Risk Appetite: the quantity and nature of risk that an organization is willing to accept as it evaluates the trade-offs between perfect security and unlimited accessibility.
Residual Risk: the amount of risk that remains after the organization has implemented policy, education and training, and technical controls and safeguards.
Feasibility
Feasibility studies assess the economic and non-economic consequences of an exploitation of a vulnerability. Organizational, Operational, Technical and Political feasibility are the non-economic feasibilities; Cost-Benefit Analysis is the economic feasibility.
Cost-Benefit Analysis: There are several ways to determine the value of the information assets to be protected. One technique is to express them as dollar-denominated expenses and the savings that follow from economic cost avoidance.
Cost: Identifying the cost of the information itself is difficult, so cost is usually calculated from the cost of developing software or acquiring a vendor product to protect the information system, the cost of training employees to manage and use that product, the associated infrastructure cost, the cost of upgrades and maintenance, and the labor cost of implementation and maintenance.
Benefit: The value an organization gains after implementing controls that prevent the losses associated with a vulnerability of an asset.
Asset Valuation: The process of assigning a financial value or worth to each information asset associated with an organization. Asset valuation involves estimating real or perceived costs. Cost is calculated across everything spent on the asset for design, development, installation, implementation, maintenance, protection and recovery, and also includes the cost of physical assets such as hardware.
Cost-Benefit Analysis is performed by calculating Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE).
ARO indicates how often an attack is expected to occur in a year; ALE indicates the expected loss for an asset from that attack over a year.
ALE = SLE * ARO
CBA = ALE (Pre-Control) – ALE (Post-Control)
The difference between the pre-control SLE and the post-control SLE is identified as the Benefit in the Cost-Benefit Analysis process.
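The SLE / ARO / ALE arithmetic above carried through on a small example. This is an added illustration, not code from the original post or from Whitman and Mattord. It assumes the usual decomposition SLE = asset value × exposure factor (the page only names SLE), and its final step subtracts an annualized cost of the safeguard from the CBA figure, which is the standard extension of the formula the page gives; every dollar amount and rate in it is a constructed sample value.

```python
"""Worked cost-benefit analysis using the SLE / ARO / ALE relationships.

All monetary figures and rates below are constructed sample values,
not data from the original page.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor.

    exposure_factor is the fraction of the asset's value lost in one
    occurrence (0.0 .. 1.0). Assumption: this AV x EF decomposition is the
    conventional way to derive SLE; the page itself only names SLE.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO, exactly as the page states it."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def cba(ale_pre_control: float, ale_post_control: float) -> float:
    """CBA = ALE(pre-control) - ALE(post-control): annual loss avoided."""
    return ale_pre_control - ale_post_control


def net_benefit(ale_pre: float, ale_post: float, annual_cost_of_safeguard: float) -> float:
    """Loss avoided minus what the control itself costs each year.

    Assumption: subtracting the annualized cost of the safeguard is the usual
    extension of the page's CBA formula; a control is only worth buying when
    this value is positive.
    """
    return cba(ale_pre, ale_post) - annual_cost_of_safeguard


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float
    exposure_factor: float        # fraction of asset value lost per incident
    aro_pre: float                # expected incidents per year without the control
    aro_post: float               # expected incidents per year with the control
    annual_cost_of_safeguard: float


def evaluate(s: Scenario) -> dict:
    """Return every intermediate figure so the arithmetic can be inspected."""
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale_pre = annualized_loss_expectancy(sle, s.aro_pre)
    ale_post = annualized_loss_expectancy(sle, s.aro_post)
    return {
        "sle": sle,
        "ale_pre": ale_pre,
        "ale_post": ale_post,
        "cba": cba(ale_pre, ale_post),
        "net_benefit": net_benefit(ale_pre, ale_post, s.annual_cost_of_safeguard),
    }


# Constructed sample: a customer database valued at $200,000; one breach
# exposes a quarter of that value; expected once every two years today and
# once every eight years after adding a control costing $9,000 per year.
SAMPLE = Scenario(
    name="customer database",
    asset_value=200_000.0,
    exposure_factor=0.25,
    aro_pre=0.5,
    aro_post=0.125,
    annual_cost_of_safeguard=9_000.0,
)

if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for key, value in result.items():
        print(f"{key:>12}: ${value:,.2f}")
    verdict = "justified" if result["net_benefit"] > 0 else "not justified"
    print(f"Control for {SAMPLE.name} is {verdict} on cost-benefit grounds.")
```

Running it prints an SLE of $50,000, a pre-control ALE of $25,000, a post-control ALE of $6,250, a CBA of $18,750 and a net benefit of $9,750, so the control pays for itself. Changing `aro_post` or `annual_cost_of_safeguard` shows how a control that reduces the loss only slightly, or costs more than the loss it avoids, fails the same test.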
Organizational Feasibility: This analysis examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness and operations of the organization, and whether the implementation aligns with the strategic plan for the information systems or deviates from it.
Operational Feasibility: Also called behavioral feasibility. It refers to user acceptance, management acceptance, and compatibility with and support for the requirements of the organization's stakeholders.
Technical Feasibility: Implementing technological controls is complex, so it is necessary to identify whether the technology is compatible with the organization's policy and strategy.
Political Feasibility: This analysis considers what can and cannot happen based on the consensus and relationships among the communities of interest.
Reference: Management of Information Security by Whitman and Mattord