Risk Assessment

Risk Assessment methodologies have been a controversial topic for a while.  There are two ways to assess risk:

  • Qualitative
  • Quantitative

One school of thought believes that Qualitative is the way to go, and so works with a High/Medium/Low kind of ranking.

The other school of thought believes that Quantitative is the way to go, where the following formula is used:

Probability of the event occurring in a given year (p%) X Impact should the event occur (i$) = ALE (Annualised Loss Expectancy)

Some are proponents of Bayesian Population Analysis.

One of the methodologies I have come across is FAIR (Factor Analysis of Information Risk) by RMI, which was presented at TOGAF 2007, Austin, TX.  The issue that came up was the amount and validity of data used in that analysis, and also the taxonomy used.

In my opinion something like Actuarial Tables, which are used in the insurance industry, must be created for IT Risk Analysis.  Unless an event occurs, there is no way to predict the frequency of it happening and the amount of loss incurred.

In my opinion IT Security Risk managers should get together, put up a database on the Internet and anonymously report the breaches they have experienced, the associated loss, and the frequency of it happening.
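As an added illustration (not part of the original post) of how such an anonymous breach database would feed the quantitative formula above: the reports, organisation count and High/Medium/Low thresholds are constructed sample values; p is estimated as the share of organisation-years in which an event of that category occurred, i as the mean loss per event, and ALE = p x i is then mapped onto the qualitative scale for comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachReport:
    """One anonymised report: opaque org id, year, event category, loss."""
    org_id: str
    year: int
    category: str
    loss_usd: float


# Constructed sample data standing in for an anonymous breach database.
REPORTS = [
    BreachReport("org-a", 2006, "phishing", 20_000),
    BreachReport("org-b", 2006, "phishing", 5_000),
    BreachReport("org-b", 2007, "phishing", 15_000),
    BreachReport("org-a", 2007, "phishing", 40_000),
    BreachReport("org-c", 2007, "lost_laptop", 80_000),
    BreachReport("org-d", 2006, "lost_laptop", 120_000),
]
# Constructed: 10 organisations reporting for 2 years = 20 organisation-years.
ORG_YEARS = 20


def annual_probability(reports, category, org_years):
    """p: share of organisation-years in which the event occurred at least once."""
    hit = {(r.org_id, r.year) for r in reports if r.category == category}
    return len(hit) / org_years


def mean_impact(reports, category):
    """i: average loss per event of this category (0.0 if never observed)."""
    losses = [r.loss_usd for r in reports if r.category == category]
    return sum(losses) / len(losses) if losses else 0.0


def ale(p, i):
    """The quantitative formula from the post: ALE = p x i."""
    return p * i


def qualitative_rank(ale_usd, high=50_000, medium=5_000):
    """Map an ALE onto the High/Medium/Low scale (thresholds are assumed)."""
    if ale_usd >= high:
        return "High"
    return "Medium" if ale_usd >= medium else "Low"


def risk_table(reports=REPORTS, org_years=ORG_YEARS):
    """Per category: (p, i, ALE, rank), one row of an actuarial-style table."""
    table = {}
    for cat in sorted({r.category for r in reports}):
        p, i = annual_probability(reports, cat, org_years), mean_impact(reports, cat)
        table[cat] = (p, i, ale(p, i), qualitative_rank(ale(p, i)))
    return table


if __name__ == "__main__":
    for cat, (p, i, a, rank) in risk_table().items():
        print(f"{cat:12s} p={p:.2f} i=${i:,.0f} ALE=${a:,.0f} -> {rank}")
```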