Security Scanning is not Risk Analysis
By: Laura Taylor
July 14, 2002
Many information technology (IT) decision makers assume that performing a security vulnerability assessment is the same thing as risk analysis. However, these two processes are very different. A security vulnerability assessment tells you what holes and vulnerabilities exist in your systems and networks at a single moment in time.
A good security vulnerability assessment service will deliver a comprehensive report that includes detailed information about the exploits and threats your systems and networks are vulnerable to, and will rank them according to their technical severity. It should name each exploit and threat, describe how it works, and provide recommendations for mitigating actions. What it does not tell you is what a successful attack would cost the business, or how much it is worth spending to prevent one.
A risk analysis, in the classical sense, is the process an organization goes through to determine its risk exposure. Risk is the possibility that damage could happen to a business or organization. The goal of a risk analysis is to determine the probability and the cost of potential losses, so that financial objectives can be integrated with security objectives.
Differentiating Scanning from Risk Analysis
How Risk Analysis Works
The three primary steps to performing a risk analysis include:
In identifying the risks, it is clearly necessary to determine what is at risk. There are three risk categories that I suggest IT decision-makers focus on in performing a risk analysis:
Assets
Missions
Security
Assets are physical or tangible items that have a financial value associated with them. Missions are functions, jobs, or tasks that need to be performed. Security is the ability to keep the missions and the assets safe, and is really a specialized mission in its own right. However, I like to list security separately, to emphasize its importance and how it integrates with both assets and missions.
When you determine the security risk exposure, you are determining the vulnerabilities that have the potential to harm people, data, or other assets. When you determine the mission exposure, you are determining the vulnerabilities that have the potential to prevent an organization from accomplishing its chartered mission. When you determine the asset risk, you are determining the vulnerabilities that have the potential to harm a business's physical or tangible assets.
Threats are what subject an organization's assets and missions to risk. When you consider threats, you need to determine the probability of their occurrence, and also how severe the consequences will be if they occur. In order to manage threats, you need to be able to measure risks. As was noted earlier, risk is the possibility of loss, and you need to be able to assign a numerical value to that possibility to determine your risk exposure.
Probability, Severity, and Calculations
P(L) = the probability of the potential loss
S(L) = the severity of the potential loss
R(E) = the total risk exposure
R(E) = P(L) x S(L)
Typically P(L) is normalized for a particular geographic location. For example, the threat of a hurricane is much greater in Florida than in Illinois. When we normalize P(L) for a particular geographic location, we use what are known as LAFE and SAFE. LAFE stands for Local Annual Frequency Estimate, and SAFE stands for Standard Annual Frequency Estimate. LAFE is applied to the exact location of a risk, e.g. Pensacola, Florida. SAFE is applied to a much bigger geographic area, such as North America.
The reduction in value of an asset from one threatening incident is called the Single Loss Expectancy (SLE). SLE is not the value that remains after the threat has been applied; it is the value that was lost. Another way of understanding SLE is that it is the value remaining after the threat has been applied subtracted from the original total cost of ownership. To summarize:
SLE = Original Total Cost of Ownership - Remaining Value
Doing the Math
Consider a database with an original total cost of ownership of $100,000. If a hacker destroys 80% of it, $20,000 of value remains, and the SLE for that incident is:
$80,000 = $100,000 - $20,000
To calculate the Annual Loss Expectancy (ALE) of an organization, you calculate the individual component SLE values and multiply each by its P(L). Since LAFE and SAFE are more precise expressions of P(L), you typically multiply SLE values by LAFE or SAFE. To summarize:
ALE = P(L) x SLE
LAFE and SAFE are types of probability values, so the following equations are equally true:
ALE = SAFE x SLE
ALE = LAFE x SLE
Annualized Rates of Occurrence
A threat that occurs once every 10 years would have a SAFE value of .1, since 1/10 = .1. In general, a threat expected once every N years has an annual frequency estimate of 1/N.
Common SAFE values are listed in the below table:
Table 1. Threat Frequency Values
In our earlier database example, the SLE is $80,000. If a hacker destroying 80% of that database is expected to happen once every two years, the LAFE is 1/2 = .5, and the ALE equation is as follows:
ALE = .5 x $80,000
ALE = $40,000
$40,000 is how much this sample company can expect to lose each year to this threat. Now we have some real numbers to work with to figure out how much to spend on safeguards. If there is a way to protect this database, what the company might want to know is how much to spend on protecting it year after year. Should they spend $10,000 on an intrusion prevention system? Or should they spend $100,000 on an intrusion prevention system, a new firewall, a package to secure the TCP/IP stack, and an extra systems administrator? A safeguard pays for itself only if its annual cost is less than the ALE it removes, so a $100,000 annual spend to address a $40,000 ALE cannot be justified by this one asset alone.
How much should this company spend, and what should they spend it on to secure this database? That is the magic question that the CIO will be called upon to answer. The issue becomes more complex when the ALEs for numerous assets and technologies are calculated and added up into a bigger organizational ALE. When trying to figure out how much to spend on safeguards to mitigate a threat, you need to take the entire organization into consideration, since one firewall or one intrusion prevention system might mitigate multiple threats and protect multiple assets, and its cost should be weighed against the ALE it removes across all of them.
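The arithmetic above, carried through in code as an added example (this is not code from the article or from any risk-analysis product). It implements the article's formulas, SLE = original TCO - remaining value and ALE = LAFE x SLE, and then the safeguard comparison the CIO faces: a safeguard's annual cost weighed against the ALE it removes across every threat it mitigates. The $100,000 database losing 80% once every two years is the article's example; the second threat, the two safeguards, their costs and their residual-risk fractions are constructed for illustration and are assumptions, not figures from the article.

```python
"""Risk-analysis arithmetic in the article's notation (added example).

  SLE = original total cost of ownership - value remaining after one incident
  ALE = P(L) x SLE, where P(L) is a LAFE or SAFE ("once every N years" -> 1/N)

A safeguard is worth buying when the ALE it removes, summed over every threat
it mitigates, exceeds its own annual cost.
"""
from dataclasses import dataclass


def frequency_from_interval(years_between_occurrences: float) -> float:
    """LAFE/SAFE for a threat expected once every N years, i.e. 1/N."""
    if years_between_occurrences <= 0:
        raise ValueError("interval between occurrences must be positive")
    return 1.0 / years_between_occurrences


def single_loss_expectancy(total_cost_of_ownership: float, remaining_value: float) -> float:
    """SLE: the value lost in one incident, not the value left over."""
    if not 0 <= remaining_value <= total_cost_of_ownership:
        raise ValueError("remaining value must lie between 0 and the original value")
    return total_cost_of_ownership - remaining_value


def annual_loss_expectancy(frequency: float, sle: float) -> float:
    """ALE = P(L) x SLE with P(L) given as a LAFE or SAFE."""
    return frequency * sle


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    asset_value: float        # original total cost of ownership
    remaining_value: float    # value left after one incident
    years_between: float      # incident expected once every N years (1 / LAFE)

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.remaining_value)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(frequency_from_interval(self.years_between), self.sle)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    mitigates: frozenset      # names of the threats this safeguard addresses
    residual_fraction: float  # share of each mitigated threat's ALE that remains (0 = eliminated)


def total_ale(threats) -> float:
    """Organizational ALE: the sum of the component ALEs."""
    return sum(t.ale for t in threats)


def ale_with_safeguard(threats, safeguard: Safeguard) -> float:
    """ALE after the safeguard is in place; unmitigated threats are unchanged."""
    return sum(
        t.ale * safeguard.residual_fraction if t.name in safeguard.mitigates else t.ale
        for t in threats
    )


def net_benefit(threats, safeguard: Safeguard) -> float:
    """ALE removed across all mitigated threats minus the safeguard's annual cost."""
    return total_ale(threats) - ale_with_safeguard(threats, safeguard) - safeguard.annual_cost


def best_safeguard(threats, safeguards) -> str:
    """Name of the safeguard with the largest net benefit (may still be negative)."""
    return max(safeguards, key=lambda s: net_benefit(threats, s)).name


# The article's database example: $100,000 asset, 80% destroyed, once every two years.
DATABASE = Threat("db-destruction", "customer database", 100_000, 20_000, 2)
# Constructed second threat (assumption, not from the article).
WEB_DEFACEMENT = Threat("web-defacement", "public web server", 30_000, 25_000, 1)
THREATS = (DATABASE, WEB_DEFACEMENT)

# Constructed safeguards (assumptions): the article's two spending options.
IPS_ONLY = Safeguard("intrusion prevention system", 10_000,
                     frozenset({"db-destruction", "web-defacement"}), 0.25)
FULL_SUITE = Safeguard("IPS + firewall + hardened stack + extra sysadmin", 100_000,
                       frozenset({"db-destruction", "web-defacement"}), 0.05)
SAFEGUARDS = (IPS_ONLY, FULL_SUITE)

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: SLE ${t.sle:,.0f}, ALE ${t.ale:,.0f}")
    print(f"organizational ALE: ${total_ale(THREATS):,.0f}")
    for s in SAFEGUARDS:
        print(f"{s.name}: net benefit ${net_benefit(THREATS, s):,.0f}/year")
    print("best choice:", best_safeguard(THREATS, SAFEGUARDS))
```

The residual fraction is the one input the article's formulas do not give you: it is the analyst's estimate of how much of a threat's ALE survives the safeguard, and it is where most of the judgement in a real analysis lives. Note that the $100,000 option still comes out negative even though it mitigates both threats, because the combined ALE it can remove is smaller than its annual cost.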
The good news is that there are some excellent tools to assist risk analysis experts and CIOs in determining the answers to these financial questions. These tools are not well known, but offer very advanced capabilities in guiding you through the risk analysis process. Unfortunately, they are not as simple to use as system and network security scanners. A comprehensive risk analysis process is time-consuming, and requires detailed financial analysis of an entire business. But if you want to know how much to spend on safeguards, and which safeguards to implement, there is no better process.
The Right Tools for the Job
To find out more about these tools, visit the web sites of the companies that make them.
You can, of course, calculate risk analysis metrics manually. However, using the proper tool to guide you through the process will greatly increase your ability to produce a successful risk analysis report that everyone can understand.