17 July, 2006

Risk Structure


Risk = Impact * Probability

Probability = (Threats – Preventative Controls) / Mitigating Controls
So what are the real pieces of this overused and debunked but not disproved equation?

Impact is Significance modified by the different forms of Immediacy

In the entire risk structure the only thing that Digital Security as an organization can reliably affect is the Controls/Management aspect. All other aspects of the process are defined outside of the Security team. We need to identify them, and we can determine which are in context for us, but we cannot change them. Within likelihood, the threats are controlled by the originators of the threats. Within impact, immediacy and significance are either inherent or defined by the business needs.

Context

Context – the context is the defined structure that the other portions of risk are compared against and dependent upon.

It defines the scale of review and management of controls.

In short - What are the scope and limitations of the risk management?


•What is being protected/assessed?
–Group, Segment, Business Unit, Project, Plant, Pipeline, …
•What are the applicable impact mechanisms?
–Confidentiality, Integrity, Availability, Environmental, Safety, Liability…
•What are the applicable threat sources?
–Eve the evil hacker, Joe the employee, Virus, Mafia, Government, Competition…
•What are the acceptable Controls/Management functions?
–How much cost is acceptable?
–How much admin is acceptable?
–Who has Authority?
–Who has Responsibility?
–How does it overlap with other controls? e.g. Failsafes, FC&A, Physical Security

1 comment:

UK Health and Safety Consultant said...

Thanks Jim for sharing this informative blog. Risk assessment training is also important to where people are aware of things they are not allowed to do and serve as evidence if an accident should happen. And to minimize possible accidents.

Regards
Arnold Brame