Calculating Potential Loss
Calculating potential losses is a little different from measuring asset value. Information assets aren't usually "lost" in the traditional sense--they're often still available for use, yet part of their value (or even more than their face value) may be lost. Some information, such as Social Security numbers, has no inherent value; music files that are sold multiple times have an asset value greater than their face value because of their potential revenue. Value is a matter of context.
Because asset value is linked to loss but not tied directly to it, you must consider the type of compromise when evaluating potential losses. There are five distinct types:
Confidentiality breaches occur when high-value information, such as trade secrets or financial data, is read from storage, sniffed from the network by unauthorized parties, or leaked by internal users.
Integrity breaches occur when data is modified in transit or at rest, such as with transactions that are modified to reflect inappropriate quantities or dollar values.
Availability breaches are when information is deleted or made unavailable.
Productivity breaches occur when resources are disabled, such as when an e-mail server is swamped by spam or an e-commerce service is hit by a denial-of-service (DoS) flood of transaction requests.
Liability breaches occur when systems and data are still available, but are being misused. This could be an
Determining information asset value enables enterprises to focus on their real security needs and allocate adequate resources. But asset value isn't the only thing that may be lost. When evaluating actual and potential losses, add incident costs to the lost asset value. Incident costs are the expenses specifically associated with the incident, over and above the lost asset value, including IT staff time spent on response and recovery, legal fees and regulatory fines.
The severity of an incident and its losses are calculated by correlating the type of breach with the value type. For instance, if a worm disables your network, you have an availability and productivity breach that affects the asset values of everything on the network--productivity and revenue. The loss equals the productivity and revenue values, plus the incident costs of the IT productivity spent on recovery, plus any legal costs and regulatory fines.
A popular method of calculating potential losses is annual loss expectancy (ALE), an estimate of expected loss calculated by multiplying the probability of a particular type of loss occurring in a year by the loss from a single occurrence. For example, if there's a 10 percent chance of losing $1 million, the ALE is $100,000.
Obviously, there's a difference between a 1-in-10 chance of a large loss and the strong likelihood of a number of incidents throughout the year. One way to address this difference is to treat ALE differently by category: recurring losses versus specific security breaches. The distinction lets you rate the reliability of a projection by whether it rests on historical data. If you know you've suffered an average of 100 malware infections a month (recurring), your projection has greater validity because the frequency is measured rather than guessed. Predicting less-frequent attacks is much more ambiguous, making such calculations more art than science.
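The loss model above (breach type correlated with value type, plus incident costs, then scaled by how often the incident is expected in a year) can be written down in a few dozen lines. The following Python is an added example, not code from the original article: it computes a single-loss figure from the affected value types and incident costs, then an ALE for two cases the article contrasts, a rare worm outage with an estimated 10 percent annual chance and a recurring stream of malware infections whose annual rate is derived from monthly history rather than guessed. All asset values, costs and counts are constructed for illustration, and the five breach-type names are used only to validate input.

```python
"""Single-loss and annual-loss expectancy (ALE) worked through in code.

Added example, not from the original article.  Every figure below is
constructed for illustration.
"""
from dataclasses import dataclass, field

# The five breach types from the article, used only to validate input.
BREACH_TYPES = {"confidentiality", "integrity", "availability",
                "productivity", "liability"}


@dataclass
class Asset:
    name: str
    # Value broken down by type (e.g. productivity, revenue), as the
    # article suggests, so a breach can hit some types and not others.
    values: dict


@dataclass
class Incident:
    name: str
    breach_types: set                 # subset of BREACH_TYPES
    affected_value_types: set         # which value types this breach hits
    incident_costs: dict = field(default_factory=dict)  # IT time, legal, fines


def single_loss_expectancy(assets, incident):
    """Loss from one occurrence: affected asset value plus incident costs."""
    unknown = incident.breach_types - BREACH_TYPES
    if unknown:
        raise ValueError(f"unknown breach types: {sorted(unknown)}")
    lost_value = sum(
        value
        for asset in assets
        for value_type, value in asset.values.items()
        if value_type in incident.affected_value_types
    )
    return lost_value + sum(incident.incident_costs.values())


def aro_from_history(counts_per_period, periods_per_year):
    """Annualized rate of occurrence measured from observed counts.

    Use this for recurring losses (e.g. monthly malware infections); the
    result is a rate, so it can exceed 1.  For rare events you supply an
    estimated probability instead, which is where the art comes in.
    """
    if not counts_per_period:
        raise ValueError("need at least one observed period")
    return sum(counts_per_period) / len(counts_per_period) * periods_per_year


def annual_loss_expectancy(sle, aro):
    """ALE = single loss expectancy x annualized rate (or probability)."""
    if sle < 0 or aro < 0:
        raise ValueError("loss and rate must be non-negative")
    return sle * aro


def worked_example():
    """The article's two cases: a rare outage and a recurring loss (constructed data)."""
    # Constructed: the network's value split into productivity and revenue.
    network = Asset("corporate network", {"productivity": 300_000,
                                          "revenue": 650_000})
    # A worm knocks the network out: availability + productivity breach that
    # hits both value types, plus recovery time and legal cost.
    worm = Incident("worm outage",
                    breach_types={"availability", "productivity"},
                    affected_value_types={"productivity", "revenue"},
                    incident_costs={"it_productivity": 40_000, "legal": 10_000})
    worm_sle = single_loss_expectancy([network], worm)      # 1,000,000
    worm_ale = annual_loss_expectancy(worm_sle, 0.10)        # estimated 10%/yr

    # Recurring case: each infection costs only cleanup time, but there are
    # about 100 a month, measured over a constructed year of history.
    infection = Incident("malware infection",
                         breach_types={"productivity"},
                         affected_value_types=set(),
                         incident_costs={"it_productivity": 500})
    history = [95, 110, 100, 98, 104, 92, 107, 99, 101, 96, 103, 95]  # 12 months
    malware_sle = single_loss_expectancy([network], infection)  # 500
    malware_aro = aro_from_history(history, periods_per_year=12)  # 1200.0
    malware_ale = annual_loss_expectancy(malware_sle, malware_aro)

    return {"worm_sle": worm_sle, "worm_ale": worm_ale,
            "malware_sle": malware_sle, "malware_aro": malware_aro,
            "malware_ale": malware_ale}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>12}: {value:,.0f}")
```

The point the numbers make is the article's own: the recurring $500 infections, at a measured 1,200 a year, produce a larger ALE ($600,000) than the rare million-dollar outage ($100,000), and the first figure rests on twelve months of counts while the second rests on a guessed probability.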
This was first published in February 2005