Financial Risk Assessment
April 30, 2011Introduction
Risk Assessment can be viewed through a variety of lenses in a wide spectrum of situations with multiple criteria used in the evaluation. Information Technologies is a situation with multiple, possible, criteria for Risk Assessment (hereafter referred to as “RA”). To narrow this wide ranging criteria for assessment, a specific model is selected.
This model has, as all do, it’s own set of definitions and evaluative standards. Taking each in the area it concerns, supporting statistics will be supplied which are specific to Information Technologies across the main area of concern: the Internet.
The Model
The RA model used here is based on four, main, functional groupings. These are
Annualized Rate of Occurrence (ARO),
Exposure Factor (EF), Single Loss Expectancy or Exposure (SLE) and Annualized Loss Expectancy (ALE).
The order mentioned is the evaluative order needed to build the final, desired goal of this model – the Annualized Loss Expectancy. Each will be defined and then have appropriate statistics applied to build up and fulfill the predictive capabilities of this model.
Annualized Rate of Occurrence (ARO)
Annualized Rate of Occurrence, or “ARO”, is defined in this model as the frequency that a threat is expected to occur within a given time period.
Exposure Factor (EF)
Exposure Factor, or “EF”, is defined in this model as the magnitude of loss or impact on the value of an asset measured as a range 0-100%.
An asset, referred to as an “Information Asset” is defined as the “body of information organization must have to conduct business”.
Using this definition, an information asset is evaluated according to the following criteria – each is assigned a value upon completion.
Cost to replace information
As this model is applied to a software and information institution whose primary business is just that, clearly this rates an exposure factor of
100%
Cost to replace software
As this model is applied to a software and information institution whose primary business is just that, it would appear this rates an exposure factor of 100%. However, software in itself is constantly changing, evolving, and migrating across implementations. As a result, this value can be halved to 50%.
Loss of Confidentiality
Knowledge of the function of a product, or it’s confidentiality rates quite highly with the customers of that product. As a result loss of confidentiality, which is a function of information loss, is related to the transitory nature of software and information with an intermediate value of 75%.
Loss of Availability.
Software and information is not a physical product in that it consists of textual and binary data streams stored on a variety of media. Given that multiple systems store data in a variety of formats, availability of software and information can be restored in short order which yields an exposure factor of 10%.
Loss of integrity.
Integrity of software and information is a function of the confidentiality and availability of the data. As such the value is intermediate between these two with an exposure factor of 42.5%
Given these values, which are subjectively assigned and whose actual value could be the subject of an extended study in itself, the average is taken as:
Exposure Factor
Cost to replace information: 100.0%
Cost to replace software: 50.0%
Loss of Confidentiality: 75.0%
Loss of Availability: 10.0%
Loss of integrity: 42.5%
Average of Totals: 277.5/5 = 55.5%
The EF value is computed at 55.5%.
Single Loss Expectancy or Exposure (SLE)
Single Loss Expectancy or Exposure is defined as the assets value times it exposure value. The averaged value is applied from the Exposure Factor onto the revenues generated by the institution:
“With annual revenues exceeding $6.0 billion…”
This yields:
Asset Value: 6.0 Billion x Exposure Value: 0.555 = Single Loss Expectancy of 3.33 Billion (US) per year.
Annualized Loss Expectancy (ALE)
Annualized Loss Expectancy is defined as the Single Loss Expectancy, here computed for one year, divided by the Annualized Rate of Occurrence, here computed for ten years.
This yields:
Single Loss Expectancy: 3.33 x 10 years: 33.3 Billion over:Annualized Rate of Occurrence over 10 years: 1236.2 This yields an annual, per year loss, of 0.03 Billion (US) or 30 Million (US) per year.
Summary / Analysis
As with all models, this Risk Assessment model is based on numbers whose objectivity and subjectivity is open to debate. While the numbers used for the Annualized Rate of Occurrence and Asset Value are objective in the sense that they were retrieved from the DARPA initiated CERT project and the Security and Exchange Commission filings by this institution, data is only as good as it’s source. The Exposure Factor values are, in fact, subjective and as such open to debate at they relate to the key areas of evaluating Information Assets.
Nonetheless, the model does provide a yardstick to use to evaluate risk to software and information technologies. While only as good as the source of it’s numbers, the numbers themselves are high enough to give pause for thought before openly embracing network access by third parities whose interests are not consistent with the institution they access.
www.bestitdocuments.com