Tommi - Fotolia

Manage Learn to apply best practices and optimize your operations.

The key to assigning risk values in an IT security risk assessment

Security expert Michael Cobb offers pointers on how to assign risk values during a security risk assessment.

I know the importance of risks assessments, but my organization has a hard time assigning values to particular...

assets. While I recognize that this is a case-by-case basis, can you offer any general insight on how to assign value? Value on the basis of what?

There is a dual purpose of assigning risk values to IT assets within an organization. First, the values help determine which security controls are necessary and adequate to reduce the probability of loss or the impact of any loss to an acceptable level. Second, these levels help organizations achieve a reasonable balance between the cost and benefit of the safeguard as well as the sensitivity and value of the assets to be protected. Acceptable risk levels should be based on legal and regulatory compliance responsibilities as well as the business impact that would be experienced if certain risks are realized.

A quantitative risk assessment takes the cost of the potential loss of an asset (single loss expectancy, or SLE) and multiplies it by the probability that the loss will occur (annual rate of occurrence). The result is the annualized loss expectancy. An asset's SLE is not just the value of the asset, but the value of all the assets that would be affected by its loss. For example, the SLE of the CEO's laptop would include the value of the laptop itself, the data on it, the possible loss of reputation and the company's legal liabilities relating to any laws and regulations (e.g., data breach laws).

Intangible assets (e.g., reputation and legal liability) usually have a far higher value than physical resources -- compare the cost of a laptop versus a court case -- but there is a huge degree of subjectivity involved when assigning an actual figure to intangible assets. Risk assessments must estimate what monetary damage would occur if a threat should exploit a vulnerability and compromise an asset. This figure -- the impact -- has to include the cost of all the consequences of a security incident. For example, a fire in the server room would not only result in server replacement costs, but also lost business and a possible loss of reputation if business processes were disrupted for a long period of time.

The task of discerning this figure requires the help of asset owners and senior management to estimate the total potential costs the loss or compromise of certain assets would have. Certain values -- such as the replacement cost of a server -- can be very accurate, but putting a figure on the potential loss of business to competitors is more subjective.

Sometimes it's easier to use a scale of impact (such as insignificant, minor, medium, high and catastrophic) rather than specific monetary values, with each impact level representing a monetary band. For example, depending on the size of the organization, an insignificant event could be $0 to $10,000 while catastrophic would be a dollar value that would force the company to either close or to go into administration. Assigning an impact level to assets rather than a specific dollar value is a lot easier yet still allows the prioritization of the risks likely to cause serious damage.

Assessing risk is not an exact science, so any methodology should be subject to ongoing review and improvement. However, having an understanding of risk levels and measuring the effectiveness of controls will lead to fewer and less-damaging security incidents. The reasons for each assigned risk rating should be documented to provide a record of the thinking that led to the rating. Such documentation will provide useful information in future risk assessments.

Ask the Expert!
Have a question about application security? Send it via email today! (All questions are anonymous.)

This was last published in August 2014

Dig Deeper on Risk assessments, metrics and frameworks