated: 2009-04-20 14:10:15 UTC
by Mari Nichols (Version: 1)
0 comment(s)

As professionals in security we are constantly researching new technologies to keep our skills sharp.  The Internet Storm Center was formed to assist with keeping our peers aware of the fast paced changes in vulnerabilities, patches, hacks, worms, Trojans and threats in general.

How we communicate these risks to our key decision makers sometimes can be a challenge.   A recent example would be the Conficker April 1st situation.  It was important for us to convey the sense of urgency we felt to have MS08-067 patched, as well as cross checking all our systems for updates being rejected, antivirus definitions up-to-date and so on.  My question to you is “did you communicate the risk effectively”?  Were you able to give a complete and accurate risk assessment to your management? 

Remember that risk assessment is the process of identifying a threat, understanding how that threat relates (vulnerability) to your organization, assessing the cost and providing that information to management.  The formula is simple, let’s break it down.

 Risk = Threat x Vulnerability x Cost 

  1. State the threat in language that is easily understood.  It is your job to decrypt the threat for your management team.
  2. Portray clearly and accurately what the threat could do and how it would possibly perform in your environment.
  3. Identify the number of assets which may be affected by the threat.  What is percentage of vulnerable devices in relation to the total devices?  (Servers, workstations, operating systems, Internet exposure)
  4. Identify the corrective measures which are available to be taken.
  5. Calculate the SLE (Single Loss Expectancy).  What is the dollar value of the cost that equals the total cost of the risk? 
  6. State how the remediation would lower the exposure to the organization and give a cost for those actions.
  7. Recalculate the SLE with projected remediation included.
  8. Provide status of the protection mechanisms already in place (anti-virus definitions, IPS signature detections, patching statistics).
  9. Then allow management to make an educated decision based on risk to the enterprise, not just the security event itself. 

By utilizing this concrete methodology, we can lessen the influence of media hype and provide a professional cost based opinion to those best equipped to make enterprise decisions. 

Mari Nichols

iMarSolutions

 

Keywords: risk assessment
0 comment(s)

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives