Security Corner

More Risky Business

Article Date: 3/98 by Rob Larson, Lakeside Transaction Services, Inc.

In the last issue of this newsletter, we took a look at the business aspects of computer security. In that article, I mentioned that the first step in implementing data security should always be a risk analysis, and that in this issue we would look at conducting a risk analysis.

The purpose of doing a risk analysis is to attach a dollar amount to a potential loss. Once you have that number, you can choose to avoid, assign, or assume the risk in an intelligent way. Without a risk analysis, you are only guessing how things might turn out. The following technique was published by IBM's Data Security Group in their booklet "Security Risk Assessment in EDP Systems".

You need to estimate two values to do your analysis. First, estimate the dollar value of the impact if the event happens (let's call it V). If you lose data, how much will it cost in data entry payroll to enter it in again? If somebody steals your customer list, how much business will you lose? Second, estimate the probable frequency of the event happening (call it P). Will it probably happen 10 times a day? Will it probably happen once every 3 years? For things like fire and earthquake, insurance underwriters and the government can provide statistical studies of frequencies.

Once you have P and V, you need to relate them to find your exposure (E) measured in dollars per year. IBM uses the formula E = (10 ** (P+V-3)) / 3, where ** stands for exponentiation. Good thing you bought your Stratus - you can use it to perform the calculation! IBM also developed a simple look-up chart to accomplish the same thing.

While you're going through this exercise, keep these guidelines in mind:

- Keep it simple. If you make this too complicated and look at too many tiny details, you will never finish.

- Work in powers of 10 unless you find a reason to use a more refined number. This is close enough to tell you where you should concentrate your security efforts.

- If P + V < 6, consider ignoring the threat (less than $300 per year exposure).

- However, keep in mind the reverse of the previous point: a lot of little things can add up. If they are related in some way, you may want to combine them.
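The formula and guidelines above worked through in Python, as an added example (not code from the article or from IBM's booklet). It assumes the power-of-ten rating scales the formula implies (V=3 for a $1,000 impact, P=3 for once in three years, P=6 for about once a day), so raw dollar and frequency estimates are first rounded to the nearest power of ten; the sample threats are constructed.

```python
import math

# Constructed sample threats: (name, dollar impact if it happens, occurrences per year)
SAMPLE_THREATS = [
    ("re-key a lost data-entry batch", 1_000, 1 / 3),  # about once every 3 years
    ("operator keying error", 10, 10 * 365),           # about ten times a day
    ("customer list stolen", 1_000_000, 1 / 30),       # about once in 30 years
    ("report misfiled", 10, 1 / 3),                    # small and rare
]

def impact_rating(dollars):
    """V: the impact as a power-of-ten rating, so $1,000 -> 3 (assumed scale)."""
    return max(1, round(math.log10(dollars)))

def frequency_rating(per_year):
    """P: 3 = once in 3 years, 6 = about once a day (assumed scale).
    Derived from the formula itself: 10**(P-3)/3 must equal the yearly frequency."""
    return max(1, round(math.log10(3 * per_year) + 3))

def exposure(p, v):
    """IBM's annual exposure in dollars: E = (10 ** (P+V-3)) / 3."""
    return 10 ** (p + v - 3) / 3

def assess(threats, ignore_below=6):
    """Worksheet rows with P, V, E; flags threats under the P+V < 6 (< $300/yr) rule."""
    rows = []
    for name, dollars, per_year in threats:
        p, v = frequency_rating(per_year), impact_rating(dollars)
        rows.append({"threat": name, "P": p, "V": v, "E": exposure(p, v),
                     "ignorable": p + v < ignore_below})
    return rows

def combined_exposure(rows):
    """Related little things add up: total their exposures before deciding to ignore them."""
    return sum(r["E"] for r in rows)

def lookup_chart(top=8):
    """The look-up chart the article mentions: chart[P][V] -> E in dollars per year."""
    return {p: {v: exposure(p, v) for v in range(1, top + 1)} for p in range(1, top + 1)}

if __name__ == "__main__":
    for r in assess(SAMPLE_THREATS):
        flag = "  (under $300/yr: candidate to ignore)" if r["ignorable"] else ""
        print(f"{r['threat']:<32} P={r['P']} V={r['V']} E=${r['E']:>12,.2f}/yr{flag}")
    print(f"total exposure: ${combined_exposure(assess(SAMPLE_THREATS)):,.2f}/yr")
```

Running it prints one worksheet row per threat; the misfiled-report row is the only one flagged, while the two rare-but-costly and the frequent-but-cheap threats each land at about $33,000 per year.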

While you are working on your risk analysis, you may find it useful to use a worksheet that has space for each of "the seven bad things that can happen" to each of the items you are considering. Leave a space on there to show P, V, and E for each item.

Once you have evaluated your risks, you can examine your exposures to see where you want to concentrate your efforts. As you consider implementing controls to reduce your risk, calculate the cost of the control and the amount it reduces your risk. At some point, additional controls will cost you more than the loss you would suffer - know when to stop! Without performing a risk analysis, you can't be sure where that point is.

If you are interested in conducting a risk analysis, you may want to look at a presentation I have given at Stratagy on this topic which includes some graphs, charts, and worksheets. 

©Copyright 2009