What is the difference between 'asset valuation' and 'impact analysis' in the security risk analysis process?
An "asset" is any resource, product, process, system, or any other thing that has some value to an organization and, as such, must be protected. Assets can be physical/tangible items, such as equipment or computers, and they can also be non-tangibles, such as information or intellectual property.
An asset will have some sort of "value" or worth to an organization based on various elements or factors important to the organization. When performing a security risk analysis -- whether qualitative, which results in subjective values based on the asset's worth to the organization specifically, or quantitative, which results in values based on the asset's cost -- you will need to determine the net value of an asset to the enterprise. This valuation process can take many forms; the CISSP Prep Guide by Ronald L. Krutz and Russell Dean Vines notes three basic elements used to determine an asset's value:
- The initial and ongoing cost to the enterprise for purchasing, licensing, developing and supporting the physical or information asset.
- The asset's value to the enterprise's production operations, R&D and core business viability.
- The asset's value established on the external marketplace and estimated value of the intellectual property, such as trade secrets, patents, copyrights, etc.
In her CISSP All-In-One Certificate Exam Guide, Shon Harris notes that, in addition to the above list, some other considerations when assigning value to information and assets should be:
- Value of the asset to adversaries.
- Cost to replace the asset if lost.
- Operational and productivity costs incurred if the asset is unavailable.
- Liability issues if the asset is compromised.
The theme from both of these references is that the value of an asset is more than the simple out-of-pocket dollars required to obtain the asset.
In a true security risk analysis, the phases of the process should include the following (again from Shon Harris):
- Assign value to information and assets.
- Estimate the potential loss per risk.
- Perform a threat analysis.
- Derive the overall loss potential per risk.
- Choose remedial measures to counteract each risk.
- Reduce, assign or accept the risk.
Using this model and looking at the question, the term "impact analysis" is really concerned with the middle phases of that list: calculating the potential financial impact of identified threats on specific assets.
Hence, you can essentially use the classic quantitative risk impact analysis approach, which is built on the exposure factor, the annualized rate of occurrence, the single loss expectancy and the annualized loss expectancy.
As we've already discussed how to determine the asset value, we'll now discuss what the exposure factor is.
The exposure factor is the percentage of the asset's value lost if an identified threat materializes once. For instance, if a hurricane were to hit my $1 billion warehouse and destroy half of it, the exposure factor is 50%.
The annualized rate of occurrence is the estimated frequency with which a specific threat is expected to occur within a one-year period; it is a count of expected events per year, so it can exceed 1.0 for frequent threats. Continuing with the scenario, let's assume a damaging hurricane is expected to strike the warehouse about once every five years. The annualized rate of occurrence is therefore 0.2, or 20%.
The next step is to calculate the single loss expectancy. Here, multiply the asset value by the exposure factor. So, for the warehouse, the single loss expectancy would be $1 billion x 0.5 = $500 million.
Then, calculate the annualized loss expectancy (the financial impact estimate for my company per year) by multiplying the single loss expectancy by the annualized rate of occurrence. For this scenario: single loss expectancy ($500 million) x annualized rate of occurrence (0.20) = $100 million. This is a huge number, and one that may not be realistic, but it serves for our example. This value, however, can help the security professional determine budgets and perform cost-benefit analysis when choosing mitigating actions to reduce potential loss.
In this example, you would use the $100 million annualized loss expectancy value when deciding how much to spend on mitigation each year. A control is worth buying only if the reduction in annualized loss expectancy it delivers exceeds its own annual cost; spending more than $100 million per year to counter this one threat would be a waste of money, since the control could never save more than it costs.
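The calculation walked through above (asset value, exposure factor, annualized rate of occurrence, single loss expectancy, annualized loss expectancy) and the cost-benefit test for a control, carried through in code. This is an added example, not code from the article; the warehouse figures come from the scenario above, while the second threat and the two candidate controls (storm shutters, relocation) and their costs are constructed for illustration and are not from the article.

```python
"""Quantitative risk impact calculations (SLE, ARO, ALE) and a safeguard
cost-benefit check, following the warehouse scenario in the answer above."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    """One identified threat against one asset, with its quantitative inputs."""
    name: str
    asset_value: float        # AV, in dollars
    exposure_factor: float    # EF, fraction of the asset lost per occurrence (0..1)
    annual_rate: float        # ARO, expected occurrences per year (may exceed 1.0)

    def __post_init__(self):
        # Reject inputs that silently produce nonsense (e.g. EF of 150%).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.annual_rate < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: AV x EF (loss from one occurrence)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO (expected loss per year)."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A proposed control: its annual cost and how it changes EF and/or ARO.

    A control that limits damage lowers EF; one that prevents the event
    lowers ARO. None means that factor is unchanged.
    """
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_annual_rate: Optional[float] = None

    def apply(self, threat: Threat) -> Threat:
        """Return the same threat as it would look with this control in place."""
        ef = threat.exposure_factor if self.new_exposure_factor is None else self.new_exposure_factor
        aro = threat.annual_rate if self.new_annual_rate is None else self.new_annual_rate
        return Threat(threat.name, threat.asset_value, ef, aro)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Net annual benefit of a control: (ALE before - ALE after) - annual cost.

    Positive means the control saves more than it costs; negative means the
    organization would spend more on the control than the loss it prevents.
    """
    return threat.ale() - safeguard.apply(threat).ale() - safeguard.annual_cost


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Order threats by ALE, highest first, to prioritise remediation budget."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# Scenario from the text: $1B warehouse, a hurricane destroys 50% of it,
# expected once every five years (ARO 0.2).
HURRICANE = Threat("hurricane", 1_000_000_000, 0.50, 0.2)
# Hypothetical second threat against the same asset, constructed for ranking.
FIRE = Threat("fire", 1_000_000_000, 0.30, 0.05)

# Hypothetical controls with assumed figures (not from the article).
SHUTTERS = Safeguard("storm shutters", annual_cost=10_000_000, new_exposure_factor=0.20)
RELOCATE = Safeguard("relocate inland", annual_cost=150_000_000, new_annual_rate=0.0)

if __name__ == "__main__":
    print(f"SLE: ${HURRICANE.sle():,.0f}")
    print(f"ALE: ${HURRICANE.ale():,.0f}")
    for sg in (SHUTTERS, RELOCATE):
        print(f"{sg.name}: net value ${safeguard_value(HURRICANE, sg):,.0f}/year")
    print("priority:", [t.name for t in rank_threats([FIRE, HURRICANE])])
```

Running it reproduces the article's $500 million SLE and $100 million ALE. The shutters cut the hurricane ALE to $40 million for $10 million a year, a net gain of $50 million, whereas relocating eliminates the threat but costs more per year than the $100 million ALE it removes, so the cost-benefit test rejects it.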
In conclusion, the asset value is a foundational part of an overall risk impact analysis process that helps the organization understand the possible financial impact on the enterprise as concerns a specific threat.
Related Q&A from Ernie Hayden