Problem solve Get help with specific problems with your technologies, process and projects.

Week 22: Risk assessment steps three and four: Identifying methodology and assets; assigning value

Shelley Bard continues her series on risk assessment guiding us through identifying methodology and assests, and assigning value.


Risk assessment is the process of analyzing threats to, and vulnerabilities of, an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line.

Using the Information Security Protection Matrix and the risk assessment process referenced in column 20, break down the 10-step process, focusing this week on steps three (identify the methodology to use) and four (identify assets and assign value).

Quantitative or qualitative methods calculate risk by assigning numerical values to the variables in the risk formula. The quantitative method assigns values to the threat, vulnerability, likelihood and consequence variables. Typically, this methodology uses complex statistical and probability theory calculations. The qualitative method combines the expertise, judgment and knowledge of a risk management team to assess the level of risk associated with a system and determine the likelihood that certain events will happen. A good methodology will use the best of both methods. For example, you can use automated tools in conjunction with threat and countermeasure evaluations.

For identifying assets and assigning value, consider: What are you trying to protect? What assets does the company/agency own? Whose loss, exposure or compromise would have an impact?

-Identify critical information and its flow, both internal and external.

-Identify workflow of organizations (chain-of-command versus information flow and any side workflows that impact identifying critical information).

-Quantify the data in terms of money.

What constitutes critical information? Intelligence, that if compromised, could cause loss of revenue or market edge. A product or service not yet ready for release. Impending takeovers/mergers. Information that can negate the reason for the business' existence, service or equipment (patentable). And loss of life, compromised through revealing intentions and/or positions.

Another way to look at critical information is as intelligence that keeps you different from or above the rest of the competition, or is necessary for you to have to accomplish your mission.

Upon arriving at site, identify critical info via a combination of:

-Questioning the CEO.

-Checking the organization's mission. Do they identify any key concerns? Do they identify any information they want to protect?

-Examining past experiences of analysts and previous research, if available.

-Ensuring both the team analysts and the organization's decision-makers agree what is the critical information.

-Helping the organization put a dollar/life value on loss, compromise, inability to access, integrity of this information, replacing/restoring it and/or loss of public confidence in using the organization's services. Tangible costs can be actual and/or original cost, and replacement cost.

-Value can be assigned using exact figures or estimated across the board. Assign values that seem reasonable -- the point is to weigh data so it reveals where you need to protect the most valuable assets, and your risk assessment shows where your countermeasures need to be heaviest.

More information
Use the Critical Files Checklist to do a mini-assessment this week. Tailor the list for your organization's information and assets. Do you have defense-in-depth protecting your most important data?

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:[email protected]

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Risk assessment steps one and two: Establishing boundaries/team building
Next week: Risk assessment steps five and six: Identify threats and determine vulnerabilities

This was last published in May 2004

Dig Deeper on Risk assessments, metrics and frameworks